Kerberos kinit enter password without prompt

Tags: macos, kerberos

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how to do this, though.

Can I enter the password for kinit without it prompting me?

For example currently:

If I type in:

$ kinit test@REALM

I get response:

test@REALM's password: 

and I have to enter the password. Is there any way I can input something like kinit test@REALM password so it doesn't prompt me?

asked Nov 15 '11 23:11 by user754905

3 Answers

Also you can

$ echo 'password' | kinit username 
answered Sep 17 '22 19:09 by user2939990


Use a keytab for that principal!

In detail: how to create a service keytab.

There are multiple ways, but I will assume the following: you are running Active Directory as your KDC implementation, and your backend runs on a Unix or Unix-like OS such as CentOS, FreeBSD or HP-UX. You also have MIT Kerberos or Heimdal installed, and krb5.conf is properly configured.

Install msktutil(1) via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.

Now run msktutil:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
  --old-account-password <password> --dont-change-password --keytab <path>

Replace samAccountName and password with your data. Leave out --dont-change-password if you are fine with autogenerated passwords. Adjust the path to where you want to store the keytab file.

Sample run:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
>   --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
 -- execute: Skipping creation of new password
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
 -- validate: Found DC: dc01.ad.example.com. Checking availability...
 -- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: uawet8er
 -- try_machine_password: Trying to authenticate for uawet8er with password
 -- create_default_machine_password: Default machine password for uawet8er is uawet8er
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_password: Authentication with password failed
 -- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
 -- finalize_exec: Authenticated using method 6
 -- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: uawet8er@AD.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
 -- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
 -- ldap_check_account: Checking that a service account for uawet8er exists
 -- ldap_check_account: Checking service account - found
 -- ldap_check_account: Found userAccountControl = 0x200
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found User Principal: uawet8er
 -- ldap_check_account_strings: Inspecting (and updating) service account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
 -- ldap_get_kvno: KVNO is 8
 -- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
 -- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
 -- update_keytab: Updating all entries for uawet8er
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_keytab_entries: Trying to add missing entries for uawet8er to keytab

Now check your keytab with kinit:

$ kinit -k -t uawet8er.keytab uawet8er
$ klist
Ticket cache: FILE:/tmp/krb5cc_722
Default principal: uawet8er@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
24.07.2019 13:15:45  24.07.2019 23:15:45  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        renew until 25.07.2019 13:15:45

This keytab is now ready to be used with your login.conf for JGSS or with KRB5_CLIENT_KTNAME and MIT Kerberos.

answered Sep 20 '22 19:09 by Michael-O


Create a keytab using "ktutil"

> ktutil
ktutil:  addent -password -p username@REALM -k 1 -e rc4-hmac
Password for username@REALM: [enter your password]
ktutil:  addent -password -p username@REALM -k 1 -e aes256-cts
Password for username@REALM: [enter your password]
ktutil:  wkt username.keytab
ktutil:  quit


# The steps below create a keytab for the user, move it into a secure directory,
# and automatically get a ticket when the user logs in with a bash shell

mkdir /home/username/keytabs
chmod 700 /home/username/keytabs
mv username.keytab /home/username/keytabs
chmod 600 /home/username/keytabs/username.keytab
echo "kinit -kt /home/username/keytabs/username.keytab username@REALM" >> /home/username/.bash_profile

Command to pass keytab and login

kinit username@REALM -k -t /path/to/username.keytab

Reference link hortonworks kb.iu.edu

answered Sep 18 '22 19:09 by Kumar
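An added example that serves both the msktutil answer and the ktutil answer above; it is not code from either answer, and not part of msktutil, ktutil or MIT Kerberos. It is a standard-library-only reader and writer for the keytab file format those tools produce, so that a keytab can be inspected offline and its key version number (kvno) and enctypes compared against what the KDC reported (the msktutil log above printed "KVNO is 8" and enctypes 0x17, 0x11, 0x12) before the file is wired into .bash_profile or KRB5_CLIENT_KTNAME. The principal names, kvno and enctype numbers are taken from that log; the sample keytabs are constructed in memory with dummy key bytes, and build_keytab, parse_keytab and check_keytab are helpers defined here, not krb5 APIs.

```python
"""Offline keytab inspector (added example; keytab layout per MIT krb5's
keytab file format, version 0x0502, all integers big-endian)."""
import struct
import time

KEYTAB_VERSION = 0x0502
KRB5_NT_PRINCIPAL = 1          # name_type used for user and service principals
ENCTYPE_NAMES = {              # enctype numbers seen in the msktutil output above
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
}


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key_bytes) tuples into a keytab blob.
    Constructed test data only: real keys come from ktutil/msktutil."""
    out = bytearray(struct.pack(">H", KEYTAB_VERSION))
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, int(time.time()), kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)   # 32-bit kvno trailer, authoritative when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(blob: bytes):
    """Return the live entries as dicts (principal, kvno, enctype, enctype_name, timestamp)."""
    (version,) = struct.unpack_from(">H", blob, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size < 0:                  # negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        pos = off

        def octets():
            nonlocal pos
            (n,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            data = blob[pos:pos + n]
            pos += n
            return data

        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm = octets().decode()
        comps = [octets().decode() for _ in range(ncomp)]
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        octets()                      # the key material itself; not needed to inspect
        kvno = vno8
        if end - pos >= 4:            # 32-bit kvno present: overrides vno8 when non-zero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, f"enctype {enctype}"),
            "timestamp": timestamp,
        })
        off = end
    return entries


def check_keytab(blob: bytes, principal: str, kdc_kvno: int, required_enctypes):
    """Compare the keytab with the KDC's view; return a list of problems (empty means OK)."""
    mine = [e for e in parse_keytab(blob) if e["principal"] == principal]
    if not mine:
        return [f"no entries for {principal}"]
    problems = [f"{e['enctype_name']}: kvno {e['kvno']} != KDC kvno {kdc_kvno}"
                for e in mine if e["kvno"] != kdc_kvno]
    for et in sorted(set(required_enctypes) - {e["enctype"] for e in mine}):
        problems.append(f"missing {ENCTYPE_NAMES.get(et, et)} key")
    return problems


if __name__ == "__main__":
    # Constructed keytab mirroring the msktutil run: kvno 8, enctypes 0x17/0x11/0x12.
    kt = build_keytab([("uawet8er@AD.EXAMPLE.COM", 8, et, b"\x00" * n)
                       for et, n in ((0x17, 16), (0x11, 16), (0x12, 32))])
    for e in parse_keytab(kt):
        print(e["principal"], "kvno", e["kvno"], e["enctype_name"])
    print(check_keytab(kt, "uawet8er@AD.EXAMPLE.COM", 8, (0x11, 0x12)))
```

The values to feed check_keytab are the ones the KDC side gives you: msktutil's "KVNO is 8" line and the msDs-supportedEncryptionTypes it printed, or what klist -k shows for a keytab that is known to work. A hand-built ktutil keytab whose kvno was typed in rather than read from the KDC is exactly the case this catches.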