Manual Administration Using kadmin

The Command-Line-Administrator is the program used to administer the principal database. It allows principals with administrative privileges to maintain the principal database using this command line tool. Each user, client or service that is authenticated by the security server must be included in the principal database.There are two different versions of this program, namely,

Local Command-Line-Administrator, kadmin
Remote Command-Line-Administrator, kadminl

The Local Command-Line-Administrator, kadminl, is available only on the Primary Security Server. The Remote Command-Line-Administrator, kadmin, can be installed on Secondary Security Servers and clients to permit remote administration of the prinicpal database.

Location

Local Administrator on the primary security server:

opt/krb5/admin/kadminl

Remote Administrator on secondary security servers and clients:

/opt/krb5/bin/kadmin




	NOTE: You must add the first administrative principal on the Local Administrator, `kadminl`, located on the primary server before you can log on to the Remote Command-Line-Administrator, `kadmin` from a secondary server or client.

You can use the kadmin to:

Add, modify, inquire or delete principals
Change the password of an existing principal
Extract a key for an existing prinicpal
Extract service principal information to the service key table

The Local Command-Line-Administrator, kadminl, can be invoked only by a root user.

To log in to the Remote Administrator, kadmin, you must use a principal account that has an entry in the admin_acl_file. For complete access to all the functions, use an unrestricted administrative principal account, one with the '*' permissions in the admin_acl_file. At a minimum, the account must have the inquire privileges. For more information on administrative permissions, refer to “admin_acl_file”.

When you start the kadmin, a principal name must be specified at the command line prompt, else the default login name, with the admin instance appended to it, is used. If the -n switch is specified, the default login name is used and the admin instance is not automatically appended to the login name.

The kadmin has two mechanisms to authenticate the administrator. The first mechanism prompts administrators for a password. Then second uses the -k switch that notifies kadmin to search the v5srvtab file for the key. With the -k switch, you can write shell-scripts to automate administrative tasks. Read the permissions in the v5srvtab to use this switch.

All communications between the kadmin client and the server-side daemon are encrypted to prevent disclosure of information across the network.

Once you have been authenticated, use the kadmin commands to manage the principal database. The kadmin commands have been discussed in the subsequent sections of this chapter.




	NOTE: The `Command-Line-Administrator`, kadmin, has limited capabilities. It cannot be used to control the following parameters of the user principals: administrative permissions default group prinicpal maximum ticket lifetime and renew times adding new realms alter key types We recommend that the Graphical user Interface be used for all administrative purposes.

Add a New Principal

To add a principal to the database, use the kadmin add command. This command requires the "add" administrative privilege to be specified in the admin_acl_file.

This command adds a new principal with the specified name and password to the principal database. When you add a principal using the add command it inherits the default group principal settings for the key type and salt types.

The general syntax for adding a new principal is:

command: add

For example, to add a principal "admin", you would do the following:

command: add Name of Principal to add: admin Enter password: password Re-enter password for verification: password Principal added

The entire principal name, identifier/instance@REALM, cannot exceed 767 characters and the first 255 characters must be unique.




	NOTE: Principal names are case sensitive.

Add Random Key

The addrnd command, adds the specified principal with a randomly generated password. This command is used for service principals.

The general syntax for adding a principal with a randomly generated password is:

command: addrnd

For example, to add a principal "admin" with a randomly generated password, you would do the following:

command: addrnd Name of Principal to add: admin Principal added

Specify New Password

The cpw command enables you to specify a new password for the principal selected.

The general syntax for specifying a new password is:

command: cpw

For example, to enable a new password for the principal "admin", you would do the following:

command: cpw Name of Principal: admin Enter password: password Re-enter password for verification: password Principal modified

Change Password to a New Randomly Generated Password

The cpwrnd command changes the password of a specified principal to a new randomly generated password.

The general syntax for changing the password to a new randomly generated password for a specified principal:

command: cpwrnd

For example, to change the password of the principal "admin" to a new randomly generated password, you would do the following:

command: cpwrnd Name of Principal: admin Principal modified

Delete a Principal

The del command deletes the specified principal. This command requires the "delete" administrative privilege to be specified in the admin_acl_file.

