Create a host principal using MIT Kerberos
|Debian (Lenny, Squeeze)|
To create a host principal using MIT Kerberos
A principal is an identity that Kerberos is able to authenticate. Principals may represent users, network hosts, or network services. A principal that corresponds to a network host is called a host principal and has a name of the form:
Host principals are needed for two reasons:
- to allow the host to verify that tickets were issued by a genuine KDC, and
- to allow clients to verify that they are communicating with the intended host.
In this respect a host principal serves essentially the same function as a service principal, except that it refers to the host as a whole rather than to any specific network service. Services that authenticate using the host principal include OpenSSH and the Kerberos V PAM module (
Suppose you wish to allow users to log in to the machine www.example.com using SSH with GSSAPI authentication, so that those with a suitable Kerberos ticket need not supply a password. The machine belongs to the Kerberos realm
In order to achieve this it is necessary for the machine to have a host principal, which should be named
The method described here assumes that you already have:
- a Kerberos realm with an admin server and at least one KDC (Key Distribution Centre); and
- a Kerberos principal that is authorised to create other principals within that realm.
Host principals can be created using the addprinc command of kadmin in much the same way as user or service principals:
kadmin -q "addprinc -randkey host/www.example.com"
The -q option specifies a kadmin command to be executed, in this case addprinc. The -randkey option of addprinc specifies that the encryption key should be chosen at random instead of being derived from a password. Hosts normally authenticate using a keytab, so have no need for a password.
By default, kadmin appends /admin to your default principal or username and attempts to authenticate to the admin server using that. You can specify an alternative admin principal using the -p option if required.
You do not need to be root to run kadmin; however, if you are not root then it will probably not be on your path. A common location for the executable is
It is often convenient to run kadmin on the machine for which the host principal is needed, particularly if you also intend to create a keytab. However, you should do this only if you are willing to trust that machine with administrative rights to the realm as a whole. Otherwise, choose a machine that you do trust (such as the KDC).
On Debian-based systems kadmin is provided by the krb5-user package, whereas on Red Hat-based systems it is provided by the
You can check that the host principal exists using the getprinc command of kadmin:
kadmin -q "getprinc host/www.example.com"
If the principal exists then you should see output similar to the following:
Principal: host/www.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Mar 12 21:18:37 GMT 2012
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Mar 12 21:18:37 GMT 2012 (bofh/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
If it does not then you should see an error of the form:
get_principal: Principal does not exist while retrieving "host/www.example.com@EXAMPLE.COM".
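A scripted version of this check, as an added example that is not part of the original page: the function reads getprinc output on standard input and reports whether the principal exists. It goes one step beyond the text by also counting keys of legacy encryption types (DES, 3DES, RC4), such as the two keys in the sample output above. The function name, exit codes and the AES sample labels are assumptions made for illustration.

```shell
# Added example (not from the original page): audit getprinc output on stdin.
# Exit status: 0 = principal exists with no legacy keys,
#              1 = principal not found,
#              2 = principal exists but holds DES/3DES/RC4 keys.
check_getprinc() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q '^Principal: '; then
        echo "MISSING"
        return 1
    fi
    # Count "Key:" lines whose enctype label names a legacy cipher.
    weak=$(printf '%s\n' "$out" | grep '^Key: ' | grep -Eic 'des|arcfour|rc4' || true)
    if [ "$weak" -gt 0 ]; then
        echo "LEGACY_KEYS=$weak"
        return 2
    fi
    echo "OK"
}

# Abridged copy of the sample output shown on this page.
sample_page() {
    cat <<'EOF'
Principal: host/www.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Policy: [none]
EOF
}

# Constructed sample: the same principal with AES-only keys (assumed labels).
sample_aes() {
    cat <<'EOF'
Principal: host/www.example.com@EXAMPLE.COM
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
EOF
}

# The error text shown on this page for a missing principal.
sample_missing() {
    echo 'get_principal: Principal does not exist while retrieving "host/www.example.com@EXAMPLE.COM".'
}

sample_page | check_getprinc || true      # LEGACY_KEYS=2
sample_aes | check_getprinc || true       # OK
sample_missing | check_getprinc || true   # MISSING
```

On a live realm, pipe the real command into the function: kadmin -q "getprinc host/www.example.com" 2>&1 | check_getprinc.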
Having created a host principal, you will normally want to add it to the default keytab (/etc/krb5.keytab). See Add a host or service principal to a keytab using MIT Kerberos for instructions.
- Create a service principal using MIT Kerberos
- Add a host or service principal to a keytab using MIT Kerberos
- Kerberos V5 System Administrator's Guide, version 1.10, MIT, 2012
- kadmin (Ubuntu manpage)