La station de travail

Nous l'avons vu, il suffit d'y installer le paquet krb5-user.

Ensuite, nous copions dessus le fichier /etc/krb5.conf que nous avons créé sur le KDC, sans rien y modifier, du moins pour l'instant.

Vérifications diverses

Enfin, il nous suffit de vérifier que tout ça fait le boulot :

root@pchris:~# kinit -V chris
Password for chris@MAISON.MRS: 
Authenticated to Kerberos v5

On dirait que oui. Vérification avec klist :

root@pchris:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: chris@MAISON.MRS

Valid starting     Expires            Service principal
02/13/10 17:31:13  02/14/10 03:31:13  krbtgt/MAISON.MRS@MAISON.MRS
	renew until 02/14/10 17:31:10

Le « Service principal » krbtgt/MAISON.MRS@MAISON.MRS, nous savons maintenant d'où il vient. Il indique ici que chris dispose d'un ticket d'accès au service « ticket granting tickets ». Encore un peu de patience, il nous faut l'usine complète pour en comprendre tout le sens.

root@pchris:~# kdestroy
root@pchris:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

Destruction des tickets obtenus.

root@pchris:~# kadmin -p chris/admin
Authenticating as principal chris/admin with password.
Password for chris/admin@MAISON.MRS: 
kadmin:  list_principals
K/M@MAISON.MRS
chris/admin@MAISON.MRS
chris@MAISON.MRS
kadmin/admin@MAISON.MRS
kadmin/changepw@MAISON.MRS
kadmin/history@MAISON.MRS
kadmin/kerberos.maison.mrs@MAISON.MRS
krbtgt/MAISON.MRS@MAISON.MRS
kadmin:  quit
root@pchris:~# 

La commande kadmin fonctionne correctement depuis le client. Tout va bien.

C'est peut-être le moment de commencer à s'intéresser de près à ce qu'il se passe lorsque l'on invoque la commande kinit ? Voyons ça avec notre wireshark 1) habituel.

Le kinit

No.     Time        Source                Destination           Protocol Info
      1 0.000000    pchris.maison.mrs     kerberos.maison.mrs   KRB5     AS-REQ
      2 0.000590    kerberos.maison.mrs   pchris.maison.mrs     KRB5     KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
      3 2.763186    pchris.maison.mrs     kerberos.maison.mrs   KRB5     AS-REQ
      4 2.766187    kerberos.maison.mrs   pchris.maison.mrs     KRB5     AS-REP

AS-REQ, on comprend. C'est une requête au serveur d'authentification. Mais il n'aime pas, il veut une pré-authentification. Il faut regarder plus en détail.

Frame 1 (211 bytes on wire, 211 bytes captured)
...
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
            .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name (Principal): chris
            Name-type: Principal (1)
            Name: chris
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        from: 2010-02-13 19:09:50 (UTC)
        till: 2010-02-14 19:09:50 (UTC)
        Nonce: 140992433
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)
L'utilisateur présente le nom de son principal, en indiquant dans quel royaume (MAISON.MRS) et à quel type de ticket (TGT) il demande. Il indique également quels algorithmes de chiffrement il sait manipuler.

Il n'y a aucune partie chiffrée dans cette requête, il n'y a pas non plus de mot de passe. Très simple, donc.

Oui mais voilà, le cerbère ne l'entend pas de cette oreille (ni des 5 autres).

