From Amila Jayasekara <ami...@wso2.com>
Subject Re: Requesting TGT using Kinit when principal's password type is MD5
Date Mon, 06 Sep 2010 08:08:26 GMT
Also, is it possible to achieve this (Kerberos authentication against
hashed passwords) by some other mechanism? Maybe by enabling
pre-authentication?

Thanks
AmilaJ

Amila Jayasekara wrote:
> Hi Stefan,
>    Thank you very much for the reply.
>    Will there be a new release with support for hashed passwords in the
> near future?
> Thanks
> AmilaJ
>
> Stefan Seelmann wrote:
>>
>> Hi Amila,
>>
>> The current implementation requires a plain text password, because 
>> the krb5 keys are derived from the password.
>>
>> Kind regards,
>> Stefan
>>
>> On Sep 6, 2010 5:02 AM, "Amila Jayasekara" <amilaj@wso2.com> wrote:
>> > Hi All,
>> > I am using the Kerberos server which comes with apacheds. Currently I am
>> > facing a strange problem with that. Let me explain the scenario in detail.
>> > I am requesting a TGT using the "kinit" program. For this I am executing the
>> > following command,
>> >
>> > > kinit hnelson@EXAMPLE.COM
>> >
>> > I was able to successfully retrieve a ticket when hnelson@EXAMPLE.COM's
>> > password is plain text. But when I convert the principal's
>> > (hnelson@EXAMPLE.COM) password type to MD5, I was not able to get the
>> > ticket. I am getting an error saying "kinit: Password incorrect while
>> > getting initial credentials".
>> >
>> > aj@wso2:~/development/Tools/LDAP/apacheds-1.5.5$ kinit hnelson@EXAMPLE.COM
>> > Password for hnelson@EXAMPLE.COM:
>> > kinit: Password incorrect while getting initial credentials
>> >
>> > Below I have pasted the log output of the apacheds server for the above
>> > request. According to the log output, the server has not encountered any
>> > error and has successfully authenticated the principal. The
>> > response AS_REPLY has also been sent back to the client. Now I am a bit confused
>> > about what has gone wrong. Note that, for this particular case, I have disabled
>> > pre-authentication on the server. I believe this has something to do with
>> > the way the kinit program works. But I couldn't get more information from
>> > kinit. Therefore I am not able to find any cause for this error.
>> >
>> > I am really grateful if someone can help me to understand what has gone
>> > wrong here.
>> >
>> > Thanks
>> > AmilaJ
>> >
>> > ======================================================================
>> >
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 CREATED: datagram
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 OPENED
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 RCVD: org.apache.directory.server.kerberos.shared.messages.KdcRequest@2c3299f6
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Received Authentication Service (AS) request:
>> > messageType: AS_REQ
>> > protocolVersionNumber: 5
>> > clientAddress: 0:0:0:0:0:0:0:1
>> > nonce: 1457316737
>> > kdcOptions: FORWARDABLE PROXIABLE RENEWABLE_OK
>> > clientPrincipal: hnelson@EXAMPLE.COM
>> > serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > encryptionType: des-cbc-md5 (3), rc4-hmac (23), aes128-cts-hmac-sha1-96 (17), des3-cbc-sha1-kd (16), des-cbc-crc (1), aes256-cts-hmac-sha1-96 (18), des-cbc-md4 (2)
>> > realm: EXAMPLE.COM
>> > from time: 20100906024426Z
>> > till time: 20100907024426Z
>> > renew-till time: null
>> > hostAddresses: null
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Session will use encryption type des-cbc-md5 (3).
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>> > dn[n]: uid=hnelson,ou=Users,dc=example,dc=com
>> > objectClass: organizationalPerson
>> > objectClass: person
>> > objectClass: krb5Principal
>> > objectClass: inetOrgPerson
>> > objectClass: krb5KDCEntry
>> > objectClass: top
>> > uid: hnelson
>> > sn: Nelson
>> > krb5PrincipalName: hnelson@EXAMPLE.COM
>> > krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0xC7 0x86 0x58 0x23 0x98 ...'
>> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0xC6 0x4B 0xD6 0xFE 0x30 ...'
>> > krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x7A 0xB6 0x43 0x9D 0xF7 ...'
>> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x27 0xD9 0xE6 0xA4 0x66 ...'
>> > krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x4A 0xCE 0xDE 0xEC 0x20 ...'
>> > krb5KeyVersionNumber: 7
>> > cn: Horatio Nelson
>> > userPassword: '0x7B 0x4D 0x44 0x35 0x7D 0x58 0x72 0x34 0x69 0x6C 0x4F 0x7A 0x51 0x34 0x50 0x43 ...'
>> > for kerberos principal name hnelson@EXAMPLE.COM
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using SAM subsystem.
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Verifying using encrypted timestamp.
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Entry for client principal hnelson@EXAMPLE.COM has no SAM type.
>> > Proceeding with standard pre-authentication.
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Pre-authentication by encrypted timestamp successful for hnelson@EXAMPLE.COM.
>> > [07:44:26] DEBUG [org.apache.directory.server.kerberos.shared.store.operations.StoreUtils] - Found entry ServerEntry
>> > dn[n]: uid=krbtgt,ou=Users,dc=example,dc=com
>> > objectClass: organizationalPerson
>> > objectClass: person
>> > objectClass: krb5Principal
>> > objectClass: inetOrgPerson
>> > objectClass: krb5KDCEntry
>> > objectClass: top
>> > uid: krbtgt
>> > sn: Service
>> > userPassword: '0x73 0x65 0x63 0x72 0x65 0x74 '
>> > krb5PrincipalName: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > krb5Key: '0x30 0x29 0xA0 0x03 0x02 0x01 0x12 0xA1 0x22 0x04 0x20 0x25 0x07 0x25 0x68 0x76 ...'
>> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x17 0xA1 0x12 0x04 0x10 0x87 0x8D 0x80 0x14 0x60 ...'
>> > krb5Key: '0x30 0x11 0xA0 0x03 0x02 0x01 0x03 0xA1 0x0A 0x04 0x08 0x98 0x07 0x37 0x31 0xD9 ...'
>> > krb5Key: '0x30 0x21 0xA0 0x03 0x02 0x01 0x10 0xA1 0x1A 0x04 0x18 0x0D 0x79 0x98 0x29 0x20 ...'
>> > krb5Key: '0x30 0x19 0xA0 0x03 0x02 0x01 0x11 0xA1 0x12 0x04 0x10 0x64 0xEB 0x5E 0xDE 0x49 ...'
>> > krb5KeyVersionNumber: 0
>> > cn: KDC Service
>> > for kerberos principal name krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Ticket will be issued for access to krbtgt/EXAMPLE.COM@EXAMPLE.COM.
>> > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Monitoring Authentication Service (AS) context:
>> > clockSkew 300000
>> > clientAddress /0:0:0:0:0:0:0:1
>> > principal hnelson@EXAMPLE.COM
>> > cn null
>> > realm null
>> > principal hnelson@EXAMPLE.COM
>> > SAM type null
>> > principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > cn null
>> > realm null
>> > principal krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > SAM type null
>> > Request key type des-cbc-md5 (3)
>> > Client key version 0
>> > Server key version 0
>> > [07:44:27] DEBUG [org.apache.directory.server.kerberos.kdc.authentication.AuthenticationService] - Responding with Authentication Service (AS) reply:
>> > messageType: AS_REP
>> > protocolVersionNumber: 5
>> > nonce: 1457316737
>> > clientPrincipal: hnelson@EXAMPLE.COM
>> > client realm: EXAMPLE.COM
>> > serverPrincipal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
>> > server realm: EXAMPLE.COM
>> > auth time: 20100906024427Z
>> > start time: null
>> > end time: 20100907024426Z
>> > renew-till time: null
>> > hostAddresses: null
>> > [07:44:27] DEBUG [org.apache.directory.server.kerberos.protocol.KerberosProtocolHandler] - /0:0:0:0:0:0:0:1:57572 SENT: org.apache.directory.server.kerberos.shared.messages.AuthenticationReply@1a87ad67
>> >
>>
>
>
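The krb5Key values in the quoted log are DER-encoded Kerberos EncryptionKey structures (RFC 4120, 5.2.9), which is why the KDC needs a plaintext password: the keys are derived from it by string-to-key and cannot be recovered from an MD5 userPassword hash. The decoder below is an added example, not code from ApacheDS or this thread; it parses such values, checks that each key has the length its etype requires, and constructs sample values whose header bytes match the log (the key bytes are filler, not real keys).

```python
# Decoder for the krb5Key values shown in the ApacheDS log above. Added
# example, not ApacheDS code. Each krb5Key is a DER-encoded EncryptionKey:
#   SEQUENCE { [0] keytype Int32, [1] keyvalue OCTET STRING }
# Header bytes match the log; key bytes are constructed filler, not real keys.

ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1-kd", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KEY_LEN = {1: 8, 2: 8, 3: 8, 16: 24, 17: 16, 18: 32, 23: 16}


def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N, then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_krb5key(der):
    """Return (etype, etype name, key bytes); raise ValueError if malformed."""
    tag, seq, end = _tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("krb5Key is not a single DER SEQUENCE")
    t0, ctx0, p = _tlv(seq)                 # [0] EXPLICIT keytype
    t1, ctx1, _ = _tlv(seq, p)              # [1] EXPLICIT keyvalue
    itag, etype_bytes, _ = _tlv(ctx0)
    otag, key, _ = _tlv(ctx1)
    if (t0, t1, itag, otag) != (0xA0, 0xA1, 0x02, 0x04):
        raise ValueError("unexpected tags inside EncryptionKey")
    etype = int.from_bytes(etype_bytes, "big", signed=True)
    if len(key) != KEY_LEN.get(etype):      # wrong size: corrupt or unknown etype
        raise ValueError(f"etype {etype}: {len(key)}-byte key, expected {KEY_LEN.get(etype)}")
    return etype, ETYPES[etype], key


def build_krb5key(etype, key):
    """Encoder (inverse of decode_krb5key), used to construct the samples."""
    kt = bytes([0x02, 0x01, etype])
    kv = bytes([0x04, len(key)]) + key
    body = bytes([0xA0, len(kt)]) + kt + bytes([0xA1, len(kv)]) + kv
    return bytes([0x30, len(body)]) + body


def etypes_present(values):
    """Etype numbers a principal holds keys for: an audit of stored keys."""
    return sorted(decode_krb5key(v)[0] for v in values)


# Constructed sample entry: the same five etypes hnelson has in the log.
SAMPLE_KEYS = [build_krb5key(e, bytes([e]) * KEY_LEN[e]) for e in (3, 23, 16, 17, 18)]
```

Running `etypes_present` over a principal's krb5Key values shows which encryption types the KDC can actually serve for it; a rejected value means the stored key is corrupt or of an unknown etype.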

