This section provides information on the security considerations for Novell® Kerberos KDC:
Use SSL mutual authentication or a SASL EXTERNAL bind to authenticate the Kerberos services to eDirectory; do not rely on simple (password) binds over a clear channel.
Secure the connection between your Web browser and the iManager server with SSL, and the connection between iManager and Novell eDirectory™ as well. Failing to do so allows sensitive Kerberos data, such as the master key and principal keys, to be sniffed while the realm and principals are being created.
Protect the following files with appropriate file system rights:
Configuration file (/etc/krb5.conf)
Service password stash file (specified with the ldap_service_password_file parameter in /etc/krb5.conf)
ACL file for administration (specified with the acl_file parameter in /etc/krb5.conf)
Password dictionary file (specified with the dict_file parameter in /etc/krb5.conf)
Certificate files for the Kerberos service.
Trusted root certificates for the LDAP servers (specified with the ldap_root_certificate_file parameter in /etc/krb5.conf)
Log files of the KDC, Administration, and Password servers, because they contain auditing information.
Kerberos keytab files (the default location is /etc/krb5.keytab)
Configuration and log files of the Kerberization utility.
All of these files must be stored only on a local storage device, never on a remotely mounted file system (NFS, CIFS, and similar). The recommended permissions are read and write for root only (mode 0600, owner root); no group or other access is needed. Protect these files during backup and restore operations too: a backup that is world-readable, or a restore that drops the files with default permissions, exposes the same keys.
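The checks described in the list above, as an added example that is not part of the Novell documentation or the product: a POSIX shell audit that reads the four file paths named in /etc/krb5.conf, adds any paths the configuration does not name (keytab, certificates, logs; these vary per installation, so they are passed as arguments), and verifies owner, mode and local storage. It assumes GNU coreutils or BusyBox stat(1); the parameter names come from the list above, everything else (function names, the KDC_FILE_OWNER variable) is this example's own.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation or product: audit the
# files listed above. Assumes GNU coreutils (or BusyBox) stat(1). Paths that
# krb5.conf does not name (keytab, certificates, logs) are passed as extra
# arguments because they vary per installation.

KDC_FILE_OWNER=${KDC_FILE_OWNER:-root}   # expected owner of every listed file

# krb5_param CONF NAME: print the value of the first "NAME = value" line in CONF.
# Sufficient for the flat "name = value" lines the parameters above use.
krb5_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_private_file PATH: 0 if PATH exists, is owned by $KDC_FILE_OWNER and
# grants nothing to group or others (0600, 0400, 0700 ...), 1 otherwise.
check_private_file() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    owner=$(stat -c %U "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    if [ "$owner" != "$KDC_FILE_OWNER" ]; then
        echo "OWNER    $1 is owned by $owner, expected $KDC_FILE_OWNER"; return 1
    fi
    case "$mode" in
        *00) echo "OK       $1 (mode $mode, owner $owner)"; return 0 ;;
        *)   echo "MODE     $1 is mode $mode; group/other bits must be 0"; return 1 ;;
    esac
}

# check_local_fs PATH: 0 if PATH sits on local storage, 1 if stat(1) reports
# one of the network filesystem types below (the document requires local storage).
check_local_fs() {
    fstype=$(stat -f -c %T "$1") || return 1
    case "$fstype" in
        nfs|smb|smb2|cifs|ncp|afs) echo "REMOTE   $1 is on $fstype"; return 1 ;;
        *) return 0 ;;
    esac
}

# audit_kdc_files CONF [EXTRA...]: check CONF itself, every file it names via
# the parameters listed above, and the extra paths. Returns the number of files
# that failed a check (0 means everything passed).
audit_kdc_files() {
    conf=$1; shift
    set -- "$conf" "$@"
    for name in ldap_service_password_file acl_file dict_file ldap_root_certificate_file; do
        value=$(krb5_param "$conf" "$name")
        [ -n "$value" ] && set -- "$@" "$value"
    done
    failures=0
    for f in "$@"; do
        check_private_file "$f" || failures=$((failures + 1))
        if [ -e "$f" ]; then
            check_local_fs "$f" || failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh audit-kdc-files.sh /etc/krb5.conf /etc/krb5.keytab /var/log/krb5kdc.log
if [ "$#" -gt 0 ]; then
    audit_kdc_files "$@"
fi
```

Run it as root after installation and again after every restore from backup; a non-zero exit status is the count of files that need attention, and the per-file lines say why. The mode test accepts any mode whose last two octal digits are zero, so 0400 for a read-only keytab passes as well as 0600.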
Use the strongest cryptographic algorithm available for the master key and principal keys. Enable DES and RC4 only where interoperability with another Kerberos distribution requires them: DES is deprecated for Kerberos use (RFC 6649) and RC4-HMAC and triple-DES are deprecated as well (RFC 8429), so a principal with a DES or RC4 key is only as strong as that key.
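A quick way to find where the weak algorithms are still enabled, as an added example that is not part of the Novell documentation or the product: a shell scanner for the enctype settings of an MIT-style Kerberos configuration. The parameter names it looks at (permitted_enctypes, default_tgs_enctypes, default_tkt_enctypes, supported_enctypes, master_key_type) are the MIT Kerberos ones; the page itself only says to prefer the strongest algorithm, so treating these parameters as the place to check is this example's assumption, as is flagging triple-DES alongside DES and RC4.

```shell
#!/bin/sh
# Added example, not part of the Novell documentation or product: flag weak
# encryption types in a Kerberos configuration file. Parameter names are the
# MIT Kerberos ones (an assumption; the page does not list them).

# is_weak_enctype NAME: 0 if NAME (with any ":salt" suffix removed) is a DES,
# triple-DES or RC4 (arcfour) encryption type, 1 otherwise. Triple-DES is
# flagged on top of the page's DES and RC4 because RFC 8429 deprecates it too.
is_weak_enctype() {
    case "${1%%:*}" in
        des-*|des3-*|arcfour-*|rc4-*) return 0 ;;
        *) return 1 ;;
    esac
}

# weak_enctypes CONF: print every weak enctype named by an enctype parameter in
# CONF (one per line, ":salt" suffix removed); return 1 if any was found, 0 if
# the configuration is clean.
weak_enctypes() {
    # Keep only the value of lines whose parameter name ends in "enctypes" or is
    # master_key_type, then split the space- or comma-separated list into tokens.
    out=$(sed -nE 's/^[[:space:]]*([a-z_]*enctypes|master_key_type)[[:space:]]*=[[:space:]]*//p' "$1" |
          tr ' \t,' '\n\n\n' |
          while read -r et; do
              [ -n "$et" ] && is_weak_enctype "$et" && echo "${et%%:*}"
          done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage: sh weak-enctypes.sh /etc/krb5.conf  (exit status 1 if anything weak is enabled)
if [ "$#" -gt 0 ]; then
    weak_enctypes "$1"
fi
```

Run it against every configuration file the KDC and its clients read; an empty result with exit status 0 means no enctype list names DES, triple-DES or RC4. Because the master key cannot be rotated without re-encrypting the database, check master_key_type before creating the realm rather than after.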
Keep the Kerberos servers in a physically secure location, with access restricted to authorized personnel.
The keys of the TGS (krbtgt/REALM@REALM), Administration service (kadmin/admin@REALM), and Password service (kadmin/changepw@REALM) principals must be randomly generated and periodically reset. Resetting the krbtgt key invalidates every outstanding ticket-granting ticket issued under the old key, so schedule that reset for a maintenance window.
IMPORTANT: We do not recommend running an Administration server, because it requires near-supervisor rights in eDirectory. Instead, use kadmin.local directly, which communicates with eDirectory over LDAP with SSL. We also recommend using the Novell Kerberos KDC iManager plug-ins.