Linux – How to force kerberos to use in memory credential cache

kerberoslinuxmitkerberossingle-sign-onssh

MIT Kerberos supports multiple types of credential cache to store tickets
.

For example, if I want to use a persistent keyring per-user in kernel memory I can add the following to krb5.conf.

[libdefaults]
    default_ccache_name = KEYRING:persistent:%{uid}

One of the options is a ccache in process memory.

How do I enable this option?

Best Answer

As explained in the linked document, the memory cache is using MEMORY keyword so the following should do the job:

 default_ccache_name = MEMORY:

But note that this type of ccache will be destroyed once the process exits. Note that : needs to be present, otherwise it will try to store the ticket in the file called MEMORY in current working directory.

The Problem

If we had run KRB5_TRACE=/dev/stderr kinit HostServiceAccount@REALM.COM back when the account was enabled for only RC4-HMAC encryption, we would have seen this line in the output:

[8192] 1441829478.537451: Selected etype info: etype rc4-hmac, salt "", params ""

Now that we have AES256 enabled, though, that line looks like this:

[8200] 1441829508.947208: Selected etype info: etype aes256-cts, salt "REALM.COMHostServiceAccount", params ""

When the switch was made from NTLM authentication to Kerberos, the RC4-HMAC algorithm was specified to reuse the NTLM hash. Microsoft declined to put a salt into the hash to make it easier for existing systems to interoperate with Kerberos. Now that users have the opportunity to upgrade, a salt is specified for the AES256 and AES128 algorithms, and the salt is the user name.

We can see this if we generate keytabs for RC4-HMAC and AES256 using different usernames. With RC4-HMAC:

fluggo@host:~$ ktutil
ktutil:  add_entry -password -p HTTP/host.example.com@REALM.COM -k 1 -e rc4-hmac
Password for HTTP/host.example.com@REALM.COM: 12345
ktutil:  add_entry -password -p HostServiceAccount@REALM.COM -k 1 -e rc4-hmac
Password for HostServiceAccount@REALM.COM: 12345
ktutil:  write_kt rc4.keytab
ktutil:  q
fluggo@host:~$ klist -Kek rc4.keytab
Keytab name: FILE:rc4.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/host.example.com@REALM.COM (arcfour-hmac)  (0x7a21990fcd3d759941e45c490f143d5f)
   1 HostServiceAccount@REALM.COM (arcfour-hmac)  (0x7a21990fcd3d759941e45c490f143d5f)

...the hash is the same, so these two entries are equivalent. But with AES256:

fluggo@host:~$ ktutil
ktutil:  add_entry -password -p HTTP/host.example.com@REALM.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for HTTP/host.example.com@REALM.COM: 12345
ktutil:  add_entry -password -p HostServiceAccount@REALM.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for HostServiceAccount@REALM.COM: 12345
ktutil:  write_kt aes.keytab
ktutil:  q
fluggo@host:~$ klist -Kek aes.keytab
Keytab name: FILE:aes.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 HTTP/host.example.com@REALM.COM (aes256-cts-hmac-sha1-96)  (0x5746fa6f9b0c990ba7fb20acd85065040d66e843a043508569841768ef2b7917)
   1 HostServiceAccount@REALM.COM (aes256-cts-hmac-sha1-96)  (0x6a98fdccbce4db77f40192f4e916e0900a1b9cba2f6ca8bc737d968e4b961c25)

...the hashes are different. The principal name matters, and it needs to match the UPN of the account.

A Solution

Since the username must be correct for the keytab to work, we generate a new keytab with the principal name Active Directory uses on the ticket:

# rm /etc/apache2/service.keytab
# ktutil
ktutil:  add_entry -password -p HostServiceAccount@REALM.COM -k 1 -e aes256-cts-hmac-sha1-96
Password for HostServiceAccount@REALM.COM: <enter password here>
ktutil:  add_entry -password -p HostServiceAccount@REALM.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for HostServiceAccount@REALM.COM: <enter password here>
ktutil:  write_kt /etc/apache2/service.keytab
ktutil:  q
# chown -v www-data:root /etc/apache2/service.keytab
# chmod -v 440 /etc/apache2/service.keytab

Apache cares about the principal name in the keytab, and so it won't find these entries on its own. Instead, we just direct Apache to use whatever working principal it can find:

KrbServiceName Any

I wanted Apache to find the principal by the correct name, but it hardly matters since our principals are the only ones in the keytab.

Restart Apache, refresh the page, and the authentication should work now.

Windows – Kerberos SSO from outside the domain

I recently got KERBEROS working from a VPN-connected workstation that's not joined to the domain (an AWS-managed Server 2008R2 Active Directory). The key was adding the SRV and corresponding A records to public DNS so that the worksation could resolve _kerberos._tcp.dc._msdcs.mydomain.mydomain.com to the DC's local VPC address on port 88 (note mydomain twice is not a mistake).

Kerberos clients get tickets using the domain credentials stored in the Windows Credentials Manager. Adding the realm via ksetup wasn't necessary.

Best Answer

Related Solutions

Linux – Enabling AES-encrypted single sign-on to Apache in a Win2008 domain

The Problem

A Solution

Windows – Kerberos SSO from outside the domain

Related Topic