Meditation, The Art of Exploitation

Thinking? At last I have discovered it--thought; this alone is inseparable from me. I am, I exist--that is certain. But for how long? For as long as I am thinking. For it could be, that were I totally to cease from thinking, I should totally cease to exist....I am, then, in the strict sense only a thing that thinks.

Tuesday, December 12, 2006

Kerberos-based authentication

An overview of the Kerberos authentication method is given by Wikipedia. Following Red Hat's administrator's guide on setting up a Kerberos server and client, one can start testing Kerberos authentication. A common issue encountered, I imagine, is this error message in the log:

Dec 12 15:09:26 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: CLIENT_NOT_FOUND: feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM, Client not found in Kerberos database
Dec 12 15:09:26 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: CLIENT_NOT_FOUND: feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM, Client not found in Kerberos database

==> /var/log/krb5kdc.log <==
Dec 12 15:15:55 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: ISSUE: authtime 1165954555, etypes {rep=16 tkt=16 ses=16}, feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM
Dec 12 15:15:55 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: ISSUE: authtime 1165954555, etypes {rep=16 tkt=16 ses=16}, feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM

'Client not found in Kerberos database' is the result of a missing principal in the KDC database. Again, Ethereal or tcpdump are invaluable for diagnosing the network traffic pattern and figuring out what's happening. At the Linux console,
# kinit feiliu/admin@NETILLA.COM
Password for feiliu/admin@NETILLA.COM:
[root@maple ~]# kadmin
Authenticating as principal feiliu/admin@NETILLA.COM with password.
Password for feiliu/admin@NETILLA.COM:
kadmin: ?
Available kadmin requests:

add_principal, addprinc, ank
Add principal
delete_principal, delprinc
Delete principal
modify_principal, modprinc
Modify principal
change_password, cpw Change password
get_principal, getprinc Get principal
list_principals, listprincs, get_principals, getprincs
List principals
add_policy, addpol Add policy
modify_policy, modpol Modify policy
delete_policy, delpol Delete policy
get_policy, getpol Get policy
list_policies, listpols, get_policies, getpols
List policies
get_privs, getprivs Get privileges
ktadd, xst Add entry(s) to a keytab
ktremove, ktrem Remove entry(s) from a keytab
lock Lock database exclusively (use with extreme caution!)
unlock Release exclusive database lock
list_requests, lr, ? List available requests.
quit, exit, q Exit program.
kadmin: getprincs
K/M@NETILLA.COM
feiliu/admin@NETILLA.COM
feiliu/firewood.netilla.com@NETILLA.COM
host/firewood.netilla.com@NETILLA.COM
kadmin/admin@NETILLA.COM
kadmin/changepw@NETILLA.COM
kadmin/history@NETILLA.COM
kadmin/maple@NETILLA.COM
krbtgt/NETILLA.COM@NETILLA.COM

which confirms that the missing principal 'feiliu/NETILLA.COM@NETILLA.COM' is indeed not in the KDC database. Create this entry:
kadmin: addprinc feiliu@NETILLA.COM
WARNING: no policy specified for feiliu@NETILLA.COM; defaulting to no policy
Enter password for principal "feiliu@NETILLA.COM":
Re-enter password for principal "feiliu@NETILLA.COM":
Principal "feiliu@NETILLA.COM" created.
kadmin.local: getprincs
K/M@NETILLA.COM
feiliu/NETILLA.COM@NETILLA.COM
feiliu/admin@NETILLA.COM
feiliu/firewood.netilla.com@NETILLA.COM
feiliu@NETILLA.COM
host/firewood.netilla.com@NETILLA.COM
kadmin/admin@NETILLA.COM
kadmin/changepw@NETILLA.COM
kadmin/history@NETILLA.COM
kadmin/maple@NETILLA.COM
krbtgt/NETILLA.COM@NETILLA.COM

Try again from the Kerberos client: authentication now succeeds, and the KDC log shows the corresponding ISSUE lines with valid credential information.
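As an added example (not part of the original post), a small Python parser for the krb5kdc.log AS_REQ lines shown above: it extracts client, service, source IP and result, reports principals whose requests only ever produced CLIENT_NOT_FOUND (still absent from the KDC database), and flags tickets issued with weak enctypes. The sample log, the client alice@NETILLA.COM and the TGS_REQ line are constructed for the demo; the enctype numbers are the standard Kerberos assignments.

```python
import re
from collections import defaultdict

# Constructed sample: the two AS_REQ lines quoted from krb5kdc.log above, a hypothetical
# client "alice@NETILLA.COM" that never gets created, and a TGS_REQ line to be skipped.
SAMPLE_LOG = """\
Dec 12 15:09:26 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: CLIENT_NOT_FOUND: feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM, Client not found in Kerberos database
Dec 12 15:10:02 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: CLIENT_NOT_FOUND: alice@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM, Client not found in Kerberos database
Dec 12 15:15:55 maple.netilla.com krb5kdc[29641](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: ISSUE: authtime 1165954555, etypes {rep=16 tkt=16 ses=16}, feiliu@NETILLA.COM for krbtgt/NETILLA.COM@NETILLA.COM
Dec 12 15:16:10 maple.netilla.com krb5kdc[29641](info): TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.34: ISSUE: authtime 1165954555, etypes {rep=16 tkt=16 ses=16}, feiliu@NETILLA.COM for host/firewood.netilla.com@NETILLA.COM
"""

AS_REQ_RE = re.compile(  # timestamp, KDC host, offered etypes, client IP, result, remainder
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<kdc>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"AS_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$")
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<service>[^\s,]+)")
ISSUED_RE = re.compile(r"etypes \{rep=(\d+) tkt=(\d+) ses=(\d+)\}")
WEAK_ETYPES = {1, 2, 3, 23}  # single DES (1, 2, 3) and RC4-HMAC (23)

def parse_as_req(line):
    """Parse one AS_REQ line into a dict; return None for any other line."""
    m = AS_REQ_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    p = PRINC_RE.search(rest)  # "<client> for <service>" appears in both ISSUE and error lines
    rec["client"], rec["service"] = (p.group("client"), p.group("service")) if p else (None, None)
    rec["offered"] = [int(e) for e in rec["offered"].split()]
    i = ISSUED_RE.search(rest)  # only ISSUE lines carry the enctypes actually used
    rec["issued"] = dict(zip(("rep", "tkt", "ses"), map(int, i.groups()))) if i else None
    return rec

def summarize(log_text):
    """Return (missing, weak): clients whose AS_REQs only ever got CLIENT_NOT_FOUND
    (principals absent from the KDC database) and ISSUEs that used a weak enctype."""
    status_by_client, weak = defaultdict(set), []
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec is None:
            continue
        status_by_client[rec["client"]].add(rec["status"])
        if rec["issued"] and WEAK_ETYPES & set(rec["issued"].values()):
            weak.append((rec["client"], rec["issued"]))
    missing = sorted(c for c, s in status_by_client.items() if s == {"CLIENT_NOT_FOUND"})
    return missing, weak

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real /var/log/krb5kdc.log by passing the file contents to summarize(); a principal listed as missing is the one to look for with getprincs and create with addprinc.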