Linux ksu (kerberized super user) command fails to use cached service (host) tickets... how can I do this?

Fabiano Tarlao ftarlao at gmail.com
Thu Nov 9 05:10:12 EST 2017


P.S.: I posted the same question on Server Fault
<https://serverfault.com/questions/882476/linux-ksu-kerberized-super-user-command-fails-to-use-cached-service-host-tic>
but got no response.

The questions are at the end.

*About my environment*

I have tried in two different environments: (i) a Linux Ubuntu 16.04 LTS
server enrolled in an Active Directory (Microsoft) domain and (ii) a Linux
Ubuntu 16.04 LTS server enrolled in a FreeIPA realm.

*What I would like to do*

I'm trying to use the *ksu*
<http://web.mit.edu/Kerberos/krb5-latest/doc/user/user_commands/ksu.html>
command to log in on the current host (*authdemo4.addemo.it*) as another
user: *kservice*. In detail, I'm trying (i) to obtain a service ticket for
user *kservice* for the host *authdemo4.addemo.it*, (ii) to save the ticket
in an MIT cache file */media/public/krb_kservice*, and (iii) to provide this
ticket to the *ksu* command in order to log in as *kservice*.


*It should be possible (?)*

The MIT *ksu* documentation states that using a service ticket from a cache
file is possible; let me quote:

Otherwise, ksu looks for an appropriate Kerberos ticket in the source
cache. The ticket can either be for the end-server or a ticket granting
ticket (TGT) for the target principal’s realm. If the ticket for the
end-server is already in the cache, it’s decrypted and verified. If it’s
not in the cache but the TGT is, the TGT is used to obtain the ticket for
the end-server. The end-server ticket is then verified.

*My experiments and results*

When using the TGT Kerberos ticket for *kservice*, it works like a charm:

$ kinit -c /media/public/krb_kservice kservice
Password for kservice@ADDEMO.IT:
$ ksu kservice -n kservice@ADDEMO.IT -c FILE:/media/public/krb_kservice
Authenticated kservice@ADDEMO.IT
Account kservice: authorization for kservice@ADDEMO.IT successful
Changing uid to kservice (50006)
groups: cannot find name for group ID 50024
kservice@authdemo4:/home/userlab$

This is the cache content, there is only the TGT:

$ klist -c /media/public/krb_kservice
Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT

Valid starting       Expires              Service principal
11/08/2017 11:44:07  11/08/2017 21:44:07  krbtgt/ADDEMO.IT@ADDEMO.IT
        renew until 11/09/2017 11:44:03

When trying with the end-server Kerberos ticket (service ticket) it fails:
*ksu* ignores the cached ticket and asks for the user's password:

$ kinit -S HOST/authdemo4.addemo.it@ADDEMO.IT -c /media/public/krb_kservice kservice
Password for kservice@ADDEMO.IT:
$ ksu kservice -n kservice@ADDEMO.IT -c FILE:/media/public/krb_kservice
WARNING: Your password may be exposed if you enter it here and are
logged in remotely using an unsecure (non-encrypted) channel.
Kerberos password for kservice@ADDEMO.IT:

This is the cache content, there is only the service ticket:

$ klist -f -c /media/public/krb_kservice
Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT

Valid starting       Expires              Service principal
11/08/2017 13:51:05  11/08/2017 23:51:05  HOST/authdemo4.addemo.it@ADDEMO.IT
        renew until 11/09/2017 13:51:02, Flags: FPRIA

It is a proxiable, forwardable, renewable, initial, preauthenticated ticket.

In brief: *my attempt with the end-server service ticket doesn't work*.

*I have tried* to change the kinit request: I have changed the service
principal name parts to uppercase/lowercase, with and without the domain,
HOST -> host, and so on, but *it keeps failing*.

I checked the *ksu* Kerberos requests to the DC with Wireshark in order to
find differences from my requested service ticket. The service name is the
same, "*HOST/authdemo4.addemo.it*"; *ksu* adds the *canonicalize* flag to
the request and asks the TGS for the ticket, while *kinit* sends the
request to the AS :-(

*Questions*

They overlap a bit :-)

   - Is there a way to populate a Kerberos cache file with a service ticket
   (for the host) that is compatible with *ksu*?
   - I have read about the *kvno*
   <http://web.mit.edu/tsitkova/www/build/krb_users/user_commands/kvno.html>
   command but I have failed to use it; the documentation does not suffice
   (for me) and there are no usage examples around. Can you explain to me
   how to use it?
   - Are there alternatives to the *kvno* command for performing service
   ticket requests to the TGS (and putting the result into a cache file)?
   - Am I doing something wrong? Any tip?

Regards
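Added example (the editor's own, not part of the original post and not code from MIT Kerberos): a small POSIX shell script that reads klist -f output and reports which of the branches quoted from the ksu documentation a cache would satisfy (end-server ticket present, TGT only, or neither), alongside the kinit + kvno sequence that populates a cache with a TGT and a host service ticket fetched from the TGS. The klist listings it parses are constructed to match the two caches shown above; the cache path, user principal, host principal name (host/authdemo4.addemo.it@ADDEMO.IT) and realm are taken from the post and are assumptions for any other environment. The kvno step is defined but not executed, because it needs a reachable KDC and the kservice password.

```shell
#!/bin/sh
# Added example (editor's own, not from the original post or from MIT Kerberos).
# Assumptions: the cache path, user principal, host principal and realm are the
# ones named in the post; kinit/kvno/klist are the MIT Kerberos client tools.

CCACHE=/media/public/krb_kservice
USER_PRINC=kservice@ADDEMO.IT
HOST_PRINC=host/authdemo4.addemo.it@ADDEMO.IT
REALM=ADDEMO.IT

# Constructed klist -f listings shaped like the two caches in the post, plus
# the state kvno leaves behind (TGT and host ticket together).
SAMPLE_TGT_ONLY='Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT

Valid starting       Expires              Service principal
11/08/2017 11:44:07  11/08/2017 21:44:07  krbtgt/ADDEMO.IT@ADDEMO.IT
        renew until 11/09/2017 11:44:03, Flags: FRIA'

SAMPLE_HOST_ONLY='Ticket cache: FILE:/media/public/krb_kservice
Default principal: kservice@ADDEMO.IT

Valid starting       Expires              Service principal
11/08/2017 13:51:05  11/08/2017 23:51:05  HOST/authdemo4.addemo.it@ADDEMO.IT
        renew until 11/09/2017 13:51:02, Flags: FPRIA'

SAMPLE_BOTH="$SAMPLE_TGT_ONLY
11/08/2017 11:44:09  11/08/2017 21:44:07  host/authdemo4.addemo.it@ADDEMO.IT
        renew until 11/09/2017 11:44:03, Flags: FRAT"

# Service principals present in a klist listing, one per line. Ticket rows are
# the only rows whose fifth whitespace-separated field contains an '@'.
cache_principals() {
    printf '%s\n' "$1" | awk 'NF >= 5 && $5 ~ /@/ { print $5 }'
}

# Flags recorded on the line that follows a given ticket row ("" if none).
ticket_flags() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $5 == p { found = 1; next }
        found && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
        found { exit }'
}

# Which branch of the quoted ksu documentation a cache satisfies for a host
# principal ($2) in realm ($3):
#   end-server : the ticket for the end server is already in the cache
#   tgt        : only a TGT, which ksu would use to fetch the end-server ticket
#   none       : neither, so there is nothing to verify from the cache
# Matching is exact and case-sensitive: a row for HOST/... does not satisfy a
# lookup for host/... here.
ksu_ticket_path() {
    if cache_principals "$1" | grep -qxF "$2"; then
        echo end-server
    elif cache_principals "$1" | grep -qxF "krbtgt/$3@$3"; then
        echo tgt
    else
        echo none
    fi
}

# The kvno route to a populated cache: kinit obtains the TGT from the AS, then
# kvno asks the TGS for the host ticket and stores it in the same cache. kvno
# does not talk to the AS itself, so the cache must already hold a TGT.
# Not called below: it needs a reachable KDC and the kservice password.
fetch_host_ticket() {
    kinit -c "$CCACHE" "$USER_PRINC" &&
    kvno -c "$CCACHE" "$HOST_PRINC" &&
    klist -f -c "$CCACHE"
}

for listing in "$SAMPLE_TGT_ONLY" "$SAMPLE_HOST_ONLY" "$SAMPLE_BOTH"; do
    echo "cache holds: $(cache_principals "$listing" | tr '\n' ' ')"
    echo "  ksu path for $HOST_PRINC: $(ksu_ticket_path "$listing" "$HOST_PRINC" "$REALM")"
done
```

Run as is, the script only classifies the three constructed listings. On the enrolled host, calling fetch_host_ticket populates /media/public/krb_kservice with both krbtgt/ADDEMO.IT@ADDEMO.IT and the host ticket (klist -f -c /media/public/krb_kservice will list them), after which ksu kservice -n kservice@ADDEMO.IT -c FILE:/media/public/krb_kservice can be retried against that cache.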
