Kerberos
-
Realmmust be inuppercase. -
KVNO- Key Version NumberThe
key version number, commonly abbreviated askvno, distinguishes between different encryption keys that are stored for a given principal. For example, if a user changes his password, then his principal has a new encryption key associated with it. When theKerberosKDCstores his new encryption key in theKerberosdatabase, it increments the key version number. Similarly, if a service’s long-term key is changed, thekey version numberalso changes.Key version numbersare not important when dealing with user principals. However, they do become important when working with Kerberized services. In order for Kerberized services to be able to read the ticket contents sent by clients for authentication, both the encryption key and thekey version numberthat is stored in the service’s keytab must match the encryption key andkey version numberthat is stored in the Kerberos database. A mismatch in either the encryption key or key version number will cause the decryption process to fail. -
Integration with Active Directory
SPNfor a service user must match toFQDNof server;- Clients should use an
FQDNin URL’s (not the host short names); - IP-address of server in
DNSreverse zone should be resolved exactly to mentionedFQDN.
-
Resources
-
What is Ticket Granting Tickets (TGT) - Security Wiki (opens in a new tab)
-
MIT Kerberos Documentation - User Commands (opens in a new tab)
-
MIT Kerberos Documentation - krb5.conf (opens in a new tab)
krb5.conf reference
-
MIT Kerberos Documentation - MIT Kerberos defaults (opens in a new tab)
-
MIT Kerberos Documentation - Environment variables (opens in a new tab)
-
-
JAAS
-
RFC
-
RFC 4120: The Kerberos Network Authentication Service (opens in a new tab)
7.5.9 - Error Codes
-
4.1. The WWW-Authenticate Response Header
When the Kerberos Version 5 GSSAPI mechanism [
RFC4121] is being used, the HTTP server will be using a principal name of the form ofHTTP/hostname.
-
Tutorial
-
Local integration testing with Kerberos and SSH
Containerized Testing with Kerberos and SSH (opens in a new tab)
-
Enforce AES encryption
- Kerberos deactivation RC4 part 1 - protocol principle and encryption types | SAMURAJ-cz.com (opens in a new tab)
- Kerberos disabling RC4 part 2 - moving from RC4 to AES (opens in a new tab)
- Active Directory Hardening Series - Part 4 – Enforcing AES for Kerberos | Microsoft Community Hub (opens in a new tab)
-
General guide
Keytab
-
Deployment
The keytab file is independent of the computer it's created on, its filename, and its location in the file system. Once it's created, you can rename it, move it to another location on the same computer, or move it to another Kerberos computer, and it will still function. The keytab file is a binary file, so be sure to transfer it in a way that does not corrupt it.
Active Directory
- Audit Kerberos Service Ticket Operations - Windows 10 | Microsoft Learn (opens in a new tab)
- Audit Kerberos Authentication Service - Windows 10 | Microsoft Learn (opens in a new tab)
CLI cheatsheet
Get a TGT (Ticket-granting Ticket)
-
kinit --password-file=<text-file-storing-password> <principal>If the default cache type supports switching, kinit princname will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache.
Show all caches with contents
klist -AMIT - Show all principals in the specified keytab file with timestamps
klist -tke $keytab_fileMIT - Switch to the specified cache by principal name
kswitch -p $principalNote: The cache must exist already.
MIT - Destroy the specified cache by principal name
kdestroy -p $principalMIT - ktutil command lists
> ktutil: ?
Available ktutil requests:
clear_list, clear Clear the current keylist.
read_kt, rkt Read a krb5 keytab into the current keylist.
read_st, rst Deprecated and removed.
write_kt, wkt Write the current keylist to a krb5 keytab.
write_st, wst Deprecated and removed.
add_entry, addent Add an entry to the current keylist.
delete_entry, delent Delete an entry from the current keylist.
list, l List the current keylist.
list_requests, lr, ? List available requests.
quit, exit, q Exit program.MIT - Merge Keytab files
> ktutil
ktutil: read_kt mykeytab-1
ktutil: read_kt mykeytab-2
ktutil: read_kt mykeytab-3
ktutil: write_kt krb5.keytab
ktutil: quitMIT - Delete a key from a keytab file
> ktutil
ktutil: read_kt mykeytab
ktutil: list
...
slot# version# username@ADS.IU.EDU version#
...
ktutil: delent slot#SPNEGO
SPNEGO is used when a client application wants to authenticate to a remote server, but neither end is sure what authentication protocols the other supports. The pseudo-mechanism uses a protocol to determine what common GSSAPI mechanisms are available, selects one and then dispatches all further security operations to it. This can help organizations deploy new security mechanisms in a phased manner.
-
Steps
-
Client Web Browser does
HTTP GETfor resource. -
Web server returns
HTTP 401status and a header:WWW-Authenticate: Negotiate -
Client generates a
NegTokenInit, base64 encodes it, and resubmits theGETwith anAuthorizationheader:Authorization: Negotiate <base64 encoding> -
Server decodes the
NegTokenInit, extracts the supportedMechTypes(only Kerberos V5 in our case), ensures it is one of the expected ones, and then extracts theMechToken(Kerberos Token) and authenticates it. -
If more processing is required another
HTTP 401is returned to the client with more data in the theWWW-Authenticateheader. Client takes the info and generates another token passing this back in theAuthorizationheader until complete. -
When the client has been authenticated the Web server should return the
HTTP 200status, a finalWWW-Authenticateheader and the page content.
-
-
Resources
- Microsoft Learn - HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol (opens in a new tab)
- RFC 4178 - The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism (opens in a new tab)
- RFC 4559 - SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows (opens in a new tab)
- SPNEGO ASN.1 codec (opens in a new tab)
SPNEGO auth with curl
curl --negotiate -u : -G $HTTP_ENDPOINT-
--negotiateEnables
SPNEGOauthentication -
-u :Selects the user name and password from your environment, colon is required.
GSS
Workflow
The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context is established.
Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. Typical protections guaranteed by GSSAPI wrapping include confidentiality (secrecy) and integrity (authenticity). The GSSAPI can also provide local guarantees about the identity of the remote user or remote host.