Différences

Ci-dessous, les différences entre deux révisions de la page.

--- 320kerberos:40_workstation [le 13/02/2010 à 19:17] – prof
+++ 320kerberos:40_workstation [le 30/06/2018 à 15:58] (Version actuelle) – prof
@@ Ligne 47: / Ligne 47: @@
 La commande ''kadmin'' fonctionne correctement depuis le client. Tout va bien.
-C'est peut-être le moment de commencer à s'intéresser de près à ce qu'il se passe lorsque l'on invoque la commande ''kinit'' ? Voyons ça avec notre wireshark habituel.
+C'est peut-être le moment de commencer à s'intéresser de près à ce qu'il se passe lorsque l'on invoque la commande ''kinit'' ? Voyons ça avec notre wireshark (([[http://www.wireshark.org/|Wireshark]] est un « Network Protocol Analyzer »)) habituel.
 ==== Le kinit ====
 <code>
@@ Ligne 59: / Ligne 60: @@
 <html><pre class="code">
 Frame 1 (211 bytes on wire, 211 bytes captured)
-    Arrival Time: Feb 13, 2010 20:09:50.768347000
+...
-    [Time delta from previous captured frame: 0.000000000 seconds]
-    [Time delta from previous displayed frame: 0.000000000 seconds]
-    [Time since reference or first frame: 0.000000000 seconds]
-    Frame Number: 1
-    Frame Length: 211 bytes
-    Capture Length: 211 bytes
-    [Frame is marked: False]
-    [Protocols in frame: eth:ip:udp:kerberos]
-    [Coloring Rule Name: UDP]
-    [Coloring Rule String: udp]
-Ethernet II, Src: 192.168.0.16 (00:22:15:f4:1e:02), Dst: kerberos.maison.mrs (00:16:36:7e:43:9f)
-    Destination: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Source: 192.168.0.16 (00:22:15:f4:1e:02)
-        Address: 192.168.0.16 (00:22:15:f4:1e:02)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Type: IP (0x0800)
-Internet Protocol, Src: pchris.maison.mrs (192.168.0.16), Dst: kerberos.maison.mrs (192.168.0.133)
-    Version: 4
-    Header length: 20 bytes
-    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
-00.. = Differentiated Services Codepoint: Default (0x00)
-        .... ..0. = ECN-Capable Transport (ECT): 0
-        .... ...0 = ECN-CE: 0
-    Total Length: 197
-    Identification: 0xf290 (62096)
-    Flags: 0x04 (Don't Fragment)
-... = Reserved bit: Not set
-        .1.. = Don't fragment: Set
-        ..0. = More fragments: Not set
-    Fragment offset: 0
-    Time to live: 64
-    Protocol: UDP (0x11)
-    Header checksum: 0xc5b1 [correct]
-        [Good: True]
-        [Bad : False]
-    Source: pchris.maison.mrs (192.168.0.16)
-    Destination: kerberos.maison.mrs (192.168.0.133)
-User Datagram Protocol, Src Port: 47115 (47115), Dst Port: kerberos (88)
-    Source port: 47115 (47115)
-    Destination port: kerberos (88)
-    Length: 177
-    Checksum: 0x82a8 [validation disabled]
-        [Good Checksum: False]
-        [Bad Checksum: False]
 Kerberos AS-REQ
     Pvno: 5
@@ Ligne 148: / Ligne 101: @@
             Encryption type: des-cbc-md5 (3)
             Encryption type: des-cbc-md4 (2)
+</pre></html>
+L'utilisateur présente le nom de son principal, en indiquant dans quel royaume (MAISON.MRS) et à quel type de ticket (TGT) il demande. Il indique également quels algorithmes de chiffrement il sait manipuler.
+Il n'y a aucune partie chiffrée dans cette requête, il n'y a pas non plus de mot de passe. Très simple, donc.
+Oui mais voilà, le cerbère ne l'entend pas de cette oreille (ni des 5 autres).
+<html><pre class="code">
 Frame 2 (297 bytes on wire, 297 bytes captured)
-    Arrival Time: Feb 13, 2010 20:09:50.768937000
+...
