Can I generate my own keytab programmatically in Java?

I was wondering if there was a way to generate my own keytab in Java without going to the KDC? I found code similar to this in an ApacheDS test:

    // Imports assume the ApacheDS 2.x package layout; adjust them for your version.
    import java.io.File;
    import java.util.Arrays;
    import java.util.List;
    import java.util.Map;
    import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
    import org.apache.directory.server.kerberos.shared.keytab.Keytab;
    import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
    import org.apache.directory.shared.kerberos.KerberosTime;
    import org.apache.directory.shared.kerberos.KerberosUtils;
    import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
    import org.apache.directory.shared.kerberos.components.EncryptionKey;

    File writeKeytab(String principalName, String userPassword, File keytabFile) throws Exception {
        Keytab keytab = Keytab.getInstance();
        // Fixed timestamp taken from the ApacheDS test; any KerberosTime will do
        KerberosTime timeStamp = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));

        // Derive one key per supported enctype from the password (string-to-key)
        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
            .getKerberosKeys(principalName, userPassword);

        // Entry fields: principal name, principal type (1 = NT-PRINCIPAL), timestamp, kvno, key
        KeytabEntry keytabEntry = new KeytabEntry(
            principalName,
            1L,
            timeStamp,
            (byte) 0,
            keys.get(EncryptionType.DES_CBC_MD5));

        List<KeytabEntry> entry = Arrays.asList(keytabEntry);
        keytab.setEntries(entry);
        keytab.write(keytabFile);
        return keytabFile;
    }

I'm able to do a klist on a keytab that I create:

    Vno Type        Principal                Date        Aliases
    0   des-cbc-md5 ssh/[email protected]  2007-02-17

Also, if this is not possible, is there a way to programmatically get a keytab using ApacheDS or any other Java library?

jclum asked Apr 24 '14 13:04


1 Answer

You have to have 3 things in a keytab for each enctype stored in the KDC for the principal.

  1. The principal name

  2. The key value

  3. The key version number

The first two you can recreate if you know the password for the principal; however, the last requires that you contact the KDC. You also need to use the password to create all the enctypes that are in the KDC. What you want to do is theoretically possible, but in practice it's very difficult to achieve. If you use kvno = 0 in the keytab, that means "try this key against any version number" and that might get you around most of the problems.

What might be achievable with just the principal and password is to "bootstrap" the process. If you can get a keytab with at least one working key, you should be able to use that keytab to "update" the keytab with new versions of all the keys from the KDC using system utilities such as ktutil.

As a side note: des-cbc-md5 should not be used as an enctype if at all possible; it can be brute-force cracked with very moderate hardware resources these days.

Unfortunately, the kadmin protocols to download keytabs vary between versions of Kerberos and I don't know if any of them have Java APIs.

Fred the Magic Wonder Dog answered Oct 09 '22 08:10
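
The following is an added example, not the question's code or an ApacheDS test, that puts the answer's three points together: it derives a key for every enctype ApacheDS can compute from the password, leaves the single-DES types out, and writes each remaining key with kvno 0 so the entry matches whatever version number the KDC currently holds. It goes beyond the question's single des-cbc-md5 entry in that it covers all enctypes at once. The class name `PasswordKeytabWriter`, the helper `isSingleDes` and the import package names (ApacheDS 2.x layout) are assumptions; the ApacheDS calls themselves are the ones the question already uses.

```java
// Added example: derive keys for every enctype from a password and write a
// kvno-0 keytab without contacting the KDC. Package names assume ApacheDS 2.x;
// adjust for your version.
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Map;

import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;

public class PasswordKeytabWriter {

    /** kvno 0 means "try this key against any version number" (see the answer above). */
    private static final byte ANY_KVNO = (byte) 0;

    /**
     * Derives one key per enctype from the password and writes all of them, except the
     * single-DES types, to keytabFile. Returns the enctypes that were written.
     */
    public static List<EncryptionType> writeKeytab(String principalName, String password, File keytabFile)
            throws IOException {
        // string-to-key for every enctype ApacheDS supports; the principal name supplies the salt
        Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory.getKerberosKeys(principalName, password);

        KerberosTime now = new KerberosTime(new Date());
        List<KeytabEntry> entries = new ArrayList<>();
        List<EncryptionType> written = new ArrayList<>();

        for (Map.Entry<EncryptionType, EncryptionKey> e : keys.entrySet()) {
            EncryptionType type = e.getKey();
            if (isSingleDes(type)) {
                continue; // des-cbc-* is cheap to brute-force; do not ship it in the keytab
            }
            // Same constructor as the question: name, principal type (1 = NT-PRINCIPAL), time, kvno, key
            entries.add(new KeytabEntry(principalName, 1L, now, ANY_KVNO, e.getValue()));
            written.add(type);
        }
        if (entries.isEmpty()) {
            throw new IOException("no usable enctypes derived for " + principalName);
        }

        Keytab keytab = Keytab.getInstance();
        keytab.setEntries(entries);
        keytab.write(keytabFile);
        return written;
    }

    // Hypothetical helper: filters out the single-DES enctypes the answer warns against.
    private static boolean isSingleDes(EncryptionType type) {
        return type == EncryptionType.DES_CBC_MD5
            || type == EncryptionType.DES_CBC_CRC
            || type == EncryptionType.DES_CBC_MD4;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 3) {
            System.err.println("usage: PasswordKeytabWriter <principal> <password> <keytab-file>");
            System.exit(2);
        }
        List<EncryptionType> written = writeKeytab(args[0], args[1], new File(args[2]));
        System.out.println("wrote " + written.size() + " entries: " + written);
    }
}
```

The keytab this produces only works if the password you pass is the one the KDC currently holds for the principal, since the key value is derived from it; the kvno is the one field that cannot be reconstructed offline, which is why every entry uses 0. Once one key accepts a service ticket, the answer's bootstrap step (refreshing the keytab with the KDC's real kvnos via ktutil or a similar system utility) can replace these entries with exact ones.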