This is Info file kerberos-admin.info, produced by Makeinfo-1.55 from
the input file admin.texinfo.


File: kerberos-admin.info,  Node: Top,  Next: Introduction,  Prev: (dir),  Up: (dir)

This document describes how to administrate a Kerberos V5 installation.

Copyright (C) 1990, 1991, 1992, 1993, 1994, 1995, 1996 by the
Massachusetts Institute of Technology.

     Export of software employing encryption from the United States of
     America may require a specific license from the United States
     Government.  It is the responsibility of any person or organization
     contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute
this software and its documentation for any purpose and without fee is
hereby granted, provided that the above copyright notice appear in all
copies and that both that copyright notice and this permission notice
appear in supporting documentation, and that the name of M.I.T. not be
used in advertising or publicity pertaining to distribution of the
software without specific, written prior permission.  M.I.T. makes no
representations about the suitability of this software for any purpose.
It is provided "as is" without express or implied warranty.

Kerberos V5 includes documentation and software developed at the
University of California at Berkeley, which includes this copyright
notice:

Copyright (C) 1983 Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions are
met:
  1. Redistributions of source code must retain the above copyright
     notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright
     notice, this list of conditions and the following disclaimer in the
     documentation and/or other materials provided with the
     distribution.

  3. All advertising materials mentioning features or use of this
     software must display the following acknowledgement:
          This product includes software developed by the University of
          California, Berkeley and its contributors.

  4. Neither the name of the University nor the names of its
     contributors may be used to endorse or promote products derived
     from this software without specific prior written permission.

Permission is granted to make and distribute verbatim copies of this
manual provided the copyright notices and this permission notice are
preserved on all copies.

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided also that the
entire resulting derived work is distributed under the terms of a
permission notice identical to this one.

Permission is granted to copy and distribute translations of this manual
into another language, under the above conditions for modified versions.

* Menu:

* Introduction::
* How Kerberos Works::
* Administrating Kerberos Database Entries::
* Application Servers::
* Backups of Secure Hosts::
* Bug Reporting::
* Appendix::


File: kerberos-admin.info,  Node: Introduction,  Next: How Kerberos Works,  Prev: Top,  Up: Top

Introduction
************

* Menu:

* Why Should I use Kerberos?::
* Kerberos V5 Documentation::
* Overview of This Guide::


File: kerberos-admin.info,  Node: Why Should I use Kerberos?,  Next: @value{PRODUCT} Documentation,  Prev: Introduction,  Up: Introduction

Why Should I use Kerberos?
==========================

Since Kerberos negotiates authenticated, and optionally encrypted,
communications between two points anywhere on the internet, it provides
a layer of security that is not dependent on which side of a firewall
either client is on.  Since studies have shown that half of the computer
security breaches in industry happen from inside firewalls, Kerberos V5
from MIT will play a vital role in the security of your network.


File: kerberos-admin.info,  Node: @value{PRODUCT} Documentation,  Next: Overview of This Guide,  Prev: Why Should I use Kerberos?,  Up: Introduction

Kerberos V5
 ocumentation
=========================

This document is one piece of the document set for Kerberos V5.  The
documents, and their intended audiences, are:

This document is one piece of the document set for Kerberos V5.  The
documents, and their intended audiences, are:

   * Kerberos V5 Installation Guide:  a concise guide for installing
     Kerberos V5.  Kerberos administrators (particularly whoever will be
     making site-wide decisions about the installation) and the system
     administrators who will be installing the software should read this
     guide.

   * Kerberos V5 System Administrator's Guide:  a sysadmin's guide to
     administering a Kerberos installation.  The System Administrator's
     Guide describes the administration software and suggests policies
     and procedures for administering a Kerberos installation.  Anyone
     who will have administrative access to your Kerberos database
     should read this guide.

   * Kerberos V5 UNIX User's Guide:  a guide to using the Kerberos UNIX
     client programs.  All users on UNIX systems should read this guide,
     particularly the "Tutorial" section.


File: kerberos-admin.info,  Node: Overview of This Guide,  Prev: @value{PRODUCT} Documentation,  Up: Introduction

Overview of This Guide
======================

The next chapter describes how Kerberos works.

Chapter three describes administration of the principals in the Kerberos
database.

Chapter four describes administrative programs for manipulating the
Kerberos database as a whole.

Chapter five describes issues to consider when adding an application
server to the database.

Chapter six describes our problem reporting system.

The appendices include sample configuration files, the list of Kerberos
error messages, and a complete list of the time zones understood by
`kadmin'.


File: kerberos-admin.info,  Node: How Kerberos Works,  Next: Administrating Kerberos Database Entries,  Prev: Introduction,  Up: Top

How Kerberos Works
******************

This section provides a simplified description of a general user's
interaction with the Kerberos system.  This interaction happens
transparently--users don't need to know and probably don't care about
what's going on--but Kerberos administrators might find a schematic
description of the process useful.  This description glosses over a lot
of details; for more information, see Kerberos: An Authentication
Service for Open Network Systems, a paper presented at Winter USENIX
1988, in Dallas, Texas.  This paper can be retreived by FTP from
`athena-dist.mit.edu', in the location:
`/pub/ATHENA/kerberos/doc/USENIX.ps'.

