Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

Jonathan Calmels jcalmels at nvidia.com
Thu Nov 9 04:05:19 EST 2023


I finally had some time to implement this so here is the link if someone's interested: https://github.com/NVIDIA/sybil

This is a PoC which essentially does what was suggested in this thread. The service can forge TGTs or cross-realm TGTs, although I found the latter less useful since most tools can't deal with those on their own.

I'm sure this can be improved further, but it seems to do the job for the scenario I described initially.

Hopefully, somebody finds it useful. Also, contributions are welcomed if somebody has a slightly different use case in mind.

________________________________
From: Jeffrey Hutzelman <jhutz at cmu.edu>
Sent: Friday, October 28, 2022 5:30:41 AM
To: Greg Hudson <ghudson at mit.edu>
Cc: Russ Allbery <eagle at eyrie.org>; Jonathan Calmels via Kerberos <kerberos at mit.edu>; Jonathan Calmels <jcalmels at nvidia.com>
Subject: Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)


Ah, I didn't realize MIT Kerberos had grown the "KDB" keytab method.  That's similar to Jonathan's idea of using the kadmin libraries to extract the client's key from the kdb, but doesn't require wiring custom code. It does require colocating with a KDC, but I agree with Russ; it's probably best to do that anyway.

-- Jeff

On Fri, Oct 28, 2022, 00:06 Greg Hudson <ghudson at mit.edu> wrote:
On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> You don't need libkadm5 for any of this -- all you need to print a service
> ticket (even a TGT) is the service's key. Heimdal comes with a program,
> kimpersonate, which does this and could easily be used as a basis for your
> impersonation service.

MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC
is still in the loop, but no password or keytab for the user is
required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)
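The "KDB:" keytab method Greg describes keeps the KDC in the loop and, as Jeff notes, only works on a host colocated with a KDC, so every TGT obtained this way shows up in the KDC log as an AS_REQ originating from a KDC's own address. The following detection sketch, added here as an example and not part of this thread or the sybil project, scans krb5kdc ISSUE lines for exactly that pattern and separately flags cross-realm TGTs ("-S krbtgt/OTHERREALM") requested from a KDC host. The KDC address set and the log lines are constructed for the example; the line shape follows the MIT krb5kdc "ISSUE" format but is an approximation, not output captured from a real KDC.

```python
import re
from dataclasses import dataclass

# Addresses from which the KDC processes themselves talk to the KDC.
# Assumption: constructed for this example; fill in with your KDC hosts.
KDC_ADDRESSES = {"127.0.0.1", "::1", "10.0.0.2"}

# Approximation of an MIT krb5kdc ISSUE line:
#   AS_REQ (4 etypes {...}) <client-addr>: ISSUE: authtime <t>, etypes {...}, <client> for <server>
ISSUE_RE = re.compile(
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): ISSUE: authtime \d+, "
    r"etypes \{[^}]*\}, (?P<client>\S+) for (?P<server>\S+)"
)

# Constructed sample log lines (not from a real KDC).
SAMPLE_LOG = [
    # ordinary user login from a workstation: not interesting
    "Oct 28 00:06:01 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "ISSUE: authtime 1666929961, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    # user TGT obtained from the KDC host itself (what kinit -k -t KDB: produces)
    "Oct 28 00:06:05 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: "
    "ISSUE: authtime 1666929965, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    # cross-realm TGT obtained from the KDC host (kinit -k -t KDB: -S krbtgt/OTHER.REALM)
    "Oct 28 00:06:09 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.2: "
    "ISSUE: authtime 1666929969, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/OTHER.REALM@EXAMPLE.COM",
    # the KDC host's own service principal logging in: expected
    "Oct 28 00:06:12 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 127.0.0.1: "
    "ISSUE: authtime 1666929972, etypes {rep=18 tkt=18 ses=18}, host/kdc1.example.com@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    # a service ticket request: TGS_REQ, not an initial ticket
    "Oct 28 00:06:20 kdc1 krb5kdc[1234](info): TGS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: "
    "ISSUE: authtime 1666929961, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web.example.com@EXAMPLE.COM",
    # a failure line with no ISSUE field: ignored by the parser
    "Oct 28 00:06:30 kdc1 krb5kdc[1234](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.7: "
    "PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed",
]


@dataclass
class Finding:
    client: str
    server: str
    addr: str
    reason: str


def split_principal(principal):
    """Split 'name/instance@REALM' into ('name/instance', 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def classify(req, addr, client, server, kdc_addresses):
    """Return a reason string if this ISSUE event matches a KDB-keytab pattern, else None."""
    # Only initial tickets (AS_REQ) that come from a KDC host are of interest here.
    if req != "AS_REQ" or addr not in kdc_addresses:
        return None
    cname, crealm = split_principal(client)
    sname, _ = split_principal(server)
    # A TGT for a realm other than the client's own realm is a cross-realm TGT.
    if sname.startswith("krbtgt/") and sname[len("krbtgt/"):] != crealm:
        return "cross-realm TGT for %s obtained from a KDC host" % sname[len("krbtgt/"):]
    # Service principals (name/instance) logging in from the KDC host are expected;
    # a plain user principal doing so is the pattern kinit -k -t KDB: produces.
    if "/" not in cname:
        return "initial ticket for user principal obtained from a KDC host"
    return None


def analyse(lines, kdc_addresses=KDC_ADDRESSES):
    """Parse krb5kdc ISSUE lines and return the findings in log order."""
    findings = []
    for line in lines:
        m = ISSUE_RE.search(line)
        if not m:
            continue
        reason = classify(m["req"], m["addr"], m["client"], m["server"], kdc_addresses)
        if reason:
            findings.append(Finding(m["client"], m["server"], m["addr"], reason))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print("%s -> %s from %s: %s" % (f.client, f.server, f.addr, f.reason))
```

The user-versus-service split on "/" is a heuristic: tune `KDC_ADDRESSES` and the principal exclusions to the realm, since an admin legitimately running kinit on a KDC host will trip the first rule, and a KDC that is also a client of a foreign realm may legitimately request cross-realm TGTs.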
