Kerberos Commands
Available Languages
Table Of Contents
Kerberos Commands
This chapter describes the commands used to configure Kerberos. Kerberos is a secret-key network authentication protocol, developed at Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).
For information on how to configure Kerberos, refer to the chapter "Configuring Kerberos" in the Cisco IOS Security Configuration Guide. For configuration examples using the commands in this chapter, refer to the section "Kerberos Configuration Examples" located at the end of the
chapter "Configuring Kerberos" in the Cisco IOS Security Configuration Guide.clear kerberos creds
To delete the contents of the credentials cache, use the clear kerberos creds command in privileged EXEC mode.
clear kerberos creds
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Credentials are deleted when this command is issued.
Cisco supports Kerberos 5.
Examples
The following example illustrates the clear kerberos creds command:
cisco-2500 > show kerberos credsDefault Principal: chet@cisco.comValid Starting Expires Service Principal18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/CISCO.COM@CISCO.COMcisco-2500 > clear kerberos credscisco-2500 > show kerberos credsNo Kerberos credentials.cisco-2500 >Related Commands
kerberos clients mandatory
To cause the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server, use the kerberos clients mandatory command in global configuration mode. To make Kerberos optional, use the no form of this command.
kerberos clients mandatory
no kerberos clients mandatory
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is not configured and the user has Kerberos credentials stored locally, the rsh, rcp, rlogin, and telnet commands attempt to negotiate the Kerberos protocol with the remote server and will use the non-Kerberized protocols if unsuccessful.
If this command is not configured and the user has no Kerberos credentials, the standard protocols for rcp and rsh are used to negotiate.
Examples
The following example causes the rsh, rcp, rlogin, and telnet commands to fail if they cannot negotiate the Kerberos protocol with the remote server:
kerberos clients mandatoryRelated Commands
kerberos credentials forward
To force all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication, use the kerberos credentials forward command in global configuration mode. To turn off forwarding of Kerberos credentials, use the no form of this command.
kerberos credentials forward
no kerberos credentials forward
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
Enable credentials forwarding to have users' ticket granting tickets (TGTs) forwarded to the host on which they authenticate. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time they need to get a TGT.
Examples
The following example forces all network application clients on the router to forward users' Kerberos credentials upon successful Kerberos authentication:
kerberos credentials forwardRelated Commands
kerberos instance map
To map Kerberos instances to Cisco IOS privilege levels, use the kerberos instance map command in global configuration mode. To remove a Kerberos instance map, use the no form of this command.
kerberos instance map instance privilege-level
no kerberos instance map instance
Syntax Description
Defaults
Privilege level 1.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to create user instances with access to administrative commands.
Examples
The following example sets the privilege level to 15 for authenticated Kerberos users with the admin instance in Kerberos realm:
kerberos instance map admin 15Related Commands
kerberos local-realm
To specify the Kerberos realm in which the router is located, use the kerberos local-realm command in global configuration mode. To remove the specified Kerberos realm from this router, use the no form of this command.
kerberos local-realm kerberos-realm
no kerberos local-realm
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
The router can be located in more than one realm at a time. However, there can only be one instance of Kerberos local-realm. The realm specified with this command is the default realm.
Examples
The following example specify the Kerberos realm in which the router is located as EXAMPLE.COM:
kerberos local-realm EXAMPLE.COMRelated Commands
kerberos preauth
To specify a preauthentication method to use to communicate with the key distribution center (KDC), use the kerberos preauth command in global configuration mode. To disable Kerberos preauthentication, use the no form of this command.
kerberos preauth [encrypted-unix-timestamp | encrypted-kerberos-timestamp | none]
no kerberos preauth
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
It is more secure to use a preauthentication for communications with the KDC. However, communication with the KDC will fail if the KDC does not support this particular version of kerberos preauth. If that happens, turn off the preauthentication with the none option.
The no form of this command is equivalent to using the none keyword.
Examples
The following example enables Kerberos preauthentication:
kerberos preauth encrypted-unix-timestampThe following example disables Kerberos preauthentication:
kerberos preauth noneRelated Commands
kerberos realm
To map a host name or Domain Name System (DNS) domain to a Kerberos realm, use the kerberos realm command in global configuration mode. To remove a Kerberos realm map, use the no form of this command.
kerberos realm {dns-domain | host} kerberos-realm
no kerberos realm {dns-domain | host} kerberos-realm
Syntax Description
dns-domain
Name of a DNS domain or host.
host
Name of a DNS host.
kerberos-realm
Name of the Kerberos realm to which the specified domain or host belongs.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
DNS domains are specified with a leading dot (.) character; host names cannot begin with a dot (.) character. There can be multiple entries of this line.
A Kerberos realm consists of users, hosts, and network services that are registered to a Kerberos server. The Kerberos realm must be in uppercase characters. The router can be located in more than one realm at a time. Kerberos realm names must be in all uppercase characters.
