Kerberos-AES-256 Keytab不起作用 [英] Kerberos - AES-256 Keytab does not work
本文介绍了Kerberos-AES-256 Keytab不起作用的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我们的AD小组将禁用RC4-HMAC,因此我必须将JBoss应用程序更改为AES. 我将aes类型添加到krb5.conf并创建了新的密钥表,但这似乎不起作用.除了带有kinit的应用程序以外的测试都显示出相同的结果.
出现了类似问题,但已经为我们启用了其解决方案.还有另一个人(里克·莫里茨(Rick Moritz))遇到我的问题,没有答案.
服务器:SLES12
AD:Windows Server 2016
krb5.conf
[libdefaults]
debug = false
default_realm = MY.DOMAIN
ticket_lifetime = 24000
default_keytab_name = /app/myapp/sso/myapp_eu.keytab_AES
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
permitted_enctypes = aes256-cts aes128-cts rc4-hmac
[realms]
MY.DOMAIN = {
kdc = my.domain
default_domain = my.domain
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
[appdefaults]
forwardable = true
键标签
keytab旧版RC4:
klist -ket myapp_eu.keytab_RC4
Keytab name: FILE:myapp_eu.keytab_RC4
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 02/19/2018 14:41:39 MyappEU@MY.DOMAIN (arcfour-hmac)
keytab新的AES256:
klist -ket myapp_eu.keytab_AES
Keytab name: FILE:myapp_eu.keytab_AES
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 03/14/2018 15:03:31 MyappEU@MY.DOMAIN (aes256-cts-hmac-sha1-96)
kinit测试(krb5版本1.12.5)
使用密码进行身份验证(成功):
kinit -fV MyappEU@MY.DOMAIN
klist -ef
Valid starting Expires Service principal
03/14/18 14:37:12 03/15/18 00:37:12 krbtgt/MY.DOMAIN@MY.DOMAIN
renew until 03/15/18 14:37:06, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
使用旧密钥表RC4进行身份验证(成功):
kinit -fV -k -t /app/myapp/sso/myapp_eu.keytab_RC4 MyappEU@MY.DOMAIN
klist -ef
Valid starting Expires Service principal
03/14/18 14:36:52 03/15/18 00:36:52 krbtgt/MY.DOMAIN@MY.DOMAIN
renew until 03/15/18 14:36:51, Flags: FRIA
Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
使用新的密钥表AES256进行身份验证(失败):
kinit -fV -k -t /app/myapp/sso/myapp_eu.keytab_AES MyappEU@MY.DOMAIN
Using principal: MyappEU@MY.DOMAIN
Using keytab: /app/myapp/sso/myapp_eu.keytab_AES
kinit: Preauthentication failed while getting initial credentials
对etypes的查看表明es似乎有效.但是我无法弄清楚为什么我使用aes-keytabs会收到预身份验证错误.
旧的和新的密钥表是通过以下ktpass命令创建的:
ktpass -princ MyappEU@MY.DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_RC4
ktpass -princ MyappEU@MY.DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_AES
我已经用正确的kvno而不是0进行了尝试,得到相同的结果.
感谢您的帮助或想法.
P.S.匿名MY.DOMAIN和myapp
使用新编译的krb5 1.16进行测试
我结合了Samson Scharfrichter和T.Heron的技巧,现在我发现在创建密钥表时从ktpass获得的SALT与从kinit的跟踪输出获得的SALT之间存在差异.但我不知道它来自哪里以及如何更改它.在这种情况下,盐是SPN之一.ktpass
PS X:\> ktpass -out x:\MyappEUv3.keytab -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -princ MyappEU@MY.DOMAIN
Building salt with principalname MyappEU and domain MY.DOMAIN (encryption type 18)...
Hashing password with salt "MY.DOMAINMyappEU".
Key created.
