Maintaining Keytab Files

Maintaining server encryption keys and keytab files is critical to establishing adequate security measures in your cell or domain. Under normal circumstances, keytab files require little maintenance. Because they are analogous to user passwords, they should be changed about as often.

The first step in changing a server encryption key is to add a new key to the keytab file. Two commands are available for adding keys: bos genkey and bos addkey.

· The bos genkey command automatically generates a random key. It also automatically updates the entry in the Registry Database for the principal with which the key is associated. Any subsequent communications that involve the specified principal and that require a key use the newly added key.

· The bos addkey command performs a similar function, but it requires that you enter a string to be converted into a key, and it gives you the option of updating the Registry Database entry for the indicated principal. The bos addkey command is less secure than the bos genkey command because user-specified strings are seldom as random as machine-generated strings.

A keytab file must already exist before either of these commands can be used to add a key to it; keytab files are created with the dcecp keytab create command.

A unique version number is associated with each key for a principal in a keytab file. When adding a key to a keytab file, you must specify its key version number as one of the following:

· An integer in the range 1 to 255. The command uses the specified integer as the version number of the new key. The integer must be unique for the indicated principal in the keytab file on the specified machine. Because reusing a version number currently in use in a keytab file can cause authentication failures between the processes on a server machine and clients communicating with them, an error is returned if you attempt to do so.

· + or 0 (zero). The command chooses an integer to serve as the version number of the new key. The integer it chooses is unique for the indicated principal in the Registry Database. However, it may not be unique for the indicated principal in the keytab file on the specified machine, in which case it replaces the key currently associated with the principal/version number pair in the keytab file.

It is best to keep the key version numbers in sequence by choosing a number that is one greater than the current version number for the principal. Use the bos lskeys command to examine the key version numbers associated with the keys in a keytab file.

The bos lskeys command also displays a checksum with each key version number. A checksum is a decimal number derived by encrypting a constant with a key. The command displays the checksum rather than the actual key because the checksum is adequate for most purposes (for example, checking which key version numbers are presently in use) and its display poses less of a security risk. Note that the actual keys can be viewed by first issuing the bos setauth command to disable DFS authorization checking on the server machine; however, because disabling DFS authorization checking leaves the server in a compromised state of security, doing so is not recommended.

After a new key has been added to a keytab file, the old key can be removed from the file. The bos rmkey command can be used to remove one or more keys from a keytab file. Removing the key currently in use in the Registry Database or any other key still being used for client/server communications can cause authentication failures between server processes and clients. Tickets based on a removed key are invalidated; new tickets based on a new key must be obtained to reestablish communications with the server process.

To prevent authentication failures, wait until all old tickets held by client machines expire before removing the old key. For example, if tickets held by clients expire after 2 hours, wait at least that long from the time the new key is added to remove the old key. If you are unsure of whether a key is still in use, use the bos gckeys command to delete, or "garbage collect," those keys from a keytab file that are no longer in use (obsolete).
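The key version number rules and the wait-then-remove procedure above, modelled as an added Python example (this is not DCE/DFS code and not the bos commands themselves): the Registry Database and the keytab are in-memory stand-ins, the principal name and key bytes are constructed, the `update_registry` flag models bos addkey's option of leaving the Registry entry alone, and the checksum substitutes HMAC-SHA256 for the encryption of a constant that the text describes.

```python
# Added example (not DCE/DFS code): models the key version number rules and the
# "wait one ticket lifetime before removing the old key" rule described above.
import hashlib
import hmac
from dataclasses import dataclass, field

# The text defines a checksum as a decimal number derived by encrypting a constant
# with the key; this model substitutes HMAC-SHA256 (an assumption, not DFS's algorithm).
CHECKSUM_CONSTANT = b"keytab-checksum-constant"


def key_checksum(key: bytes) -> int:
    """Decimal value that identifies a key without disclosing the key itself."""
    digest = hmac.new(key, CHECKSUM_CONSTANT, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


@dataclass
class Registry:  # cell-wide Registry Database view of each principal's versions
    used: dict = field(default_factory=dict)        # principal -> set of kvno ever used
    current_of: dict = field(default_factory=dict)  # principal -> current kvno

    def unique_kvno(self, principal: str) -> int:
        """Lowest version never used for this principal (the '+' or 0 case)."""
        return next(n for n in range(1, 256) if n not in self.used.get(principal, set()))


@dataclass
class KeyEntry:
    kvno: int
    key: bytes
    added_at: float  # seconds since epoch at which the key entered the keytab


@dataclass
class Keytab:  # keys held on one server machine, per principal
    entries: dict = field(default_factory=dict)  # principal -> list of KeyEntry

    def versions(self, principal: str) -> list:
        return sorted(e.kvno for e in self.entries.get(principal, []))

    def next_kvno(self, principal: str) -> int:
        """One greater than the highest version present, as the text recommends."""
        nxt = max(self.versions(principal), default=0) + 1
        if nxt > 255:
            raise ValueError("key version numbers must be in the range 1 to 255")
        return nxt

    def add_key(self, registry: Registry, principal: str, kvno, key: bytes,
                now: float, update_registry: bool = True) -> int:
        """Add a key and return the version number actually used."""
        entries = self.entries.setdefault(principal, [])
        if kvno in ("+", 0):
            chosen = registry.unique_kvno(principal)
            # Unique in the Registry but possibly present in this keytab: replace it.
            entries[:] = [e for e in entries if e.kvno != chosen]
        else:
            chosen = int(kvno)
            if not 1 <= chosen <= 255:
                raise ValueError("key version numbers must be in the range 1 to 255")
            if chosen in self.versions(principal):  # reuse would break authentication
                raise ValueError(f"key version {chosen} already in use for {principal}")
        entries.append(KeyEntry(chosen, key, now))
        if update_registry:  # bos genkey always updates; bos addkey makes it optional
            registry.used.setdefault(principal, set()).add(chosen)
            registry.current_of[principal] = chosen
        return chosen

    def list_keys(self, principal: str) -> list:
        """bos lskeys-style view: (version, checksum) pairs, never the key bytes."""
        return [(e.kvno, key_checksum(e.key)) for e in
                sorted(self.entries.get(principal, []), key=lambda e: e.kvno)]

    def obsolete_keys(self, registry: Registry, principal: str, now: float,
                      ticket_lifetime: float) -> list:
        """Versions safe to remove: not current, and superseded a ticket lifetime ago."""
        entries, obsolete = self.entries.get(principal, []), []
        for e in entries:
            if e.kvno == registry.current_of.get(principal):
                continue  # the key the Registry still issues tickets for
            later = [o.added_at for o in entries if o.added_at > e.added_at]
            if later and min(later) + ticket_lifetime <= now:
                obsolete.append(e.kvno)
        return sorted(obsolete)

    def remove_keys(self, principal: str, kvnos) -> list:
        """bos rmkey-style removal; returns the versions that remain."""
        self.entries[principal] = [e for e in self.entries.get(principal, []) if e.kvno not in set(kvnos)]
        return self.versions(principal)


def rotation_walkthrough(ticket_lifetime: float = 2 * 3600) -> dict:
    """One rotation as described: add the next key, wait out tickets, remove the old key."""
    reg, kt, principal = Registry(), Keytab(), "dfs-server/host1.example"  # constructed name
    kt.add_key(reg, principal, 1, b"constructed-key-1", now=0.0)
    added = 86400.0
    kt.add_key(reg, principal, kt.next_kvno(principal), b"constructed-key-2", now=added)
    too_early = kt.obsolete_keys(reg, principal, added + 3600, ticket_lifetime)
    ready = kt.obsolete_keys(reg, principal, added + ticket_lifetime, ticket_lifetime)
    return {"too_early": too_early, "ready": ready, "remaining": kt.remove_keys(principal, ready)}
```

The walkthrough adds version 2 one day after version 1 and reports version 1 as obsolete only once a full ticket lifetime has passed since version 2 was added, which is the waiting rule the text gives. Adding a key with `update_registry=False` and then adding one with `"+"` shows the caveat for the + or 0 case: the number the Registry considers unique already exists in the keytab, so that entry is replaced rather than rejected.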

Note: The BOS Server uses authenticated RPC for communications with clients. By default, it uses the packet privacy protection level with the bos key commands described in this topic. However, this protection level is not available to everyone who uses DCE. If it is not available to you, the BOS Server uses the next-highest protection level, packet integrity. It displays the following message, reporting that it must use the packet integrity protection level because packet privacy is not available:

Data encryption unsupported by RPC. Continuing without it.

More:

· Listing Keys in Keytab Files

· Adding Keys to Keytab Files

· Removing Specific Keys from Keytab Files

· Removing All Obsolete Keys from Keytab Files