Cisco Catalyst 2960 Series User Manual

2288 pages
Copying SRVTAB Files
To make it possible for remote users to authenticate to the device using Kerberos credentials, the device must
share a secret key with the KDC. To do this, you must give the device a copy of the SRVTAB you extracted
on the KDC.
The most secure method to copy an SRVTAB file to the hosts in your Kerberos realm is to copy it onto
physical media and go to each host in turn and manually copy the files onto the system. Because the device
does not have a physical media drive, the SRVTAB file must be transferred to it over the network using
TFTP.
To remotely copy an SRVTAB file to the device from the KDC, use the kerberos srvtab remote command
in global configuration mode:
Device(config)# kerberos srvtab remote {hostname | ip-address} {filename}
When you copy the SRVTAB file from the device to the KDC, the kerberos srvtab remote command parses
the information in this file and stores it in the running configuration of the device, in the kerberos srvtab
entry format. To ensure that the SRVTAB is available (does not need to be acquired from the KDC) when
you reboot the device, use the write memory configuration command to write your running configuration
(which contains the parsed SRVTAB file) to NVRAM.
Specifying Kerberos Authentication
See the Configuring Authentication feature module for more information on configuring authentication on
the device. The aaa authentication command is used to specify Kerberos as the authentication method.
Enabling Credentials Forwarding
With Kerberos configured thus far, a user authenticated to a Kerberized device has a TGT and can use it to
authenticate to a host on the network. However, if the user tries to list credentials after authenticating to a
host, the output will show no Kerberos credentials present.
You can optionally configure the device to forward users' TGTs with them as they authenticate from the
device to Kerberized remote hosts on the network when using Kerberized Telnet, rcp, rsh, and rlogin (with
the appropriate flags).
To force all clients to forward users' credentials as they connect to other hosts in the Kerberos realm, use the
following command in global configuration mode:
Command: Device(config)# kerberos credentials forward
Purpose: Forces all clients to forward user credentials upon successful Kerberos authentication.
With credentials forwarding enabled, users' TGTs are automatically forwarded to the next host they authenticate
to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program
each time to get a new TGT.
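The following Python script is an added example, not part of the Cisco guide. It audits saved copies of a device's running and startup configurations for the points above: SRVTAB entries that were parsed into the running configuration but never written to NVRAM, whether Kerberos (krb5) is a login method, and whether credentials forwarding is on. The sample configurations, realm, host names and key placeholder are constructed, and the script assumes the principal is the first field after "kerberos srvtab entry".

```python
import re

# Constructed sample configurations (not from a real device).
# PLACEHOLDERKEY stands in for the encrypted key material.
RUNNING = """\
aaa new-model
aaa authentication login default krb5
kerberos local-realm EXAMPLE.COM
kerberos srvtab entry host/sw1.example.com@EXAMPLE.COM 0 891725446 4 1 8 PLACEHOLDERKEY
kerberos srvtab entry host/sw1-mgmt.example.com@EXAMPLE.COM 0 891725446 4 1 8 PLACEHOLDERKEY
kerberos credentials forward
"""
STARTUP = """\
aaa new-model
aaa authentication login default krb5
kerberos local-realm EXAMPLE.COM
kerberos srvtab entry host/sw1.example.com@EXAMPLE.COM 0 891725446 4 1 8 PLACEHOLDERKEY
"""

# Assumption: the principal is the first field after the command keywords.
SRVTAB_RE = re.compile(r"^\s*kerberos srvtab entry (\S+)", re.M)
KRB5_LOGIN_RE = re.compile(r"^\s*aaa authentication login .*\bkrb5\b", re.M)
FORWARD_RE = re.compile(r"^\s*kerberos credentials forward\s*$", re.M)


def srvtab_principals(config):
    """Return the set of principals that have a parsed SRVTAB entry."""
    return set(SRVTAB_RE.findall(config))


def audit(running, startup):
    """Compare running and startup configs for the Kerberos settings."""
    run_p = srvtab_principals(running)
    start_p = srvtab_principals(startup)
    return {
        # False means no shared key is loaded, so Kerberos logins cannot work.
        "srvtab_loaded": bool(run_p),
        # Entries that a reboot would lose because write memory was not run.
        "unsaved_principals": sorted(run_p - start_p),
        "krb5_login": bool(KRB5_LOGIN_RE.search(running)),
        # True means users' TGTs are forwarded to each host they reach.
        "credentials_forward": bool(FORWARD_RE.search(running)),
    }


if __name__ == "__main__":
    for name, value in audit(RUNNING, STARTUP).items():
        print(f"{name}: {value}")
```
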
Consolidated Platform Configuration Guide, Cisco IOS Release 15.2(4)E (Catalyst 2960-X Switches)
How to Configure Kerberos

Cisco Catalyst 2960 Series Specifications

General
Layer: Layer 2
Power over Ethernet (PoE): Available on some models
RAM: 128 MB
Flash Memory: 32 MB
MAC Address Table Size: 8000
Operating Temperature: 0°C to 45°C (32 to 113°F)
Ports: 24 or 48 x 10/100/1000
