
Installing the MIT Kerberos V5 Distribution (UNIX)

This document describes how to build and install the MIT Kerberos V5 distribution on Penn UNIX servers.

Obtain and unpack the distribution

Obtain the source code for the latest distribution from MIT. (The current version is 1.2.8 as of 15 Apr 2003.)

Please upgrade old distributions! Quoting MIT's advisory:

Multiple vulnerabilities have been found in MIT Kerberos 5 releases prior to release 1.2.5. MIT recommends updating to 1.2.7 [and as of 20 Mar 2003, 1.2.8] if possible.

  1. Go to http://web.mit.edu/network/kerberos-form.html. Answer 'yes' to all the questions if appropriate, after which you will be taken to MIT's Kerberos software distribution page.

  2. Click on 'Kerberos V5 Release 1.2 Source Distributions' and select the file: krb5-1.2.8.tar
    (Version 1.3-alpha is available, but we do not recommend using pre-production releases of Kerberos software at Penn for production work.)

  3. Go to http://web.mit.edu/kerberos/www/advisories/ and retrieve all security patches for the krb5-1.2.8 distribution. As of 15 Apr 2003, there are no patches needed for Penn machines running this version of the distribution.

Build and install the distribution

  1. Enter the src subdirectory of the unpacked source code and issue the command to configure the package:

    cd krb5-1.2.8/src
    ./configure --without-krb4

    Note:

    The above example shows a basic configure command. Individual sites may want to provide additional configuration options to customize their installation according to local conventions. Running './configure --help' will enumerate most of the available configuration options and their corresponding defaults. It may also be useful to read the Kerberos installation manual in the doc subdirectory of the distribution (install.html).

    For platforms on which shared libraries are supported (Solaris, Linux, Irix, Tru64), you may also want to consider adding '--enable-shared' to the configure line.

  2. Issue the commands to build and install the package:

    make
    make install

Install the Kerberos configuration file

Place the Kerberos configuration file at /etc/krb5.conf (available for download). Its contents, before the [logging] section is adjusted to match any local syslog conventions, are:

[libdefaults]
        default_realm = UPENN.EDU
        default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
        default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
        dns_fallback = true

[realms]
        UPENN.EDU = {
                admin_server = kerberos1.upenn.edu
        }

[logging]
        kdc = SYSLOG:INFO:AUTH
        admin_server = SYSLOG:INFO:AUTH
        default = SYSLOG:INFO:AUTH

Add entries for Kerberos services to /etc/services

Add the following entries for Kerberos services to the services file (usually the file /etc/services). This step is not strictly required for Kerberos to run.

kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
kerberos-adm 749/tcp # Kerberos V5 Administration
kerberos-adm 749/udp # Kerberos V5 Administration
kerberos-sec 750/tcp # Also called kerberos-iv, but needed for V5
kerberos-sec 750/udp # Also called kerberos-iv, but needed for V5
kerberos-master 751/tcp
kerberos-master 751/udp

Note:

Some recent operating systems, such as Solaris 8, may already have these entries.
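The following is an added example, not a script from the Penn page: it appends the eight entries above to a services file only where the port/protocol pair is not already bound, which is the case the note describes for Solaris 8. The FILE argument is a hypothetical parameter so the function can be tried on a scratch copy before it is pointed at /etc/services.

```shell
#!/bin/sh
# Added example (not part of the Penn page): merge the Kerberos V5 entries
# into a services file without duplicating any port/protocol that is already
# bound there, as it may be on Solaris 8 and similar systems.

KRB5_SERVICES='kerberos 88/udp kdc # Kerberos V5 KDC
kerberos 88/tcp kdc # Kerberos V5 KDC
kerberos-adm 749/tcp # Kerberos V5 Administration
kerberos-adm 749/udp # Kerberos V5 Administration
kerberos-sec 750/tcp # Also called kerberos-iv, but needed for V5
kerberos-sec 750/udp # Also called kerberos-iv, but needed for V5
kerberos-master 751/tcp
kerberos-master 751/udp'

# add_krb5_services FILE   (FILE is a hypothetical parameter; see lead-in)
# Appends each entry whose port/proto is not yet present in FILE. A port that
# is already present under another name is reported and left alone, since the
# existing binding is the one the resolver will use.
add_krb5_services() {
    file=$1
    printf '%s\n' "$KRB5_SERVICES" | while read -r name portproto rest; do
        # Look for a non-comment line whose second field is this port/proto.
        if existing=$(awk -v pp="$portproto" \
                '$1 !~ /^#/ && $2 == pp { print $1; found=1 } END { exit !found }' \
                "$file"); then
            [ "$existing" = "$name" ] || \
                echo "note: $portproto already present in $file as $existing" >&2
            continue
        fi
        printf '%s\n' "$name $portproto${rest:+ $rest}" >> "$file"
    done
}
```

Running it a second time changes nothing, so it is safe to include in a host build script.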

Prevent Kerberos authenticated root access

Disallow root access via Kerberos authentication by installing the empty files .k5users and .k5login in the home directory of the root account:

cp /dev/null /.k5users
cp /dev/null /.k5login

On some systems, root has a different home directory (such as /root with some Linux distributions). Adapt the command accordingly. For example:

cp /dev/null /root/.k5users
cp /dev/null /root/.k5login

Prevent backup of service keys - Very Important!

The service keys are stored in the file /etc/krb5.keytab, which is readable only by root. This file does not usually exist until a service key has been extracted into it. Since replacements can easily be created with 'kadmin', there is no need to back it up, and doing so carries considerable risk.

This is extremely important: prevent keytab files from being backed up! Backing them up is especially dangerous when it is done over the network. In short, prevent access to service key files in every way: prevent them from being sniffed during network backups, prevent access to backup tapes or other media, and restrict the file itself (by granting permissions only to root), so that an attacker cannot masquerade as the server itself.
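An added check (not from the page) for the file-permission half of the advice above: it verifies that the keytab, if it exists, is owned by root, carries no group or other permission bits, and is not a symbolic link pointing at a less protected copy. The KEYTAB and OWNER arguments are hypothetical parameters; the defaults are /etc/krb5.keytab and root.

```shell
#!/bin/sh
# Added example (not part of the Penn page): audit a keytab's permissions.
# audit_keytab [KEYTAB] [OWNER]   (both arguments are hypothetical parameters)
# Prints each problem found and returns non-zero if there is one.

audit_keytab() {
    kt=${1:-/etc/krb5.keytab}
    want_owner=${2:-root}
    if [ ! -e "$kt" ]; then
        # Normal on a fresh host: the file appears once a key is extracted.
        echo "$kt does not exist yet; nothing to check"
        return 0
    fi
    status=0
    # ls -ld prints e.g. "-rw------- 1 root root 142 ..."; take the ten
    # permission characters and the owner column.
    perms=$(ls -ld "$kt" | cut -c1-10)
    owner=$(ls -ld "$kt" | awk '{ print $3 }')
    case "$perms" in
        ????------) ;;   # no group or other bits set
        *) echo "BAD: $kt is accessible to non-owners ($perms)"; status=1 ;;
    esac
    if [ "$owner" != "$want_owner" ]; then
        echo "BAD: $kt is owned by $owner, not $want_owner"
        status=1
    fi
    # A symlink would let the real keytab live somewhere less protected.
    if [ -L "$kt" ]; then
        echo "BAD: $kt is a symbolic link"
        status=1
    fi
    return $status
}
```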

Adjust TCP Wrappers, Firewall Rules as Needed

Modify access rules to allow Kerberos-related network traffic to enter and leave your machine. For each port below, permit packets to exit your machine with any source port and a destination of one of Penn's three KDCs (kerberos1.upenn.edu, kerberos2.upenn.edu, kerberos3.upenn.edu), with the port listed here as the destination port. Additionally, permit replies from the KDCs using the source port listed here and destined to any of your machine's unprivileged ports (above 1024).


Port to allow   TCP   UDP
88              Yes   Yes
749             Yes   Yes
750             Yes   Yes
751             Yes   Yes
464             n/a   Yes

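As an added example (not from the Penn page), the function below turns the table and the two rules of the paragraph above into iptables commands for a host that filters with iptables, which is an assumption; Solaris, Irix and Tru64 hosts use other packet filters. For each KDC and each permitted port/protocol it prints one OUTPUT rule for the request and one INPUT rule for the reply from the KDC's service port to an unprivileged local port.

```shell
#!/bin/sh
# Added example (not part of the Penn page): print, but do not apply,
# iptables rules for the Kerberos ports in the table above. Review the
# output before piping it to sh. iptables is an assumption of this example.

KDCS="kerberos1.upenn.edu kerberos2.upenn.edu kerberos3.upenn.edu"
# From the table: 464 is UDP only; the other four ports are TCP and UDP.
TCP_PORTS="88 749 750 751"
UDP_PORTS="88 749 750 751 464"

krb5_firewall_rules() {
    for kdc in $KDCS; do
        for proto in tcp udp; do
            if [ "$proto" = tcp ]; then ports=$TCP_PORTS; else ports=$UDP_PORTS; fi
            for port in $ports; do
                # Request: any local source port -> KDC:port
                printf 'iptables -A OUTPUT -p %s -d %s --dport %s -j ACCEPT\n' \
                    "$proto" "$kdc" "$port"
                # Reply: KDC:port -> local unprivileged port (above 1024)
                printf 'iptables -A INPUT -p %s -s %s --sport %s --dport 1025:65535 -j ACCEPT\n' \
                    "$proto" "$kdc" "$port"
            done
        done
    done
}
```

The hostnames are resolved when the rules are loaded, so the host must be able to reach DNS at that point.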
 


Information Systems and Computing
University of Pennsylvania