Loading...

2023 cinhtau.de, All Rights Reserved.

By tan / 14 June 2017 / security / est. 3 min read

Kerberos Utilities

:heavy_exclamation_mark: This post is older than a year. Consider some information might not be accurate anymore. :heavy_exclamation_mark:

Working with Kerberos these days. Some recipes for dealing with Kerberos. There are several open source implementations out there.

Heimdal

Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written in Sweden (which was important when we started writing it, less so now). It is freely available under a three clause BSD style license.

List contents of keytab file

tan@omega:~/sources/fo-app-proxy/conf$ ktutil -v -k application.keytab list
application.keytab:

Vno  Type                     Principal                      Date        Aliases
  0  des-cbc-crc              HTTP/applications@AFFE.COM  1970-01-01
  0  des-cbc-md5              HTTP/applications@AFFE.COM  1970-01-01
  0  arcfour-hmac-md5         HTTP/applications@AFFE.COM  1970-01-01
  0  aes256-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01
  0  aes128-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01

Kerberos Linux Client

The other implementation of Kerberos.

Installation on Ubuntu/Debian

sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Run the configuration

sudo dpkg-reconfigure krb5-config

Add the authorization instance, e.g. AFFE.COM

Request ticket

You can test the configuration by requesting a ticket using the kinit utility

tan@omega:~/sources/fo-app-proxy$ kinit tan@AFFE.COM
Password for tan@AFFE.COM:

List tickets

After a successful ticket lease you can check active tickets with klist.

tan@omega:~/sources/fo-app-proxy$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tan@AFFE.COM

Valid starting       Expires              Service principal
06/13/2017 11:32:50  06/13/2017 21:32:50  krbtgt/AFFE.COM@AFFE.COM
        renew until 06/13/2017 21:32:50

Keytab file

Like Heimdal you can also check the keyfile.

tan@omega:~/sources/fo-app-proxy/conf$ klist -e -k -t -K application.keytab
Keytab name: FILE:application.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-crc)  (0xbaae641a1598683d)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-md5)  (0xbaae641a1598683d)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (arcfour-hmac)  (0x8beeb4b1a7f808a0c7c089cf7d8934e1)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes256-cts-hmac-sha1-96)  (0x95f13d9bf55911a6069420d5a5ce2fd207d238d36541115e3aa97dc45061efba)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes128-cts-hmac-sha1-96)  (0x8606b650732af3cd02f35f530125ac3b)

curl

To test Kerberos authentication you need curl with SPNEGO support.

Check if your curl installation supports Kerberos and SPNEGO. It should be listed in the features.

tan@omega:~/sources/fo-app-proxy$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

Kerberos and NTLM are two different concepts. Using Windows Desktop comes with NTLM. Decrypt the base64 token and check if it is NTLM.

tan@mtzhrfohap03:~> echo -n "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | base64 -d
NTLMSSP▒▒▒
kerberos

Author

author-portrait
Tan-Vinh Nguyen

The happiest people don't have the best of everything, they just make the best of everything they have.
Birth, Development, in Progress ...

Please remember the terms for blog comments.