keytab file format - exporting arcfour keys from active directory - Kerberos



Thread: keytab file format - exporting arcfour keys from active directory

  1. keytab file format - exporting arcfour keys from active directory

    Hi,

    Is there any documentation on the keytab file format? From scanning
    the code the rules are not clear and leaves me wanting of definitive
    documentation.

    I want to write an encoder (and I suppose decoder) in plain C for
    inclusion in the pwdump2 [1] program for exporting Kerberos keys from a
    MS Windows domain controller. This would be largely for debugging purposes
    (e.g. for Ethereal to decrypt things).

    If someone would be kind enough to provide me with the details I
    will furnish a web page with the modified program, source code, and
    documentation.

    Thanks,
    Mike

    [1] http://www.bindview.com/Services/raz...mp2_readme.cfm
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: keytab file format - exporting arcfour keys from active directory

    > Date: Mon, 1 May 2006 14:47:06 -0400
    > From: Michael B Allen
    > To: kerberos@mit.edu
    > Subject: keytab file format - exporting arcfour keys from active directory
    >
    > Hi,
    >
    > Is there any documentation on the keytab file format? From scanning
    > the code the rules are not clear and leaves me wanting of definitive
    > documentation.
    >
    > I want to write an encoder (and I suppose decoder) in plain C for
    > inclusion in the pwdump2 [1] program for exporting Kerberos keys from a
    > MS Windows domain controller. This would be largely for debugging purposes
    > (e.g. for Ethereal to decrypt things).
    >
    > If someone would be kind enough to provide me with the details I
    > will furnish a web page with the modified program, source code, and
    > documentation.
    >
    > Thanks,
    > Mike



    Following is a comment I left myself when I was doing a similar exercise.
    General format:
    offset length purpose
    VNO = 2 means "new version"; likely to be always true.
    Caveat: this isn't guaranteed to be even vaguely accurate or even
    particularly understandable. This will probably make more sense if
    you go through several keytab dumps by hand and decode them.
    Also: beware keytype -- it may matter that that should be a 16-bit *signed* int.

    /*
     *
     * keytab format:
     *
     * head:
     *   0     1       5
     *   1     1       VNO 1 or 2
     * per entry:
     *   0     4       len (excludes len)
     *   4     2       count of princ components (pc)
     *   6     2       length realm (rl)
     *   8     rl      realm
     *   REP *pc {
     *     0   2       length nl
     *     2   nl      name-component
     *   }
     *   IF new? {
     *     xxx 4       name-type
     *   }
     *   xxx   4       timestamp
     *   xxx   1       vno
     *   {
     *     0   2       keytype
     *     2   2       keylen
     *     4   keylen  keydata
     *   }
     *   POSSIBLE if length left {
     *     xxx 4       vno
     *   }
     */

    -Marcus Watts
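    As an added illustration of the layout in the comment above (this is not code from the thread or from any Kerberos implementation), the following C encoder and decoder write and read a version-2 keytab holding a single entry. It assumes big-endian integers throughout, which the comment does not state but which MIT and Heimdal files use; the function names kt_encode/kt_decode, the kt_entry struct and all sample values (principal, enctype 23 for RC4-HMAC, key bytes, timestamp) are constructed for the example. The decoder treats keytype as a signed 16-bit value, bounds-checks every field against the entry length, and only reads the trailing 32-bit kvno when bytes remain, which is the "POSSIBLE if length left" rule above.

```c
/* Added example, not code from the thread: a minimal encoder/decoder for the
 * version-2 keytab layout described in Marcus Watts's comment. Integers are
 * big-endian (true of MIT/Heimdal files, though the comment does not say so);
 * all sample values below are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    char realm[64];
    uint16_t ncomp;
    char comp[4][64];
    uint32_t name_type;   /* present only in version-2 files */
    uint32_t timestamp;
    uint8_t vno8;         /* the 8-bit kvno that runs out of room (see post 8) */
    int16_t keytype;      /* signed 16-bit, as the caveat above warns */
    uint16_t keylen;
    uint8_t key[64];
    uint32_t vno32;       /* optional trailing 32-bit kvno extension */
} kt_entry;

static void put16(uint8_t **p, uint16_t v) { (*p)[0] = (uint8_t)(v >> 8); (*p)[1] = (uint8_t)v; *p += 2; }
static void put32(uint8_t **p, uint32_t v) { put16(p, (uint16_t)(v >> 16)); put16(p, (uint16_t)v); }
static uint16_t get16(const uint8_t **p) { uint16_t v = (uint16_t)(((*p)[0] << 8) | (*p)[1]); *p += 2; return v; }
static uint32_t get32(const uint8_t **p) { uint32_t hi = get16(p); return (hi << 16) | get16(p); }
static void put_str(uint8_t **p, const char *s) { uint16_t n = (uint16_t)strlen(s); put16(p, n); memcpy(*p, s, n); *p += n; }

/* Serialise the 2-byte header plus one entry; returns bytes written, or -1 if buf is too small. */
int kt_encode(const kt_entry *e, uint8_t *buf, size_t cap) {
    size_t need = 2 + 4 + 2 + 2 + strlen(e->realm) + 4 + 4 + 1 + 2 + 2 + e->keylen + 4;
    uint8_t *p = buf, *lenpos, *start;
    if (e->ncomp > 4 || e->keylen > sizeof e->key) return -1;
    for (uint16_t i = 0; i < e->ncomp; i++) need += 2 + strlen(e->comp[i]);
    if (need > cap) return -1;
    *p++ = 5; *p++ = 2;                 /* magic 0x05, format version 2 */
    lenpos = p; p += 4; start = p;      /* entry length is patched in at the end */
    put16(&p, e->ncomp);
    put_str(&p, e->realm);
    for (uint16_t i = 0; i < e->ncomp; i++) put_str(&p, e->comp[i]);
    put32(&p, e->name_type);
    put32(&p, e->timestamp);
    *p++ = e->vno8;
    put16(&p, (uint16_t)e->keytype);
    put16(&p, e->keylen); memcpy(p, e->key, e->keylen); p += e->keylen;
    put32(&p, e->vno32);
    put32(&lenpos, (uint32_t)(p - start));   /* "len (excludes len)" */
    return (int)(p - buf);
}

/* Read one length-prefixed string; fails if it runs past end or would overflow dst. */
static int get_str(const uint8_t **p, const uint8_t *end, char *dst, size_t cap) {
    uint16_t n;
    if (end - *p < 2) return -1;
    n = get16(p);
    if (n >= cap || (size_t)(end - *p) < n) return -1;
    memcpy(dst, *p, n); dst[n] = 0; *p += n;
    return 0;
}

/* Parse the header plus the first entry; returns 0 on success, negative on malformed input. */
int kt_decode(const uint8_t *buf, size_t len, kt_entry *e) {
    const uint8_t *p = buf, *end;
    uint32_t elen;
    memset(e, 0, sizeof *e);
    if (len < 6 || buf[0] != 5 || buf[1] != 2) return -1;   /* only version 2 handled here */
    p += 2;
    elen = get32(&p);
    if (elen > len - 6) return -2;        /* entry claims more bytes than the file holds */
    end = p + elen;
    if (end - p < 2) return -3;
    e->ncomp = get16(&p);
    if (e->ncomp > 4 || get_str(&p, end, e->realm, sizeof e->realm)) return -3;
    for (uint16_t i = 0; i < e->ncomp; i++)
        if (get_str(&p, end, e->comp[i], sizeof e->comp[i])) return -4;
    if (end - p < 4 + 4 + 1 + 2 + 2) return -5;
    e->name_type = get32(&p);
    e->timestamp = get32(&p);
    e->vno8 = *p++;
    e->keytype = (int16_t)get16(&p);
    e->keylen = get16(&p);
    if (e->keylen > sizeof e->key || (size_t)(end - p) < e->keylen) return -6;
    memcpy(e->key, p, e->keylen); p += e->keylen;
    /* "POSSIBLE if length left": the 32-bit kvno exists only if bytes remain in the entry. */
    e->vno32 = (end - p >= 4) ? get32(&p) : e->vno8;
    return 0;
}

/* Constructed sample: host/kdc.example.com@EXAMPLE.COM, enctype 23 (RC4-HMAC, "arcfour"), kvno 300. */
static kt_entry sample(void) {
    kt_entry e; memset(&e, 0, sizeof e);
    strcpy(e.realm, "EXAMPLE.COM");
    e.ncomp = 2; strcpy(e.comp[0], "host"); strcpy(e.comp[1], "kdc.example.com");
    e.name_type = 1;                       /* NT-PRINCIPAL */
    e.timestamp = 1146498426;              /* a constructed 2006-05-01 timestamp */
    e.keytype = 23; e.keylen = 16;
    memset(e.key, 0xAB, 16);               /* constructed placeholder key bytes */
    e.vno8 = 300 & 0xff;                   /* 300 does not fit in 8 bits: wraps to 44 */
    e.vno32 = 300;                         /* the extension field carries the real value */
    return e;
}

/* Returns 1 if encode -> decode reproduces the sample, including the 32-bit kvno. */
int kt_roundtrip_ok(void) {
    uint8_t buf[256]; kt_entry in = sample(), out;
    int n = kt_encode(&in, buf, sizeof buf);
    if (n < 0 || kt_decode(buf, (size_t)n, &out) != 0) return 0;
    return strcmp(out.realm, in.realm) == 0 && out.ncomp == 2 &&
           strcmp(out.comp[1], "kdc.example.com") == 0 && out.keytype == 23 &&
           out.keylen == 16 && memcmp(out.key, in.key, 16) == 0 &&
           out.vno8 == 44 && out.vno32 == 300;
}

/* Returns 1 if a file truncated mid-entry is rejected instead of read past its end. */
int kt_truncation_rejected(void) {
    uint8_t buf[256]; kt_entry in = sample(), out;
    int n = kt_encode(&in, buf, sizeof buf);
    return n > 20 && kt_decode(buf, (size_t)n - 10, &out) < 0;
}

int main(void) {
    uint8_t buf[256]; kt_entry e = sample(), d;
    int n = kt_encode(&e, buf, sizeof buf);
    if (n < 0 || kt_decode(buf, (size_t)n, &d) != 0) { puts("encode/decode failed"); return 1; }
    printf("%d bytes: %s/%s@%s enctype %d kvno8 %u kvno32 %u\n",
           n, d.comp[0], d.comp[1], d.realm, d.keytype, d.vno8, d.vno32);
    return 0;
}
```

    The sample deliberately uses kvno 300 so the wrapped 8-bit field (44) and the trailing 32-bit field (300) differ; a reader that ignores the extension would silently report the wrong key version, which is exactly the limitation the later posts in this thread discuss.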


  3. Re: keytab file format - exporting arcfour keys from active directory

    We'd really prefer you just call into a krb5_32.dll. That will
    continue to work if the keytab format changes in the future.

    For example we're in the middle of coordinating on a change to how key
    versions are handled.



  4. Re: keytab file format - exporting arcfour keys from active directory

    On Mon, 01 May 2006 17:13:13 -0400
    Sam Hartman wrote:

    > We'd really prefer you just call into a krb5_32.dll. That will
    > continue to work if the keytab format changes in the future.


    I don't think asking people to install an MIT kerberos dll on a Windows
    KDC would go over well. I think I'll stick to standard C.

    Mike


  5. Re: keytab file format - exporting arcfour keys from active directory

    Michael B Allen wrote:
    > On Mon, 01 May 2006 17:13:13 -0400
    > Sam Hartman wrote:
    >
    >> We'd really prefer you just call into a krb5_32.dll. That will
    >> continue to work if the keytab format changes in the future.

    >
    > I don't think asking people to install an MIT kerberos dll on a Windows
    > KDC would go over well. I think I'll stick to standard C.
    >
    > Mike


    Why not? People do it all the time. Besides what language do you
    think the DLL was compiled from? "C".

    Jeffrey Altman

  6. Re: keytab file format - exporting arcfour keys from active directory

    Various wrote:
    > Message-ID: <44569531.5080008@nyc.rr.com>
    > From: Jeffrey Altman
    > Subject: Re: keytab file format - exporting arcfour keys from active directory
    > Date: Mon, 01 May 2006 23:08:32 GMT
    > Organization: Road Runner High Speed Online http://www.rr.com
    > To: kerberos@mit.edu
    >
    > Michael B Allen wrote:
    > > On Mon, 01 May 2006 17:13:13 -0400
    > > Sam Hartman wrote:
    > >
    > >> We'd really prefer you just call into a krb5_32.dll. That will
    > >> continue to work if the keytab format changes in the future.

    > >
    > > I don't think asking people to install an MIT kerberos dll on a Windows
    > > KDC would go over well. I think I'll stick to standard C.
    > >
    > > Mike

    >
    > Why not? People do it all the time. Besides what language do you
    > think the DLL was compiled from? "C".
    >
    > Jeffrey Altman
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >


    I can understand not wanting to make this file format
    very permanent. I think it might be nice to have *some*
    format that is reasonably permanent and usable cross-platform,
    between different languages & all. So far, we have:
    mit kerberos
    heimdal kerberos
    microsoft
    shishi
    ... not to mention several vendor adaptations of mit,
    several java implementations of kerberos, etc.
    The heimdal folks seem to have bothered to figure out the file format.
    Apparently Microsoft today can also make keytabs. I don't know if they
    have any sort of public native API to read/write them. The shishi
    folks don't yet have logic to do this, probably in part due to the lack
    of documentation. The shishi folks *do* have their own keyfile
    format. Nevertheless, this is on their project list. So the MIT folks
    have already got significant compatibility issues to work out, at least
    with past versions of themselves, & if they care, also with heimdal,
    microsoft, and any other vendors or environments with which they wish
    to interoperate.

    I think this is an area where it would pay more to actually come up
    with a standard - ideally for keytab file formats, or failing that,
    some sort of import/export stringified key exchange text standard.

    -Marcus


  7. Re: keytab file format - exporting arcfour keys from active directory

    List,

    I would suggest just documenting the 5 2 format of keytab files properly and
    make it the "official" file format for now.
    I can put a wiki page up on wiki.ethereal.com that documents the format.

    The file format is used by various tools and products already and all have
    basically had to reverse engineer the
    format independently.

    Let's call this format a de facto standard for keytab files.

    MIT uses this format
    Heimdal uses this format.
    Microsoft's KTPASS utility writes this format
    Samba4 has some tool that creates/writes files in this format.
    Ethereal will soonish read this format natively for BTN_KERBEROS (better
    than nothing) that would be an rc4 only fallback mode when neither mit nor
    heimdal is available to link with.
    Mr Allen is writing a keytab encoder as well.
    I know of several other proprietary kerberos client implementations that use
    the same format as well.


    There are many situations where one wants to read/write keytab files,
    something which only requires at most a couple of hundred
    lines of simple C-code and where one for various reasons does not want to link
    with a full blown huge kerberos implementation.
    There are also situations where one wants to be able to read/write such
    files on platforms or hosts where there are no kerberos libraries installed.


    ronnie

    On 5/2/06, Marcus Watts wrote:
    >
    > Various wrote:
    > > Message-ID: <44569531.5080008@nyc.rr.com>
    > > From: Jeffrey Altman
    > > Subject: Re: keytab file format - exporting arcfour keys from active directory
    > > Date: Mon, 01 May 2006 23:08:32 GMT
    > > Organization: Road Runner High Speed Online http://www.rr.com
    > > To: kerberos@mit.edu
    > >
    > > Michael B Allen wrote:
    > > > On Mon, 01 May 2006 17:13:13 -0400
    > > > Sam Hartman wrote:
    > > >
    > > >> We'd really prefer you just call into a krb5_32.dll. That will
    > > >> continue to work if the keytab format changes in the future.
    > > >
    > > > I don't think asking people to install an MIT kerberos dll on a Windows
    > > > KDC would go over well. I think I'll stick to standard C.
    > > >
    > > > Mike

    > >
    > > Why not? People do it all the time. Besides what language do you
    > > think the DLL was compiled from? "C".
    > >
    > > Jeffrey Altman
    > > ________________________________________________
    > > Kerberos mailing list Kerberos@mit.edu
    > > https://mailman.mit.edu/mailman/listinfo/kerberos
    > >

    >
    > I can understand not wanting to make this file format
    > very permanent. I think it might be nice to have *some*
    > format that is reasonably permanent and usable cross-platform,
    > between different languages & all. So far, we have:
    > mit kerberos
    > heimdal kerberos
    > microsoft
    > shishi
    > ... not to mention several vendor adaptations of mit,
    > several java implementations of kerberos, etc.
    > The heimdal folks seem to have bothered to figure out the file format.
    > Apparently Microsoft today can also make keytabs. I don't know if they
    > have any sort of public native API to read/write them. The shishi
    > folks don't yet have logic to do this, probably in part due to the lack
    > of documentation. The shishi folks *do* have their own keyfile
    > format. Nevertheless, this is on their project list. So the MIT folks
    > have already got significant compatibility issues to work out, at least
    > with past versions of themselves, & if they care, also with heimdal,
    > microsoft, and any other vendors or environments with which they wish
    > to interoperate.
    >
    > I think this is an area where it would pay more to actually come up
    > with a standard - ideally for keytab file formats, or failing that,
    > some sort of import/export stringified key exchange text standard.
    >
    > -Marcus
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos
    >



  8. Re: keytab file format - exporting arcfour keys from active directory

    Marcus Watts wrote:

    > I can understand not wanting to make this file format
    > very permanent.


    It's not a question of making the file format permanent
    or not. The file format is extensible and it is documented
    in the source code. The Kerberos vendors work together
    and as such MIT, Heimdal and Microsoft all implement the
    same format. Unfortunately, the Java team got it wrong
    and have only recently corrected it.

    The problem with the existing format is that it does not
    have enough space to represent the entire set of key version
    numbers that can be issued for a principal. Organizations
    that replace DES keys on a daily basis will run out of kvnos
    in well under a year. Therefore, the format needs to be
    extended. When we do so we would prefer to be able to upgrade
    applications by replacing our libraries rather than requiring
    that application vendors re-write their apps.

    We have a similar problem with the FILE: ccache format
    because the existing format cannot represent 64-bit time
    values.

    Jeffrey Altman
