43

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how to do this, though.

Can I enter the password for kinit without it prompting me?

For example currently:

If I type in:

$ kinit test@REALM

I get response:

test@REALM's password: 

and I have to enter the password. Is there any way I can input something like kinit test@REALM password so it doesn't prompt me?

slm
user754905
  • I came to this because I was looking for a way to save my password for easier kiniting. For that, the solution is `kinit --keychain`, and then you only have to type your password once. – itsmichaelwang Mar 28 '18 at 02:29
  • For me the following worked on Hortonworks (HDP): `ktutil`, then `addent -password -p username@somedomain.com -k 1 -e rc4-hmac` (prompt: `Password for username@somedomain.com:`), then `wkt username.keytab` and `quit` – RajashekharC Jul 03 '23 at 23:43

6 Answers

87

Also you can

$ echo 'password' | kinit username
slm
user2939990
  • The hacker's approach. – HorseloverFat Jan 16 '15 at 10:48
  • Worked for me. Thanks. – neverwinter Mar 02 '16 at 14:15
  • On CentOS 7 I had to use single quotes `'` instead of `"` around the password and ensure the Active Directory domain/Kerberos realm was capitalized to get this to work. – Chris Magnuson Oct 10 '17 at 19:56
  • This doesn't work for OS X FWIW (which requires a secure password entry https://apple.stackexchange.com/q/79986/25085), but you can store your password in the keychain and use it with kinit, see https://superuser.com/q/360262/39364 – rogerdpack Feb 02 '18 at 19:41
  • In bash I prefer `kinit username <<<'password'` which prevents the value from showing up when `set -x` is enabled. – bdrx Jun 02 '20 at 21:20
  • This is a MUCH better answer than the keytab approach, which is quite confusing. Very straight-forward. – Adrian Keister Sep 04 '20 at 15:04
  • This puts your password in plaintext in your shell's history file, which is a really bad idea. – Paul Price Sep 29 '20 at 17:15
  • This would only put your password in your shell's history file if it was executed _from_ the shell. It does warrant a warning, but really, who would add all those extra characters in a shell command? The OP is surely asking because they want a way to do it in a script. – Auspex Nov 09 '20 at 20:34
  • This would also make the password available to kaudit subscribers and then possibly disseminate it throughout any security logging infrastructure. Very poor security hygiene. – Djarid Feb 17 '22 at 13:08
  • The fact that this is the most upvoted answer is alarming. – Ole Morud Jun 26 '23 at 12:48
19

Use a keytab for that principal!

In detail: how do I create a service keytab?

There are multiple ways, but I will assume the following: you are running Active Directory as your KDC implementation, your backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc., and you also have MIT Kerberos or Heimdal installed with krb5.conf properly configured.

Install msktutil(1) via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.

Now run msktutil:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
  --old-account-password <password> --dont-change-password --keytab <path>

Replace samAccountName and password with your data. Leave out dont-change-password if you are fine with autogenerated passwords. Adjust path to where you want to store the keytab file.

Sample run:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
>   --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
 -- execute: Skipping creation of new password
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
 -- validate: Found DC: dc01.ad.example.com. Checking availability...
 -- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: uawet8er
 -- try_machine_password: Trying to authenticate for uawet8er with password
 -- create_default_machine_password: Default machine password for uawet8er is uawet8er
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
 -- try_machine_password: Authentication with password failed
 -- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
 -- finalize_exec: Authenticated using method 6
 -- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: uawet8er@AD.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
 -- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
 -- ldap_check_account: Checking that a service account for uawet8er exists
 -- ldap_check_account: Checking service account - found
 -- ldap_check_account: Found userAccountControl = 0x200
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found User Principal: uawet8er
 -- ldap_check_account_strings: Inspecting (and updating) service account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
 -- ldap_get_kvno: KVNO is 8
 -- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
 -- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
 -- update_keytab: Updating all entries for uawet8er
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_keytab_entries: Trying to add missing entries for uawet8er to keytab

Now check your keytab with kinit:

$ kinit  -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: uawet8er@AD.EXAMPLE.COM

Valid starting       Expires              Service principal
24.07.2019 13:15:45  24.07.2019 23:15:45  krbtgt/AD.EXAMPLE.COM@AD.EXAMPLE.COM
        erneuern bis 25.07.2019 13:15:45

This keytab is now ready to be used with your login.conf for JGSS or with KRB5_CLIENT_KTNAME and MIT Kerberos.

Matthew
Michael-O
16

Create a keytab using "ktutil"

> ktutil
ktutil:  addent -password -p username@domain.com -k 1 -e rc4-hmac
Password for username@domain.com: [enter your password]
ktutil:  addent -password -p username@domain.com -k 1 -e aes256-cts
Password for username@domain.com: [enter your password]
ktutil:  wkt username.keytab
ktutil:  quit


# The steps below will create a keytab for the user, move it into a secure directory,
# and automatically get a ticket when the user logs in with a bash shell

mkdir /home/username/keytabs 
chmod 700 /home/username/keytabs 
mv username.keytab /home/username/keytabs 
chmod 600 /home/username/keytabs/username.keytab 
echo "kinit -kt /home/username/keytabs/username.keytab username@domain.com" >> /home/username/.bash_profile

Command to pass the keytab and log in:

kinit username@domain.com -k -t /path/to/username.keytab

Reference links: Hortonworks, kb.iu.edu

Kumar
  • Didn't work for me. `kinit: Preauthentication failed while getting initial credentials` – user1129682 Sep 20 '21 at 09:13
  • @user1129682 It is possible that your ktutil is too old to support salt. You also need to make sure the exact case is used. For example, for AD, administrator@EXAMPLE.COM won't work, but Administrator@EXAMPLE.COM will – Ding-Yi Chen Feb 03 '22 at 23:49
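As an added example (not code from any of the answers on this page), a bash wrapper for the keytab approach described in this answer and in the msktutil answer: it refuses a keytab that is readable by group/other or not owned by the calling user, then runs kinit -k -t into a private credential cache and confirms the ticket with klist -s. It assumes an MIT Kerberos kinit/klist on a Unix host; the function names, paths and the example principal are assumptions.

```shell
#!/bin/bash
# Added example for scripts and cron jobs that authenticate with a keytab.
# Assumes MIT Kerberos (kinit -k -t, klist -s); paths and names are hypothetical.

# Return 0 only if the keytab is a regular file, has no group/other permission
# bits set (i.e. 0600 or 0400) and is owned by the user running this script.
keytab_is_private() {
    local f=$1 goperm owner_uid
    [ -f "$f" ] || { echo "keytab $f: not a regular file" >&2; return 1; }
    # Columns 5-10 of the ls -l mode string are the group and other bits.
    goperm=$(ls -ld -- "$f" | cut -c5-10)
    # ls -n prints the numeric uid, so this also works for users without a passwd entry.
    owner_uid=$(ls -ldn -- "$f" | awk '{print $3}')
    if [ "$goperm" != "------" ]; then
        echo "keytab $f: group/other bits set ($goperm); fix with chmod 600" >&2
        return 1
    fi
    if [ "$owner_uid" != "$(id -u)" ]; then
        echo "keytab $f: owned by uid $owner_uid, not uid $(id -u)" >&2
        return 1
    fi
    return 0
}

# Obtain a TGT from the keytab into a fresh, private credential cache so the
# script does not clobber the interactive user's /tmp/krb5cc_UID, then verify
# with klist -s (exit 0 only if the cache holds a valid, unexpired ticket).
# Run kdestroy when the job is done to remove the cache file.
kinit_from_keytab() {
    local keytab=$1 principal=$2
    keytab_is_private "$keytab" || return 1
    KRB5CCNAME="FILE:$(mktemp /tmp/krb5cc_XXXXXX)" || return 1
    export KRB5CCNAME
    kinit -k -t "$keytab" "$principal" || return 1
    klist -s
}

# Usage (hypothetical keytab path and principal):
#   kinit_from_keytab /home/username/keytabs/username.keytab username@DOMAIN.COM
```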
7

There are 2 popular Kerberos client packages: MIT and Heimdal. Heimdal is what comes with MacOS, but MIT is the reference implementation. On Heimdal clients, you can use the --password-file flag:

$ kinit --password-file=~/mypasswordfile test@REALM

This avoids leaking the password to the process list, as it "reads the password from the first line of filename."

You can alternatively do

--password-file=STDIN

and pipe it in, e.g. cat password_file | kinit --password-file=STDIN test@REALM.

NOTE: This avoids leaking the password via the ps output.

On MacOS you can also use the keychain option. You can check the type of client you have with kinit --version. If the --version flag is unrecognized, you most likely have an MIT client; the Heimdal clients seem to recognize the flag and report a version.

Note that Ubuntu switched the default from a Heimdal implementation to the MIT one between 14.04 and 16.04. Also, generally speaking, the two packages conflict with one another.

slm
rogerdpack
  • Does this actually always work? In my case I got an error `Bad start time value sword-file=mypasswordfile ` – greyxray Mar 13 '19 at 15:25
  • OK I fixed up some typos (it does work, at least here). I'd guess it's some other problem with your kerberos server or local box, maybe ask a new question on it. – rogerdpack Mar 13 '19 at 16:05
4

You might be able to, depending on exactly which kinit you are using, but it's an extremely bad idea. Anyone on that system can read the process table and ARGV for any command, and thus your password is exposed.

Most implementations of kinit do not support this for exactly this reason.

It's not completely clear: are you on a Windows box or a Unix one?

Either way, the correct way to handle this problem is to use a keytab.

Keytabs store the key for a principal (not the password). In Kerberos the password is used to generate a more random key that is actually used in the cryptographic exchange. The command for creating/manipulating keytabs is usually

ktutil
1

I had this issue when I was going to run a shell script. I was manually typing

kinit username@domain.com
Password for username@domain.com:

like this, and after searching the web I got this result.

Create a keytab using "ktutil"

> ktutil
ktutil:  addent -password -p username@domain.com -k 1 -e rc4-hmac
Password for username@domain.com: [enter your password]
ktutil:  addent -password -p username@domain.com -k 1 -e aes256-cts
Password for username@domain.com: [enter your password]
ktutil:  wkt username.keytab
ktutil:  quit

After running this, the .keytab file will be in the (~) root folder. In my script I have moved the file to the tmp folder. Now we can give the keytab file while running the shell script.

kinit username@domain.com -k -t /tmp/username.keytab