Table of Contents ***************** Shishi 1 Introduction 1.1 Getting Started 1.2 Features and Status 1.3 Overview 1.4 Cryptographic Overview 1.5 Supported Platforms 1.6 Getting help 1.7 Commercial Support 1.8 Downloading and Installing 1.9 Bug Reports 1.10 Contributing 2 User Manual 2.1 Proxiable and Proxy Tickets 2.2 Forwardable and Forwarded Tickets 3 Administration Manual 3.1 Introduction to Shisa 3.2 Configuring Shisa 3.3 Using Shisa 3.4 Starting Shishid 3.5 Configuring DNS for KDC 3.5.1 DNS vs. Kerberos - Case Sensitivity of Realm Names 3.5.2 Overview - KDC location information 3.5.3 Example - KDC location information 3.5.4 Security considerations 3.6 Kerberos via TLS 3.6.1 Setting up TLS resume 3.6.2 Setting up Anonymous TLS 3.6.3 Setting up X.509 authenticated TLS 3.6.3.1 Create a Kerberos Certificate Authority 3.6.3.2 Create a Kerberos KDC Certificate 3.6.3.3 Create a Kerberos Client Certificate 3.6.3.4 Starting KDC with X.509 authentication support 3.7 Multiple servers 3.8 Developer information 4 Reference Manual 4.1 Environmental Assumptions 4.2 Glossary of terms 4.3 Realm and Principal Naming 4.3.1 Realm Names 4.3.2 Principal Names 4.3.2.1 Name of server principals 4.3.2.2 Name of the TGS 4.3.3 Choosing a principal with which to communicate 4.3.4 Principal Name Form 4.4 Shishi Configuration 4.4.1 `default-realm' 4.4.2 `default-principal' 4.4.3 `client-kdc-etypes' 4.4.4 `verbose', `verbose-asn1', `verbose-noise', `verbose-crypto', `verbose-crypto-noise' 4.4.5 `realm-kdc' 4.4.6 `server-realm' 4.4.7 `kdc-timeout', `kdc-retries' 4.4.8 `stringprocess' 4.4.9 `ticket-life' 4.4.10 `renew-life' 4.5 Shisa Configuration 4.5.1 `db' 4.6 Parameters for shishi 4.7 Parameters for shishid 4.8 Parameters for shisa 4.9 Environment variables 4.10 Date input formats 4.10.1 General date syntax 4.10.2 Calendar date items 4.10.3 Time of day items 4.10.4 Time zone items 4.10.5 Day of week items 4.10.6 Relative items in date strings 4.10.7 Pure numbers in date strings 4.10.8 Seconds since the Epoch 4.10.9 Specifying time zone rules 4.10.10 Authors of `get_date' 5 Programming Manual 5.1 Preparation 5.1.1 Header 5.1.2 Initialization 5.1.3 Version Check 5.1.4 Building the source 5.1.5 Autoconf tests 5.1.5.1 Autoconf test via `pkg-config' 5.1.5.2 Standalone Autoconf test using Libtool 5.1.5.3 Standalone Autoconf test 5.2 Initialization Functions 5.3 Ticket Set Functions 5.4 AP-REQ and AP-REP Functions 5.5 SAFE and PRIV Functions 5.6 Ticket Functions 5.7 AS Functions 5.8 TGS Functions 5.9 Ticket (ASN.1) Functions 5.10 AS/TGS Functions 5.11 Authenticator Functions 5.12 KRB-ERROR Functions 5.13 Cryptographic Functions 5.14 X.509 Functions 5.15 Utility Functions 5.16 ASN.1 Functions 5.17 Error Handling 5.17.1 Error Values 5.17.2 Error Functions 5.18 Examples 5.19 Kerberos Database Functions 5.20 Generic Security Service 6 Acknowledgements Appendix A Criticism of Kerberos Appendix B Protocol Extensions B.1 STARTTLS protected KDC exchanges B.1.1 TCP/IP transport with TLS upgrade (STARTTLS) B.1.2 Extensible typed hole based on reserved high bit B.1.3 STARTTLS requested by client (extension mode 1) B.1.4 STARTTLS request accepted by server (extension mode 2) B.1.5 Proceeding after successful TLS negotiation B.1.6 Proceeding after failed TLS negotiation B.1.7 Interaction with KDC addresses in DNS B.1.8 Using TLS authentication logic in Kerberos B.1.9 Security considerations B.2 Telnet encryption with AES-CCM B.2.1 Command Names and Codes B.2.2 Command Meanings B.2.3 Implementation Rules B.2.4 Integration with the AUTHENTICATION telnet option B.2.5 Security Considerations B.2.5.1 Telnet Encryption Protocol Security Considerations B.2.5.2 AES-CCM Security Considerations B.2.6 Acknowledgments B.3 Kerberized rsh and rlogin B.3.1 Establish connection B.3.2 Kerberos identification B.3.3 Kerberos authentication B.3.4 Extended authentication B.3.5 Window size B.3.6 End of authentication B.3.7 Encryption B.3.8 KCMDV0.3 B.3.9 MIT/Heimdal authorization B.4 Key as initialization vector B.5 The Keytab Binary File Format B.6 The Credential Cache Binary File Format Appendix C Copying Information C.1 GNU Free Documentation License C.2 GNU General Public License Function and Data Index Concept Index Shishi ****** This manual is last updated 24 June 2008 for version 0.0.37 of Shishi. Copyright (C) 2002, 2003, 2004, 2005, 2006, 2007, 2008 Simon Josefsson. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts. A copy of the license is included in the section entitled "GNU Free Documentation License". 1 Introduction ************** Shishi is an implementation of the Kerberos 5 network authentication system, as specified in RFC 4120. Shishi can be used to authenticate users in distributed systems. Shishi contains a library ('libshishi') that can be used by application developers to add support for Kerberos 5. Shishi contains a command line utility ('shishi') that is used by users to acquire and manage tickets (and more). The server side, a Key Distribution Center, is implemented by 'shishid'. Of course, a manual documenting usage aspects as well as the programming API is included. Shishi currently supports AS/TGS exchanges for acquiring tickets, pre-authentication, the AP exchange for performing client and server authentication, and SAFE/PRIV for integrity/privacy protected application data exchanges. Shishi is internationalized; error and status messages can be translated into the users' language; user name and passwords can be converted into any available character set (normally including ISO-8859-1 and UTF-8) and also be processed using an experimental Stringprep profile. Most, if not all, of the widely used encryption and checksum types are supported, such as 3DES, AES, ARCFOUR and HMAC-SHA1. Shishi is developed for the GNU/Linux system, but runs on over 20 platforms including most major Unix platforms and Windows, and many kind of devices including iPAQ handhelds and S/390 mainframes. Shishi is free software licensed under the GNU General Public License version 3.0. 1.1 Getting Started =================== This manual documents the Shishi application and library programming interface. All commands, functions and data types provided by Shishi are explained. The reader is assumed to possess basic familiarity with network security and the Kerberos 5 security system. This manual can be used in several ways. If read from the beginning to the end, it gives a good introduction into the library and how it can be used in an application. Forward references are included where necessary. Later on, the manual can be used as a reference manual to get just the information needed about any particular interface of the library. Experienced programmers might want to start looking at the examples at the end of the manual, and then only read up those parts of the interface which are unclear. 1.2 Features and Status ======================= Shishi might have a couple of advantages over other packages doing a similar job. It's Free Software Anybody can use, modify, and redistribute it under the terms of the GNU General Public License version 3.0 (*note GNU GPL::). It's thread-safe The library uses no global variables. It's internationalized It handles non-ASCII username and passwords and user visible strings used in the library (error messages) can be translated into the users' language. It's portable It should work on all Unix like operating systems, including Windows. Shishi is far from feature complete, it is not even a full RFC 1510 implementation yet. However, some basic functionality is implemented. A few implemented feature are mentioned below. * Initial authentication (AS) from raw key or password. This step is typically used to acquire a ticket granting ticket and, less commonly, a server ticket. * Subsequent authentication (TGS). This step is typically used to acquire a server ticket, by authenticating yourself using the ticket granting ticket. * Client-Server authentication (AP). This step is used by clients and servers to prove to each other who they are, using negotiated tickets. * Integrity protected communication (SAFE). This step is used by clients and servers to exchange integrity protected data with each other. The key is typically agreed on using the Client-Server authentication step. * Ticket cache, supporting multiple principals and realms. As tickets have a life time of typically several hours, they are managed in disk files. There can be multiple ticket caches, and each ticket cache can store tickets for multiple clients (users), servers, encryption types, etc. Functionality is provided for locating the proper ticket for every use. * Most standard cryptographic primitives. The believed most secure algorithms are supported (*note Cryptographic Overview::). * Telnet client and server. This is used to remotely login to other machines, after authenticating yourself with a ticket. * PAM module. This is used to login locally on a machine. * KDC addresses located using DNS SRV RRs. * Modularized low-level crypto interface. Currently Gnulib and Libgcrypt are supported. If you wish to add support for another low-level cryptographic library, you only have to implement a few APIs for DES, AES, MD5, SHA1, HMAC, etc. Look at `gl/gc-gnulib.c' or `gl/gc-libgcrypt.c' as a starting pointer. The following table summarize what the current objectives are (i.e., the todo list) and an estimate on how long it will take to implement the feature, including some reasonable startup-time to get familiar with Shishi in general. If you like to start working on anything, please let me know so work duplication can be avoided. * Parse `/etc/krb5.keytab' to extract keys to use for telnetd etc (week) * Cross-realm support (week). * PKINIT (use libksba, weeks) * Finish GSSAPI support via GSSLib (weeks) Shishi will not support GSSLib natively, but a separate project "GSSLib" is under way to produce a generic GSS implementation, and it will use Shishi to implement the Kerberos 5 mechanism. * Port to cyclone (cyclone need to mature first) * Modularize ASN.1 library so it can be replaced (days). Almost done, all ASN.1 functionality is found in lib/asn1.c, although the interface is rather libtasn1 centric. * KDC (initiated, weeks) * LDAP backend for Shisa. * Set/Change password protocol (weeks?) * Port applications to use Shishi (indefinite) * Finish server-realm stuff * Improve documentation * Improve internationalization * Add AP-REQ replay cache (week). * Study benefits by introducing a PA-TGS-REP. This would provide mutual authentication of the KDC in a way that is easier to analyze. Currently the mutual authentication property is only implicit from successful decryption of the KDC-REP and the 4 byte nonce. * GUI applet for managing tickets. This is supported via the ticket-applet, of which a Shishi port is published on the Shishi home page. * Authorization library (months?) The shishi_authorized_p() is not a good solution, better would be to have a generic and flexible authorization library. Possibly based on S-EXP's in tickets? Should support non-Kerberos uses as well, of course. * Proof read manual. * X.500 support, including DOMAIN-X500-COMPRESS. I will accept patches that implement this, if it causes minimal changes to the current code. 1.3 Overview ============ This section describes RFC 1510 from a protocol point of view(1). Kerberos provides a means of verifying the identities of principals, (e.g., a workstation user or a network server) on an open (unprotected) network. This is accomplished without relying on authentication by the host operating system, without basing trust on host addresses, without requiring physical security of all the hosts on the network, and under the assumption that packets traveling along the network can be read, modified, and inserted at will. (Note, however, that many applications use Kerberos' functions only upon the initiation of a stream-based network connection, and assume the absence of any "hijackers" who might subvert such a connection. Such use implicitly trusts the host addresses involved.) Kerberos performs authentication under these conditions as a trusted third- party authentication service by using conventional cryptography, i.e., shared secret key. (shared secret key - Secret and private are often used interchangeably in the literature. In our usage, it takes two (or more) to share a secret, thus a shared DES key is a secret key. Something is only private when no one but its owner knows it. Thus, in public key cryptosystems, one has a public and a private key.) The authentication process proceeds as follows: A client sends a request to the authentication server (AS) requesting "credentials" for a given server. The AS responds with these credentials, encrypted in the client's key. The credentials consist of 1) a "ticket" for the server and 2) a temporary encryption key (often called a "session key"). The client transmits the ticket (which contains the client's identity and a copy of the session key, all encrypted in the server's key) to the server. The session key (now shared by the client and server) is used to authenticate the client, and may optionally be used to authenticate the server. It may also be used to encrypt further communication between the two parties or to exchange a separate sub-session key to be used to encrypt further communication. The implementation consists of one or more authentication servers running on physically secure hosts. The authentication servers maintain a database of principals (i.e., users and servers) and their secret keys. Code libraries provide encryption and implement the Kerberos protocol. In order to add authentication to its transactions, a typical network application adds one or two calls to the Kerberos library, which results in the transmission of the necessary messages to achieve authentication. The Kerberos protocol consists of several sub-protocols (or exchanges). There are two methods by which a client can ask a Kerberos server for credentials. In the first approach, the client sends a cleartext request for a ticket for the desired server to the AS. The reply is sent encrypted in the client's secret key. Usually this request is for a ticket-granting ticket (TGT) which can later be used with the ticket-granting server (TGS). In the second method, the client sends a request to the TGS. The client sends the TGT to the TGS in the same manner as if it were contacting any other application server which requires Kerberos credentials. The reply is encrypted in the session key from the TGT. Once obtained, credentials may be used to verify the identity of the principals in a transaction, to ensure the integrity of messages exchanged between them, or to preserve privacy of the messages. The application is free to choose whatever protection may be necessary. To verify the identities of the principals in a transaction, the client transmits the ticket to the server. Since the ticket is sent "in the clear" (parts of it are encrypted, but this encryption doesn't thwart replay) and might be intercepted and reused by an attacker, additional information is sent to prove that the message was originated by the principal to whom the ticket was issued. This information (called the authenticator) is encrypted in the session key, and includes a timestamp. The timestamp proves that the message was recently generated and is not a replay. Encrypting the authenticator in the session key proves that it was generated by a party possessing the session key. Since no one except the requesting principal and the server know the session key (it is never sent over the network in the clear) this guarantees the identity of the client. The integrity of the messages exchanged between principals can also be guaranteed using the session key (passed in the ticket and contained in the credentials). This approach provides detection of both replay attacks and message stream modification attacks. It is accomplished by generating and transmitting a collision-proof checksum (elsewhere called a hash or digest function) of the client's message, keyed with the session key. Privacy and integrity of the messages exchanged between principals can be secured by encrypting the data to be passed using the session key passed in the ticket, and contained in the credentials. ---------- Footnotes ---------- (1) The text is a lightly adapted version of the introduction section from RFC 1510 by J. Kohl and C. Neuman, September 1993, copyright likely owned by the RFC 1510 authors or some contributor. 