keytab wrecks login - Kerberos


Thread: keytab wrecks login

  1. keytab wrecks login

    Debian Sarge
    MIT Kerberos packages (1.3.6)

    I am clearly not understanding something about how kerberos operates.
    If I add a principal to a keytab, I can no longer log in with a
    password?

    ....password is working here...
    1045# kadmin -p network/admin
    Authenticating as principal network/admin with password.
    Password for network/admin@MTHOLYOKE.EDU:

    ....add user to keytab...
    kadmin: ktadd -k /var/tmp/test.keytab network/admin
    Entry for principal network/admin with kvno 10, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/tmp/test.keytab.
    Entry for principal network/admin with kvno 10, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/var/tmp/test.keytab.
    kadmin: quit

    ....authenticate using password is now broken!... <=============== why???
    1047# kadmin -p network/admin
    Authenticating as principal network/admin with password.
    Password for network/admin@MTHOLYOKE.EDU:
    kadmin: Incorrect password while initializing kadmin interface

    ....authenticate using keytab works...
    1046# kadmin -p network/admin@MTHOLYOKE.EDU -t /var/tmp/test.keytab -k /var/tmp/test.keytab
    Authenticating as principal network/admin@MTHOLYOKE.EDU with keytab /var/tmp/test.keytab.
    kadmin: quit

    Any help would be appreciated. TIA.

    --
    Ron Peterson
    Network & Systems Manager
    Mount Holyoke College
    http://www.mtholyoke.edu/~rpeterso

  2. Re: keytab wrecks login


    > Debian Sarge
    > MIT Kerberos packages (1.3.6)
    >
    > I am clearly not understanding something about how kerberos operates.
    > If I add a principal to a keytab, I can no longer log in with a
    > password?


    Right: ktadd randomizes the key and increments the key version number.
    Instead, use "ktutil addent" to create the keytab, using the password.

    --
    Richard Silverman
    res@qoxp.net
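
    Added example, not code from the thread: a small Python reader and writer for the MIT keytab file layout (version 0x0502, big-endian, 16-bit counted strings) that lists the principal, kvno and enctype of each entry and flags entries whose kvno no longer matches the KDC's, which is the check to run when a keytab and a password stop agreeing as above. The function names, the dummy key bytes and the SAMPLE keytab are constructed here; the code assumes the keytab was written in the 0x0502 format.

```python
import struct
# Enctype numbers from the IANA Kerberos registry; 16 and 1 are the two ktadd wrote above.
ENCTYPES = {1: "des-cbc-crc", 16: "des3-cbc-sha1", 18: "aes256-cts-hmac-sha1-96"}

def build_entry(principal, kvno, enctype, key, timestamp=0):
    """Serialize one keytab v2 (0x0502) entry: big-endian, 16-bit counted strings."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:                 # realm first, then each name component
        b = s.encode()
        body += struct.pack(">H", len(b)) + b
    # name_type 1 (NT-PRINCIPAL), timestamp, 8-bit vno, then the keyblock
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)           # trailing 32-bit kvno field
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a v2 keytab; return a list of (principal, kvno, enctype_name, key)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                          # negative size marks a deleted entry
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _nt, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        # the 32-bit kvno is optional; fall back to the 8-bit field when absent
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        pos = end
        entries.append(("/".join(strings[1:]) + "@" + strings[0], kvno,
                        ENCTYPES.get(enctype, str(enctype)), key))
    return entries

def stale_entries(entries, kdc_kvno):
    """Entries whose kvno differs from the KDC's current one cannot authenticate."""
    return [e for e in entries if e[1] != kdc_kvno]

# Constructed sample: the two entries ktadd reported above, with dummy key bytes.
SAMPLE = (b"\x05\x02" + build_entry("network/admin@MTHOLYOKE.EDU", 10, 16, b"\x11" * 24)
          + build_entry("network/admin@MTHOLYOKE.EDU", 10, 1, b"\x22" * 8))
```

    An entry created with ktutil addent from the password must be given the kvno the KDC currently holds for the principal, otherwise stale_entries flags it and the client cannot decrypt what the KDC sends back.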


  3. Cross a firewall/NAT?

    Hi

    In my case, a client is in a physical subnet A with a private IP. Meanwhile,
    the server is in another physical subnet with a private IP. The client must
    cross NAT and firewall/gateway to access to the server. Does the Kerberos
    work in this case?

    Thanks for help in advance.

    -Yuzhong



    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  4. Re: keytab wrecks login


    Well that's handy to know. Is that an intentionally undocumented feature
    or should someone like myself submit a man page patch?

    -Mike

    > Right: ktadd randomizes the key and increments the key version number.
    > Instead, use "ktutil addent" to create the keytab, using the password.
    >
    > --
    > Richard Silverman
    > res@qoxp.net
    >



  5. Re: keytab wrecks login


    Something like this:

    --- ktutil.M 2006-07-11 23:16:06.000000000 -0500
    +++ ktutil.M.dop 2006-07-11 22:55:48.000000000 -0500
    @@ -43,11 +43,15 @@
    .BR clear .
    .TP
    \fBdelete_entry\fP \fIslot\fP
    -Delets the entry in slot number
    +Delete the entry in slot number
    .I slot
    -from the current keylist. Alais:
    +from the current keylist. Alias:
    .BR delent .
    .TP
    +\fBadd_entry\fP \(\-key \| \-password\) \-p \fIprincipal\fP \-k -fIkvno\fP \-e \fIenctype\fP
    +Add principal to keylist using key or password. Alias:
    +.BR addent .
    +.TP
    .BR list_requests
    Displays a listing of available commands. Aliases:
    .BR lr ,
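
    Review bot: in the added \fBadd_entry\fP line, `\-k -fIkvno\fP` has a broken font escape: `-fI` should be `\fI` (as in `\fIprincipal\fP` and `\fIenctype\fP` on the same line), otherwise the rendered page shows the literal text "-fIkvno". The one-line description would also serve readers hitting this thread's problem better if it said that `-password` derives the key from the principal's current password and leaves the KDC's key and kvno untouched, which is the reason to use it instead of ktadd.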


    > Well that's handy to know. Is that an intentionally undocumented feature
    > or should someone like myself submit a man page patch?
    >
    > -Mike
    >
    >> Right: ktadd randomizes the key and increments the key version number.
    >> Instead, use "ktutil addent" to create the keytab, using the password.
    >>
    >> --
    >> Richard Silverman
    >> res@qoxp.net
    >>



  6. Re: keytab wrecks login

    >>>>> "MD" == Mike Dopheide writes:

    Sure, I would think so -- I hadn't noticed that it was missing from the
    man page.

    MD> Well that's handy to know. Is that an intentionally undocumented
    MD> feature or should someone like myself submit a man page patch?

    MD> -Mike

    >> Right: ktadd randomizes the key and increments the key version
    >> number. Instead, use "ktutil addent" to create the keytab, using
    >> the password.
    >>
    >> -- Richard Silverman res@qoxp.net
    >>



    --
    Richard Silverman
    res@qoxp.net


  7. Re: keytab wrecks login

    I may have jumped the gun on you Mike, at least for Fedora Core 5 (FC5):
    https://bugzilla.redhat.com/bugzilla....cgi?id=198500. Certainly
    add your comments, "Well that's handy to know,"--love it--and patch if
    you care to.

    In trying (still) to get NFSv4 working with Kerberos on FC5 I look for
    better documentation, e.g., a more thorough treatment of, "ktadd
    randomizes the key and increments the key version number."

    Cheers,
    Andrew


    Richard E. Silverman wrote:
    >>>>>> "MD" == Mike Dopheide writes:
    >>>>>>

    >
    > Sure, I would think so -- I hadn't noticed that it was missing from the
    > man page.
    >
    > MD> Well that's handy to know. Is that an intentionally undocumented
    > MD> feature or should someone like myself submit a man page patch?
    >
    > MD> -Mike
    >
    > >> Right: ktadd randomizes the key and increments the key version
    > >> number. Instead, use "ktutil addent" to create the keytab, using
    > >> the password.
    > >>
    > >> -- Richard Silverman res@qoxp.net
    > >>




  8. Re: keytab wrecks login

    "Andrew B Young" writes:

    > I may have jumped the gun on you Mike, at least for Fedora Core 5 (FC5):
    > https://bugzilla.redhat.com/bugzilla....cgi?id=198500. Certainly
    > add your comments, "Well that's handy to know,"--love it--and patch if
    > you care to.


    Submitting this sort of patch to Red Hat's bugzilla rather than to the MIT
    RT bug tracking system is somewhat less than ideal, although hopefully Red
    Hat will just forward the bug upstream. They don't always, though, and we
    may as well fix the bug for everyone, not just people using Red Hat.

    Thankfully, I was reading this thread, so I'll get the patch committed to
    the MIT tree.

    --
    Russ Allbery (rra@stanford.edu)

  9. Re: keytab wrecks login

    Mike Dopheide writes:

    > Something like this:


    Thanks, applied.

    > --- ktutil.M 2006-07-11 23:16:06.000000000 -0500
    > +++ ktutil.M.dop 2006-07-11 22:55:48.000000000 -0500
    > @@ -43,11 +43,15 @@
    > .BR clear .
    > .TP
    > \fBdelete_entry\fP \fIslot\fP
    > -Delets the entry in slot number
    > +Delete the entry in slot number
    > .I slot
    > -from the current keylist. Alais:
    > +from the current keylist. Alias:
    > .BR delent .
    > .TP
    > +\fBadd_entry\fP \(\-key \| \-password\) \-p \fIprincipal\fP \-k -fIkvno\fP \-e \fIenctype\fP
    > +Add principal to keylist using key or password. Alias:
    > +.BR addent .
    > +.TP
    > .BR list_requests
    > Displays a listing of available commands. Aliases:
    > .BR lr ,


    --
    Russ Allbery (rra@stanford.edu)
