Kerberos kinit enter password without prompt

Question

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the \"password flag\". I am not sure how

Answer 1

Create a keytab using "ktutil"

> ktutil   
ktutil:  addent -password -p username@domain.com -k 1 -e rc4-hmac   
Password for username@domain.com: [enter your password]  
ktutil:  addent -password -p username@domain.com -k 1 -e aes256-cts  
Password for username@domain.com: [enter your password]   
ktutil:  wkt username.keytab   
ktutil:  quit


    # Below steps will will create a keytab for the user, move it into a secure directory, 
and automatically get a ticket when the user logs in with a bash shell

mkdir /home/username/keytabs 
chmod 700 /home/username/keytabs 
mv username.keytab /home/username/keytabs 
chmod 600 /home/username/keytabs/username.keytab 
echo "kinit -kt /home/username/keytabs/username.keytab username@domain.com" >> /home/username/.bash_profile

Command to pass keytab and login

kinit username@domain.com -k -t /path/to/username.keytab

Reference link hortonworks kb.iu.edu

Answer 2

Also you can

$ echo 'password' | kinit username

Answer 3

You might be able to depending on exactly which kinit you are using, but it's an extremely bad idea. Anyone on that system can read the process table and ARGV for any command and thus your password is exposed.

Most implementations of kinit do not support this for exactly this reason.

It's not completely clear are you on a Window's box or a Unix one?

Either way, the correct way to handle this problem is to use a keytab.

Keytabs store the key for a principal ( not the password ). In kerberos the password is used to generate a more random key that is actually used in the cryptographic exchange. The command for creating/manipulating keytabs is usually

ktutil

Answer 4

There are 2 popular Kerberos client packages: MIT and Heimdal. Heimdal is what comes with MacOS, but MIT is the reference implementation. On Heimdal clients, you can use the --password-file flag:

$ kinit --password-file=~/mypasswordfile test@REALM

This avoids leaking the password to the process list as it, "reads the password from the first line of filename."

You can alternatively do

--password-file=STDIN

and pipe it in, ex cat password_file | kinit --password-file=STDIN test@REALM.

NOTE: This avoids leaking the password via the ps output.

On MacOS you can also use the keychain option. You can check the type of client you have with kinit --version. If the --version flag is unrecognized, you most likely have a MIT client; the Heimdal clients seem too recognize the flag and report a version.

Note that Ubuntu switched the default from a Heimdal implementation to the MIT one between 14.04 and 16.04. Also, generally speaking, the two packages conflict with one another.

Answer 5

Use a keytab for that principal!

In detail: How do I a service keytab.

There are multiple ways, but I will assume the following: You are running Active Directory as your KDC implementation, you backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc. You have also MIT Kerberos or Heimdal installed and the krb5.conf is properly configured.

Install msktutil(1) via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.

Now run mskutil:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
  --old-account-password <password> --dont-change-password --keytab <path>

Replace samAccountName and password with your data. Leave out dont-change-password if you are fine with autogenerated passwords. Adjust path where you want to store the keytab file.

Sample run:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
>   --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
 -- execute: Skipping creation of new password
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
 -- validate: Found DC: dc01.ad.example.com. Checking availability...
 -- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: uawet8er
 -- try_machine_password: Trying to authenticate for uawet8er with password
 -- create_default_machine_password: Default machine password for uawet8er is uawet8er
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
 -- try_machine_password: Authentication with password failed
 -- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
 -- finalize_exec: Authenticated using method 6
 -- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: uawet8er@AD.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
 -- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
 -- ldap_check_account: Checking that a service account for uawet8er exists
 -- ldap_check_account: Checking service account - found
 -- ldap_check_account: Found userAccountControl = 0x200
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found User Principal: uawet8er
 -- ldap_check_account_strings: Inspecting (and updating) service account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
 -- ldap_get_kvno: KVNO is 8
 -- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
 -- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
 -- update_keytab: Updating all entries for uawet8er
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_keytab_entries: Trying to add missing entries for uawet8er to keytab

Now check your keytab with kinit:

$ kinit  -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: uawet8er@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
24.07.2019 13:15:45  24.07.2019 23:15:45  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        erneuern bis 25.07.2019 13:15:45

This keytab is now ready to be used with your login.conf for JGSS or with KRB5_CLIENT_KTNAME and MIT Kerberos.