* Menu:

* Network Services and Their Client Programs::
* Kerberos Tickets::
* The Kerberos Database::
* Kerberos Realms::
* The Ticket-Granting Ticket::
* Network Services and the Master Database::
* The User-Kerberos Interaction::
* Definitions::


File: kerberos-admin.info,  Node: Network Services and Their Client Programs,  Next: Kerberos Tickets,  Prev: How Kerberos Works,  Up: How Kerberos Works

Network Services and Their Client Programs
==========================================

In an environment that provides network services, you use "client"
programs to request "services" from "server" programs that are
somewhere on the network.  Suppose you have logged in to a workstation
and you want to `rlogin' to a typical UNIX host.  You use the local
`rlogin' client program to contact the remote machine's `rlogind'
daemon.


File: kerberos-admin.info,  Node: Kerberos Tickets,  Next: The Kerberos Database,  Prev: Network Services and Their Client Programs,  Up: How Kerberos Works

Kerberos Tickets
================

Under Kerberos, the `klogind' daemon allows you to login to a remote
machine if you can provide `klogind' a Kerberos ticket which proves
your identity.  In addition to the ticket, you must also have
possession of the corresponding ticket session key. The combination of
a ticket and the ticket's session key is known as a credential.

Typically, a client program automatically obtains credentials
identifying the person using the client program.  The credentials are
obtained from a Kerberos server that resides somewhere on the network.
A Kerberos server maintains a database of user, server, and password
information.


File: kerberos-admin.info,  Node: The Kerberos Database,  Next: Kerberos Realms,  Prev: Kerberos Tickets,  Up: How Kerberos Works

The Kerberos Database
=====================

Kerberos will give you credentials only if you have an entry in the
Kerberos server's "Kerberos database".  Your database entry includes
your Kerberos "principal" (an identifying string, which is often just
your username), and your Kerberos password.  Every Kerberos user must
have an entry in this database.


File: kerberos-admin.info,  Node: Kerberos Realms,  Next: The Ticket-Granting Ticket,  Prev: The Kerberos Database,  Up: How Kerberos Works

Kerberos Realms
===============

Each administrative domain will have its own Kerberos database, which
contains information about the users and services for that particular
site or administrative domain.  This administrative domain is the
"Kerberos realm".

Each Kerberos realm will have at least one Kerberos server, where the
master Kerberos database for that site or administrative domain is
stored.  A Kerberos realm may also have one or more "slave servers",
which have read-only copies of the Kerberos database that are
periodically propagated from the master server.  For more details on how
this is done, see the "Set Up the Slave KDCs for Database Propagation"
and "Propagate the Database to Each Slave KDC" sections of the Kerberos
V5 Installation Guide.


File: kerberos-admin.info,  Node: The Ticket-Granting Ticket,  Next: Network Services and the Master Database,  Prev: Kerberos Realms,  Up: How Kerberos Works

The Ticket-Granting Ticket
==========================

The `kinit' command prompts for your password.  If you enter it
successfully, you will obtain a "ticket-granting ticket" and a "ticket
session key" which gives you the right to use the ticket.  This
combination of the ticket and its associated key is known as your
"credentials".  As illustrated below, client programs use your
ticket-granting ticket credentials in order to obtain client-specific
credentials as needed.

Your credentials are stored in a "credentials cache", which is often
just a file in `/tmp'.  The credentials cache is also called the
"ticket file", especially in Kerberos V4 documentation.  Note, however,
that a credentials cache does not have to be stored in a file.


File: kerberos-admin.info,  Node: Network Services and the Master Database,  Next: The User--Kerberos Interaction,  Prev: The Ticket-Granting Ticket,  Up: How Kerberos Works

Network Services and the Master Database
========================================

The master database also contains entries for all network services that
require Kerberos authentication.  Suppose that your site has a machine,
`laughter.mit.edu', that requires Kerberos authentication from anyone
who wants to `rlogin' to it.  The host's Kerberos realm is
`ATHENA.MIT.EDU'.

This service must be registered in the Kerberos database, using the
proper service name, which in this case is the "principal":

     host/laughter.mit.edu@ATHENA.MIT.EDU

The `/' character separates the Kerberos "primary" (in this case,
`host') from the "instance" (in this case, `laughter.mit.edu'); the `@'
character separates the realm name (in this case, `ATHENA.MIT.EDU')
from the rest of the principal.  The primary, `host', denotes the name
or type of the service that is being offered:  generic host-level
access to the machine.  The instance, `laughter.mit.edu', names the
specific machine that is offering this service.  There will generally be
many different machines, each offering one particular type of service,
and the instance serves to give each one of these servers a different
Kerberos principal.

* Menu:

* The Keytab File::


File: kerberos-admin.info,  Node: The Keytab File,  Prev: Network Services and the Master Database,  Up: Network Services and the Master Database

The Keytab File
---------------

For each service, there must also be a "service key" known only by
Kerberos and the service.  On the Kerberos server, the service key is
stored in the Kerberos database.

On the server host, these service keys are stored in "key tables",
which are files known as "keytabs".(1)  For example, the service keys
used by services that run as root are usually stored in the keytab file
`/etc/v5srvtab'.  N.B.: This service key is the equivalent of the
service's password, and must be kept secure.  Data which is meant to be
read only by the service is encrypted using this key.

---------- Footnotes ----------

(1)  Keytabs were called "srvtabs" in Kerberos V4.


File: kerberos-admin.info,  Node: The User--Kerberos Interaction,  Next: Definitions,  Prev: Network Services and the Master Database,  Up: How Kerberos Works

The User-Kerberos Interaction
=============================

Suppose that you walk up to a host intending to login to it, and then
`rlogin' to the machine `laughter'.  Here's what happens:

  1. You login to the workstation and use the `kinit' command to get a
     ticket-granting ticket.  This command prompts you for your Kerberos
     password.  (On systems running the Kerberos V5 `login' program,
     this may be done as part of the login process, not requiring the
     user to run a separate program.)

