2011-10-07

test1

info-kerberos

1 def

  • The CLIENT and SERVER do not initially share an encryption key.
  • Whenever a CLIENT authenticates itself to a new VERIFIER it relies on the AUTHENTICATION SERVER to generate a new encryption key and distribute it securely to both parties (CLIENT and VERIFIER).
  • The Kerberos TICKET is a certificate issued by an AUTHENTICATION SERVER, encrypted using the SERVER KEY.
  • The TICKET is not sent directly to the VERIFIER, but is instead sent to the CLIENT who forwards it to the VERIFIER as part of the application request. Because the ticket is encrypted in the SERVER KEY, known only by the AUTHENTICATION SERVER and intended VERIFIER, it is not possible for the CLIENT to modify the ticket without detection.
  • There are two parts to the application request, a TICKET and an AUTHENTICATOR:
    1. The AUTHENTICATOR includes, among other fields (all encrypted with the SESSION KEY):
      • the current time
      • a checksum
      • an optional encryption key
    2. When a client wishes to create an association with a particular VERIFIER, the client uses the authentication request and response messages to obtain a TICKET and SESSION KEY from the AUTHENTICATION SERVER.
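The ticket/authenticator flow described above, as an added example that is not part of the original notes: the AUTHENTICATION SERVER seals a TICKET (client name, fresh SESSION KEY, expiry) under the SERVER KEY, the CLIENT seals an AUTHENTICATOR (time, checksum) under the SESSION KEY, and the VERIFIER opens both and rejects tampered or stale requests. The `seal`/`open_` helpers are an assumed stand-in (HMAC-SHA256 keystream plus encrypt-then-MAC) for the real Kerberos encryption types, used only to show the message flow; the AS response that carries the session key to the client is omitted.

```python
import hashlib, hmac, json, os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stand-in for Kerberos encryption (assumption): HMAC-SHA256 in counter mode.
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key: bytes, msg: dict) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag. Any modification is detected by open_().
    nonce = os.urandom(16)
    pt = json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return json.loads(pt)

def as_issue_ticket(server_key: bytes, client: str, now: float, lifetime: int = 300):
    # AUTHENTICATION SERVER: fresh SESSION KEY; TICKET sealed with the SERVER KEY,
    # so the client that forwards it cannot modify it without detection.
    session_key = os.urandom(32)
    ticket = seal(server_key, {"client": client, "skey": session_key.hex(),
                               "expires": now + lifetime})
    return ticket, session_key

def client_authenticator(session_key: bytes, client: str, ticket: bytes, now: float) -> bytes:
    # CLIENT: AUTHENTICATOR (name, current time, checksum) sealed with the SESSION KEY.
    checksum = hashlib.sha256(ticket).hexdigest()
    return seal(session_key, {"client": client, "time": now, "checksum": checksum})

def verifier_accept(server_key: bytes, ticket: bytes, auth: bytes, now: float, skew: int = 300) -> str:
    # VERIFIER: open the ticket with the SERVER KEY, recover the session key,
    # then open the authenticator and check freshness, name binding and checksum.
    t = open_(server_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = open_(bytes.fromhex(t["skey"]), auth)
    if a["client"] != t["client"] or abs(now - a["time"]) > skew:
        raise ValueError("authenticator mismatch or stale")
    if a["checksum"] != hashlib.sha256(ticket).hexdigest():
        raise ValueError("checksum mismatch")
    return t["client"]
```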

2 klist

  • klist -k [keytab_file] # check the principals in the given keytab file
  • klist -k # check the principals in the default keytab file; also shows the path to that file
  • klist # check the principals (cached credentials) in the files /tmp/krb5cc_[nr]

3 kdestroy

4 create keytab (on AD)

  1. create a new user in AD that holds the principals
    • user option: password never expires
  2. add the principal to the user above with ktpass, provided by the Windows Server 2003 Support Tools http://support.microsoft.com/kb/892777
    • ktpass -princ HTTP/[service_hostname]@[DOMAIN] -mapuser [above_ad_user] -pass [above_ad_user_pass] [/desonly] [-crypto des-cbc-crc] -out [output_file]
  3. verification
    • AD => user => properties => Account => User logon name: HTTP/[service_hostname]@[domain]

5 get kerberos ticket (on service server)

  • kinit [principal_name as above: HTTP/[service_hostname]]

6 files

  • /etc/krb5.conf - realm (domain) settings and the address of the AD server
  • /etc/krb5.keytab - default keytab
  • /etc/krb5.realms
  • /tmp/krb5cc_500 - saved credentials (credential cache)