Output keytab to x:\MyappEUv3.keytab:
Keytab version: 0x502
keysize 71 MyappEU@MY.DOMAIN ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x12 (AES256-SHA1) keylength 32 (0x326dd53c7fce5ac4f25d1d17c6a1cf721d7d044f7eb72eaa92a20125055a3b25)
运动轨迹
env KRB5_TRACE=/dev/stdout /home/akirsch/krb5-1.16_made/bin/kinit -fV -k -t /home/akirsch/MyappEUv3.keytab MyappEU@MY.DOMAIN
Using default cache: /tmp/krb5cc_0
Using principal: MyappEU@MY.DOMAIN
Using keytab: /home/akirsch/MyappEUv3.keytab
[32175] 1521108914.135563: Getting initial credentials for MyappEU@MY.DOMAIN
[32175] 1521108914.135564: Looked up etypes in keytab: aes256-cts
[32175] 1521108914.135566: Sending unauthenticated request
[32175] 1521108914.135567: Sending request (153 bytes) to MY.DOMAIN
[32175] 1521108914.135568: Resolving hostname MY.DOMAIN
[32175] 1521108914.135569: Sending initial UDP request to dgram 172.18.32.134:88
[32175] 1521108914.135570: Received answer (214 bytes) from dgram 172.18.32.134:88
[32175] 1521108914.135571: Response was not from master KDC
[32175] 1521108914.135572: Received error from KDC: -1765328359/Additional pre-authentication required
[32175] 1521108914.135575: Preauthenticating using KDC method data
[32175] 1521108914.135576: Processing preauth types: 16, 15, 19, 2
[32175] 1521108914.135577: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
[32175] 1521108914.135578: Retrieving MyappEU@MY.DOMAIN from FILE:/home/akirsch/MyappEUv3.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[32175] 1521108914.135579: AS key obtained for encrypted timestamp: aes256-cts/ECF3
[32175] 1521108914.135581: Encrypted timestamp (for 1521108914.396292): plain 301AA011180F32303138303331353130313531345AA1050203060C04, encrypted F92E4F783F834FF6500EA86CAF8CA3088517CB02F75BD2C962E5B454DC02C6F3BBCAF59EEB6F52D58AA873FF5EDFCA1496F59D2A587701A1
[32175] 1521108914.135582: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[32175] 1521108914.135583: Produced preauth for next request: 2
[32175] 1521108914.135584: Sending request (231 bytes) to MY.DOMAIN
[32175] 1521108914.135585: Resolving hostname MY.DOMAIN
[32175] 1521108914.135586: Sending initial UDP request to dgram 10.174.50.13:88
[32175] 1521108914.135587: Received answer (181 bytes) from dgram 10.174.50.13:88
[32175] 1521108914.135588: Response was not from master KDC
[32175] 1521108914.135589: Received error from KDC: -1765328360/Preauthentication failed
[32175] 1521108914.135592: Preauthenticating using KDC method data
[32175] 1521108914.135593: Processing preauth types: 19
[32175] 1521108914.135594: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
[32175] 1521108914.135595: Getting initial credentials for MyappEU@MY.DOMAIN
[32175] 1521108914.135596: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
[32175] 1521108914.135598: Sending unauthenticated request
[32175] 1521108914.135599: Sending request (153 bytes) to MY.DOMAIN (master)
kinit: Preauthentication failed while getting initial credentials
解决方案
感谢T.Heron和Samson的提示.
最后只有2个步骤要做.
- 按照 T.Herons文章
- 将ktpass与mapuser一起使用,将salt设置为用于登录的主体. (将显示一个错误,但仍会设置盐)
第二部分很难找到. MapUser会将SALT和UPN设置为已映射的SPN!只能有一个SALT.
您可以使用以下命令在Linux上查看当前盐:
env KRB5_TRACE=/dev/stdout env KRB5_CONFIG=krb5.conf kinit -fV ADUSER@MYDOMAIN.COM
ExampleOutputLine(在这种情况下为错误的盐)
[10757] 1523617677.379889: Selected etype info: etype aes256-cts, salt "MYDOMAIN.COMHTTPvm41568226", params ""
Our AD Team is going to disable RC4-HMAC so I have to change our JBoss-applications to AES. I added the aes types to krb5.conf and created new keytabs but that seems to not work. Tests besides the application with kinit show the same results.