1.4 Cryptographic Overview ========================== Shishi implements several of the standard cryptographic primitives. In this section we give the names of the supported encryption suites, and some notes about them, and their associated checksum suite. Statements such as "it is weak" should be read as meaning that there is no credible security analysis of the mechanism available, and/or that should an attack be published publicly, few people would likely be surprised. Also keep in mind that the key size mentioned is the actual key size, not the effective key space as far as a brute force attack is concerned. As you may infer from the descriptions, there is currently no encryption algorithm and only one checksum algorithm that inspire great confidence in its design. Hopefully this will change over time. `NULL' `NULL' is a dummy encryption suite for debugging. Encryption and decryption are identity functions. No integrity protection. It is weak. It is associated with the `NULL' checksum. `arcfour-hmac' `arcfour-hmac-exp' `arcfour-hmac-*' are a proprietary stream cipher with 56 bit (`arcfour-hmac-exp') or 128 bit (`arcfour-hmac') keys, used in a proprietary way described in an expired IETF draft `draft-brezak-win2k-krb-rc4-hmac-04.txt'. Deriving keys from passwords is supported, and is done by computing a message digest (MD4) of a 16-bit Unicode representation of the ASCII password, with no salt. Data is integrity protected with a keyed hash (HMAC-MD5), where the key is derived from the base key in a creative way. It is weak. It is associated with the `arcfour-hmac-md5' checksum. `des-cbc-none' `des-cbc-none' is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. It is weak, because it offers no integrity protection. This is typically only used by RFC 1964 GSS-API implementations (which try to protect integrity using an ad-hoc solution). It is associated with the `NULL' checksum. `des-cbc-crc' `des-cbc-crc' is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using the key as IV (*note Key as initialization vector::). The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted `CRC32'-like checksum. It is weak. It is associated with the `rsa-md5-des' checksum. `des-cbc-md4' `des-cbc-md4' is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD4 hash. It is weak. It is associated with the `rsa-md4-des' checksum. `des-cbc-md5' `des-cbc-md5' is DES encryption and decryption with 56 bit keys and 8 byte blocks in CBC mode, using a zero IV. The keys can be derived from passwords by an obscure application specific algorithm. Data is integrity protected with an unkeyed but encrypted MD5 hash. It is weak. It is associated with the `rsa-md5-des' checksum. This is the strongest RFC 1510 interoperable encryption mechanism. `des3-cbc-none' `des3-cbc-none' is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by the same algorithm as `des3-cbc-sha1-kd'. It is weak, because it offers no integrity protection. This is typically only used by GSS-API implementations (which try to protect integrity using an ad-hoc solution) for interoperability with some existing Kerberos GSS implementations. It is associated with the `NULL' checksum. `des3-cbc-sha1-kd' `des3-cbc-sha1-kd' is DES encryption and decryption with three 56 bit keys (effective key size 112 bits) and 8 byte blocks in CBC mode. The keys can be derived from passwords by a algorithm based on the paper "A Better Key Schedule For DES-like Ciphers" (1) by Uri Blumenthal and Steven M. Bellovin (it is not clear if the algorithm, and the way it is used, is used by any other protocols, although it seems unlikely). Data is integrity protected with a keyed SHA1 hash in HMAC mode. It has no security proof, but is assumed to provide adequate security in the sense that knowledge on how to crack it is not known to the public. Note that the key derivation function is not widely used outside of Kerberos, hence not widely studied. It is associated with the `hmac-sha1-des3-kd' checksum. `aes128-cts-hmac-sha1-96' `aes256-cts-hmac-sha1-96' `aes128-cts-hmac-sha1-96' and `aes256-cts-hmac-sha1-96' is AES encryption and decryption with 128 bit and 256 bit key, respectively, and 16 byte blocks in CBC mode with Cipher Text Stealing. Cipher Text Stealing means data length of encrypted data is preserved (pure CBC add up to 7 pad characters). The keys can be derived from passwords with RSA Laboratories PKCS#5 Password Based Key Derivation Function 2(2), which is allegedly provably secure in a random oracle model. Data is integrity protected with a keyed SHA1 hash, in HMAC mode, truncated to 96 bits. There is no security proof, but the schemes are assumed to provide adequate security in the sense that knowledge on how to crack them is not known to the public. Note that AES has yet to receive the test of time, and the AES cipher encryption mode (CBC with Ciphertext Stealing, and a non-standard IV output) is not widely standardized (hence not widely studied). It is associated with the `hmac-sha1-96-aes128' and `hmac-sha1-96-aes256' checksums, respectively. The protocol do not include any way to negotiate which checksum mechanisms to use, so in most cases the associated checksum will be used. However, checksum mechanisms can be used with other encryption mechanisms, as long as they are compatible in terms of key format etc. Here are the names of the supported checksum mechanisms, with some notes on their status and the compatible encryption mechanisms. They are ordered by increased security as perceived by the author. `NULL' `NULL' is a dummy checksum suite for debugging. It provides no integrity. It is weak. It is compatible with the `NULL' encryption mechanism. `arcfour-hmac-md5' `arcfour-hmac-md5' is a keyed HMAC-MD5 checksum computed on a MD5 message digest, in turn computed on a four byte message type indicator concatenated with the application data. (The `arcfour' designation is thus somewhat misleading, but since this checksum mechanism is described in the same document as the `arcfour' encryption mechanisms, it is not a completely unnatural designation.) It is weak. It is compatible with all encryption mechanisms. `rsa-md4' `rsa-md4' is a unkeyed MD4 hash computed over the message. It is weak, because it is unkeyed. However applications can, with care, use it non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms. `rsa-md4-des' `rsa-md4-des' is a DES CBC encryption of one block of random data and a unkeyed MD4 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the `des-cbc-crc', `des-cbc-md4', `des-cbc-md5' encryption mechanisms. `rsa-md5' `rsa-md5' is a unkeyed MD5 hash computed over the message. It is weak, because it is unkeyed. However applications can, with care, use it non-weak ways (e.g., by including the hash in other messages that are protected by other means). It is compatible with all encryption mechanisms. `rsa-md5-des' `rsa-md5-des' is a DES CBC encryption of one block of random data and a unkeyed MD5 hash computed over the random data and the message to integrity protect. The key used is derived from the base protocol key by XOR with a constant. It is weak. It is compatible with the `des-cbc-crc', `des-cbc-md4', `des-cbc-md5' encryption mechanisms. `hmac-sha1-des3-kd' `hmac-sha1-des3-kd' is a keyed SHA1 hash in HMAC mode computed over the message. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of `des3-cbc-sha1-kd', which does not appear to be widely used outside Kerberos and hence not widely studied). It has no security proof, but is assumed to provide good security. The weakest part is likely the proprietary key derivation function. It is compatible with the `des3-cbc-sha1-kd' encryption mechanism. `hmac-sha1-96-aes128' `hmac-sha1-96-aes256' `hmac-sha1-96-aes*' are keyed SHA1 hashes in HMAC mode computed over the message and then truncated to 96 bits. The key is derived from the base protocol by the simplified key derivation function (similar to the password key derivation functions of `aes*-cts-hmac-sha1-96', i.e., PKCS#5). It has no security proof, but is assumed to provide good security. It is compatible with the `aes*-cts-hmac-sha1-96' encryption mechanisms. Several of the cipher suites have long names that can be hard to memorize. For your convenience, the following short-hand aliases exists. They can be used wherever the full encryption names are used. `arcfour' Alias for `arcfour-hmac'. `des-crc' Alias for `des-cbc-crc'. `des-md4' Alias for `des-cbc-md4'. `des-md5' `des' Alias for `des-cbc-md5'. `des3' `3des' Alias for `des3-cbc-sha1-kd'. `aes128' Alias for `aes128-cts-hmac-sha1-96'. `aes' `aes256' Alias for `aes256-cts-hmac-sha1-96'. ---------- Footnotes ---------- (1) `http://www.research.att.com/~smb/papers/ides.pdf' (2) `http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/' 1.5 Supported Platforms ======================= Shishi has at some point in time been tested on the following platforms. Online build reports for each platforms and Shishi version is available at `http://josefsson.org/autobuild/'. 1. Debian GNU/Linux 3.0 (Woody) GCC 2.95.4 and GNU Make. This is the main development platform. `alphaev67-unknown-linux-gnu', `alphaev6-unknown-linux-gnu', `arm-unknown-linux-gnu', `armv4l-unknown-linux-gnu', `hppa-unknown-linux-gnu', `hppa64-unknown-linux-gnu', `i686-pc-linux-gnu', `ia64-unknown-linux-gnu', `m68k-unknown-linux-gnu', `mips-unknown-linux-gnu', `mipsel-unknown-linux-gnu', `powerpc-unknown-linux-gnu', `s390-ibm-linux-gnu', `sparc-unknown-linux-gnu', `sparc64-unknown-linux-gnu'. 2. Debian GNU/Linux 2.1 GCC 2.95.4 and GNU Make. `armv4l-unknown-linux-gnu'. 3. Tru64 UNIX Tru64 UNIX C compiler and Tru64 Make. `alphaev67-dec-osf5.1', `alphaev68-dec-osf5.1'. 4. SuSE Linux 7.1 GCC 2.96 and GNU Make. `alphaev6-unknown-linux-gnu', `alphaev67-unknown-linux-gnu'. 5. SuSE Linux 7.2a GCC 3.0 and GNU Make. `ia64-unknown-linux-gnu'. 6. SuSE Linux GCC 3.2.2 and GNU Make. `x86_64-unknown-linux-gnu' (AMD64 Opteron "Melody"). 7. RedHat Linux 7.2 GCC 2.96 and GNU Make. `alphaev6-unknown-linux-gnu', `alphaev67-unknown-linux-gnu', `ia64-unknown-linux-gnu'. 8. RedHat Linux 8.0 GCC 3.2 and GNU Make. `i686-pc-linux-gnu'. 9. RedHat Advanced Server 2.1 GCC 2.96 and GNU Make. `i686-pc-linux-gnu'. 10. Slackware Linux 8.0.01 GCC 2.95.3 and GNU Make. `i686-pc-linux-gnu'. 11. Mandrake Linux 9.0 GCC 3.2 and GNU Make. `i686-pc-linux-gnu'. 12. IRIX 6.5 MIPS C compiler, IRIX Make. `mips-sgi-irix6.5'. 13. AIX 4.3.2 IBM C for AIX compiler, AIX Make. `rs6000-ibm-aix4.3.2.0'. 14. HP-UX 11 HP-UX C compiler and HP Make. `ia64-hp-hpux11.22', `hppa2.0w-hp-hpux11.11'. 15. SUN Solaris 2.8 Sun WorkShop Compiler C 6.0 and SUN Make. `sparc-sun-solaris2.8'. 16. NetBSD 1.6 GCC 2.95.3 and GNU Make. `alpha-unknown-netbsd1.6', `i386-unknown-netbsdelf1.6'. 17. OpenBSD 3.1 and 3.2 GCC 2.95.3 and GNU Make. `alpha-unknown-openbsd3.1', `i386-unknown-openbsd3.1'. 18. FreeBSD 4.7 and 4.8 GCC 2.95.4 and GNU Make. `alpha-unknown-freebsd4.7', `alpha-unknown-freebsd4.8', `i386-unknown-freebsd4.7', `i386-unknown-freebsd4.8'. 19. MacOS X 10.2 Server Edition GCC 3.1 and GNU Make. `powerpc-apple-darwin6.5'. 20. Cross compiled to uClinux/uClibc on Motorola Coldfire. GCC 3.4 and GNU Make `m68k-uclinux-elf'. If you use Shishi on, or port Shishi to, a new platform please report it to the author (*note Bug Reports::). 1.6 Getting help ================ A mailing list where users of Shishi may help each other exists, and you can reach it by sending e-mail to . Archives of the mailing list discussions, and an interface to manage subscriptions, is available through the World Wide Web at `http://lists.gnu.org/mailman/listinfo/help-shishi'. 1.7 Commercial Support ====================== Commercial support is available for users of Shishi. The kind of support that can be purchased may include: * Implement new features. Such as support for some optional part of the Kerberos standards, e.g. PKINIT, hardware token authentication. * Port Shishi to new platforms. This could include porting Shishi to an embedded platforms that may need memory or size optimization. * Integrate Kerberos 5 support in your existing project. * System design of components related to Kerberos 5. If you are interested, please write to: Simon Josefsson Datakonsult Hagagatan 24 113 47 Stockholm Sweden E-mail: simon@josefsson.org If your company provide support related to Shishi and would like to be mentioned here, contact the author (*note Bug Reports::). 