The general syntax for deleting a specified principal:

command: del

For example, to delete the principal "admin", you would do the following:

command: del Name of Principal to delete: admin Principal removed

You are not alerted with a confirmation message on deletion of a principal.

Extract a Principal

The ext command securely extracts a principal's key into a local service key table file. By default, the host/fqdn@REALM principal is extracted into the v5srvtab file, where fqdn is the fully qualified domain name of the host system.

If the principal does not exist in the principal database, it is added with the name you have specified.If the service key table file does not exist, it is created with the name you have specified.

If the principal exits, kadmin resets the key version to 1 by overwriting the previous key and extracting the key that is created using a new password and no salt key. To extract the key without any modifications, use the -n option.

The general syntax for extracting a principal and a key to a local service key table file:

command: ext

For example, to extract the principal "admin" to a local service key table file, SrvTab, you would do the following:

command: ext Name of Principal (host/fqdn@REALM): admin Service Key Table File Name (/opt/krb5/v5srvtab):/opt/SrvTab Principal modified Key extracted

The optional parameters are:

[-n]

Extracts the key for an existing principal without changing the key or the salt type.

[-p keytype]

Defines the key type for the primary key, and extracts it to the service key table file. Supported values for keytype are 1 for DES type and 5 for 3DES type.

[-a keytype]

Defines the key type for the secondary key and extracts it to the service key table file.

Supported values for keytype are 0 for no secondary key, 1 for DES and 5 for 3DES.

[principal]

Specifies an alternate principal to extract other than the default host/fqdn@REALM principal.

For example, ext finance@BAMBI.COM

After ext executes, it prompts you for the service key table file name. The default file name is /krb5/v5srvtab.

List the Attributes of a Principal

The inq command lists the various attributes of the specified principal, if it does exist. If the principal is not in the database, kadmin informs you.

The general syntax for listing the various attributes of the specified principal:

command: inq

For example, to list the attributes of the principal "admin", you would do the following:

command: inq Name of Principal: admin

Modifying a Principal

To modify attributes of a principal in the database, use the kadmin mod command. The parameter type needs to be also specified. Given below is a list of the parameters that can be modified.

Attributes (attr)

Specify properties associated with the principal. To view a list of attributes from the command line, type the following and then press ENTER:

Command: attr Attribute (or quit): ?

Number of Specify the number of failed authentication attempts authentication the principal is allowed. The number must be an failures (fcnt)

integer between 0 and 255.

Key Version The number must be an integer between 0 and 255. Number (vno)

When you create a principal, its key version number (vno) is 1 and then it automatically increments by one each time the key is changed. You can manually change the key version number using this command.

The general syntax for modifying an existing principal is:

command: mod

To modify the principal admin, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit):<option> Principal modified.

Enter the Parameter type to be modified at the command line prompt. Based on the parameter you have opted for the principal is modified. The following sections of this chapter entail a detailed description of the parameter types.

Number of Authentication failures (fcnt)

When you create a principal, the failed authentication count is automatically set to zero. The user associated with that principal increments the failed authentication count by one for each failed authentication attempt.

If the user has more consecutive authentication failures than allowed by the MaxFailAuthCnt parameter in the password policy file, the principal is locked. Before the user can attempt to authenticate again, the administrator must unlock the principal, which resets the fcnt to zero.

If the user successfully authenticates before the maximum failed authentication count value, fcnt is automatically reset to zero.

To modify the parameter type fcnt for the principal admin, you need to do the following:

 Command: mod
	 Name of Principal to Modify: admin
	 Parameter Type to be Modified (attr,fcnt,vno or quit) :fcnt
	 Failure Count (or quit): <enter count>
	 Principal modified.

Key Version Number Attribute

Every principal password has an associated version number that identifies the number of times the password has been changed.

When a principal is created, its password version number is inherited from the default group template. Every time a password is changed, the version number is incremented by one. However, the key version number is a writable field in the database, and hence this cannot be considered an accurate counter for the number of password changes made to a principal.

