
The workstation

As we have seen, all it takes is to install the krb5-user package on it.

Next, we copy onto it the /etc/krb5.conf file we created on the KDC, without changing anything in it, at least for now.

Various checks

Finally, we just have to verify that all of this does the job:

root@pchris:~# kinit -V chris
Password for chris@MAISON.MRS: 
Authenticated to Kerberos v5

It looks like it does. Let's check with klist:

root@pchris:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: chris@MAISON.MRS

Valid starting     Expires            Service principal
02/13/10 17:31:13  02/14/10 03:31:13  krbtgt/MAISON.MRS@MAISON.MRS
	renew until 02/14/10 17:31:10

The « Service principal » krbtgt/MAISON.MRS@MAISON.MRS: we now know where it comes from. It indicates here that chris holds a ticket giving access to the « ticket granting tickets » service. A little more patience; we need the complete factory before its full meaning becomes clear.

root@pchris:~# kdestroy
root@pchris:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Destruction of the tickets obtained.

root@pchris:~# kadmin -p chris/admin
Authenticating as principal chris/admin with password.
Password for chris/admin@MAISON.MRS: 
kadmin:  list_principals
K/M@MAISON.MRS
chris/admin@MAISON.MRS
chris@MAISON.MRS
kadmin/admin@MAISON.MRS
kadmin/changepw@MAISON.MRS
kadmin/history@MAISON.MRS
kadmin/kerberos.maison.mrs@MAISON.MRS
krbtgt/MAISON.MRS@MAISON.MRS
kadmin:  quit
root@pchris:~# 

The kadmin command works correctly from the client. All is well.

Perhaps this is the moment to start looking closely at what happens when we invoke the kinit command? Let's look at it with our usual wireshark 1).

The kinit

No.     Time        Source                Destination           Protocol Info
      1 0.000000    pchris.maison.mrs     kerberos.maison.mrs   KRB5     AS-REQ
      2 0.000590    kerberos.maison.mrs   pchris.maison.mrs     KRB5     KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
      3 2.763186    pchris.maison.mrs     kerberos.maison.mrs   KRB5     AS-REQ
      4 2.766187    kerberos.maison.mrs   pchris.maison.mrs     KRB5     AS-REP

AS-REQ, that much we understand: it is a request to the authentication server. But the server does not like it; it wants a pre-authentication. We need to look more closely.

Frame 1 (211 bytes on wire, 211 bytes captured)
...
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
            .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name (Principal): chris
            Name-type: Principal (1)
            Name: chris
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        from: 2010-02-13 19:09:50 (UTC)
        till: 2010-02-14 19:09:50 (UTC)
        Nonce: 140992433
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

The user presents the name of their principal, indicating in which realm (MAISON.MRS) and which type of ticket (TGT) they are asking for. They also indicate which encryption algorithms they are able to handle.

There is no encrypted part in this request, nor is there any password. Very simple, then.
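The KDCOptions field in the dump above is worth a closer look: KerberosFlags is an ASN.1 BIT STRING in which bit 0 is the most significant bit of the 32-bit value, which is why the value 0x00000010 that Wireshark prints corresponds to bit 27, Renewable OK. The following decoder is an added example written for this page, not code from the original or from any Kerberos implementation; the flag names are the ones Wireshark prints in the capture (bits 11, 14 and 15 carry Wireshark's names rather than names from RFC 4120 itself), and the DER encoding assumed for the field is the short-form BIT STRING that a 32-bit flag set produces.

```python
"""Decode and encode the KDCOptions flags of a Kerberos AS-REQ (RFC 4120 section 5.4.1).

KerberosFlags is an ASN.1 BIT STRING: bit 0 is the most significant bit of the
32-bit value, so the 0x00000010 shown in the capture is bit 27 (renewable-ok).
"""
from typing import Dict, Iterable, List

# Bit numbers and the names Wireshark printed for them in the capture.
KDC_OPTION_BITS: Dict[int, str] = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 14: "constrained-delegation", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}
_BIT_BY_NAME: Dict[str, int] = {name: bit for bit, name in KDC_OPTION_BITS.items()}


def decode_kdc_options(value: int) -> List[str]:
    """Names of the set bits, in bit order; an undefined set bit is reported as 'bitN'."""
    if not 0 <= value < 2 ** 32:
        raise ValueError("KDCOptions is a 32-bit value")
    names = []
    for bit in range(32):
        if value & (1 << (31 - bit)):          # bit 0 is the MSB
            names.append(KDC_OPTION_BITS.get(bit, f"bit{bit}"))
    return names


def encode_kdc_options(names: Iterable[str]) -> int:
    """Build the 32-bit value from flag names; unknown names are rejected."""
    value = 0
    for name in names:
        if name not in _BIT_BY_NAME:
            raise ValueError(f"unknown KDCOptions flag: {name}")
        value |= 1 << (31 - _BIT_BY_NAME[name])
    return value


def kdc_options_from_der(der: bytes) -> int:
    """Extract the 32-bit flag value from a short-form DER BIT STRING.

    Layout: 0x03, length, unused-bit count, then the bits MSB first.
    RFC 4120 requires at least 32 bits; shorter strings are padded on the right.
    """
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, content = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    nbits = len(content) * 8 - unused
    bits = int.from_bytes(content, "big") >> unused
    if nbits < 32:
        bits <<= 32 - nbits                    # pad missing trailing bits with zeros
    elif nbits > 32:
        bits >>= nbits - 32                    # keep only the first 32 bits
    return bits


def kdc_options_to_der(value: int) -> bytes:
    """Encode a 32-bit flag value as a DER BIT STRING with no unused bits."""
    if not 0 <= value < 2 ** 32:
        raise ValueError("KDCOptions is a 32-bit value")
    return b"\x03\x05\x00" + value.to_bytes(4, "big")


if __name__ == "__main__":
    # The AS-REQ of frame 1 carried KDCOptions 0x00000010.
    print(decode_kdc_options(0x00000010))
    # Constructed value: what a forwardable, renewable request would look like.
    print(decode_kdc_options(encode_kdc_options(["forwardable", "renewable", "renewable-ok"])))
```

Reading the flags this way makes it obvious that the request in the capture asked for nothing beyond accepting a renewed ticket: no forwardable, proxiable or renewable TGT was requested, which matches the absence of those flags in the klist output earlier.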

Yes, but there it is: Cerberus will not hear of it, not with that ear (nor with the other five).

Frame 2 (297 bytes on wire, 297 bytes captured)
...
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 1974-06-20 20:33:53 (UTC)
    stime: 2010-02-13 19:09:50 (UTC)
    susec: 737204
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Client Realm: MAISON.MRS
    Client Name (Principal): chris
        Name-type: Principal (1)
        Name: chris
    Realm: MAISON.MRS
    Server Name (Unknown): krbtgt/MAISON.MRS
        Name-type: Unknown (0)
        Name: krbtgt
        Name: MAISON.MRS
    e-text: NEEDED_PREAUTH
    e-data
        padata: PA-ENC-TIMESTAMP Unknown:136 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
            Type: PA-ENC-TIMESTAMP (2)
                Value: 
            Type: Unknown (136)
                Value: 
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30153005A0030201123005A0030201173005A003020110 aes256-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Encryption type: rc4-hmac (23)
                    Encryption type: des3-cbc-sha1 (16)
            Type: PA-SAM-RESPONSE (13)
                Value: 
            Type: Unknown (133)
                Value: 4D4954

This is not a real error; the AS simply wants to receive a pre-authentication first. See the relevant RFCs if you really want to get to the bottom of things:

The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.

In short, the client complies:

Frame 3 (310 bytes on wire, 310 bytes captured)
...
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: Unknown:133 PA-ENC-TIMESTAMP
        Type: Unknown (133)
            Value: 4D4954
        Type: PA-ENC-TIMESTAMP (2)
            Value: 3041A003020112A23A0438EAB48D41FF4F470D1BB255E7D7... aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                enc PA_ENC_TIMESTAMP: EAB48D41FF4F470D1BB255E7D7D9A51F0D978D1B41945E89...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
            .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name (Principal): chris
            Name-type: Principal (1)
            Name: chris
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        from: 2010-02-13 19:09:50 (UTC)
        till: 2010-02-14 19:09:50 (UTC)
        Nonce: 140992433
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

Finally, Cerberus grants the client its TGT:

Frame 4 (711 bytes on wire, 711 bytes captured)
...
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: PA-ENCTYPE-INFO2
        Type: PA-ENCTYPE-INFO2 (19)
            Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
    Client Realm: MAISON.MRS
    Client Name (Principal): chris
        Name-type: Principal (1)
        Name: chris
    Ticket
        Tkt-vno: 5
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Kvno: 1
            enc-part: 19E7D3E7337658EFC983B6221B1F4BC80C8E7AB16003E6E9...
    enc-part aes256-cts-hmac-sha1-96
        Encryption type: aes256-cts-hmac-sha1-96 (18)
        enc-part: D41400F6E3A44CD883DA34BEE71F312519890F9FF2A053CC...

The ETYPE-INFO2 MAY also be sent in an AS-REP to provide information to the client about which key salt to use for the string-to-key to be used by the client to obtain the key for decrypting the encrypted part the AS-REP.

Which is not without its grain of salt.
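The PA-ENCTYPE-INFO2 values in the KRB-ERROR (frame 2) and in the AS-REP (frame 4) above are small DER structures, and both the etype hint and the salt remark in the two RFC excerpts can be checked directly on the page's own bytes. The following parser and builder is an added example written for this page, not code from the original or from any Kerberos library. It assumes the ETYPE-INFO2 syntax of RFC 4120 (etype [0] Int32, salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL), the default salt rule of RFC 4120 section 4 (realm followed by the name components when the KDC sends none), and, as a labelled assumption about client behaviour, that the client takes the first KDC-listed etype it supports. The entry with an explicit salt and s2kparams used in the builder is constructed, not captured.

```python
"""Parse and build Kerberos ETYPE-INFO2 (RFC 4120 section 5.2.7.5) and derive the default salt."""
from typing import Dict, List, Optional, Tuple

# Values copied from the page's Wireshark dump (frame 2 KRB-ERROR, frame 4 AS-REP).
ETYPE_INFO2_FROM_KRB_ERROR = bytes.fromhex("30153005A0030201123005A0030201173005A003020110")
ETYPE_INFO2_FROM_AS_REP = bytes.fromhex("30073005A003020112")

# Etype numbers as Wireshark names them in the capture.
ETYPE_NAMES = {18: "aes256-cts-hmac-sha1-96", 17: "aes128-cts-hmac-sha1-96",
               16: "des3-cbc-sha1", 23: "rc4-hmac", 1: "des-cbc-crc",
               3: "des-cbc-md5", 2: "des-cbc-md4"}


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV (single-byte tag) at pos -> (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV; short-form length is enough for these small structures."""
    if len(value) > 127:
        raise ValueError("value too long for a short-form length")
    return bytes([tag, len(value)]) + value


def _der_int(n: int) -> bytes:
    """Minimal two's-complement DER INTEGER content (enough for etype numbers)."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)


def parse_etype_info2(der: bytes) -> List[Dict[str, Optional[object]]]:
    """Return one dict per ETYPE-INFO2-ENTRY with keys etype, salt, s2kparams."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("ETYPE-INFO2 must be exactly one SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, entry, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("ETYPE-INFO2-ENTRY must be a SEQUENCE")
        fields: Dict[str, Optional[object]] = {"etype": None, "salt": None, "s2kparams": None}
        p = 0
        while p < len(entry):
            ctag, cval, p = _read_tlv(entry, p)        # context tag [0], [1] or [2]
            itag, ival, iend = _read_tlv(cval, 0)      # the wrapped universal type
            if iend != len(cval):
                raise ValueError("trailing bytes inside a context tag")
            if ctag == 0xA0 and itag == 0x02:          # etype [0] Int32
                fields["etype"] = int.from_bytes(ival, "big", signed=True)
            elif ctag == 0xA1 and itag == 0x1B:        # salt [1] KerberosString (GeneralString)
                fields["salt"] = ival.decode("ascii")
            elif ctag == 0xA2 and itag == 0x04:        # s2kparams [2] OCTET STRING
                fields["s2kparams"] = ival
            else:
                raise ValueError(f"unexpected element {ctag:02X}/{itag:02X}")
        if fields["etype"] is None:
            raise ValueError("etype is mandatory in ETYPE-INFO2-ENTRY")
        entries.append(fields)
    if not entries:
        raise ValueError("ETYPE-INFO2 needs at least one entry")
    return entries


def build_etype_info2(entries: List[Dict[str, object]]) -> bytes:
    """Inverse of parse_etype_info2; optional fields are emitted only when present."""
    out = b""
    for e in entries:
        body = _tlv(0xA0, _tlv(0x02, _der_int(int(e["etype"]))))
        if e.get("salt") is not None:
            body += _tlv(0xA1, _tlv(0x1B, str(e["salt"]).encode("ascii")))
        if e.get("s2kparams") is not None:
            body += _tlv(0xA2, _tlv(0x04, bytes(e["s2kparams"])))
        out += _tlv(0x30, body)
    return _tlv(0x30, out)


def default_salt(realm: str, name_components: List[str]) -> str:
    """RFC 4120 section 4: with no salt sent, use the realm followed by the name components."""
    return realm + "".join(name_components)


def choose_etype(kdc_entries: List[Dict[str, Optional[object]]], client_etypes: List[int]) -> Optional[int]:
    """Assumed client rule: first KDC-listed etype the client supports (KDC order wins)."""
    for e in kdc_entries:
        if e["etype"] in client_etypes:
            return int(e["etype"])  # type: ignore[arg-type]
    return None


if __name__ == "__main__":
    client_etypes = [18, 17, 16, 23, 1, 3, 2]         # the AS-REQ list of frame 1
    entries = parse_etype_info2(ETYPE_INFO2_FROM_KRB_ERROR)
    for e in entries:
        salt = e["salt"] or default_salt("MAISON.MRS", ["chris"])
        print(e["etype"], ETYPE_NAMES.get(e["etype"]), "salt:", salt)
    print("timestamp will be encrypted with etype", choose_etype(entries, client_etypes))
```

Run on the KRB-ERROR bytes, the parser yields etypes 18, 23 and 16 with no salt, so the string-to-key salt for chris is MAISON.MRSchris by default, and the first etype the client supports is 18, which is exactly the aes256-cts-hmac-sha1-96 that frame 3 shows wrapping the encrypted timestamp. The AS-REP value decodes to the single entry 18, the etype of the key the client must derive to open the enc-part.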

1)
Wireshark is a « Network Protocol Analyzer »