       A. The `kinit' command sends your request to the Kerberos master
          server machine.  The server software looks for your principal
          name's entry in the Kerberos database.

       B. If this entry exists, the Kerberos server creates and returns
          a ticket-granting ticket and the key which allows you to use
          it, encrypted by your password.  If `kinit' can decrypt the
          Kerberos reply using the password you provide, it stores this
          ticket in a credentials cache on your local machine for later
          use.  The name of the credentials cache can be specified in
          the `KRB5_CCNAME' environment variable.  If this variable is
          not set, the name of the file will be `/tmp/krb5cc_<uid>',
          where <uid> is your UNIX user-id, represented in decimal
          format.

  2. Now you use the `rlogin' client to access the machine `laughter'.

          host% rlogin laughter

       A. The `rlogin' client checks your ticket file to see if you
          have a ticket for the `host' service for `laughter'.  You
          don't, so `rlogin' uses the credential cache's
          ticket-granting ticket to make a request to the master
          server's ticket-granting service.

       B. This ticket-granting service receives the request for a
          ticket for `host/laughter.mit.edu', and looks in the master
          database for an entry for `host/laughter.mit.edu'.  If the
          entry exists, the ticket-granting service issues you a ticket
          for that service.  That ticket is also cached in your
          credentials cache.

       C. The `rlogin' client now sends that ticket to the `laughter'
          `klogind' service program.  The service program checks the
          ticket by using its own service key.  If the ticket is valid,
          it now knows your identity.  If you are allowed to login to
          `laughter' (because your username matches one in /etc/passwd,
          or your Kerberos principal is in the appropriate `.k5login'
          file), `klogind' will let you login.


File: kerberos-admin.info,  Node: Definitions,  Prev: The User--Kerberos Interaction,  Up: How Kerberos Works

Definitions
===========

Following are definitions of some of the Kerberos terminology.

client
     an entity that can obtain a ticket.  This entity is usually either
     a user or a host.

host
     a computer that can be accessed over a network.

Kerberos
     in Greek mythology, the three-headed dog that guards the entrance
     to the underworld.  In the computing world, Kerberos is a network
     security package that was developed at MIT.

KDC
     Key Distribution Center.  A machine that issues Kerberos tickets.

keytab
     a key table file containing one or more keys.  A host or service
     uses a "keytab" file in much the same way as a user uses his/her
     password.

principal
     a string that names a specific entity to which a set of
     credentials may be assigned.  It generally has three parts:

    primary
          the first part of a Kerberos principal.  In the case of a
          user, it is the username.  In the case of a service, it is
          the name of the service.

    instance
          the second part of a Kerberos principal.  It gives
          information that qualifies the primary.  The instance may be
          null.  In the case of a user, the instance is often used to
          describe the intended use of the corresponding credentials.
          In the case of a host, the instance is the fully qualified
          hostname.

    realm
          the logical network served by a single Kerberos database and
          a set of Key Distribution Centers.  By convention, realm
          names are generally all uppercase letters, to differentiate
          the realm from the internet domain.

     The typical format of a typical Kerberos principal is
     primary/instance@REALM.

service
     any program or computer you access over a network.  Examples of
     services include "host" (a host, e.g., when you use `telnet' and
     `rsh'), "ftp" (FTP), "krbtgt" (authentication; cf. ticket-granting
     ticket), and "pop" (email).

ticket
     a temporary set of electronic credentials that verify the identity
     of a client for a particular service.

TGT
     Ticket-Granting Ticket.  A special Kerberos ticket that permits the
     client to obtain additional Kerberos tickets within the same
     Kerberos realm.


File: kerberos-admin.info,  Node: Administrating Kerberos Database Entries,  Next: Application Servers,  Prev: How Kerberos Works,  Up: Top

Administrating the Kerberos Database
************************************

Your Kerberos database contains all of your realm's Kerberos principals,
their passwords, and other administrative information about each
principal.  For the most part, you will use the `kdb5_util' program to
manipulate the Kerberos database as a whole, and the `kadmin' program
to make changes to the entries in the database.  (One notable exception
is that users will use the `kpasswd' program to change their own
passwords.)  The `kadmin' program has its own command-line interface,
to which you type the database administrating commands.

`Kdb5_util' provides a means to create, delete, load, or dump a
Kerberos database.  It also includes a command to stash a copy of the
master database key in a file on a KDC, so that the KDC can authenticate
itself to the `kadmind' and `krb5kdc' daemons at boot time.

`Kadmin' provides for the maintenance of Kerberos principals, KADM5
policies, and service key tables (keytabs).  It exists as both a
Kerberos client, `kadmin', using Kerberos authentication and an RPC, to
operate securely from anywhere on the network, and as a local client,
`kadmin.local', intended to run directly on the KDC without Kerberos
authentication.  Other than the fact that the remote client uses
Kerberos to authenticate the person using it, the functionalities of
the two versions are identical.  The local version is necessary to
enable you to set up enough of the database to be able to use the remote
version.  It replaces the now obsolete `kdb5_edit' (except for database
dump and load, which are provided by `kdb5_util').

