1. 2017-06-14 - Kerberos Utilities; Tags: Kerberos Utilities

    Kerberos Utilities

    Some recipes for working with Kerberos from the command line. There are several open source implementations; the two you will meet on Linux are Heimdal and MIT Kerberos, and their tools take slightly different options.

    Heimdal

    Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written in Sweden (which was important when we started writing it, less so now). It is freely available under a three clause BSD style license.

    List contents of keytab file

    tan@omega:~/sources/fo-app-proxy/conf$ ktutil -v -k application.keytab list
    application.keytab:
    
    Vno  Type                     Principal                      Date        Aliases
      0  des-cbc-crc              HTTP/applications@AFFE.COM  1970-01-01
      0  des-cbc-md5              HTTP/applications@AFFE.COM  1970-01-01
      0  arcfour-hmac-md5         HTTP/applications@AFFE.COM  1970-01-01
      0  aes256-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01
      0  aes128-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01
    

    MIT Kerberos Linux Client

    The other widely used implementation is MIT Kerberos, which is what Debian and Ubuntu package by default (the client tools live in krb5-user).

    Installation on Ubuntu/Debian

    sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
    

    Run the configuration

    sudo dpkg-reconfigure krb5-config
    

    When prompted, enter the default realm, e.g. AFFE.COM, and the hostnames of its KDC and admin server; the answers are written to /etc/krb5.conf.

    Request ticket

    You can test the configuration by requesting a ticket with the kinit utility.

    tan@omega:~/sources/fo-app-proxy$ kinit tan@AFFE.COM
    Password for tan@AFFE.COM:
    

    List tickets

    Once the ticket-granting ticket has been issued, you can inspect the credential cache with klist. In the output below "renew until" equals "Expires", so this TGT is not renewable; a renewable ticket needs kinit -r and a KDC policy that allows it.

    tan@omega:~/sources/fo-app-proxy$ klist
    Ticket cache: FILE:/tmp/krb5cc_1000
    Default principal: tan@AFFE.COM
    
    Valid starting       Expires              Service principal
    06/13/2017 11:32:50  06/13/2017 21:32:50  krbtgt/AFFE.COM@AFFE.COM
            renew until 06/13/2017 21:32:50
    

    Keytab file

    As with Heimdal, klist can also list a keytab: -k selects keytab mode, -t adds timestamps, -e shows the encryption type and -K prints the key bytes themselves, so treat this output as secret and keep it out of tickets and logs. Note that the two DES entries carry the same key (both DES enctypes use the same string-to-key function), and that single DES and arcfour-hmac (RC4) are weak: modern Heimdal and MIT releases refuse them unless allow_weak_crypto is set, and MIT krb5 has since dropped single DES entirely. A keytab like this one should be regenerated with only AES keys.

    tan@omega:~/sources/fo-app-proxy/conf$ klist -e -k -t -K application.keytab
    Keytab name: FILE:application.keytab
    KVNO Timestamp           Principal
    ---- ------------------- ------------------------------------------------------
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-crc)  (0xbaae641a1598683d)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-md5)  (0xbaae641a1598683d)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (arcfour-hmac)  (0x8beeb4b1a7f808a0c7c089cf7d8934e1)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes256-cts-hmac-sha1-96)  (0x95f13d9bf55911a6069420d5a5ce2fd207d238d36541115e3aa97dc45061efba)
       0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes128-cts-hmac-sha1-96)  (0x8606b650732af3cd02f35f530125ac3b)
    
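    Both listings above read the same file, so it helps to know what is actually in it. The following is an added example, not code from the page or from either Kerberos project: it builds a version 2 keytab (the 0x05 0x02 format that Heimdal and MIT share) with the same principal, vno and enctypes as the listing but with placeholder keys, parses it back the way ktutil and klist do, and flags the DES and RC4 entries as weak. Given a path it parses that file instead.

```python
"""Parse a version 2 keytab and flag weak encryption types (added example)."""
import struct

ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "arcfour-hmac-md5",
}
WEAK_ENCTYPES = {1, 3, 23}   # single DES and RC4-HMAC
KRB5_NT_SRV_HST = 3          # name type used for service/host principals


def build_keytab(entries):
    """Serialise (principal, timestamp, vno, enctype, key) tuples as keytab bytes.

    Per entry: int32 size, uint16 ncomp, realm, ncomp name components (each
    uint16 length + bytes), uint32 name type, uint32 timestamp, uint8 vno,
    uint16 enctype, uint16 key length, key, uint32 vno (v2 extension).
    All integers are big-endian.
    """
    out = bytearray(b"\x05\x02")
    for principal, timestamp, vno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm, *comps]:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", KRB5_NT_SRV_HST, timestamp, vno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", vno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return one dict per live entry, in file order."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):  # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        realm, comps = strings[0], strings[1:]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:          # 32-bit vno overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "vno": vno,
            "timestamp": timestamp,
            "enctype": enctype,
            "enctype_name": ENCTYPES.get(enctype, f"etype {enctype}"),
            "key_len": len(key),
            "weak": enctype in WEAK_ENCTYPES,
        })
    return entries


def weak_entries(entries):
    return [e for e in entries if e["weak"]]


# Constructed sample: the page's principal and enctypes, but dummy key bytes.
SAMPLE_ENTRIES = [
    ("HTTP/applications@AFFE.COM", 0, 0, 1, bytes(8)),
    ("HTTP/applications@AFFE.COM", 0, 0, 3, bytes(8)),
    ("HTTP/applications@AFFE.COM", 0, 0, 23, bytes(16)),
    ("HTTP/applications@AFFE.COM", 0, 0, 18, bytes(32)),
    ("HTTP/applications@AFFE.COM", 0, 0, 17, bytes(16)),
]

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_keytab(SAMPLE_ENTRIES)
    for e in parse_keytab(data):
        print(f'{e["vno"]:3d}  {e["enctype_name"]:28s} {e["principal"]:30s} '
              f'{"WEAK" if e["weak"] else "ok"}')
```

    Run it as python3 keytab_audit.py application.keytab to audit a real file; any entry reported WEAK is one a current KDC will not use and one an attacker can brute-force offline if the keytab leaks.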

    curl

    To test Kerberos authentication against the proxy you need a curl built with GSS-API/SPNEGO support. Run it as curl --negotiate -u : URL so that it picks the ticket up from the credential cache; the empty -u is required, otherwise curl never activates the Negotiate code.

    Check first that your curl build supports it: both GSS-API and SPNEGO must appear in the Features line.

    tan@omega:~/sources/fo-app-proxy$ curl -V
    curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
    Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
    

    Kerberos and NTLM are two different protocols, and a Windows desktop silently falls back to NTLM when it cannot obtain a Kerberos service ticket (for example when the server has no SPN registered or is addressed by IP). To see which one a client sent, base64-decode the token from its Authorization: Negotiate header: an NTLM token begins with the signature NTLMSSP followed by a NUL and binary fields (which the terminal renders as block characters), whereas a SPNEGO/Kerberos token is DER-encoded and begins with the 0x60 tag, which shows up as YII in base64.

    tan@mtzhrfohap03:~> echo -n "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | base64 -d
    NTLMSSP▒▒▒
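    Eyeballing the decoded bytes only gets you the first eight characters. The following added example (not code from the page) does the full check in Python: it classifies a token as NTLM or GSS-API by its leading bytes, decodes the NTLM message type, negotiate flags and version field for a Type 1 message, and maps the mechanism OID of a GSS-API token. PAGE_TOKEN is the base64 string from the page; the two GSS-API tokens are constructed minimal headers, not real captures, and the flag names are the subset of MS-NLMP NegotiateFlags used here.

```python
"""Classify an HTTP Negotiate token as NTLM or GSS-API (added example)."""
import base64
import struct

NTLM_SIGNATURE = b"NTLMSSP\x00"
NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000

# Subset of NegotiateFlags from MS-NLMP section 2.2.2.5.
NTLM_FLAGS = {
    0x00000001: "NEGOTIATE_UNICODE",
    0x00000010: "NEGOTIATE_SIGN",
    0x00000020: "NEGOTIATE_SEAL",
    0x00000200: "NEGOTIATE_NTLM",
    0x00008000: "NEGOTIATE_ALWAYS_SIGN",
    0x00080000: "NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x02000000: "NEGOTIATE_VERSION",
    0x20000000: "NEGOTIATE_128",
    0x40000000: "NEGOTIATE_KEY_EXCH",
    0x80000000: "NEGOTIATE_56",
}

# DER-encoded mechanism OIDs that follow the 0x60 InitialContextToken tag.
GSS_MECHS = {
    bytes.fromhex("2b0601050502"): "SPNEGO 1.3.6.1.5.5.2",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 1.2.840.113554.1.2.2",
    bytes.fromhex("2a864882f712010202"): "MS Kerberos 1.2.840.48018.1.2.2",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_token(token_b64):
    raw = base64.b64decode(token_b64)
    if raw.startswith(NTLM_SIGNATURE) and len(raw) >= 12:
        msg_type = struct.unpack_from("<I", raw, 8)[0]       # little-endian
        info = {"kind": "NTLM", "message_type": msg_type,
                "message_name": NTLM_MESSAGE_TYPES.get(msg_type, "UNKNOWN")}
        if msg_type == 1 and len(raw) >= 32:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            info["flag_names"] = [n for bit, n in NTLM_FLAGS.items() if flags & bit]
            # The 8-byte Version field at offset 32 is only present with NEGOTIATE_VERSION.
            if flags & NTLMSSP_NEGOTIATE_VERSION and len(raw) >= 40:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["version"] = f"{major}.{minor}.{build}"
        return info
    if raw and raw[0] == 0x60:                               # [APPLICATION 0]
        _, pos = _der_length(raw, 1)
        if pos < len(raw) and raw[pos] == 0x06:              # OBJECT IDENTIFIER
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            return {"kind": "GSS-API",
                    "mechanism": GSS_MECHS.get(oid, "unknown OID " + oid.hex())}
    return {"kind": "unknown", "length": len(raw)}


PAGE_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="
# Constructed: tag + length, mechanism OID, then a truncated NegTokenInit / TOK_ID.
SPNEGO_TOKEN = base64.b64encode(bytes.fromhex("600a06062b0601050502a000")).decode()
KRB5_TOKEN = base64.b64encode(bytes.fromhex("600d06092a864886f7120102020100")).decode()

if __name__ == "__main__":
    import sys
    for tok in sys.argv[1:] or [PAGE_TOKEN, SPNEGO_TOKEN, KRB5_TOKEN]:
        print(tok[:12] + "...", classify_token(tok))
```

    On the page's token this reports an NTLM Type 1 NEGOTIATE message with flags 0xe2088297 and version 6.1.7601, i.e. a Windows 7 / Server 2008 R2 client that never tried Kerberos for this request. If you see that where you expect SPNEGO, check the SPN registration and that the client addresses the service by its DNS name.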