If you change the password for the default group principal, the key version number will increment, and therefore every new principal added to the database will not begin with one. As this may be confusing, we recommend that you edit the version number for the default group principal to be one after you re-generate a key for the default principal.

To modify the parameter type vno of the principal admin, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :vno Remote Administrator version Number (or quit): <enter count> Principal modified.

Attributes

The attributes indicate the properties that are associated with a principal. To view a list of attributes using the command line option, type the following and press the ENTER key:

Command: attr Attribute (or quit): ?

The following sections discuss the various attributes associated with a principal.

Allow Postdated Attribute

The Allow Postdated attribute determines whether a principal is allowed ticket postdating. Postdating is a mechanism that allows a principal to obtain a ticket that is initially invalid but becomes valid in the future.

The Allow Postdated attribute applies to both user and service principals as indicated below:

User principals can be issued either a postdated or postdatable ticket
Service principals can be issued postdated service tickets for the service by the server
NOTE: Before the server issues a postdated service ticket, the requesting user must possess a postdatable TGT.

To modify the parameter type attr for the principal admin, to set the Allow Postdated Attribute, you would need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {postdate|nopostdate} Principal modified.

Allow Renewable Attribute

The Allow Renewable attribute determines whether a principal is allowed to request for renewable tickets. Renewable tickets are those that can be re-validated up to the maximum renewal time.

The maximum ticket lifetime and renewable time are stored in the principal database in krbtgt/REALM@REALM principal. Individual principal accounts can be limited using the Maximum Renew Time Setting on the General tab of the Administrator.

The Allow Renewable attribute applies to both user and service principals. If this attribute is set for a,

User principal, the principal can be issued a renewable ticket
Service principal, the server can issue a renewable ticket for the service
NOTE: Before the server issues a renewable service ticket, the requesting user must possess a renewable TGT.

To modify the parameter type attr for the principal admin, to set the Allow Renewable Attribute, you would need to do the following:

Command: mod Name of Principal to Modify: admin P arameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {renew|norenew} Principal modified.

Allow Forwardable Attribute

The Allow Forwardable attribute determines whether a principal is allowed ticket forwarding. Forwarding is a mechanism to send a TGT to a remote system, from one network host to another. The forwarded TGT can be used to generate, on the principal's behalf, a new service ticket on the second host's system. This eliminates the need for the user to re-authenticate and re-enter the password on the second host.

The Allow Forwardable attribute applies to both user and service principals. If this attribute is set for a,

User principal, the principal can be issued a forwarded or forwardable ticket
Service principal, the server can issue a forwarded service ticket for the service
NOTE: Before the server issues a service ticket on the remote host, the requesting user must possess a forwarded TGT

To modify the parameter type attr for the principal admin, to set the Allow Forwardable Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {forward|noforward} Principal modified.

Allow Proxy Attribute

The Allow Proxy attribute determines whether a principal is allowed proxy tickets. Proxy tickets allow applications that a principal accesses with a TGT to request a special class of service ticket. This type of service ticket can be moved to another host on the network that acts on the principal's behalf. For example, a print service printing a file for a user.




	WARNING! The authorization fields of the ticket and authenticator can be used to hold restrictions on the proxy ticket.

The Allow Proxy attribute applies to both user and service principals. If this attribute is set for a,

User principal, the principal can be issued a proxy ticket
Service principal, the server can issue a proxy service ticket for the service




	NOTE: Before the server issues a proxy service ticket, the requesting user must possess a `proxy TGT`

To modify the parameter type attr for the principal admin, to set the Allow Proxy Attribute, you need to do the following:

	 Command: mod
	 Name of Principal to Modify: admin
	 Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
	 Attribute (or quit): {proxy|noproxy}
	 Principal modified.

Allow Duplicate Session Key Attribute

The Allow Duplicate Session Key attribute determines whether a principal is allowed to use a duplicate session key. A duplicate session key, applies to user-to-user authentication, determines which key is used to encrypt the requested service tickets.

