Kerberos Version 5

Privilege Management for Unix and Linux can use Kerberos v5 to authenticate its various parts and to exchange encryption key information.

To use Kerberos with Privilege Management for Unix and Linux, you must register pbmasterd, pblocald, and pblogd as Kerberos principals. The principals should look like this (substitute your own host and pblogd principal names):

  • pbmasterd/kerberizedmachine.your_realm.com
  • pblocald/kerberizedmachine.your_realm.com
  • pblogd/kerberizedmachine.your_realm.com

These principals must be added to the keytab file. Users also need to be principals and need a target.

The default principals are pbmasterd, pblocald, and pblogd. These can be overridden by the mprincipal, lprincipal, and gprincipal settings in the settings file.

All Privilege Management for Unix and Linux client and server programs can use Kerberos Version 5 for authentication and session encryption keys.

Privilege Management for Unix and Linux clients request verification to use pbmasterd by checking the submitting user's ticket cache, or by obtaining a ticket for pbmasterd using the principal named in mprincipal.

Privilege Management for Unix and Linux daemons request verification to access other daemons by checking the services’ principals for both daemons, as listed in the following table.

From | Principal | Connection Type | To | Principal
--- | --- | --- | --- | ---
pbrun, pbksh, pbsh, pbguid | user@realm | Direct | pbmasterd | mprincipal/masterhost@realm
pbrun, pbksh, pbsh | user@realm | Dynamic | pblocald | lprincipal/runhost@realm
pbrun, pbksh, pbsh, pblocald | principal/runhost@realm | Direct or dynamic | pblogd | gprincipal/loghost@realm
pbmasterd | mprincipal/masterhost@realm | Direct | pblocald | lprincipal/loghost@realm
pbmasterd | mprincipal/masterhost@realm | Direct | pblogd | gprincipal/loghost@realm

kerberos

  • Version 4.0.0 and later: kerberos setting available.

When set to yes, the kerberos setting enables the use of the Privilege Management for Unix and Linux Kerberos Version 5 features. When set to no, the kerberos setting disables the use of these features.

Example: kerberos yes

Default: kerberos no

Used on:
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

keytab

  • Version 4.0.0 and later: keytab setting available.

The keytab setting contains the name of the Kerberos 5 Key Table. Newer versions of Kerberos discourage setting the keytab in this fashion and favor using the krb5.conf file or the KRB5_KTNAME environment variable. Use of the keytab setting should be avoided.

keytabencryption

  • Version 8.0.0 and earlier: keytabencryption setting not available.
  • Version 8.0.1 and later: keytabencryption setting available.

The keytabencryption setting specifies which cipher all Privilege Management for Unix and Linux components use for Kerberos negotiations. The algorithm must match the default algorithm used by the Kerberos server. Supported values include des-hmac, des3-hmac, and arcfour-hmac. As of this writing, the AES algorithms are not supported, which effectively limits the use of Active Directory as a Kerberos server. This keyword is mandatory when working with more recent, non-DES Kerberos implementations, because Privilege Management for Unix and Linux cannot automatically determine the best cipher.

Example: keytabencryption arcfour-hmac

Default: keytabencryption des-hmac

Used on:
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

gprincipal

  • Version 4.0.0 and later: gprincipal setting available.

The gprincipal setting contains the principal that the policy server daemon (pbmasterd), the local daemon (pblocald) and clients that are running in local mode (for example, pbrun -l ...) use to verify access to the log server daemon (pblogd). The host name and realm are appended to form the full principal.

Example: gprincipal pblogd_principal

Default: gprincipal pblogd

Used on:
  • Log hosts
  • Policy server hosts
  • Submit hosts
  • Run hosts

lprincipal

  • Version 4.0.0 and later: lprincipal setting available.

The lprincipal setting contains the principal that the policy server daemon (pbmasterd) and client programs use to verify access to the local daemon (pblocald). The host name and realm are appended to form the full principal.

Example: lprincipal pblocald_principal

Default: lprincipal pblocald

Used on:
  • Log hosts
  • Policy server hosts
  • Run hosts
  • Submit hosts

mprincipal

  • Version 4.0.0 and later: mprincipal setting available.

The mprincipal setting contains the principal that the Privilege Management for Unix and Linux clients use to verify access to the policy server daemon (pbmasterd). The host name and realm are appended to form the full principal.

Example: mprincipal pbmasterd_principal

Default: mprincipal pbmasterd

Used on:
  • Policy server hosts
  • Submit hosts

sprincipal

  • Version 5.2 and earlier: sprincipal setting not available.
  • Version 6.0 and later: sprincipal setting available.

The sprincipal setting contains the principal that the Privilege Management for Unix and Linux pbsync client uses to verify access to the log synchronization daemon (pbsyncd). The host name and realm are appended to form the full principal.

Example: sprincipal pbsync_principal

Default: sprincipal pbsyncd

Used on:
  • Log hosts
  • Policy server hosts
  • Sync hosts

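The principal-naming rule above (service name, then "/" plus host name, then "@" plus realm, with pbmasterd, pblocald, pblogd and pbsyncd as the defaults unless mprincipal, lprincipal, gprincipal or sprincipal override them) is easy to get out of step with the keytab. The following added example is not part of the product; it is a hypothetical audit helper that reads a constructed settings fragment and a constructed `klist -k` listing, resolves the full principals for the roles a host plays, and reports missing keytab entries, the discouraged keytab setting, and a DES-default cipher. The settings grammar (one "keyword value" per line, case-insensitive keywords) is an assumption.

```python
"""Check that a host's keytab covers the Kerberos principals its pb.settings imply.
Hypothetical helper, not part of Privilege Management for Unix and Linux."""
import re

# Default service principals and the settings keys that override them.
PRINCIPAL_DEFAULTS = {
    "mprincipal": "pbmasterd",  # policy server daemon
    "lprincipal": "pblocald",   # local daemon
    "gprincipal": "pblogd",     # log server daemon
    "sprincipal": "pbsyncd",    # log synchronization daemon
}

def parse_settings(text):
    """Parse 'keyword value' lines; '#' starts a comment (assumed grammar)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            settings[key.lower()] = value.strip()
    return settings

def full_principal(settings, key, host, realm):
    """Documented rule: (override or default service name) + '/' + host + '@' + realm."""
    return f"{settings.get(key, PRINCIPAL_DEFAULTS[key])}/{host}@{realm}"

def parse_keytab_listing(text):
    """Collect principal names from 'klist -k' style output (KVNO, then principal)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", text, re.M)}

def audit(settings_text, keytab_text, host, realm, roles):
    """Return findings for a host that uses the principal settings listed in roles."""
    s = parse_settings(settings_text)
    findings = []
    if s.get("kerberos", "no") != "yes":
        findings.append("kerberos is not set to yes; Kerberos features are disabled")
    if "keytab" in s:
        findings.append("keytab setting in use; prefer krb5.conf or KRB5_KTNAME")
    if s.get("keytabencryption", "des-hmac") == "des-hmac":
        findings.append("keytabencryption is the DES default; match the KDC's cipher")
    have = parse_keytab_listing(keytab_text)
    for key in roles:
        want = full_principal(s, key, host, realm)
        if want not in have:
            findings.append(f"missing keytab entry: {want}")
    return findings

# Constructed samples: gprincipal is overridden, but the keytab was built with the default.
SAMPLE_SETTINGS = "kerberos yes\nkeytabencryption arcfour-hmac\ngprincipal pblogd_principal\n"
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 pbmasterd/kerberizedmachine.your_realm.com@YOUR_REALM.COM
   2 pblocald/kerberizedmachine.your_realm.com@YOUR_REALM.COM
   2 pblogd/kerberizedmachine.your_realm.com@YOUR_REALM.COM
"""
```

Running audit on the samples for a host acting as policy server, run host and log host reports only the pblogd_principal entry as missing, which is exactly the mismatch an overridden gprincipal produces when the keytab still holds the default name.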
kerberosvalidatecacheuser

  • Version 4.0 and later: kerberosvalidatecacheuser setting available.

If set to yes, Privilege Management for Unix and Linux compares the current user's Unix/Linux username with the Kerberos client name in the ticket cache. If they do not match, it invalidates the cache and new credentials have to be provided.

Default: kerberosvalidatecacheuser no