Kerberos Utilities

:heavy_exclamation_mark: This post is older than a year. Consider some information might not be accurate anymore. :heavy_exclamation_mark:

Working with Kerberos these days. Some recipes for dealing with Kerberos. There are several open source implementations out there.


Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written in Sweden (which was important when we started writing it, less so now). It is freely available under a three clause BSD style license.

List contents of keytab file

tan@omega:~/sources/fo-app-proxy/conf$ ktutil -v -k application.keytab list

Vno  Type                     Principal                      Date        Aliases
  0  des-cbc-crc              HTTP/applications@AFFE.COM  1970-01-01
  0  des-cbc-md5              HTTP/applications@AFFE.COM  1970-01-01
  0  arcfour-hmac-md5         HTTP/applications@AFFE.COM  1970-01-01
  0  aes256-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01
  0  aes128-cts-hmac-sha1-96  HTTP/applications@AFFE.COM  1970-01-01

Kerberos Linux Client

The other implementation of Kerberos.

Installation on Ubuntu/Debian

sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config

Run the configuration

sudo dpkg-reconfigure krb5-config

Add the authorization instance, e.g. AFFE.COM

Request ticket

You can test the configuration by requesting a ticket using the kinit utility

tan@omega:~/sources/fo-app-proxy$ kinit tan@AFFE.COM
Password for tan@AFFE.COM:

List tickets

After a successful ticket lease you can check active tickets with klist.

tan@omega:~/sources/fo-app-proxy$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tan@AFFE.COM

Valid starting       Expires              Service principal
06/13/2017 11:32:50  06/13/2017 21:32:50  krbtgt/AFFE.COM@AFFE.COM
        renew until 06/13/2017 21:32:50

Keytab file

Like Heimdal you can also check the keyfile.

tan@omega:~/sources/fo-app-proxy/conf$ klist -e -k -t -K application.keytab
Keytab name: FILE:application.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-crc)  (0xbaae641a1598683d)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-md5)  (0xbaae641a1598683d)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (arcfour-hmac)  (0x8beeb4b1a7f808a0c7c089cf7d8934e1)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes256-cts-hmac-sha1-96)  (0x95f13d9bf55911a6069420d5a5ce2fd207d238d36541115e3aa97dc45061efba)
   0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes128-cts-hmac-sha1-96)  (0x8606b650732af3cd02f35f530125ac3b)


To test Kerberos authentication you need curl with SPNEGO support.

Check if your curl installation supports Kerberos and SPNEGO. It should be listed in the features.

tan@omega:~/sources/fo-app-proxy$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets

Kerberos and NTLM are two different concepts. Using Windows Desktop comes with NTLM. Decrypt the base64 token and check if it is NTLM.

tan@mtzhrfohap03:~> echo -n "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | base64 -d
Please remember the terms for blog comments.