Kerberos keytab permissions

kerberossquid

Can you share some thoughts on whether a Kerberos keytab should be readable only by root – under all circumstances? Or are there exceptions to this rule?

I am setting up a Squid proxy on Debian Jessie for Kerberos authentication with Active Directory. Most documentation advises to create a keytab for Squid containing an entry for the "HTTP" Service Principal.

However, if I join my system to an Active Directory domain, e.g., with realmd, this will already create a keytab, namely /etc/krb5.keytab. I can even make sure this keytab contains the necessary entry for the "HTTP" Service Principal:

# adcli preset-computer -D mydomain.org --service-name HOST --service-name HTTP proxy.mydomain.org
# realm join mydomain.org

So instead of creating a second keytab for Squid I could simply give read permissions for /etc/krb5.keytab to the process running Squid (which is the user proxy on Debian).

I am aware that it is considered a security issue if any user but root has access to the system keytab /etc/krb5.keytab. However, if my server hosts no services but the Squid proxy a keytab specifically created for Squid (e.g., with net ads keytab create && net ads keytab add HTTP) would contain more or less the same information as the system keytab anyway. (Or wouldn't it?)

So will I leap into any security holes when setting it up this way?

Best Answer

I think I should rephrase my question, thereby answering it: How do I create a keytab that contains only entries for the HTTP SPN?

If I create a new keytab for Squid with the following commands as it is described in the Squid wiki

# export KRB5_KTNAME=FILE:/etc/squid/HTTP.keytab
# net ads keytab CREATE
# net ads keytab ADD HTTP
# unset KRB5_KTNAME

then the new keytab /etc/squid3/HTTP.keytab will contain entries for the same SPNs as the system keytab plus entries for the HTTP SPN:

# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------
   2 PROXY$@mydomain.org
   2 host/proxy.mydomain.org@mydomain.org
   2 host/proxy@mydomain.org

# klist -k /etc/squid3/HTTP.keytab
Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- -----------------------------------------
   2 PROXY$@mydomain.org
   2 host/proxy.mydomain.org@mydomain.org
   2 host/proxy@mydomain.org
   2 http/proxy.mydomain.org@mydomain.org
   2 http/proxy@mydomain.org
   2 HTTP/proxy.mydomain.org@mydomain.org
   2 HTTP/proxy@mydomain.org

This is why I did not see the point in denying Squid read permissions for the system keytab /etc/krb5.keytab - it had the same SPNs in its own keytab anyway.

However, if I make HTTP.keytab contain only HTTP entries the different permissions will make sense: Then Squid can only use the HTTP SPNs it actually needs - but no other SPNs that may be contained in the system keytab. That can be done as follows:

# net ads keytab add HTTP

This adds the HTTP SPN to the system keytab. Then we create a new keytab based on the system keytab and in this new keytab delete all but the HTTP SPNs:

# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: list
ktutil: delent <number of non-HTTP entry>

Repeat the last step until only entries are left that start with http or HTTP. Then write the result to a new file and set the permissions:

ktutil: wkt /etc/squid3/HTTP.keytab
ktutil: quit
# chown root:proxy /etc/squid3/HTTP.keytab
# chmod 640 /etc/squid3/HTTP.keytab

The resulting keytab now contains only HTTP SPNs:

# klist -k /etc/squid3/HTTP.keytab
Keytab name: FILE:/etc/squid3/HTTP.keytab
KVNO Principal
---- -----------------------------------------
   2 http/proxy.mydomain.org@mydomain.org
   2 http/proxy@mydomain.org
   2 HTTP/proxy.mydomain.org@mydomain.org
   2 HTTP/proxy@mydomain.org

Works for me :-)

Related Solutions

Redhat – RHEL 5.8 Kerberos Active Directory Windows 2003 Server SP2

When using kinit with a keytab it in necessary to provide the principle you wish to authenticate as. This is probably because keytabs can contain more than one principle.

[root@dhcp2 ~]# kinit -k
kinit(v5): Cannot resolve network address for KDC in realm  while getting initial credentials
[root@dhcp2 ~]# kinit -k  host/dhcp2.domain.tld
[root@dhcp2 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/dhcp2.domain.tld@DOMAIN.TLD

Valid starting     Expires            Service principal
07/29/12 19:27:49  07/30/12 07:27:49  krbtgt/DOMAIN.TLD@DOMAIN.TLD
        renew until 07/30/12 19:27:49


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

Linux – error reading keytab file krb5.keytab

If you don't have a keytab on the host, you really aren't using Kerberos properly and are wide open to a relatively simple attack if the attacker can poison your DNS caches.

Kerberos is a shared secret system and to work effectively any server that accepts Kerberos tickets needs to have a local copy of the shared secret that the Kerberos Key Distribution Center (KDC) also has. This is what a keytab is, a local copy of the shared secret for that service.

A keytab can also be used as a cache for obtaining Kerberos Ticket-Granting-Tickets (TGTs), but that is for when you want your host to act as a client for a Kerberos server, not as a server.

pam_krb5 uses the keytab to verify that the password typed is the actual password in the KDC. If you don't have a keytab to allow this, then all you're verifying is that some machine somewhere responded to a Kerberos protocol request.

Best Answer

Related Solutions

Redhat – RHEL 5.8 Kerberos Active Directory Windows 2003 Server SP2

Linux – error reading keytab file krb5.keytab

Related Topic