Kerberos Version 5

Endpoint Privilege Management for Unix and Linux can use Kerberos v5 to authenticate its various parts and to exchange encryption key information.

To use Kerberos with Endpoint Privilege Management for Unix and Linux, you must register pbmasterd, pblocald, and pblogd as Kerberos principals. The principals should look like this (substitute your own host and pblogd principal names):

  • pbmasterd/kerberizedmachine.your_realm.com
  • pblocald/kerberizedmachine.your_realm.com
  • pblogd/kerberizedmachine.your_realm.com

These principals must be added to the keytab file. Users also need to be principals and need a target.

The default principals are pbmasterd, pblocald, and pblogd. These can be overridden by the mprincipal, lprincipal, and gprincipal settings in the settings file.

All Endpoint Privilege Management for Unix and Linux client and server programs can use Kerberos Version 5 for authentication and session encryption keys.

Endpoint Privilege Management for Unix and Linux clients request verification to use pbmasterd by checking the submitting user's ticket cache, or by obtaining a service ticket for pbmasterd using the principal named in mprincipal.

Endpoint Privilege Management for Unix and Linux daemons request verification to access other daemons by checking the services’ principals for both daemons, as listed in the following table.

Kerberos Principal Usage

From                          Principal                    Connection type    To         Principal
pbrun, pbksh, pbsh, pbguid    user@realm                   Direct             pbmasterd  mprincipal/masterhost@realm
pbrun, pbksh, pbsh            user@realm                   Dynamic            pblocald   lprincipal/runhost@realm
pbrun, pbksh, pbsh, pblocald  principal/runhost@realm      Direct or dynamic  pblogd     gprincipal/loghost@realm
pbmasterd                     mprincipal/masterhost@realm  Direct             pblocald   lprincipal/loghost@realm
pbmasterd                     mprincipal/masterhost@realm  Direct             pblogd     gprincipal/loghost@realm

kerberos

  • Version 4.0.0 and later: kerberos setting available.
  • Version 22.1 and later: the krbfirstpbmasterd option is available. kerberos is a list setting; use getlistsetting() in the policy language to retrieve its list of values.

When set to yes, the kerberos setting enables the use of the Endpoint Privilege Management for Unix and Linux Kerberos Version 5 features. When set to no, the kerberos setting disables the use of these features.

Set kerberos to yes together with the krbfirstpbmasterd option to keep clients at version 10.3.2 or earlier compatible with newer EPM-UL servers and clients.

The krbfirstpbmasterd option is valid from version 22.1 onward. It is enabled on all newer endpoints (servers and clients at 22.1 or later); no changes are required on clients at version 10.3.2 or earlier.

kerberos yes
kerberos yes krbfirstpbmasterd

Default

kerberos no

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

keytab

Version 4.0.0 and later: keytab setting available.

The keytab setting contains the name of the Kerberos 5 Key Table. Newer versions of Kerberos discourage setting the keytab in this fashion and favor using the krb5.conf file or the KRB5_KTNAME environment variable. Use of the keytab setting should be avoided.

keytabencryption

  • Version 8.0.0 and earlier: keytabencryption setting not available.
  • Version 8.0.1 and later: keytabencryption setting available.

The keytabencryption setting specifies which cipher all Endpoint Privilege Management for Unix and Linux components use for Kerberos negotiations. The algorithm must match the default algorithm used by the Kerberos server. Supported values include des-hmac, des3-hmac, and arcfour-hmac. As of this writing, the AES algorithms are not supported, which effectively limits using Active Directory as a Kerberos server. This keyword is mandatory to support more recent, non-DES Kerberos implementations because Endpoint Privilege Management for Unix and Linux cannot automatically determine the best cipher.

keytabencryption arcfour-hmac

Default

keytabencryption des-hmac

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

gprincipal

  • Version 4.0.0 and later: gprincipal setting available.

The gprincipal setting contains the principal that the policy server daemon (pbmasterd), the local daemon (pblocald) and clients that are running in local mode (for example, pbrun -l ...) use to verify access to the log server daemon (pblogd). The host name and realm are appended to form the full principal.

gprincipal pblogd_principal

Default

gprincipal pblogd

Used on

  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

lprincipal

  • Version 4.0.0 and later: lprincipal setting available.

The lprincipal setting contains the principal that the policy server daemon (pbmasterd) and client programs use to verify access to the local daemon (pblocald). The host name and realm are appended to form the full principal.

lprincipal pblocald_principal

Default

lprincipal pblocald

Used on

  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

mprincipal

  • Version 4.0.0 and later: mprincipal setting available.

The mprincipal setting contains the principal that the Endpoint Privilege Management for Unix and Linux clients use to verify access to the policy server daemon (pbmasterd). The host name and realm are appended to form the full principal.

mprincipal pbmasterd_principal

Default

mprincipal pbmasterd

Used on

  • Policy server hosts
  • Submit hosts

sprincipal

  • Version 5.2 and earlier: sprincipal setting not available.
  • Version 6.0 and later: sprincipal setting available.

The sprincipal setting contains the principal that the Endpoint Privilege Management for Unix and Linux pbsync client uses to verify access to the log synchronization daemon (pbsyncd). The host name and realm are appended to form the full principal.

sprincipal pbsync_principal

Default

sprincipal pbsyncd

Used on

  • Log hosts
  • Policy server hosts
  • Sync hosts

kerberosvalidatecacheuser

  • Version 4.0 and later: kerberosvalidatecacheuser setting available.

If set to yes, the current user's Unix/Linux user name is compared with the client principal name in the Kerberos credential cache. If they do not match, the cache is invalidated and new credentials must be provided.

Default

kerberosvalidatecacheuser no
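The principal settings above (mprincipal, lprincipal, gprincipal), the keytab and keytabencryption settings, and the requirement that each daemon principal be present in the keytab can be checked together. The following is an added example, not code from the product or its documentation: it parses a constructed pb.settings fragment, derives the full service principals a host needs for its roles, compares them with a constructed klist -k listing, and reports the settings this page advises against (keytab in the settings file, the single-DES default cipher). The role-to-setting mapping and the settings file syntax (keyword followed by space-separated values) are assumptions.

```python
import re

# Assumed mapping: which principal setting each host role must hold in its keytab.
ROLE_SETTING = {"policy": "mprincipal", "run": "lprincipal", "log": "gprincipal"}
DEFAULTS = {"mprincipal": "pbmasterd", "lprincipal": "pblocald", "gprincipal": "pblogd",
            "keytabencryption": "des-hmac", "kerberos": "no"}

# Constructed sample of a pb.settings fragment (keyword followed by its values).
SETTINGS = """\
kerberos yes krbfirstpbmasterd
keytabencryption des-hmac
keytab /etc/pb.keytab
mprincipal pbmasterd
lprincipal pblocald
gprincipal pblogd
"""

# Constructed sample in the shape of `klist -k` output; pblocald is deliberately absent.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/pb.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 pbmasterd/kerberizedmachine.your_realm.com@YOUR_REALM.COM
   2 pblogd/kerberizedmachine.your_realm.com@YOUR_REALM.COM
"""

def parse_settings(text):
    """Map each keyword to its value string; list settings keep all their tokens."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, *values = line.split()
            settings[key] = " ".join(values)
    return settings

def expected_principals(settings, roles, host, realm):
    """Full principals (name/host@REALM) a host with the given roles must hold."""
    return {f"{settings[ROLE_SETTING[r]]}/{host}@{realm}" for r in roles}

def keytab_principals(klist_text):
    """Principals in a klist -k listing: the lines that begin with a numeric KVNO."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+)$", klist_text, re.M)}

def audit(settings_text, klist_text, roles, host, realm):
    """Return the missing keytab principals and a list of human-readable findings."""
    s = parse_settings(settings_text)
    findings = []
    if "keytab" in s:
        findings.append("keytab is set in the settings file; prefer krb5.conf or KRB5_KTNAME")
    if s["keytabencryption"] == "des-hmac":
        findings.append("keytabencryption is single DES (the default); match the KDC's non-DES cipher")
    if s["kerberos"].split()[0] != "yes":
        findings.append("kerberos is not enabled")
    missing = expected_principals(s, roles, host, realm) - keytab_principals(klist_text)
    findings.extend(f"keytab lacks {p}" for p in sorted(missing))
    return {"missing": missing, "findings": findings}
```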