This setting controls the security protocol between an initiator, typically a client application, and acceptor, typically a service. When a user performs an action that causes the initiator application to request for a duplicate session key:

the initiator application sends two TGTs, the initiator's and the acceptor's, as a request to the TGS (ticket-granting service), provided this attribute is set. The service ticket returned to the initiator is encrypted with the session key in the acceptor's TGT
the service ticket returned to the initiator application is encrypted with the acceptor's secret key, provided this attribute is not set

This attribute is set by default, thereby allowing an initiator application to request for a duplicate session key for the acceptor's application. Principal accounts using duplicate session keys must be assigned the Allow as Service Attribute.

To modify the parameter type attr for the principal admin, to set the Allow Duplicate Session Key Attribute, you need to do the following:

	 Command: mod
	 Name of Principal to Modify: admin
	 P	arameter Type to be Modified (attr,fcnt,vno or quit) :attr
	 Attribute (or quit): {dskey|nodskey}
	 Principal modified.

Require Preauthentication Attribute

The Require Preauthentication attribute determines whether a principal is required to preauthenticate when requesting for a TGT. Preauthentication implies that the client logon program attaches known encrypted data to a ticket request, providing additional security when the TGT is presented to gain access to a secured service.

The Require Preauthentication attribute applies to user and service principals. If this attribute is set for a,

User principal, the user must run logon software that performs authentication using the preauthentication protocol
Service principal, the service accepts TGTs only from user principals who obtained a TGT using a preauthentication protocol




	NOTE: Client applications require preauthentication by default; however, a client can override this setting.

To modify the parameter type attr for the principal admin, to set the Require Preauthentication Attribute, you need to do the following:

C ommand: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {preauth|nopreauth} Principal modified.

Require Password Change Attribute

The Require Password Change attribute determines whether a principal must change the user's password during the next authentication attempt. When this attribute is set, users are required to change their passwords.

When a new principal is added to the database or when a principal's password is changed, this attribute is controlled by the NoReqChangePwd setting in the principal's password policy file. By default, NoReqChangePwd is set to zero, meaning the user must change their password at first logon.

If a random key is designated for a principal using Administrator or the kadmin addrnd command, the Require Change Password attribute is not set by default. As a result, a service principal with an extracted key is not required to have a new key extracted at the next authentication attempt.

To modify the parameter type attr for the principal admin, to set the Require Password Change Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {pwchg|nopwchg} Principal modified.

Lock Principal Attribute

The Lock Principal attribute determines whether a principal account is usable. A locked principal exists in the principal database but is unable to use or provide security network services.

The Lock Principal attribute applies to both user and service principals. If this attribute is set for a,

User principal, no tickets can be issued to the user
Service principal, no tickets are issued for principals to use the service

This attribute is set automatically when a principal exceeds the maximum number of failed authentication attempts specified in the password policy file. The default maximum number of failed authentication attempts allowed is five (5). If a principal account is locked, a principal with the required administrative permissions must unlock the principal account before the user can authenticate again.

To modify the parameter type attr for the principal admin, to set the Lock Principal Attribute, you need to do the following:

	 Command: mod
	 Name of Principal to Modify: admin
	 Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
	 Attribute (or quit): {lock|nolock}
	 Principal modified.

Allow as Service Attribute

The Allow As Service attribute should be selected for any principal that will be used as a service.

This attribute can be applied to all principal types, both user and service. Selecting this attribute does not necessarily mean that the principal account is being used by a network service application. Select this attribute for user principals who run programs that require user-to-user authentication.

When this attribute is set, the principal's name appears in the server field of the service ticket. If this attribute is not set, the security server cannot issue a service ticket for that principal because the principal's name cannot appear in the server field of the service ticket.

This attribute is set by default, allowing principals to act as a service and enabling user-to-user authentication for user principals.

To modify the parameter type attr of the principal admin, to set the Allow as Service Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr A ttribute (or quit): {svr|nosvr} Principal modified.

Require Initial Authentication Attribute

The Require Initial Authentication attribute specifies whether the server is allowed to issue service tickets to a service principal on behalf of a user principal using an existing TGT.

