-
Notifications
You must be signed in to change notification settings - Fork 5
/
README
194 lines (141 loc) · 5.34 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
Kerberos Challenge Response Authentication Protocol [KCRAP]
Version 0.4.0
Authors:
Jonathan Chen <kcrap+web@spock.org>
Dan Fuhry <dan@fuhry.com>
Building and installing KCRAP
-----------------------------
1) Extract the KCRAP distribution file
2) Run configure:
./configure [arguments]
Configure arguments of note:
--with-server
Enable building of KCRAP server (see note on --with-mit-krb5-src)
--with-mit-krb5-src=PATH
Location of MIT KerberosV source code (recommended when building
server.) KCRAP will want to use kdb.h from this location in the
server code. KCRAP also ships with a "stub" version of kdb.h from
MIT Kerberos versions 1.4.4 and 1.6.2. It will try to determine
the correct version to use, but you should specify the correct
path of kdb.h from your Kerberos build in order to ensure
compatibility.
IMPORTANT:
KCRAP server will not be built unless it finds a usable kdb.h.
You mist specify either --with-mit-krb5-src=PATH to use the one
shipped with your KerberosV version, or use --with-server without
specifying --with-mit-krb5-src=PATH if you want to use the one
shipped with KCRAP.
3) Build KCRAP:
make all
4) Install KCRAP:
make install
Configuring KCRAP Server
------------------------
KCRAP server requires a configuration file to run. A sample configuration
file is included in server/kcrap_server.conf. Its syntax is similar to
the kdc configuration.
Example:
[kcrap_server]
# port (required) specifies the port KCRAP listens on
port = 89
# realm (required) specifies the realm used for communication
# security and authentication
# only one realm is currently supported
realm = EXAMPLE.COM
# realm specification (optional) is similar to that of kdc.conf.
[realms]
EXAMPLE.COM = {
database_name = /var/krb5kdc/EXAMPLE.COM/principal
key_stash_file = /var/krb5kdc/EXAMPLE.COM/.k5.EXAMPLE.COM
}
If you use another database module such as kldap, copy the [dbmodules] section
from your kdc.conf, or just place the [kcrap_server] section into kdc.conf and
modify your startup/init script to pass "-f" followed by the path to kdc.conf
when starting kcrap_server.
NOTE:
Be sure to omit the "database_name" key from your configuration file if
you are using kldap.
IMPORTANT:
In order to authenticate with the NTLM family of challenge response
protocols, you must have NTLM password hashes stored in your
Kerberos database. Make sure you have "arcfour-hmac:normal"
specified specified as a supported encryption type in your kdc.conf.
Your users will also need to change their password after you
have added any encryption types.
Configuring KCRAP Library
-------------------------
You must specify the KCRAP server for each realm in your krb5.conf file.
For each KCRAP server, put a line in your krb5.conf file under the correct
realm:
kcrap = kdc.example.com:89
Example:
[realms]
EXAMPLE.COM = {
kdc = kdc1.example.com:88
kcrap = kdc1.example.com:89
kdc = kdc2.example.com:88
kcrap = kdc2.example.com:89
kdc = kdc3.example.com:88
kcrap = kdc3.example.com:89
admin_server = kdc1.example.com:749
default_domain = example.com
}
Testing your KCRAP setup
------------------------
KCRAP ships with test clients for each challenge/response protocol that it
supports. To test:
1) Create in your Kerberos database a test account:
USERNAME: user
PASSWORD: SecREt01
2) Run each test in the test directory. Tests should respond with the
output: "Authentication OK"
3) Probably a good idea to delete your test account now.
Getting your services to work with KCRAP
----------------------------------------
Patches to get KCRAP working with some programs can be found at:
http://www.spock.org/kcrap/
The C API for KCRAP is fairly simple:
1) Obtain KCRAP context:
struct kcrap_context *kcontext =kcrap_init(char* keytab, char* service);
Arguments:
keytab: location of keytab file, or NULL for default
service: service name of principal, or NULL for "host"
Returns:
kcrap_context, or NULL on error. errno is set on error.
2) Fill out request structure
struct kcrap_auth_req_data req;
bzero(req, sizeof(req));
req.chal_type.data = "NTLM"
req.chal_type.length = 4;
[...]
There is no need to fill out pkt_type
timestamp and nonce will be filled automatically if they are 0.
For NTLM:
alt_username is not used
either server_challenge or client_challenge contains the challenge
response contains the NTLM response
For NTLM2:
alt_username is the NT domain name
server_challenge is the (8-byte) server generated challenge
client_challenge is the client generated blob
response contains the 16-byte MD5 hash response
For NTLM2S:
alt_username is not used
server_challenge is the (8-byte) server generated challenge
client_challenge is the (8-byte) client generated blob
response contains the 24-byte response
3) Request authentication
int retval = kcrap_try((struct kcrap_context *kcontext, struct kcrap_auth_req_data *req, int *auth_status);
Arguments:
kcontext: context from kcrap_init
req: request structure
auth_status: status of authentication (bitwise OR):
0 - failed
KCRAP_AUTH_OK - authentication successful
KCRAP_AUTH_COOKIE_OK - server_challenge_cookie check OK
Returns:
0 if no error, or errno.
4) Destroy context
kcrap_free(struct kcrap_context *kcontext);
a) Error messages:
kcrap_errmsg() will return the latest error message.