[table of contents][main topic of chapter][index][previous][next]
[copyright and trademarks][Preface Overview][Cisco TCP/IP Suite books]

Setting Kerberos Options

Kerberos authenticates user access to a remote system without sending passwords over the network. This form of authentication, which uses strong encryption, prevents intruders from breaking into systems by capturing passwords.

A fully implemented Kerberos system contains a number of components. This section provides a high-level overview of these components and how they interact with one another.

To set up a secure environment using Kerberos, a network administrator first establishes a Kerberos database on a dedicated system. This system is known as the Kerberos ticket server, KDC (Key Distribution Center) or admin server (short for administrative server). The KDC must be secure, and the Kerberos database itself must be inaccessible via NFS or other disk-sharing protocols. The Kerberos database is the cornerstone of the network's security: an attacker who manages to access the Kerberos database can access every machine on the network that uses Kerberos for user authentication.

On the KDC, the network administrator sets a master key that is used to access the Kerberos database itself, and adds database entries for user names and application servers. For each application server, a srvtab file is created and securely moved to the server; this file is used when a user accesses the server and eliminates the need for the server to communicate directly with the KDC whenever a user needs to be authenticated.

On a client system, the user must configure a list of ticket servers for each realm in which they wish to be authenticated. A realm is an administrative space, similar to a DNS domain. Kerberos realms and DNS domains often overlap, and the name of a realm is usually the same as the domain that it applies to, although not always. Realm names are case-sensitive and are almost always uppercase. For example, an application server named apple.yoyodyne.com could be in the realm YOYODYNE.COM. In the realm YOYODYNE.COM, one of the KDCs could be named kerberos.yoyodyne.com. A user usually authenticates in the local realm, but they can use any realm for which a ticket server is listed.

After configuring the client system, the user can get tickets from the KDC. Each ticket lets the user access a particular service or group of services. Initially, the user obtains a ticket-granting ticket, which allows the client system to automatically get server-specific tickets. The user only needs to provide their user name and password to get the ticket-granting ticket. Various client programs like Telnet use the ticket-granting ticket to get server tickets as needed, as long as the ticket-granting ticket has not expired. If the ticket-granting ticket expires, the user may be asked for their user name and password the next time they run an application like Telnet. Kerberos grants ticket-granting tickets to some services automatically, such as Telnet and FTP.
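The ticket lifecycle described above, as an added model that is not code from Cisco TCP/IP Suite: a ticket-granting ticket (TGT) is obtained when the user supplies credentials, service tickets are obtained with the TGT for as long as it is valid, and an expired TGT means the user must authenticate again. The cache also mirrors the Show Expired Tickets behaviour of the Kerberos dialog. The service names, lifetimes and timestamps are constructed for illustration, and no real Kerberos protocol or cryptography is involved.

```python
"""Model of the client-side ticket cache behaviour described in the text.

Added example, not Cisco TCP/IP Suite code. Only the lifecycle rules the
text states are modelled; times are plain integers (seconds) chosen for
illustration, and no password or key material is handled.
"""
from dataclasses import dataclass, field
from typing import Dict, List

TGT_SERVICE = "krbtgt"  # conventional name of the ticket-granting service


class NeedsCredentials(Exception):
    """Raised when no valid TGT exists and the user must log in again."""


@dataclass(frozen=True)
class Ticket:
    service: str
    realm: str
    issued: int    # constructed epoch-style timestamps
    expires: int

    def is_expired(self, now: int) -> bool:
        return now >= self.expires


@dataclass
class TicketCache:
    realm: str
    tickets: Dict[str, Ticket] = field(default_factory=dict)

    def login(self, now: int, lifetime: int) -> Ticket:
        """Obtain a TGT. In the real client this is where the user name and
        password are supplied; the password itself never leaves the client."""
        tgt = Ticket(TGT_SERVICE, self.realm, now, now + lifetime)
        self.tickets[TGT_SERVICE] = tgt
        return tgt

    def needs_login(self, now: int) -> bool:
        """True when there is no usable TGT, i.e. the user will be prompted again."""
        tgt = self.tickets.get(TGT_SERVICE)
        return tgt is None or tgt.is_expired(now)

    def ticket_for(self, service: str, now: int, lifetime: int) -> Ticket:
        """Return a usable service ticket, obtaining one with the TGT if needed."""
        cached = self.tickets.get(service)
        if cached is not None and not cached.is_expired(now):
            return cached
        if self.needs_login(now):
            raise NeedsCredentials(f"TGT for {self.realm} missing or expired; log in again")
        tgt = self.tickets[TGT_SERVICE]
        # A service ticket cannot outlive the TGT it was obtained with.
        ticket = Ticket(service, self.realm, now, min(now + lifetime, tgt.expires))
        self.tickets[service] = ticket
        return ticket

    def list_tickets(self, now: int, show_expired: bool = False) -> List[Ticket]:
        """Active tickets, plus expired ones only when requested (Show Expired Tickets)."""
        return [t for t in self.tickets.values() if show_expired or not t.is_expired(now)]

    def destroy(self) -> None:
        """Remove all existing tickets (the dialog's remove-all-tickets action)."""
        self.tickets.clear()


if __name__ == "__main__":
    cache = TicketCache("YOYODYNE.COM")
    cache.login(now=1000, lifetime=600)
    print(cache.ticket_for("telnet/apple.yoyodyne.com", now=1100, lifetime=3600))
    print("needs login at t=1700:", cache.needs_login(1700))
```

The `min(...)` in `ticket_for` is the detail worth noticing: a service ticket is bounded by its TGT, so a short TGT lifetime limits how long any captured service ticket remains usable, which is why a client that keeps prompting for credentials is behaving as designed rather than failing.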

Establishing a Kerberos Account

Cisco TCP/IP Suite for Windows does not include a KDC server. Therefore, to establish an account for a user you must follow the instructions for your particular server. If you are using Cisco MultiNet for OpenVMS, consult the Administrator's Guide. Adding a new user generally involves editing the Kerberos database to add a new principal name (user), password, and expiration date.

The procedure for establishing a KDC on your system varies from operating system to operating system but is generally as follows:

  1. Create a Kerberos configuration file.
  2. Create a file that matches domain names to realm names (if necessary).
  3. Initialize the Kerberos database.
  4. Store the Kerberos master key in a protected master file.
  5. Add users and services to the database.
  6. Create a protected key file for each server that will run Kerberos-modified network server programs.
  7. Move the protected key file to each server.
  8. Enable the Kerberos server.

Starting the Kerberos Application

To start the Kerberos application in Windows 3.x, double-click the Kerberos icon in the Cisco Suite 100 group. To start Kerberos in Windows 95, select the Kerberos icon from the Cisco Suite 100 program group on the Start menu. The first time you invoke Kerberos, the Configure dialog box appears.

This dialog box lets you identify your local realm, maintain a list of Kerberos servers you use, and identify any special realm mappings.

If you have already entered a local realm in the Configure dialog box, the Kerberos dialog box appears.

This dialog box lists any active or recently expired tickets. (Expired tickets appear only if you check the Show Expired Tickets check box.) It also lets you get Kerberos tickets, change your password for the Kerberos server, identify new Kerberos servers, add special realm mappings, and remove all existing tickets.

Changing Kerberos Server Information

To identify your local realm and Kerberos ticket server to the Kerberos application:

  1. Start the Kerberos application.

    If the Kerberos dialog box appears, click the Configure... button.

    The Configure dialog box appears.

  2. In the Local Realm combo box, enter the name of your local realm or choose the desired realm from the Local Realm drop-down list, if you have added others.
  3. Click the Add... button that appears next to the Ticket Servers table.

    The Add Ticket Server dialog box appears.

  4. In the Realm field, enter the name of the realm (in uppercase) for the ticket server you are adding.
  5. In the Server field, enter the name of the Kerberos server.
  6. If the Kerberos server is an admin server, check the Admin Server check box.
  7. Click OK.

    The Kerberos application closes the Add Ticket Server dialog box and adds the specified ticket server to the Ticket Servers table.

You can now obtain your Kerberos tickets and start Kerberized sessions.

Providing Special Realm Mappings

A host's realm usually is the same as its domain. For example, users expect the host apple.yoyodyne.com to belong to the realm YOYODYNE.COM (its domain name).

Occasionally, however, you may encounter a host that belongs to a realm that is different from its domain. For example, the host apple.yoyodyne.com may belong to the realm TREE.COM. If this occurs, you need to let the Kerberos application know the correct realm.

The following sections explain how to add, modify, or delete special realm mappings for these situations.

Adding a Special Realm Mapping

To add a special realm mapping:

  1. Open the Kerberos dialog box by starting Kerberos.
  2. Click the Configure... button.

    The Configure Kerberos dialog box appears.

  3. In the Configure Kerberos dialog box, click the Add... button that appears next to the Special Realm Mappings table.

    The Add Special Realm Mapping dialog box appears.

  4. To map a single machine to a different realm, enter the complete host name in the Domain field, such as apple.yoyodyne.com. If you enter a host name, only the specified host uses the special realm mapping.

    To map an entire subdomain to a different realm, enter the subdomain in the Domain field, prefixing the entry with a . (dot), such as .yoyodyne.com. If you specify a subdomain, all hosts in the subdomain use the special realm mapping.

  5. In the Realm field, enter the realm that Kerberos should use for the specified domain in uppercase.
  6. Click OK to accept your entries. Click Cancel to close the Add Special Realm Mapping dialog box without accepting your entries.

    If you click OK, the Kerberos application closes the Add Special Realm Mapping dialog box and adds the entry to the Special Realm Mappings table.
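The lookup the Special Realm Mappings table implies, as an added example that is not code from Cisco TCP/IP Suite: an exact host-name entry applies to that host only, a dot-prefixed entry applies to every host in that subdomain, and a host with no matching entry falls back to its domain name in uppercase, as the section on realms describes. The example goes slightly beyond the text in one respect: when several subdomain entries match, it assumes the most specific one wins. The sample table, host names and the `validate_mapping` check are constructed for illustration.

```python
"""Host-to-realm resolution modelled on the Special Realm Mappings table.

Added example, not Cisco TCP/IP Suite code. The mapping table and host
names are constructed; the most-specific-subdomain rule is an assumption.
"""
from typing import Dict, Optional

# Constructed sample of the table: "Domain" column -> "Realm" column.
SPECIAL_REALM_MAPPINGS: Dict[str, str] = {
    "apple.yoyodyne.com": "TREE.COM",  # single host
    ".lab.yoyodyne.com": "LAB.COM",    # whole subdomain
}


def _normalise(name: str) -> str:
    """DNS names are case-insensitive; realm names are not (see realm_for_host)."""
    return name.strip().rstrip(".").lower()


def validate_mapping(domain: str, realm: str) -> Optional[str]:
    """Return a description of what is wrong with a proposed entry, or None.

    Constructed check mirroring the dialog's instructions: a non-empty host or
    dot-prefixed subdomain, and a realm entered in uppercase.
    """
    if not _normalise(domain) or _normalise(domain) == ".":
        return "Domain must be a host name or a dot-prefixed subdomain such as .yoyodyne.com"
    if realm != realm.upper() or not realm:
        return "Realm names are case-sensitive; enter the realm in uppercase"
    return None


def realm_for_host(host: str, mappings: Dict[str, str] = SPECIAL_REALM_MAPPINGS) -> str:
    """Return the Kerberos realm the client should use for `host`."""
    host = _normalise(host)
    table = {_normalise(d): r for d, r in mappings.items()}

    # 1. An exact host-name entry applies only to that host.
    if host in table:
        return table[host]

    # 2. A dot-prefixed entry applies to every host under that subdomain;
    #    ".yoyodyne.com" matches "pear.yoyodyne.com" but not "yoyodyne.com".
    #    Assumption: the longest (most specific) matching entry wins.
    best: Optional[str] = None
    for domain in table:
        if domain.startswith(".") and host.endswith(domain):
            if best is None or len(domain) > len(best):
                best = domain
    if best is not None:
        return table[best]

    # 3. No entry: the realm is the host's domain name, upper-cased.
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"unqualified host name {host!r}: cannot derive a realm")
    return ".".join(labels[1:]).upper()


if __name__ == "__main__":
    for h in ("apple.yoyodyne.com", "pear.yoyodyne.com", "box.lab.yoyodyne.com"):
        print(f"{h:28} -> {realm_for_host(h)}")
```

Note the asymmetry in `_normalise`: the host side is folded to lowercase because DNS names are case-insensitive, but the realm value is returned exactly as entered, because realm names are case-sensitive. A mapping typed as `tree.com` would silently resolve to a realm the KDC does not know, which is what `validate_mapping` is there to catch before the entry is saved.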

Changing a Special Realm Mapping

To change a special realm mapping:

  1. Open the Kerberos dialog box by starting Kerberos.
  2. Click the Configure... button.

    The Configure Kerberos dialog box appears.

  3. Select the mapping you want to modify in the Special Realm Mapping table.
  4. Click the Modify... button that appears next to the Special Realm Mappings table.

    The Modify Special Realm Mapping dialog box appears.

  5. Enter the desired changes.
  6. Click OK to accept your changes. Click Cancel to close the Modify Special Realm Mapping dialog box without accepting your changes.

    If you click OK, the Kerberos application closes the Modify Special Realm Mapping dialog box and modifies the entry in the Special Realm Mappings table.

Deleting a Special Realm Mapping

To delete a special realm mapping:

  1. Open the Kerberos dialog box by starting Kerberos.
  2. Click the Configure... button.

    The Configure Kerberos dialog box appears.

  3. Select the mapping you want to delete in the Special Realm Mappings table.
  4. Click the Delete button that appears next to the Special Realm Mappings table.

    A message box appears, asking you to confirm the deletion.

  5. Click Yes to delete the mapping. Click No to leave the mapping in the Special Realm Mappings table.

    If you click Yes, the Kerberos application removes the selected entry from the Special Realm Mappings table.




Copyright© 1995-1996 Cisco Systems, Inc. All Rights Reserved.

HTML file generated May 15, 1996.