Kerberos 5
Endpoint Privilege Management for Unix and Linux can use Kerberos 5 to authenticate its various parts and to exchange encryption key information.
To use Kerberos with EPM-UL, you must register pbmasterd, pblocald, and pblogd as Kerberos principals. The principals should look like this (substitute your host and pblogd principal names):
- pbmasterd/kerberizedmachine.your_realm.com
- pblocald/kerberizedmachine.your_realm.com
- pblogd/kerberizedmachine.your_realm.com
Add the principals to the keytab file. Users also need to be principals and need a target.
- The default principals are pbmasterd, pblocald, and pblogd. These can be overridden by the mprincipal, lprincipal, and gprincipal settings in the settings file.
- All EPM-UL client and server programs can use Kerberos Version 5 for authentication and session encryption keys.
- EPM-UL clients request verification to use pbmasterd by checking the submitting user ticket cache or obtaining a ticket for pbmasterd with the principal in mprincipal.
- EPM-UL daemons request verification to access other daemons by checking the services’ principals for both daemons, as listed in the following table.
Kerberos principal usage
From | Principal | Connection Type | To | Principal
---|---|---|---|---
pbrun, pbksh, pbsh | user@realm | Direct | pbmasterd | mprincipal/masterhost@realm
pbrun, pbksh, pbsh | user@realm | Dynamic | pblocald | lprincipal/runhost@realm
pbrun, pbksh, pbsh, pblocald | principal/runhost@realm | Direct or dynamic | pblogd | gprincipal/loghost@realm
pbmasterd | mprincipal/masterhost@realm | Direct | pblocald | lprincipal/loghost@realm
pbmasterd | mprincipal/masterhost@realm | Direct | pblogd | gprincipal/loghost@realm
kerberos
- Version 4.0.0 and later: kerberos setting available.
- Version 22.1 and later: krbfirstpbmasterd is available. Because kerberos is a list setting, use getlistsetting() in the policy language to read its list of values.
When set to yes, the kerberos setting enables the use of the EPM-UL Kerberos Version 5 features. When set to no, the kerberos setting disables the use of these features.
Add the krbfirstpbmasterd option after yes to keep clients at version 10.3.2 or earlier compatible with newer EPM-UL servers and clients.
Note
The krbfirstpbmasterd option is valid from version 22.1. It is enabled on all newer endpoints (22.1 and later servers and clients); no changes are required on clients at version 10.3.2 or earlier.
Example
kerberos yes
kerberos yes krbfirstpbmasterd
Default
kerberos no
Used on
- Log hosts
- Policy server hosts
- Submit hosts
- Run hosts
keytab
- Version 4.0.0 and later: keytab setting available.
The keytab setting contains the name of the Kerberos 5 Key Table.
Newer versions of Kerberos prefer using the krb5.conf file or the KRB5_KTNAME environment variable. Use of the keytab setting should be avoided.
keytabencryption
- Version 8.0.0 and earlier: keytabencryption setting not available.
- Version 8.0.1 and later: keytabencryption setting available.
The keytabencryption setting specifies the cipher all EPM-UL components use for Kerberos negotiations.
- The algorithm must match the default algorithm used by the Kerberos server. Supported values include des-hmac, des3-hmac, and arcfour-hmac.
- As of this writing, the AES algorithms are not supported, which effectively limits using Active Directory as a Kerberos server.
- This keyword is mandatory to support more recent, non-DES Kerberos implementations because EPM-UL cannot automatically determine the best cipher.
Example
keytabencryption arcfour-hmac
Default
keytabencryption des-hmac
Used on
- Log hosts
- Policy server hosts
- Submit hosts
- Run hosts
gprincipal
- Version 4.0.0 and later: gprincipal setting available.
The gprincipal setting contains the principal that the policy server daemon (pbmasterd), the local daemon (pblocald) and clients that are running in local mode (for example, pbrun -l ...) use to verify access to the log server daemon (pblogd). The host name and realm are appended to form the full principal.
Example
gprincipal pblogd_principal
Default
gprincipal pblogd
Used on
- Log hosts
- Policy server hosts
- Submit hosts
- Run hosts
lprincipal
- Version 4.0.0 and later: lprincipal setting available.
The lprincipal setting contains the principal that the policy server daemon (pbmasterd) and client programs use to verify access to the local daemon (pblocald). The host name and realm are appended to form the full principal.
Example
lprincipal pblocald_principal
Default
lprincipal pblocald
Used on
- Log hosts
- Policy server hosts
- Run hosts
- Submit hosts
mprincipal
- Version 4.0.0 and later: mprincipal setting available.
The mprincipal setting contains the principal EPM-UL clients use to verify access to the policy server daemon (pbmasterd). The host name and realm are appended to form the full principal.
Example
mprincipal pbmasterd_principal
Default
mprincipal pbmasterd
Used on
- Policy server hosts
- Submit hosts
sprincipal
- Version 5.2 and earlier: sprincipal setting not available.
- Version 6.0 and later: sprincipal setting available.
The sprincipal setting contains the principal the EPM-UL pbsync client uses to verify access to the log synchronization daemon (pbsyncd). The host name and realm are appended to form the full principal.
Example
sprincipal pbsync_principal
Default
sprincipal pbsyncd
Used on
- Log hosts
- Policy server hosts
- Sync hosts
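The "Kerberos principal usage" table above and the mprincipal, lprincipal, gprincipal and sprincipal descriptions all follow one rule: the configured principal name has the host name and realm appended to form the full principal that must exist in the keytab. The following shell script is an added example, not BeyondTrust code, that applies that rule to a settings fragment and checks a keytab listing for the principals each host role needs. The settings text, the `klist -k` style listing, the host name `kerberizedmachine.your_realm.com` and the realm `YOUR_REALM.COM` are constructed for the example; the host roles (master, run, log) and the list of supported keytabencryption values are taken from this page.

```shell
#!/bin/sh
# Added example (not BeyondTrust code). Derives the full Kerberos principals
# EPM-UL will use from its principal settings, validates keytabencryption, and
# reports principals missing from a keytab listing. Host name, realm, settings
# and keytab contents are constructed for the example.

# Constructed fragment standing in for the EPM-UL settings file.
SETTINGS='kerberos yes krbfirstpbmasterd
keytabencryption arcfour-hmac
mprincipal pbmasterd
lprincipal pblocald
gprincipal pblogd
sprincipal pbsyncd'

# Print the first value after a keyword in the settings text.
setting() {
    printf '%s\n' "$SETTINGS" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# Return 0 if a list setting (such as kerberos) carries the given option.
has_option() {
    printf '%s\n' "$SETTINGS" | awk -v k="$1" -v o="$2" \
        '$1 == k { for (i = 2; i <= NF; i++) if ($i == o) f = 1 } END { exit !f }'
}

# Build "<principal>/<host>@<REALM>": the page states that the host name and
# realm are appended to the configured principal name.
full_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Return 0 only for the keytabencryption values this page lists as supported.
cipher_supported() {
    case "$1" in
        des-hmac|des3-hmac|arcfour-hmac) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the service principals a host role must hold, following the
# "Kerberos principal usage" table: policy servers answer as mprincipal,
# run hosts as lprincipal, log hosts as gprincipal (and sprincipal for pbsyncd).
expected_principals() {
    # $1 = role (master|run|log), $2 = this host's FQDN, $3 = realm
    case "$1" in
        master) full_principal "$(setting mprincipal)" "$2" "$3" ;;
        run)    full_principal "$(setting lprincipal)" "$2" "$3" ;;
        log)    full_principal "$(setting gprincipal)" "$2" "$3"
                full_principal "$(setting sprincipal)" "$2" "$3" ;;
        *)      return 1 ;;
    esac
}

# Constructed `klist -k` style output: the log-host principals are absent.
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 pbmasterd/kerberizedmachine.your_realm.com@YOUR_REALM.COM
   2 pblocald/kerberizedmachine.your_realm.com@YOUR_REALM.COM'

# Print each expected principal for a role that does not appear in the listing.
missing_principals() {
    # $1 = role, $2 = host FQDN, $3 = realm, $4 = keytab listing text
    for p in $(expected_principals "$1" "$2" "$3"); do
        if ! printf '%s\n' "$4" | awk -v p="$p" '$2 == p { f = 1 } END { exit !f }'; then
            printf '%s\n' "$p"
        fi
    done
}

# Stand-alone run: report the state of the constructed configuration.
if [ "$(setting kerberos)" = "yes" ]; then
    has_option kerberos krbfirstpbmasterd && echo "krbfirstpbmasterd compatibility option is set"
    cipher_supported "$(setting keytabencryption)" || echo "unsupported keytabencryption value"
    for role in master run log; do
        missing_principals "$role" kerberizedmachine.your_realm.com YOUR_REALM.COM "$KEYTAB_LISTING" |
            sed "s/^/missing for $role host: /"
    done
fi
```

On a real host the keytab listing would come from `klist -k` against the keytab named in krb5.conf or KRB5_KTNAME (the page advises against the keytab setting), and the role check would be run with the principals actually configured in the settings file. The default keytabencryption value on this page is des-hmac; single-DES enctypes are deprecated in Kerberos (RFC 6649), so des3-hmac or arcfour-hmac is the value to expect in a current deployment, with the caveat the page gives that it must match the KDC's default algorithm.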
kerberosvalidatecacheuser
- Version 4.0 and later: kerberosvalidatecacheuser setting available.
If set to yes, EPM-UL compares the current user’s Unix/Linux username with the Kerberos client name in the ticket cache. If they do not match, it invalidates the cache and new credentials have to be provided.
Default
kerberosvalidatecacheuser no