1.8 Downloading and Installing ============================== The package can be downloaded from several places, including: `http://josefsson.org/shishi/releases/' The latest version is stored in a file, e.g., `shishi-0.0.37.tar.gz' where the `0.0.37' indicate the highest version number. The package is then extracted, configured and built like many other packages that use Autoconf. For detailed information on configuring and building it, refer to the `INSTALL' file that is part of the distribution archive. Here is an example terminal session that download, configure, build and install the package. You will need a few basic tools, such as `sh', `make' and `cc'. $ wget -q http://josefsson.org/shishi/releases/shishi-0.0.37.tar.gz $ tar xfz shishi-0.0.37.tar.gz $ cd shishi-0.0.37/ $ ./configure ... $ make ... $ make install ... After this you should be prepared to continue with the user, administration or programming manual, depending on how you want to use Shishi. A few `configure' options may be relevant, summarized in the table. `--disable-des' `--disable-3des' `--disable-aes' `--disable-md' `--disable-null' `--disable-arcfour' Disable a cryptographic algorithm at compile time. Usually it is better to disable algorithms during run-time with the configuration file, but this allows you to reduce the code size slightly. `--disable-starttls' Disable the experimental TLS support for KDC connections. If you do not use a Shishi KDC, this support is of no use so you could safely disable it. `--without-stringprep' Disable internationalized string processing. For the complete list, refer to the output from `configure --help'. 1.9 Bug Reports =============== If you think you have found a bug in Shishi, please investigate it and report it. * Please make sure that the bug is really in Shishi, and preferably also check that it hasn't already been fixed in the latest version. * You have to send us a test case that makes it possible for us to reproduce the bug. * You also have to explain what is wrong; if you get a crash, or if the results printed are not good and in that case, in what way. Make sure that the bug report includes all information you would need to fix this kind of bug for someone else. Please make an effort to produce a self-contained report, with something definite that can be tested or debugged. Vague queries or piecemeal messages are difficult to act on and don't help the development effort. If your bug report is good, we will do our best to help you to get a corrected version of the software; if the bug report is poor, we won't do anything about it (apart from asking you to send better bug reports). If you think something in this manual is unclear, or downright incorrect, or if the language needs to be improved, please also send a note. Send your bug report to: `bug-shishi@josefsson.org' 1.10 Contributing ================= If you want to submit a patch for inclusion - from solve a typo you discovered, up to adding support for a new feature - you should submit it as a bug report (*note Bug Reports::). There are some things that you can do to increase the chances for it to be included in the official package. Unless your patch is very small (say, under 10 lines) we require that you assign the copyright of your work to the Free Software Foundation. This is to protect the freedom of the project. If you have not already signed papers, we will send you the necessary information when you submit your contribution. For contributions that doesn't consist of actual programming code, the only guidelines are common sense. Use it. For code contributions, a number of style guides will help you: * Coding Style. Follow the GNU Standards document (*note GNU Coding Standards: (standards)top.). If you normally code using another coding standard, there is no problem, but you should use `indent' to reformat the code (*note GNU Indent: (indent)top.) before submitting your work. * Use the unified diff format `diff -u'. * Return errors. The only valid reason for ever aborting the execution of the program is due to memory allocation errors, but for that you should call `xalloc_die' to allow the application to recover if it wants to. * Design with thread safety in mind. Don't use global variables. Don't even write to per-handle global variables unless the documented behaviour of the function you write is to write to the per-handle global variable. * Avoid using the C math library. It causes problems for embedded implementations, and in most situations it is very easy to avoid using it. * Document your functions. Use comments before each function headers, that, if properly formatted, are extracted into Texinfo manuals and GTK-DOC web pages. * Supply a ChangeLog and NEWS entries, where appropriate. 2 User Manual ************* Usually Shishi interacts with you to get some initial authentication information like a password, and then contacts a server to receive a so called ticket granting ticket. From now on, you rarely interacts with Shishi directly. Applications that needs security services instruct the Shishi library to use the ticket granting ticket to get new tickets for various servers. An example could be if you log on to a host remotely via `telnet'. The host usually requires authentication before permitting you in. The `telnet' client uses the ticket granting ticket to get a ticket for the server, and then use this ticket to authenticate you against the server (typically the server is also authenticated to you). You perform the initial authentication by typing `shishi' at the prompt. Sometimes it is necessary to supply options telling Shishi what your principal name (user name in the Kerberos realm) or realm is. In the example, I specify the client name `simon@JOSEFSSON.ORG'. $ shishi simon@JOSEFSSON.ORG Enter password for `simon@JOSEFSSON.ORG': simon@JOSEFSSON.ORG: Authtime: Fri Aug 15 04:44:49 2003 Endtime: Fri Aug 15 05:01:29 2003 Server: krbtgt/JOSEFSSON.ORG key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: INITIAL (512) $ As you can see, Shishi also prints a short description of the ticket received. A logical next step is to display all tickets you have received (by the way, the tickets are usually stored as text in `~/.shishi/tickets'). This is achieved by typing `shishi --list'. $ shishi --list Tickets in `/home/jas/.shishi/tickets': jas@JOSEFSSON.ORG: Authtime: Fri Aug 15 04:49:46 2003 Endtime: Fri Aug 15 05:06:26 2003 Server: krbtgt/JOSEFSSON.ORG key des-cbc-md5 (3) Ticket key: des-cbc-md5 (3) protected by des-cbc-md5 (3) Ticket flags: INITIAL (512) jas@JOSEFSSON.ORG: Authtime: Fri Aug 15 04:49:46 2003 Starttime: Fri Aug 15 04:49:49 2003 Endtime: Fri Aug 15 05:06:26 2003 Server: host/latte.josefsson.org key des-cbc-md5 (3) Ticket key: des-cbc-md5 (3) protected by des-cbc-md5 (3) 2 tickets found. $ As you can see, I had a ticket for the server `host/latte.josefsson.org' which was generated by `telnet':ing to that host. If, for some reason, you want to manually get a ticket for a specific server, you can use the `shishi --server-name' command. Normally, however, the application that uses Shishi will take care of getting a ticket for the appropriate server, so you normally wouldn't need this command. $ shishi --server-name=user/billg --encryption-type=des-cbc-md4 jas@JOSEFSSON.ORG: Authtime: Fri Aug 15 04:49:46 2003 Starttime: Fri Aug 15 04:54:33 2003 Endtime: Fri Aug 15 05:06:26 2003 Server: user/billg key des-cbc-md4 (2) Ticket key: des-cbc-md4 (2) protected by des-cbc-md5 (3) $ As you can see, I acquired a ticket for `user/billg' with a `des-cbc-md4' (*note Cryptographic Overview::) encryption key specified with the `--encryption-type' parameter. To wrap up this introduction, lets see how you can remove tickets. You may want to do this if you leave your terminal for lunch or similar, and don't want someone to be able to copy the file and then use your credentials. Note that this only destroy the tickets locally, it does not contact any server and tell it that these credentials are no longer valid. So if someone stole your ticket file, you must contact your administrator and have them reset your account, simply using this parameter is not sufficient. $ shishi --server-name=imap/latte.josefsson.org --destroy 1 ticket removed. $ shishi --server-name=foobar --destroy No tickets removed. $ shishi --destroy 3 tickets removed. $ Since the `--server-name' parameter takes a long to type, it is possible to type the server name directly, after the client name. The following example demonstrate a AS-REQ followed by a TGS-REQ for a specific server (assuming you did not have any tickets from the start). $ src/shishi simon@latte.josefsson.org imap/latte.josefsson.org Enter password for `simon@latte.josefsson.org': simon@latte.josefsson.org: Acquired: Wed Aug 27 17:21:06 2003 Expires: Wed Aug 27 17:37:46 2003 Server: imap/latte.josefsson.org key aes256-cts-hmac-sha1-96 (18) Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18) Ticket flags: FORWARDED PROXIABLE (12) $ Refer to the reference manual for all available parameters (*note Parameters for shishi::). The rest of this section contains description of more specialized usage modes that can be ignored by most users. 2.1 Proxiable and Proxy Tickets =============================== At times it may be necessary for a principal to allow a service to perform an operation on its behalf. The service must be able to take on the identity of the client, but only for a particular purpose. A principal can allow a service to take on the principal's identity for a particular purpose by granting it a proxy. The process of granting a proxy using the proxy and proxiable flags is used to provide credentials for use with specific services. Though conceptually also a proxy, users wishing to delegate their identity in a form usable for all purpose MUST use the ticket forwarding mechanism described in the next section to forward a ticket-granting ticket. The PROXIABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. When set, this flag tells the ticket-granting server that it is OK to issue a new ticket (but not a ticket-granting ticket) with a different network address based on this ticket. This flag is set if requested by the client on initial authentication. By default, the client will request that it be set when requesting a ticket-granting ticket, and reset when requesting any other ticket. This flag allows a client to pass a proxy to a server to perform a remote request on its behalf (e.g. a print service client can give the print server a proxy to access the client's files on a particular file server in order to satisfy a print request). In order to complicate the use of stolen credentials, Kerberos tickets are usually valid from only those network addresses specifically included in the ticket[4]. When granting a proxy, the client MUST specify the new network address from which the proxy is to be used, or indicate that the proxy is to be issued for use from any address. The PROXY flag is set in a ticket by the TGS when it issues a proxy ticket. Application servers MAY check this flag and at their option they MAY require additional authentication from the agent presenting the proxy in order to provide an audit trail. Here is how you would acquire a PROXY ticket for the service `imap/latte.josefsson.org': $ shishi jas@JOSEFSSON.ORG imap/latte.josefsson.org --proxy Enter password for `jas@JOSEFSSON.ORG': libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:02:35 2003 Starttime: Mon Sep 8 20:02:36 2003 Endtime: Tue Sep 9 04:02:35 2003 Server: imap/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: PROXY (16) $ As you noticed, this asked for your password. The reason is that proxy tickets must be acquired using a proxiable ticket granting ticket, which was not present. If you often need to get proxy tickets, you may acquire a proxiable ticket granting ticket from the start: $ shishi --proxiable Enter password for `jas@JOSEFSSON.ORG': jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:04:27 2003 Endtime: Tue Sep 9 04:04:27 2003 Server: krbtgt/JOSEFSSON.ORG key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: PROXIABLE INITIAL (520) Then you should be able to acquire proxy tickets based on that ticket granting ticket, as follows: $ shishi jas@JOSEFSSON.ORG imap/latte.josefsson.org --proxy libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:04:27 2003 Starttime: Mon Sep 8 20:04:32 2003 Endtime: Tue Sep 9 04:04:27 2003 Server: imap/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: PROXY (16) $ 2.2 Forwardable and Forwarded Tickets ===================================== Authentication forwarding is an instance of a proxy where the service that is granted is complete use of the client's identity. An example where it might be used is when a user logs in to a remote system and wants authentication to work from that system as if the login were local. The FORWARDABLE flag in a ticket is normally only interpreted by the ticket-granting service. It can be ignored by application servers. The FORWARDABLE flag has an interpretation similar to that of the PROXIABLE flag, except ticket-granting tickets may also be issued with different network addresses. This flag is reset by default, but users MAY request that it be set by setting the FORWARDABLE option in the AS request when they request their initial ticket-granting ticket. This flag allows for authentication forwarding without requiring the user to enter a password again. If the flag is not set, then authentication forwarding is not permitted, but the same result can still be achieved if the user engages in the AS exchange specifying the requested network addresses and supplies a password. The FORWARDED flag is set by the TGS when a client presents a ticket with the FORWARDABLE flag set and requests a forwarded ticket by specifying the FORWARDED KDC option and supplying a set of addresses for the new ticket. It is also set in all tickets issued based on tickets with the FORWARDED flag set. Application servers may choose to process FORWARDED tickets differently than non-FORWARDED tickets. If addressless tickets are forwarded from one system to another, clients SHOULD still use this option to obtain a new TGT in order to have different session keys on the different systems. Here is how you would acquire a FORWARDED ticket for the service `host/latte.josefsson.org': $ shishi jas@JOSEFSSON.ORG host/latte.josefsson.org --forwarded Enter password for `jas@JOSEFSSON.ORG': libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:07:11 2003 Starttime: Mon Sep 8 20:07:12 2003 Endtime: Tue Sep 9 04:07:11 2003 Server: host/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDED (4) $ As you noticed, this asked for your password. The reason is that forwarded tickets must be acquired using a forwardable ticket granting ticket, which was not present. If you often need to get forwarded tickets, you may acquire a forwardable ticket granting ticket from the start: $ shishi --forwardable Enter password for `jas@JOSEFSSON.ORG': jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:08:53 2003 Endtime: Tue Sep 9 04:08:53 2003 Server: krbtgt/JOSEFSSON.ORG key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDABLE INITIAL (514) $ Then you should be able to acquire forwarded tickets based on that ticket granting ticket, as follows: $ shishi jas@JOSEFSSON.ORG host/latte.josefsson.org --forwarded libshishi: warning: KDC bug: Reply encrypted using wrong key. jas@JOSEFSSON.ORG: Authtime: Mon Sep 8 20:08:53 2003 Starttime: Mon Sep 8 20:08:57 2003 Endtime: Tue Sep 9 04:08:53 2003 Server: host/latte.josefsson.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by des3-cbc-sha1-kd (16) Ticket flags: FORWARDED (4) $ 3 Administration Manual *********************** Here you will learn how to set up, run and maintain the Shishi Kerberos server. Kerberos is incompatible with the standard Unix `/etc/passwd' password database(1), therefor the first step will be to create a Kerberos user database. Shishi's user database system is called Shisa. Once Shisa is configured, you can then start the server and begin issuing Kerberos tickets to your users. The Shishi server is called `shishid'. After getting the server up and running, we discuss how you can set up multiple Kerberos servers, to increase availability or offer load-balancing. Finally, we include some information intended for developers, that will enable you to customize Shisa to use an external user database, such as a LDAP server or SQL database. ---------- Footnotes ---------- (1) And besides, Shishi is intended to work on non-Unix platforms as well. 3.1 Introduction to Shisa ========================= The user database part of Shishi is called Shisa. The Shisa library is independent of the core Shishi library. Shisa is responsible for storing the name of your realms, the name of your principals (users), accounting information for the users (i.e., when each account start to be valid and when it expire), and the cryptographic keys each user have. Some Kerberos internal data can also be stored, such as the key version number, the last dates for when various ticket requests were made, the cryptographic salt, string-to-key parameters and password for each user. Not all information need to be stored. For example, in some situations it is prudent to leave the password field empty, so that somebody who manage to steal the user database will only be able to compromise your system, and not other systems were your user may have re-used the same password. On the other hand, you may already store the password in your customized database, in which case being able to change it via the Shisa interface can be useful. Shisa is a small (a few thousand lines of C code) standalone library. Shisa does not depend on the Shishi library. Because a user database with passwords may be useful for other applications as well (e.g., GNU SASL), it may be separated into its own project later on. You should keep this in mind, so that you don't consider writing a Shisa backend for your own database a purely Shishi specific project. You may, for example, chose to use the Shisa interface in your own applications to have a simple interface to your user database. Your experience and feedback is appreciated if you chose to explore this. Note that the Shisa database does not expose everything you may want to know about a user, such as its full human name, telephone number or even the user's login account name or home directory. It only store what is needed to authenticate a peer claiming to be an entity. Thus it does not make sense to replace your current user database or `/etc/passwd' with data derived from the Shisa database. Instead, it is intended that you write a Shisa backend that export some of the information stored in your user database. You may be able to replace some existing functionality, such as the password field in `/etc/passwd' with a Kerberos PAM module, but there is no requirement for doing so. 3.2 Configuring Shisa ===================== The configuration file for Shisa is typically stored in `/usr/local/etc/shishi/shisa.conf'. You do not have to configure this file, the defaults should be acceptable to first-time users. The file is used to define where you user database reside, and some options such as making the database read-only or whether errors detected when accessing the database should be ignored. (The latter may be useful if the server is a remote LDAP server that may be unavailable, and you want to fail over to a local copy of the database.) The default will store the user database using directories and files, rooted by default in `/usr/local/var/shishi'. You may use standard file permission settings to control access to the directory hierarchy. It is strongly recommended to restrict access to the directory. Storing the directory on local storage (i.e., hard disk or removal media) is recommended. We discourage placing the database on a network file system, but realize it can be useful in some situations (*note Multiple servers::). See the reference manual (*note Shisa Configuration::) for the details of the configuration file. Again, you are not expected to need to modify anything unless you are an experienced Shishi administrator. 3.3 Using Shisa =============== There is a command line interface to the Shisa library, aptly named `shisa'. You will use this tool to add, remove and change information stored in the database about realms, principals and keys. The tool can also be used to "dump" all information in the database, for backup or debugging purposes. (Currently the output format cannot be read by any tool, but functionality to do this will be added in the future, possibly as a read-only file-based Shisa database backend.) The reference manual (*note Parameters for shisa::) explains all parameters, but here we will give you a walk-through of the typical uses of the tool. Installing Shishi usually create a realm with two principals; one ticket granting ticket for the realm, and one host key for the server. This is what you typically need to get started, but it doesn't serve our purposes. So we start by removing the principals and the realm. To do that, we need to figure out the name of the realm. The `--list' or `--dump' parameters can be used for this. (Most "long" parameters, like `--dump', have shorter names as well, in this case `-d', *note Parameters for shisa::). jas@latte:~$ shisa -d latte krbtgt/latte Account is enabled. Current key version 0 (0x0). Key 0 (0x0). Etype aes256-cts-hmac-sha1-96 (0x12, 18). Salt lattekrbtgt/latte. host/latte Account is enabled. Current key version 0 (0x0). Key 0 (0x0). Etype aes256-cts-hmac-sha1-96 (0x12, 18). Salt lattehost/latte. jas@latte:~$ The realm names are printed at column 0, the principal names are indented with one `TAB' character (aka `\t' or ASCII 0x09 Horizontal Tabulation), and the information about each principal are indented with two `TAB' characters. The above output means that there is one realm `latte' with two principals; `krbtgt/latte' (which is used to authenticate Kerberos ticket requests) and `host/latte' (used to authenticate host-based applications like Telnet). They were created during `make install' on a host called `latte'. If the installation did not create a default database for you, you might get an error similar to the following. jas@latte:~$ shisa -d shisa: Cannot initialize `file' database backend. Location `/usr/local/var/shishi' and options `N/A'. shisa: Initialization failed: Shisa database could not be opened. jas@latte:~$ This indicate the database do not exist. For a file database, you can create it by simply creating the directory, as follows. Note the access permission change with `chmod'. Typically the `root' user would own the files, but as these examples demonstrate, setting up a Kerberos server does not require root access. Indeed, it may be prudent to run all Shishi applications as a special non-`root' user, and have all Shishi related files owned by that user, so that any security vulnerabilities does not lead to a system compromise. (However, if the user database is stolen, system compromises of other systems may be possible if you use, e.g., Kerberos Telnet.) jas@latte:~$ mkdir /usr/local/var/shishi jas@latte:~$ chmod go-rwx /usr/local/var/shishi Back to the first example, where you have a realm `latte' with some principals. We want to remove the realm to demonstrate how you create the realm from scratch. (Of course, you can have more than one realm in the database, but for this example we assume you want to set up a realm named the same as Shishi guessed you would name it, so the existing realm need to be removed first.) The `--remove' (short form `-r') parameter is used for this purpose, as follows. jas@latte:~$ shisa -r latte host/latte Removing principal `host/latte@latte'... Removing principal `host/latte@latte'...done jas@latte:~$ shisa -r latte krbtgt/latte Removing principal `krbtgt/latte@latte'... Removing principal `krbtgt/latte@latte'...done jas@latte:~$ shisa -r latte Removing realm `latte'... Removing realm `latte'...done jas@latte:~$ You may be asking yourself "What if the realm has many more principals?". If you fear manual labor (or a small `sed' script, recall the format of `--list'?), don't worry, there is a `--force' (short form `-f') flag. Use with care. Here is a faster way to do the above: jas@latte:~$ shisa -r latte -f Removing principal `krbtgt/latte@latte'... Removing principal `krbtgt/latte@latte'...done Removing principal `host/latte@latte'... Removing principal `host/latte@latte'...done Removing realm `latte'... Removing realm `latte'...done jas@latte:~$ You should now have a working, but empty, Shisa database. Let's set up the realm manually, step by step. The first step is to decide on name for your realm. The full story is explained elsewhere (*note Realm and Principal Naming::) but the short story is to take your DNS domain name and translate it to upper case. For example, if your organization uses `example.org' it is a good idea to use `EXAMPLE.ORG' as the name of your Kerberos realm. We'll use `EXAMPLE.ORG' as the realm name in these examples. Let's create the realm. jas@latte:~$ shisa -a EXAMPLE.ORG Adding realm `EXAMPLE.ORG'... Adding realm `EXAMPLE.ORG'...done jas@latte:~$ Currently, there are no properties associated with entire realms. In the future, it may be possible to set a default realm-wide password expiry policy or similar. Each realm normally have one principal that is used for authenticating against the "ticket granting service" on the Kerberos server with a ticket instead of using the password. This is used by the user when she acquire a ticket for servers. This principal must look like `krbtgt/REALM' (*note Name of the TGS: krbtgt.). Let's create it. jas@latte:~$ shisa -a EXAMPLE.ORG krbtgt/EXAMPLE.ORG Adding principal `krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'... Adding principal `krbtgt/EXAMPLE.ORG@EXAMPLE.ORG'...done jas@latte:~$ Now that wasn't difficult, although not very satisfying either. What does adding a principal mean? The name is created, obviously, but it also mean setting a few values in the database. Let's view the entry to find out which values. jas@latte:~$ shisa -d EXAMPLE.ORG krbtgt/EXAMPLE.ORG Account is enabled. Current key version 0 (0x0). Key 0 (0x0). Etype aes256-cts-hmac-sha1-96 (0x12, 18). Salt EXAMPLE.ORGkrbtgt/EXAMPLE.ORG. jas@latte:~$ To use host based security services like SSH or Telnet with Kerberos, each host must have a key shared between the host and the KDC. The key is typically stored in `/usr/local/etc/shishi/shishi.keys'. We assume your server is called `mail.example.org' and create the principal. To illustrate a new parameter, we also set the specific algorithm to use by using the `--encryption-type' (short form `-E') parameter. jas@latte:~$ shisa -a EXAMPLE.ORG host/mail.example.org -E des3 Adding principal `host/mail.example.org@EXAMPLE.ORG'... Adding principal `host/mail.example.org@EXAMPLE.ORG'...done jas@latte:~$ To export the key, there is another Shisa parameter `--keys' that will print the key in a format that is recognized by Shishi. Let's use it to print the host key. jas@latte:~$ shisa -d --keys EXAMPLE.ORG host/mail.example.org EXAMPLE.ORG host/mail.example.org Account is enabled. Current key version 0 (0x0). Key 0 (0x0). Etype des3-cbc-sha1-kd (0x10, 16). -----BEGIN SHISHI KEY----- Keytype: 16 (des3-cbc-sha1-kd) Principal: host/mail.example.org Realm: EXAMPLE.ORG iQdA8hxdvOUHZNliZJv7noM02rXHV8gq -----END SHISHI KEY----- Salt EXAMPLE.ORGhost/mail.example.org. jas@latte:~$ So to set up the host, simply redirect output to the host key file. jas@latte:~$ shisa -d --keys EXAMPLE.ORG \ host/mail.example.org > /usr/local/etc/shishi/shishi.keys jas@latte:~$ The next logical step is to create a principal for some user, so you can use your password to get a Ticket Granting Ticket via the Authentication Service (AS) from the KDC, and then use the Ticket Granting Service (TGS) from the KDC to get a ticket for a specific host, and then send that ticket to the host to authenticate yourself. Creating this end-user principle is slightly different from the earlier steps, because you want the key to be derived from a password instead of being a random key. The `--password' parameter indicate this. This make the tool ask you for the password. jas@latte:~$ shisa -a EXAMPLE.ORG simon --password Password for `simon@EXAMPLE.ORG': Adding principal `simon@EXAMPLE.ORG'... Adding principal `simon@EXAMPLE.ORG'...done jas@latte:~$ The only special thing about this principal now is that it has a `password' field set in the database. jas@latte:~$ shisa -d EXAMPLE.ORG simon --keys EXAMPLE.ORG simon Account is enabled. Current key version 0 (0x0). Key 0 (0x0). Etype aes256-cts-hmac-sha1-96 (0x12, 18). -----BEGIN SHISHI KEY----- Keytype: 18 (aes256-cts-hmac-sha1-96) Principal: simon Realm: EXAMPLE.ORG Ja7ciNtrAI3gtodLaVDQ5zhcH58ffk0kS5tGAM7ILvM= -----END SHISHI KEY----- Salt EXAMPLE.ORGsimon. Password foo. jas@latte:~$ You should now be ready to start the KDC, which is explained in the next section (*note Starting Shishid::), and get tickets as explained earlier (*note User Manual::). 