The Require Initial Authentication attribute applies only to service principals,

If this attribute is set, user principals must re-authenticate to the security server before the server issues a service ticket for that service. For example, the change password service requires a principal to enter a password to receive a ticket for the change password service before the password can be changed.
If this attribute is not set, the server may issue a service ticket based on the user principal's existing TGT.




	NOTE: In Administrator, when the `Require Initial Authentication` attribute is selected, the `Allow as Service Attribute` is automatically selected.

Do not enable this setting for user principal accounts. This attribute is applicable to selected service principals.

To modify the parameter type attr of the principal admin, to set the Require Initial Authentication Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {tgt|notgt} Principal modified.

The notgt command in kadmin is equivalent to selecting the Require Initial Authentication on the Attributes tab of the Administrator; the tgt command in the kadmin is equivalent to clearing the Require Initial Authentication check-box on the Attributes tab.

You can use the kadmin inq command to view this principal's attribute. With Require Initial Authentication selected (tgt), the inquire command shows TGT_BASED in the attributes field. Without the Require Initial Authentication setting (notgt) no text appears in the attributes field.

Table 6-4 “Require Initial Authentication Attribute Settings” equates the Administrator Attributes tab check-box setting with the kadmin command setting. It also indicates the attribute text that shows if you view a principal's settings using the kadmin inq command.

Table 6-4 Require Initial Authentication Attribute Settings

Attributes Tab Check-box Setting	kadmin Command	Kadmin inq Shows:
Select Require Initial Authentication	notgt	no text shows
Select Require Initial Authentication	tgt	TGT_BASED

Set As Password Change Service Attribute

The Set As Password Change Service attribute determines whether a service principal can act as a change password service. Setting this attribute allows a service principal to receive initial tickets for user principals whose passwords have expired.




	NOTE: When the `Set as Password Change Service` attribute is selected, the `Require Initial Authentication` Attribute is automatically selected.

Normally, you would select the Set As Password Change Service attribute for only the service principal defined as a change password service. You can add other Change Password service principals to the principal database if you have created custom applications that require different password service principals.

To modify the parameter type attr of the principal admin, to set the Set As Password Change Service Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin P arameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {cpwsrv|nocpwsrv} Principal modified.

Password Expiration Attribute

A principal password can have either a finite or an infinite lifetime. Expiration time is controlled by several factors, including the principal type:

Service Principals - The secret key stored in the service key table file on the service's host does not expire. However, we recommend extracting new random keys periodically for best security practices. Refer to “Maintaining Secret Keys In The Key Table File”, for more information.

User principals - The expiration time for a user's password depends on the settings designated for the principal account.

Activating the Password Expiration attribute holds a principal in accordance with the password expiration policy. The user is prompted to change their password before the expiration date. If the Password Expiration attribute is not enabled, the current principal's password never expires.




	NOTE: The password expiration date is stored in the security server with each principal. It is changed to the current date plus the Expiration value in the password policy file when a user changes the password.

Before the password expires, the user is given advance notice that their password is about to expire. The advanced notice timing is controlled by the NotifyTime parameter in the password policy file. If the user ignores the advance notice and the expiration date elapses, the user must change the password before they can obtain any more tickets from the security server.

As the expiration time is calculated from the time a new principal is added to the database, the password change load on the server is distributed over time. Therefore, you can select to require a password expiration in the default group principal template without concern for the administrative load, provided you add new principals over a period of time.

To modify the parameter type attr of the principal admin, to set the Password Expiration Attribute, you need to do the following:

Command: mod Name of Principal to Modify: admin Parameter Type to be Modified (attr,fcnt,vno or quit) :attr Attribute (or quit): {cpwexp|nocpwexp} Principal modified.

Principal Expiration Attribute

The Principal Expiration setting determines when a principal account will expire. This can be set to a definite time or never. An expired principal account is essentially locked; it can no longer be used to access the security network. However, it is not removed from the principal database, and the account can be re-enabled by resetting the expiration time.

Setting a principal expiration time may be useful for temporary employees. However, if you choose an expiration date for the default group principal, all principals added using that template setting will expire at the same time. You should consider the administrative requirements of expiring all principal accounts on the same day.