
KAdmin HOWTO: Managing and Administering Non-User PennKeys


Terms Used

In MIT Kerberos documentation, principal is the term used for the userid belonging to a person or a program for using Kerberos. Penn uses PennKey as a friendlier synonym. They are interchangeable in the context of getting Kerberos to work.

For Kerberos use, each user must have a User PennKey, but each kerberized host must also have a Service PennKey or a Cross-Realm Trust PennKey for each service (telnet, ftp, etc.).

The following generic terms appear in the examples; replace each with the value appropriate to your particular situation.

service: The service name the application expects, for example host, pop, imap or krbtgt.

dept.upenn.edu or theorg.upenn.edu: A DNS domain name for your organization.

machine: The host's own DNS name, which combined with dept.upenn.edu forms the host's fully-qualified domain name (FQDN).

pennname: An individual's unique alphanumeric identifier, assigned within the PennNames database and used in many Penn systems, including PennKey.


KAdmin PennKey Capabilities

KAdmin PennKeys allow creating, changing and deleting other KAdmin PennKeys and Service PennKeys within the DNS domain that follows the "kadmin-" string. Case is observed: KAdmin and Service PennKeys must list the DNS domain in lowercase, whereas Cross-Realm Trust PennKeys must list the MS domain in uppercase. One KAdmin PennKey may even delete the KAdmin PennKey which created it.

In the examples below, the realm for Penn, @UPENN.EDU, is not included since it is the default if krb5.conf is set up right.

So the example KAdmin PennKey,

person11/kadmin-theorg.upenn.edu

may issue, change or delete all of these:

person54/kadmin-theorg.upenn.edu
person55/kadmin-server1.theorg.upenn.edu
person56/kadmin-www.suborg.theorg.upenn.edu
ftp/theorg.upenn.edu
host/server1.theorg.upenn.edu
mynewservice/www.suborg.theorg.upenn.edu

but not these:

person54/kadmin-otherorg.upenn.edu
person55
person56/kadmin-www.upenn.edu
person57/kadmin-THEORG.UPENN.EDU
ftp/ourotherDNSdomain.upenn.edu
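The scope rule above (same DNS domain or a subdomain of it, case-sensitive, with "kadmin-" stripped from KAdmin instances) can be checked before handing a request to kadmin. The following POSIX shell helper is an added example written for this page, not Penn's or MIT's code; the function name kadmin_may_manage is a hypothetical one, and it encodes only the rule stated in the text above, not the KDC's actual ACL file.

```shell
#!/bin/sh
# Hypothetical helper (not part of Penn's kadmin setup): decide from the
# naming rule on this page whether a KAdmin PennKey may manage a principal.
# Usage: kadmin_may_manage ADMIN_PRINCIPAL TARGET_PRINCIPAL  -> exit 0/1
kadmin_may_manage() {
    admin=$1
    target=$2
    # An explicit @REALM may be present; the rule is about the instance only.
    admin=${admin%@*}
    target=${target%@*}
    # The admin must itself be of the form pennname/kadmin-<dns-domain>.
    case $admin in
        */kadmin-?*) ;;
        *) return 1 ;;
    esac
    domain=${admin#*/kadmin-}
    # A bare principal with no instance (e.g. a User PennKey) is out of scope.
    case $target in
        */?*) ;;
        *) return 1 ;;
    esac
    instance=${target#*/}
    # KAdmin principals carry a "kadmin-" prefix; Service principals do not.
    hostpart=${instance#kadmin-}
    # Allowed only for the admin's own domain or a subdomain of it.
    # No case folding: THEORG.UPENN.EDU is not theorg.upenn.edu.
    [ "$hostpart" = "$domain" ] && return 0
    case $hostpart in
        *".$domain") return 0 ;;
    esac
    return 1
}

# Demonstration with the page's own examples for person11/kadmin-theorg.upenn.edu.
for p in person54/kadmin-theorg.upenn.edu host/server1.theorg.upenn.edu \
         person54/kadmin-otherorg.upenn.edu person55 person57/kadmin-THEORG.UPENN.EDU; do
    if kadmin_may_manage person11/kadmin-theorg.upenn.edu "$p"; then
        echo "allowed: $p"
    else
        echo "denied:  $p"
    fi
done
```

The check is deliberately strict in the same way the page is: a mismatch in case, a different sibling domain, or a missing instance all deny. It is useful as a pre-check in an issuance script or when auditing a list of existing principals against the KAdmin PennKey that is supposed to own them.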


Schools' and Centers' Role

During the initial introduction of Kerberos, ISC issued KAdmin PennKeys. However, once an authorized individual in a school or center has received a KAdmin PennKey for its DNS domains, ISC plans not to issue additional KAdmin or Service PennKeys for that school or center. Instead, the school or center will control the issuance of its KAdmin, Service and Cross-Realm Trust PennKeys. A list of KAdmin PennKey issuers is available. Systems administrators and Local Support Providers (LSPs) may contact the ProDesk if their school or center is not listed.

ISC continues to issue User PennKeys via the applications found in "Register Your PennKey".

You'll need to understand the following privileges and assign them carefully. Carelessness with a KAdmin PennKey could undermine the security of systems in your school or center.

In particular, please be aware of the following points:

  1. Only give such privileges to people whom you consider to be very trustworthy.

  2. Make sure to properly authenticate people before issuing KAdmin PennKeys. Accepting requests and issuing keys in email is unacceptable unless requests are properly authenticated (using PGP for example) and passwords properly encrypted (again, PGP).

  3. You should keep records as you issue KAdmin PennKeys to help in removing privileges or revoking keys in the future.


Models for Completing Common Tasks

Here are examples of commands that you may use as models when issuing, managing and administering PennKeys. For more details, see the man page for kadmin on your system or visit MIT's documentation website at web.mit.edu/kerberos/www/krb5-1.2/index.html.

  • Login to the "kadmin" program and environment with your KAdmin PennKey

    kadmin -p pennname/kadmin-dept.upenn.edu

    [you will be prompted for your password here]
    [you will see the ">" prompt indicating you're in kadmin]

  • Exit from the "kadmin" program and environment

    exit
    [you will return to your system prompt]

  • Create another KAdmin PennKey

    addprinc +requires_preauth pennname/kadmin-lowercasednsofhost.dept.upenn.edu

  • Create a Service PennKey

    addprinc -randkey +requires_preauth service/machine.dept.upenn.edu

    [now see "Export a Service PennKey", below]

  • Export a Service PennKey to a "keytab" file with a randomized password (only on Unix-like systems)

    [First see "Create a Service PennKey", above]

    ktadd service/machine.dept.upenn.edu

    [That command saves the Service PennKey with the default name /etc/krb5.keytab. To save it somewhere else (for instance, to allow using kadmin on your local, non-shared computer and thereafter transfer the keytab file securely to the multi-user computer on which the service runs), use the following:]

    ktadd -k /path/here/alt.keytab service/machine.dept.upenn.edu

  • Create a Cross-Realm Trust PennKey with a known password

    addprinc -e des-cbc-crc:normal +allow_svr krbtgt/MSDOMAIN.DEPT.UPENN.EDU

    [Note that the Windows 2000 domain must be in caps, and you must use a KAdmin PennKey which likewise uses caps. For instance, logging in with this KAdmin PennKey would allow creating the previous Cross-Realm Trust PennKey: pennname/kadmin-DEPT.UPENN.EDU ]

    Enter password for principal "krbtgt/MSDOMAIN.DEPT.UPENN.EDU":
    Re-enter password for principal "krbtgt/MSDOMAIN.DEPT.UPENN.EDU":

    Password for "krbtgt/MSDOMAIN.DEPT.UPENN.EDU@UPENN.EDU" changed.

    [Make it a strong password.]

  • Reset password on KAdmin PennKey to a selected password for someone who has forgotten their password

    cpw pennname/kadmin-machine.dept.upenn.edu

    Enter password for principal "pennname/kadmin-machine.dept.upenn.edu":
    Re-enter password for principal "pennname/kadmin-machine.dept.upenn.edu":

    Password for "pennname/kadmin-machine.dept.upenn.edu@UPENN.EDU" changed.

    [Make it a strong password.]

    For Cross-Realm Trust PennKeys, you'll instead need to delete the PennKey and recreate it with a different password. Otherwise the principal's internal key version number ("kvno") will no longer be 1, which Microsoft currently requires.

  • Reset a password for a User or KAdmin PennKey when you know the password

    Unix: "kpasswd" program (see man page)
    Mac: The ticket manager (see /pennkey/use/)
    Win32: Leash32 (see /pennkey/use/)

    [Though kadmin can be used for this, the extra complexity comes with no benefits]

    For Cross-Realm Trust PennKeys, you'll instead need to delete the PennKey and recreate it with a different password. Otherwise the principal's internal key version number ("kvno") will no longer be 1, which Microsoft currently requires.

  • Delete another KAdmin, Service or Cross-Realm Trust PennKey

    delete_principal pennname/kadmin-dept.upenn.edu
    Are you sure you want to delete the principal "pennname/kadmin-dept.upenn.edu"? (yes/no): yes

    It is possible but unwise to delete the KAdmin PennKey with which you logged in to the kadmin program.
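The interactive steps above can be scripted once the naming rules are enforced up front. The following POSIX shell wrapper is an added example for this page, not Penn's tooling; it uses MIT kadmin's -q option (which runs one query non-interactively and is not shown on this page) and the exact addprinc/ktadd flags given above. ADMIN_PRINC, KADMIN and the function names are assumptions of this example; set KADMIN=echo to see the commands without contacting the KDC.

```shell
#!/bin/sh
# Hypothetical wrapper around MIT kadmin for the tasks on this page.
# ADMIN_PRINC: the KAdmin PennKey to log in with (kadmin prompts for its password).
# KADMIN: the kadmin binary; "echo" dry-runs the commands instead.
ADMIN_PRINC=${ADMIN_PRINC:-pennname/kadmin-dept.upenn.edu}

# Naming-rule checks from the page: DNS names lowercase, MS domain uppercase.
is_lowercase() { case $1 in *[A-Z]*) return 1 ;; *) return 0 ;; esac; }
is_uppercase() { case $1 in *[a-z]*) return 1 ;; *) return 0 ;; esac; }

# One kadmin invocation running a single query (MIT kadmin -q).
run_kadmin() { "${KADMIN:-kadmin}" -p "$ADMIN_PRINC" -q "$1"; }

# create_service_key SERVICE HOST_FQDN KEYTAB
# "Create a Service PennKey" followed by "Export a Service PennKey": random
# key, preauth required, exported to an alternate keytab path, then the
# keytab is restricted to its owner because it is a long-lived credential.
create_service_key() {
    service=$1; host=$2; keytab=$3
    is_lowercase "$host" || { echo "host must be lowercase: $host" >&2; return 1; }
    run_kadmin "addprinc -randkey +requires_preauth $service/$host" || return 1
    run_kadmin "ktadd -k $keytab $service/$host" || return 1
    [ -f "$keytab" ] && chmod 600 "$keytab"
    return 0
}

# create_cross_realm_key MSDOMAIN
# "Create a Cross-Realm Trust PennKey": enctype and flags exactly as the page
# gives them. kadmin prompts twice for the password; choose a strong one.
# The MS domain and the issuing KAdmin PennKey must both be in uppercase.
create_cross_realm_key() {
    msdomain=$1
    is_uppercase "$msdomain" || { echo "MS domain must be uppercase: $msdomain" >&2; return 1; }
    case $ADMIN_PRINC in
        */kadmin-*[a-z]*) echo "log in with the uppercase KAdmin PennKey for cross-realm keys" >&2; return 1 ;;
    esac
    run_kadmin "addprinc -e des-cbc-crc:normal +allow_svr krbtgt/$msdomain"
}

# delete_key PRINCIPAL
# "Delete another KAdmin, Service or Cross-Realm Trust PennKey". Refuses to
# delete the KAdmin PennKey currently in use, which the page calls unwise.
delete_key() {
    [ "$1" = "$ADMIN_PRINC" ] && { echo "refusing to delete the logged-in KAdmin PennKey" >&2; return 1; }
    run_kadmin "delete_principal $1"
}
```

A recreate-with-new-password for a Cross-Realm Trust PennKey, as the page describes, is then delete_key followed by create_cross_realm_key. The des-cbc-crc enctype is reproduced from the page because it is what the page specifies for Windows 2000 trusts; single DES is no longer considered adequate, so treat that line as historical rather than as a recommendation.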


Information Systems and Computing
University of Pennsylvania