Examples
The following example maps the domain name "example.com" to the Kerberos realm, EXAMPLE.COM:
kerberos realm .example.com EXAMPLE.COMRelated Commands
kerberos server
To specify the location of the Kerberos server for a given Kerberos realm, use the kerberos server command in global configuration mode. To remove a Kerberos server for a specified Kerberos realm, use the no form of this command.
kerberos server kerberos-realm {hostname | ip-address} [port-number]
no kerberos server kerberos-realm {hostname | ip-address}
Syntax Description
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
Use the kerberos server command to specify the location of the Kerberos server for a given realm.
Examples
The following example specifies 192.168.47.66 as the Kerberos server for the Kerberos realm EXAMPLE.COM:
kerberos server EXAMPLE.COM 192.168.47.66Related Commands
kerberos srvtab entry
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab entry command in global configuration mode. To remove a SRVTAB entry from the router's configuration, use the no form of this command.
kerberos srvtab entry kerberos-principal principal-type timestamp key-version number key-type key-length encrypted-keytab
no kerberos srvtab entry kerberos-principal principal-type
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from a remote host (generally the KDC), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with a private DES key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory router configuration command to write the router's running configuration to NVRAM.
If you reload a configuration, with a SRVTAB encrypted with a private DES key, on to a router that does not have a private DES key defined, the router displays a message informing you that the SRVTAB entry has been corrupted, and discards the entry.
If you change the private DES key and reload an old version of the router's configuration that contains SRVTAB entries encrypted with the old private DES keys, the router will restore your Kerberos SRVTAB entries, but the SRVTAB keys will be corrupted. In this case, you must delete your old Kerberos SRVTAB entries and reload your Kerberos SRVTABs on to the router using the kerberos srvtab remote command.
Although you can configure kerberos srvtab entry on the router manually, generally you would not do this because the keytab is encrypted automatically by the router when you copy the SRVTAB using the kerberos srvtab remote command.
Examples
In the following example, host/new-router.example.com@EXAMPLE.COM is the host, 0 is the type, 817680774 is the timestamp, 1 is the version of the key, 1 indicates the DES is the encryption type, 8 is the number of bytes, and .cCN.YoU.okK is the encrypted key:
kerberos srvtab entry host/new-router.example.com@EXAMPLE.COM 0 817680774 1 1 8 .cCN.YoU.okKRelated Commands
Retrieves a krb5 SRVTAB file from the specified host.
Defines a private DES key for the router.
kerberos srvtab remote
To retrieve a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration, use the kerberos srvtab remote command in global configuration mode.
kerberos srvtab remote {boot_device:URL}
Syntax Description
URL
Machine that has the Kerberos SRVTAB file.
ip-address
IP address of the machine that has the Kerberos SRVTAB file.
filename
Name of the SRVTAB file.
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Usage Guidelines
When you use the kerberos srvtab remote command to copy the SRVTAB file from the remote host (generally the key distribution center [KDC]), it parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. The key for each SRVTAB entry is encrypted with the private Data Encryption Standard (DES) key if one is defined on the router. To ensure that the SRVTAB is available (that is, that it does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write the router's running configuration to NVRAM.
Examples
The following example copies the SRVTAB file residing on b1.example.com to a router named s1.example.com:
kerberos srvtab remote tftp://b1.example.com/s1.example.com-new-srvtabRelated Commands
Retrieves a SRVTAB file from a remote host and automatically generate a Kerberos SRVTAB entry configuration.
Defines a private DES key for the router.
key config-key
To define a private DES key for the router, use the key config-key command in global configuration mode. To delete a private Data Encryption Standard (DES) key from the router, use the no form of this command.
key config-key 1 string
no key config-key 1 string
Syntax Description
1
Key number. This number is always 1.
string
Private DES key (can be up to eight alphanumeric characters).
Defaults
No DES-key defined.
Command Modes
Global configuration
Command History
Usage Guidelines
This command defines a private DES key for the router that will not show up in the router configuration. This private DES key can be used to DES-encrypt certain parts of the router's configuration.
CautionThe private DES key is unrecoverable. If you encrypt part of your configuration with the private DES key and lose or forget the key, you will not be able to recover the encrypted data.
Examples
The following example sets keyxx as the private DES key on the router:
key config-key 1 keyxxRelated Commands
Specifies a krb5 SRVTAB entry.
Retrieves a SRVTAB file from a remote host and automatically generates a Kerberos SRVTAB entry configuration.
show kerberos creds
To display the contents of your credentials cache, use the show kerberos creds command in privileged EXEC mode.
show kerberos creds
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show kerberos creds command is equivalent to the UNIX klist command.
When users authenticate themselves with Kerberos, they are issued an authentication ticket called a credential. The credential is stored in a credential cache.
Examples
The following example displays entries in the credentials cache:
Router > show kerberos credsDefault Principal: user@example.comValid Starting Expires Service Principal18-Dec-1995 16:21:07 19-Dec-1995 00:22:24 krbtgt/EXAMPLE.COM@EXAMPLE.COMThe following example returns output that acknowledges that credentials do not exist in the credentials cache:
Router > show kerberos credsNo Kerberos credentialsRelated Commands
Feedback