Frame 2 (297 bytes on wire, 297 bytes captured)
...
Kerberos KRB-ERROR
    Pvno: 5
    MSG Type: KRB-ERROR (30)
    ctime: 1974-06-20 20:33:53 (UTC)
    stime: 2010-02-13 19:09:50 (UTC)
    susec: 737204
    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
    Client Realm: MAISON.MRS
    Client Name (Principal): chris
        Name-type: Principal (1)
        Name: chris
    Realm: MAISON.MRS
    Server Name (Unknown): krbtgt/MAISON.MRS
        Name-type: Unknown (0)
        Name: krbtgt
        Name: MAISON.MRS
    e-text: NEEDED_PREAUTH
    e-data
        padata: PA-ENC-TIMESTAMP Unknown:136 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
            Type: PA-ENC-TIMESTAMP (2)
                Value: 
            Type: Unknown (136)
                Value: 
            Type: PA-ENCTYPE-INFO2 (19)
                Value: 30153005A0030201123005A0030201173005A003020110 aes256-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
                    Encryption type: aes256-cts-hmac-sha1-96 (18)
                    Encryption type: rc4-hmac (23)
                    Encryption type: des3-cbc-sha1 (16)
            Type: PA-SAM-RESPONSE (13)
                Value: 
            Type: Unknown (133)
                Value: 4D4954

Ce n'est pas une vraie erreur, c'est juste que l'AS désire recevoir une pré-authentification. Voyez les RFC idoines si vous voulez vraiment aller tout au fond des choses :

The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.

Bref, le client s'exécute :

Frame 3 (310 bytes on wire, 310 bytes captured)
...
Kerberos AS-REQ
    Pvno: 5
    MSG Type: AS-REQ (10)
    padata: Unknown:133 PA-ENC-TIMESTAMP
        Type: Unknown (133)
            Value: 4D4954
        Type: PA-ENC-TIMESTAMP (2)
            Value: 3041A003020112A23A0438EAB48D41FF4F470D1BB255E7D7... aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
                enc PA_ENC_TIMESTAMP: EAB48D41FF4F470D1BB255E7D7D9A51F0D978D1B41945E89...
    KDC_REQ_BODY
        Padding: 0
        KDCOptions: 00000010 (Renewable OK)
            .0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
            ..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
            ...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
            .... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
            .... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
            .... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
            .... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
            .... .... ...0 .... .... .... .... .... = Opt HW Auth: False
            .... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
            .... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
            .... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
            .... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
            .... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
            .... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
            .... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
        Client Name (Principal): chris
            Name-type: Principal (1)
            Name: chris
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        from: 2010-02-13 19:09:50 (UTC)
        till: 2010-02-14 19:09:50 (UTC)
        Nonce: 140992433
        Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Encryption type: aes128-cts-hmac-sha1-96 (17)
            Encryption type: des3-cbc-sha1 (16)
            Encryption type: rc4-hmac (23)
            Encryption type: des-cbc-crc (1)
            Encryption type: des-cbc-md5 (3)
            Encryption type: des-cbc-md4 (2)

Finalement , le cerbère accorde son TGT au client :

Frame 4 (711 bytes on wire, 711 bytes captured)
...
Kerberos AS-REP
    Pvno: 5
    MSG Type: AS-REP (11)
    padata: PA-ENCTYPE-INFO2
        Type: PA-ENCTYPE-INFO2 (19)
            Value: 30073005A003020112 aes256-cts-hmac-sha1-96
                Encryption type: aes256-cts-hmac-sha1-96 (18)
    Client Realm: MAISON.MRS
    Client Name (Principal): chris
        Name-type: Principal (1)
        Name: chris
    Ticket
        Tkt-vno: 5
        Realm: MAISON.MRS
        Server Name (Unknown): krbtgt/MAISON.MRS
            Name-type: Unknown (0)
            Name: krbtgt
            Name: MAISON.MRS
        enc-part aes256-cts-hmac-sha1-96
            Encryption type: aes256-cts-hmac-sha1-96 (18)
            Kvno: 1
            enc-part: 19E7D3E7337658EFC983B6221B1F4BC80C8E7AB16003E6E9...
    enc-part aes256-cts-hmac-sha1-96
        Encryption type: aes256-cts-hmac-sha1-96 (18)
        enc-part: D41400F6E3A44CD883DA34BEE71F312519890F9FF2A053CC...

The ETYPE-INFO2 MAY also be sent in an AS-REP to provide information to the client about which key salt to use for the string-to-key to be used by the client to obtain the key for decrypting the encrypted part the AS-REP.

Voilà qui ne manque pas de sel.

1)
Wireshark est un « Network Protocol Analyzer »