Managing Kerberos Credentials
The non-privileged user interacts with the Kerberos system to manage the Kerberos tickets that are used to request network services. There are four commands used for this purpose:
klist The klist command displays a list of the Kerberos tickets that you are currently holding. The ticket information is kept in the file /tmp/krb5cc_XXX, where XXX is your UID on the Linux server.
kinit The kinit command requests a ticket-granting ticket from the KDC and holds it in the /tmp/krb5cc_XXX file for inspection by the klist command.
kdestroy The kdestroy command removes any Kerberos tickets that you are currently holding.
kpasswd The kpasswd command changes your current Kerberos password (which protects your master secret associated with your principal).
Listing 13.9 contains an example of a user acquiring and displaying a Kerberos ticket-granting ticket.
Listing 13.9 Acquiring and displaying a TGT using klist
[ramon]$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[ramon]$ kinit
Password for ramon@HONTANON.COM:
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 17:50:05  02/25/01 03:49:52  krbtgt/HONTANON.COM@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
User ramon uses the klist command to display his credentials, and he doesn't yet have any. He then runs kinit and obtains a TGT, but only after he provides the password that protects his principal's master secret. A new invocation of the klist command reveals that the user ramon now has a TGT in his credentials cache.
NOTE Note that the klist command reports both version 5 and version 4 tickets. This is because the standard Kerberos RPM package includes support for the older Kerberos v.4 protocol.
By default, the kinit command attempts to obtain a TGT for the principal user@REALM, where user is the username that requests the ticket, and REALM is the value of the default_realm variable in the /etc/krb5.conf file. To obtain a ticket for a different principal, specify the principal name on the command line, as in the following example:
[ramon]$ kinit [email protected]
The klist command shows that the ticket you've just acquired is valid until 2/25/01 at 3:39 A.M. (10 hours from now). If you want to discard this ticket, use the kdestroy command to delete it from the cache (see Listing 13.10).
Listing 13.10 Deleting a ticket from the cache using kdestroy
[ramon]$ kdestroy
[ramon]$ klist
klist: No credentials cache file found (ticket cache FILE:/tmp/krb5cc_500)
Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
Finally, the kpasswd command should be used by non-privileged members on a regular basis to change their Kerberos password to minimize its exposure. The use of the kpasswd utility is virtually identical to the use of the standard Linux passwd command, as you can see in Listing 13.11.
Listing 13.11 Changing a Kerberos password with kpasswd
[ramon]$ kpasswd
kpasswd: No credentials cache file found getting principal from cache
[ramon]$ kinit
Password for ramon@HONTANON.COM:
[ramon]$ kpasswd
Password for ramon@HONTANON.COM:
Enter new password:
Enter it again:
Password changed.
Note that in order to issue the kpasswd command, you need to be in possession of an unexpired TGT. This makes sense because you'll need this TGT to prove to the KDC that it really is you issuing the kpasswd command, and you'll need the TGT to encrypt the new password while in transit.
WARNING It is extremely important that you choose a good password and that you change it on a regular basis. Unlike your standard Linux password, the Kerberos password can be used to obtain tickets to access other services on your behalf, so the potential damage from an intrusion is much greater.
Using Kerberos to Allow Others to Access Your Account
The ability to grant temporary access rights to your account is one of the most useful features of Kerberos authentication on a Linux server. By creating a .k5login file in your home directory, you can grant temporary access to other users without having to give them your password. Instead, simply add their principal names (one per line) to the .k5login file to allow them access, as in the following example:
[ramon]$ more .k5login
alice@HONTANON.COM
bob@HONTANON.COM
If Alice or Bob can successfully obtain a ticket for their principal, they will be allowed to log in to your account. This feature can also be used to grant non-privileged users temporary root access by simply entering their principal name in /.k5login (assuming that your root user's home directory is /). This saves you from both giving out the root password and from exposing the password on the network.
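Because every principal listed in a .k5login file can log in to the account without its password, the file deserves the same scrutiny as the password itself, and that goes double for /.k5login on root. The following shell script is an added example, not part of the book or of the Kerberos distribution: it audits a .k5login file for the mistakes that matter most (a group- or world-writable file, several principals on one line, principals from an unexpected realm, entries with no realm at all, and instance-bearing principals such as admin/admin@REALM). The principal syntax name[/instance]@REALM is the MIT form used throughout the listings; the expected realm is passed as an argument, and the file is assumed to be owned by the account's user.

```shell
#!/bin/sh
# Added example (not from the book): audit a .k5login file before relying on it.
# Assumes MIT-style principals (name[/instance]@REALM) and that the expected
# realm is given as the second argument.

# check_k5login FILE REALM
# Prints one finding per line and returns 0 when the file is clean, 1 otherwise.
check_k5login() {
    file=$1
    realm=$2
    rc=0

    if [ ! -f "$file" ]; then
        echo "no such file: $file"
        return 1
    fi

    # The file must be writable only by its owner: a group- or world-writable
    # .k5login lets a third party grant themselves access to the account.
    # ls -l is used because stat(1) flags differ between GNU and BSD.
    mode=$(ls -l "$file" | cut -c1-10)
    case $mode in
        ?????w????|????????w?)
            echo "$file is group- or world-writable ($mode)"
            rc=1 ;;
    esac

    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        # Blank lines and comments are not findings.
        case $line in
            ''|'#'*) continue ;;
        esac
        # .k5login takes one principal per line; anything else is a typo
        # that will not match any authenticated user.
        case $line in
            *[[:space:]]*)
                echo "line $lineno: whitespace in entry '$line'"
                rc=1 ; continue ;;
        esac
        case $line in
            *@"$realm") ;;   # principal in the expected realm
            *@*)
                echo "line $lineno: foreign-realm principal $line (review cross-realm trust)"
                rc=1 ;;
            *)
                echo "line $lineno: no realm in '$line' (the default realm would be assumed)"
                rc=1 ;;
        esac
        # Instance principals usually belong to administrative identities,
        # not to a person's login; flag them for review.
        case $line in
            */*) echo "line $lineno: instance principal $line"; rc=1 ;;
        esac
    done < "$file"
    return $rc
}

# Usage: sh check_k5login.sh ~/.k5login HONTANON.COM
if [ $# -eq 2 ]; then
    check_k5login "$1" "$2"
fi
```

Run it against /.k5login as well as your own: on the page's example, a clean file containing alice@HONTANON.COM and bob@HONTANON.COM (one per line, mode 600) produces no findings, while a file with mode 666 or an entry such as admin/admin@HONTANON.COM is reported and the function returns 1.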
Using Kerberos-Enabled Applications
Once a user has a TGT, they can use a number of Kerberized applications to access remote services without having to identify themselves to each of them. The Linux Kerberos distribution ships with modified versions of the most popular network clients: telnet, ftp, rlogin, rsh, and rcp. Let's take a look at the Kerberos use of these applications.
telnet
Kerberos extends the standard Linux telnet command with the command-line options listed in Table 13.6.
Table 13.6
Option    Meaning
-k realm  Request tickets for a realm other than the one specified in the default_realm variable in the /etc/krb5.conf file.
-K        Authenticate but do not log in.
-a        Perform automatic login with your credentials and your local username (the client will not prompt for it).
-x        Enable encryption.
For example, consider the sequence of commands in Listing 13.12.
Listing 13.12 Obtaining a Kerberos ticket for use with the Kerberized telnet client
[ramon]$ hostname
atlantis.hontanon.com
[ramon]$ kinit ramon@HONTANON.COM
Password for ramon@HONTANON.COM:
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 20:59:12  02/25/01 06:59:12  krbtgt/HONTANON.COM@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
[ramon]$ telnet -x -a -k HONTANON.COM challenger
Trying 163.109.21.167...
Connected to challenger (163.109.21.167).
Waiting for encryption to be negotiated...
[ Kerberos V5 accepts you as "ramon@HONTANON.COM" ]
done.
Last login: Sat Feb 24 20:58:07 from atlantis
You have mail.
[ramon]$ exit
logout
Connection closed by foreign host.
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 20:59:12  02/25/01 06:59:12  krbtgt/HONTANON.COM@HONTANON.COM
02/24/01 20:59:29  02/25/01 06:59:12  host/challenger.hontanon.com@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
This sequence begins on the host atlantis.hontanon.com, where user ramon starts out with no Kerberos tickets. ramon then requests a TGT for the principal ramon@HONTANON.COM using the kinit command. ramon then logs in to the machine challenger.hontanon.com using a Kerberized telnet client. An encrypted connection is then established because ramon has included the -x option in the telnet command.
Upon exiting from the challenger session, user ramon now has an additional Kerberos ticket:
02/24/01 20:59:29  02/25/01 06:59:12  host/challenger.hontanon.com@HONTANON.COM
This is the ticket that his local host (atlantis) requested from the KDC in order to gain telnet access to challenger. Note that you will be able to use this ticket to access challenger until 6:59 A.M. on 2/25/01. At that point, you will be asked to run kinit again (to obtain a new ticket) when attempting the telnet operation.
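The two ideas that the credential-management section and this telnet walkthrough share are that a client can only be used while the matching ticket is unexpired, and that kpasswd and the Kerberized clients send you back to kinit once the TGT has lapsed. The script below is an added example, not from the book or the Kerberos distribution: it reads a saved klist listing and reports, for a given moment, which tickets are still usable. The listing embedded in it is constructed from the values in Listing 13.12 (not a live capture), the reference time is given in the same MM/DD/YY HH:MM:SS form klist prints so the script runs offline without date(1), and the two-digit years are assumed to mean 20YY.

```shell
#!/bin/sh
# Added example (not from the book): inspect a saved klist listing and report
# which tickets are still valid at a given moment. Works on captured text, so
# it needs neither a live credentials cache nor the date(1) command.

# Constructed sample modelled on Listing 13.12; the values are copied from
# the book's listing, this is not a live capture.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM

Valid starting     Expires            Service principal
02/24/01 20:59:12  02/25/01 06:59:12  krbtgt/HONTANON.COM@HONTANON.COM
02/24/01 20:59:29  02/25/01 06:59:12  host/challenger.hontanon.com@HONTANON.COM

Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached'

# ticket_status LISTING NOW
# Prints "<service principal> valid|expired" for every ticket line in LISTING,
# judged against NOW ("MM/DD/YY HH:MM:SS"). Two-digit years are read as 20YY,
# which is what the 2001-era listings in the book use (assumption).
ticket_status() {
    printf '%s\n' "$1" | awk -v now="$2" '
        # Turn "MM/DD/YY" and "HH:MM:SS" into a sortable YYYYMMDDHHMMSS string.
        function key(d, t,   m, h) {
            split(d, m, "/"); split(t, h, ":")
            return sprintf("20%s%s%s%s%s%s", m[3], m[1], m[2], h[1], h[2], h[3])
        }
        BEGIN { split(now, n, " "); nowkey = key(n[1], n[2]) }
        # Ticket lines start with a date and carry start, expiry and principal;
        # header lines ("Valid starting ...") and klist messages do not match.
        $1 ~ /^[0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/ && NF >= 5 {
            status = (key($3, $4) > nowkey) ? "valid" : "expired"
            print $5, status
        }'
}

# tgt_valid LISTING NOW
# Succeeds only while the krbtgt/ ticket is unexpired: the condition the book
# gives for running kpasswd or a Kerberized client without a fresh kinit.
tgt_valid() {
    ticket_status "$1" "$2" | grep -q '^krbtgt/.* valid$'
}

# Usage: sh ticket_status.sh "02/25/01 06:00:00"
# (to check a live cache instead of the sample, pass "$(klist)" as the listing)
if [ $# -eq 1 ]; then
    ticket_status "$SAMPLE_KLIST" "$1"
fi
```

On the sample, both the TGT and the host/challenger.hontanon.com ticket report valid at 06:00 on 2/25/01 and expired at 07:00, matching the book's note that challenger can be reached until 6:59 A.M. and that kinit must be rerun afterwards. The same parser applies to the ftp/ and host/ tickets acquired in the ftp and rlogin listings that follow.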
ftp
Much like the telnet command, the Kerberized ftp client has two command-line options that are different from its standard Linux equivalent. They are listed in Table 13.7.
Table 13.7
Option    Meaning
-k realm  Request tickets for a realm other than the one specified in the default_realm variable in the /etc/krb5.conf file.
-x        Enable encryption.
Just like the normal ftp client, the file .netrc is used to automate the connection-establishment process:
[ramon]$ cat .netrc
machine ftp.uu.net login anonymous password ramon@hontanon.com
machine ftp.netscape.com login anonymous password ramon@hontanon.com
default login ramon
The first two lines of the .netrc file in the preceding example define the default username/password pairs for specific remote FTP servers. The last line in this example defines a default username to use for all other hosts. Take a look at a typical sequence of commands involving a Kerberized ftp client in Listing 13.13.
Listing 13.13 Obtaining a Kerberos ticket for use with the Kerberized ftp client
[ramon]$ hostname
atlantis.hontanon.com
[ramon]$ kinit ramon@HONTANON.COM
Password for ramon@HONTANON.COM:
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 21:20:59  02/25/01 07:20:59  krbtgt/HONTANON.COM@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
[ramon]$ ftp -x challenger
Connected to challenger.
220 challenger.hontanon.com FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
200 Data channel protection level set to private.
232 GSSAPI user ramon@HONTANON.COM is authorized as ramon
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> pwd
257 "/home/ramon" is current directory.
ftp> bye
221 Goodbye.
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 21:20:59  02/25/01 07:20:59  krbtgt/HONTANON.COM@HONTANON.COM
02/24/01 21:21:10  02/25/01 07:20:59  ftp/challenger.hontanon.com@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
As in the telnet example, the ftp session is encrypted. Also, note that after exiting the session and looking at your Kerberos credentials, you now have a ticket of the form:
02/24/01 21:21:10  02/25/01 07:20:59  ftp/challenger.hontanon.com@HONTANON.COM
This is the ticket that atlantis requested from the KDC to access challenger's FTP service.
rlogin, rsh, and rcp
Table 13.8 lists the Kerberos-specific command-line options found in the Kerberized rlogin, rsh, and rcp clients.
Table 13.8
Option    Meaning
-k realm  Request tickets for a realm other than the one specified in the default_realm variable in the /etc/krb5.conf file.
-x        Enable encryption.
The use of these three types of clients is best illustrated with an example. Let's start by establishing an encrypted rlogin session to host name challenger, as shown in Listing 13.14.
Listing 13.14 Obtaining a Kerberos ticket for use with the Kerberized (and encrypted) rlogin client
[ramon]$ hostname
atlantis.hontanon.com
[ramon]$ kinit ramon@HONTANON.COM
Password for ramon@HONTANON.COM:
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 21:29:54  02/25/01 07:29:54  krbtgt/HONTANON.COM@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
[ramon]$ rlogin -x challenger
This rlogin session is using DES encryption for all data transmissions.
Last login: Sat Feb 24 21:29:33 from atlantis.hontanon.com
You have mail.
[ramon]$ exit
logout
Connection closed.
[ramon]$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: ramon@HONTANON.COM
Valid starting     Expires            Service principal
02/24/01 21:29:54  02/25/01 07:29:54  krbtgt/HONTANON.COM@HONTANON.COM
02/24/01 21:30:06  02/25/01 07:29:54  host/challenger.hontanon.com@HONTANON.COM
Kerberos 4 ticket cache: /tmp/tkt501
klist: You have no tickets cached
It's important to note that the rlogin, rsh, and rcp applications use the same type of host/hostname ticket as telnet:
02/24/01 21:30:06  02/25/01 07:29:54  host/challenger.hontanon.com@HONTANON.COM
Next, you use the Kerberized rsh application to obtain a file listing from the remote host using Kerberos authentication (see Listing 13.15).
Listing 13.15 Using Kerberos authentication to obtain a file listing from a remote host
[ramon]$ rsh -x challenger.hontanon.com ls -l /usr/local/etc/*-gw
This rsh session is using DES encryption for all data transmissions.
-rwxr-xr-x  1 root  root  1954587 Jan 30 21:22 /usr/local/etc/ftp-gw
-rwxr-xr-x  1 root  root  2073268 Jan 30 21:22 /usr/local/etc/http-gw
-rwxr-xr-x  1 root  root  1866661 Jan 30 21:22 /usr/local/etc/plug-gw
-rwxr-xr-x  1 root  root  1912963 Jan 30 21:22 /usr/local/etc/rlogin-gw
-rwxr-xr-x  1 root  root  1944219 Jan 30 21:22 /usr/local/etc/tn-gw
-rwxr-xr-x  1 root  root   217794 Jan 30 21:22 /usr/local/etc/x-gw
And finally, you copy a number of files from the remote host, using the Kerberized rcp client supplied with the distribution. In the following example, the first command copies the files in an encrypted channel, while the second command issues a remote shell request (also encrypted) to verify that the files have been transferred successfully (see Listing 13.16).
Listing 13.16 Using a Kerberized rcp client to copy files from a remote host
-r--  1 ramon  users  4522 Feb 24 21:37 /tmp/file1
-r--  1 ramon  users  4522 Feb 24 21:37 /tmp/file2
-r--  1 ramon  users  4522 Feb 24 21:37 /tmp/file3
This wraps up the discussion of the Kerberos authentication system. The next section introduces the S/Key and OPIE systems for one-time passwords.