
I was wondering if there was a way to generate my own keytab in Java without going to the KDC? I found code similar to this in an ApacheDS test:

    // Imports as laid out in ApacheDS 2.0 (apacheds-kerberos-codec / shared-kerberos-codec);
    // 1.5.x kept KerberosTime, EncryptionKey and EncryptionType under
    // org.apache.directory.server.kerberos.shared.messages.value instead.
    import java.io.File;
    import java.util.Arrays;
    import java.util.List;
    import java.util.Map;

    import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
    import org.apache.directory.server.kerberos.shared.keytab.Keytab;
    import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
    import org.apache.directory.shared.kerberos.KerberosTime;
    import org.apache.directory.shared.kerberos.KerberosUtils;
    import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
    import org.apache.directory.shared.kerberos.components.EncryptionKey;

    // principalName (String), userPassword (String) and keytabFile (File)
    // are the inputs of the enclosing method
    Keytab keytab = Keytab.getInstance();
    KerberosTime timeStamp = new KerberosTime(KerberosUtils.UTC_DATE_FORMAT.parse("20070217235745Z"));

    // string-to-key for every enctype the factory supports, derived from the password
    Map<EncryptionType, EncryptionKey> keys = KerberosKeyFactory
        .getKerberosKeys(principalName, userPassword);

    KeytabEntry keytabEntry = new KeytabEntry(
        principalName,
        1L,                 // principal name type (KRB5_NT_PRINCIPAL)
        timeStamp,
        (byte) 0,           // key version number (kvno)
        keys.get(EncryptionType.DES_CBC_MD5));

    List<KeytabEntry> entry = Arrays.asList(keytabEntry);

    keytab.setEntries(entry);

    keytab.write(keytabFile);

    return keytabFile;

I'm able to run klist on a keytab that I create:

    Vno  Type         Principal                  Date        Aliases
    0    des-cbc-md5  ssh/localhost@EXAMPLE.COM  2007-02-17

Also, if this is not possible, is there a way to programmatically get a keytab using ApacheDS or any other java library?

jclum

3 Answers

1

You have to have 3 things in a keytab for each enctype stored in the KDC for the principal.

  1. The principal name

  2. The key value

  3. The key version number

The first two you can recreate if you know the password for the principal; however, the last requires that you contact the KDC. You also need to use the password to create all the enctypes that are in the KDC. What you want to do is theoretically possible, but in practice it's very difficult to achieve. If you use kvno = 0 in the keytab, that means "try this key against any version number" and that might get you around most of the problems.

What might be achievable with just the principal and password is to "bootstrap" the process. If you can get a keytab with at least one working key, you should be able to use that keytab to "update" the keytab with new versions of all the keys from the KDC using system utilities such as ktutil.

As a side note: des-cbc-md5 should not be used as an enctype if at all possible; it can be brute-force cracked with very moderate hardware resources these days.

Unfortunately, the kadmin protocols to download keytabs vary between versions of Kerberos and I don't know if any of them have Java APIs.
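
An added example (my code, not code from the question or from ApacheDS) that puts the three pieces the answer lists into one writer: it derives keys for every enctype `KerberosKeyFactory` returns, drops DES, and takes the kvno as a parameter, so you can pass either the value obtained from the KDC or the "try against any version" value 0. Assumed: the ApacheDS 2.0 package layout (`org.apache.directory.shared.kerberos.*` and `org.apache.directory.server.kerberos.shared.*`), that the KDC stored the principal with the default salt (realm plus name components, which is what the factory derives with), and the class name `OfflineKeytabWriter`, which is mine.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Map;

import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.codec.types.EncryptionType;
import org.apache.directory.shared.kerberos.components.EncryptionKey;

/**
 * Writes a keytab for one principal from its password without talking to the KDC.
 * Package names are those of ApacheDS 2.0 (assumption: adjust for other versions).
 */
public class OfflineKeytabWriter {

    /** Enctypes worth shipping; DES is deliberately left out. */
    private static final EncryptionType[] STRONG_ENCTYPES = {
        EncryptionType.AES256_CTS_HMAC_SHA1_96,
        EncryptionType.AES128_CTS_HMAC_SHA1_96,
    };

    /**
     * @param kvno the key version number the KDC holds for the principal,
     *             or 0 to mean "try this key against any version number".
     */
    public static File write(String principalName, String password, int kvno, File keytabFile)
            throws IOException {
        if (kvno < 0 || kvno > 255) {
            // KeytabEntry carries the kvno as a single byte
            throw new IllegalArgumentException("kvno must fit in one byte: " + kvno);
        }

        // String-to-key for each enctype the factory knows, salted with the
        // default salt (realm + name components). Only principals the KDC
        // created with that salt will accept these keys.
        Map<EncryptionType, EncryptionKey> keys =
            KerberosKeyFactory.getKerberosKeys(principalName, password);

        KerberosTime now = new KerberosTime(new Date());
        List<KeytabEntry> entries = new ArrayList<KeytabEntry>();
        for (EncryptionType etype : STRONG_ENCTYPES) {
            EncryptionKey key = keys.get(etype);
            if (key == null) {
                // the factory silently skips enctypes the JVM cannot do
                // (e.g. AES-256 without the unlimited-strength policy on old JDKs)
                continue;
            }
            // 1L = KRB5_NT_PRINCIPAL name type
            entries.add(new KeytabEntry(principalName, 1L, now, (byte) kvno, key));
        }
        if (entries.isEmpty()) {
            throw new IllegalStateException("no usable enctype for " + principalName);
        }

        Keytab keytab = Keytab.getInstance();
        keytab.setEntries(entries);
        keytab.write(keytabFile);
        return keytabFile;
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 4) {
            System.err.println("usage: OfflineKeytabWriter <principal> <password> <kvno> <out.keytab>");
            System.exit(2);
        }
        File out = write(args[0], args[1], Integer.parseInt(args[2]), new File(args[3]));
        System.out.println("wrote " + out + "; list with: klist -e -k -t " + out);
    }
}
```

`klist -e -k -t` only shows what was written. Whether the keys are the ones the KDC has is proven solely by `kinit -k -t out.keytab principal` against the real KDC: a different salt or a kvno other than the one the KDC holds produces a keytab that lists fine and fails at authentication.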

0

Java has a KeyTab class, which you may use to read keytabs and keytab entries: http://docs.oracle.com/javase/7/docs/api/javax/security/auth/kerberos/KeyTab.html

If you want to create a keytab, there's a command-line tool for creating keytabs. It doesn't need a connection to the KDC (for example: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/ktab.html).

greenmarker
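
An added example (mine, not from the answer or from the JDK documentation) of what the `javax.security.auth.kerberos.KeyTab` API the answer links to gives you once a keytab exists, whichever tool wrote it: it lists every key stored for a principal with its enctype and kvno, and checks the key bytes against the key the JDK derives from the password for that enctype. Assumed: the class name `KeytabCheck`, and the `ktab` command in the header comment, which uses the JDK tool the answer links to with a made-up principal and password.

```java
import java.io.File;
import java.util.Arrays;

import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KeyTab;

/**
 * Lists the keys a keytab holds for one principal and checks each against the
 * key the JDK derives from the password (default salt: realm + name components).
 * A keytab to test with can be produced offline by the JDK's own tool, e.g.
 *   ktab -a ssh/localhost@EXAMPLE.COM secret -k test.keytab
 * (principal and password above are made up for this example).
 */
public class KeytabCheck {

    /** Returns how many stored keys match the password-derived key. */
    public static int check(File keytabFile, String principalName, char[] password) {
        if (!keytabFile.isFile()) {
            throw new IllegalArgumentException("no such keytab: " + keytabFile);
        }
        KerberosPrincipal principal = new KerberosPrincipal(principalName);
        // KeyTab.getInstance(File) exists since Java 7; getKeys() returns an
        // empty array, not null, when the principal is absent from the file.
        KeyTab keytab = KeyTab.getInstance(keytabFile);
        KerberosKey[] stored = keytab.getKeys(principal);
        if (stored.length == 0) {
            System.out.println("no keys for " + principalName + " in " + keytabFile);
            return 0;
        }

        int matching = 0;
        for (KerberosKey k : stored) {
            // kvno 0 in a keytab means "try this key against any version number"
            String kvno = k.getVersionNumber() == 0 ? "any" : Integer.toString(k.getVersionNumber());
            boolean ok;
            try {
                // the same string-to-key a JDK client would run for this enctype
                KerberosKey expected = new KerberosKey(principal, password, k.getAlgorithm());
                ok = Arrays.equals(k.getEncoded(), expected.getEncoded());
            } catch (IllegalArgumentException e) {
                // enctype not enabled in this JDK (e.g. DES without allow_weak_crypto)
                ok = false;
            }
            System.out.printf("etype %d (%s) kvno %s: %s%n",
                k.getKeyType(), k.getAlgorithm(), kvno,
                ok ? "matches password" : "does not match password");
            if (ok) {
                matching++;
            }
        }
        return matching;
    }

    public static void main(String[] args) {
        if (args.length != 3) {
            System.err.println("usage: KeytabCheck <keytab> <principal> <password>");
            System.exit(2);
        }
        int n = check(new File(args[0]), args[1], args[2].toCharArray());
        System.exit(n > 0 ? 0 : 1);
    }
}
```

A match here proves only that the file round-trips and that the writer used the same string-to-key and salt as the JDK; it says nothing about the kvno the KDC holds, which is why a kvno of 0 is printed as "any".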
0

I know the question is Java-specific, but here's an example in Python, and since it just calls the ktutil tool to create the keytab, it should be easy to adapt to other languages too:

https://github.com/Tagar/stuff/blob/master/keytab.py

Hope this helps.

Tagar