1. 2017-06-14 - Kerberos Utilities; Tags: Kerberos Utilities

    Kerberos Utilities

    I am working with Kerberos these days, so here are some recipes for dealing with it. There are several open source implementations out there; the two used below are Heimdal and MIT Kerberos.


    Heimdal

    Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written in Sweden (which was important when we started writing it, less so now). It is freely available under a three clause BSD style license.

    List contents of keytab file

    tan@omega:~/sources/fo-app-proxy/conf$ ktutil -v -k application.keytab list
    Vno  Type                     Principal                      Date        Aliases
      0  des-cbc-crc              HTTP/applications@AFFE.COM  1970-01-01
      0  des-cbc-md5              HTTP/applications@AFFE.COM  1970-01-01
      0  arcfour-hmac-md5         HTTP/applications@AFFE.COM  1970-01-01
      0  aes256-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01
      0  aes128-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01

    Kerberos Linux Client

    The other implementation is MIT Kerberos, which Debian and Ubuntu package as krb5-user. Its command line tools differ slightly from Heimdal's.

    Installation on Ubuntu/Debian

    sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config

    Run the configuration

    sudo dpkg-reconfigure krb5-config

    When asked, enter the default Kerberos realm, e.g. AFFE.COM (realm names are conventionally written in upper case).

    Request ticket

    You can test the configuration by requesting a ticket with the kinit utility.

    tan@omega:~/sources/fo-app-proxy$ kinit tan@AFFE.COM
    Password for tan@AFFE.COM:

    List tickets

    Once the ticket has been issued, you can check the active tickets with klist.

    tan@omega:~/sources/fo-app-proxy$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: tan@AFFE.COM
    Valid starting       Expires              Service principal
    06/13/2017 11:32:50  06/13/2017 21:32:50  krbtgt/AFFE.COM@AFFE.COM
            renew until 06/13/2017 21:32:50

    Keytab file

    As with Heimdal, you can inspect the keytab; with MIT Kerberos this is done by klist -k (-e shows the encryption type of each entry, -t the timestamps, -K the key bytes). Note that -K prints the raw key material, so treat that output as you would a password.

    tan@omega:~/sources/fo-app-proxy/conf$ klist -e -k -t -K application.keytab
    Keytab name: FILE:application.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-crc)  (0xbaae641a1598683d)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-md5)  (0xbaae641a1598683d)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (arcfour-hmac)  (0x8beeb4b1a7f808a0c7c089cf7d8934e1)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes256-cts-hmac-sha1-96)  (0x95f13d9bf55911a6069420d5a5ce2fd207d238d36541115e3aa97dc45061efba)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes128-cts-hmac-sha1-96)  (0x8606b650732af3cd02f35f530125ac3b)
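    Both the Heimdal ktutil listing and the MIT klist listing above read the same on-disk format. Here is an added example of my own (not code from the Heimdal or MIT projects) that parses and builds a version 0x0502 keytab in Python. It prints an inventory like ktutil or klist does, but never echoes the key bytes, and it flags single-DES and RC4 entries; the sample keytab is constructed inline with the page's principal and made-up keys.

```python
import struct
from datetime import datetime, timezone

# Enctype numbers (RFC 3961/3962/4757) with the names klist prints for them.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4: worth flagging in a keytab audit
KRB5_NT_PRINCIPAL = 1        # name type krb5 records for ordinary principals


def _counted(data):
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(data, p):
    (n,) = struct.unpack_from(">H", data, p)
    return data[p + 2:p + 2 + n], p + 2 + n


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key, timestamp) tuples as a 0x0502 keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key, timestamp in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)               # 32-bit kvno, present in modern keytabs
        out += struct.pack(">i", len(body)) + body    # signed entry length prefix
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry; a negative length prefix marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                      # deleted entry: skip its payload
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        p += 2
        realm, p = _read_counted(data, p)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(data, p)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, p)
        p += 9
        enctype, klen = struct.unpack_from(">HH", data, p)
        p += 4
        key = bytes(data[p:p + klen])
        p += klen
        # The 8-bit vno wraps at 256; prefer the optional 32-bit field when present.
        kvno = struct.unpack_from(">I", data, p)[0] if end - p >= 4 else vno8
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "timestamp": timestamp,
            "key": key,
            "weak": enctype in WEAK_ENCTYPES,
        })
        pos = end
    return entries


def describe(entry):
    """One listing line per entry: key length only, never the key bytes themselves."""
    when = datetime.fromtimestamp(entry["timestamp"], timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    flag = "  WEAK ENCTYPE" if entry["weak"] else ""
    return "%4d %s %s (%s, %d key bytes)%s" % (
        entry["kvno"], when, entry["principal"], entry["enctype_name"], len(entry["key"]), flag)


if __name__ == "__main__":
    # Constructed sample: the page's principal with made-up keys, timestamp 0 as on the page.
    sample = build_keytab([
        ("HTTP/applications@AFFE.COM", 0, 18, bytes(range(32)), 0),
        ("HTTP/applications@AFFE.COM", 0, 23, bytes(range(16)), 0),
    ])
    for entry in parse_keytab(sample):
        print(describe(entry))
```

    To inventory a real file, pass its bytes to parse_keytab (e.g. the contents of application.keytab) and print describe() for each entry; the WEAK ENCTYPE marker tells you which entries still rely on DES or RC4.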


    Testing with curl

    To test Kerberos authentication you need curl with SPNEGO support.

    Check whether your curl build supports GSS-API, Kerberos and SPNEGO; they should appear in the Features line of curl -V.

    tan@omega:~/sources/fo-app-proxy$ curl -V
    curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

    Kerberos and NTLM are two different authentication mechanisms. A Windows desktop may send NTLM instead of Kerberos inside the Negotiate header. Decode the base64 token and check whether it is NTLM: an NTLM message starts with the signature NTLMSSP.

    tan@mtzhrfohap03:~> echo -n "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | base64 -d
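    Here is an added check of my own (not curl's code) that does the same decoding in Python: it decodes a Negotiate token, tells a raw NTLMSSP message apart from a GSS-API/SPNEGO blob, and for an NTLM NEGOTIATE message decodes the flags and the client version field. It is run against the token shown above; the flag names are the subset of MS-NLMP NegotiateFlags I list inline.

```python
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

# Subset of NegotiateFlags from MS-NLMP 2.2.2.5 (bit value -> name).
NEGOTIATE_FLAGS = {
    0x00000001: "UNICODE",
    0x00000002: "OEM",
    0x00000004: "REQUEST_TARGET",
    0x00000010: "SIGN",
    0x00000020: "SEAL",
    0x00000080: "LM_KEY",
    0x00000200: "NTLM",
    0x00008000: "ALWAYS_SIGN",
    0x00080000: "EXTENDED_SESSIONSECURITY",
    0x02000000: "VERSION",
    0x20000000: "128",
    0x40000000: "KEY_EXCH",
    0x80000000: "56",
}
NEGOTIATE_VERSION = 0x02000000

# The token from the page (the value after "Authorization: Negotiate ").
PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="


def classify_token(b64):
    """Return (kind, raw_bytes): 'ntlm', 'ntlm-in-spnego', 'gssapi' or 'unknown'."""
    raw = base64.b64decode(b64)
    if raw.startswith(NTLM_SIGNATURE):
        return "ntlm", raw
    if raw[:1] == b"\x60":      # ASN.1 APPLICATION 0: GSS-API InitialContextToken (SPNEGO/Kerberos)
        return ("ntlm-in-spnego" if NTLM_SIGNATURE in raw else "gssapi"), raw
    return "unknown", raw


def parse_ntlm(raw):
    """Decode the fixed header of an NTLMSSP message; NEGOTIATE also yields flags and version."""
    if not raw.startswith(NTLM_SIGNATURE) or len(raw) < 12:
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", raw, 8)   # NTLM fields are little-endian
    info = {"type": msg_type, "type_name": MESSAGE_TYPES.get(msg_type, "unknown")}
    if msg_type == 1 and len(raw) >= 16:
        (flags,) = struct.unpack_from("<I", raw, 12)
        info["flags"] = flags
        info["flag_names"] = [name for bit, name in sorted(NEGOTIATE_FLAGS.items()) if flags & bit]
        # Version block sits after the domain and workstation fields at offset 32.
        if flags & NEGOTIATE_VERSION and len(raw) >= 40:
            major, minor, build = struct.unpack_from("<BBH", raw, 32)
            info["version"] = (major, minor, build)
    return info


if __name__ == "__main__":
    kind, raw = classify_token(PAGE_TOKEN)
    print("token kind:", kind)
    if kind == "ntlm":
        info = parse_ntlm(raw)
        print("message:", info["type_name"])
        print("flags: 0x%08x %s" % (info["flags"], " ".join(info["flag_names"])))
        print("client version:", info.get("version"))
```

    A token that classifies as ntlm or ntlm-in-spnego means the client fell back to NTLM, so the Kerberos side (SPN registration, keytab, ticket for the right realm) is what needs fixing; a gssapi token is what a working Kerberos/SPNEGO exchange looks like. The version field of a NEGOTIATE message tells you which Windows build sent it, which helps when tracking down the clients that keep falling back.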