3.4 Starting Shishid ==================== The Shishi server, or Key Distribution Center (KDC), is called Shishid. Shishid is responsible for listening on UDP and TCP ports for Kerberos requests. Currently it can handle initial ticket requests (Authentication Service, or AS), typically authenticated with keys derived from passwords, and subsequent ticket requests (Ticket Granting Service, or TGS), typically authenticated with the key acquired during an AS exchange. Currently there is very little configuration available, the only variables are which ports the server should listen on and an optional user name to `setuid' into after successfully listening to the ports. By default, Shishid listens on the `kerberos' service port (typically translated to 88 via `/etc/services') on the UDP and TCP protocols via IPv4 and (if your machine support it) IPv6 on all interfaces on your machine. Here is a typical startup. latte:/home/jas/src/shishi# /usr/local/sbin/shishid Initializing GNUTLS... Initializing GNUTLS...done Listening on IPv4:*:kerberos/udp...done Listening on IPv4:*:kerberos/tcp...done Listening on IPv6:*:kerberos/udp...failed socket: Address family not supported by protocol Listening on IPv6:*:kerberos/tcp...failed socket: Address family not supported by protocol Listening on 2 ports... Running as root is not recommended. Any security problem in shishid and your host may be compromised. Therefor, we recommend using the `--setuid' parameter, as follows. latte:/home/jas/src/shishi# /usr/local/sbin/shishid --setuid=jas Initializing GNUTLS... Initializing GNUTLS...done Listening on IPv4:*:kerberos/udp...done Listening on IPv4:*:kerberos/tcp...done Listening on IPv6:*:kerberos/udp...failed socket: Address family not supported by protocol Listening on IPv6:*:kerberos/tcp...failed socket: Address family not supported by protocol Listening on 2 ports... User identity set to `jas' (22541)... An alternative is to run shishid on an alternative port as a non-privileged user. To continue the example of setting up the `EXAMPLE.ORG' realm as a non-privileged user from the preceding section, we start the server listen on port 4711 via UDP on IPv4. jas@latte:~$ /usr/local/sbin/shishid -l IPv4:*:4711/udp Initializing GNUTLS... Initializing GNUTLS...done Listening on *:4711/tcp... Listening on 1 ports... shishid: Starting (GNUTLS `1.0.4') shishid: Listening on *:4711/tcp socket 4 If you have set up the Shisa database as in the previous example, you can now acquire tickets as follows. jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711' \ simon@EXAMPLE.ORG Enter password for `simon@EXAMPLE.ORG': simon@EXAMPLE.ORG: Authtime: Fri Dec 12 01:41:01 2003 Endtime: Fri Dec 12 01:57:41 2003 Server: krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18) Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18) Ticket flags: FORWARDED PROXIABLE RENEWABLE INITIAL (12) jas@latte:~$ The output from Shishid on a successful invocation would look like: shishid: Has 131 bytes from *:4711/udp on socket 4 shishid: Processing 131 from *:4711/udp on socket 4 shishid: Trying AS-REQ shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG shishid: Matching client etype 18 against user key etype 18 shishid: Have 511 bytes for *:4711/udp on socket 4 shishid: Sending 511 bytes to *:4711/udp socket 4 via UDP shishid: Listening on *:4711/udp socket 4 You may use the '-v' parameter for Shishid and Shishi to generate more debugging information. To illustrate what an application, such as the Shishi patched versions of GNU lsh or Telnet from GNU InetUtils, would do when contacting the host `mail.example.org' we illustrate using the TGS service as well. jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711' \ simon@EXAMPLE.ORG host/mail.example.org simon@EXAMPLE.ORG: Authtime: Fri Dec 12 01:46:54 2003 Endtime: Fri Dec 12 02:03:34 2003 Server: host/mail.example.org key des3-cbc-sha1-kd (16) Ticket key: des3-cbc-sha1-kd (16) protected by aes256-cts-hmac-sha1-96 (18) Ticket flags: FORWARDED PROXIABLE (45398796) jas@latte:~$ This conclude our walk-through of setting up a new Kerberos realm using Shishi. It is quite likely that one or more steps failed, and if so we encourage you to debug it and submit a patch, or at least report it as a problem. Heck, even letting us know if you got this far would be of interest. *Note Bug Reports::. 3.5 Configuring DNS for KDC =========================== Making sure the configuration files on all hosts running Shishi clients include the addresses of your server is tedious. If the configuration files do not mention the KDC address for a realm, Shishi will try to look up the information from DNS. In order for Shishi to find that information, you need to add the information to DNS. For this to work well, you need to set up a DNS zone with the same name as your Kerberos realm. The easiest is if you own the publicly visible DNS name, such as `example.org' if your realm is `EXAMPLE.ORG', but you can set up an internal DNS server with the information for your realm only. If this is done, you do not need to keep configuration files updated for the KDC addressing information. 3.5.1 DNS vs. Kerberos - Case Sensitivity of Realm Names -------------------------------------------------------- In Kerberos, realm names are case sensitive. While it is strongly encouraged that all realm names be all upper case this recommendation has not been adopted by all sites. Some sites use all lower case names and other use mixed case. DNS on the other hand is case insensitive for queries but is case preserving for responses to TXT queries. Since "MYREALM", "myrealm", and "MyRealm" are all different it is necessary that only one of the possible combinations of upper and lower case characters be used. This restriction may be lifted in the future as the DNS naming scheme is expanded to support non-ASCII names. 3.5.2 Overview - KDC location information ----------------------------------------- KDC location information is to be stored using the DNS SRV RR [RFC 2052]. The format of this RR is as follows: Service.Proto.Realm TTL Class SRV Priority Weight Port Target The Service name for Kerberos is always "_kerberos". The Proto can be either "_udp", "_tcp", or "_tls._tcp". If these SRV records are to be used, a "_udp" record MUST be included. If the Kerberos implementation supports TCP transport, a "_tcp" record MUST be included. When using "_tcp" with "_kerberos", this indicates a "raw" TCP connection without any additional encapsulation. A "_tls._tcp" record MUST be specified for all Kerberos implementations that support communication with the KDC across TCP sockets encapsulated using TLS [RFC2246] (*note STARTTLS protected KDC exchanges::). The Realm is the Kerberos realm that this record corresponds to. TTL, Class, SRV, Priority, Weight, and Target have the standard meaning as defined in RFC 2052. As per RFC 2052 the Port number should be the value assigned to "kerberos" by the Internet Assigned Number Authority (88). 3.5.3 Example - KDC location information ---------------------------------------- These are DNS records for a Kerberos realm ASDF.COM. It has two Kerberos servers, kdc1.asdf.com and kdc2.asdf.com. Queries should be directed to kdc1.asdf.com first as per the specified priority. Weights are not used in these records. _kerberos._udp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. _kerberos._udp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. _kerberos._tcp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. _kerberos._tcp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. _kerberos._tls._tcp.ASDF.COM. IN SRV 0 0 88 kdc1.asdf.com. _kerberos._tls._tcp.ASDF.COM. IN SRV 1 0 88 kdc2.asdf.com. 3.5.4 Security considerations ----------------------------- As DNS is deployed today, it is an unsecure service. Thus the infor- mation returned by it cannot be trusted. Current practice for REALM to KDC mapping is to use hostnames to indicate KDC hosts (stored in some implementation-dependent location, but generally a local config file). These hostnames are vulnerable to the standard set of DNS attacks (denial of service, spoofed entries, etc). The design of the Kerberos protocol limits attacks of this sort to denial of service. However, the use of SRV records does not change this attack in any way. They have the same vulnerabilities that already exist in the common practice of using hostnames for KDC locations. Implementations SHOULD provide a way of specifying this information locally without the use of DNS. However, to make this feature worthwhile a lack of any configuration information on a client should be interpretted as permission to use DNS. 3.6 Kerberos via TLS ==================== If Shishi is built with support for GNUTLS, the messages exchanged between clients and Shishid can be protected with TLS. TLS is only available over TCP connections. A full discussion of the features TLS have is out of scope here, but in short it means the communication is integrity and privacy protected, and that users can use OpenPGP, X.509 or SRP (i.e., any mechanism supported by TLS) to authenticate themselves to the Kerberos server. For details on the implementation, *Note STARTTLS protected KDC exchanges::. 3.6.1 Setting up TLS resume --------------------------- Resuming earlier TLS session is supported and enabled by default. This improves the speed of the TLS handshake, because results from earlier negotiations can be re-used. Currently the TLS resume database is stored in memory (in constract to storing it on disk), in both the client and in the server. Because the server typically runs for a long time, this is not a problem for that side. The client is typically not a long-running process though; the client usually is invoked as part of applications like `telnet' or `login'. However, because each use of the client library typically result in a ticket, which is stored on disk and re-used by later processes, this is likely not a serious problem because the number of different tickets required by a user is usually quite small. For the client, TLS resume is typically only useful when you perform an initial authentication (using a password) followed by a ticket request for a service, in the same process. You can configure the server, `shishid' to never use TLS resume, or to increase or decrease the number of distinct TLS connections that can be resumed before they are garbage collected, see the `--resume-limit' parameter (*note Parameters for shishid::). 3.6.2 Setting up Anonymous TLS ------------------------------ Anonymous TLS is the simplest to set up and use. In fact, only the client need to be informed that your KDC support TLS. This can be done in the configuration file with the `/tls' parameter for `kdc-realm' (*note Shishi Configuration: realm-kdc.), or by placing the KDC address in DNS using the `_tls' SRV record (*note Configuring DNS for KDC::). Let's start Shishid, listening on a TCP socket. TLS require TCP. TCP sockets are automatically upgraded to TLS if the client request it. jas@latte:~$ /usr/local/sbin/shishid -l IPv4:*:4711/tcp Initializing GNUTLS...done Listening on IPv4:*:4711/tcp... Listening on 1 ports... shishid: Starting (GNUTLS `1.0.4') shishid: Listening on IPv4:*:4711/tcp socket 4 Let's use the client to talk with it, using TLS. jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711/tls \ simon@EXAMPLE.ORG Enter password for `simon@EXAMPLE.ORG': simon@EXAMPLE.ORG: Authtime: Tue Dec 16 05:20:47 2003 Endtime: Tue Dec 16 05:37:27 2003 Server: krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18) Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18) Ticket flags: FORWARDED PROXIABLE (12) jas@latte:~$ On success, the server will print the following debug information. shishid: Accepted socket 6 from socket 4 as IPv4:*:4711/tcp peer 127.0.0.1 shishid: Listening on IPv4:*:4711/tcp socket 4 shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6 shishid: Has 4 bytes from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6 shishid: Trying STARTTLS shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `Anon DH', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL', session not resumed shishid: TLS anonymous authentication with 1024 bit Diffie-Hellman shishid: Listening on IPv4:*:4711/tcp socket 4 shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6 shishid: Has 131 bytes from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6 shishid: Processing 131 from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6 shishid: Trying AS-REQ shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG shishid: Matching client etype 18 against user key etype 18 shishid: Have 511 bytes for IPv4:*:4711/tcp peer 127.0.0.1 on socket 6 shishid: Sending 511 bytes to IPv4:*:4711/tcp peer 127.0.0.1 socket 6 via TLS shishid: Listening on IPv4:*:4711/tcp socket 4 shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6 shishid: Peer IPv4:*:4711/tcp peer 127.0.0.1 disconnected on socket 6 shishid: Closing IPv4:*:4711/tcp peer 127.0.0.1 socket 6 shishid: Listening on IPv4:*:4711/tcp socket 4 3.6.3 Setting up X.509 authenticated TLS ---------------------------------------- Setting up X.509 authentication is slightly more complicated than anonymous authentication. You need a X.509 certificate authority (CA) that can generate certificates for your Kerberos server and Kerberos clients. It is often easiest to setup the CA yourself. Managing a CA can be a daunting task, and we only give the bare essentials to get things up and running. We suggest that you study the relevant literature. As a first step beyond this introduction, you may wish to explore more secure forms of key storage than storing them unencrypted on disk. The following three sections describe how you create the CA, KDC certificate, and client certificates. You can use any tool you like for this task, as long as they generate X.509 (PKIX) certificates in PEM format and RSA keys in PKCS#1 format. Here we use `certtool' that come with GNUTLS, which is widely available. We conclude by discussing how you use these certificates in the KDC and in the Shishi client. 