The remote version authenticates to the KADM5 server using the service
principal `kadmin/admin'.  If the credentials cache contains a ticket
for the `kadmin/admin' principal, and the `-c credentials_cache' option
is specified, that ticket is used to authenticate to KADM5.  Otherwise,
the `-p' and `-k' options are used to specify the client Kerberos
principal name used to authenticate.  Once kadmin has determined the
principal name, it requests a `kadmin/admin' Kerberos service ticket
from the KDC, and uses that service ticket to authenticate to KADM5.

* Menu:

* Kadmin Options::
* Date Format::
* Principals::
* Policies::
* Dumping a Kerberos Database to a File::
* Restoring a Kerberos Database from a Dump File::
* Creating a Stash File::
* Creating and Destroying a Kerberos Database::


File: kerberos-admin.info,  Node: Kadmin Options,  Next: Date Format,  Prev: Administrating Kerberos Database Entries,  Up: Administrating Kerberos Database Entries

Kadmin Options
==============

You can invoke `kadmin' with any of the following options:

-r REALM
     Use REALM as the default Kerberos realm for the database.

-p principal
     Use the Kerberos principal principal to authenticate to Kerberos.
     If this option is not given, `kadmin' will append `admin' to
     either the primary principal name, the environment variable USER,
     or to the username obtained grom `getpwuid', in order of
     preference.

-k keytab
     Use the keytab keytab to decrypt the KDC response instead of
     prompting for a password on the TTY.  In this case, the principal
     will be `host/hostname'.

-c credentials cache
     Use credentials_cache as the credentials cache.  The credentials
     cache should contain a service ticket for the `kadmin/admin'
     service, which can be acquired with the `kinit' program.  If this
     option is not specified, `kadmin' requests a new service ticket
     from the KDC, and stores it in its own temporary ccache.

-w password
     Use password as the password instead of prompting for one on the
     TTY.  Note:  placing the password for a Kerberos principal with
     administration access into a shell script can be dangerous if
     unauthorized users gain read access to the script.

-q query
     Pass query directly to `kadmin'.  This is useful for writing
     scripts that pass specific queries to `kadmin'.


File: kerberos-admin.info,  Node: Date Format,  Next: Principals,  Prev: Kadmin Options,  Up: Administrating Kerberos Database Entries

Date Format
===========

Many of the `kadmin' commands take a duration or time as an argument.
The date can appear in a wide variety of formats, such as:

     "15 minutes"
     "7 days"
     "1 month"
     "2 hours"
     "400000 seconds"
     "next year"
     "this Monday"
     "next Monday"
     yesterday
     tomorrow
     now
     "second Monday"
     fortnight
     "3/31/92 10:00:07 PST"
     "January 23, 1987 10:05pm"
     "22:00 GMT"

Note that if the date specification contains spaces, you must enclose it
in double quotes.  Note also that you cannot use a number without a
unit.  (I.e., ""60 seconds"" is correct, but "60" is incorrect.) All
keywords are case-insensitive.  The following is a list of all of the
allowable keywords.

Months
     january, jan, february, feb, march, mar, april, apr, may, june,
     jun, july, jul, august, aug, september, sept, sep, october, oct,
     november, nov, december, dec

Days
     sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes,
     wed, thursday, thurs, thur, thu, friday, fri, saturday, sat

Units
     year, month, fortnight, week, day, hour, minute, min, second, sec

Relative
     tomorrow, yesterday, today, now, last, this, next, first, third,
     fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh,
     twelfth, ago

Time Zones
     `kadmin' recognizes abbreviations for most of the world's time
     zones.  A complete listing appears in *Note kadmin Time Zones::.

12-hour Time Delimiters
     am, pm


File: kerberos-admin.info,  Node: Principals,  Next: Policies,  Prev: Date Format,  Up: Administrating Kerberos Database Entries

Principals
==========

Each entry in the Kerberos database contains a Kerberos principal
(*note Definitions::.) and the attributes and policies associated with
that principal.

* Menu:

* Retrieving Information About a Principal::
* Privileges::
* Adding or Modifying Principals::
* Deleting Principals::
* Changing Passwords::
* Renaming Principals::


File: kerberos-admin.info,  Node: Retrieving Information About a Principal,  Next: Privileges,  Prev: Principals,  Up: Principals

Retrieving Information About a Principal
----------------------------------------

* Menu:

* Attributes::
* Retrieving a List of Principals::


File: kerberos-admin.info,  Node: Attributes,  Next: Retrieving a List of Principals,  Prev: Retrieving Information About a Principal,  Up: Retrieving Information About a Principal

Attributes
..........

To retrieve a listing of the attributes and/or policies associated with
a principal, use the `kadmin' `get_principal' command, which requires
the "inquire" administrative privilege.  The syntax is:

     get_principal principal

The `get_principal' command has the alias `getprinc'.

For example, suppose you wanted to view the attributes of the principals
`jennifer/root@ATHENA.MIT.EDU' and `systest@ATHENA.MIT.EDU'.  You would
type:

     shell% kadmin
     kadmin: getprinc jennifer/root
     Principal: jennifer/root@ATHENA.MIT.EDU
     Key version: 3
     Maximum life: 1 day 00:00:00
     Maximum renewable life: 7 days 00:00:00
     Master key version: 1
     Expires: Mon Jan 18 22:14:07 EDT 2038
     Password expires: Mon Sep 19 14:40:00 EDT 1996
     Password last changed: Mon Jan 31 02:06:40 EDT 1996
     Last modified: by joeadmin/admin@ATHENA.MIT.EDU
     	on Wed Jul 13 18:27:08 EDT 1996
     Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE,
     	REQUIRES_HW_AUTH
     Salt type: DEFAULT
     kadmin:

The `get_principal' command has a `-terse' option, which lists the
fields as a quoted, tab-separated string.  For example:

     kadmin: getprinc -terse systest
     systest@ATHENA.MIT.EDU	3	86400	604800	1
     785926535	753241234	785900000
     joeadmin/admin@ATHENA.MIT.EDU	786100034	0
     0
     kadmin:


File: kerberos-admin.info,  Node: Retrieving a List of Principals,  Prev: Attributes,  Up: Retrieving Information About a Principal

Retrieving a List of Principals
...............................

