[39305] in Kerberos


Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

daemon@ATHENA.MIT.EDU (Jonathan Calmels via Kerberos)
Thu Nov 9 05:55:12 2023

To: Jeffrey Hutzelman <jhutz@cmu.edu>, Greg Hudson <ghudson@mit.edu>
Date: Thu, 9 Nov 2023 09:05:19 +0000
Message-ID: <BYAPR12MB288836425E0CEEFBB8509607BBAFA@BYAPR12MB2888.namprd12.prod.outlook.com>
In-Reply-To: <CALF+FNzsG3Q=w0+KZYHurgDjiNRg252ar6pCa_5=H8kDjAynWA@mail.gmail.com>
Content-Language: en-US
MIME-Version: 1.0
From: Jonathan Calmels via Kerberos <kerberos@mit.edu>
Reply-To: Jonathan Calmels <jcalmels@nvidia.com>
Cc: Jonathan Calmels via Kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

I finally had some time to implement this so here is the link if someone's interested: https://github.com/NVIDIA/sybil

This is a PoC which essentially does what was suggested in this thread. The service can forge TGTs or cross-realm TGTs, although I found the latter less useful since most tools can't deal with those on their own.

I'm sure this can be improved further, but it seems to do the job for the scenario I described initially.

Hopefully, somebody finds it useful. Also, contributions are welcome if somebody has a slightly different use case in mind.

________________________________
From: Jeffrey Hutzelman <jhutz@cmu.edu>
Sent: Friday, October 28, 2022 5:30:41 AM
To: Greg Hudson <ghudson@mit.edu>
Cc: Russ Allbery <eagle@eyrie.org>; Jonathan Calmels via Kerberos <kerberos@mit.edu>; Jonathan Calmels <jcalmels@nvidia.com>
Subject: Re: Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)


Ah, I didn't realize MIT Kerberos had grown the "KDB" keytab method. That's similar to Jonathan's idea of using the kadmin libraries to extract the client's key from the kdb, but it doesn't require wiring up custom code. It does require colocating with a KDC, but I agree with Russ; it's probably best to do that anyway.

-- Jeff

On Fri, Oct 28, 2022, 00:06 Greg Hudson <ghudson@mit.edu> wrote:
On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> You don't need libkadm5 for any of this -- all you need to print a service
> ticket (even a TGT) is the service's key. Heimdal comes with a program,
> kimpersonate, which does this and could easily be used as a basis for your
> impersonation service.

MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC
is still in the loop, but no password or keytab for the user is
required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