-    [Time delta from previous captured frame: 0.000590000 seconds]
-    [Time delta from previous displayed frame: 0.000590000 seconds]
-    [Time since reference or first frame: 0.000590000 seconds]
-    Frame Number: 2
-    Frame Length: 297 bytes
-    Capture Length: 297 bytes
-    [Frame is marked: False]
-    [Protocols in frame: eth:ip:udp:kerberos]
-    [Coloring Rule Name: UDP]
-    [Coloring Rule String: udp]
-Ethernet II, Src: kerberos.maison.mrs (00:16:36:7e:43:9f), Dst: 192.168.0.16 (00:22:15:f4:1e:02)
-    Destination: 192.168.0.16 (00:22:15:f4:1e:02)
-        Address: 192.168.0.16 (00:22:15:f4:1e:02)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Source: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Type: IP (0x0800)
-Internet Protocol, Src: kerberos.maison.mrs (192.168.0.133), Dst: pchris.maison.mrs (192.168.0.16)
-    Version: 4
-    Header length: 20 bytes
-    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
-00.. = Differentiated Services Codepoint: Default (0x00)
-        .... ..0. = ECN-Capable Transport (ECT): 0
-        .... ...0 = ECN-CE: 0
-    Total Length: 283
-    Identification: 0x0000 (0)
-    Flags: 0x04 (Don't Fragment)
-... = Reserved bit: Not set
-        .1.. = Don't fragment: Set
-        ..0. = More fragments: Not set
-    Fragment offset: 0
-    Time to live: 64
-    Protocol: UDP (0x11)
-    Header checksum: 0xb7ec [correct]
-        [Good: True]
-        [Bad : False]
-    Source: kerberos.maison.mrs (192.168.0.133)
-    Destination: pchris.maison.mrs (192.168.0.16)
-User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47115 (47115)
-    Source port: kerberos (88)
-    Destination port: 47115 (47115)
-    Length: 263
-    Checksum: 0x509f [validation disabled]
-        [Good Checksum: False]
-        [Bad Checksum: False]
 Kerberos KRB-ERROR
     Pvno: 5
@@ Ligne 205: / Ligne 117: @@
     stime: 2010-02-13 19:09:50 (UTC)
     susec: 737204
-    error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
+    <span class="hly">error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)</span>
     Client Realm: MAISON.MRS
     Client Name (Principal): chris
@@ Ligne 217: / Ligne 129: @@
     e-text: NEEDED_PREAUTH
     e-data
-        padata: PA-ENC-TIMESTAMP Unknown:136 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
+<span class="hly">        padata: PA-ENC-TIMESTAMP Unknown:136 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
             Type: PA-ENC-TIMESTAMP (2)
                 Value: <MISSING>
@@ Ligne 230: / Ligne 142: @@
                 Value: <MISSING>
             Type: Unknown (133)
-                Value: 4D4954
+                Value: 4D4954</span>
+</pre></html>
+Ce n'est pas une vraie erreur, c'est juste que l'AS désire recevoir une pré-authentification. Voyez les RFC idoines si vous voulez vraiment aller tout au fond des choses :
+//The ETYPE-INFO2 pre-authentication type is sent by the KDC in a KRB-ERROR indicating a requirement for additional pre-authentication. It is usually used to notify a client of which key to use for the encryption of an encrypted timestamp for the purposes of sending a PA-ENC-TIMESTAMP pre-authentication value.//
+Bref, le client s'exécute :
+<html><pre class="code">
 Frame 3 (310 bytes on wire, 310 bytes captured)
-    Arrival Time: Feb 13, 2010 20:09:53.531533000
+...
-    [Time delta from previous captured frame: 2.762596000 seconds]
-    [Time delta from previous displayed frame: 2.762596000 seconds]
-    [Time since reference or first frame: 2.763186000 seconds]
-    Frame Number: 3
-    Frame Length: 310 bytes
-    Capture Length: 310 bytes
-    [Frame is marked: False]
-    [Protocols in frame: eth:ip:udp:kerberos]
-    [Coloring Rule Name: UDP]
-    [Coloring Rule String: udp]
-Ethernet II, Src: 192.168.0.16 (00:22:15:f4:1e:02), Dst: kerberos.maison.mrs (00:16:36:7e:43:9f)
-    Destination: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Source: 192.168.0.16 (00:22:15:f4:1e:02)
-        Address: 192.168.0.16 (00:22:15:f4:1e:02)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Type: IP (0x0800)
-Internet Protocol, Src: pchris.maison.mrs (192.168.0.16), Dst: kerberos.maison.mrs (192.168.0.133)
-    Version: 4
-    Header length: 20 bytes
-    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
-00.. = Differentiated Services Codepoint: Default (0x00)
-        .... ..0. = ECN-Capable Transport (ECT): 0
-        .... ...0 = ECN-CE: 0
-    Total Length: 296
-    Identification: 0xf3a4 (62372)
-    Flags: 0x04 (Don't Fragment)
-... = Reserved bit: Not set
-        .1.. = Don't fragment: Set
-        ..0. = More fragments: Not set
-    Fragment offset: 0
-    Time to live: 64
-    Protocol: UDP (0x11)
-    Header checksum: 0xc43a [correct]
-        [Good: True]
-        [Bad : False]
-    Source: pchris.maison.mrs (192.168.0.16)
-    Destination: kerberos.maison.mrs (192.168.0.133)
-User Datagram Protocol, Src Port: 53332 (53332), Dst Port: kerberos (88)
-    Source port: 53332 (53332)
-    Destination port: kerberos (88)
-    Length: 276
-    Checksum: 0x830b [validation disabled]
-        [Good Checksum: False]
-        [Bad Checksum: False]
 Kerberos AS-REQ
     Pvno: 5
     MSG Type: AS-REQ (10)
-    padata: Unknown:133 PA-ENC-TIMESTAMP
+<span class="hly">    padata: Unknown:133 PA-ENC-TIMESTAMP
         Type: Unknown (133)
             Value: 4D4954
@@ Ligne 291: / Ligne 163: @@
             Value: 3041A003020112A23A0438EAB48D41FF4F470D1BB255E7D7... aes256-cts-hmac-sha1-96
                 Encryption type: aes256-cts-hmac-sha1-96 (18)
-                enc PA_ENC_TIMESTAMP: EAB48D41FF4F470D1BB255E7D7D9A51F0D978D1B41945E89...