To generate a listing of principals, use the `kadmin' `list_principals'
command, which requires the "list" privilege.  The syntax is:

     list_principals [expression]

where expression is a shell-style glob expression that can contain the
characters `*', `?', `[', and `]'.  All policy names matching the
expression are displayed.  The `list_principals' command has the alias
`listprincs'.  For example:

     kadmin: listprincs test*
     test3@mit.edu
     test2@mit.edu
     test1@mit.edu
     testuser@mit.edu
     kadmin:

If no expression is provided, all principals are printed.


File: kerberos-admin.info,  Node: Privileges,  Next: Adding or Modifying Principals,  Prev: Retrieving Information About a Principal,  Up: Principals

Privileges
----------

Administrative privileges for the Kerberos database are stored in the
file `kadm5.acl'.  Each line of the file contains a principal, the
privileges that principal has, and optionally the target to which those
permissions apply.  The privileges are represented by single letters;
UPPER-CASE letters represent negative permissions.  The permissions are:

a
     allows the addition of principals or policies in the database.

A
     disallows the addition of principals or policies in the database.

d
     allows the deletion of principals or policies in the database.

D
     disallows the deletion of principals or policies in the database.

m
     allows the modification of principals or policies in the database.

M
     disallows the modification of principals or policies in the
     database.

c
     allows the changing of passwords for principals in the database.

C
     disallows the changing of passwords for principals in the database.

i
     allows inquiries to the database.

I
     disallows inquiries to the database.

l
     allows the listing of principals or policies in the database.

L
     disallows the listing of principals or policies in the database.

*
     All privileges (admcil).

x
     All privileges (admcil); identical to "*".

Principals in this file can include the * wildcard.  Here is an example
of a `kadm5.acl' file.  Note that order is important; permissions are
determined by the first matching entry.

     */admin@ATHENA.MIT.EDU  *
     joeadmin/null@ATHENA.MIT.EDU  ADMCIL
     joeadmin/*@ATHENA.MIT.EDU  il
     jennifer/root@ATHENA.MIT.EDU  cil  */root@ATHENA.MIT.EDU
     */*@ATHENA.MIT.EDU  i

In the above file, any principal with an `admin' instance has all
administrative privileges.  The user `joeadmin' has all permissions
with his `admin' instance, `joeadmin/admin@ATHENA.MIT.EDU' (matches the
first line).  He has no permissions at all with his `null' instance,
`joeadmin/null@ATHENA.MIT.EDU' (matches the second line).  He has
inquire and list permissions with any other instance (matches the third
line).  When `jennifer' is using her `root' instance,
`jennifer/root@ATHENA.MIT.EDU', she has change password, inquire, and
list privileges for any other principal that has the instance `root'.
Finally, any principal in the realm `ATHENA.MIT.EDU' (except for
`joeadmin/null@ATHENA.MIT.EDU', as mentioned above) has inquire
privileges.


File: kerberos-admin.info,  Node: Adding or Modifying Principals,  Next: Deleting Principals,  Prev: Privileges,  Up: Principals

Adding or Modifying Principals
------------------------------

To add a principal to the database, use the kadmin `add_principal'
command, which requires the "add" administrative privilege.  The syntax
is:

     kadmin: add_principal [options] principal

To modify attributes of a principal, use the kadmin `modify_principal'
command, which requires the "modify" administrative privilege.  The
syntax is:

     kadmin: modify_principal [options] principal

`add_principal' has the aliases `addprinc' and `ank'(1).
`modify_principal' has the alias `modprinc'.

The `add_principal' and `modify_principal' commands take the following
switches:

-salt salttype
     Uses the specified salt for generating the key.  The valid salt
     types are:

        * full_name (aliases "v5_salt" and "normal"; this is the
          default)

        * name_only

        * realm_only

        * no_salt (alias "v4_salt")

-clearpolicy
     removes the current policy from a principal (`modify_principal'
     only).

-expire date
     Sets the expiration date of the principal to date.

-pwexpire date
     Sets the expiration date of the password to date.

-maxlife maxlife
     Sets the maximum ticket life of the principal to maxlife.

-kvno number
     Explicity sets the key version number to number.  MIT does not
     recommend doing this unless there is a specific reason.

-policy policy
     Sets the policy used by this principal.  (*Note Policies::.)  If no
     policy is supplied, the principal will have no policy, and `kadmin'
     will print a warning message.

{-|+}allow_postdated
     The "-allow_postdated" option prohibits this principal from
     obtaining postdated tickets.  "+allow_postdated" clears this flag.
     In effect, "-allow_postdated" sets the
     KRB5_KDB_DISALLOW_POSTDATED flag on the principal in the database.

{-|+}allow_forwardable
     The "-allow_forwardable" option prohibits this principal from
     obtaining forwardable tickets.  "+allow_forwardable" clears this
     flag.  In effect, "-allow_forwardable" sets the
     KRB5_KDB_DISALLOW_FORWARDABLE flag on the principal in the
     database.