There was an similar issue but its solution was already enabled for us. There is another guy (Rick Moritz) with my problem without an answer.
Server: SLES12
AD: Windows Server 2016
krb5.conf
[libdefaults]
debug = false
default_realm = MY.DOMAIN
ticket_lifetime = 24000
default_keytab_name = /app/myapp/sso/myapp_eu.keytab_AES
dns_lookup_realm = false
dns_lookup_kdc = false
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
permitted_enctypes = aes256-cts aes128-cts rc4-hmac
[realms]
MY.DOMAIN = {
kdc = my.domain
default_domain = my.domain
}
[domain_realm]
.my.domain = MY.DOMAIN
my.domain = MY.DOMAIN
[appdefaults]
forwardable = true
Keytabs
keytab old RC4:
klist -ket myapp_eu.keytab_RC4
Keytab name: FILE:myapp_eu.keytab_RC4
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 02/19/2018 14:41:39 MyappEU@MY.DOMAIN (arcfour-hmac)
keytab new AES256:
klist -ket myapp_eu.keytab_AES
Keytab name: FILE:myapp_eu.keytab_AES
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 03/14/2018 15:03:31 MyappEU@MY.DOMAIN (aes256-cts-hmac-sha1-96)
kinit tests (krb5 Version 1.12.5)
authentication with password (success):
kinit -fV MyappEU@MY.DOMAIN
klist -ef
Valid starting Expires Service principal
03/14/18 14:37:12 03/15/18 00:37:12 krbtgt/MY.DOMAIN@MY.DOMAIN
renew until 03/15/18 14:37:06, Flags: FRIA
Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
authentication with old keytab RC4 (success):
kinit -fV -k -t /app/myapp/sso/myapp_eu.keytab_RC4 MyappEU@MY.DOMAIN
klist -ef
Valid starting Expires Service principal
03/14/18 14:36:52 03/15/18 00:36:52 krbtgt/MY.DOMAIN@MY.DOMAIN
renew until 03/15/18 14:36:51, Flags: FRIA
Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
authentication with new keytab AES256 (failure):
kinit -fV -k -t /app/myapp/sso/myapp_eu.keytab_AES MyappEU@MY.DOMAIN
Using principal: MyappEU@MY.DOMAIN
Using keytab: /app/myapp/sso/myapp_eu.keytab_AES
kinit: Preauthentication failed while getting initial credentials
A look on the etypes shows that aes seems to work. But i cant figure out why i get a preauthentication error with the aes-keytabs.
The old and new keytabs were created by the following ktpass command:
ktpass -princ MyappEU@MY.DOMAIN -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_RC4
ktpass -princ MyappEU@MY.DOMAIN -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxxxx -kvno 0 -out myapp_eu.keytab_AES
I already tried it with the correct kvno instead of 0 with the same result.
Thanks for you help or ideas.
P.S. anonymized MY.DOMAIN and myapp
Test with fresh compiled krb5 1.16
i combined the tips from Samson Scharfrichter and T.Heron and now i see a difference between the SALT i get from ktpass at the creation of the keytab and from the trace-output of kinit. But i dont know where it comes from and how to change it. The salt consists one of the SPNs in this case.
ktpass
PS X:\> ktpass -out x:\MyappEUv3.keytab -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass xxxxxx -princ MyappEU@MY.DOMAIN
Building salt with principalname MyappEU and domain MY.DOMAIN (encryption type 18)...
Hashing password with salt "MY.DOMAINMyappEU".
Key created.
