Search the FAQ Archives

3 - A - B - C - D - E - F - G - H - I - J - K - L - M
N - O - P - Q - R - S - T - U - V - W - X - Y - Z
faqs.org - Internet FAQ Archives

Kerberos FAQ, v2.0 (last modified 8/18/2000)
Section - 2.2. What sort of resources do I need to dedicate to a KDC?

( Single Page )
[ Usenet FAQs | Web FAQs | Documents | RFC Index | Houses ]


Top Document: Kerberos FAQ, v2.0 (last modified 8/18/2000)
Previous Document: 2.1. Okay, I'm the administrator of a site, and I'd like to run Kerberos. What do I need to do?
Next Document: 2.3. What programs/files need to go on each application server?
See reader questions & answers on this topic! - Help others by sharing your knowledge
You will need a dedicated machine to run the KDC on. The database stored on
this machine is quite sensitive, if it's compromised your entire realm will
be compromised. Therefore, this machine needs to be as secure as possible.
Preferably it should not run any services other than the KDC. The
secure-minded administrator might only allow logins on the console.

This machine also has to be reliable. If it is down, you will not be able to
use any Kerberized services unless you have also configured a slave server.

Running the Kerberos server requires very little CPU power and a small
amount of disk. An old PC with some hundreds of megabytes of free disk space
should do fine. Most of the disk space will be used for various logs.

Because the KDC has all of the keys for all of the principals in your realm,
loss of the Kerberos database would require your entire realm to be rekeyed.
Thus, backing up your Kerberos database is critical. However, precisely
because the database contains all of your keys, you should treat backups of
the KDC with the same security that you treat the KDC itself (in other
words, don't leave the dump tapes lying around on your desk).

User Contributions:

Comment about this article, ask questions, or add new information about this topic: