Playground II

This lesson demonstrates creating keytabs and using the kadmin utility.

In this lesson, we’ll see how we can create keytabs and use kadmin to make KDC database changes. The detailed commands to execute and the terminal to execute them appear below, followed by a discussion of the exercise.

# Get latest packages
apt-get update
# installing Kerberos server
apt install krb5-kdc krb5-admin-server krb5-config -y
# Enter the following string (or any of your choice) when
# prompted for 'Default Kerberos version 5 realm'
DATAJEK
# Enter localhost when prompted for 'Kerberos servers for your realm'
localhost
# Enter localhost when prompted for 'Administrative server for your Kerberos realm'
localhost
# Initialize the realm we created and then enter a suitable password when prompted
krb5_newrealm
# Now install the client packages for interacting with the KDC
apt install -y krb5-user libpam-krb5 libpam-ccreds auth-client-config
# Set the following environment variable so that we see detailed outputs
export KRB5_TRACE=/dev/stdout
# Start the kadmin console
kadmin.local
# Add the user principal laila
kadmin: add_principal laila/educative
# Quit the kadmin console
kadmin: quit
###################
# CREATING KEYTAB #
###################
# Start ktutil console
ktutil
# Add an entry
ktutil: add_entry -password -p laila/educative -k 1 -e aes256-cts
# Export the keytab to disk
ktutil: wkt /tmp/laila.keytab
# Exit ktutil console
ktutil: quit
# Verify the keytab has been created
ls -ltr /tmp/laila.keytab
# Examine the keytab: lists each principal, its kvno and encryption type
klist -ekt /tmp/laila.keytab
# Use the created keytab file to authenticate to Kerberos without a password
kinit -V -k -t /tmp/laila.keytab laila/educative@DATAJEK
###################
#  USING KADMIN   #
###################
# Modify ACL
vim /etc/krb5kdc/kadm5.acl
# At the bottom of the file add the following line and save
laila/educative@DATAJEK *
# Press the ESC key, then save and quit vim by entering the following sequence and hitting enter
:wq!
# Run the kadmind server
/etc/init.d/krb5-admin-server restart
# Connect to the kadmind server using the principal we created earlier
kadmin -p laila/educative
# List principals to verify we are connected to kadmind and able to execute commands
kadmin: list_principals
# Exit the kadmin console
kadmin: quit

ktutil - Exporting creds to Keytab file

Using ktutil

We can export the Kerberos credentials to a keytab file (short for key table). A keytab is a file containing pairs of Kerberos principals and their keys, which are derived from the principal's Kerberos password. A keytab file lets a client authenticate to remote systems using Kerberos without entering a password. We’ll use the ktutil utility to create the keytab for the user Laila. The sequence of commands to do so is shown below:

ktutil

ktutil: add_entry -password -p
...