login script to use machine password for kinit to obtain ticket at login

I synchronised my passwords/passphrases for logging in to my machine, unlocking my ssh keyfile (~/.ssh/id_rsa, see man ssh-keygen) and for kerberos. When I log in, I enter the password once to access my local machine account, and as a bonus my ssh key file is also unlocked.

I'd like to also automate my kerberos authentication, which also uses the same password. Essentially, I want a secure way to achieve the equivalent effect of putting this in my `~/.bash_profile`:

# PASSWORD SHOULD NEVER BE HARDCODED - FOR EXPLANATION PURPOSE ONLY
PASSWORD="qwerty" # NEVER DO THIS!!!
# kinit has no -u option; the principal is a positional argument and the
# password is read from stdin when stdin is not a terminal
echo "$PASSWORD" | kinit "$KRBUSR"

Any suggestions? Insights as to how the keyfile is unlocked?

asked Dec 22 '25 01:12 by kidmose


1 Answer

Your question could be tagged as duplicate of that one, but to eliminate any remaining confusion, let's start with a clear statement: SIMULATING AN INTERACTIVE PASSWORD ENTRY IN A SCRIPT IS PURE EVIL.

Moreover, there is a proper way to automatically create a Kerberos ticket -- it can be used to authenticate Linux services at boot time, for example.

  • Step 0: run klist -e to list the encryption algorithm(s) that have been negotiated with the KDC -- for example "aes256-cts-hmac-sha1-96" and "arcfour-hmac"
    NB: that legacy Arc4 is still legit in many corporate Active Directory directories, yuck
  • Step 1: create a keytab file for your principal, with ktutil (tutorial here for instance), adding one entry per encryption algorithm
  • Step 2: immediately after creating the keytab file, restrict access to the file with chmod, otherwise anyone could use the file to "steal your Kerberos identity"
  • Step 3: use kinit -kt <path/to/keytab_file> <principal@REALM> to authenticate without entering the password
  • Step 4: you can run kinit -R periodically to request a ticket renewal (that renewal does not require a password) -- provided that you have a renewable ticket, that it has not expired yet, and that you did not reach the max renewable limit (see below)


Side note: the encryption algos used by kinit match what is configured in your local /etc/krb5.conf under permitted_enctypes and default_tkt_enctypes and default_tgs_enctypes -- provided that the Kerberos server (KDC) accepts these algorithms.

Side note: the ticket created by kinit has a lifetime configured in /etc/krb5.conf under ticket_lifetime -- provided that it does not exceed the KDC limit (usually 10h).
The renewable lifetime is under renew_lifetime -- provided etc. (a zero-lifetime means the ticket will be marked as non-renewable)


By the way, if your Linux box uses SSSD authentication backed by Active Directory, you can activate automatic creation & renewal of your Kerberos ticket with properties such as:
ldap_krb5_init_creds = True
krb5_ccname_template = FILE:/tmp/krb5cc_%U
krb5_lifetime           =  86400
krb5_renewable_lifetime = 604800
krb5_renew_interval     =   7200
answered Dec 23 '25 17:12 by Samson Scharfrichter
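The keytab procedure in steps 0 to 4, written out as shell helpers. This is an added example, not code from the answer above or from the MIT Kerberos project: it assumes the MIT client tools (klist, ktutil, kinit, stat), a user-supplied principal, keytab path and key version number (KVNO) as placeholders, and a constructed sample of `klist -e` output so the parser can be exercised without a KDC.

```shell
#!/bin/sh
# Added example, not from the original answer: helpers for the keytab workflow
# in steps 0-4. Assumes MIT Kerberos client tools (klist, ktutil, kinit).
# PRINCIPAL, KEYTAB and KVNO are placeholders supplied by the caller.

# Constructed sample of `klist -e` output, used to exercise the parser offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
01/01/2025 10:00:00  01/01/2025 20:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    renew until 01/08/2025 10:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac'

# Step 0: extract the distinct enctype names from `klist -e` output read on stdin.
# klist prints them as "Etype (skey, tkt): <session key>, <ticket key>".
parse_enctypes() {
    sed -n 's/.*Etype ([^)]*): *//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -v '^$' \
        | sort -u
}

# Step 1: emit the ktutil command script: one addent per enctype, then write
# the keytab. ktutil prompts for the password on every addent, so this output
# is meant to be typed into an interactive ktutil session, not piped into it.
# Usage: ktutil_script PRINCIPAL KEYTAB KVNO ENCTYPE...
ktutil_script() {
    principal=$1; keytab=$2; kvno=$3; shift 3
    for etype in "$@"; do
        printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$etype"
    done
    printf 'wkt %s\nquit\n' "$keytab"
}

# Step 2: the keytab is equivalent to the password, so only the owner may read it.
secure_keytab() {
    chmod 600 "$1"
}

# Returns 0 when the file mode is exactly 600 (GNU stat first, BSD stat fallback).
keytab_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = "600" ]
}

# Step 3: authenticate with the keytab instead of a typed password.
kinit_from_keytab() {
    kinit -kt "$1" "$2"
}

# Step 4: renew the TGT. This only succeeds while the ticket is unexpired,
# renewable and within renew_lifetime, so callers (cron, systemd timer) should
# check the exit status and fall back to kinit_from_keytab.
renew_ticket() {
    kinit -R
}

# Ties steps 0 and 1 together against the live ticket cache and prints the
# ktutil commands to type. umask 077 makes the keytab private from the moment
# ktutil creates it, so step 2 leaves no window where the file is readable.
# Usage: plan_keytab PRINCIPAL KEYTAB KVNO
plan_keytab() {
    umask 077
    enctypes=$(klist -e | parse_enctypes)
    echo "Type the following into an interactive ktutil session:"
    ktutil_script "$1" "$2" "$3" $enctypes
}
```

After ktutil has written the file, run `secure_keytab` and `keytab_is_private` on it, then `kinit_from_keytab KEYTAB PRINCIPAL` replaces the password prompt; `renew_ticket` can run on a timer, with `kinit_from_keytab` as the fallback once the renewable lifetime from the answer's side note runs out.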