The workstation
As we have seen, all it takes is to install the krb5-user package on it.
Next, we copy onto it the /etc/krb5.conf file we created on the KDC, without changing anything in it, at least for now.
Various checks
Finally, we just have to check that all of this does the job:
root@pchris:~# kinit -V chris
Password for chris@MAISON.MRS:
Authenticated to Kerberos v5
It looks like it does. Let's check with klist:
root@pchris:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: chris@MAISON.MRS

Valid starting     Expires            Service principal
02/13/10 17:31:13  02/14/10 03:31:13  krbtgt/MAISON.MRS@MAISON.MRS
        renew until 02/14/10 17:31:10
The "Service principal" krbtgt/MAISON.MRS@MAISON.MRS: we now know where it comes from. It shows that chris holds a ticket for the ticket-granting service, in other words a TGT, valid here for ten hours and renewable up to a day after it was issued. A little more patience: we need the complete machinery to grasp its full meaning.
root@pchris:~# kdestroy
root@pchris:~# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
The tickets we obtained are destroyed.
root@pchris:~# kadmin -p chris/admin
Authenticating as principal chris/admin with password.
Password for chris/admin@MAISON.MRS:
kadmin: list_principals
K/M@MAISON.MRS
chris/admin@MAISON.MRS
chris@MAISON.MRS
kadmin/admin@MAISON.MRS
kadmin/changepw@MAISON.MRS
kadmin/history@MAISON.MRS
kadmin/kerberos.maison.mrs@MAISON.MRS
krbtgt/MAISON.MRS@MAISON.MRS
kadmin: quit
root@pchris:~#
The kadmin command works correctly from the client. All is well.
Perhaps this is the moment to take a close look at what happens when the kinit command is invoked? Let's see, with our usual wireshark.
kinit
No. Time Source Destination Protocol Info
1 0.000000 pchris.maison.mrs kerberos.maison.mrs KRB5 AS-REQ
2 0.000590 kerberos.maison.mrs pchris.maison.mrs KRB5 KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
3 2.763186 pchris.maison.mrs kerberos.maison.mrs KRB5 AS-REQ
4 2.766187 kerberos.maison.mrs pchris.maison.mrs KRB5 AS-REP
AS-REQ is easy enough to understand: it is a request to the Authentication Server. But the server does not like it; it wants pre-authentication first. We need to look at this in more detail.
Frame 1 (211 bytes on wire, 211 bytes captured)
...
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000010 (Renewable OK)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Client Name (Principal): chris
Name-type: Principal (1)
Name: chris
Realm: MAISON.MRS
Server Name (Unknown): krbtgt/MAISON.MRS
Name-type: Unknown (0)
Name: krbtgt
Name: MAISON.MRS
from: 2010-02-13 19:09:50 (UTC)
till: 2010-02-14 19:09:50 (UTC)
Nonce: 140992433
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: aes128-cts-hmac-sha1-96 (17)
Encryption type: des3-cbc-sha1 (16)
Encryption type: rc4-hmac (23)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-md4 (2)
The user presents its principal name, stating in which realm (MAISON.MRS) and which kind of ticket (a TGT, the krbtgt/MAISON.MRS service) it is asking for. It also lists the encryption algorithms it can handle, strongest first; note that this 2010 client still offers rc4-hmac and the single-DES types at the end of the list (des-cbc-crc, des-cbc-md5, des-cbc-md4), which a modern realm should refuse outright.
There is no encrypted part in this request, and no password either. Very simple, then. It is also exactly why the KDC insists on pre-authentication: if it answered this request as-is, anyone who knew a principal's name could collect an AS-REP encrypted under that user's password-derived key and attack the password offline.
But Cerberus will have none of it (not with that ear, nor with the other five).