{-|+}allow_renewable
     The "-allow_renewable" option prohibits this principal from
     obtaining renewable tickets.  "+allow_renewable" clears this flag.
     In effect, "-allow_renewable" sets the
     KRB5_KDB_DISALLOW_RENEWABLE flag on the principal in the database.

{-|+}allow_proxiable
     The "-allow_proxiable" option prohibits this principal from
     obtaining proxiable tickets.  "+allow_proxiable" clears this flag.
     In effect, "-allow_proxiable" sets the
     KRB5_KDB_DISALLOW_PROXIABLE flag. on the principal in the database.

{-|+}allow_dup_skey
     The "-allow_dup_skey" option disables user-to-user authentication
     for this principal by prohibiting this principal from obtaining a
     session key for another user.  "+allow_dup_skey" clears this flag.
     In effect, "-allow_dup_skey" sets the KRB5_KDB_DISALLOW_DUP_SKEY
     flag on the principal in the database.

{-|+}requires_preauth
     The "+requires_preauth" option requires this principal to
     preauthenticate before being allowed to kinit.  -requires_preauth
     clears this flag.  In effect, +requires_preauth sets the
     KRB5_KDB_REQUIRES_PRE_AUTH flag on the principal in the database.

{-|+}requires_hwauth
     The "+requires_hwauth" flag requires the principal to
     preauthenticate using a hardware device before being allowed to
     kinit.  "-requires_hwauth" clears this flag.  In effect,
     "+requires_hwauth" sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the
     principal in the database.

{-|+}allow_svr
     The "-allow_svr" flag prohibits the issuance of service tickets for
     this principal.  "+allow_svr" clears this flag.  In effect,
     "-allow_svr" sets the KRB5_KDB_DISALLOW_SVR flag on the principal
     in the database.

{-|+}allow_tgs_req
     The "-allow_tgs_req" option specifies that a Ticket-Granting
     Service (TGS) request for a service ticket for this principal is
     not permitted.  You will probably never need to use this option.
     "+allow_tgs_req" clears this flag.  The default is
     "+allow_tgs_req".  In effect, "-allow_tgs_req" sets the
     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

{-|+}allow_tix
     The "-allow_tix" option forbids the issuance of any tickets for
     this principal.  "+allow_tix" clears this flag.  The default is
     "+allow_tix".  In effect, "-allow_tix" sets the
     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

{-|+}needchange
     The "+needchange" option sets a flag in attributes field to force a
     password change; "-needchange" clears it.  The default is
     "-needchange".  In effect, "+needchange" sets the
     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.

{-|+}password_changing_service
     The "+password_changing_service" option sets a flag in the
     attributes field marking this principal as a password change
     service. (Again, you will probably never need to use this option.)
     "-password_changing_service" clears the flag.  The default is
     "-password_changing_service".  In effect, the
     "+password_changing_service" option sets the
     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database.

-clearpolicy policyname
     Removes the policy policyname from the principal
     (`modify_principal' only).

-randkey
     Sets the key for the principal to a random value (`add_principal'
     only).  MIT recommends using this option for host keys.

-pw password
     Sets the key of the principal to the specified string and does not
     prompt for a password (`add_principal' only).  MIT does not
     recommend using this option.

If you want to just use the default values, all you need to do is:

     kadmin: addprinc jennifer
     WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
     defaulting to no policy.
     Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal jennifer@ATHENA.MIT.EDU:  <=Type it again.
     Principal "jennifer@ATHENA.MIT.EDU" created.
     kadmin:

If, on the other hand, you want to set up an account that expires on
January 1, 2000, that uses a policy called "stduser", with a temporary
password (which you want the user to change immediately), you would type
the following.  (Note:  each line beginning with => is a continuation
of the previous line.)


     kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser
     =>  +needchange
     Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal
     david@ATHENA.MIT.EDU:  <= Type it again.
     Principal "david@ATHENA.MIT.EDU" created.
     kadmin:

If you will need cross-realm authentication, you need to add principals
for the other realm's TGT to each realm.  For example, if you need to do
cross-realm authentication between the realms ATHENA.MIT.EDU and
FUBAR.ORG, you would need to add the principals
`krbtgt/FUBAR.ORG@ATHENA.MIT.EDU' and `krbtgt/ATHENA.MIT.EDU@FUBAR.ORG'
to both databases.  You need to be sure the passwords and the key
version numbers (kvno) are the same in both databases.  This may require
explicitly setting the kvno with the `-kvno' option.

---------- Footnotes ----------

(1)  `ank' was the short form of the equivalent command using the
deprecated `kadmin5' database administrative tool.  It has been kept


File: kerberos-admin.info,  Node: Deleting Principals,  Next: Changing Passwords,  Prev: Adding or Modifying Principals,  Up: Principals

Deleting Principals
-------------------

To delete a principal, use the kadmin `delete_principal' command, which
requires the "delete" administrative privilege.  The syntax is:

     delete_principal [-force] principal

`delete_principal' has the alias `delprinc'.  The `-force' option
causes `delete_principal' not to ask if you're sure.  For example:

     kadmin: delprinc jennifer
     Are you sure you want to delete the principal
     "jennifer@ATHENA.MIT.EDU"? (yes/no): yes
     Principal "jennifer@ATHENA.MIT.EDU" deleted.
     Make sure that you have removed this principal from
     all ACLs before reusing.
     kadmin:


File: kerberos-admin.info,  Node: Changing Passwords,  Next: Renaming Principals,  Prev: Deleting Principals,  Up: Principals

Changing Passwords
------------------

To change a principal's password use the kadmin `change_password'
command, which requires the "modify" administrative privilege (unless
the principal is changing his/her own password).  The syntax is:

     change_password [options] principal

The `change_password' option has the alias `cpw'.  `change_password'
takes the following options:

-salt salttype
     Uses the specified salt for generating the key.  Salt types are
     the same as for the `add_principal' command (*note Adding or
     Modifying Principals::.).