Output keytab to x:\MyappEUv3.keytab:
Keytab version: 0x502
keysize 71 MyappEU@MY.DOMAIN ptype 1 (KRB5_NT_PRINCIPAL) vno 1 etype 0x12 (AES256-SHA1) keylength 32 (0x326dd53c7fce5ac4f25d1d17c6a1cf721d7d044f7eb72eaa92a20125055a3b25)
kinit trace
env KRB5_TRACE=/dev/stdout /home/akirsch/krb5-1.16_made/bin/kinit -fV -k -t /home/akirsch/MyappEUv3.keytab MyappEU@MY.DOMAIN
Using default cache: /tmp/krb5cc_0
Using principal: MyappEU@MY.DOMAIN
Using keytab: /home/akirsch/MyappEUv3.keytab
[32175] 1521108914.135563: Getting initial credentials for MyappEU@MY.DOMAIN
[32175] 1521108914.135564: Looked up etypes in keytab: aes256-cts
[32175] 1521108914.135566: Sending unauthenticated request
[32175] 1521108914.135567: Sending request (153 bytes) to MY.DOMAIN
[32175] 1521108914.135568: Resolving hostname MY.DOMAIN
[32175] 1521108914.135569: Sending initial UDP request to dgram 172.18.32.134:88
[32175] 1521108914.135570: Received answer (214 bytes) from dgram 172.18.32.134:88
[32175] 1521108914.135571: Response was not from master KDC
[32175] 1521108914.135572: Received error from KDC: -1765328359/Additional pre-authentication required
[32175] 1521108914.135575: Preauthenticating using KDC method data
[32175] 1521108914.135576: Processing preauth types: 16, 15, 19, 2
[32175] 1521108914.135577: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
[32175] 1521108914.135578: Retrieving MyappEU@MY.DOMAIN from FILE:/home/akirsch/MyappEUv3.keytab (vno 0, enctype aes256-cts) with result: 0/Success
[32175] 1521108914.135579: AS key obtained for encrypted timestamp: aes256-cts/ECF3
[32175] 1521108914.135581: Encrypted timestamp (for 1521108914.396292): plain 301AA011180F32303138303331353130313531345AA1050203060C04, encrypted F92E4F783F834FF6500EA86CAF8CA3088517CB02F75BD2C962E5B454DC02C6F3BBCAF59EEB6F52D58AA873FF5EDFCA1496F59D2A587701A1
[32175] 1521108914.135582: Preauth module encrypted_timestamp (2) (real) returned: 0/Success
[32175] 1521108914.135583: Produced preauth for next request: 2
[32175] 1521108914.135584: Sending request (231 bytes) to MY.DOMAIN
[32175] 1521108914.135585: Resolving hostname MY.DOMAIN
[32175] 1521108914.135586: Sending initial UDP request to dgram 10.174.50.13:88
[32175] 1521108914.135587: Received answer (181 bytes) from dgram 10.174.50.13:88
[32175] 1521108914.135588: Response was not from master KDC
[32175] 1521108914.135589: Received error from KDC: -1765328360/Preauthentication failed
[32175] 1521108914.135592: Preauthenticating using KDC method data
[32175] 1521108914.135593: Processing preauth types: 19
[32175] 1521108914.135594: Selected etype info: etype aes256-cts, salt "MY.DOMAINHTTPmyapp-entw.intranet-test.my.domain", params ""
[32175] 1521108914.135595: Getting initial credentials for MyappEU@MY.DOMAIN
[32175] 1521108914.135596: Looked up etypes in keytab: des-cbc-crc, des, des-cbc-crc, rc4-hmac, aes256-cts, aes128-cts
[32175] 1521108914.135598: Sending unauthenticated request
[32175] 1521108914.135599: Sending request (153 bytes) to MY.DOMAIN (master)
kinit: Preauthentication failed while getting initial credentials
解决方案
Thanks and T.Heron and Samson for the tips.
At the end there were only 2 steps to do.
- Activate AES for the Account as described in T.Herons article
- Use ktpass with mapuser to set the salt to the principal that is used as login. (a error will be shown but the salt will still be set)
The second part was hard to find out. MapUser will set the SALT and the UPN to the SPN which is mapped! There can only be one SALT.
You can see the current salt on linux using:
env KRB5_TRACE=/dev/stdout env KRB5_CONFIG=krb5.conf kinit -fV ADUSER@MYDOMAIN.COM
ExampleOutputLine (wrong salt in this case)
[10757] 1523617677.379889: Selected etype info: etype aes256-cts, salt "MYDOMAIN.COMHTTPvm41568226", params ""
这篇关于Kerberos-AES-256 Keytab不起作用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
