login script to use machine password for kinit to obtain ticket at login
Your question could be tagged as a duplicate of that one, but to eliminate any remaining confusion, let's start with a clear statement: SIMULATING AN INTERACTIVE PASSWORD ENTRY IN A SCRIPT IS PURE EVIL.
Moreover, there is a proper way to automatically create a Kerberos ticket -- it can be used to authenticate Linux services at boot time, for example.
- Step 0: run `klist -e` to list the encryption algorithm(s) that have been negotiated with the KDC -- for example "aes256-cts-hmac-sha1-96" and "arcfour-hmac". NB: that legacy Arc4 is still legit in many corporate Active Directory directories, yuck.
- Step 1: create a keytab file for your principal with `ktutil` (tutorial here for instance), adding one entry per encryption algorithm.
- Step 2: immediately after creating the keytab file, restrict access to the file with `chmod`, otherwise anyone could use the file to "steal your Kerberos identity".
- Step 3: use `kinit -kt <path/to/keytab_file> <principal@REALM>` to authenticate without entering the password.
- Step 4: you can run `kinit -R` periodically to request a ticket renewal (that renewal does not require a password) -- provided that you have a renewable ticket, that it has not expired yet, and that you did not reach the max renewable limit (see below).
Side note: the encryption algos used by `kinit` match what is configured in your local /etc/krb5.conf under permitted_enctypes, default_tkt_enctypes and default_tgs_enctypes -- provided that the Kerberos server (KDC) accepts these algorithms.
Side note: the ticket created by `kinit` has a lifetime configured in /etc/krb5.conf under ticket_lifetime -- provided that it does not exceed the KDC limit (usually 10h). The renewable lifetime is under renew_lifetime -- provided etc. (a zero lifetime means the ticket will be marked as non-renewable).
By the way, if your Linux box uses SSSD authentication backed by Active Directory, you can activate automatic creation & renewal of your Kerberos ticket with properties such as:
ldap_krb5_init_creds = True
krb5_ccname_template = FILE:/tmp/krb5cc_%U
krb5_lifetime = 86400
krb5_renewable_lifetime = 604800
krb5_renew_interval = 7200
kidmose
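The keytab procedure above (Steps 0 to 4), as an added shell example that is not part of the original answer: it parses the negotiated enctypes out of `klist -e`, prints the matching `ktutil` commands to paste at the `ktutil:` prompt (so the password is typed interactively and never stored), refuses to use a keytab that anyone else could read, logs in with `kinit -kt`, and renews with `kinit -R`, falling back to the keytab when renewal is no longer possible. The sample `klist -e` output, the principal `alice@EXAMPLE.ORG`, the kvno 3 and the keytab path are constructed assumptions; the script assumes MIT Kerberos tools and GNU `stat`.

```shell
#!/bin/sh
# Added example, not from the original answer. Assumes MIT Kerberos (klist, ktutil, kinit)
# and GNU stat (Linux). Principal, kvno and paths used below are illustrative assumptions.
set -eu

# Constructed sample of `klist -e` output (real output indents the renew lines with a tab),
# so the parser can be exercised without a KDC.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
06/05/2022 08:00:00  06/05/2022 18:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
    renew until 06/12/2022 08:00:00, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
06/05/2022 08:00:05  06/05/2022 18:00:00  host/fileserver.example.org@EXAMPLE.ORG
    renew until 06/12/2022 08:00:00, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Step 0: read `klist -e` on stdin and print each negotiated enctype once.
enctypes_from_klist() {
  awk '/Etype \(skey, tkt\): / {
         sub(/.*Etype \(skey, tkt\): /, "")
         n = split($0, e, ", ")
         for (i = 1; i <= n; i++) print e[i]
       }' | sort -u
}

# Step 1: print the ktutil commands for one keytab entry per enctype.
# Paste them at the "ktutil:" prompt; each addent then asks for the password
# interactively, so it is never written to disk. The kvno must match the key
# version the KDC holds for the principal (the kvno(1) tool shows it).
ktutil_commands() {
  principal=$1; kvno=$2; keytab=$3; shift 3
  for enctype in "$@"; do
    printf 'addent -password -p %s -k %s -e %s\n' "$principal" "$kvno" "$enctype"
  done
  printf 'wkt %s\nquit\n' "$keytab"
}

# Step 2: a keytab is a password equivalent; accept only owner-only modes (0600 or 0400).
keytab_is_private() {
  mode=$(stat -c '%a' "$1")
  [ "$mode" = "600" ] || [ "$mode" = "400" ]
}

# Step 3: obtain a TGT from the keytab, refusing a keytab that others could read.
keytab_login() {
  keytab=$1; principal=$2
  if ! keytab_is_private "$keytab"; then
    echo "refusing $keytab: run chmod 600 on it first" >&2
    return 1
  fi
  kinit -kt "$keytab" "$principal"
}

# Step 4: renew while the ticket is still valid, renewable and under its renew limit;
# when kinit -R fails for any of those reasons, re-authenticate from the keytab instead.
renew_or_relogin() {
  kinit -R 2>/dev/null || keytab_login "$1" "$2"
}

case "${1:-}" in
  enctypes)        klist -e | enctypes_from_klist ;;
  ktutil-commands) shift; ktutil_commands "$@" ;;
  login)           keytab_login "$2" "$3" ;;
  renew)           renew_or_relogin "$2" "$3" ;;   # run this one from cron or a systemd timer
esac
```

Typical use: while you still hold a password-obtained ticket, run `./krb-keytab.sh enctypes`, pass its output to `./krb-keytab.sh ktutil-commands alice@EXAMPLE.ORG 3 ~/.krb5.keytab ...`, start `ktutil` interactively and paste the lines (setting `umask 077` beforehand makes the file private from the moment `wkt` creates it), then schedule `./krb-keytab.sh renew ~/.krb5.keytab alice@EXAMPLE.ORG`. The permission check runs before every `kinit -kt`, not only once at creation, so a keytab that was later loosened is caught.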
Updated on June 05, 2022

Comments

- kidmose almost 2 years
I synchronised my passwords/passphrases for logging in to my machine, unlocking my ssh keyfile (`~/.ssh/id_rsa`, see man ssh-keygen) and for Kerberos. When I log in, I enter the password once to access my local machine account, and as a bonus my ssh key file is also unlocked. I'd like to also automate my Kerberos authentication, which also uses the same password. Essentially, I want a secure way to achieve the equivalent effect of putting this in my `~/.bash_profile`:

```bash
# PASSWORD SHOULD NEVER BE HARDCODED - FOR EXPLANATION PURPOSE ONLY
PASSWORD="qwerty"   # NEVER DO THIS!!!
# kinit takes the principal as a positional argument and reads the password from stdin
echo "$PASSWORD" | kinit "$KRBUSR"
```

Any suggestions? Insights as to how the keyfile is unlocked?