Kerberos cheat sheet
Article ID: 294871

Products

Services Suite

Issue/Introduction

This article lists common commands for Kerberos (MIT krb5) administration. The platform used for the examples is CentOS 6.

Environment


Resolution

1. Install the packages:

yum install krb5-libs krb5-workstation krb5-server 

2. Refer to the configuration files below (default locations for Pivotal HD):

KDC configuration on KDC host

/var/kerberos/krb5kdc/kdc.conf

Kerberos configuration on all hosts

/etc/krb5.conf

kadmind ACL on KDC host

/var/kerberos/krb5kdc/kadm5.acl

3. kdb5_util allows an administrator to perform maintenance procedures on the KDC database.

a. Back up the KDC database.
[root@admin]# kdb5_util dump -verbose /backup/kdc.dump
HTTP/[email protected]
HTTP/[email protected]
HTTP/[email protected]

b. Then use "strings" to check the content of the dump file.

strings /backup/kdc.dump

c. Restore the KDC Database.

kdb5_util load /backup/kdc.dump

d. Add a new master key to the master key principal, without marking it as active.

[root@admin]# kdb5_util add_mkey
Creating new master key for master key principal 'K/[email protected]'
You will be prompted for a new database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

e. List all master keys in the master key principal, from most recent to earliest.

[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/[email protected]
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969 *

f. Activate the new master key. Once a master key becomes active, it is used to encrypt newly created principal keys.

kdb5_util use_mkey mkeyVNO [time]

Example:

[root@admin]# kdb5_util use_mkey 2
[root@admin]# kdb5_util list_mkeys
Master keys for Principal: K/[email protected]
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Tue Jun 10 15:39:01 PDT 2014 *
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969

g. Re-encrypt all principal keys under the new master key. update_princ_encryption updates all principal records (or only those matching the princ-pattern glob pattern) so that their key data is re-encrypted with the active database master key, if it is currently encrypted with a different master key version, and reports at the end how many principals were updated.

Do a dry run first:
[root@admin]# kdb5_util update_princ_encryption -v -n
Principals whose keys WOULD BE re-encrypted to master key vno 2:
would update: HTTP/[email protected]
(......)
would update: yarn/[email protected]
22 principals processed: 22 would be updated, 0 already current

Then run it:
[root@admin]# kdb5_util update_princ_encryption -v
Re-encrypt all keys not using master key vno 2?
(type 'yes' to confirm)? yes
Principals whose keys are being re-encrypted to master key vno 2 if necessary:
updating: HTTP/[email protected]
skipping: HTTP/[email protected]
updating: HTTP/[email protected]
(......)
23 principals processed: 22 updated, 1 already current

h. Create the stash file for the new master key, replacing the existing one.

[root@admin]# kdb5_util stash /var/kerberos/krb5kdc/.k5.VIADEA.COM
Using existing stashed keys to update stash file.

i. Delete old master keys. purge_mkeys removes master keys from the master key principal that are no longer used to protect any principal.

Do a dry run first:
[root@admin]# kdb5_util purge_mkeys -v -n
Would purge the follwing master key(s) from K/[email protected]:
KVNO: 1
1 key(s) would be purged.

Then run it:
[root@admin]# kdb5_util purge_mkeys -v
Will purge all unused master keys stored in the 'K/[email protected]' principal, are you sure?
(type 'yes' to confirm)? yes
OK, purging unused master keys from 'K/[email protected]'...
Purging the follwing master key(s) from K/[email protected]:
KVNO: 1
1 key(s) purged.

j. Create a new database.

kdb5_util create -s

k. Destroy a database.

kdb5_util destroy
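The master key rollover in section 3 (add_mkey, use_mkey, update_princ_encryption, stash, purge_mkeys) is easy to get wrong if the old key is purged while principals or the stash file still depend on it. The script below is an added example, not from this article: it runs the steps in order and refuses to purge until the new key is confirmed active and the dry run reports nothing left to re-encrypt. The kdb5_util subcommands and flags are MIT krb5's; the parsing helpers, the realm argument and the sample output are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the KB article): run the master key rollover of steps d to i
# in order, and refuse to purge the old master key until the new key is confirmed
# active and no principal is still encrypted under an old one. The kdb5_util
# subcommands and flags are MIT krb5's; the parsing helpers, REALM argument and
# sample output below are this example's own assumptions.

# KVNO flagged active (trailing '*') in `kdb5_util list_mkeys` output (stdin).
active_mkey_vno() {
  awk '$1 == "KNVO:" && $NF == "*" { sub(/,$/, "", $2); print $2; exit }'
}

# Newest KVNO in `kdb5_util list_mkeys` output (stdin); keys are listed newest first.
newest_mkey_vno() {
  awk '$1 == "KNVO:" { sub(/,$/, "", $2); print $2; exit }'
}

# Number still to re-encrypt, from the summary line of `update_princ_encryption -v -n`
# ("N principals processed: M would be updated, K already current").
pending_reencrypt() {
  awk '$2 == "principals" && $3 == "processed:" { print $4 }'
}

rotate_master_key() {  # $1 = realm, e.g. VIADEA.COM
  realm=$1
  backup=/backup/kdc-$(date +%Y%m%d%H%M%S).dump
  kdb5_util dump -verbose "$backup" >/dev/null || return 1    # back up before touching keys
  kdb5_util add_mkey || return 1                              # new master key, not yet active
  new=$(kdb5_util list_mkeys | newest_mkey_vno)
  kdb5_util use_mkey "$new" || return 1                       # activate it
  [ "$(kdb5_util list_mkeys | active_mkey_vno)" = "$new" ] || return 1
  kdb5_util update_princ_encryption -f -v || return 1         # re-encrypt principal keys (-f: no prompt)
  left=$(kdb5_util update_princ_encryption -v -n | pending_reencrypt)
  [ "$left" = 0 ] || { echo "$left principal(s) still use an old master key; not purging" >&2; return 1; }
  kdb5_util stash "/var/kerberos/krb5kdc/.k5.$realm" || return 1   # refresh the stash file
  kdb5_util purge_mkeys -f -v                                 # old key now protects nothing
}

# Constructed sample of `kdb5_util list_mkeys` output in the article's format:
# kvno 2 has been added but kvno 1 is still the active key.
SAMPLE_MKEYS='Master keys for Principal: K/M@VIADEA.COM
KNVO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KNVO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Dec 31 16:00:00 PST 1969 *'

printf '%s\n' "$SAMPLE_MKEYS" | active_mkey_vno   # 1
printf '%s\n' "$SAMPLE_MKEYS" | newest_mkey_vno   # 2
if [ $# -gt 0 ]; then rotate_master_key "$1"; fi  # a real run needs root on the KDC host
```

Without an argument the script only exercises the parsers on the sample output; pass the realm name on the KDC host to perform the rollover.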

4. Principal administration:

List principals:

kadmin.local: list_principals yarn*
yarn/[email protected]
yarn/[email protected]
yarn/[email protected]
yarn/[email protected]

Viewing a principal's attributes:

kadmin.local: getprinc yarn/hdm.xxx.com
Principal: yarn/[email protected]
Expiration date: [never]
Last password change: Sat Jun 07 14:49:36 PDT 2014
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Jun 10 15:49:49 PDT 2014 (K/[email protected])
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, aes256-cts-hmac-sha1-96, no salt
Key: vno 1, aes128-cts-hmac-sha1-96, no salt
Key: vno 1, des3-cbc-sha1, no salt
Key: vno 1, arcfour-hmac, no salt
Key: vno 1, des-hmac-sha1, no salt
Key: vno 1, des-cbc-md5, no salt
MKey: vno 2
Attributes:
Policy: [none]

Creating a new Principal:

kadmin.local: addprinc mysuperman/[email protected]
WARNING: no policy specified for mysuperman/[email protected]; defaulting to no policy
Enter password for principal "mysuperman/[email protected]":
Re-enter password for principal "mysuperman/[email protected]":
Principal "mysuperman/[email protected]" created.

Changing the password for a principal:

kadmin.local: cpw [email protected]
Enter password for principal "[email protected]":
Re-enter password for principal "[email protected]":
Password for "[email protected]" changed.

Alternatively, you can use kpasswd:

[root@admin ~]# kpasswd duncan2
Password for [email protected]:
Enter new password:
Enter it again:

Delete a principal:

kadmin.local: delete_principal testuser
Are you sure you want to delete the principal "[email protected]"? (yes/no): yes
Principal "[email protected]" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

Rename a principal:

kadmin.local: rename_principal duncan duncan2
Are you sure you want to rename the principal "[email protected]" to "[email protected]"? (yes/no): yes
Principal "[email protected]" renamed to "[email protected]".
Make sure that you have removed the old principal from all ACLs before reusing.

Modify a principal to use policy:

kadmin.local:  modify_principal -policy testpolicy duncan2
Principal "[email protected]" modified.

Unlock a principal:

kadmin.local: modify_principal -unlock duncan2
Principal "[email protected]" modified. 

5. Policy administration:

Create a policy:

kadmin.local: add_policy -minlength 5 -maxlife "999 days" -maxfailure 3 testpolicy

List policies:

kadmin.local: list_policies
testpolicy

Modifying a Policy:

kadmin.local: modify_policy -minlength 3 testpolicy

Viewing a policy's attributes:

kadmin.local:  get_policy testpolicy
Policy: testpolicy
Maximum password life: 86313600
Minimum password life: 0
Minimum password length: 3
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 0
Maximum password failures before lockout: 3
Password failure count reset interval: 0 days 00:00:00
Password lockout duration: 0 days 00:00:00

Deleting a policy:

kadmin.local: delete_policy testpolicy

6. Keytab administration:

Add principals to a keytab:

kadmin.local: ktadd -norandkey -k /tmp/tmp.keytab [email protected]
Entry for principal [email protected] with kvno 1, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1, encryption type des3-cbc-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1, encryption type arcfour-hmac added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1, encryption type des-hmac-sha1 added to keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1, encryption type des-cbc-md5 added to keytab WRFILE:/tmp/tmp.keytab.

Display the key list (principals) in a keytab file:

[root@admin ~]# klist -kt /tmp/tmp.keytab
Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 [email protected]
   1 06/10/14 22:08:00 [email protected]
   1 06/10/14 22:08:00 [email protected]
   1 06/10/14 22:08:00 [email protected]
   1 06/10/14 22:08:00 [email protected]
   1 06/10/14 22:08:00 [email protected]

Remove a principal's keys from a keytab file:

kadmin.local:  ktremove -k /tmp/tmp.keytab [email protected]
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.
Entry for principal [email protected] with kvno 1 removed from keytab WRFILE:/tmp/tmp.keytab.

Authenticate using a keytab:

kinit -kt /etc/security/phd/keytab/hdfs.service.keytab hdfs/[email protected]
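A keytab stops working when the kvno of its entries no longer matches the principal's current keys on the KDC, which happens after cpw, or after a ktadd without -norandkey, regenerates the key. The script below is an added example, not from this article: it compares the kvno shown by klist with the "Key: vno" lines from getprinc, and also lists the deprecated enctypes (single DES, triple DES, RC4) present in a keytab. It parses the text of `klist -kte` (the -e option adds the enctype of each entry) and `kadmin.local getprinc`; the helper names and sample data are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the KB article): check a keytab against the KDC before
# relying on it for kinit -kt. Inputs are the texts of `klist -kte` and
# `kadmin.local getprinc`; helper names and sample data are constructed here.

# Highest kvno for principal $1 in `klist -kte` output (stdin).
# Data rows start with a numeric KVNO; the principal is the fourth field.
keytab_kvno() {
  awk -v p="$1" '$1 ~ /^[0-9]+$/ && $4 == p { if ($1+0 > m) m = $1+0 } END { print m+0 }'
}

# Highest "Key: vno N" in `kadmin.local getprinc` output (stdin).
kdc_kvno() {
  awk '$1 == "Key:" && $2 == "vno" { sub(/,$/, "", $3); if ($3+0 > m) m = $3+0 } END { print m+0 }'
}

# Deprecated enctypes (single DES, triple DES, RC4) in `klist -kte` output, one per line.
weak_keytab_enctypes() {
  awk '$1 ~ /^[0-9]+$/ { e = $5; gsub(/[()]/, "", e); if (e ~ /^(des-|des3-|arcfour-)/) print e }' | sort -u
}

# Succeeds when the keytab's kvno for principal $1 matches the KDC's.
# $2 = klist -kte text, $3 = getprinc text.
keytab_matches_kdc() {
  kt=$(printf '%s\n' "$2" | keytab_kvno "$1")
  kdc=$(printf '%s\n' "$3" | kdc_kvno)
  [ "$kt" -gt 0 ] && [ "$kt" -eq "$kdc" ]
}

# Constructed samples in the article's output format: the keytab was written at
# kvno 1, but the principal's password has since been changed (kvno 2).
SAMPLE_KLIST='Keytab name: FILE:/tmp/tmp.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (aes256-cts-hmac-sha1-96)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (arcfour-hmac)
   1 06/10/14 22:08:00 duncan2@VIADEA.COM (des-cbc-md5)'
SAMPLE_GETPRINC='Principal: duncan2@VIADEA.COM
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha1-96, no salt
Key: vno 2, aes128-cts-hmac-sha1-96, no salt
MKey: vno 2'

if keytab_matches_kdc duncan2@VIADEA.COM "$SAMPLE_KLIST" "$SAMPLE_GETPRINC"; then
  echo "keytab is current"
else
  echo "keytab is stale: re-run ktadd for this principal"   # printed for the sample: kvno 1 vs 2
fi
printf '%s\n' "$SAMPLE_KLIST" | weak_keytab_enctypes   # arcfour-hmac, des-cbc-md5
```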

7. Credential cache administration:

List principals in the credential cache:

[root@admin ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]
Valid starting     Expires            Service principal
06/10/14 22:24:22  06/11/14 22:24:22  krbtgt/[email protected]
 renew until 06/17/14 22:24:22

Destroy the credential cache:

Note: this destroys only the credential cache of the user running kdestroy.

[testuser@admin ~]$ ls -altr /tmp/krb5*
-rw-------. 1 root     root     741 Jun 10 22:24 /tmp/krb5cc_0
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# kdestroy
[root@admin ~]# ls -altr /tmp/krb*
-rw-------. 1 testuser testuser 758 Jun 10 22:36 /tmp/krb5cc_501
[root@admin ~]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)

8. Kerberos services:

KDC service:

/etc/init.d/krb5kdc start

kadmin service:

/etc/init.d/kadmin start