Posted to dev@directory.apache.org by Josh Clum <jo...@gmail.com> on 2014/04/24 15:27:53 UTC
Manual Keytab Creation
I was wondering if there was a way to generate my own keytab in java
without going to the kdc? I found code similar to this in an ApacheDS test:
    // Build a keytab entry locally from a password-derived key (no KDC round trip)
    Keytab keytab = Keytab.getInstance();
    KerberosTime timeStamp = new KerberosTime(
        KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));

    // Derive the principal's long-term keys from its password, one per enctype
    Map<EncryptionType, EncryptionKey> keys =
        KerberosKeyFactory.getKerberosKeys(principalName, userPassword);

    KeytabEntry keytabEntry = new KeytabEntry(
        principalName,
        1L,                // principal name type (1 = KRB_NT_PRINCIPAL)
        timeStamp,
        (byte) 0,          // key version number
        keys.get(EncryptionType.DES_CBC_MD5));

    List<KeytabEntry> entry = Arrays.asList(keytabEntry);
    keytab.setEntries(entry);
    keytab.write(keytabFile);
    return keytabFile;
I'm able to run klist on a keytab that I create:
Vno Type Principal Date Aliases
0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
Also, if this is not possible, is there a way to programmatically get a
keytab using ApacheDS or any other java library?
Re: Manual Keytab Creation
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 24, 2014 at 10:10 PM, Josh Clum <jo...@gmail.com> wrote:
>
> So just looking at the ticket, I can get the following seemingly relevant
> information. I'm requesting a TGT for the principal client@EXAMPLE.COM.
> krbtgt/EXAMPLE.COM@EXAMPLE.COM is my KDC in LDAP.
>
> TgTicket serverTgt = conn.getTgt(sshPrincipal, PASSWORD);
> LOG.debug("Client name: {}", serverTgt.getClientName());
> LOG.debug("Key version: {}",
> serverTgt.getEncKdcRepPart().getKey().getKeyVersion());
> LOG.debug("Key type: {}",
> serverTgt.getEncKdcRepPart().getKey().getKeyType());
> LOG.debug("Server name: {}", serverTgt.getServerName());
> LOG.debug("Ticket Vno: {}", serverTgt.getTicket().getTktVno());
> LOG.debug("Protocol Vno: {}",
> serverTgt.getTicket().getProtocolVersionNumber());
> LOG.debug("Server Name: {}", serverTgt.getTicket().getSName());
> LOG.debug("Server Name Value Type: {}",
> serverTgt.getTicket().getSName().getNameType().getValue());
> LOG.debug("Server Name String: {}",
> serverTgt.getTicket().getSName().getNameString());
>
> Client name: client
> Key version: 0
> Key type: des-cbc-md5 (3)
> Server name: krbtgt/EXAMPLE.COM
> Ticket Vno: 5
> Protocol Vno: 5
> Server Name: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
> Server Name Value Type: 2
> Server Name String: krbtgt/EXAMPLE.COM
>
>
> For my keytab entry I need:
>
> new KeytabEntry(String princName, long principalType, KerberosTime timeStamp,
> byte keyVersion, EncryptionKey key);
>
I have fixed an issue with null starttime in the ticket and also modified
the above constructor a bit (mostly changed the type of 'principalType' to int).
I suggest you use the trunk.
> I'm guessing that creating a keytab entry for client@EXAMPLE.COM would be
> done by passing in:
>
> new KeytabEntry("client@EXAMPLE.COM", X, Y, (byte) 0, Z);
>
> where:
>
> *X = PrincType? Is there some constant defined somewhere?*
> Y = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
> Z = encryption key from TgTicket.getEncKdcRepPart()
>
> Does that sound correct? Could I then use that keytab to authenticate
> client@EXAMPLE.COM?
>
Here is the test code that I used to create a Keytab:
http://pastebin.com/3AvpSARx
For some reason yet unknown to me, when I try klist on this keytab it fails
with the error (on both Linux and OS X):
klist: krb5_cc_get_principal: Offset too large
I have verified the format of the generated keytab and it is correct.
>
> Josh
>
>
> On Thu, Apr 24, 2014 at 11:45 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>
>>
>>
>>
>> On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <jo...@gmail.com> wrote:
>>
>>> What would be the key things I would need to get from the Tgt?
>>>
>> all those that are needed to build a keytab ;)
>> (let me know if you don't find a particular piece of data in TgTicket)
>>
>>>
>>> On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <jo...@gmail.com> wrote:
>>>>
>>>>> I was wondering if there was a way to generate my own keytab in java
>>>>> without going to the kdc? I found code similar to this in an ApacheDS test:
>>>>>
>>>>> Keytab keytab = Keytab.getInstance();
>>>>> KerberosTime timeStamp = new
>>>>> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>>>>
>>>>> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>>>>> .getKerberosKeys(principalName, userPassword);
>>>>>
>>>>>
>>>>>
>>>>> KeytabEntry keytabEntry = new KeytabEntry(
>>>>> principalName,
>>>>> 1L,
>>>>> timeStamp,
>>>>> (byte) 0,
>>>>> keys.get(EncryptionType.DES_CBC_MD5));
>>>>>
>>>>> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>>>>
>>>>> keytab.setEntries(entry);
>>>>>
>>>>> keytab.write(keytabFile);
>>>>>
>>>>> return keytabFile;
>>>>>
>>>>> I'm able to run klist on a keytab that I create:
>>>>>
>>>>> Vno Type Principal Date Aliases
>>>>>
>>>>> 0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
>>>>>
>>>>>
>>>>> Also, if this is not possible, is there a way to programmatically get
>>>>> a keytab using ApacheDS or any other java library?
>>>>>
>>>> one way to do this is to use KdcConnection to obtain a TgTicket and
>>>> create KeyTab from the details of TgTicket
>>>>
>>>>
>>>>
>>>> --
>>>> Kiran Ayyagari
>>>> http://keydap.com
>>>>
>>>
>>>
>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
>
--
Kiran Ayyagari
http://keydap.com
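The thread ends with a keytab that ApacheDS wrote and klist rejected, and with the file format checked by hand. The following is an added example, not code from this thread or from ApacheDS: a small writer and a strict reader for keytab file format version 0x0502 in Python, so that a file produced by any library can be checked record by record. It assumes the MIT layout (big-endian integers, a signed 32-bit record length where a negative value marks a deleted slot, a component count that excludes the realm, a one-byte kvno followed by an optional trailing 32-bit kvno that takes precedence when non-zero) and uses a constructed eight-byte placeholder for the key of ssh/localhost@EXAMPLE.COM, matching the principal, enctype and timestamp from the first post; klist_lines reproduces the Vno/Type/Principal/Date columns shown there. One caveat for anyone assembling an entry from a ticket rather than from a password: the key inside a TGT's EncKdcRepPart is the session key for that ticket, not the principal's long-term key, and only the long-term key (what KerberosKeyFactory.getKerberosKeys derives from the password) makes a keytab entry usable for authentication.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timezone

KEYTAB_V2 = b"\x05\x02"   # file format version 2: every integer is big-endian
KRB_NT_PRINCIPAL = 1      # name type from RFC 4120
ENCTYPE_NAMES = {3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

@dataclass
class Entry:
    principal: str   # "service/host@REALM" or "user@REALM"
    name_type: int
    timestamp: int   # seconds since the Unix epoch
    kvno: int
    enctype: int
    key: bytes       # raw key bytes; only a long-term key is useful for authentication

def _counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b                 # counted_octet_string

def encode_entry(e: Entry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))                 # v2 count excludes the realm
    body += _counted(realm.encode("utf-8"))
    body += b"".join(_counted(c.encode("utf-8")) for c in comps)
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)                    # optional trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body           # a negative length marks a deleted slot

def write_keytab(entries: list) -> bytes:
    return KEYTAB_V2 + b"".join(encode_entry(e) for e in entries)

def _parse_entry(data: bytes, start: int, end: int) -> Entry:
    """Decode one record; every read is bounded by the record's declared length."""
    pos = start

    def raw(n: int) -> bytes:
        nonlocal pos
        if pos + n > end:
            raise ValueError("field runs past end of entry")
        pos += n
        return data[pos - n:pos]

    def take(fmt: str):
        return struct.unpack(fmt, raw(struct.calcsize(fmt)))

    def cstr() -> str:
        return raw(take(">H")[0]).decode("utf-8")

    (ncomp,) = take(">H")
    realm = cstr()
    comps = [cstr() for _ in range(ncomp)]
    name_type, ts, vno8 = take(">IIB")
    enctype, klen = take(">HH")
    key = raw(klen)
    kvno = vno8
    if end - pos >= 4:                                   # 32-bit kvno present; it wins when non-zero
        kvno = take(">I")[0] or vno8
    if pos != end:
        raise ValueError(f"entry declares {end - start} bytes but {pos - start} were consumed")
    return Entry("/".join(comps) + "@" + realm, name_type, ts, kvno, enctype, key)

def parse_keytab(data: bytes) -> list:
    """Strict reader: raises ValueError on any length that does not add up."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("not a 0x0502 keytab")
    pos, out = 2, []
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated record length")
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                                     # deleted slot: skip its bytes
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError(f"entry length {size} runs past end of file")
        out.append(_parse_entry(data, pos, pos + size))
        pos += size
    return out

def klist_lines(entries: list) -> list:
    """Vno / Type / Principal / Date columns, as in the klist output quoted in the thread."""
    return [f"{e.kvno} {ENCTYPE_NAMES.get(e.enctype, str(e.enctype))} {e.principal} "
            f"{datetime.fromtimestamp(e.timestamp, tz=timezone.utc):%Y-%m-%d}" for e in entries]

# Constructed sample matching the thread: ssh/localhost@EXAMPLE.COM, des-cbc-md5 (3),
# kvno 0, timestamp 20070217235745Z. The eight key bytes are a placeholder, not a real key.
SAMPLE_TS = int(datetime(2007, 2, 17, 23, 57, 45, tzinfo=timezone.utc).timestamp())
SAMPLE_ENTRY = Entry("ssh/localhost@EXAMPLE.COM", KRB_NT_PRINCIPAL, SAMPLE_TS, 0, 3, bytes(range(8)))

def demo() -> list:
    return klist_lines(parse_keytab(write_keytab([SAMPLE_ENTRY])))
```

demo() round-trips the sample through the writer and reader. To inspect a file a library produced, pass open(path, "rb").read() to parse_keytab: a ValueError names the first record whose declared length does not match the fields inside it, which is the class of defect a strict reader such as klist refuses, whereas a file that parses cleanly but still fails in klist points at the field values (principal, name type, enctype, kvno) rather than the framing.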
Re: Manual Keytab Creation
Posted by Josh Clum <jo...@gmail.com>.
So just looking at the ticket, I can get the following seemingly relevant
information. I'm requesting a TGT for the principal client@EXAMPLE.COM.
krbtgt/EXAMPLE.COM@EXAMPLE.COM is my KDC in LDAP.
    TgTicket serverTgt = conn.getTgt(sshPrincipal, PASSWORD);
    LOG.debug("Client name: {}", serverTgt.getClientName());
    LOG.debug("Key version: {}", serverTgt.getEncKdcRepPart().getKey().getKeyVersion());
    LOG.debug("Key type: {}", serverTgt.getEncKdcRepPart().getKey().getKeyType());
    LOG.debug("Server name: {}", serverTgt.getServerName());
    LOG.debug("Ticket Vno: {}", serverTgt.getTicket().getTktVno());
    LOG.debug("Protocol Vno: {}", serverTgt.getTicket().getProtocolVersionNumber());
    LOG.debug("Server Name: {}", serverTgt.getTicket().getSName());
    LOG.debug("Server Name Value Type: {}", serverTgt.getTicket().getSName().getNameType().getValue());
    LOG.debug("Server Name String: {}", serverTgt.getTicket().getSName().getNameString());
Client name: client
Key version: 0
Key type: des-cbc-md5 (3)
Server name: krbtgt/EXAMPLE.COM
Ticket Vno: 5
Protocol Vno: 5
Server Name: { name-type: KRB_NT_SRV_INST, name-string : <'krbtgt', 'EXAMPLE.COM'> }
Server Name Value Type: 2
Server Name String: krbtgt/EXAMPLE.COM
For my keytab entry I need:
new KeytabEntry(String princName, long principalType, KerberosTime timeStamp,
byte keyVersion, EncryptionKey key);
I'm guessing that creating a keytab entry for client@EXAMPLE.COM would be
done by passing in:
new KeytabEntry("client@EXAMPLE.COM", X, Y, (byte) 0, Z);
where:
*X = PrincType? Is there some constant defined somewhere?*
Y = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
Z = encryption key from TgTicket.getEncKdcRepPart()
Does that sound correct? Could I then use that keytab to authenticate
client@EXAMPLE.COM?
Josh
On Thu, Apr 24, 2014 at 11:45 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>
>
>
> On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <jo...@gmail.com> wrote:
>
>> What would be the key things I would need to get from the Tgt?
>>
> all those that are needed to build a keytab ;)
> (let me know if you don't find a particular piece of data in TgTicket)
>
>>
>> On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>>
>>>
>>>
>>>
>>> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <jo...@gmail.com> wrote:
>>>
>>>> I was wondering if there was a way to generate my own keytab in java
>>>> without going to the kdc? I found code similar to this in an ApacheDS test:
>>>>
>>>> Keytab keytab = Keytab.getInstance();
>>>> KerberosTime timeStamp = new
>>>> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>>>
>>>> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>>>> .getKerberosKeys(principalName, userPassword);
>>>>
>>>>
>>>>
>>>> KeytabEntry keytabEntry = new KeytabEntry(
>>>> principalName,
>>>> 1L,
>>>> timeStamp,
>>>> (byte) 0,
>>>> keys.get(EncryptionType.DES_CBC_MD5));
>>>>
>>>> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>>>
>>>> keytab.setEntries(entry);
>>>>
>>>> keytab.write(keytabFile);
>>>>
>>>> return keytabFile;
>>>>
>>>> I'm able to run klist on a keytab that I create:
>>>>
>>>> Vno Type Principal Date Aliases
>>>>
>>>> 0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
>>>>
>>>>
>>>> Also, if this is not possible, is there a way to programmatically get a
>>>> keytab using ApacheDS or any other java library?
>>>>
>>> one way to do this is to use KdcConnection to obtain a TgTicket and
>>> create KeyTab from the details of TgTicket
>>>
>>>
>>>
>>> --
>>> Kiran Ayyagari
>>> http://keydap.com
>>>
>>
>>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
Re: Manual Keytab Creation
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 24, 2014 at 9:06 PM, Josh Clum <jo...@gmail.com> wrote:
> What would be the key things I would need to get from the Tgt?
>
all those that are needed to build a keytab ;)
(let me know if you don't find a particular piece of data in TgTicket)
>
> On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>
>>
>>
>>
>> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <jo...@gmail.com> wrote:
>>
>>> I was wondering if there was a way to generate my own keytab in java
>>> without going to the kdc? I found code similar to this in an ApacheDS test:
>>>
>>> Keytab keytab = Keytab.getInstance();
>>> KerberosTime timeStamp = new
>>> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>>
>>> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>>> .getKerberosKeys(principalName, userPassword);
>>>
>>>
>>>
>>> KeytabEntry keytabEntry = new KeytabEntry(
>>> principalName,
>>> 1L,
>>> timeStamp,
>>> (byte) 0,
>>> keys.get(EncryptionType.DES_CBC_MD5));
>>>
>>> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>>
>>> keytab.setEntries(entry);
>>>
>>> keytab.write(keytabFile);
>>>
>>> return keytabFile;
>>>
>>> I'm able to run klist on a keytab that I create:
>>>
>>> Vno Type Principal Date Aliases
>>>
>>> 0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
>>>
>>>
>>> Also, if this is not possible, is there a way to programmatically get a
>>> keytab using ApacheDS or any other java library?
>>>
>> one way to do this is to use KdcConnection to obtain a TgTicket and
>> create KeyTab from the details of TgTicket
>>
>>
>>
>> --
>> Kiran Ayyagari
>> http://keydap.com
>>
>
>
--
Kiran Ayyagari
http://keydap.com
Re: Manual Keytab Creation
Posted by Josh Clum <jo...@gmail.com>.
What would be the key things I would need to get from the Tgt?
On Thu, Apr 24, 2014 at 9:33 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>
>
>
> On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <jo...@gmail.com> wrote:
>
>> I was wondering if there was a way to generate my own keytab in java
>> without going to the kdc? I found code similar to this in an ApacheDS test:
>>
>> Keytab keytab = Keytab.getInstance();
>> KerberosTime timeStamp = new
>> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>>
>> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
>> .getKerberosKeys(principalName, userPassword);
>>
>>
>>
>> KeytabEntry keytabEntry = new KeytabEntry(
>> principalName,
>> 1L,
>> timeStamp,
>> (byte) 0,
>> keys.get(EncryptionType.DES_CBC_MD5));
>>
>> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>>
>> keytab.setEntries(entry);
>>
>> keytab.write(keytabFile);
>>
>> return keytabFile;
>>
>> I'm able to run klist on a keytab that I create:
>>
>> Vno Type Principal Date Aliases
>>
>> 0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
>>
>>
>> Also, if this is not possible, is there a way to programmatically get a
>> keytab using ApacheDS or any other java library?
>>
> one way to do this is to use KdcConnection to obtain a TgTicket and
> create KeyTab from the details of TgTicket
>
>
>
> --
> Kiran Ayyagari
> http://keydap.com
>
Re: Manual Keytab Creation
Posted by Kiran Ayyagari <ka...@apache.org>.
On Thu, Apr 24, 2014 at 6:57 PM, Josh Clum <jo...@gmail.com> wrote:
> I was wondering if there was a way to generate my own keytab in java
> without going to the kdc? I found code similar to this in an ApacheDS test:
>
> Keytab keytab = Keytab.getInstance();
> KerberosTime timeStamp = new
> KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));
>
> Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
> .getKerberosKeys(principalName, userPassword);
>
>
>
> KeytabEntry keytabEntry = new KeytabEntry(
> principalName,
> 1L,
> timeStamp,
> (byte) 0,
> keys.get(EncryptionType.DES_CBC_MD5));
>
> List<KeytabEntry> entry = Arrays.asList(keytabEntry);
>
> keytab.setEntries(entry);
>
> keytab.write(keytabFile);
>
> return keytabFile;
>
> I'm able to run klist on a keytab that I create:
>
> Vno Type Principal Date Aliases
>
> 0 des-cbc-md5 ssh/localhost@EXAMPLE.COM 2007-02-17
>
>
> Also, if this is not possible, is there a way to programmatically get a
> keytab using ApacheDS or any other java library?
>
one way to do this is to use KdcConnection to obtain a TgTicket and create
KeyTab from the details of TgTicket
--
Kiran Ayyagari
http://keydap.com