Scripting a Kerberos Keytab instead of a password

What's all this, then?

This internal document describes how to use a Kerberos V keytab file to make the passwords used by Microsys Service Accounts harder to "shoulder surf".

By obscuring the clear text password in this manner, it is never transmitted over the wire in the clear, and it is harder for an unauthorized person to read a password out of the source code. A keytab is a password-equivalent file, but an attacker must first defeat the file system security to gain access to it.

Scope

This document and its examples are geared towards Linux machines. Though Microsoft does not call it a keytab file, it uses the same techniques for managing service account security.

Creating A Keytab

Step 1 - Make the account in AD

Use the Active Directory Users and Computers Management tool to create a user account for the UNIX or Linux service. Be sure to follow the naming guidelines for Microsys Service Accounts.

Assign the account whatever rights it needs to perform its task, following the principle of least privilege.

Optionally set the account to expire after one year.

Step 2 - export the Keytab

On the Windows machine, use the ktpass tool to set up an identity mapping for the user account. The general form of the command is:

ktpass -princ service-instance@REALM -mapuser account-name -pass password -out UNIXmachine.keytab

For our purposes, the Kerberos service-instance is the username. Kerberos also supports an optional class to identify things other than users; for example, host/fred would be a workstation named "fred" rather than a user.

An example run for an account named itd.wolfprep might look like:

ktpass -princ itd.wolfprep@UNITY.AD.NCSU.EDU -mapuser itd.wolfprep -pass password -out wolfprep.keytab

Step 3 - Move the keytab safely to the linux box

On Linux machines, it is suggested that you create an /etc/pki/krb5keys directory and store your keys there. All keys should be "chmod 600" and owned by the UNIX account meant to use them. This gives read and write access to the owner and no access to anyone else (except the root account, which has full access at all times).
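As an added example that is not part of the original document, the following shell script installs a keytab the way this step describes and then checks the result, so a service that is about to use the file can refuse a copy that was left readable by others. The service user name wolfprep, the default directory and the check on owner plus mode are assumptions of this example; it relies on GNU stat(1).

```shell
#!/bin/sh
# Added example (not from the original document): copy a keytab into
# /etc/pki/krb5keys with mode 600, owned by the service user, and verify it.
# The directory, the "wolfprep" user and the GNU stat(1) format are assumptions.

KEYTAB_DIR=${KEYTAB_DIR:-/etc/pki/krb5keys}

# keytab_perms_ok FILE OWNER
# Returns 0 when FILE is a regular file with mode exactly 0600 owned by OWNER.
keytab_perms_ok() {
    file=$1; owner=$2
    [ -f "$file" ] || return 1
    set -- $(stat -c '%a %U' "$file")      # "<octal mode> <owner name>"
    [ "$1" = "600" ] && [ "$2" = "$owner" ]
}

# install_keytab SRC OWNER [DIR]
# Copies SRC to DIR/<basename of SRC> (DIR defaults to $KEYTAB_DIR), mode 0600,
# owned by OWNER. chown needs root; when run unprivileged the copy stays owned
# by the caller and the final check reports the mismatch.
install_keytab() {
    src=$1; owner=$2; dir=${3:-$KEYTAB_DIR}
    dest=$dir/$(basename "$src")
    umask 077                      # the copy is never world-readable, not even briefly
    mkdir -p "$dir" && chmod 700 "$dir"
    cp "$src" "$dest" && chmod 600 "$dest"
    if [ "$(id -u)" = 0 ]; then chown "$owner" "$dest"; fi
    keytab_perms_ok "$dest" "$owner"
}

# Typical use, as root, after scp'ing the file from the Windows box:
#   install_keytab /root/wolfprep.keytab wolfprep
```

Run install_keytab as root so the chown succeeds; call keytab_perms_ok from any script that is about to kinit with the file, and exit if it fails, since a keytab readable by other accounts is a leaked password.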

Using a Keytab file

You can use kinit to authenticate to Kerberos with your keytab file, either from your script or from a cron job that periodically renews your Kerberos tickets.

Create a dedicated UNIX user, possibly with a shell of /bin/nologin. Set the keytab file to mode 600 (owner can read and write, nobody else can read) and have this user own it. This user will also need write access to wherever you store the credential cache (where KRB5CCNAME points).

Use kinit to acquire a Kerberos ticket for the principal from the keytab. Here is an example shell script that does this:

#!/bin/sh
# PATH=$PATH:/path/to/kerberos; export PATH

# where to store the tickets
KRB5CCNAME=/var/run/krb5cc_servicename
export KRB5CCNAME

# uncomment if you want tickets destroyed after script exits.
# trap kdestroy 0 1 2 3 5 15

# -k -t: authenticate with the key in the keytab instead of a password;
# -S: request a ticket for service/host rather than a plain TGT.
# Fail loudly if kinit fails so cron reports it instead of running on without tickets.
kinit -S service/host -k -t /path/to/keytab admin_principal || exit 1
exit 0

As an example, the itd.wolfprep account might kinit as:

kinit itd.wolfprep@UNITY.AD.NCSU.EDU -k -t /etc/wolfprep.keytab

This style of kinit should also work on a Windows server.

This authenticates to Kerberos and stores the tickets in the file named by KRB5CCNAME. Set KRB5CCNAME in the environment of any script that should use these credentials, provided it has read access to the cache (run it as the restricted user account if you are not sure).

Example: Using smbclient with a keytab

This example downloads the WolfPrep IP data in a cron job. The service principal is itd.wolfprep in AD, as created in the example above. The keytab file has been stored in /etc/pki/krb5keys/wolfprep.keytab.

# this goes after the kinit in the script above

cd /srv/samba/wolfprep/ipdata
smbclient -k //uni04nt.unity.ad.ncsu.edu/wolfprep -c "cd ipdata;prompt off;lowercase on;mget * ; quit"

# if you want, you can kdestroy here.

The -k option tells smbclient to use the Kerberos tickets already in place rather than prompting for a username or password. The -c option passes a command string that is executed as if it had been typed at the smbclient prompt.

For this script to work, you must share the directory \\uni04nt\wolfprep and assign the user itd.wolfprep read rights to it.
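As an added example that is not part of the original document, here is a complete version of the cron job described in this section (the kinit script above plus the smbclient step). It authenticates from the keytab, refuses to run if the keytab is readable by anyone but its owner, confirms with klist -s that a ticket was actually obtained, runs the fetch, and destroys the tickets when the job ends. The account, share and keytab path are the ones from the text; the environment overrides (KINIT, KLIST, KDESTROY, SMBCLIENT, CCACHE_DIR, RUN_WOLFPREP_JOB) and the use of GNU stat(1) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the original document's script: a cron job that
# authenticates from a keytab and then runs the smbclient fetch, with the
# checks a service script should make before trusting its credentials.
# Assumptions: the itd.wolfprep account and share from the text, the keytab at
# /etc/pki/krb5keys/wolfprep.keytab, and that the Kerberos/Samba binaries may
# be overridden through the environment (handy for testing without a KDC).

KINIT=${KINIT:-kinit}
KLIST=${KLIST:-klist}
KDESTROY=${KDESTROY:-kdestroy}
SMBCLIENT=${SMBCLIENT:-smbclient}

PRINCIPAL=${PRINCIPAL:-itd.wolfprep@UNITY.AD.NCSU.EDU}
KEYTAB=${KEYTAB:-/etc/pki/krb5keys/wolfprep.keytab}
SERVICE=${SERVICE:-wolfprep}
SHARE=${SHARE:-//uni04nt.unity.ad.ncsu.edu/wolfprep}
DEST=${DEST:-/srv/samba/wolfprep/ipdata}

# Private credential cache, named per service so two jobs running as different
# accounts never share tickets. CCACHE_DIR defaults to /var/run as in the text.
ccache_for() {
    printf '%s/krb5cc_%s\n' "${CCACHE_DIR:-/var/run}" "$1"
}

# keytab_mode_ok FILE: refuse a keytab that anyone but the owner can read.
keytab_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = 600 ]
}

# acquire_ticket: kinit from the keytab into KRB5CCNAME, then confirm with
# `klist -s`, which exits non-zero when the cache holds no valid ticket.
acquire_ticket() {
    KRB5CCNAME=$(ccache_for "$SERVICE"); export KRB5CCNAME
    keytab_mode_ok "$KEYTAB" || { echo "refusing: $KEYTAB is not mode 600" >&2; return 2; }
    "$KINIT" -k -t "$KEYTAB" "$PRINCIPAL" || { echo "kinit failed for $PRINCIPAL" >&2; return 1; }
    "$KLIST" -s || { echo "no valid ticket in $KRB5CCNAME after kinit" >&2; return 1; }
}

# fetch_ipdata: the job itself. -k uses the tickets in KRB5CCNAME; -c runs the
# commands as if typed at the smbclient prompt.
fetch_ipdata() {
    cd "$DEST" || return 1
    "$SMBCLIENT" -k "$SHARE" -c "cd ipdata;prompt off;lowercase on;mget *;quit"
}

main() {
    umask 077                                  # cache file is created owner-only
    acquire_ticket || return $?
    trap '"$KDESTROY" >/dev/null 2>&1' 0 1 2 15   # tickets die with the job
    fetch_ipdata
}

# Run the job only when asked to, so the functions can also be sourced.
if [ "${RUN_WOLFPREP_JOB:-0}" = 1 ]; then
    main
fi
```

Schedule it from the restricted service user's crontab with RUN_WOLFPREP_JOB=1 in the environment. The mode check runs before kinit is ever invoked, and klist -s catches the case where kinit returned but no usable ticket landed in the cache, so smbclient is never started with stale or missing credentials.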


About Microsys | Accessibility in our Services | Feedback | Microsys RSS Feeds | April 20, 2007