
I synchronised my passwords/passphrases for logging in to my machine, unlocking my ssh keyfile (~/.ssh/id_rsa, see man ssh-keygen) and for kerberos. When I log in, I enter the password once to access my local machine account, and as a bonus my ssh key file is also unlocked.

I'd like to also automate my kerberos authentication, which also uses the same password. Essentially, I want a secure way to achieve the equivalent effect of putting this in my `~/.bash_profile`:

```sh
# PASSWORD SHOULD NEVER BE HARDCODED - FOR EXPLANATION PURPOSE ONLY
PASSWORD="qwerty" # NEVER DO THIS!!!
# kinit takes the principal as a positional argument (there is no -u option)
# and reads the password from stdin when it is not a terminal
echo "$PASSWORD" | kinit "$KRBUSR"
```

Any suggestions? Insights as to how the keyfile is unlocked?

kidmose

2 Answers

12

Your question could be tagged as duplicate of that one, but to eliminate any remaining confusion, let's start with a clear statement: SIMULATING AN INTERACTIVE PASSWORD ENTRY IN A SCRIPT IS PURE EVIL.

Moreover, there is a proper way to automatically create a Kerberos ticket -- it can be used to authenticate Linux services at boot time, for example.

  • Step 0: run klist -e to list the encryption algorithm(s) that have been negotiated with the KDC -- for example "aes256-cts-hmac-sha1-96" and "arcfour-hmac"
    NB: that legacy Arc4 is still legit in many corporate Active Directory directories, yuck
  • Step 1: create a keytab file for your principal, with ktutil (tutorial here for instance), adding one entry per encryption algorithm
  • Step 2: immediately after creating the keytab file, restrict access to the file with chmod, otherwise anyone could use the file to "steal your Kerberos identity"
  • Step 3: use kinit -kt <path/to/keytab_file> <principal@REALM> to authenticate without entering the password
  • Step 4: you can run kinit -R periodically to request a ticket renewal (that renewal does not require a password) -- provided that you have a renewable ticket, that it has not expired yet, and that you did not reach the max renewable limit (see below)


Side note: the encryption algos used by kinit match what is configured in your local /etc/krb5.conf under permitted_enctypes and default_tkt_enctypes and default_tgs_enctypes -- provided that the Kerberos server (KDC) accepts these algorithms.

Side note: the ticket created by kinit has a lifetime configured in /etc/krb5.conf under ticket_lifetime -- provided that it does not exceed the KDC limit (usually 10h).
The renewable lifetime is under renew_lifetime -- provided etc. (a zero-lifetime means the ticket will be marked as non-renewable)


By the way, if your Linux box uses SSSD authentication backed by Active Directory, you can activate automatic creation & renewal of your Kerberos ticket with properties such as:

```ini
ldap_krb5_init_creds = True
krb5_ccname_template = FILE:/tmp/krb5cc_%U
krb5_lifetime           =  86400
krb5_renewable_lifetime = 604800
krb5_renew_interval     =   7200
```
Samson Scharfrichter
  • Sorry for not making it clear that the snippet was to illustrate my goal: I don't want to interact with kerberos at all - authentication should happen in the background. Updated accordingly. – kidmose Aug 30 '16 at 12:14
  • I disagree with your suggestion for a duplicate: My question is different (At least what I had in my head.. This might be clearer now that I edited the question). The solution is however the same. Still I'd say http://unix.stackexchange.com/questions/12021/automatic-kerberos-ticket-initialization-on-login is of better quality and should thus be the reference – kidmose Aug 30 '16 at 12:18
  • Won't the renewal lifetime impose a need for me to now and then repeat step 1? Then your solution merely offers a trade-off between how difficult it is to authenticate vs. how often it has to be done. It doesn't eliminate the authentication step by reusing the password entered to log in and unlock the ssh key. – kidmose Aug 30 '16 at 12:28
  • @kidmose: yes, my answer assumes that you use short-lived interactive sessions. If you want the ticket to be renewed in the background, just use **two CRON jobs** -- one that re-creates the ticket (using keytab) every Sunday noon, and one that renews the ticket every 8 hours. Assuming the standard 10h / 7d lifetimes. – Samson Scharfrichter Aug 30 '16 at 17:07
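The steps above and the two cron jobs from the comment thread, put together as one script. This is an added example, not code from the answer or its author; it assumes MIT Kerberos tools, the principal alice@EXAMPLE.COM, a keytab at $HOME/.krb5/alice.keytab, the enctypes aes256-cts-hmac-sha1-96 and arcfour-hmac (take yours from `klist -e`), and key version number 1. The password is read from the terminal once, fed to ktutil on stdin, and never written to disk or put on a command line; the keytab itself is the long-lived secret, which is why the script refuses to continue unless it ends up mode 0600.

```sh
#!/bin/sh
# Added example (not from the original answer): create a user keytab with
# ktutil, lock it down, get a TGT from it with kinit -kt, and print the cron
# jobs that keep the ticket alive.  All names below are assumptions.
PRINCIPAL="alice@EXAMPLE.COM"
KEYTAB="$HOME/.krb5/alice.keytab"
KVNO=1                                  # assumed; check with your KDC admin
ENCTYPES="aes256-cts-hmac-sha1-96 arcfour-hmac"   # from `klist -e`

# Step 1: emit the ktutil command script.  One "addent -password" per
# enctype, each followed by the password line that its prompt consumes
# (MIT ktutil reads commands and the password prompt from the same stdin),
# then write the keytab and quit.  Nothing here touches argv or the disk.
ktutil_script() {
    principal=$1; keytab=$2; kvno=$3; password=$4; shift 4
    for enctype in "$@"; do
        printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$enctype"
        printf '%s\n' "$password"
    done
    printf 'wkt %s\nquit\n' "$keytab"
    unset password
}

# Step 2 check: the keytab must be a regular file with mode 0600; anyone who
# can read it owns the principal until the key changes.
keytab_mode_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")   # GNU, then BSD stat
    [ "$mode" = "600" ]
}

# Steps 1-2: read the password with echo off, write the keytab under a
# restrictive umask (wkt appends to an existing file, so remove the old one),
# then tighten and verify the mode.
create_keytab() {
    mkdir -p "$(dirname "$KEYTAB")"
    rm -f "$KEYTAB"
    printf 'Password for %s: ' "$PRINCIPAL"
    trap 'stty echo 2>/dev/null' INT TERM
    stty -echo; read -r PASSWORD; stty echo; echo
    ( umask 077; ktutil_script "$PRINCIPAL" "$KEYTAB" "$KVNO" "$PASSWORD" $ENCTYPES | ktutil )
    unset PASSWORD
    chmod 600 "$KEYTAB"
    keytab_mode_ok "$KEYTAB" || { echo "refusing to continue: $KEYTAB is not mode 0600" >&2; return 1; }
}

# Step 3: authenticate from the keytab, no password involved.
get_ticket() {
    kinit -kt "$KEYTAB" "$PRINCIPAL" && klist
}

# Step 4 plus the comment thread's two cron jobs, for the usual 10h ticket /
# 7d renewable limits: renew every 8 hours (falling back to the keytab if the
# ticket already expired), and re-create from the keytab every Sunday noon
# before the renewable lifetime runs out.  Cron uses the default ccache, so
# KRB5CCNAME must not point elsewhere for the interactive session.
renew_crontab() {
    printf '0 */8 * * * kinit -R || kinit -kt %s %s\n' "$1" "$2"
    printf '0 12 * * 0 kinit -kt %s %s\n' "$1" "$2"
}

case "${1:-}" in
    create) create_keytab && get_ticket ;;
    cron)   renew_crontab "$KEYTAB" "$PRINCIPAL" ;;   # pipe into `crontab -`
    "")     ;;
    *)      echo "usage: $0 create|cron" >&2; exit 2 ;;
esac
```

Run `./keytab.sh create` once per password change (the keytab stops working when the password, and therefore the key, changes), and `./keytab.sh cron | crontab -` to install the renewal jobs. Heimdal's ktutil has a different command syntax (`ktutil -k FILE add -p PRINCIPAL -e ENCTYPE -V KVNO`), so the ktutil_script part is MIT-specific.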
0

This should be solvable with PAM: https://unix.stackexchange.com/questions/12021/automatic-kerberos-ticket-initialization-on-login

I've had no success though. Possibly because my user names don't match between local machine and kerberos or because I use the heimdal implementation of kerberos.

kidmose