+                enc PA_ENC_TIMESTAMP: EAB48D41FF4F470D1BB255E7D7D9A51F0D978D1B41945E89...</span>
     KDC_REQ_BODY
         Padding: 0
@@ Ligne 329: / Ligne 201: @@
             Encryption type: des-cbc-md5 (3)
             Encryption type: des-cbc-md4 (2)
+</pre></html>
+Finalement , le cerbère accorde son TGT au client :
+<html><pre class="code">
 Frame 4 (711 bytes on wire, 711 bytes captured)
-    Arrival Time: Feb 13, 2010 20:09:53.534534000
+...
-    [Time delta from previous captured frame: 0.003001000 seconds]
-    [Time delta from previous displayed frame: 0.003001000 seconds]
-    [Time since reference or first frame: 2.766187000 seconds]
-    Frame Number: 4
-    Frame Length: 711 bytes
-    Capture Length: 711 bytes
-    [Frame is marked: False]
-    [Protocols in frame: eth:ip:udp:kerberos]
-    [Coloring Rule Name: UDP]
-    [Coloring Rule String: udp]
-Ethernet II, Src: kerberos.maison.mrs (00:16:36:7e:43:9f), Dst: 192.168.0.16 (00:22:15:f4:1e:02)
-    Destination: 192.168.0.16 (00:22:15:f4:1e:02)
-        Address: 192.168.0.16 (00:22:15:f4:1e:02)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Source: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
-        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
-        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
-    Type: IP (0x0800)
-Internet Protocol, Src: kerberos.maison.mrs (192.168.0.133), Dst: pchris.maison.mrs (192.168.0.16)
-    Version: 4
-    Header length: 20 bytes
-    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
-00.. = Differentiated Services Codepoint: Default (0x00)
-        .... ..0. = ECN-Capable Transport (ECT): 0
-        .... ...0 = ECN-CE: 0
-    Total Length: 697
-    Identification: 0x0000 (0)
-    Flags: 0x04 (Don't Fragment)
-... = Reserved bit: Not set
-        .1.. = Don't fragment: Set
-        ..0. = More fragments: Not set
-    Fragment offset: 0
-    Time to live: 64
-    Protocol: UDP (0x11)
-    Header checksum: 0xb64e [correct]
-        [Good: True]
-        [Bad : False]
-    Source: kerberos.maison.mrs (192.168.0.133)
-    Destination: pchris.maison.mrs (192.168.0.16)
-User Datagram Protocol, Src Port: kerberos (88), Dst Port: 53332 (53332)
-    Source port: kerberos (88)
-    Destination port: 53332 (53332)
-    Length: 677
-    Checksum: 0x1449 [validation disabled]
-        [Good Checksum: False]
-        [Bad Checksum: False]
 Kerberos AS-REP
     Pvno: 5
     MSG Type: AS-REP (11)
-    padata: PA-ENCTYPE-INFO2
+<span class="hly">    padata: PA-ENCTYPE-INFO2
         Type: PA-ENCTYPE-INFO2 (19)
             Value: 30073005A003020112 aes256-cts-hmac-sha1-96
@@ Ligne 404: / Ligne 232: @@
     enc-part aes256-cts-hmac-sha1-96
         Encryption type: aes256-cts-hmac-sha1-96 (18)
-        enc-part: D41400F6E3A44CD883DA34BEE71F312519890F9FF2A053CC...
+        enc-part: D41400F6E3A44CD883DA34BEE71F312519890F9FF2A053CC...</span>
 </pre></html>
+//The ETYPE-INFO2 MAY also be sent in an AS-REP to provide information to the client about which key salt to use for the string-to-key to be used by the client to obtain the key for decrypting the encrypted part the AS-REP.//
+Voilà qui ne manque pas de sel.