<!DOCTYPE html>

<html lang="en" data-content_root="../">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" /><meta name="viewport" content="width=device-width, initial-scale=1" />

<title>Backups of secure hosts — MIT Kerberos Documentation</title>
<link rel="stylesheet" type="text/css" href="../_static/pygments.css?v=fa44fd50" />
<link rel="stylesheet" type="text/css" href="../_static/agogo.css?v=879f3c71" />
<link rel="stylesheet" type="text/css" href="../_static/kerb.css?v=6a0b3979" />
<script src="../_static/documentation_options.js?v=5a446f36"></script>
<script src="../_static/doctools.js?v=888ff710"></script>
<script src="../_static/sphinx_highlight.js?v=dc90522c"></script>
<link rel="author" title="About these documents" href="../about.html" />
<link rel="index" title="Index" href="../genindex.html" />
<link rel="search" title="Search" href="../search.html" />
<link rel="copyright" title="Copyright" href="../copyright.html" />
<link rel="next" title="PKINIT configuration" href="pkinit.html" />
<link rel="prev" title="Host configuration" href="host_config.html" />
</head><body>
<div class="header-wrapper">
<div class="header">

<h1><a href="../index.html">MIT Kerberos Documentation</a></h1>

<div class="rel">

<a href="../index.html" title="Full Table of Contents"
accesskey="C">Contents</a> |
<a href="host_config.html" title="Host configuration"
accesskey="P">previous</a> |
<a href="pkinit.html" title="PKINIT configuration"
accesskey="N">next</a> |
<a href="../genindex.html" title="General Index"
accesskey="I">index</a> |
<a href="../search.html" title="Enter search criteria"
accesskey="S">Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
</div>
</div>
</div>

<div class="content-wrapper">
<div class="content">
<div class="document">

<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">

<section id="backups-of-secure-hosts">
<h1>Backups of secure hosts<a class="headerlink" href="#backups-of-secure-hosts" title="Link to this heading">¶</a></h1>
<p>When you back up a secure host, you should exclude the host’s keytab
file from the backup. If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
keytab was compromised. In many configurations, knowledge of the
host’s keytab also allows root access to the host. This could be
particularly dangerous if the compromised keytab was from one of your
KDCs. If the machine has a disk crash and the keytab file is lost, it
is easy to generate another keytab file. (See <a class="reference internal" href="appl_servers.html#add-princ-kt"><span class="std std-ref">Adding principals to keytabs</span></a>.)
If you are unable to exclude particular files from backups, you should
ensure that the backups are kept as secure as the host’s root
password.</p>
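<p>As an added example (not part of the MIT Kerberos documentation), the shell script below archives a host's configuration tree for backup while excluding its keytab, then lists the archive and discards it if a keytab slipped in anyway. It assumes a <code>tar</code> that accepts <code>--exclude</code> (GNU or BSD) and keytabs named <code>*.keytab</code>, as with the usual <code>/etc/krb5.keytab</code>; the sample tree it builds is constructed for the demo.</p>

```shell
#!/bin/sh
# Added example, not part of the MIT Kerberos documentation: archive a host's
# configuration tree for backup while excluding its keytab, and refuse to keep
# the archive if a keytab is found in it anyway.
# Assumptions: tar with --exclude (GNU or BSD), keytabs named *.keytab
# (the usual /etc/krb5.keytab; adjust the pattern for other locations).

# archive_contains ARCHIVE PATTERN -> 0 if any member path matches PATTERN
archive_contains() {
    tar -tf "$1" | grep -q -- "$2"
}

# backup_excluding_keytab SRC_DIR ARCHIVE
# Writes ARCHIVE (owner-readable only, via umask) from SRC_DIR, skipping
# *.keytab. The listing check afterwards guards against a tar whose exclude
# semantics differ from what this script expects: better no backup than a
# backup that carries the host's long-term keys.
backup_excluding_keytab() {
    src="$1"; archive="$2"
    umask 077
    tar -C "$src" --exclude='*.keytab' -cf "$archive" . || return 1
    if archive_contains "$archive" '\.keytab$'; then
        echo "keytab found in $archive; discarding it" >&2
        rm -f "$archive"
        return 1
    fi
}

# make_sample_tree -> prints the path of a constructed throwaway host tree
# (stand-in data for the demo; not a real keytab or config)
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'constructed stand-in for a keytab\n' > "$d/etc/krb5.keytab"
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$d/etc/krb5.conf"
    echo "$d"
}

# Demo: build the sample tree, back it up, and confirm what ended up inside.
demo_backup() {
    tree=$(make_sample_tree)
    out="$tree.tar"
    backup_excluding_keytab "$tree" "$out" || return 1
    echo "archive members:"; tar -tf "$out"
}
```

<p>Run <code>demo_backup</code> to see the member list: <code>./etc/krb5.conf</code> is present and <code>./etc/krb5.keytab</code> is not. The post-archive listing check is the part worth keeping in a real backup job, since a silently different <code>--exclude</code> behaviour is otherwise discovered only when the backup is restored, or leaked.</p>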
<section id="backing-up-the-kerberos-database">
<h2>Backing up the Kerberos database<a class="headerlink" href="#backing-up-the-kerberos-database" title="Link to this heading">¶</a></h2>
<p>As with any file, it is possible that your Kerberos database could
become corrupted. If this happens on one of the replica KDCs, you
might never notice, since the next automatic propagation of the
database would install a fresh copy. However, if it happens to the
primary KDC, the corrupted database would be propagated to all of the
replicas during the next propagation. For this reason, MIT recommends
that you back up your Kerberos database regularly. Because the primary
KDC is continuously dumping the database to a file in order to
propagate it to the replica KDCs, it is a simple matter to have a cron
job periodically copy the dump file to a secure machine elsewhere on
your network. (Of course, it is important to make the host where
these backups are stored as secure as your KDCs, and to encrypt its
transmission across your network.) Then if your database becomes
corrupted, you can load the most recent dump onto the primary KDC.
(See <a class="reference internal" href="database.html#restore-from-dump"><span class="std std-ref">Dumping and loading a Kerberos database</span></a>.)</p>
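<p>As an added example (not part of the MIT Kerberos documentation), the script below is the kind of cron job the paragraph describes: it takes the dump file the primary KDC already writes for propagation, snapshots it into an owner-only directory with a SHA-256 sidecar, refuses an empty dump, and ships the result over ssh. The dump path, backup host and remote directory are placeholders you set for your site; <code>sha256sum</code> or <code>shasum</code> must be on <code>PATH</code>; the demo uses a constructed stand-in for the dump file.</p>

```shell
#!/bin/sh
# Added example, not part of the MIT Kerberos documentation: snapshot the
# primary KDC's propagation dump file into a restricted directory with a
# checksum sidecar, ready to be shipped to a secure backup host over ssh.
# Assumptions: POSIX shell, sha256sum or shasum on PATH, ssh keys already
# set up for the backup host. DUMP_FILE, BACKUP_HOST and BACKUP_DIR below
# are placeholders; point them at your own dump file and backup host.

# sha256_of FILE -> prints the hex digest (coreutils or BSD tools)
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_dump DUMP DEST_DIR
# Copies DUMP into DEST_DIR as a timestamped, owner-only (0600) file and
# writes DEST_DIR/<name>.sha256 beside it. Prints the snapshot path.
# Refuses an empty dump: a truncated dump from an interrupted dump run is
# exactly the kind of bad state you do not want as your only backup.
snapshot_dump() {
    dump="$1"; dest="$2"
    [ -s "$dump" ] || { echo "dump $dump missing or empty" >&2; return 1; }
    umask 077
    mkdir -p "$dest"
    snap="$dest/kdb-$(date -u +%Y%m%dT%H%M%SZ).dump"
    cp "$dump" "$snap" && chmod 0600 "$snap" || return 1
    sha256_of "$snap" > "$snap.sha256"
    echo "$snap"
}

# verify_snapshot SNAP -> 0 if the sidecar digest still matches the file
# (run this on the backup host after transfer, and again before a restore)
verify_snapshot() {
    [ "$(sha256_of "$1")" = "$(cat "$1.sha256")" ]
}

# ship_snapshot SNAP -> copies the file and its sidecar over ssh.
# Placeholder host and directory; not exercised by the demo below.
ship_snapshot() {
    scp -p "$1" "$1.sha256" \
        "${BACKUP_HOST:-backup.example.com}:${BACKUP_DIR:-/var/backups/kdc}/"
}

# Demo with a constructed stand-in for the KDC dump file.
demo_snapshot() {
    work=$(mktemp -d)
    printf 'constructed stand-in for a KDC dump\n' > "$work/stand-in.dump"
    snap=$(snapshot_dump "$work/stand-in.dump" "$work/snapshots") || return 1
    verify_snapshot "$snap" && echo "snapshot ok: $snap"
}

# Cron entry point (placeholder path): snapshot, verify, ship.
# main() { s=$(snapshot_dump "${DUMP_FILE:-/path/to/kdc/dump}" /var/backups/kdc) \
#          && verify_snapshot "$s" && ship_snapshot "$s"; }
```

<p>The sidecar digest is what makes the copy useful as a backup rather than just another file: a dump that was corrupted before or during transfer is caught by <code>verify_snapshot</code> before anyone loads it onto the primary KDC. Keep the snapshot directory and the backup host at least as tightly controlled as the KDC itself, as the paragraph above says.</p>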
</section>
</section>

<div class="clearer"></div>
</div>
</div>
</div>
</div>
<div class="sidebar">

<h2>On this page</h2>
<ul>
<li><a class="reference internal" href="#">Backups of secure hosts</a><ul>
<li><a class="reference internal" href="#backing-up-the-kerberos-database">Backing up the Kerberos database</a></li>
</ul>
</li>
</ul>

<br/>
<h2>Table of contents</h2>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
<li class="toctree-l1 current"><a class="reference internal" href="index.html">For administrators</a><ul class="current">
<li class="toctree-l2"><a class="reference internal" href="install.html">Installation guide</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_files/index.html">Configuration Files</a></li>
<li class="toctree-l2"><a class="reference internal" href="realm_config.html">Realm configuration decisions</a></li>
<li class="toctree-l2"><a class="reference internal" href="database.html">Database administration</a></li>
<li class="toctree-l2"><a class="reference internal" href="dbtypes.html">Database types</a></li>
<li class="toctree-l2"><a class="reference internal" href="lockout.html">Account lockout</a></li>
<li class="toctree-l2"><a class="reference internal" href="conf_ldap.html">Configuring Kerberos with OpenLDAP back-end</a></li>
<li class="toctree-l2"><a class="reference internal" href="appl_servers.html">Application servers</a></li>
<li class="toctree-l2"><a class="reference internal" href="host_config.html">Host configuration</a></li>
<li class="toctree-l2 current"><a class="current reference internal" href="#">Backups of secure hosts</a></li>
<li class="toctree-l2"><a class="reference internal" href="pkinit.html">PKINIT configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="otp.html">OTP Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="spake.html">SPAKE Preauthentication</a></li>
<li class="toctree-l2"><a class="reference internal" href="dictionary.html">Addressing dictionary attack risks</a></li>
<li class="toctree-l2"><a class="reference internal" href="princ_dns.html">Principal names and DNS</a></li>
<li class="toctree-l2"><a class="reference internal" href="enctypes.html">Encryption types</a></li>
<li class="toctree-l2"><a class="reference internal" href="https.html">HTTPS proxy configuration</a></li>
<li class="toctree-l2"><a class="reference internal" href="auth_indicator.html">Authentication indicators</a></li>
<li class="toctree-l2"><a class="reference internal" href="admin_commands/index.html">Administration programs</a></li>
<li class="toctree-l2"><a class="reference internal" href="../mitK5defaults.html">MIT Kerberos defaults</a></li>
<li class="toctree-l2"><a class="reference internal" href="env_variables.html">Environment variables</a></li>
<li class="toctree-l2"><a class="reference internal" href="troubleshoot.html">Troubleshooting</a></li>
<li class="toctree-l2"><a class="reference internal" href="advanced/index.html">Advanced topics</a></li>
<li class="toctree-l2"><a class="reference internal" href="various_envs.html">Various links</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../plugindev/index.html">For plugin module developers</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
</ul>

<br/>
<h4><a href="../index.html">Full Table of Contents</a></h4>
<h4>Search</h4>
<form class="search" action="../search.html" method="get">
<input type="text" name="q" size="18" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>

</div>
<div class="clearer"></div>
</div>
</div>

<div class="footer-wrapper">
<div class="footer" >
<div class="right" ><i>Release: 1.22.2</i><br />
© <a href="../copyright.html">Copyright</a> 1985-2026, MIT.
</div>
<div class="left">

<a href="../index.html" title="Full Table of Contents"
>Contents</a> |
<a href="host_config.html" title="Host configuration"
>previous</a> |
<a href="pkinit.html" title="PKINIT configuration"
>next</a> |
<a href="../genindex.html" title="General Index"
>index</a> |
<a href="../search.html" title="Enter search criteria"
>Search</a> |
<a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Backups of secure hosts">feedback</a>
</div>
</div>
</div>

</body>
</html>