Frame 2 (297 bytes on wire, 297 bytes captured)
Arrival Time: Feb 13, 2010 20:09:50.768937000
[Time delta from previous captured frame: 0.000590000 seconds]
[Time delta from previous displayed frame: 0.000590000 seconds]
[Time since reference or first frame: 0.000590000 seconds]
Frame Number: 2
Frame Length: 297 bytes
Capture Length: 297 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: kerberos.maison.mrs (00:16:36:7e:43:9f), Dst: 192.168.0.16 (00:22:15:f4:1e:02)
Destination: 192.168.0.16 (00:22:15:f4:1e:02)
Address: 192.168.0.16 (00:22:15:f4:1e:02)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: kerberos.maison.mrs (00:16:36:7e:43:9f)
Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: kerberos.maison.mrs (192.168.0.133), Dst: pchris.maison.mrs (192.168.0.16)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 283
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb7ec [correct]
[Good: True]
[Bad : False]
Source: kerberos.maison.mrs (192.168.0.133)
Destination: pchris.maison.mrs (192.168.0.16)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 47115 (47115)
Source port: kerberos (88)
Destination port: 47115 (47115)
Length: 263
Checksum: 0x509f [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos KRB-ERROR
Pvno: 5
MSG Type: KRB-ERROR (30)
ctime: 1974-06-20 20:33:53 (UTC)
stime: 2010-02-13 19:09:50 (UTC)
susec: 737204
error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
Client Realm: MAISON.MRS
Client Name (Principal): chris
Name-type: Principal (1)
Name: chris
Realm: MAISON.MRS
Server Name (Unknown): krbtgt/MAISON.MRS
Name-type: Unknown (0)
Name: krbtgt
Name: MAISON.MRS
e-text: NEEDED_PREAUTH
e-data
padata: PA-ENC-TIMESTAMP Unknown:136 PA-ENCTYPE-INFO2 PA-SAM-RESPONSE Unknown:133
Type: PA-ENC-TIMESTAMP (2)
Value:
Type: Unknown (136)
Value:
Type: PA-ENCTYPE-INFO2 (19)
Value: 30153005A0030201123005A0030201173005A003020110 aes256-cts-hmac-sha1-96 rc4-hmac des3-cbc-sha1
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: rc4-hmac (23)
Encryption type: des3-cbc-sha1 (16)
Type: PA-SAM-RESPONSE (13)
Value:
Type: Unknown (133)
Value: 4D4954
Frame 3 (310 bytes on wire, 310 bytes captured)
Arrival Time: Feb 13, 2010 20:09:53.531533000
[Time delta from previous captured frame: 2.762596000 seconds]
[Time delta from previous displayed frame: 2.762596000 seconds]
[Time since reference or first frame: 2.763186000 seconds]
Frame Number: 3
Frame Length: 310 bytes
Capture Length: 310 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: 192.168.0.16 (00:22:15:f4:1e:02), Dst: kerberos.maison.mrs (00:16:36:7e:43:9f)
Destination: kerberos.maison.mrs (00:16:36:7e:43:9f)
Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: 192.168.0.16 (00:22:15:f4:1e:02)
Address: 192.168.0.16 (00:22:15:f4:1e:02)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: pchris.maison.mrs (192.168.0.16), Dst: kerberos.maison.mrs (192.168.0.133)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 296
Identification: 0xf3a4 (62372)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xc43a [correct]
[Good: True]
[Bad : False]
Source: pchris.maison.mrs (192.168.0.16)
Destination: kerberos.maison.mrs (192.168.0.133)
User Datagram Protocol, Src Port: 53332 (53332), Dst Port: kerberos (88)
Source port: 53332 (53332)
Destination port: kerberos (88)
Length: 276
Checksum: 0x830b [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos AS-REQ
Pvno: 5
MSG Type: AS-REQ (10)
padata: Unknown:133 PA-ENC-TIMESTAMP
Type: Unknown (133)
Value: 4D4954
Type: PA-ENC-TIMESTAMP (2)
Value: 3041A003020112A23A0438EAB48D41FF4F470D1BB255E7D7... aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
enc PA_ENC_TIMESTAMP: EAB48D41FF4F470D1BB255E7D7D9A51F0D978D1B41945E89...