3.6.3.1 Create a Kerberos Certificate Authority ............................................... First create a CA key. jas@latte:~$ certtool --generate-privkey \ --outfile /usr/local/etc/shishi/shishi.key Generating a private key... Generating a 1024 bit RSA private key... jas@latte:~$ Then create the CA certificate. Use whatever details you prefer. jas@latte:~$ certtool --generate-self-signed \ --load-privkey /usr/local/etc/shishi/shishi.key \ --outfile /usr/local/etc/shishi/shishi.cert Generating a self signed certificate... Please enter the details of the certificate's distinguished name. \ Just press enter to ignore a field. Country name (2 chars): SE Organization name: Shishi Example CA Organizational unit name: Locality name: State or province name: Common name: CA This field should not be used in new certificates. E-mail: Enter the certificate's serial number (decimal): 0 Activation/Expiration time. The generated certificate will expire in (days): 180 Extensions. Does the certificate belong to an authority? (Y/N): y Is this a web server certificate? (Y/N): n Enter the e-mail of the subject of the certificate: X.509 certificate info: Version: 3 Serial Number (hex): 00 Validity: Not Before: Sun Dec 21 10:59:00 2003 Not After: Fri Jun 18 11:59:00 2004 Subject: C=SE,O=Shishi Example CA,CN=CA Subject Public Key Info: Public Key Algorithm: RSA X.509 Extensions: Basic Constraints: (critical) CA:TRUE Is the above information ok? (Y/N): y Signing certificate... jas@latte:~$ 3.6.3.2 Create a Kerberos KDC Certificate ......................................... First create the key for the KDC. jas@latte:~$ certtool --generate-privkey \ --outfile /usr/local/etc/shishi/shishid.key Generating a private key... Generating a 1024 bit RSA private key... jas@latte:~$ Then create actual KDC certificate, signed by the CA certificate created in the previous step. jas@latte:~$ certtool --generate-certificate \ --load-ca-certificate /usr/local/etc/shishi/shishi.cert \ --load-ca-privkey /usr/local/etc/shishi/shishi.key \ --load-privkey /usr/local/etc/shishi/shishid.key \ --outfile /usr/local/etc/shishi/shishid.cert Generating a signed certificate... Loading CA's private key... Loading CA's certificate... Please enter the details of the certificate's distinguished name. \ Just press enter to ignore a field. Country name (2 chars): SE Organization name: Shishi Example KDC Organizational unit name: Locality name: State or province name: Common name: KDC This field should not be used in new certificates. E-mail: Enter the certificate's serial number (decimal): 0 Activation/Expiration time. The generated certificate will expire in (days): 180 Extensions. Does the certificate belong to an authority? (Y/N): n Is this a web server certificate? (Y/N): n Enter the e-mail of the subject of the certificate: X.509 certificate info: Version: 3 Serial Number (hex): 00 Validity: Not Before: Sun Dec 21 11:02:00 2003 Not After: Fri Jun 18 12:02:00 2004 Subject: C=SE,O=Shishi Example KDC,CN=KDC Subject Public Key Info: Public Key Algorithm: RSA X.509 Extensions: Basic Constraints: (critical) CA:FALSE Is the above information ok? (Y/N): y Signing certificate... jas@latte:~$ 3.6.3.3 Create a Kerberos Client Certificate ............................................ First create the key for the client. jas@latte:~$ certtool --generate-privkey \ --outfile ~/.shishi/client.key Generating a private key... Generating a 1024 bit RSA private key... jas@latte:~$ Then create the client certificate, signed by the CA. An alternative would be to have the KDC sign the client certificates. jas@latte:~$ certtool --generate-certificate \ --load-ca-certificate /usr/local/etc/shishi/shishi.cert \ --load-ca-privkey /usr/local/etc/shishi/shishi.key \ --load-privkey ~/.shishi/client.key \ --outfile ~/.shishi/client.certs Generating a signed certificate... Loading CA's private key... Loading CA's certificate... Please enter the details of the certificate's distinguished name. \ Just press enter to ignore a field. Country name (2 chars): SE Organization name: Shishi Example Client Organizational unit name: Locality name: State or province name: Common name: Client This field should not be used in new certificates. E-mail: Enter the certificate's serial number (decimal): 0 Activation/Expiration time. The generated certificate will expire in (days): 180 Extensions. Does the certificate belong to an authority? (Y/N): n Is this a web server certificate? (Y/N): n Enter the e-mail of the subject of the certificate: X.509 certificate info: Version: 3 Serial Number (hex): 00 Validity: Not Before: Sun Dec 21 11:04:00 2003 Not After: Fri Jun 18 12:04:00 2004 Subject: C=SE,O=Shishi Example Client,CN=Client Subject Public Key Info: Public Key Algorithm: RSA X.509 Extensions: Basic Constraints: (critical) CA:FALSE Is the above information ok? (Y/N): y Signing certificate... jas@latte:~$ 3.6.3.4 Starting KDC with X.509 authentication support ...................................................... The KDC need the CA certificate (to verify client certificates) and the server certificate and key (to authenticate itself to the clients). See elsewhere (*note Parameters for shishid::) for the entire description of the parameters. jas@latte:~$ shishid -l *:4711/tcp \ --x509cafile /usr/local/etc/shishi/shishi.cert \ --x509certfile /usr/local/etc/shishi/shishid.cert \ --x509keyfile /usr/local/etc/shishi/shishid.key Initializing GNUTLS... Parsed 1 CAs... Loaded server certificate/key... Generating Diffie-Hellman parameters... Initializing GNUTLS...done Listening on *:4711/tcp... Listening on 1 ports... shishid: Starting (GNUTLS `1.0.4') shishid: Listening on *:4711/tcp socket 4 Then acquire tickets as usual. In case you wonder how shishi finds the client certificate and key, the filenames used above when generating the client certificates happen to be the default filenames for these files. So it pick them up automatically. jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711/tls' \ simon@EXAMPLE.ORG Enter password for `simon@EXAMPLE.ORG': simon@EXAMPLE.ORG: Authtime: Sun Dec 21 11:15:47 2003 Endtime: Sun Dec 21 11:32:27 2003 Server: krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18) Ticket key: aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18) Ticket flags: FORWARDED PROXIABLE RENEWABLE HWAUTHENT TRANSITEDPOLICYCHECKED OKASDELEGATE (12) jas@latte:~$ Here is what the server would print. shishid: Accepted socket 6 from socket 4 as *:4711/tcp peer 127.0.0.1 shishid: Listening on *:4711/tcp socket 4 shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6 shishid: Has 4 bytes from *:4711/tcp peer 127.0.0.1 on socket 6 shishid: Trying STARTTLS shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `RSA', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL', session not resumed shishid: TLS client certificate `C=SE,O=Shishi Example Client,CN=Client', issued by `C=SE,O=Shishi Example CA,CN=CA', serial number `00', MD5 fingerprint `a5:d3:1f:58:76:e3:58:cd:2d:eb:f7:45:a2:4b:52:f9:', activated `Sun Dec 21 11:04:00 2003', expires `Fri Jun 18 12:04:00 2004', version #3, key RSA modulus 1024 bits, currently EXPIRED shishid: Listening on *:4711/tcp socket 4 shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6 shishid: Has 131 bytes from *:4711/tcp peer 127.0.0.1 on socket 6 shishid: Processing 131 from *:4711/tcp peer 127.0.0.1 on socket 6 shishid: Trying AS-REQ shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG shishid: Matching client etype 18 against user key etype 18 shishid: Have 511 bytes for *:4711/tcp peer 127.0.0.1 on socket 6 shishid: Sending 511 bytes to *:4711/tcp peer 127.0.0.1 socket 6 via TLS shishid: Listening on *:4711/tcp socket 4 shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6 shishid: Peer *:4711/tcp peer 127.0.0.1 disconnected on socket 6 shishid: Closing *:4711/tcp peer 127.0.0.1 socket 6 shishid: Listening on *:4711/tcp socket 4 3.7 Multiple servers ==================== Setting up multiple servers is as easy as replicating the user database. Since the default `file' user database is stored in the normal file system, you can use any common tools to replicate a file system. Network file system like NFS (properly secured by, e.g., a point-to-point symmetrically encrypted IPSEC connection) and file synchronizing tools like `rsync' are typical choices. The secondary server should be configured just like the master server. If you use the `file' database over NFS you do not have to make any modifications. If you use, e.g., a cron job to `rsync' the directory every hour or so, you may want to add a `--read-only' flag to the Shisa `db' definition (*note Shisa Configuration::). That way, nobody will be lured into creating or changing information in the database on the secondary server, which only would be overwritten during the next synchronization. db --read-only file /usr/local/var/backup-shishi The `file' database is designed so it doesn't require file locking in the file system, which may be unreliable in some network file systems or implementations. It is also designed so that multiple concurrent readers and writers may access the database without causing corruption. *Warning:* The last paragraph is currently not completely accurate. There may be race conditions with concurrent writers. None should cause infinite loops or data loss. However, unexpected results might occur if two writers try to update information about a principal simultaneous. If you use a remote LDAP server or SQL database to store the user database, and access it via a Shisa backend, you have make sure your Shisa backend handle concurrent writers properly. If you use a modern SQL database, this probably is not a concern. If it is a problem, you may be able to work around it by implementing some kind of synchronization or semaphore mechanism. If all else sounds too complicated, you can set up the secondary servers as `--read-only' servers, although you will lose some functionality (like changing passwords via the secondary server, or updating timestamps when the last ticket request occurred). One function that is of particular use for users with remote databases (be it LDAP or SQL) is the "database override" feature. Using this you can have the security critical principals (such as the ticket granting ticket) stored on local file system storage, but use the remote database for user principals. Of course, you must keep the local file system storage synchronized between all servers, as before. Here is an example configuration. db --read-only file /var/local/master db ldap kdc.example.org ca=/etc/shisa/kdc-ca.pem This instruct the Shisa library to access the two databases sequentially, for each query using the first database that know about the requested principal. If you put the `krbtgt/REALM' principal in the local `file' database, this will override the LDAP interface. Naturally, you can have as many `db' definition lines as you wish. Users with remote databases can also investigate a so called High Availability mode. This is useful if you wish to have your Kerberos servers be able to continue to operate even when the remote database is offline. This is achieved via the `--ignore-errors' flag in the database definition. Here is a sample configuration. db --ignore-errors ldap kdc.example.org ca=/etc/shisa/kdc-ca.pem db --read-only file /var/cache/ldap-copy This instruct the Shisa library to try the LDAP backend first, but if it fails, instead of returning an error, continue to try the operation on a read only local `file' based database. Of course, write requests will still fail, but it may be better than halting the server completely. To make this work, you first need to set up a cron job on a, say, hourly basis, to make a copy of the remote database and store it in the local file database. That way, when the remote server goes away, fairly current information will still be available locally. If you also wish to experiment with read-write fail over, here is an idea for the configuration. db --ignore-errors ldap kdc.example.org ca=/etc/shisa/kdc-ca.pem db --ignore-errors --read-only file /var/cache/ldap-copy db file /var/cache/local-updates This is similar to the previous, but it will ignore errors reading and writing from the first two databases, ultimately causing write attempts to end up in the final `file' based database. Of course, you would need to create tools to feed back any local updates made while the remote server was down. It may also be necessary to create a special backend for this purpose, which can auto create principals that are used. We finish with an example that demonstrate all the ideas presented. db --read-only file /var/local/master db --ignore-errors ldap kdc.example.org ca=/etc/shisa/kdc-ca.pem db --ignore-errors --read-only file /var/cache/ldap-copy db file /var/cache/local-updates 3.8 Developer information ========================= The Programming API for Shisa is described below (*note Kerberos Database Functions::); this section is about extending Shisa, and consequently Shishi, to use your own user database system. You may want to store your Kerberos user information on an LDAP database server, for example. Adding a new backend is straight forward. You need to implement the backend API function set, add the list of API functions to `db/db.c' and possibly also add any library dependencies to the Makefile. The simplest way to write a new backend is to start from the existing `file' based database, in `db/file.c', and modify the entry points as needed. Note that the current backend API will likely change before it is frozen. We may describe it in detail here when it has matured. However, currently it is similar to the external Shisa API (*note Kerberos Database Functions::). There should be no need to modify anything else in the Shisa library, and certainly not in the Shishi library or the `shishid' server. Naturally, we would appreciate if you would send us your new backend, if you believe it is generally useful (*note Bug Reports::). 4 Reference Manual ****************** This chapter discuss the underlying assumptions of Kerberos, contain a glossary to Kerberos concepts, give you background information on choosing realm and principal names, and describe all parameters and configuration file syntaxes for the Shishi tools. 4.1 Environmental Assumptions ============================= Kerberos imposes a few assumptions on the environment in which it can properly function: * "Denial of service" attacks are not solved with Kerberos. There are places in the protocols where an intruder can prevent an application from participating in the proper authentication steps. Detection and solution of such attacks (some of which can appear to be not-uncommon "normal" failure modes for the system) is usually best left to the human administrators and users. * Principals MUST keep their secret keys secret. If an intruder somehow steals a principal's key, it will be able to masquerade as that principal or impersonate any server to the legitimate principal. * "Password guessing" attacks are not solved by Kerberos. If a user chooses a poor password, it is possible for an attacker to successfully mount an offline dictionary attack by repeatedly attempting to decrypt, with successive entries from a dictionary, messages obtained which are encrypted under a key derived from the user's password. * Each host on the network MUST have a clock which is "loosely synchronized" to the time of the other hosts; this synchronization is used to reduce the bookkeeping needs of application servers when they do replay detection. The degree of "looseness" can be configured on a per-server basis, but is typically on the order of 5 minutes. If the clocks are synchronized over the network, the clock synchronization protocol MUST itself be secured from network attackers. * Principal identifiers are not recycled on a short-term basis. A typical mode of access control will use access control lists (ACLs) to grant permissions to particular principals. If a stale ACL entry remains for a deleted principal and the principal identifier is reused, the new principal will inherit rights specified in the stale ACL entry. By not re-using principal identifiers, the danger of inadvertent access is removed. 