

3.4 Starting Shishid

The Shishi server, or Key Distribution Center (KDC), is called Shishid. Shishid is responsible for listening on UDP and TCP ports for Kerberos requests. Currently it can handle initial ticket requests (Authentication Service, or AS), typically authenticated with keys derived from passwords, and subsequent ticket requests (Ticket Granting Service, or TGS), typically authenticated with the key acquired during an AS exchange.

Currently there is very little configuration available: the only variables are which ports the server should listen on and an optional user name to setuid into after the ports have been bound successfully.

By default, Shishid listens on the ‘kerberos’ service port (typically translated to 88 via /etc/services) on the UDP and TCP transports, via IPv4 and (if your machine supports it) IPv6, on all interfaces of your machine. Here is a typical startup.

     latte:/home/jas/src/shishi# /usr/local/sbin/shishid
     Initializing GNUTLS...
     Initializing GNUTLS...done
     Listening on IPv4:*:kerberos/udp...done
     Listening on IPv4:*:kerberos/tcp...done
     Listening on IPv6:*:kerberos/udp...failed
     socket: Address family not supported by protocol
     Listening on IPv6:*:kerberos/tcp...failed
     socket: Address family not supported by protocol
     Listening on 2 ports...

Running as root is not recommended: any security problem in shishid could then compromise your host. Therefore, we recommend using the ‘--setuid’ parameter, as follows.

     latte:/home/jas/src/shishi# /usr/local/sbin/shishid --setuid=jas
     Initializing GNUTLS...
     Initializing GNUTLS...done
     Listening on IPv4:*:kerberos/udp...done
     Listening on IPv4:*:kerberos/tcp...done
     Listening on IPv6:*:kerberos/udp...failed
     socket: Address family not supported by protocol
     Listening on IPv6:*:kerberos/tcp...failed
     socket: Address family not supported by protocol
     Listening on 2 ports...
     User identity set to `jas' (22541)...

An alternative is to run shishid on a different, unprivileged port as a non-privileged user. To continue the example of setting up the EXAMPLE.ORG realm as a non-privileged user from the preceding section, we start the server listening on port 4711 via UDP on IPv4.

     jas@latte:~$ /usr/local/sbin/shishid -l IPv4:*:4711/udp
     Initializing GNUTLS...
     Initializing GNUTLS...done
     Listening on *:4711/tcp...
     Listening on 1 ports...
     shishid: Starting (GNUTLS `1.0.4')
     shishid: Listening on *:4711/tcp socket 4
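
The startup transcript is the only confirmation of which sockets were bound and whether the server dropped root, so it is worth checking before admitting clients. The POSIX shell function below is an added example, not part of the Shishi manual or of shishid itself; `shishid_startup_ok` is a name chosen here, and the sample transcripts are constructed in the format shown above (failed IPv6 binds, as on the host above, are reported as warnings rather than errors).

```shell
#!/bin/sh
# Added example, not part of the Shishi manual or shishid itself: check a
# shishid startup transcript before admitting clients. The sample transcripts
# are constructed here in the format the manual shows; shishid_startup_ok is a
# name chosen for this example.

# Constructed transcript of a run with --setuid (IPv6 unavailable on the host).
SAMPLE_SETUID_LOG=$(cat <<'EOF'
Initializing GNUTLS...
Initializing GNUTLS...done
Listening on IPv4:*:kerberos/udp...done
Listening on IPv4:*:kerberos/tcp...done
Listening on IPv6:*:kerberos/udp...failed
socket: Address family not supported by protocol
Listening on IPv6:*:kerberos/tcp...failed
socket: Address family not supported by protocol
Listening on 2 ports...
User identity set to `jas' (22541)...
EOF
)
# The same run without --setuid: no "User identity set to" line, still root.
SAMPLE_ROOT_LOG=$(printf '%s\n' "$SAMPLE_SETUID_LOG" | grep -v '^User identity')

# shishid_startup_ok LOG MIN_PORTS
# Succeeds only if the transcript shows at least MIN_PORTS bound sockets and a
# "User identity set to" line with a non-zero uid. Failed binds (for example
# IPv6 on a host without it) are printed as warnings but are not fatal.
shishid_startup_ok() {
    log=$1
    min_ports=$2
    ports=$(printf '%s\n' "$log" | sed -n 's/^Listening on \([0-9][0-9]*\) ports\.\.\..*/\1/p')
    [ -n "$ports" ] || { echo "no 'Listening on N ports' summary line" >&2; return 1; }
    [ "$ports" -ge "$min_ports" ] || { echo "only $ports port(s) bound, expected $min_ports" >&2; return 1; }
    uid=$(printf '%s\n' "$log" | sed -n 's/^User identity set to .* (\([0-9][0-9]*\))\.\.\..*/\1/p')
    [ -n "$uid" ] || { echo "privileges not dropped: start shishid with --setuid" >&2; return 1; }
    [ "$uid" -ne 0 ] || { echo "setuid target is uid 0" >&2; return 1; }
    # Report binds that failed so an unexpectedly missing transport is noticed.
    printf '%s\n' "$log" | grep '^Listening on .*\.\.\.failed$' | sed 's/^/warning: /' >&2
    return 0
}

shishid_startup_ok "$SAMPLE_SETUID_LOG" 2 && echo "setuid run: ok"
shishid_startup_ok "$SAMPLE_ROOT_LOG" 2 || echo "root run: rejected"
```

In practice, pipe the real transcript in with `shishid ... 2>&1 | tee startup.log` and pass the file contents to the function.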

If you have set up the Shisa database as in the previous example, you can now acquire tickets as follows.

     jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711' \
        simon@EXAMPLE.ORG
     Enter password for `simon@EXAMPLE.ORG':
     simon@EXAMPLE.ORG:
     Authtime:       Fri Dec 12 01:41:01 2003
     Endtime:        Fri Dec 12 01:57:41 2003
     Server:         krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18)
     Ticket key:     aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
     Ticket flags:   FORWARDED PROXIABLE RENEWABLE INITIAL (12)
     jas@latte:~$

The output from Shishid on a successful invocation would look like:

     shishid: Has 131 bytes from *:4711/udp on socket 4
     shishid: Processing 131 from *:4711/udp on socket 4
     shishid: Trying AS-REQ
     shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
     shishid: Matching client etype 18 against user key etype 18
     shishid: Have 511 bytes for *:4711/udp on socket 4
     shishid: Sending 511 bytes to *:4711/udp socket 4 via UDP
     shishid: Listening on *:4711/udp socket 4

You may use the '-v' parameter for Shishid and Shishi to generate more debugging information.

To illustrate what an application, such as the Shishi-patched versions of GNU lsh or Telnet from GNU InetUtils, would do when contacting the host ‘mail.example.org’, we also show the TGS exchange.

     jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711' \
        simon@EXAMPLE.ORG host/mail.example.org
     simon@EXAMPLE.ORG:
     Authtime:       Fri Dec 12 01:46:54 2003
     Endtime:        Fri Dec 12 02:03:34 2003
     Server:         host/mail.example.org key des3-cbc-sha1-kd (16)
     Ticket key:     des3-cbc-sha1-kd (16) protected by aes256-cts-hmac-sha1-96 (18)
     Ticket flags:   FORWARDED PROXIABLE (45398796)
     jas@latte:~$

This concludes our walk-through of setting up a new Kerberos realm using Shishi. It is quite likely that one or more steps failed; if so, we encourage you to debug it and submit a patch, or at least report it as a problem. Heck, even letting us know that you got this far would be of interest. See Bug Reports.