This post is older than a year. Consider some information might not be accurate anymore.
Working with Kerberos these days, so here are some recipes for dealing with it. There are several open source implementations out there.
Heimdal
Heimdal is an implementation of Kerberos 5 (and some more stuff) largely written in Sweden (which was important when we started writing it, less so now). It is freely available under a three clause BSD style license.
List contents of keytab file
tan@omega:~/sources/fo-app-proxy/conf$ ktutil -v -k application.keytab list
application.keytab:
Vno Type Principal Date Aliases
0 des-cbc-crc HTTP/applications@AFFE.COM 1970-01-01
0 des-cbc-md5 HTTP/applications@AFFE.COM 1970-01-01
0 arcfour-hmac-md5 HTTP/applications@AFFE.COM 1970-01-01
0 aes256-cts-hmac-sha1-96 HTTP/applications@AFFE.COM 1970-01-01
0 aes128-cts-hmac-sha1-96 HTTP/applications@AFFE.COM 1970-01-01
Kerberos Linux Client
The other major implementation is MIT Kerberos, which is what the krb5 packages on Debian and Ubuntu provide.
Installation on Ubuntu/Debian
sudo apt install krb5-user libpam-krb5 libpam-ccreds auth-client-config
Run the configuration
sudo dpkg-reconfigure krb5-config
When prompted, enter your default realm, e.g. AFFE.COM (realm names are conventionally written in upper case).
Request ticket
You can test the configuration by requesting a ticket with the kinit utility.
tan@omega:~/sources/fo-app-proxy$ kinit tan@AFFE.COM
Password for tan@AFFE.COM:
List tickets
After a ticket has been issued you can check the active tickets with klist.
tan@omega:~/sources/fo-app-proxy$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: tan@AFFE.COM
Valid starting Expires Service principal
06/13/2017 11:32:50 06/13/2017 21:32:50 krbtgt/AFFE.COM@AFFE.COM
renew until 06/13/2017 21:32:50
Keytab file
As with Heimdal, you can also inspect the keytab. Here -e shows the encryption type of each entry, -t the timestamp and -K the key bytes; since -K prints the raw key material, treat that output with the same care as the keytab file itself.
tan@omega:~/sources/fo-app-proxy/conf$ klist -e -k -t -K application.keytab
Keytab name: FILE:application.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-crc) (0xbaae641a1598683d)
0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (des-cbc-md5) (0xbaae641a1598683d)
0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (arcfour-hmac) (0x8beeb4b1a7f808a0c7c089cf7d8934e1)
0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes256-cts-hmac-sha1-96) (0x95f13d9bf55911a6069420d5a5ce2fd207d238d36541115e3aa97dc45061efba)
0 01/01/1970 01:00:00 HTTP/applications@AFFE.COM (aes128-cts-hmac-sha1-96) (0x8606b650732af3cd02f35f530125ac3b)
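Both listings above are produced by tools reading the same FILE keytab format (version 0x0502). The following Python is an added example, not code from the post or from either Kerberos project: it builds a constructed keytab with the post's principal and enctypes (the key bytes are deterministic filler, not real keys, and kvno and timestamp are 0 as in the listing), parses it back following the keytab layout documented by MIT krb5, prints a ktutil-style listing without exposing key bytes, and flags the single-DES and RC4 entries that a current KDC will refuse or that should be rotated away.

```python
import struct

# Kerberos enctype numbers for the types shown in the listings (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac-md5"}
KEY_SIZES = {1: 8, 3: 8, 17: 16, 18: 32, 23: 16}
# Single DES is disabled by default in current KDCs; RC4 is deprecated (RFC 8429).
WEAK_ENCTYPES = {1, 3, 23}

# Constructed sample entries mirroring the post's listing: (principal, enctype, key, kvno, timestamp).
# The key bytes are filler for the example, not real key material.
SAMPLE_ENTRIES = [("HTTP/applications@AFFE.COM", et, bytes(range(KEY_SIZES[et])), 0, 0)
                  for et in (1, 3, 23, 18, 17)]


def _counted(data: bytes) -> bytes:
    """counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, pos: int):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab_entry(principal, enctype, key, kvno, timestamp) -> bytes:
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    # name_type NT-PRINCIPAL (1), 32-bit timestamp, 8-bit vno, then keyblock {enctype, key}
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)              # optional 32-bit vno trailer
    return struct.pack(">i", len(body)) + body   # size excludes the size field itself


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(build_keytab_entry(*e) for e in entries)


def parse_keytab(data: bytes) -> list:
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab file format 0x0502 is handled here")
    pos, result = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted slot of -size bytes
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, p = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            comp, p = _read_counted(entry, p)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", entry, p)
        p += 9
        (enctype,) = struct.unpack_from(">H", entry, p)
        key, p = _read_counted(entry, p + 2)
        # the 32-bit vno is only present when at least 4 bytes of the entry remain
        kvno = struct.unpack_from(">I", entry, p)[0] if len(entry) - p >= 4 else vno8
        result.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": kvno,
                       "enctype_id": enctype, "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
                       "timestamp": timestamp, "key": key})
    return result


def weak_entries(entries: list) -> list:
    """Entries whose enctype a KDC will refuse or that should be rotated away."""
    return [e for e in entries if e["enctype_id"] in WEAK_ENCTYPES]


def format_listing(entries: list) -> str:
    """A ktutil-like listing that, unlike klist -K, prints no key bytes."""
    lines = ["Vno Type Principal"]
    lines += [f"{e['kvno']} {e['enctype']} {e['principal']}" for e in entries]
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_keytab(build_keytab(SAMPLE_ENTRIES))
    print(format_listing(parsed))
    for e in weak_entries(parsed):
        print(f"WEAK: {e['principal']} uses {e['enctype']}")
```

Pointing parse_keytab at the bytes of a real keytab gives the same table as ktutil or klist -k, and weak_entries is a quick way to audit a fleet of service keytabs for DES and RC4 keys before a KDC upgrade disables them.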
curl
To test Kerberos authentication you need curl with SPNEGO support.
Check whether your curl build supports it: GSS-API, Kerberos and SPNEGO should appear under Features in the output of curl -V.
tan@omega:~/sources/fo-app-proxy$ curl -V
curl 7.47.0 (x86_64-pc-linux-gnu) libcurl/7.47.0 GnuTLS/3.4.10 zlib/1.2.8 libidn/1.32 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp smb smbs smtp smtps telnet tftp
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP UnixSockets
Kerberos and NTLM are two different protocols, and a Windows desktop client may send NTLM instead of Kerberos inside the same Negotiate header. Decode the base64 token and check whether it is NTLM: an NTLM message starts with the ASCII signature NTLMSSP.
tan@mtzhrfohap03:~> echo -n "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==" | base64 -d
NTLMSSP▒▒▒
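To make that check mechanical, here is an added Python example (not code from the post) that decodes the value of an Authorization: Negotiate header and reports which mechanism it carries. The NTLM token is the one from the post; the SPNEGO sample is a constructed header only (the GSS-API APPLICATION 0 tag plus the SPNEGO OID), not a complete NegTokenInit, since a real one would have to come from a client holding a ticket. For an NTLM Type 1 message it also reads the negotiate flags and, when the client includes it, the OS version field, which is useful when tracing which hosts still fall back to NTLM.

```python
import base64
import struct

# Token copied from the post's `echo ... | base64 -d` example: an NTLM Type 1 (NEGOTIATE) message.
NTLM_TYPE1_TOKEN = "TlRMTVNTUAABAAAAl4II4gAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw=="

# DER-encoded mechanism OIDs: SPNEGO (RFC 4178) and Kerberos V5 (RFC 4121).
SPNEGO_OID = bytes.fromhex("2b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")    # 1.2.840.113554.1.2.2

# Constructed sample: only the GSS-API InitialContextToken framing (0x60, length, OID)
# that a real SPNEGO token starts with; the NegTokenInit body is omitted.
SPNEGO_HEADER_ONLY = base64.b64encode(b"\x60\x08\x06\x06" + SPNEGO_OID).decode()

NTLM_MESSAGE_TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}
NTLMSSP_NEGOTIATE_VERSION = 0x02000000   # flag: the 8-byte Version field is present


def _der_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, position after the length)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def classify_negotiate_token(b64_token: str) -> dict:
    """Classify the base64 value of an 'Authorization: Negotiate <token>' header."""
    raw = base64.b64decode(b64_token)
    if raw.startswith(b"NTLMSSP\x00"):
        msg_type = struct.unpack_from("<I", raw, 8)[0]           # NTLM fields are little-endian
        info = {"mechanism": "NTLM", "ntlm_message": NTLM_MESSAGE_TYPES.get(msg_type, "unknown")}
        if msg_type == 1 and len(raw) >= 40:
            flags = struct.unpack_from("<I", raw, 12)[0]
            info["flags"] = flags
            if flags & NTLMSSP_NEGOTIATE_VERSION:
                major, minor, build = struct.unpack_from("<BBH", raw, 32)
                info["os_version"] = f"{major}.{minor}.{build}"
        return info
    if raw[:1] == b"\x60":                                       # GSS-API [APPLICATION 0] tag
        _, pos = _der_length(raw, 1)
        if raw[pos:pos + 1] == b"\x06":                          # OBJECT IDENTIFIER
            oid_len, pos = _der_length(raw, pos + 1)
            oid = raw[pos:pos + oid_len]
            if oid == SPNEGO_OID:
                return {"mechanism": "SPNEGO"}
            if oid == KRB5_OID:
                return {"mechanism": "Kerberos"}
            return {"mechanism": "GSS-API", "oid": oid.hex()}
    return {"mechanism": "unknown"}


def is_ntlm_fallback(b64_token: str) -> bool:
    """True when a Negotiate header carries NTLM rather than a Kerberos/SPNEGO token."""
    return classify_negotiate_token(b64_token)["mechanism"] == "NTLM"


if __name__ == "__main__":
    for token in (NTLM_TYPE1_TOKEN, SPNEGO_HEADER_ONLY):
        print(classify_negotiate_token(token))
```

Run over the Negotiate headers in a proxy or application log, is_ntlm_fallback separates clients that obtained a service ticket from those that silently dropped to NTLM, which is usually a sign of a missing SPN, a host outside the realm, or an unreachable KDC.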