4.2 Glossary of terms ===================== Authentication Verifying the claimed identity of a principal. Authentication header A record containing a Ticket and an Authenticator to be presented to a server as part of the authentication process. Authentication path A sequence of intermediate realms transited in the authentication process when communicating from one realm to another. Authenticator A record containing information that can be shown to have been recently generated using the session key known only by the client and server. Authorization The process of determining whether a client may use a service, which objects the client is allowed to access, and the type of access allowed for each. Capability A token that grants the bearer permission to access an object or service. In Kerberos, this might be a ticket whose use is restricted by the contents of the authorization data field, but which lists no network addresses, together with the session key necessary to use the ticket. Ciphertext The output of an encryption function. Encryption transforms plaintext into ciphertext. Client A process that makes use of a network service on behalf of a user. Note that in some cases a Server may itself be a client of some other server (e.g. a print server may be a client of a file server). Credentials A ticket plus the secret session key necessary to successfully use that ticket in an authentication exchange. Encryption Type (etype) When associated with encrypted data, an encryption type identifies the algorithm used to encrypt the data and is used to select the appropriate algorithm for decrypting the data. Encryption type tags are communicated in other messages to enumerate algorithms that are desired, supported, preferred, or allowed to be used for encryption of data between parties. This preference is combined with local information and policy to select an algorithm to be used. KDC Key Distribution Center, a network service that supplies tickets and temporary session keys; or an instance of that service or the host on which it runs. The KDC services both initial ticket and ticket-granting ticket requests. The initial ticket portion is sometimes referred to as the Authentication Server (or service). The ticket-granting ticket portion is sometimes referred to as the ticket-granting server (or service). Kerberos The name given to the Project Athena's authentication service, the protocol used by that service, or the code used to implement the authentication service. The name is adopted from the three-headed dog which guards Hades. Key Version Number (kvno) A tag associated with encrypted data identifies which key was used for encryption when a long lived key associated with a principal changes over time. It is used during the transition to a new key so that the party decrypting a message can tell whether the data was encrypted using the old or the new key. Plaintext The input to an encryption function or the output of a decryption function. Decryption transforms ciphertext into plaintext. Principal A named client or server entity that participates in a network communication, with one name that is considered canonical. Principal identifier The canonical name used to uniquely identify each different principal. Seal To encipher a record containing several fields in such a way that the fields cannot be individually replaced without either knowledge of the encryption key or leaving evidence of tampering. Secret key An encryption key shared by a principal and the KDC, distributed outside the bounds of the system, with a long lifetime. In the case of a human user's principal, the secret key MAY be derived from a password. Server A particular Principal which provides a resource to network clients. The server is sometimes referred to as the Application Server. Service A resource provided to network clients; often provided by more than one server (for example, remote file service). Session key A temporary encryption key used between two principals, with a lifetime limited to the duration of a single login "session". In the Kerberos system, a session key is generated by the KDC. The session key is distinct from the sub-session key, described next.. Sub-session key A temporary encryption key used between two principals, selected and exchanged by the principals using the session key, and with a lifetime limited to the duration of a single association. The sub- session key is also referred to as the subkey. Ticket A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator. 4.3 Realm and Principal Naming ============================== This section contains the discussion on naming realms and principals from the Kerberos specification. 4.3.1 Realm Names ----------------- Although realm names are encoded as GeneralStrings and although a realm can technically select any name it chooses, interoperability across realm boundaries requires agreement on how realm names are to be assigned, and what information they imply. To enforce these conventions, each realm MUST conform to the conventions itself, and it MUST require that any realms with which inter-realm keys are shared also conform to the conventions and require the same from its neighbors. Kerberos realm names are case sensitive. Realm names that differ only in the case of the characters are not equivalent. There are presently three styles of realm names: domain, X500, and other. Examples of each style follow: domain: ATHENA.MIT.EDU X500: C=US/O=OSF other: NAMETYPE:rest/of.name=without-restrictions Domain syle realm names MUST look like domain names: they consist of components separated by periods (.) and they contain neither colons (:) nor slashes (/). Though domain names themselves are case insensitive, in order for realms to match, the case must match as well. When establishing a new realm name based on an internet domain name it is recommended by convention that the characters be converted to upper case. X.500 names contain an equal (=) and cannot contain a colon (:) before the equal. The realm names for X.500 names will be string representations of the names with components separated by slashes. Leading and trailing slashes will not be included. Note that the slash separator is consistent with Kerberos implementations based on RFC1510, but it is different from the separator recommended in RFC2253. Names that fall into the other category MUST begin with a prefix that contains no equal (=) or period (.) and the prefix MUST be followed by a colon (:) and the rest of the name. All prefixes must be assigned before they may be used. Presently none are assigned. The reserved category includes strings which do not fall into the first three categories. All names in this category are reserved. It is unlikely that names will be assigned to this category unless there is a very strong argument for not using the 'other' category. These rules guarantee that there will be no conflicts between the various name styles. The following additional constraints apply to the assignment of realm names in the domain and X.500 categories: the name of a realm for the domain or X.500 formats must either be used by the organization owning (to whom it was assigned) an Internet domain name or X.500 name, or in the case that no such names are registered, authority to use a realm name MAY be derived from the authority of the parent realm. For example, if there is no domain name for E40.MIT.EDU, then the administrator of the MIT.EDU realm can authorize the creation of a realm with that name. This is acceptable because the organization to which the parent is assigned is presumably the organization authorized to assign names to its children in the X.500 and domain name systems as well. If the parent assigns a realm name without also registering it in the domain name or X.500 hierarchy, it is the parent's responsibility to make sure that there will not in the future exist a name identical to the realm name of the child unless it is assigned to the same entity as the realm name. 4.3.2 Principal Names --------------------- As was the case for realm names, conventions are needed to ensure that all agree on what information is implied by a principal name. The name-type field that is part of the principal name indicates the kind of information implied by the name. The name-type SHOULD be treated only as a hint to interpreting the meaning of a name. It is not significant when checking for equivalence. Principal names that differ only in the name-type identify the same principal. The name type does not partition the name space. Ignoring the name type, no two names can be the same (i.e. at least one of the components, or the realm, MUST be different). The following name types are defined: name-type value meaning NT-UNKNOWN 0 Name type not known NT-PRINCIPAL 1 Just the name of the principal as in DCE, or for users NT-SRV-INST 2 Service and other unique instance (krbtgt) NT-SRV-HST 3 Service with host name as instance (telnet, rcommands) NT-SRV-XHST 4 Service with host as remaining components NT-UID 5 Unique ID NT-X500-PRINCIPAL 6 Encoded X.509 Distingished name [RFC 2253] NT-SMTP-NAME 7 Name in form of SMTP email name (e.g. user@foo.com) NT-ENTERPRISE 10 Enterprise name - may be mapped to principal name When a name implies no information other than its uniqueness at a particular time the name type PRINCIPAL SHOULD be used. The principal name type SHOULD be used for users, and it might also be used for a unique server. If the name is a unique machine generated ID that is guaranteed never to be reassigned then the name type of UID SHOULD be used (note that it is generally a bad idea to reassign names of any type since stale entries might remain in access control lists). If the first component of a name identifies a service and the remaining components identify an instance of the service in a server specified manner, then the name type of SRV-INST SHOULD be used. An example of this name type is the Kerberos ticket-granting service whose name has a first component of krbtgt and a second component identifying the realm for which the ticket is valid. If the first component of a name identifies a service and there is a single component following the service name identifying the instance as the host on which the server is running, then the name type SRV- HST SHOULD be used. This type is typically used for Internet services such as telnet and the Berkeley R commands. If the separate components of the host name appear as successive components following the name of the service, then the name type SRV-XHST SHOULD be used. This type might be used to identify servers on hosts with X.500 names where the slash (/) might otherwise be ambiguous. A name type of NT-X500-PRINCIPAL SHOULD be used when a name from an X.509 certificate is translated into a Kerberos name. The encoding of the X.509 name as a Kerberos principal shall conform to the encoding rules specified in RFC 2253. A name type of SMTP allows a name to be of a form that resembles a SMTP email name. This name, including an "@" and a domain name, is used as the one component of the principal name. A name type of UNKNOWN SHOULD be used when the form of the name is not known. When comparing names, a name of type UNKNOWN will match principals authenticated with names of any type. A principal authenticated with a name of type UNKNOWN, however, will only match other names of type UNKNOWN. Names of any type with an initial component of 'krbtgt' are reserved for the Kerberos ticket granting service. *Note Name of the TGS: krbtgt, for the form of such names. 4.3.2.1 Name of server principals ................................. The principal identifier for a server on a host will generally be composed of two parts: (1) the realm of the KDC with which the server is registered, and (2) a two-component name of type NT-SRV-HST if the host name is an Internet domain name or a multi-component name of type NT-SRV-XHST if the name of the host is of a form such as X.500 that allows slash (/) separators. The first component of the two- or multi-component name will identify the service and the latter components will identify the host. Where the name of the host is not case sensitive (for example, with Internet domain names) the name of the host MUST be lower case. If specified by the application protocol for services such as telnet and the Berkeley R commands which run with system privileges, the first component MAY be the string 'host' instead of a service specific identifier. 4.3.2.2 Name of the TGS ....................... The principal identifier of the ticket-granting service shall be composed of three parts: (1) the realm of the KDC issuing the TGS ticket (2) a two-part name of type NT-SRV-INST, with the first part "krbtgt" and the second part the name of the realm which will accept the ticket-granting ticket. For example, a ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets from the ATHENA.MIT.EDU KDC has a principal identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "ATHENA.MIT.EDU") (name). A ticket-granting ticket issued by the ATHENA.MIT.EDU realm to be used to get tickets from the MIT.EDU realm has a principal identifier of "ATHENA.MIT.EDU" (realm), ("krbtgt", "MIT.EDU") (name). 