This section describes how to get the KDC server up and running so that it answers queries from clients.
First you must create a user database. Currently this is rather simplistic, and the database only contains cryptographic keys. Use the shishi --string-to-key command to generate keys, and store them in the shishid.keys file. The file path is /usr/local/etc/shishid.keys by default, although you can use shishid -k to specify another location.
Create a random key for the Kerberos Ticket Granting Service for your realm:
    $ shishi --string-to-key --random \
        krbtgt/latte.josefsson.org@latte.josefsson.org | \
        tee /usr/local/etc/shishid.keys
    -----BEGIN SHISHI KEY-----
    Keytype: 18 (aes256-cts-hmac-sha1-96)
    Principal: krbtgt/latte.josefsson.org
    Realm: latte.josefsson.org
    oconxMTf59B5bvTylY+KE4mchA/gtmYI2Qok+48tnSM=
    -----END SHISHI KEY-----
    $
Create a key for a user from a specified password:
    $ shishi --string-to-key=fnord \
        simon@latte.josefsson.org | tee --append \
        /usr/local/etc/shishid.keys
    -----BEGIN SHISHI KEY-----
    Keytype: 18 (aes256-cts-hmac-sha1-96)
    Principal: simon
    Realm: latte.josefsson.org
    c1rqwvYwuDFrABvqWVq9bWUsQWg/xbErsIUmLN+3lYM=
    -----END SHISHI KEY-----
    $
There is nothing special about the ticket granting key; you could have created it from a password, as was done for the user key. However, keep in mind that passwords typically have little entropy.
Finally, create a random key for a service:
    $ shishi --string-to-key --random \
        imap/latte.josefsson.org@latte.josefsson.org | \
        tee --append /usr/local/etc/shishid.keys
    -----BEGIN SHISHI KEY-----
    Keytype: 18 (aes256-cts-hmac-sha1-96)
    Principal: imap/latte.josefsson.org
    Realm: latte.josefsson.org
    ts2v0QHWyW9FyXbWtCvLPqdEc60qPq5Yvat3p82rp5c=
    -----END SHISHI KEY-----
    $
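As an added example that is not part of the Shishi manual or the project's code, here is a small Python parser for the shishid.keys format shown above. It also reports a key whose decoded length does not match its enctype and (principal, realm) pairs that occur more than once, which is easy to produce with a repeated tee --append. The file contents in SAMPLE are constructed and the key bytes are not real keys; the enctype-to-key-length table covers only the two AES types and is an assumption of this example, not something shishid exposes.

```python
import base64
import re
from collections import namedtuple

# Raw key length in bytes per Kerberos enctype number, as printed in the
# "Keytype:" header; 18 (aes256-cts-hmac-sha1-96) is the one used above.
KEY_SIZES = {17: 16, 18: 32}
BLOCK_RE = re.compile(
    r"-----BEGIN SHISHI KEY-----\n(.*?)\n-----END SHISHI KEY-----", re.S)
ShishiKey = namedtuple("ShishiKey", "keytype principal realm key")

def parse_shishid_keys(text):
    """Parse shishid.keys blocks into (keys, problems); a key whose decoded
    length contradicts its enctype goes to problems instead of keys."""
    keys, problems = [], []
    for m in BLOCK_RE.finditer(text):
        headers, b64 = {}, []
        for line in m.group(1).splitlines():
            if ":" in line and not b64:          # "Name: value" header line
                name, value = line.split(":", 1)
                headers[name.strip()] = value.strip()
            elif line.strip():                   # base64 key material
                b64.append(line.strip())
        keytype = int(headers["Keytype"].split()[0])
        key = base64.b64decode("".join(b64), validate=True)
        if keytype in KEY_SIZES and len(key) != KEY_SIZES[keytype]:
            problems.append(f"{headers['Principal']}@{headers['Realm']}: keytype "
                            f"{keytype} needs {KEY_SIZES[keytype]} bytes, got {len(key)}")
            continue
        keys.append(ShishiKey(keytype, headers["Principal"], headers["Realm"], key))
    return keys, problems

def duplicate_principals(keys):
    """(principal, realm) pairs listed more than once, e.g. after repeated tee --append."""
    seen = {}
    for k in keys:
        seen.setdefault((k.principal, k.realm), []).append(k)
    return sorted(p for p, ks in seen.items() if len(ks) > 1)

# Constructed sample in the file format shown above; the key bytes are not real keys.
def _block(principal, realm, raw):
    return (f"-----BEGIN SHISHI KEY-----\nKeytype: 18 (aes256-cts-hmac-sha1-96)\n"
            f"Principal: {principal}\nRealm: {realm}\n"
            f"{base64.b64encode(raw).decode()}\n-----END SHISHI KEY-----\n")

SAMPLE = (_block("krbtgt/latte.josefsson.org", "latte.josefsson.org", bytes(range(32)))
          + _block("simon", "latte.josefsson.org", bytes(32))
          + _block("imap/latte.josefsson.org", "latte.josefsson.org", b"short"))
```

Run it against the real file with `parse_shishid_keys(open("/usr/local/etc/shishid.keys").read())`; a non-empty problems list or duplicate list is worth resolving before starting shishid.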
You are now ready to start the KDC. Refer to the reference manual for available parameters (Section 5.3).
    $ shishid
Then you can use shishi as usual to acquire tickets (Chapter 3). The following example demonstrates an AS-REQ for krbtgt/latte.josefsson.org followed by a TGS-REQ for imap/latte.josefsson.org.
    $ shishi simon@latte.josefsson.org imap/latte.josefsson.org
    Enter password for `simon@latte.josefsson.org':
    simon@latte.josefsson.org:
    Acquired:     Wed Aug 27 17:16:37 2003
    Expires:      Wed Aug 27 17:33:17 2003
    Server:       imap/latte.josefsson.org key aes256-cts-hmac-sha1-96 (18)
    Ticket key:   aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
    Ticket flags: FORWARDED PROXIABLE (12)
    $