CIS MIT Kerberos 1.10 Benchmark v1.0.0
12-28-2012
The CIS Security Benchmarks division provides consensus-oriented information security products, services, tools, metrics, suggestions, and
recommendations (the “SB Products”) as a public service to Internet users worldwide. Downloading or using SB Products in any way signifies
and confirms your acceptance of and your binding agreement to these CIS Security Benchmarks Terms of Use.
SPECIAL RULES FOR CIS MEMBER ORGANIZATIONS: CIS reserves the right to create special rules for: (1) CIS Members; and (2) Non-
Member organizations and individuals with which CIS has a written contractual relationship. CIS hereby grants to each CIS Member
Organization in good standing the right to distribute the SB Products within such Member’s own organization, whether by manual or
electronic means. Each such Member Organization acknowledges and agrees that the foregoing grants in this paragraph are subject to the
terms of such Member’s membership arrangement with CIS and may, therefore, be modified or terminated by CIS at any time.
Table of Contents
Recommendations
1 Kerberos Runtime
1.1 Secure the KDC daemon (krb5kdc) (Scored)
1.2 Secure the Kerberos administration server daemon (kadmind) (Scored)
1.3 Secure the Kerberos database administration utility (kadmin.local) (Scored)
1.4 Secure the Kerberos LDAP configuration utility (kdb5_ldap_util) (Scored)
1.5 Secure the Kerberos configuration utility (kdb5_util) (Scored)
1.6 Secure the Kerberos propagation utility (kprop) (Scored)
1.7 Secure the Kerberos slave KDC update daemon (kpropd) (Scored)
1.8 Secure the Kerberos propagation log utility (kproplog) (Scored)
1.9 Secure the Kerberos problem report utility (krb5-send-pr) (Scored)
1.10 Secure the Kerberos host key table manipulation utility (k5srvutil) (Scored)
1.11 Secure the Kerberos database administration utility (kadmin) (Scored)
1.12 Secure the kdestroy utility (Scored)
1.13 Secure the kinit utility (Scored)
1.14 Secure the klist utility (Scored)
1.15 Secure the kpasswd utility (Scored)
1.16 Secure the krb5-config utility (Scored)
1.17 Secure the ksu utility (Scored)
1.18 Secure the kswitch utility (Scored)
1.19 Secure the ktutil utility (Scored)
2 KDC Configuration (kdc.conf)
2.1 [kdcdefaults]
2.1.1 Ensure restrict_anonymous_to_tgt is set to true (Scored)
2.2 [realms]
2.2.1 Secure the Kerberos database access control file (acl_file) (Scored)
2.2.2 Secure the kadmin keytab (admin_keytab) (Scored)
2.2.3 Secure the KDC database file (database_name) (Scored)
2.2.4 Ensure that pwservice is not in the default_principal_flags (Scored)
2.2.5 Secure the dictionary file (dict_file) (Scored)
2.2.6 Secure KDC key stash file (key_stash_file) (Scored)
2.2.7 Ensure the master_key_name is set to K/M (Scored)
2.2.8 Ensure master_key_type is using a strong encryption algorithm (Scored)
2.2.9 Ensure max_life is 24 hours or less (Scored)
2.2.10 Ensure max_renewable_life is less than 14 days (Scored)
2.2.11 Ensure only strong encryption types are supported (supported_enctypes) (Scored)
2.2.12 Ensure reject_bad_transit is set to true (Scored)
2.3 [dbdefaults]
2.3.1 Secure the Kerberos database file (database_name) (Scored)
2.3.2 Ensure "Last successful authentication" field is updated (disable_last_success) (Scored)
2.3.3 Ensure account lockouts are not disabled (disable_lockout) (Scored)
2.3.4 Secure the LDAP server password file (ldap_service_password_file) (Scored)
2.3.5 Ensure kadmin and KDC run as different LDAP users (Scored)
2.4 [logging]
2.4.1 Secure the default location (default) (Scored)
2.4.2 Secure the kdc log location (kdc) (Scored)
2.4.3 Secure the administrative server log location (admin_server) (Scored)
2.4.4 Ensure a persistent log sink is configured for default log location (Scored)
2.4.5 Ensure a persistent log sink is configured for kdc logging (Scored)
2.4.6 Ensure a persistent log sink is configured for administrative server logging (Scored)
2.5 Secure the KDC configuration file (kdc.conf) (Scored)
3 Kerberos Configuration (krb5.conf)
3.1 [libdefaults]
3.1.1 Secure the default keytab (default_keytab_name) (Scored)
3.1.2 Ensure AES256 is the preferred encryption type for TGS (default_tgs_enctypes) (Scored)
3.1.3 Ensure single DES-based encryption types are disallowed for TGS (default_tgs_enctypes) (Scored)
3.1.4 Ensure AES256 is the preferred encryption type for TKT (default_tkt_enctypes) (Scored)
3.1.5 Ensure single DES-based encryption types are disallowed for TKT (default_tkt_enctypes) (Scored)
3.1.6 Ensure single DES-based encryption types are not permitted (permitted_enctypes) (Scored)
3.1.7 Disallow weak encryption types (allow_weak_crypto) (Scored)
3.1.8 Ensure clockskew tolerance is minimized (clockskew) (Scored)
3.1.9 Ensure ignore_acceptor_hostname is not set to true (Scored)
3.2 [plugins]
3.2.1 Prevent blank password creation (pwqual:empty) (Scored)
3.2.2 Prevent dictionary word password creation (pwqual:dict) (Scored)
3.2.3 Prevent creation of passwords derived from the principal's name (pwqual:princ) (Scored)
3.3 Secure the Kerberos configuration file (krb5.conf) (Scored)
4 Kerberos Database Access Control List (kadm5.acl)
4.1 Ensure kiprop principals are only allowed propagation permission (Scored)
4.2 Ensure kadmin/changepw principal does not have multiple key versions (Scored)
4.3 Ensure krbtgt/<REALM> principal does not allow duplicate session keys (Scored)
4.4 Ensure krbtgt/<REALM> principal does not have multiple key versions (Scored)
4.5 Secure the Kerberos Access Control List (kadm5.acl) (Scored)
5 LDAP Object Security
5.1 Restrict KDC write access to all attributes other than counters and timers (Not Scored)
5.2 Ensure only KDC and kadmin can read attributes (Not Scored)
5.3 Ensure only kadmind (ldap_kadmind_dn) can write to all attributes (Not Scored)
Appendix: Change History
Overview
This document, CIS MIT Kerberos 1.10 Benchmark v1.0.0, provides prescriptive guidance for establishing a secure configuration posture for MIT Kerberos 1.10-based Key Distribution Centers (KDCs). This guide was tested against MIT Kerberos 1.10.3 running on Red Hat Enterprise Linux 6 x64. To obtain the latest version of this guide, please visit http://benchmarks.cisecurity.org. If you have questions, comments, or have identified ways to improve this guide, please write us at [email protected].
Intended Audience
This document is intended for system and application administrators, identity managers,
security specialists, and auditors who plan to develop, deploy, assess, or secure solutions
that incorporate MIT Kerberos 1.10.
Consensus Guidance
This benchmark was created using a consensus review process made up of volunteer and contract subject matter experts. Consensus participants provide perspective from a diverse
set of backgrounds including consulting, software development, audit and compliance,
security research, operations, government, and legal.
Each CIS benchmark undergoes two phases of consensus review. The first phase occurs
during initial benchmark development. During this phase, subject matter experts convene
to discuss, create, and test working drafts of the benchmark. This discussion occurs until
consensus has been reached on benchmark recommendations. The second phase begins
after the benchmark has been released to the public Internet. During this phase, all
feedback provided by the Internet community is reviewed by the consensus team for
incorporation in the benchmark. If you are interested in participating in the consensus
review process, please send us a note to [email protected].
Typographical Conventions
The following typographical conventions are used throughout this guide:
Convention: Meaning
Stylized Monospace font: Used for blocks of code, command, and script examples. Text should be interpreted exactly as presented.
Monospace font: Used for inline code, commands, or examples. Text should be interpreted exactly as presented.
<italic font in brackets>: Italic text set in angle brackets denotes a variable requiring substitution for a real value.
Italic font: Used to denote the title of a book, article, or other publication.
Note: Additional information or caveats.
Scoring Information
A scoring status indicates whether compliance with the given recommendation impacts the
assessed target's benchmark score. The following scoring statuses are used in this
benchmark:
Scored
Failure to comply with "Scored" recommendations will decrease the final benchmark score.
Compliance with "Scored" recommendations will increase the final benchmark score.
Not Scored
Failure to comply with "Not Scored" recommendations will not decrease the final
benchmark score. Compliance with "Not Scored" recommendations will not increase the
final benchmark score.
Profile Definitions
The following configuration profiles are defined by this Benchmark:
KDC with DB2 Database
Items in this profile apply to MIT Kerberos KDC 1.10 installations that leverage a DB2 file for the Kerberos database. Additionally, items in this profile intend to:
KDC with LDAP Database
Items in this profile apply to MIT Kerberos KDC 1.10 installations that leverage LDAP for the Kerberos database. Additionally, items in this profile intend to:
Acknowledgements
This benchmark exemplifies the great things a community of users, vendors, and subject matter
experts can accomplish through consensus collaboration. The CIS community thanks the entire
consensus team with special recognition to the following individuals who contributed greatly to
the creation of this guide:
Contributor
JR Aquino
Richard Basch
Jeff Blaine
Blake Frantz, Center for Internet Security
Roger Kennedy
Tao Zhou
Recommendations
1 Kerberos Runtime
Recommendations in this section apply to the libraries and executables that are installed as part of the MIT Kerberos 1.10 software.
1.1 Secure the KDC daemon (krb5kdc) (Scored)
Description:
The KDC daemon is implemented as an executable service, krb5kdc. Ensure access to the KDC daemon executable reflects least privilege.
Rationale:
Ensuring that access to the KDC daemon executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to krb5kdc> is root:root.
2. Ensure the permissions on <path to krb5kdc> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to krb5kdc> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to krb5kdc> to root:root.
2. Revoke write permission from group and other on <path to krb5kdc>.
1.2 Secure the Kerberos administration server daemon (kadmind)
(Scored)
Profile Applicability:
Description:
The Kerberos administration server is implemented as an executable service, kadmind, which serves kadmin and kpasswd requests against the Kerberos database. Ensure access to the kadmind executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos administration server executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kadmind> is root:root.
2. Ensure the permissions on <path to kadmind> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kadmind> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kadmind> to root:root.
2. Revoke write permission from group and other on <path to kadmind>.
1.3 Secure the Kerberos database administration utility (kadmin.local) (Scored)
Profile Applicability:
o KDC with LDAP Database
Description:
The Kerberos database administration utility is implemented as an executable command line tool, kadmin.local, which administers the Kerberos database directly on the KDC host without going through kadmind. Ensure access to the kadmin.local executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos database administration utility reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kadmin.local> is root:root.
2. Ensure the permissions on <path to kadmin.local> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kadmin.local> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kadmin.local> to root:root.
2. Revoke write permission from group and other on <path to kadmin.local>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kadmin_local.html
1.4 Secure the Kerberos LDAP configuration utility (kdb5_ldap_util) (Scored)
Profile Applicability:
o KDC with LDAP Database
Description:
The Kerberos LDAP configuration utility is implemented as an executable command line tool, kdb5_ldap_util, which creates and manages the realm and service objects of an LDAP-backed Kerberos database. Ensure access to the kdb5_ldap_util executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos LDAP configuration utility executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kdb5_ldap_util> is root:root.
2. Ensure the permissions on <path to kdb5_ldap_util> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kdb5_ldap_util> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kdb5_ldap_util> to root:root.
2. Revoke write permission from group and other on <path to kdb5_ldap_util>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kdb5_ldap_util.html
1.5 Secure the Kerberos configuration utility (kdb5_util) (Scored)
Description:
The Kerberos configuration utility is implemented as an executable command line tool, kdb5_util, which creates, dumps, loads and otherwise maintains the KDC database. Ensure access to the kdb5_util executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos configuration utility executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kdb5_util> is root:root.
2. Ensure the permissions on <path to kdb5_util> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kdb5_util> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kdb5_util> to root:root.
2. Revoke write permission from group and other on <path to kdb5_util>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kdb5_util.html
1.6 Secure the Kerberos propagation utility (kprop) (Scored)
Description:
The Kerberos database propagation utility is implemented as an executable command line tool, kprop, which pushes a database dump from the master KDC to the slave KDCs. Ensure access to the kprop executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos database propagation utility executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kprop> is root:root.
2. Ensure the permissions on <path to kprop> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kprop> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kprop> to root:root.
2. Revoke write permission from group and other on <path to kprop>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kprop.html
1.7 Secure the Kerberos slave KDC update daemon (kpropd) (Scored)
Profile Applicability:
Description:
The Kerberos slave KDC update daemon is implemented as an executable service, kpropd.
Ensure access to the Kerberos slave KDC update daemon reflects least privilege.
Rationale:
Ensuring that access to the Kerberos slave KDC update daemon reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kpropd> is root:root.
2. Ensure the permissions on <path to kpropd> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kpropd> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kpropd> to root:root.
2. Revoke write permission from group and other on <path to kpropd>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kpropd.html
1.8 Secure the Kerberos propagation log utility (kproplog) (Scored)
Description:
The Kerberos propagation log utility is implemented as an executable command line tool, kproplog, which displays and resets the update log used for incremental database propagation. Ensure access to the kproplog executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos propagation log utility reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to kproplog> is root:root.
2. Ensure the permissions on <path to kproplog> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kproplog> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kproplog> to root:root.
2. Revoke write permission from group and other on <path to kproplog>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kproplog.html
1.9 Secure the Kerberos problem report utility (krb5-send-pr) (Scored)
Description:
The Kerberos problem report utility is implemented as an executable command line tool, krb5-send-pr, which generates and mails a problem report to the MIT Kerberos team. Ensure access to the krb5-send-pr executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos problem report utility binary reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of <path to krb5-send-pr> is root:root.
2. Ensure the permissions on <path to krb5-send-pr> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to krb5-send-pr> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to krb5-send-pr> to root:root.
2. Revoke write permission from group and other on <path to krb5-send-pr>.
1.10 Secure the Kerberos host key table manipulation utility (k5srvutil)
(Scored)
Profile Applicability:
Description:
The Kerberos host key table manipulation utility is implemented as an executable command line tool, k5srvutil, which lists, changes and deletes the keys held in a host keytab. Ensure access to the k5srvutil executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos host key table manipulation utility binary reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of /usr/bin/k5srvutil is root:root.
2. Ensure the permissions on /usr/bin/k5srvutil prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" /usr/bin/k5srvutil and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on /usr/bin/k5srvutil to root:root.
2. Revoke write permission from group and other on /usr/bin/k5srvutil.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/k5srvutil.html
1.11 Secure the Kerberos database administration utility (kadmin) (Scored)
Description:
The Kerberos database administration utility is implemented as an executable command line tool, kadmin, which administers the Kerberos database remotely through kadmind. Ensure access to the kadmin executable reflects least privilege.
Rationale:
Ensuring that access to the Kerberos database administration utility executable reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Ensure the owner of /usr/bin/kadmin is root:root.
2. Ensure the permissions on /usr/bin/kadmin prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" /usr/bin/kadmin and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on /usr/bin/kadmin to root:root.
2. Revoke write permission from group and other on /usr/bin/kadmin.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/kadmin_local.html
1.12 Secure the kdestroy utility (Scored)
Description:
The kdestroy utility destroys a user's active Kerberos tickets by deleting the credential cache that holds them. Ensure access to the kdestroy utility reflects least privilege.
Rationale:
Ensuring that access to the kdestroy utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of /usr/bin/kdestroy is root:root.
2. Ensure the permissions on /usr/bin/kdestroy prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" /usr/bin/kdestroy and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on /usr/bin/kdestroy to root:root.
2. Revoke write permission from group and other on /usr/bin/kdestroy.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/kdestroy.html
1.13 Secure the kinit utility (Scored)
Description:
The kinit utility is used to obtain and cache Kerberos ticket-granting tickets. Ensure access to the kinit utility reflects least privilege.
Rationale:
Ensuring that access to the kinit utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of /usr/bin/kinit is root:root.
2. Ensure the permissions on /usr/bin/kinit prevent writes by group and other.
3. Run the following command and ensure the output reflects the following:
stat -L --format "%U:%G %A" /usr/bin/kinit
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on /usr/bin/kinit to root:root.
2. Revoke write permission from group and other on /usr/bin/kinit.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/kinit.html
1.14 Secure the klist utility (Scored)
Description:
The klist utility is used to list cached Kerberos tickets. Ensure access to the klist utility reflects least privilege.
Rationale:
Ensuring that access to the klist utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of <path to klist> is root:root.
2. Ensure the permissions on <path to klist> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to klist> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to klist> to root:root.
2. Revoke write permission from group and other on <path to klist>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/klist.html
1.15 Secure the kpasswd utility (Scored)
Description:
The kpasswd utility is used to change a given user's Kerberos password. Ensure access to the kpasswd utility reflects least privilege.
Rationale:
Ensuring that access to the kpasswd utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of /usr/bin/kpasswd is root:root.
2. Ensure the permissions on /usr/bin/kpasswd prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" /usr/bin/kpasswd and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on /usr/bin/kpasswd to root:root.
2. Revoke write permission from group and other on /usr/bin/kpasswd.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/kpasswd.html
1.16 Secure the krb5-config utility (Scored)
Description:
The krb5-config utility reports the compiler and linker flags needed to build software against the MIT Kerberos libraries. Ensure access to the krb5-config utility reflects least privilege.
Rationale:
Ensuring that access to the krb5-config utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of /usr/bin/krb5-config is root:root.
2. Ensure the permissions on /usr/bin/krb5-config prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" /usr/bin/krb5-config and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
Run the following commands:
chmod og-w /usr/bin/krb5-config
chown root:root /usr/bin/krb5-config
1.17 Secure the ksu utility (Scored)
Description:
The ksu utility is a Kerberized implementation of the su command and can be used to switch user IDs. Ensure access to the ksu utility reflects least privilege.
Rationale:
Ensuring that access to the ksu utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of <path to ksu> is root:root.
2. Ensure the permissions on <path to ksu> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to ksu> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to ksu> to root:root.
2. Revoke write permission from group and other on <path to ksu>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/ksu.html
1.18 Secure the kswitch utility (Scored)
Profile Applicability:
Description:
The kswitch utility is used to make a given credential cache the primary credential cache. Ensure access to the kswitch utility reflects least privilege.
Rationale:
Ensuring that access to the kswitch utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of <path to kswitch> is root:root.
2. Ensure the permissions on <path to kswitch> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to kswitch> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to kswitch> to root:root.
2. Revoke write permission from group and other on <path to kswitch>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/user/user_commands/kswitch.html
1.19 Secure the ktutil utility (Scored)
Profile Applicability:
o KDC with DB2 Database
o KDC with LDAP Database
Description:
The ktutil utility is used to perform maintenance tasks on a given keytab. Ensure access to the ktutil utility reflects least privilege.
Rationale:
Ensuring that access to the ktutil utility reflects least privilege will ensure that the integrity of the utility is not compromised.
Audit:
1. Ensure the owner of <path to ktutil> is root:root.
2. Ensure the permissions on <path to ktutil> prevent writes by group and other.
3. Run stat -L --format "%U:%G %A" <path to ktutil> and ensure the output reflects the following:
o The output starts with root:root
o The 2nd and 5th characters from the right are "-".
Remediation:
1. Set the ownership on <path to ktutil> to root:root.
2. Revoke write permission from group and other on <path to ktutil>.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/admin_commands/ktutil.html
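The nineteen items above apply one rule to different binaries. The following Python script is an added example, not part of the benchmark or of MIT Kerberos, that implements that rule end to end: it evaluates the textual form of the check (the stat output the benchmark asks the auditor to read), the equivalent st_mode bits, and emits the chown/chmod remediation the benchmark prescribes for each failing path. The paths in KERBEROS_EXECUTABLES are an assumption for a typical Linux layout, since the benchmark only names the /usr/bin paths of the user utilities; adjust them to your distribution. One caveat the rule tolerates by design: ksu is normally installed setuid root (-rwsr-xr-x), and because only the two write bits are inspected the setuid bit produces no finding.

```python
"""Audit Kerberos executables against the file-permission rule of section 1.

Added example, not part of the CIS benchmark or of MIT Kerberos. Every item in
section 1 reduces to two conditions on a binary: owned by root:root, and not
writable by group or other. The benchmark states the second as "the 2nd and 5th
characters from the right of `stat -L --format '%U:%G %A'` output are '-'";
this module applies that rule to the text form and directly to st_mode bits.
"""
import grp
import os
import pwd
import stat
from typing import Dict, List, Optional

# Assumed locations for a typical Linux install (the benchmark only names the
# /usr/bin paths of the user utilities); adjust for your distribution.
KERBEROS_EXECUTABLES = [
    "/usr/sbin/krb5kdc", "/usr/sbin/kadmind", "/usr/sbin/kadmin.local",
    "/usr/sbin/kdb5_ldap_util", "/usr/sbin/kdb5_util", "/usr/sbin/kprop",
    "/usr/sbin/kpropd", "/usr/sbin/kproplog", "/usr/bin/k5srvutil",
    "/usr/bin/kadmin", "/usr/bin/kdestroy", "/usr/bin/kinit", "/usr/bin/klist",
    "/usr/bin/kpasswd", "/usr/bin/krb5-config", "/usr/bin/ksu",
    "/usr/bin/kswitch", "/usr/bin/ktutil",
]


def perm_string_ok(stat_output: str) -> bool:
    """The benchmark's textual rule applied to one 'user:group -rwxr-xr-x' line."""
    owner, _, perms = stat_output.strip().partition(" ")
    if owner != "root:root" or len(perms) != 10:
        return False
    # perms[-5] is the group write bit, perms[-2] the other write bit; the
    # setuid bit in perms[-7] (ksu is normally -rwsr-xr-x) is not inspected.
    return perms[-5] == "-" and perms[-2] == "-"


def evaluate(owner: str, group: str, mode: int) -> List[str]:
    """Same rule on resolved names and permission bits; [] means compliant."""
    findings = []
    if owner != "root" or group != "root":
        findings.append(f"owner is {owner}:{group}, expected root:root")
    if mode & stat.S_IWGRP:
        findings.append("group has write permission")
    if mode & stat.S_IWOTH:
        findings.append("other has write permission")
    return findings


def remediation_commands(path: str, findings: List[str]) -> List[str]:
    """The benchmark's remediation steps, as commands, for the given findings."""
    commands = []
    if any(f.startswith("owner") for f in findings):
        commands.append(f"chown root:root {path}")
    if any(f.endswith("write permission") for f in findings):
        commands.append(f"chmod og-w {path}")
    return commands


def _name(lookup, ident: int) -> str:
    """Resolve a uid/gid to a name, falling back to the number if unmapped."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def audit_path(path: str) -> Optional[Dict[str, object]]:
    """os.stat follows symlinks like stat -L; returns None if path is absent."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return None
    owner = _name(pwd.getpwuid, st.st_uid)
    group = _name(grp.getgrgid, st.st_gid)
    findings = evaluate(owner, group, stat.S_IMODE(st.st_mode))
    return {
        "stat_line": f"{owner}:{group} {stat.filemode(st.st_mode)}",
        "findings": findings,
        "remediation": remediation_commands(path, findings),
    }


def main() -> None:
    for path in KERBEROS_EXECUTABLES:
        result = audit_path(path)
        if result is None:
            print(f"{path}: not installed, skipped")
        elif result["findings"]:
            print(f"{path}: FAIL ({result['stat_line']})")
            for command in result["remediation"]:
                print(f"    remediate: {command}")
        else:
            print(f"{path}: ok ({result['stat_line']})")


if __name__ == "__main__":
    main()
```

The script can be run as any user: reading ownership and mode needs no privilege, and a binary that is not installed on the host is reported and skipped rather than counted as a failure. The printed commands are exactly the benchmark's remediation; run them as root only after confirming the finding.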
2 KDC Configuration (kdc.conf)
2.1 [kdcdefaults]
The kdcdefaults section specifies default values for realm variables to be used if the realms
subsection does not contain the configuration directive.
2.1.1 Ensure restrict_anonymous_to_tgt is set to true (Scored)
Description:
This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service.
Rationale:
For auditing and accounting, access to a service should be tied to a specific identity principal, not an anonymous principal.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [kdcdefaults] section
3. Locate the restrict_anonymous_to_tgt directive
4. Ensure the restrict_anonymous_to_tgt directive is present and set to true. If the directive is absent, the KDC applies the default of false, which fails this check.
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [kdcdefaults] section
3. Locate the restrict_anonymous_to_tgt directive
4. Set the restrict_anonymous_to_tgt directive to true.
Default Value:
false
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/kdc_conf.html#kdcdefaults
2. http://k5wiki.kerberos.org/wiki/Anonymous_kerberos
2.2 [realms]
The realms section creates and configures the realm(s) that the KDC provides.
2.2.1 Secure the Kerberos database access control file (acl_file) (Scored)
Profile Applicability:
Description:
The acl_file directive specifies the location of the ACL file that kadmind uses to determine a given principal's permissions on the Kerberos database. Ensure that the acl_file is owned by root:root and is not accessible by any user other than root.
Rationale:
Ensuring that access to the KDC Access Control List file reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the acl_file directive
4. Locate the file referenced by the acl_file directive. If the acl_file directive is not present, it is implicitly set to <LOCALSTATEDIR>/krb5kdc/kadm5.acl, such as /var/kerberos/krb5kdc/kadm5.acl.
5. Run the following command:
stat -L --format "%U:%G %a" <acl_file>
6. Ensure the output of the above command is as follows:
root:root 600
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the acl_file directive
4. Locate the file referenced by the acl_file directive. If the acl_file directive is not present, it is implicitly set to <LOCALSTATEDIR>/krb5kdc/kadm5.acl, such as /var/kerberos/krb5kdc/kadm5.acl.
5. Run the following commands:
chown root:root <acl_file>
chmod 600 <acl_file>
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
2.2.2 Secure the kadmin keytab (admin_keytab) (Scored)
Description:
The admin_keytab directive specifies the location of the keytab file that kadmin uses to authenticate to the database. Ensure that the admin_keytab is owned by root:root and is not accessible by any user other than root.
Rationale:
Ensuring that access to the KDC admin keytab file reflects least privilege will in turn help ensure the integrity and availability of KDC operations.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the admin_keytab directive
4. Locate the file referenced by the admin_keytab directive. If the directive is not present, the implicit path is <LOCALSTATEDIR>/krb5kdc/kadm5.keytab, such as /var/kerberos/krb5kdc/kadm5.keytab on Red Hat Enterprise Linux (the MIT documentation quotes the source-build default /usr/local/var/krb5kdc/kadm5.keytab).
5. Run the following command:
stat -L --format "%U:%G %a" <admin_keytab>
6. Ensure the output of the above command is as follows:
root:root 600
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the admin_keytab directive
4. Locate the file referenced by the admin_keytab directive. If the directive is not present, the implicit path is <LOCALSTATEDIR>/krb5kdc/kadm5.keytab, such as /var/kerberos/krb5kdc/kadm5.keytab on Red Hat Enterprise Linux.
5. Run the following commands:
chown root:root <admin_keytab>
chmod 600 <admin_keytab>
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
The database_name directive specifies the location of the Berkeley DB file that the KDC
uses as a database backend. Ensure that the database_name is owned by root:root
and is not accessible by any principal other than root.
Rationale:
Ensuring that access to the KDC Database file reflects least privilege will in-turn help
ensure the integrity and availability of KDC operations.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. Locate the database_name directive
4. Locate the file referenced by the database_name directive. If the
database_name directive is not present, it is implicitly set to
29 | P a g e
<LOCALSTATEDIR>/krb5kdc/principal, such as
/var/kerberos/krb5kdc/principal.
5. Run the following command:
6. Ensure the output of the above command starts with "root:root" and ends with "00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. Locate the database_name directive
4. Locate the file referenced by the database_name directive. If the database_name directive is not present, it is implicitly set to <LOCALSTATEDIR>/krb5kdc/principal, such as /var/kerberos/krb5kdc/principal.
5. Run the following command:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#kdc-realms
Description:
The pwservice flag marks a principal as a password change service, which grants it permission
to change passwords without going through normal password authentication.
Rationale:
Access to a principal with the pwservice flag can result in passwords being changed,
denying service to legitimate users and elevating the access of an attacker.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the default_principal_flags directive
4. Ensure that default_principal_flags contains -pwservice
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the default_principal_flags directive
4. Adjust the list so that default_principal_flags contains -pwservice
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
The dict_file directive specifies the location of the file that contains values that are not
allowed as passwords. Ensure that the dict_file is owned by root:root and is not
writable by any principal other than root.
Rationale:
Ensuring that access to the dict_file reflects least privilege will help ensure that the
integrity of the dict_file is not compromised. If the integrity of the dict_file is
compromised, the efficacy of the password blacklist controls may be reduced.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the dict_file directive
4. Locate the file referenced by the dict_file directive.
5. Run the following command:
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the dict_file directive
4. Locate the file referenced by the dict_file directive.
5. Run the following command:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
The key_stash_file directive specifies the file containing the master key as stored
with kdb5_stash. Ensure access to the file referenced by
the key_stash_file directive reflects least privilege.
Rationale:
Ensuring that access to the file referenced by the key_stash_file directive reflects
least privilege will help ensure the integrity of authentication services provided by
Kerberos and the confidentiality of credentials used by participating principals and
servers.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. Locate the key_stash_file directive
4. Locate the file referenced by the key_stash_file directive. If the key_stash_file directive is not present, it is implicitly set to <LOCALSTATEDIR>/krb5kdc/.k5.<REALM>, such as /var/kerberos/krb5kdc/.k5.example.com.
5. Ensure the owner of the referenced file is root:root and permissions prevent
access by group or other.
6. Ensure the output of the above command starts with "root:root" and ends with
"00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf.
2. Locate the [realms] section.
3. Locate the file referenced by the key_stash_file directive. If the key_stash_file directive is not present, it is implicitly set to <LOCALSTATEDIR>/krb5kdc/.k5.<REALM>, such as /var/kerberos/krb5kdc/.k5.example.com.
4. Set the owner of the referenced file to root:root.
5. Set the permissions on the referenced file to prevent access by group or other.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
This string specifies the name of the principal associated with the master key. The default
value is K/M.
Rationale:
While there is no direct security impact for renaming the master key, the master key
principal has special access controls that require auditing. Changing the master key name
may cause ACL audits to improperly fail.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the master_key_name directive
4. Ensure that the master_key_name is set to K/M
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the master_key_name directive
4. Set the master_key_name to K/M
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
This directive controls the master key's key type. It is recommended to only use an
algorithm from the following list:
aes256-cts-hmac-sha1-96
aes128-cts-hmac-sha1-96
des3-cbc-sha1
arcfour-hmac-md5
Rationale:
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the master_key_type directive
4. Ensure the value is set to one of the following: aes256-cts-hmac-sha1-96,
aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the master_key_type directive
4. Set the value to one of the following: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
This directive uses a timedelta to specify the maximum time period that a ticket may be
valid for in this realm.
Rationale:
Kerberos tickets should expire regularly to ensure that compromised tickets cannot be
used indefinitely.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the max_life directive
4. Ensure that the time is set to 24h 0m 0s or lower
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the max_life directive
4. Change the time to 24h 0m 0s or lower
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
This directive controls the maximum time period that a ticket may be renewed.
Rationale:
A compromised Kerberos ticket may be renewed indefinitely. This directive should be used
to limit the impact of such a credential compromise.
Audit:
1. Open /etc/krb5.conf
2. Locate the [realms] section
3. For each defined realm, locate the max_renewable_life directive
4. Ensure max_renewable_life is set to less than 14d
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the max_renewable_life directive
4. Set max_renewable_life to less than 14d
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
Description:
The supported_enctypes directive specifies the default key/salt combinations for this
realm. Any principals created through kadmin will have keys of these types. Ensure the
supported_enctypes directive includes only strong key/salt combinations.
Rationale:
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the supported_enctypes directive
4. Ensure the supported_enctypes directive is set to the following value:
aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal \
des3-cbc-sha1:normal arcfour-hmac-md5:normal
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the supported_enctypes directive.
4. Set the supported_enctypes directive to the following value:
aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal \
des3-cbc-sha1:normal arcfour-hmac-md5:normal
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/kdc_conf.html#realms
Description:
This boolean specifies whether or not the list of transited realms for cross-realm
tickets should be checked against the transit path computed from the realm names and
the [capaths] section of its krb5.conf. If this value is set to false, such tickets will be
issued anyway, and it will be left up to the application server to validate the realm transit
path.
Rationale:
Realm transit path should be enforced by the KDC, not left to the application. Some
applications may not check the transit path, which could result in unauthorized resource
access.
Audit:
1. Open /etc/krb5.conf
2. Locate the [realms] section
3. For each defined realm, locate the reject_bad_transit directive
4. Ensure that reject_bad_transit is set to true
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [realms] section
3. For each defined realm, locate the reject_bad_transit directive
4. Set reject_bad_transit to true
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#realms
2.3 [dbdefaults]
2.3.1 Secure the Kerberos database file (database_name) (Scored)
Profile Applicability:
Description:
The database_name directive specifies the location of the Kerberos database on the file
system. This directive is significant only when a Berkeley DB database type is configured.
Ensure that access to the Kerberos database reflects least privilege.
Rationale:
Ensuring that access to the Kerberos database reflects least privilege will help ensure the
integrity and confidentiality of database contents.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Locate the database_name directive
4. Locate the file referenced by the database_name directive.
5. Run the following command:
6. Ensure the output of the above command starts with "root:root" and ends with "00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Locate the database_name directive
4. Locate the file referenced by the database_name directive.
5. Run the following command:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbdefaults
2. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
Description:
Rationale:
Ensuring that "Last success authentication" updates occur may provide useful information
when investigating an operational or security event.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Ensure the disable_last_success directive is absent OR is present and set to
false.
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Locate the disable_last_success directive.
4. Set the disable_last_success directive to false.
Impact:
Setting this directive to false results in network traffic for each login, which can result in
a denial of service under heavy usage. If you opt to set this directive to true, account
lockouts are not possible as there is no success/failure logging. This will conflict with
Recommendation 2.3.3.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbdefaults
2. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
Description:
The disable_lockout directive determines if the KDC will suppress updates to the
"Last failed authentication" and "Failed password attempts" field of principal entries
requiring preauthentication. Ensure that these events are not suppressed.
Rationale:
Ensuring that "Last failed authentication" and "Failed password attempts" updates occur
may provide useful information when investigating an operational or security event.
Additionally, allowing these updates enables accounts to be locked out due to too many
successive authentication failures.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Ensure the disable_lockout directive is absent OR is present and set to
false.
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Locate the disable_lockout directive.
4. Set the disable_lockout directive to false.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbdefaults
2. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
Description:
Rationale:
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [dbdefaults] section
3. Locate the ldap_service_password_file directive
4. Locate the file referenced by the ldap_service_password_file directive.
5. Ensure the owner of the referenced file is root:root and permissions prevent
access by group or other.
6. Ensure the output of the above command starts with "root:root" and ends with
"00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf.
2. Locate the [dbdefaults] section.
3. Locate the ldap_service_password_file directive.
4. Locate the file referenced by the ldap_service_password_file directive.
5. Set the owner of the referenced file to root:root.
6. Set the permissions on the referenced file to prevent access by group or other.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbdefaults
2. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
2.3.5 Ensure kadmin and KDC run as different LDAP users (Scored)
Profile Applicability:
Description:
When using LDAP as a Kerberos backend, the two server components, kadmind and kdc,
each have an LDAP user DN configured with ldap_kadmind_dn and ldap_kdc_dn.
Rationale:
Different users should be created and configured for the two server components to ensure
separation of privilege.
Audit:
1. Open kdc.conf
2. Find the lines ldap_kadmind_dn and ldap_kdc_dn
3. Ensure that two different LDAP DNs are configured
Remediation:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
2.4 [logging]
2.4.1 Secure the default location (default) (Scored)
Profile Applicability:
Description:
The default logging entry determines where logs are sent in the absence of an explicit
entry for a given role, such as kdc and admin_server. The default logging entry
may be prefixed by FILE=, FILE:, STDERR, CONSOLE, DEVICE, or SYSLOG. For all
default entries prefixed with FILE= or FILE:, ensure access to the specified location
reflects least privilege.
Rationale:
Ensuring that access to the default log location reflects least privilege will help ensure the
integrity and confidentiality of Kerberos logs.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all default directives
4. For each default directive prefixed with FILE: or FILE=, locate the referenced
file on the file system.
5. Ensure the owner of the referenced file is root:root and permission prevent
access by group or other.
stat -L --format "%U:%G %a" <location_referenced_by_default_directive>
6. Ensure the output of the above command starts with "root:root" and ends with
"00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all default directives
4. For each default directive prefixed with FILE: or FILE=, locate the referenced
file on the file system.
5. Set the owner of the referenced file to root:root.
6. Set the permissions on the referenced file to prevent access by group or other.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
Description:
The kdc logging entry determines where the KDC logs are sent. The kdc logging entry
may be prefixed by FILE=, FILE:, STDERR, CONSOLE, DEVICE, or SYSLOG. For all
kdc entries prefixed with FILE= or FILE:, ensure access to the specified location
reflects least privilege.
Rationale:
Ensuring that access to the KDC log location reflects least privilege will help ensure the
integrity and confidentiality of Kerberos logs.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all kdc directives
4. For each kdc directive prefixed with FILE: or FILE=, locate the referenced file on
the file system.
5. Ensure the owner of the referenced file is root:root and permission prevent
access by group or other.
6. Ensure the output of the above command starts with "root:root" and ends with
"00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all kdc directives
4. For each kdc directive prefixed with FILE: or FILE=, locate the referenced file on
the file system.
5. Set the owner of the referenced file to root:root.
6. Set the permissions on the referenced file to prevent access by group or other.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
2.4.3 Secure the administrative server log location (admin_server)
(Scored)
Profile Applicability:
Description:
The admin_server logging entry determines where the administrative server logs are
sent. The admin_server logging entry may be prefixed by FILE=, FILE:, STDERR,
CONSOLE, DEVICE, or SYSLOG. For all admin_server entries prefixed with FILE= or
FILE:, ensure access to the specified location reflects least privilege.
Rationale:
Ensuring that access to the administrative server log location reflects least privilege will
help ensure the integrity and confidentiality of the logs.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all admin_server directives
4. For each admin_server directive prefixed with FILE: or FILE=, locate the
referenced file on the file system.
5. Ensure the owner of the referenced file is root:root and permission prevent
access by group or other.
6. Ensure the output of the above command starts with "root:root" and ends with
"00".
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all admin_server directives
4. For each admin_server directive prefixed with FILE: or FILE=, locate the
referenced file on the file system.
5. Set the owner of the referenced file to root:root.
6. Set the permissions on the referenced file to prevent access by group or other.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
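The file ownership checks in the [realms], [dbdefaults] and [logging] recommendations above all apply the same test: the output of stat -L --format "%U:%G %a" must start with root:root and the mode must end in 00. The following POSIX shell script is an added example, not part of the CIS benchmark; it reads those directives from a kdc.conf and applies that test to every referenced file. It assumes GNU stat, "key = value" lines with whitespace around "=", paths without spaces, and a constructed sample configuration (not a real deployment).

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: apply the benchmark's file
# ownership/permission test ("stat -L --format '%U:%G %a'" must start with
# root:root and the mode must end in 00) to every file named by the kdc.conf
# directives covered above. Assumes GNU stat and paths without spaces.

# Print every value of directive $3 inside section [$2] of conf file $1.
# Realm sub-blocks ("EXAMPLE.COM = { ... }") are transparent, so a directive
# inside any realm block of [realms] is reported.
conf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[[A-Za-z_]+\]/ {
            cur = $0; sub(/^[[:space:]]*\[/, "", cur); sub(/\].*$/, "", cur); next
        }
        cur == sec && match($0, "^[[:space:]]*" key "[[:space:]]*=") {
            v = substr($0, RSTART + RLENGTH)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v
        }' "$1"
}

# The benchmark's pass condition on an "owner:group mode" string.
perm_ok() {
    case "$1" in
        "root:root "*00) return 0 ;;
        *) return 1 ;;
    esac
}

# Strip a FILE: or FILE= prefix (used by admin_keytab and logging sinks);
# fail for values that do not name a file (SYSLOG, STDERR, ...).
strip_file_prefix() {
    case "$1" in
        FILE:*|FILE=*) printf '%s\n' "${1#FILE?}" ;;
        *) return 1 ;;
    esac
}

# Check one file. Returns 0 on PASS, 1 on FAIL, 2 if the file is missing.
check_file() {
    out=$(stat -L --format "%U:%G %a" "$1" 2>/dev/null) ||
        { echo "MISSING $1"; return 2; }
    if perm_ok "$out"; then echo "PASS $1 ($out)"; return 0; fi
    echo "FAIL $1 ($out)"; return 1
}

# Walk the directives the benchmark covers. Absent admin_keytab and
# database_name fall back to the implicit paths the benchmark names;
# key_stash_file's implicit path depends on the realm, so it is only
# checked when configured explicitly.
audit_kdc_conf() {
    conf=$1; rc=0
    for key in admin_keytab database_name dict_file key_stash_file; do
        vals=$(conf_get "$conf" realms "$key")
        [ -z "$vals" ] && [ "$key" = admin_keytab ] && vals=/usr/local/var/krb5kdc/kadm5.keytab
        [ -z "$vals" ] && [ "$key" = database_name ] && vals=/var/kerberos/krb5kdc/principal
        for v in $vals; do
            p=$(strip_file_prefix "$v") || p=$v
            check_file "$p" || rc=1
        done
    done
    for key in database_name ldap_service_password_file; do
        for v in $(conf_get "$conf" dbdefaults "$key"); do
            check_file "$v" || rc=1
        done
    done
    # Logging sinks: only FILE: / FILE= entries point at a file to check.
    for key in default kdc admin_server; do
        for v in $(conf_get "$conf" logging "$key"); do
            p=$(strip_file_prefix "$v") || continue
            check_file "$p" || rc=1
        done
    done
    return $rc
}

# Constructed sample configuration for demonstration (not a real deployment).
write_sample_conf() {
    cat > "$1" <<'EOF'
[realms]
 EXAMPLE.COM = {
  admin_keytab = FILE:/var/kerberos/krb5kdc/kadm5.keytab
  database_name = /var/kerberos/krb5kdc/principal
  dict_file = /usr/share/dict/words
  key_stash_file = /var/kerberos/krb5kdc/.k5.EXAMPLE.COM
 }
[logging]
 default = SYSLOG:INFO:DAEMON
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE=/var/log/kadmin.log
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && write_sample_conf "$tmp"
    audit_kdc_conf "$tmp"; rm -f "$tmp"
fi
```

Run it with --demo to audit the sample configuration, or source it and call audit_kdc_conf /var/kerberos/krb5kdc/kdc.conf on a real KDC.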
2.4.4 Ensure a persistent log sink is configured for default log location
(Scored)
Profile Applicability:
Description:
The default logging entry determines where logs are sent in the absence of an explicit
entry for a given role, such as kdc and admin_server. The default logging entry
may be prefixed by FILE=, FILE:, STDERR, CONSOLE, DEVICE, or SYSLOG. Ensure at
least one default entry is prefixed by FILE=, FILE:, DEVICE, or SYSLOG.
Rationale:
Ensuring that at least one default entry is prefixed by FILE=, FILE:, DEVICE,
or SYSLOG will ensure that logs sent to the default sink are persisted to disk. Information
sent to STDERR or CONSOLE are unlikely to be persisted to disk. Persisting logs to disk
will increase the probability that logs are available in support of resolving operational or
security events.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all default directives
4. Ensure at least one default directive is prefixed by FILE=, FILE:, DEVICE,
or SYSLOG.
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Add a default entry that leverages the FILE:, FILE=, SYSLOG, or DEVICE
prefix.
4. default = SYSLOG:INFO:DAEMON
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
2.4.5 Ensure a persistent log sink is configured for kdc logging (Scored)
Profile Applicability:
Description:
The kdc logging entry determines where the KDC logs are sent. The kdc directive's value
may be prefixed by FILE=, FILE:, STDERR, CONSOLE, DEVICE, or SYSLOG. Ensure at
least one kdc directive has a value that is prefixed by FILE=, FILE:, DEVICE, or
SYSLOG.
Rationale:
Ensuring that at least one kdc entry is prefixed by FILE=, FILE:, DEVICE,
or SYSLOG will ensure that logs sent to the kdc sink are persisted to disk. Information
sent to STDERR or CONSOLE are unlikely to be persisted to disk. Persisting logs to disk
will increase the probability that logs are available in support of resolving operational or
security events.
Audit:
1. Open /etc/krb5.conf
2. Locate the [logging] section
3. Locate all kdc directives
4. Ensure at least one kdc directive's value is prefixed by FILE=, FILE:, DEVICE,
or SYSLOG.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [logging] section
3. Add a kdc entry that leverages the FILE:, FILE=, SYSLOG, or DEVICE prefix.
4. kdc = SYSLOG:INFO:DAEMON
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
Description:
The admin_server logging entry determines where the administrative server logs are
sent. The admin_server logging entry may be prefixed by FILE=, FILE:, STDERR,
CONSOLE, DEVICE, or SYSLOG. Ensure at least one admin_server entry is prefixed by FILE=,
FILE:, DEVICE, or SYSLOG.
Rationale:
Ensuring that at least one admin_server entry is prefixed by FILE=, FILE:, DEVICE,
or SYSLOG will ensure that logs sent to the admin_server sink are persisted to disk. Information
sent to STDERR or CONSOLE are unlikely to be persisted to disk. Persisting logs to disk
will increase the probability that logs are available in support of resolving operational or
security events.
Audit:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Locate all admin_server directives
4. Ensure at least one admin_server directive is prefixed
by FILE=, FILE:, DEVICE, or SYSLOG.
Remediation:
1. Open /var/kerberos/krb5kdc/kdc.conf
2. Locate the [logging] section
3. Add an admin_server entry that leverages the FILE:, FILE=, SYSLOG, or
DEVICE prefix.
4. admin_server = FILE:/var/log/kadmin.log
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#logging
Description:
The KDC configuration file contains directives that dictate how the Kerberos
Authentication Service and Key Distribution Center (AS/KDC) operate. Ensure access to the
KDC configuration file reflects least privilege.
Rationale:
Ensuring that access to the KDC configuration file reflects least privilege will help ensure
the integrity and availability of KDC operations.
Audit:
root:root 600
Remediation:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html
Description:
A keytab is a file that contains Kerberos principals and encrypted keys. The default keytab
is typically used to identify the local Kerberos service to the KDC.
Rationale:
The keytab file can be used to authenticate without a password. Read access to the keytab
may allow an attacker to elevate privilege or impersonate other users.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_keytab_name directive
4. Locate the file referenced by the default_keytab_name directive. If the directive
is not present, the implicit path is /etc/krb5.keytab.
5. Run the following command:
root:root 600
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_keytab_name directive
4. Locate the file referenced by the default_keytab_name directive. If the directive
is not present, the implicit path is /etc/krb5.keytab.
5. Run the following command:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
Description:
The default_tgs_enctypes directive specifies the list of session key encryption types
supported by the Kerberos library. Ensure this directive is configured to prefer AES256.
Rationale:
Setting AES256 as the preferred encryption type reduces the probability of sensitive
information becoming compromised. AES256 may also be required to comply with
industry and government standards.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tgs_enctypes directive
4. Ensure the list pointed to by the default_tgs_enctypes directive begins
with aes-256-cts.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tgs_enctypes directive
4. Insert the following value at the beginning of the list pointed to by the
default_tgs_enctypes directive:
aes-256-cts
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
3.1.3 Ensure single DES-based encryption types are disallowed for TGS
(default_tgs_enctypes) (Scored)
Profile Applicability:
Description:
The default_tgs_enctypes directive specifies the list of session key encryption types
supported by the Kerberos library. Ensure this directive disallows Single DES-based
encryption types.
Rationale:
Ensuring that single DES encryption types are disallowed reduces the probability of
sensitive information becoming compromised. Single DES encryption is considered "weak".
Using modern hardware and cloud computing, cracking single DES is considered both
affordable and fast. Some government compliance regimes may also disallow the use of single DES.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tgs_enctypes directive
4. Ensure the list pointed to by the default_tgs_enctypes directive contains no
entries that start with "des-"
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tgs_enctypes directive
4. Remove all entries from the list pointed to by the default_tgs_enctypes
directive that start with "des-"
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
Description:
The default_tkt_enctypes directive specifies the list of session key encryption types
requested by the client. Ensure this directive is configured to prefer AES256.
Rationale:
Setting AES256 as the preferred encryption type reduces the probability of sensitive
information becoming compromised. AES256 may also be required to comply with
industry and government standards.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tkt_enctypes directive
4. Ensure the list pointed to by the default_tkt_enctypes directive begins
with aes-256-cts.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tkt_enctypes directive
4. Insert the following value at the beginning of the list pointed to by the
default_tkt_enctypes directive:
aes-256-cts
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
3.1.5 Ensure single DES-based encryption types are disallowed for TKT
(default_tkt_enctypes) (Scored)
Profile Applicability:
Description:
The default_tkt_enctypes directive specifies the list of session key encryption types
supported by the Kerberos library. Ensure this directive disallows single DES-based
encryption types.
Rationale:
Ensuring that single DES encryption types are disallowed reduces the probability of
sensitive information becoming compromised. Single DES encryption is considered "weak".
Using modern hardware and cloud computing, cracking single DES is considered both
affordable and fast. Some government compliance regimes may also disallow the use of single DES.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tkt_enctypes directive
4. Ensure the list pointed to by the default_tkt_enctypes directive contains no
entries that start with "des-"
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the default_tkt_enctypes directive
4. Remove all entries from the list pointed to by the default_tkt_enctypes
directive that start with "des-"
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
Description:
Rationale:
Ensuring that single DES encryption types are disallowed reduces the probability of
sensitive information becoming compromised. Single DES encryption is considered "weak".
Using modern hardware and cloud computing, cracking single DES is considered both
affordable and fast. Some government compliance regimes may also disallow the use of single DES.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the permitted_enctypes directive
4. Ensure the list pointed to by the permitted_enctypes directive contains no
entries that start with "des-"
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the permitted_enctypes directive
4. Remove all entries from the list pointed to by the permitted_enctypes directive
that start with "des-"
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
Description:
Rationale:
Ensuring that weak encryption types are disallowed reduces the probability of sensitive
information becoming compromised. These encryption types are considered "weak"
because there are cryptographic attacks that significantly reduce the search space or the
search space is small relative to modern computing power. These algorithms are typically
very old and use small key sizes.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Ensure the allow_weak_crypto directive is present and set to false.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the allow_weak_crypto directive and set it to false.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
Description:
Rationale:
In order to prevent intruders from resetting their system clocks in order to continue to use
expired tickets, Kerberos is set up to reject ticket requests from any host whose clock is not
within the specified maximum clock skew of the KDC. Similarly, hosts are configured to
reject responses from any KDC whose clock is not within the specified maximum clock
skew of the host.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Ensure the clockskew directive is present and set to less than or equal to 300.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the clockskew directive and set it to less than or equal to 300.
References:
1. http://web.mit.edu/kerberos/krb5-
current/doc/admin/conf_files/krb5_conf.html#libdefaults
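The [libdefaults] encryption-type, allow_weak_crypto and clockskew checks above can be evaluated together. The following POSIX shell script is an added example, not part of the CIS benchmark; it extracts those directives from a krb5.conf and applies the benchmark's conditions (no entries starting with "des-", AES256 first, allow_weak_crypto present and false, clockskew at most 300). It assumes a flat [libdefaults] section with whitespace around "=", and it uses two constructed sample configurations, one weak and one hardened.

```shell
#!/bin/sh
# Added example, not part of the CIS benchmark: evaluate the [libdefaults]
# checks above (single-DES entries, AES256 preference, allow_weak_crypto,
# clockskew) against a krb5.conf. Assumes a flat [libdefaults] section
# with "key = value" lines and whitespace around "=".

# Print the value of directive $2 in [libdefaults] of file $1 (empty if unset).
libdefault() {
    sed -n '/^[[:space:]]*\[libdefaults\]/,/^[[:space:]]*\[/p' "$1" |
        awk -v key="$2" 'match($0, "^[[:space:]]*" key "[[:space:]]*=") {
            v = substr($0, RSTART + RLENGTH)
            sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
            print v; exit }'
}

# Entries that start with "des-" (single DES). des3-* is not flagged, matching
# the benchmark's allowed list. Prints the offenders; status 1 if any.
weak_des_entries() {
    bad=""
    for e in $1; do
        case "$e" in des-*) bad="$bad $e" ;; esac
    done
    [ -z "$bad" ] || { printf '%s\n' "${bad# }"; return 1; }
}

# The list must begin with AES256. The benchmark writes "aes-256-cts"; krb5
# itself spells the alias "aes256-cts", so both spellings are accepted here.
prefers_aes256() {
    case "$1" in aes256-cts*|aes-256-cts*) return 0 ;; *) return 1 ;; esac
}

# clockskew must be present, numeric (seconds) and at most 300.
clockskew_ok() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 300 ]
}

# Apply all checks to one krb5.conf; prints one PASS/FAIL line per check.
audit_libdefaults() {
    f=$1; rc=0
    for key in default_tgs_enctypes default_tkt_enctypes permitted_enctypes; do
        if bad=$(weak_des_entries "$(libdefault "$f" "$key")"); then
            echo "PASS $key: no single-DES entries"
        else
            echo "FAIL $key: single-DES entries present: $bad"; rc=1
        fi
    done
    for key in default_tgs_enctypes default_tkt_enctypes; do
        if prefers_aes256 "$(libdefault "$f" "$key")"; then
            echo "PASS $key begins with AES256"
        else
            echo "FAIL $key does not begin with AES256"; rc=1
        fi
    done
    if [ "$(libdefault "$f" allow_weak_crypto)" = false ]; then
        echo "PASS allow_weak_crypto = false"
    else
        echo "FAIL allow_weak_crypto must be present and set to false"; rc=1
    fi
    if clockskew_ok "$(libdefault "$f" clockskew)"; then
        echo "PASS clockskew <= 300"
    else
        echo "FAIL clockskew missing, non-numeric or greater than 300"; rc=1
    fi
    return $rc
}

# Constructed sample configurations (not real deployments): $1 is "weak" or
# "hardened", $2 is the output path.
write_sample_krb5_conf() {
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = des-cbc-crc aes256-cts aes128-cts
 default_tkt_enctypes = aes128-cts des-cbc-md5
 permitted_enctypes = aes256-cts aes128-cts des-cbc-crc
 allow_weak_crypto = true
 clockskew = 600
[realms]
 EXAMPLE.COM = { kdc = kdc.example.com }
EOF
    else
        cat > "$2" <<'EOF'
[libdefaults]
 default_realm = EXAMPLE.COM
 default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1
 default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1
 permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1
 allow_weak_crypto = false
 clockskew = 300
[realms]
 EXAMPLE.COM = { kdc = kdc.example.com }
EOF
    fi
}
```

Source the script and call audit_libdefaults /etc/krb5.conf on a real host; write_sample_krb5_conf weak /tmp/weak.conf followed by audit_libdefaults /tmp/weak.conf shows every check failing.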
3.1.9 Ensure ignore_acceptor_hostname is not set to true (Scored)
Profile Applicability:
Description:
When accepting GSSAPI or krb5 security contexts for host-based service principals, ignore
any hostname passed by the calling application and allow any service principal present in
the keytab that matches the service name and realm name (if given). This option can
improve the administrative flexibility of server applications on multi-homed hosts, but can
compromise the security of virtual hosting environments.
Rationale:
An attacker may attempt to use alternate hostnames to bypass restrictions that the
administrator has placed on the service.
Audit:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Ensure the ignore_acceptor_hostname directive is absent OR is present and
set to false.
Remediation:
1. Open /etc/krb5.conf
2. Locate the [libdefaults] section
3. Locate the ignore_acceptor_hostname directive and set it to false.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/krb5_conf.html#libdefaults
3.2 [plugins]
3.2.1 Prevent blank password creation (pwqual:empty) (Scored)
Profile Applicability:
Description:
The password quality interface (pwqual) has a built-in module, named empty, that will
reject attempts to set a blank password. Ensure the empty module is enabled.
Rationale:
Ensuring that blank passwords are rejected will increase the efficacy of authentication and
authorization controls. If blank passwords are allowed, confidence in the identity of the
actor authenticating with a given credential cannot be assured.
Audit:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Ensure empty is not present on the disable directive line.
6. If the enable_only directive is present, ensure empty is present on
the enable_only directive line.
Remediation:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Remove empty from the disable directive line.
6. If the enable_only directive is present, add empty to the enable_only
directive line.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/krb5_conf.html#pwqual-interface
3.2.2 Prevent dictionary word password creation (pwqual:dict) (Scored)
Profile Applicability:
Description:
The password quality interface (pwqual) has a built-in module, named dict, which will
reject attempts to set a password that is present in the realm's dictionary file. Ensure the
dict module is enabled.
Rationale:
Ensuring that passwords based on dictionary words are rejected will increase the efficacy of
authentication and authorization controls. If passwords based on dictionary words are
allowed, confidence in the identity of the actor authenticating with a given credential
cannot be assured.
Audit:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Ensure dict is not present on the disable directive line.
6. If the enable_only directive is present, ensure dict is present on
the enable_only directive line.
Remediation:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Remove dict from the disable directive line.
6. If the enable_only directive is present, add dict to the enable_only
directive line.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/krb5_conf.html#pwqual-interface
3.2.3 Prevent creation of passwords derived from the principal's name
(pwqual:princ) (Scored)
Profile Applicability:
Description:
The password quality interface (pwqual) has a built-in module, named princ, which will
reject attempts to set a password that is derived from the principal's name. Ensure the
princ module is enabled.
Rationale:
Ensuring that passwords derived from the principal's name are rejected will increase the
efficacy of authentication and authorization controls. If passwords derived from the
principal's name are allowed, confidence in the identity of the actor authenticating with a
given credential cannot be assured.
Audit:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Ensure princ is not present on the disable directive line.
6. If the enable_only directive is present, ensure princ is present on
the enable_only directive line.
Remediation:
1. Open /etc/krb5.conf.
2. Locate the [plugins] section.
3. Locate the pwqual interface subsection.
4. Locate the disable directive.
5. Remove princ from the disable directive line.
6. If the enable_only directive is present, add princ to the enable_only
directive line.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/krb_admins/conf_files/krb5_conf.html#pwqual-interface
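The audit steps for the [libdefaults] items above (allow_weak_crypto, clockskew, ignore_acceptor_hostname) and for the pwqual modules empty, dict and princ can be run from one script. The following is an added example, not CIS or MIT code; its krb5.conf parser is a simplified reading of the format (sections, key = value lines, and key = { ... } subsections), values on a directive line are assumed to be whitespace-separated, and the sample configuration is constructed.

```python
import re

def parse_krb5_conf(text):
    """Return {section: {key: [values]}} with key = { ... } blocks nested as dicts.
    Simplified krb5.conf reader (assumption of this example): '#' starts a comment,
    repeated tags and whitespace-separated values both accumulate into one list."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        section = re.match(r"\[(\w+)\]$", line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1].setdefault(key, []).extend(value.split())
    return conf

def audit(conf):
    """Return [(check, passed)] for the six items covered in this section."""
    ld = conf.get("libdefaults", {})
    pw = conf.get("plugins", {}).get("pwqual", {})
    disabled = set(pw.get("disable", []))
    enable_only = pw.get("enable_only")  # absent: every built-in module is enabled
    results = [
        ("allow_weak_crypto=false", ld.get("allow_weak_crypto") == ["false"]),
        ("clockskew<=300", "clockskew" in ld and int(ld["clockskew"][0]) <= 300),
        ("ignore_acceptor_hostname!=true",
         ld.get("ignore_acceptor_hostname", ["false"]) != ["true"]),
    ]
    for mod in ("empty", "dict", "princ"):
        ok = mod not in disabled and (enable_only is None or mod in enable_only)
        results.append((f"pwqual:{mod} enabled", ok))
    return results

SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.COM   # constructed sample, fails two checks
    allow_weak_crypto = true
    clockskew = 300
[plugins]
    pwqual = {
        disable = dict
    }
"""
```

Running audit(parse_krb5_conf(SAMPLE)) flags allow_weak_crypto and the disabled dict module; the remaining four checks pass.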
Description:
The Kerberos configuration file contains information needed by the Kerberos library,
including descriptions of realms and the location of the KDC for those realms. Ensure
access to the Kerberos configuration file reflects least privilege.
Rationale:
Ensuring that access to the Kerberos configuration file reflects least privilege will help
ensure the integrity and availability of KDC operations.
Audit:
Remediation:
4.1 Ensure kiprop principals are only allowed propagation permission
(Scored)
Profile Applicability:
Description:
Note: The ordering of permissions is important: permissions are determined by the first
matching entry/glob. Please review the documentation for kadm5.acl for more details.
Rationale:
Principals used for Kerberos propagation should have restricted access to ensure the principle
of least privilege.
Audit:
Remediation:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kadm5_acl.html
Description:
The kadmin/changepw principal is a special principal used by the KDC to change user
passwords.
Rationale:
Multiple key versions could allow an attacker to initiate replay attacks or perform offline
cracking attempts against expired Kerberos credentials.
Audit:
Remediation:
Description:
Rationale:
Audit:
kadmin.local -q "get_principal kadmin/<REALM>" | grep "^Attributes:"
Remediation:
Description:
Rationale:
Multiple key versions could allow an attacker to initiate replay attacks or perform offline
cracking attempts against expired Kerberos credentials.
Audit:
Note: During a key rotation, you may choose to keep the old TGT for a short interval to
prevent invalidating existing tickets. This window should be no longer than the length of
the ticket expiration/renewal window.
Remediation:
Log into the KDC and run the following command:
Description:
The Kerberos kadmind daemon uses kadm5.acl to manage access rights to the Kerberos
database. Ensure access to kadm5.acl reflects least privilege.
Rationale:
Ensuring that access to kadm5.acl reflects least privilege will help ensure the integrity
and availability of KDC operations.
Audit:
Remediation:
5.1 Restrict KDC write access to all attributes other than counters and
timers (Not Scored)
Profile Applicability:
Description:
The ldap_kdc_dn is the LDAP object used by the KDC daemon to access the LDAP
database.
Rationale:
To prevent escalation of privilege, the Kerberos server should not be allowed to access
arbitrary LDAP data.
Audit:
Connect to your LDAP server and determine if the ldap_kdc_dn user is granted
unnecessary write access. The specific steps to do so will differ by LDAP server and
organizational policy.
Remediation:
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
5.2 Ensure only KDC and kadmin can read attributes (Not Scored)
Profile Applicability:
Description:
The LDAP users configured in ldap_kadmind_dn and ldap_kdc_dn are used by the
Kerberos server to read and write Kerberos attributes in the LDAP database.
Rationale:
To prevent escalation of privilege, the Kerberos server should not be allowed to access
arbitrary LDAP data.
Audit:
Remediation:
Configure the access controls so that the ldap_kadmind_dn and ldap_kdc_dn users
have only the necessary read access.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
Description:
The LDAP user configured in ldap_kadmind_dn is used by the kadmind server to read
and write Kerberos attributes in the LDAP database.
Rationale:
To prevent escalation of privilege, the Kerberos server should not be allowed to modify
arbitrary LDAP data.
Audit:
Connect to your LDAP server and determine if the ldap_kadmind_dn user has the
appropriate write access. The specific steps to do so will differ by LDAP server and
organizational policy.
Remediation:
Configure the access controls so that the ldap_kadmind_dn user only has the necessary
write access. The ldap_kadmind_dn should only have write access to the Kerberos
attributes and objects in the LDAP database.
References:
1. http://web.mit.edu/kerberos/krb5-current/doc/admin/conf_files/kdc_conf.html#dbmodules
Appendix: Change History
Date Version Changes for this version
2012-12-28 1.0.0 Initial Release