4.3.3 Choosing a principal with which to communicate ---------------------------------------------------- The Kerberos protocol provides the means for verifying (subject to the assumptions in *note Environmental Assumptions::) that the entity with which one communicates is the same entity that was registered with the KDC using the claimed identity (principal name). It is still necessary to determine whether that identity corresponds to the entity with which one intends to communicate. When appropriate data has been exchanged in advance, this determination may be performed syntactically by the application based on the application protocol specification, information provided by the user, and configuration files. For example, the server principal name (including realm) for a telnet server might be derived from the user specified host name (from the telnet command line), the "host/" prefix specified in the application protocol specification, and a mapping to a Kerberos realm derived syntactically from the domain part of the specified hostname and information from the local Kerberos realms database. One can also rely on trusted third parties to make this determination, but only when the data obtained from the third party is suitably integrity protected while resident on the third party server and when transmitted. Thus, for example, one should not rely on an unprotected domain name system record to map a host alias to the primary name of a server, accepting the primary name as the party one intends to contact, since an attacker can modify the mapping and impersonate the party with which one intended to communicate. Implementations of Kerberos and protocols based on Kerberos MUST NOT use insecure DNS queries to canonicalize the hostname components of the service principal names. In an environment without secure name service, application authors MAY append a statically configured domain name to unqualified hostnames before passing the name to the security mechanisms, but should do no more than that. Secure name service facilities, if available, might be trusted for hostname canonicalization, but such canonicalization by the client SHOULD NOT be required by KDC implementations. Implementation note: Many current implementations do some degree of canonicalization of the provided service name, often using DNS even though it creates security problems. However there is no consistency among implementations about whether the service name is case folded to lower case or whether reverse resolution is used. To maximize interoperability and security, applications SHOULD provide security mechanisms with names which result from folding the user-entered name to lower case, without performing any other modifications or canonicalization. 4.3.4 Principal Name Form ------------------------- Principal names consist of a sequence of strings, which is often tedious to parse. Therefor, Shishi often uses a "printed" form of principal which embed the entire principal name string sequence, and optionally also the realm, into one string. The format is taken from the Kerberos 5 GSS-API mechanism (RFC 1964). The elements included within this name representation are as follows, proceeding from the beginning of the string: 1. One or more principal name components; if more than one principal name component is included, the components are separated by `/`. Arbitrary octets may be included within principal name components, with the following constraints and special considerations: a. Any occurrence of the characters `@` or `/` within a name component must be immediately preceded by the `\` quoting character, to prevent interpretation as a component or realm separator. b. The ASCII newline, tab, backspace, and null characters may occur directly within the component or may be represented, respectively, by `\n`, `\t`, `\b`, or `\0`. c. If the `\` quoting character occurs outside the contexts described in (1a) and (1b) above, the following character is interpreted literally. As a special case, this allows the doubled representation `\\` to represent a single occurrence of the quoting character. d. An occurrence of the `\` quoting character as the last character of a component is illegal. 2. Optionally, a `@` character, signifying that a realm name immediately follows. If no realm name element is included, the local realm name is assumed. The `/` , `:`, and null characters may not occur within a realm name; the `@`, newline, tab, and backspace characters may be included using the quoting conventions described in (1a), (1b), and (1c) above. 4.4 Shishi Configuration ======================== The valid configuration file tokens are described here. The user configuration file is typically located in `~/.shishi/shishi.conf' (compare `shishi --configuration-file') and the system configuration is typically located in `/usr/local/etc/shishi/shishi.conf' (compare `shishi --system-configuration-file'). If the first non white space character of a line is a '#', the line is ignored. Empty lines are also ignored. All tokens are valid in both the system and the user configuration files, and have the same meaning. However, as the system file is supposed to apply to all users on a system, it would not make sense to use some tokens in that file. For example, the `default-principal' is rarely useful in a system configuration file. 4.4.1 `default-realm' --------------------- Specify the default realm, by default the hostname of the host is used. E.g., default-realm JOSEFSSON.ORG 4.4.2 `default-principal' ------------------------- Specify the default principal, by default the login username is used. E.g., default-principal jas 4.4.3 `client-kdc-etypes' ------------------------- Specify which encryption types client asks server to respond in during AS/TGS exchanges. List valid encryption types, in preference order. Supported algorithms include aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1-kd, des-cbc-md5, des-cbc-md4, des-cbc-crc and null. This option also indicates which encryption types are accepted by the client when receiving the response. Note that the preference order is not cryptographically protected, so a man in the middle can modify the order without being detected. Thus, only specify encryption types you trust completely here. The default only includes aes256-cts-hmac-sha1-96, as suggested by RFC1510bis. E.g., client-kdc-etypes=aes256-cts-hmac-sha1-96 des3-cbc-sha1-kd des-cbc-md5 4.4.4 `verbose', `verbose-asn1', `verbose-noise', `verbose-crypto', `verbose-crypto-noise' ------------------------------------------------------------------------------------------ Enable verbose library messages. E.g., verbose verbose-noise 4.4.5 `realm-kdc' ----------------- Specify KDC addresses for realms. Value is `REALM,KDCADDRESS[/PROTOCOL][,KDCADDRESS[/PROTOCOL]...]'. KDCADDRESS is the hostname or IP address of KDC. Optional PROTOCOL is udp for UDP, tcp for TCP, and TLS for TLS connections. By default UDP is tried first, and TCP used as a fallback if the KRB_ERR_RESPONSE_TOO_BIG error is received. If not specified, Shishi tries to locate the KDC using SRV RRs, which is recommended. This option should normally only be used during experiments, or to access badly maintained realms. realm-kdc=JOSEFSSON.ORG,ristretto.josefsson.org 4.4.6 `server-realm' -------------------- Specify realm for servers. Value is `REALM,SERVERREGEXP[,SERVERREGEXP...]'. SERVERREGEXP is a regular expression matching servers in the realm. The first match is used. E.g., server-realm=JOSEFSSON.ORG,.josefsson.org Note: currently not used. 4.4.7 `kdc-timeout', `kdc-retries' ---------------------------------- How long shishi waits for a response from a KDC before continuing to next KDC for realm. The default is 5 seconds. E.g., kdc-timeout=10 How many times shishi sends a request to a KDC before giving up. The default is 3 times. E.g., kdc-retries=5 4.4.8 `stringprocess' --------------------- How username and passwords entered from the terminal, or taken from the command line, are processed. "none": no processing is used. "stringprep": convert from locale charset to UTF-8 and process using experimental RFC 1510 stringprep profile. It can also be a string indicating a character set supported by iconv via libstringprep, in which case data is converted from locale charset into the indicated character set. E.g., UTF-8, ISO-8859-1, KOI-8, EBCDIC-IS-FRISS are supported on GNU systems. On some systems you can use "locale -m" to list available character sets. By default, the "none" setting is used which is consistent with RFC 1510 that is silent on the issue. In practice, however, converting to UTF-8 improves interoperability. E.g., stringprocess=UTF-8 4.4.9 `ticket-life' ------------------- Specify default ticket life time. The string can be in almost any common format. It can contain month names, time zones, `am' and `pm', `yesterday', `ago', `next', etc. *Note Date input formats::, for the long story. As an extra feature, if the time specified by your string correspond to a time during the last 24 hours, an extra day is added to it. This allows you to specify relative times such as "17:00" to always mean the next 17:00, even if your system clock happens to be 17:30. The default is 8 hours. E.g., #ticket-life=8 hours #ticket-life=1 day ticket-life=17:00 4.4.10 `renew-life' ------------------- Specify how long a renewable ticket should remain renewable. See ticket-life for the syntax. The extra feature that handles negative values within the last 2 hours is not active here. The default is 7 days. E.g., #renew-life=1 week #renew-life=friday 17:00 renew-life=sunday 4.5 Shisa Configuration ======================= The configuration file for Shisa is typically stored in `/usr/local/etc/shishi/shisa.conf'. If the first non white space character of a line is a '#', the line is ignored. Empty lines are also ignored. 4.5.1 `db' ---------- Currently the only configuration options available is the `db' token that define the databases to use. The syntax is: db [OPTIONS] [LOCATION] [PARAMETERS ...] Specify the data sources for Kerberos 5 data. Multiple entries, even of the same data source type, are allowed. The data sources are accessed in the same sequence as they are defined here. If an entry is found in one data source, it will be used for the operations, without searching the remaining data sources. Valid OPTIONS include: --read-only No data is written to this data source. --ignore-errors Ignore failures in this backend. The default (when the configuration file is empty) uses one "file" data source (see below), but for a larger installation you may want to combine several data sources. Here is an example. db --read-only file /var/local/master db --ignore-errors ldap kdc.example.org ca=/etc/shisa/kdc-ca.pem db --read-only file /var/cache/ldap-copy This demonstrate how you can store critical principals on local disk (the first entry, /var/local/master) that will always be found without looking in the LDAP directory. The critical principals could be, e.g., krbtgt/EXAMPLE.ORG. The second entry denote a LDAP server that could hold user principals. As you can see, Shisa will not let the caller know about errors with the LDAP source (they will be logged, however). Instead, if for instance the LDAP server has crashed, Shisa would continue and read from the /var/cache/ldap-copy file source. That file source may have been set up to contain a copy of the data in the LDAP server, perhaps made on an hourly basis, so that your server will be able to serve recent data even in case of a crash. Any updates or passwords change requests will however not be possible while the LDAP server is inaccessible, to reduce the problem of synchronizing data back into the LDAP server once it is online again. Currently only the "file" data source is supported, and denote a data source that use the standard file system for storage. Valid syntaxes for the "file" database: db file PATH Examples: db file /var/shishi db file /usr/share/shishi read-only If no `db' tokens are present, the default will be: db file /usr/local/var/shishi 4.6 Parameters for shishi ========================= If no command is given, Shishi try to make sure you have a ticket granting ticket for the default realm, and then display it. Mandatory arguments to long options are mandatory for short options too. Usage: shishi [OPTIONS]... [CLIENT [SERVER]]... -h, --help Print help and exit -V, --version Print version and exit Commands: -d, --destroy Destroy tickets in local cache, limited by any --client-name or --server-name. (default=off) -l, --list List tickets in local cache, limited by any --client-name and --server-name. (default=off) -r, --renew Renew ticket. Use --server-name to specify ticket, default is the most recent renewable ticket granting ticket for the default realm. (default=off) Flags: --forwardable Get a forwardable ticket, i.e., one that can be used to get forwarded tickets. (default=off) --forwarded Get a forwarded ticket. (default= off) --proxiable Get a proxiable ticket, i.e., one that can be used to get proxy tickets. (default=off) --proxy Get a proxy ticket. (default=off) --renewable Get a renewable ticket. (default= off) Options: --client-name=NAME Client name. Default is login username. -E, --encryption-type=ETYPE,[ETYPE...] Encryption types to use. ETYPE is either registered name or integer. Valid values include 'aes128', 'aes256', 'aes' (same as 'aes256'), '3des', 'des-md5', 'des-md4', 'des-crc', 'des' (same as 'des-md5'), and 'arcfour'. -e, --endtime=STRING Specify when ticket validity should expire. The time syntax may be relative (to the start time), such as '20 hours', or absolute, such as '2001-02-03 04:05:06 CET'. The default is 8 hours after the start time. --realm=STRING Set default realm. --renew-till=STRING Specify renewable life of ticket. Implies --renewable. Accepts same time syntax as --endtime. If --renewable is specified, the default is 1 week after the start time. --server-name=NAME Server name. Default is 'krbtgt/REALM' where REALM is client realm. -s, --starttime=STRING Specify when ticket should start to be valid. Accepts same time syntax as --endtime. The default is to become valid immediately. --ticket-granter=NAME Service name in ticket to use for authenticating request. Only for TGS. Defaults to 'krbtgt/REALM@REALM' where REALM is client realm. Other options: --configuration-file=FILE Read user configuration from FILE. -c, --ticket-file=FILE Read tickets from FILE. -o, --library-options=STRING Parse STRING as a configuration file statement. -q, --quiet Don't produce any diagnostic output. (default=off) --system-configuration-file=FILE Read system configuration from FILE. --ticket-write-file=FILE Write tickets from FILE. Default is to write them back to where they were read from. -v, --verbose Produce verbose output. (default=off) 4.7 Parameters for shishid ========================== If no parameters are specified, `shishid' listens on the defaults interfaces and answers incoming requests using the keys in the default key file. Mandatory arguments to long options are mandatory for short options too. Usage: shishid [OPTIONS]... -h, --help Print help and exit -V, --version Print version and exit Commands: -l, --listen=[FAMILY:]ADDR:PORT/TYPE Sockets to listen for queries on. Family is `IPv4' or `IPv6', if absent