-randkey
     Sets the key of the principal to a random value.

-pw password
     Sets the password to the string password.  MIT does not recommend
     using this option.

For example:

     kadmin: cpw david
     Enter password for principal david@ATHENA.MIT.EDU:  <= Type the new password.
     Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
     Password for david@ATHENA.MIT.EDU changed.
     kadmin:

Note that `change_password' will not let you change the password to one
that is in the principal's password history.


File: kerberos-admin.info,  Node: Renaming Principals,  Prev: Changing Passwords,  Up: Principals

Renaming Principals
-------------------

To rename a principal, use the kadmin `rename_principal' command, which
requires both the "add" and "delete" administrative privileges.  The
syntax is:

     rename_principal [-force] old_principal new_principal

The `rename_principal' command has the alias `renprinc'.

For example:

     kadmin: renprinc test test0
     Are you sure you want to rename the principal
     "test@ATHENA.MIT.EDU" to
     "test0@ATHENA.MIT.EDU"? (yes/no): yes
     Principal "test@ATHENA.MIT.EDU" renamed to
     "test0@ATHENA.MIT.EDU".
     Make sure that you have removed "test@ATHENA.MIT.EDU" from
     all ACLs before reusing.
     kadmin:


File: kerberos-admin.info,  Node: Policies,  Next: Dumping a Kerberos Database to a File,  Prev: Principals,  Up: Administrating Kerberos Database Entries

Policies
========

A policy is a set of rules governing passwords.  Policies can dictate
minimum and maximum password lifetimes, minimum number of characters and
character classes a password must contain, and the number of old
passwords kept in the database.

* Menu:

* Retrieving Policies::
* Retrieving the List of Policies::
* Adding or Modifying Policies::
* Deleting Policies::


File: kerberos-admin.info,  Node: Retrieving Policies,  Next: Retrieving the List of Policies,  Prev: Policies,  Up: Policies

Retrieving Policies
-------------------

To retrieve a policy, use the kadmin `get_policy' command, which
requires the "inquire" administrative privilege.  The syntax is:

     get_policy [-terse] policy

The `get_policy' command has the alias `getpol'.  For example:

     kadmin: get_policy admin
     Policy: admin
     Maximum password life: 180 days 00:00:00
     Minimum password life: 00:00:00
     Minimum password length: 6
     Minimum number of password character classes: 2
     Number of old keys kept: 5
     Reference count: 17
     kadmin:

The "reference count" is the number of principals using that policy.

The `get_policy' command has a `-terse' option, which lists each field
as a quoted, tab-separated string.  For example:

     kadmin: get_policy -terse admin
     admin   15552000        0       6       2       5       17
     kadmin:


File: kerberos-admin.info,  Node: Retrieving the List of Policies,  Next: Adding or Modifying Policies,  Prev: Retrieving Policies,  Up: Policies

Retrieving the List of Policies
-------------------------------

You can retrieve the list of policies with the kadmin `list_policies'
command, which requires the "list" privilege.  The syntax is:

     list_policies [expression]

where expression is a shell-style glob expression that can contain the
characters *, ?, and [].  All policy names matching the expression are
displayed.  The `list_policies' command has the alias `listpols'.  For
example:

     kadmin:  listpols
     test-pol
     dict-only
     once-a-min
     test-pol-nopw
     
     kadmin:  listpols t*
     test-pol
     test-pol-nopw
     kadmin:


File: kerberos-admin.info,  Node: Adding or Modifying Policies,  Next: Deleting Policies,  Prev: Retrieving the List of Policies,  Up: Policies

Adding or Modifying Policies
----------------------------

To add a new policy, use the kadmin `add_policy' command, which
requires the "add" administrative privilege.  The syntax is:

     add_policy [options] policy_name

To modify attributes of a principal, use the kadmin `modify_policy'
command, which requires the "modify" administrative privilege.  The
syntax is:

     modify_policy [options] policy_name

`add_policy' has the alias `addpol'.  `modify_poilcy' has the alias
`modpol'.

The `add_policy' and `modify_policy' commands take the following
switches:

-maxlife time
     Sets the maximum lifetime of a password to time.

-minlife time
     Sets the minimum lifetime of a password to time.

-minlength length
     Sets the minimum length of a password to length characters.

-minclasses number
     Requires at least number of character classes in a password.

-history number
     Sets the number of past keys kept for a principal to number.


File: kerberos-admin.info,  Node: Deleting Policies,  Prev: Adding or Modifying Policies,  Up: Policies

Deleting Policies
-----------------

To delete a policy, use the `kadmin' `delete_policy' command, which
requires the "delete" administrative privilege.  The syntax is:

     delete_policy policy_name

The `delete_policy' command has the alias `delpol'.  It prompts for
confirmation before deletion.  For example:

     kadmin: delete_policy guests
     Are you sure you want to delete the policy "guests"?
     (yes/no): yes
     Policy "guests" deleted.
     kadmin:

Note that you must cancel the policy from all principals before deleting
it.  The `delete_policy' command will fail if it is in use by any
principals.


