Re: Extract users kerberos passwords - Kerberos

This is a discussion on Re: Extract users kerberos passwords - Kerberos ; Ok, thank you for your emails. Can I extract the key from the kdb5_util dump utility? If so, which field represents the key? Regards, F. On 6/13/05, Preetam Ramakrishna wrote: > Hi, > > Users' passwords are stored as keys ...

+ Reply to Thread
Results 1 to 5 of 5

Thread: Re: Extract users kerberos passwords

  1. Re: Extract users kerberos passwords

    Ok, thank you for your emails.

    Can I extract the key from the kdb5_util dump utility?

    If so, which field represents the key?

    Regards,
    F.

    On 6/13/05, Preetam Ramakrishna wrote:
    > Hi,
    >
    > Users' passwords are stored as keys in MIT kerberos. So, you
    > can extract the keys but not the passwords.
    >
    > Preetam
    >
    > >>> fsoliv 6/13/2005 4:44:12 AM >>>

    > Hello,
    >
    > I have the following problem:
    >
    > I would like to extract some of my users' passwords (which are stored
    > in Mit Kerberos) and insert them in Openldap.
    > How can I extract the users' password?
    >
    >
    > Best regards,
    >
    > F.
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: Extract users kerberos passwords

    Ok, but How can I extract the key to put it on the userPassword field
    of a ldap entry?
    Thank you,

    F.
    On 6/13/05, Preetam wrote:
    > fsoliv wrote:
    > Thank you for your email.
    > I have tried to extract the key from kadmin but I had no success. Can
    > you tell me which command I should use?
    >
    > Regards,
    >
    > F.
    >
    > On 6/13/05, Preetam wrote:
    >
    >
    > fsoliv wrote:
    > Ok, thank you for your emails.
    >
    > Can I extract the key from the kdb5_util dump utility?
    >
    > If so, which field represents the key?
    >
    > Regards,
    > F.
    >
    > On 6/13/05, Preetam Ramakrishna wrote:
    >
    >
    > Hi,
    >
    > Users' passwords are stored as keys in MIT kerberos. So, you
    > can extract the keys but not the passwords.
    >
    > Preetam
    >
    >
    >
    >
    >
    > fsoliv 6/13/2005 4:44:12 AM >>>
    >
    > Hello,
    >
    > I have the following problem:
    >
    > I would like to extract some of my users' passwords (which are stored
    > in Mit Kerberos) and insert them in Openldap.
    > How can I extract the users' password?
    >
    >
    > Best regards,
    >
    > F.
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    > Hi,
    >
    > You can use kadmin.local utility instead if you need to extract
    > only the key.
    >
    > Preetam
    >
    > >

    >
    >
    > Hi,
    >
    > You can run kadmin.local utility, then run the command
    > ktadd -k
    >
    > Preetam
    >


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  3. Re: Extract users kerberos passwords

    fsoliv wrote:

    >Ok, thank you for your emails.
    >
    >Can I extract the key from the kdb5_util dump utility?
    >
    >If so, which field represents the key?
    >
    >Regards,
    >F.
    >
    >On 6/13/05, Preetam Ramakrishna wrote:
    >
    >
    >>Hi,
    >>
    >> Users' passwords are stored as keys in MIT kerberos. So, you
    >>can extract the keys but not the passwords.
    >>
    >>Preetam
    >>
    >>
    >>
    >>>>>fsoliv 6/13/2005 4:44:12 AM >>>
    >>>>>
    >>>>>

    >>Hello,
    >>
    >>I have the following problem:
    >>
    >>I would like to extract some of my users' passwords (which are stored
    >>in Mit Kerberos) and insert them in Openldap.
    >>How can I extract the users' password?
    >>
    >>
    >>Best regards,
    >>
    >>F.
    >>
    >>________________________________________________
    >>Kerberos mailing list Kerberos@mit.edu
    >>https://mailman.mit.edu/mailman/listinfo/kerberos
    >>
    >>
    >>

    >
    >________________________________________________
    >Kerberos mailing list Kerberos@mit.edu
    >https://mailman.mit.edu/mailman/listinfo/kerberos
    >
    >
    >

    Hi,

    You can use kadmin.local utility instead if you need to
    extract only the key.

    Preetam
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: Extract users kerberos passwords

    Actually, the capability to transfer authentication information between
    databases (including FROM krb to anything) will be a feature that will
    be available in NeXauth, a product my company will be launching this
    summer. If you'd like to get some information about this prior to it
    coming out, please email me at cmh[at]netsteady.cc

    Thanks
    Chris Hutchison
    - - - - - - - - - - - - - - - - - - - -
    Christopher M. Hutchison, CEO
    NetSteady Communications, Ltd.
    P.O. Box 392
    Galloway, Ohio 43119

    Phone: 614-853-0091
    Skype: wifi_chris

    http://www.netsteady.cc


  5. Re: Extract users kerberos passwords

    MIT Kerberos has gone through a half-dozen different db dump formats,
    so precise instructions on how to extract the fields depends on the
    exact software version you have and the options you specify to the
    kdb5_dump command.

    Meanwhile, by default OpenLDAP does not have any module that recognizes
    what to do with a Kerberos key in the userPassword attribute. So once
    you figure out what to do to get the key out of the KDC, there's still
    a problem of what to do with it next.

    There is an indirect route that should work - in the OpenLDAP 2.3
    contrib directory there is a module that adds support for Samba
    passwords and Heimdal Kerberos keys (see
    contrib/slapd-modules/smbk5pwd). If you use the Heimdal Kerberos tools
    to import the MIT dump into Heimdal format, then you should be able to
    use the result with OpenLDAP. But there are a lot of steps to get there
    (starting with obtaining and installing the Heimdal source code).

    If you're interested in getting this to work, I think you should go all
    the way - you can run the Heimdal KDC directly on top of OpenLDAP,
    instead of using a flat file-based kerberos database. In this case, all
    of your Kerberos account information is stored as attributes of regular
    OpenLDAP account entries. Once you have the database loaded into
    OpenLDAP you can do all your account administration from there and you
    never need to run the Kerberos account management utilities any more.
    If building all of the packages seems like too much effort for you, my
    company (Symas Corp., http://www.symas.com) provides prepackaged
    binaries of all of the necessary software, ready to install. (OpenLDAP,
    Heimdal, OpenSSL, Cyrus SASL, BerkeleyDB, etc.)


+ Reply to Thread