Passwordless access to kadmin?
Marcus Watts
mdw at spam.ifs.umich.edu
Tue Jul 17 15:45:24 EDT 2007
> Date: Tue, 17 Jul 2007 10:29:39 PDT
> To: kerberos at mit.edu
> From: Russ Allbery <rra at stanford.edu>
> Subject: Re: Passwordless access to kadmin?
>
> "Bryan K. Wright" <bryan at ayesha.phys.virginia.edu> writes:
>
> > But as a side-effect of this, I can then no longer
> > get into kadmin by typing "kadmin -p root/admin" and supplying
> > a password. If I try, kadmin tells me the password is bad.
>
> Yes, when you create a keytab for a principal, it randomizes the
> password.
>
> > What do I need to do to make both of these work?
>
> Don't use the same account for interactive use and for scripted use.
> Instead, create a new principal for scripted use and add it to kadm5.acl.
What Russ says is best practice, and you should go do that.
Sharing passwords between users is bad enough. Sharing passwords
with machine principals really sucks.
Just so that you don't think this is the fault of the software,
it *is* possible to set up a principal that can authenticate to kadmind
either via a keytab or via a password. Here's how:
/1/ create the principal:
spam% /usr/sbin/kadmin -p admin at DOGS.UMICH.EDU -r DOGS.UMICH.EDU
Authenticating as principal admin at DOGS.UMICH.EDU with password.
Password for admin at DOGS.UMICH.EDU:
kadmin: ank -e aes256-cts:normal -pw this.is.a.password demopwkt
WARNING: no policy specified for demopwkt at DOGS.UMICH.EDU; defaulting to no policy
Principal "demopwkt at DOGS.UMICH.EDU" created.
kadmin: quit
/2/ make a keytab
spam% /usr/sbin/ktutil
ktutil: addent -password -p demopwkt at DOGS.UMICH.EDU -k 1 -e aes256-cts
Password for demopwkt at DOGS.UMICH.EDU: this.is.a.password
ktutil: wkt /tmp/demopwkt.ktab
ktutil: q
spam%
/3/ test the keytab (optional, but recommended)
spam% kinit -k -t /tmp/demopwkt.ktab demopwkt at DOGS.UMICH.EDU
spam% kdestroy
/4/ run kadmin with the keytab:
spam% /usr/sbin/kadmin -p demopwkt at DOGS.UMICH.EDU -r DOGS.UMICH.EDU -k -t /tmp/demopwkt.ktab
Authenticating as principal demopwkt at DOGS.UMICH.EDU with keytab /tmp/demopwkt.ktab.
kadmin: getprinc admin
get_principal: Operation requires ``get'' privilege while retrieving "admin at DOGS.UMICH.EDU".
kadmin: getprinc demopwkt
Principal: demopwkt at DOGS.UMICH.EDU
Expiration date: [never]
Last password change: Tue Jul 17 15:25:39 EDT 2007
Password expiration date: [none]
Maximum ticket life: 4 days 04:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jul 17 15:25:39 EDT 2007 (admin at DOGS.UMICH.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: quit
spam%
It is also possible, although not especially useful, to authenticate
using a credentials cache:
spam% kinit -k -t /tmp/demopwkt.ktab -S kadmin/admin at DOGS.UMICH.EDU demopwkt at DOGS.UMICH.EDU
spam% /usr/sbin/kadmin -r DOGS.UMICH.EDU -c FILE:/tmp/krb5cc_25131_czrBQ2
Authenticating as principal demopwkt at DOGS.UMICH.EDU with existing credentials.
kadmin: quit
Administration credentials NOT DESTROYED.
spam% klist -5
Ticket cache: FILE:/tmp/krb5cc_25131_czrBQ2
Default principal: demopwkt at DOGS.UMICH.EDU
Valid starting Expires Service principal
07/17/07 15:33:26 07/17/07 18:33:26 kadmin/admin at DOGS.UMICH.EDU
renew until 07/18/07 15:33:26
spam%
A kadmin/admin ticket isn't good for getting more service tickets, and you
can't get a kadmin/admin ticket using a krbtgt (since DISALLOW_TGT_BASED is set.)
Note that I forced the key type to be one value. In a typical realm,
users will default to having multiple key types. This will complicate things.
Also, of course, demopwkt isn't a kerberos administrator (not in kadm5.acl)
so has very limited rights. And, of course, you don't need to do this.
-Marcus Watts
More information about the Kerberos
mailing list