This article lists common Kerberos administration commands, kept as a memo. The platform is CentOS 6.
1. Package Installation
yum install krb5-libs krb5-workstation krb5-server
2. Configuration files (default locations for PivotalHD)
/var/kerberos/krb5kdc/kdc.conf
/etc/krb5.conf
/var/kerberos/krb5kdc/kadm5.acl
3. KDC database administration (kdb5_util)
kdb5_util allows an administrator to perform maintenance procedures on the KDC database.
Back up the KDC database. The dump contains every principal's key data (encrypted under the master key), so keep the dump file as tightly permissioned as the database itself.
[root@admin]# kdb5_util dump -verbose /backup/kdc.dump
HTTP/hdm.xxx.com@OPENKBINFO.COM
HTTP/hdw1.xxx.com@OPENKBINFO.COM
HTTP/hdw2.xxx.com@OPENKBINFO.COM
Then you can use "strings" to check the content of the dump file:
strings /backup/kdc.dump
Restore KDC database
kdb5_util load /backup/kdc.dump
Add a new master key
Adds a new master key to the master key principal, but does not mark it as active.
[root@admin]# kdb5_util add_mkey
Creating new master key for master key principal 'K/M@OPENKBINFO.COM'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
List all master keys
List all master keys, from most recent to earliest, in the master key principal.
[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/M@OPENKBINFO.COM
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969 *
Activate a new master key
Once a master key becomes active, it will be used to encrypt newly created principal keys.
kdb5_util use_mkey mkeyVNO [time]
eg:
[root@admin]# kdb5_util use_mkey 2
[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/M@OPENKBINFO.COM
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969
Re-encrypt all principal keys under the new master key
Update all principal records (or only those matching the princ-pattern glob pattern) to re-encrypt the key data using the active database master key, if they are encrypted using a different version, and give a count at the end of the number of principals updated.
[root@admin]# kdb5_util update_princ_encryption -v -n
Principals whose keys WOULD BE re-encrypted to master key vno 2:
would update: HTTP/hdm.xxx.com@OPENKBINFO.COM
(......)
would update: yarn/hdw3.xxx.com@OPENKBINFO.COM
22 principals processed: 22 would be updated, 0 already current
[root@admin]# kdb5_util update_princ_encryption -v
Re-encrypt all keys not using master key vno 2?
(type 'yes' to confirm)? yes
Principals whose keys are being re-encrypted to master key vno 2 if necessary:
updating: HTTP/hdm.xxx.com@OPENKBINFO.COM
skipping: HTTP/hdm.xxx.com@OPENKBINFO.COM
updating: HTTP/hdw1.xxx.com@OPENKBINFO.COM
(......)
23 principals processed: 22 updated, 1 already current
Create the stash file for the new master key, replacing the existing one
[root@admin]# kdb5_util stash /var/kerberos/krb5kdc/.k5.OPENKBINFO.COM
Using existing stashed keys to update stash file.
Delete old master keys
Delete master keys from the master key principal that are not used to protect any principals.
[root@admin]# kdb5_util purge_mkeys -v -n
Would purge the follwing master key(s) from K/M@OPENKBINFO.COM:
KVNO: 1
1 key(s) would be purged.
[root@admin]# kdb5_util purge_mkeys -v
Will purge all unused master keys stored in the 'K/M@OPENKBINFO.COM' principal, are you sure?
(type 'yes' to confirm)? yes
OK, purging unused master keys from 'K/M@OPENKBINFO.COM'...
Purging the follwing master key(s) from K/M@OPENKBINFO.COM:
KVNO: 1
1 key(s) purged.
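The add_mkey / use_mkey / update_princ_encryption / stash / purge_mkeys sequence above is easy to cut short, so here is an added example (not from the original memo) of a gate that confirms the rotation finished, i.e. the expected master key is active and no principal is still under an old one, before the stash is replaced and the old key purged. It parses what the two kdb5_util commands print; the sample outputs embedded in the script are constructed.

```shell
#!/bin/sh
# Added example, not from the original memo: a pre-purge gate for the master
# key rotation above. It parses what "kdb5_util list_mkeys" and
# "kdb5_util update_princ_encryption -v -n" print, so it can be pointed at the
# real commands; the samples embedded here are constructed for offline use.

# Constructed "kdb5_util list_mkeys" output after "use_mkey 2" (older kdb5_util
# prints "KNVO", as in the memo; newer releases print "KVNO").
LIST_MKEYS_SAMPLE='Master keys for Principal: K/M@OPENKBINFO.COM
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969'

# Constructed dry-run output before and after the re-encryption step.
DRYRUN_PENDING_SAMPLE='Principals whose keys WOULD BE re-encrypted to master key vno 2:
would update: HTTP/hdm.xxx.com@OPENKBINFO.COM
would update: yarn/hdw3.xxx.com@OPENKBINFO.COM
22 principals processed: 22 would be updated, 0 already current'
DRYRUN_DONE_SAMPLE='Principals whose keys WOULD BE re-encrypted to master key vno 2:
23 principals processed: 0 would be updated, 23 already current'

# Print the KVNO of the active master key: the line list_mkeys marks with "*".
# The pattern accepts both the "KNVO" and the "KVNO" spelling of the label.
active_mkey_vno() {
    printf '%s\n' "$1" | sed -n 's/^K[NV][NV]O: \([0-9][0-9]*\),.*\*$/\1/p'
}

# Print how many principals the dry run says are still under an old master key.
pending_reencrypt_count() {
    printf '%s\n' "$1" | sed -n 's/^[0-9][0-9]* principals processed: \([0-9][0-9]*\) would be updated.*/\1/p'
}

# Return 0 only when the expected master key is active and nothing is pending.
# Output that cannot be parsed fails closed (non-zero return).
rotation_complete() {
    expected_vno=$1; mkeys_out=$2; dryrun_out=$3
    [ "$(active_mkey_vno "$mkeys_out")" = "$expected_vno" ] || return 1
    [ "$(pending_reencrypt_count "$dryrun_out")" = "0" ] || return 1
}

# Live usage on the KDC (not run here):
#   rotation_complete 2 "$(kdb5_util list_mkeys)" \
#       "$(kdb5_util update_princ_encryption -v -n)" && kdb5_util purge_mkeys -v
```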
Create a new database
kdb5_util create -s
Destroy a database
kdb5_util destroy
4. Principal administration (kadmin.local)
List principals
kadmin.local: list_principals yarn*
yarn/hdm.xxx.com@OPENKBINFO.COM
yarn/hdw1.xxx.com@OPENKBINFO.COM
yarn/hdw2.xxx.com@OPENKBINFO.COM
yarn/hdw3.xxx.com@OPENKBINFO.COM
Viewing a Principal's Attributes
kadmin.local: getprinc yarn/hdm.xxx.com
Principal: yarn/hdm.xxx.com@OPENKBINFO.COM
Expiration date: [never]
Last password change: Sat Jun 07 14:49:36 PDT 2014
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jun 10 15:49:49 PDT 2014 (K/M@OPENKBINFO.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 2
Attributes:
Policy: [none]
Creating a New Principal
kadmin.local: addprinc mysuperman/admin@OPENKBINFO.COM
WARNING: no policy specified for mysuperman/admin@OPENKBINFO.COM; defaulting to no policy
Enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Re-enter password for principal "mysuperman/admin@OPENKBINFO.COM":
Principal "mysuperman/admin@OPENKBINFO.COM" created.
Change the Password for a Principal
kadmin.local: cpw tim@OPENKBINFO.COM
Enter password for principal "tim@OPENKBINFO.COM":
Re-enter password for principal "tim@OPENKBINFO.COM":
Password for "tim@OPENKBINFO.COM" changed.
Or use kpasswd:
[root@admin ~]# kpasswd duncan2
Password for duncan2@OPENKBINFO.COM:
Enter new password:
Enter it again:
Delete a Principal
kadmin.local: delete_principal testuser
Are you sure you want to delete the principal "testuser@OPENKBINFO.COM"? (yes/no): yes
Principal "testuser@OPENKBINFO.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
Rename a Principal
kadmin.local: rename_principal duncan duncan2
Are you sure you want to rename the principal "duncan@OPENKBINFO.COM" to "duncan2@OPENKBINFO.COM"? (yes/no): yes
Principal "duncan@OPENKBINFO.COM" renamed to "duncan2@OPENKBINFO.COM".
Make sure that you have removed the old principal from all ACLs before reusing.
Modify a Principal to use Policy
kadmin.local: modify_principal -policy testpolicy duncan2
Principal "duncan2@OPENKBINFO.COM" modified.
Unlock a Principal
kadmin.local: modify_principal -unlock duncan2
Principal "duncan2@OPENKBINFO.COM" modified.
5. Policy administration
Create a Policy
kadmin.local: add_policy -minclasses 1 -minlength 5 -maxlife "999 days" -maxfailure 3 testpolicy
List policies
kadmin.local: list_policies
testpolicy
Modify a Policy
kadmin.local: modify_policy -minlength 3 testpolicy
Viewing a Kerberos Policy's Attributes
kadmin.local: get_policy testpolicy
Policy: testpolicy
Maximum password life: 86313600
Minimum password life: 0
Minimum password length: 3
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
Maximum password failures before lockout: 3
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00
Delete a Policy
kadmin.local: delete_policy testpolicy
6. Keytab administration
Add Principals to a Keytab
kadmin.local: ktadd -norandkey -k /tmp/tmp.keytab duncan2@OPENKBINFO.COM
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/tmp.keytab.
Display the Key List (Principals) in a Keytab File
[root@admin ~]# klist -kt /tmp/tmp.keytab
Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
Remove a Key List (Principal) from a Keytab File
kadmin.local: ktremove -k /tmp/tmp.keytab duncan2@OPENKBINFO.COM
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal duncan2@OPENKBINFO.COM with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Authentication using Keytab
kinit -kt /etc/security/phd/keytab/hdfs.service.keytab hdfs/hdm.xxx.com@OPENKBINFO.COM
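The most common reason a kinit -kt like the one above fails is a stale keytab: a cpw, or a ktadd without -norandkey, moves the principal's kvno on at the KDC while the distributed keytab still holds the old version. The following added example (not from the original memo) checks a keytab against the KDC by parsing what "klist -kt" and kadmin "getprinc" print; the sample outputs embedded in it are constructed.

```shell
#!/bin/sh
# Added example, not from the original memo: check that a keytab still holds
# the key version (kvno) the KDC has for its principal. A kadmin "cpw", or a
# "ktadd" without -norandkey, moves the KDC's kvno on, and a keytab left behind
# fails at kinit -kt. This parses what "klist -kt" and kadmin "getprinc" print;
# the samples below are constructed.

# Constructed "klist -kt /tmp/tmp.keytab" output (two enctypes, both kvno 1).
KLIST_SAMPLE='Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM
   1 06/10/14 22:08:00 duncan2@OPENKBINFO.COM'

# Constructed "getprinc duncan2" output after one password change (now vno 2).
GETPRINC_SAMPLE='Principal: duncan2@OPENKBINFO.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
MKey: vno 2'

# Print the distinct kvnos the keytab holds for one principal.
keytab_kvnos() {   # $1 = klist -kt output, $2 = principal name
    printf '%s\n' "$1" | awk -v p="$2" '$4 == p { print $1 }' | sort -un
}

# Print the current kvno on the KDC: the highest "Key: vno N" line, since a
# policy that keeps old keys can leave lower versions listed as well.
kdc_kvno() {       # $1 = getprinc output
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\),.*/\1/p' | sort -un | tail -1
}

# Return 0 when the keytab contains the KDC's current kvno for the principal;
# fails closed when the getprinc output could not be parsed.
keytab_current() { # $1 = klist -kt output, $2 = getprinc output, $3 = principal
    want=$(kdc_kvno "$2")
    [ -n "$want" ] || return 1
    keytab_kvnos "$1" "$3" | grep -qx "$want"
}

# Live usage on the KDC (not run here):
#   keytab_current "$(klist -kt /tmp/tmp.keytab)" \
#       "$(kadmin.local -q 'getprinc duncan2')" duncan2@OPENKBINFO.COM \
#       || echo 'stale keytab: re-run ktadd and redistribute it'
```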
7. Credential cache administration
List Principals in Credential Cache
[root@admin ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tim@OPENKBINFO.COM
Valid starting Expires Service principal
06/10/14 22:24:22 06/11/14 22:24:22 krbtgt/OPENKBINFO.COM@OPENKBINFO.COM
renew until 06/17/14 22:24:22
Destroy Credential Cache
Note: this destroys only the current user's credential cache; other users' caches under /tmp are untouched.
[testuser@admin ~]$ ls -altr /tmp/krb5*
-rw-------. 1 root root 741 Jun 10 22:24 /tmp/krb5cc_0
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# kdestroy
[root@admin ~]# ls -altr /tmp/krb*
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
8. Kerberos services
KDC service
/etc/init.d/krb5kdc start
kadmin service
/etc/init.d/kadmin start