File: kerberos-admin.info,  Node: Dumping a Kerberos Database to a File,  Next: Restoring a Kerberos Database from a Dump File,  Prev: Policies,  Up: Administrating Kerberos Database Entries

Dumping a Kerberos Database to a File
=====================================

To dump a Kerberos database into a file, use the `kdb5_util' `dump'
command on one of the KDCs.  The syntax is:

     kdb5_util dump [-old] [-b6] [-ov] [-verbose] [filename
     [principals...]]

The `kdb5_util dump' command takes the following options:

-old
     causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
     format ("kdb5_edit load_dump version 2.0").

-b6
     causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
     load_dump version 3.0").

-ov
     causes the dump to be in ovsec_adm_export format.

-verbose
     causes the name of each principal and policy to be printed as it is
     dumped.

For example:

     shell% kdb5_util dump dumpfile
     shell%

     shell% kbd5_util dump -verbose dumpfile
     kadmin/admin@ATHENA.MIT.EDU
     krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
     kadmin/history@ATHENA.MIT.EDU
     K/M@ATHENA.MIT.EDU
     kadmin/changepw@ATHENA.MIT.EDU
     shell%

If you specify which principals to dump, you must use the full
principal, as in the following example.  (The line beginning with => is
a continuation of the previous line.):

     shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU
     => kadmin/admin@ATHENA.MIT.EDU
     kadmin/admin@ATHENA.MIT.EDU
     K/M@ATHENA.MIT.EDU
     shell%

Otherwise, the principals will not match those in the database and will
not be dumped:

     shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin
     shell%

If you do not specify a dump file, `kdb5_util' will dump the database
to the standard output.


File: kerberos-admin.info,  Node: Restoring a Kerberos Database from a Dump File,  Next: Creating a Stash File,  Prev: Dumping a Kerberos Database to a File,  Up: Administrating Kerberos Database Entries

Restoring a Kerberos Database from a Dump File
==============================================

To restore a Kerberos database dump from a file, use the `kdb5_util'
`load' command on one of the KDCs.  The syntax is:

     kdb5_util load [-old] [-b6] [-ov] [-verbose] [-update]
     dumpfilename dbname [admin_dbname]

The `kdb5_util load' command takes the following options:

-old
     requires the dump to be in the Kerberos 5 Beta 5 and earlier dump
     format ("kdb5_edit load_dump version 2.0").

-b6
     requires the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
     load_dump version 3.0").

-ov
     requires the dump to be in ovsec_adm_export format.

-verbose
     causes the name of each principal and policy to be printed as it is
     dumped.

-update
     causes records from the dump file to be updated in or added to the
     existing database.

For example:

     shell% kdb5_util load dumpfile principal
     shell%

     shell% kdb5_util load -update dumpfile principal
     shell%

If the database file exists, and the -update flag was not given,
`kdb5_util' will overwrite the existing database.


File: kerberos-admin.info,  Node: Creating a Stash File,  Next: Creating and Destroying a Kerberos Database,  Prev: Restoring a Kerberos Database from a Dump File,  Up: Administrating Kerberos Database Entries

Creating a Stash File
=====================

A stash file allows a KDC to authenticate itself to the database
utilities, such as `kadmin', `kadmind', `krb5kdc', and `kdb5_util'.

To create a stash file, use the `kdb5_util' `stash' command.  The
syntax is:

     kdb5_util stash [-f keyfile]

For example:

     shell% kdb5_util stash
     kdb5_util: Cannot find/read stored master key while reading master key
     kdb5_util: Warning: proceeding without master key
     Enter KDC database master key:  <= Type the KDC database master password.
     shell%

If you do not specify a stash file, `kdb5_util' will stash the key in
the file specified in your `kdc.conf' file.


File: kerberos-admin.info,  Node: Creating and Destroying a Kerberos Database,  Prev: Creating a Stash File,  Up: Administrating Kerberos Database Entries

Creating and Destroying a Kerberos Database
===========================================

If you need to create a new Kerberos database, use the `kdb5_util'
`create' command.  The syntax is:

     kdb5_util create [-s]

If you specify the `-s' option, `kdb5_util' will stash a copy of the
master key in a stash file.  (*Note Creating a Stash File::.)  For
example:

     shell% /usr/krb5/sbin/kdb5_util -r ATHENA.MIT.EDU create -s
     kdb5_util: No such file or directory while setting active database to '/krb5/principal'
     Initializing database '/usr/krb5/lib/krb5kdc/principal' for
     => realm 'ATHENA.MIT.EDU',
     master key name 'K/M@ATHENA.MIT.EDU'
     You will be prompted for the database Master Password.
     It is important that you NOT FORGET this password.
     Enter KDC database master key:  <= Type the master password.
     Re-enter KDC database master key to verify:  <= Type it again.
     shell%


File: kerberos-admin.info,  Node: Application Servers,  Next: Backups of Secure Hosts,  Prev: Administrating Kerberos Database Entries,  Up: Top

Application Servers
*******************

If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide.  Once you
have installed the software, you need to add that host to the Kerberos
database (*note Adding or Modifying Principals::.), and generate a
"keytab" for that host, that contains the host's key.  You also need to
make sure the host's clock is within your maximum clock skew of the
KDCs.

* Menu:

* Keytabs::
* Clock Skew::
* Getting DNS Information Correct::
* Configuring Your Firewall to Work With Kerberos V5::

