Question
I synchronised my passwords/passphrases for logging in to my machine, unlocking my ssh keyfile (`~/.ssh/id_rsa`, see `man ssh-keygen`) and for kerberos.
When I log in, I enter the password once to access my local machine account, and as a bonus my ssh key file is also unlocked.
I'd like to also automate my kerberos authentication, which also uses the same password. Essentially, I want a secure way to achieve the equivalent effect of putting this in my `~/.bash_profile`:

```sh
# PASSWORD SHOULD NEVER BE HARDCODED - FOR EXPLANATION PURPOSE ONLY
PASSWORD="qwerty" # NEVER DO THIS!!!
echo "$PASSWORD" | kinit -u "$KRBUSR"
```
Any suggestions? Insights as to how the keyfile is unlocked?
Answer 1:
Your question could be tagged as a duplicate of that one, but to eliminate any remaining confusion, let's start with a clear statement: SIMULATING AN INTERACTIVE PASSWORD ENTRY IN A SCRIPT IS PURE EVIL.
Moreover, there is a proper way to automatically create a Kerberos ticket -- it can be used to authenticate Linux services at boot time, for example.
- Step 0: run `klist -e` to list the encryption algorithm(s) that have been negotiated with the KDC -- for example "aes256-cts-hmac-sha1-96" and "arcfour-hmac". NB: that legacy Arc4 is still legit in many corporate Active Directory directories, yuck.
- Step 1: create a keytab file for your principal, with `ktutil` (tutorial here for instance), adding one entry per encryption algorithm.
- Step 2: immediately after creating the keytab file, restrict access to the file with `chmod`, otherwise anyone could use the file to "steal your Kerberos identity".
- Step 3: use `kinit -kt <path/to/keytab_file> <principal@REALM>` to authenticate without entering the password.
- Step 4: you can run `kinit -R` periodically to request a ticket renewal (that renewal does not require a password) -- provided that you have a renewable ticket, that it has not expired yet, and that you did not reach the max renewable limit (see below).
Side note: the encryption algos used by `kinit` match what is configured in your local /etc/krb5.conf under `permitted_enctypes`, `default_tkt_enctypes` and `default_tgs_enctypes` -- provided that the Kerberos server (KDC) accepts these algorithms.
Side note: the ticket created by `kinit` has a lifetime configured in /etc/krb5.conf under `ticket_lifetime` -- provided that it does not exceed the KDC limit (usually 10h). The renewable lifetime is under `renew_lifetime` -- provided etc. (a zero lifetime means the ticket will be marked as non-renewable).
By the way, if your Linux box uses SSSD authentication backed by Active Directory, you can activate automatic creation & renewal of your Kerberos ticket with properties such as:

```ini
ldap_krb5_init_creds = True
krb5_ccname_template = FILE:/tmp/krb5cc_%U
krb5_lifetime = 86400
krb5_renewable_lifetime = 604800
krb5_renew_interval = 7200
```
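The keytab procedure from the answer above (Steps 0 to 3), as an added shell example that is not part of the original post: it reduces `klist -e` output to the negotiated enctypes, prints the `ktutil` commands for one entry per enctype, and refuses to run `kinit -kt` until the keytab passes the Step 2 permission check. The principal `alice@EXAMPLE.COM`, kvno 1, the sample klist output and the `keytab_is_private` guard are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes MIT Kerberos ktutil/kinit on the host;
# the principal, kvno and the sample klist output below are constructed for illustration.
# Constructed stand-in for `klist -e` output (Step 0): one TGT with two negotiated enctypes.
sample_klist() {
  printf '%s\n' \
    'Ticket cache: FILE:/tmp/krb5cc_1000' \
    'Default principal: alice@EXAMPLE.COM' \
    '' \
    'Valid starting       Expires              Service principal' \
    '01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM' \
    '        renew until 01/08/2024 09:00:00' \
    '        Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac'
}

# Step 0: reduce `klist -e` output (read from stdin) to a sorted, de-duplicated enctype list.
enctypes_from_klist() {
  awk '/Etype \(skey, tkt\)/ { sub(/.*: /, ""); n = split($0, a, /, /)
                               for (i = 1; i <= n; i++) print a[i] }' | sort -u
}

# Step 1: print the ktutil commands that add one entry per enctype and write the keytab.
# Type them into an interactive `ktutil` session; it prompts for the password itself.
# Usage: ktutil_script PRINCIPAL KVNO KEYTAB ENCTYPE...
ktutil_script() {
  principal=$1; kvno=$2; keytab=$3; shift 3
  for enc in "$@"; do
    printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$enc"
  done
  printf 'wkt %s\nquit\n' "$keytab"
}

# Step 2 check: the keytab must be a regular file with no group/other permission bits
# (ls -l columns 5-10 are the group and other triplets).
keytab_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 3, guarded: refuse to use a keytab that anyone else could read, since that
# keytab is exactly the "stolen Kerberos identity" the answer warns about.
kinit_from_keytab() {
  keytab=$1; principal=$2
  if ! keytab_is_private "$keytab"; then
    echo "refusing: $keytab is missing or readable by group/other; chmod 600 it first" >&2
    return 1
  fi
  kinit -kt "$keytab" "$principal"
}
```

On a real host, run `klist -e | enctypes_from_klist`, feed the result to `ktutil_script` under `umask 077`, and only then call `kinit_from_keytab`.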
Answer 2:
This should be solvable with PAM: https://unix.stackexchange.com/questions/12021/automatic-kerberos-ticket-initialization-on-login
I've had no success though. Possibly because my user names don't match between local machine and kerberos or because I use the heimdal implementation of kerberos.
Source: https://stackoverflow.com/questions/39221465/login-script-to-use-machine-password-for-kinit-to-obtain-ticket-at-login