Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Cross-realm Authentication

In order for a KDC in one realm to authenticate Kerberos users in a different realm, it must share a key with the KDC in the other realm. In both databases, there must be krbtgt service principals for realms. These principals should all have the same passwords, key version numbers, and encryption types. For example, if the administrators of ATHENA.MIT.EDU and EXAMPLE.COM wanted to authenticate across the realms, they would run the following commands on the KDCs in both realms:

     shell%: kadmin.local -e "des3-hmac-sha1:normal des-cbc-crc:v4"
     kadmin: add_princ -requires_preauth krbtgt/[email protected]
     Enter password for principal krbtgt/[email protected]:
     Re-enter password for principal krbtgt/[email protected]:
     kadmin: add_princ -requires_preauth krbtgt/[email protected]
     Enter password for principal krbtgt/[email protected]:
     Enter password for principal krbtgt/[email protected]:
     kadmin:
     

Even if most principals in a realm are generally created with the requires_preauth flag enabled, this flag is not desirable on cross-realm authentication keys because doing so makes it impossible to disable preauthentication on a service-by-service basis. Disabling it as in the example above is recommended.

It is also very important that these principals have good passwords. MIT recommends that TGT principal passwords be at least 26 characters of random ASCII text.


 
 
  © 1985-2006 by the Massachusetts Institute of Technology - Reproduced with permission. Design by Interspire