KDC_REQ_BODY
Padding: 0
KDCOptions: 00000010 (Renewable OK)
.0.. .... .... .... .... .... .... .... = Forwardable: Do NOT use forwardable tickets
..0. .... .... .... .... .... .... .... = Forwarded: This is NOT a forwarded ticket
...0 .... .... .... .... .... .... .... = Proxiable: Do NOT use proxiable tickets
.... 0... .... .... .... .... .... .... = Proxy: This ticket has NOT been proxied
.... .0.. .... .... .... .... .... .... = Allow Postdate: We do NOT allow the ticket to be postdated
.... ..0. .... .... .... .... .... .... = Postdated: This ticket is NOT postdated
.... .... 0... .... .... .... .... .... = Renewable: This ticket is NOT renewable
.... .... ...0 .... .... .... .... .... = Opt HW Auth: False
.... .... .... ..0. .... .... .... .... = Constrained Delegation: This is a normal request (no constrained delegation)
.... .... .... ...0 .... .... .... .... = Canonicalize: This is NOT a canonicalized ticket request
.... .... .... .... .... .... ..0. .... = Disable Transited Check: Transited checking is NOT disabled
.... .... .... .... .... .... ...1 .... = Renewable OK: We accept RENEWED tickets
.... .... .... .... .... .... .... 0... = Enc-Tkt-in-Skey: Do NOT encrypt the tkt inside the skey
.... .... .... .... .... .... .... ..0. = Renew: This is NOT a request to renew a ticket
.... .... .... .... .... .... .... ...0 = Validate: This is NOT a request to validate a postdated ticket
Client Name (Principal): chris
Name-type: Principal (1)
Name: chris
Realm: MAISON.MRS
Server Name (Unknown): krbtgt/MAISON.MRS
Name-type: Unknown (0)
Name: krbtgt
Name: MAISON.MRS
from: 2010-02-13 19:09:50 (UTC)
till: 2010-02-14 19:09:50 (UTC)
Nonce: 140992433
Encryption Types: aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1 rc4-hmac des-cbc-crc des-cbc-md5 des-cbc-md4
Encryption type: aes256-cts-hmac-sha1-96 (18)
Encryption type: aes128-cts-hmac-sha1-96 (17)
Encryption type: des3-cbc-sha1 (16)
Encryption type: rc4-hmac (23)
Encryption type: des-cbc-crc (1)
Encryption type: des-cbc-md5 (3)
Encryption type: des-cbc-md4 (2)
Frame 4 (711 bytes on wire, 711 bytes captured)
Arrival Time: Feb 13, 2010 20:09:53.534534000
[Time delta from previous captured frame: 0.003001000 seconds]
[Time delta from previous displayed frame: 0.003001000 seconds]
[Time since reference or first frame: 2.766187000 seconds]
Frame Number: 4
Frame Length: 711 bytes
Capture Length: 711 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:udp:kerberos]
[Coloring Rule Name: UDP]
[Coloring Rule String: udp]
Ethernet II, Src: kerberos.maison.mrs (00:16:36:7e:43:9f), Dst: 192.168.0.16 (00:22:15:f4:1e:02)
Destination: 192.168.0.16 (00:22:15:f4:1e:02)
Address: 192.168.0.16 (00:22:15:f4:1e:02)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: kerberos.maison.mrs (00:16:36:7e:43:9f)
Address: kerberos.maison.mrs (00:16:36:7e:43:9f)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: kerberos.maison.mrs (192.168.0.133), Dst: pchris.maison.mrs (192.168.0.16)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 697
Identification: 0x0000 (0)
Flags: 0x04 (Don't Fragment)
0... = Reserved bit: Not set
.1.. = Don't fragment: Set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: UDP (0x11)
Header checksum: 0xb64e [correct]
[Good: True]
[Bad : False]
Source: kerberos.maison.mrs (192.168.0.133)
Destination: pchris.maison.mrs (192.168.0.16)
User Datagram Protocol, Src Port: kerberos (88), Dst Port: 53332 (53332)
Source port: kerberos (88)
Destination port: 53332 (53332)
Length: 677
Checksum: 0x1449 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Kerberos AS-REP
Pvno: 5
MSG Type: AS-REP (11)
padata: PA-ENCTYPE-INFO2
Type: PA-ENCTYPE-INFO2 (19)
Value: 30073005A003020112 aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
Client Realm: MAISON.MRS
Client Name (Principal): chris
Name-type: Principal (1)
Name: chris
Ticket
Tkt-vno: 5
Realm: MAISON.MRS
Server Name (Unknown): krbtgt/MAISON.MRS
Name-type: Unknown (0)
Name: krbtgt
Name: MAISON.MRS
enc-part aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
Kvno: 1
enc-part: 19E7D3E7337658EFC983B6221B1F4BC80C8E7AB16003E6E9...
enc-part aes256-cts-hmac-sha1-96
Encryption type: aes256-cts-hmac-sha1-96 (18)
enc-part: D41400F6E3A44CD883DA34BEE71F312519890F9FF2A053CC...