Note: this page is a translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you reuse it you must follow the same license and attribute it to the original authors (not the translator). Original: http://stackoverflow.com/questions/8144596/

Date: 2020-10-21 08:37:01  Source: igfitidea

Kerberos kinit enter password without prompt

Tags: macos, kerberos

Asked by user754905

I was looking at this: http://docs.oracle.com/javase/7/docs/technotes/tools/windows/kinit.html and noticed that it says I could use the "password flag". I am not sure how to do this though?

Can I enter the password for kinit without it prompting me?

For example currently:

If I type in:

$ kinit test@REALM

I get response:

test@REALM's password: 

and I have to enter the password. Is there any way I can input something like kinit test@REALM password so it doesn't prompt me?

Accepted answer by Michael-O

Use a keytab for that principal!

In detail: how to create a service keytab.

There are multiple ways, but I will assume the following: You are running Active Directory as your KDC implementation, your backend runs on a Unix or Unix-like OS like CentOS, FreeBSD, HP-UX, etc. You also have MIT Kerberos or Heimdal installed and krb5.conf is properly configured.

Install msktutil(1) via package/ports manager or compile from source. If you choose to compile, make sure that all dependencies are present on your machine.

Now run msktutil:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name <samAccountName> \
  --old-account-password <password> --dont-change-password --keytab <path>

Replace samAccountName and password with your data. Leave out dont-change-password if you are fine with autogenerated passwords. Adjust path to where you want to store the keytab file.

Sample run:

$ /usr/local/sbin/msktutil update --verbose --use-service-account --account-name uawet8er \
>   --old-account-password '...' --dont-change-password --keytab uawet8er.keytab
 -- execute: Skipping creation of new password
 -- get_dc_host: Attempting to find Domain Controller to use via DNS SRV record in domain AD.EXAMPLE.COM for procotol tcp
 -- validate: Found DC: dc01.ad.example.com. Checking availability...
 -- get_dc_host: Found preferred Domain Controller: dc01.ad.example.com
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-y6WVDM
 -- destroy_g_context: Destroying Kerberos Context
 -- initialize_g_context: Creating Kerberos Context
 -- finalize_exec: SAM Account Name is: uawet8er
 -- try_machine_password: Trying to authenticate for uawet8er with password
 -- create_default_machine_password: Default machine password for uawet8er is uawet8er
 -- try_machine_password: Error: krb5_get_init_creds_keytab failed (Vorauthentifizierung fehlgeschlagen)
 -- try_machine_password: Authentication with password failed
 -- try_machine_supplied_password: Trying to authenticate for uawet8er with supplied password
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZUutAC
 -- finalize_exec: Authenticated using method 6
 -- LDAPConnection: Connecting to LDAP server: dc01.ad.example.com
SASL/GSSAPI authentication started
SASL username: [email protected]
SASL SSF: 256
SASL data security layer installed.
 -- ldap_get_base_dn: Determining default LDAP base: dc=AD,dc=EXAMPLE,dc=COM
 -- get_default_ou: Determining default OU: CN=Users,DC=ad,DC=example,DC=com
 -- ldap_check_account: Checking that a service account for uawet8er exists
 -- ldap_check_account: Checking service account - found
 -- ldap_check_account: Found userAccountControl = 0x200
 -- ldap_check_account: Found supportedEncryptionTypes = 28
 -- ldap_check_account: Found User Principal: uawet8er
 -- ldap_check_account_strings: Inspecting (and updating) service account attributes
 -- ldap_set_supportedEncryptionTypes: No need to change msDs-supportedEncryptionTypes they are 28
 -- ldap_set_userAccountControl_flag: Setting userAccountControl bit at 0x200000 to 0x0
 -- ldap_set_userAccountControl_flag: userAccountControl not changed 0x200
 -- ldap_get_kvno: KVNO is 8
 -- remove_keytab_entries: Trying to remove entries for uawet8er from keytab
 -- execute: Updating all entries for service account uawet8er in the keytab WRFILE:uawet8er.keytab
 -- update_keytab: Updating all entries for uawet8er
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_principal_keytab: Adding principal to keytab: uawet8er
 -- get_salt: Using salt of AD.EXAMPLE.COMuawet8er
 -- add_principal_keytab:   Adding entry of enctype 0x17
 -- add_principal_keytab:   Adding entry of enctype 0x11
 -- add_principal_keytab:   Adding entry of enctype 0x12
 -- add_keytab_entries: Trying to add missing entries for uawet8er to keytab

Now check your keytab with kinit:

$ kinit  -k -t uawet8er.keytab uawet8er
$ klist
Ticketzwischenspeicher: FILE:/tmp/krb5cc_722
Standard-Principal: [email protected]

Valid starting       Expires              Service principal
24.07.2019 13:15:45  24.07.2019 23:15:45  krbtgt/[email protected]
        erneuern bis 25.07.2019 13:15:45

This keytab is now ready to be used with your login.conf for JGSS or with KRB5_CLIENT_KTNAME and MIT Kerberos.

Answer by user2939990

Also you can

$ echo 'password' | kinit username

Answer by rogerdpack

There are 2 popular Kerberos client packages: MIT and Heimdal. Heimdal is what comes with MacOS, but MIT is the reference implementation. On Heimdal clients, you can use the --password-file flag:

$ kinit --password-file=~/mypasswordfile test@REALM

This avoids leaking the password to the process list as it "reads the password from the first line of filename."

You can alternatively do

--password-file=STDIN

and pipe it in, ex cat password_file | kinit --password-file=STDIN test@REALM.

NOTE: This avoids leaking the password via the ps output.

On MacOS you can also use the keychain option. You can check the type of client you have with kinit --version. If the --version flag is unrecognized, you most likely have a MIT client; the Heimdal clients seem to recognize the flag and report a version.

Note that Ubuntu switched the default from a Heimdal implementation to the MIT one between 14.04 and 16.04. Also, generally speaking, the two packages conflict with one another.

Answer by Kumar

Create a keytab using "ktutil"

> ktutil
ktutil:  addent -password -p [email protected] -k 1 -e rc4-hmac
Password for [email protected]: [enter your password]
ktutil:  addent -password -p [email protected] -k 1 -e aes256-cts
Password for [email protected]: [enter your password]
ktutil:  wkt username.keytab
ktutil:  quit

# Below steps will create a keytab for the user, move it into a secure directory,
# and automatically get a ticket when the user logs in with a bash shell

mkdir /home/username/keytabs 
chmod 700 /home/username/keytabs 
mv username.keytab /home/username/keytabs 
chmod 600 /home/username/keytabs/username.keytab 
echo "kinit -kt /home/username/keytabs/username.keytab [email protected]" >> /home/username/.bash_profile

Command to pass keytab and login

kinit [email protected] -k -t /path/to/username.keytab

Reference links: hortonworks, kb.iu.edu

Answer by Fred the Magic Wonder Dog

You might be able to depending on exactly which kinit you are using, but it's an extremely bad idea. Anyone on that system can read the process table and ARGV for any command and thus your password is exposed.

Most implementations of kinit do not support this for exactly this reason.

It's not completely clear: are you on a Windows box or a Unix one?

Either way, the correct way to handle this problem is to use a keytab.

Keytabs store the key for a principal (not the password). In kerberos the password is used to generate a more random key that is actually used in the cryptographic exchange. The command for creating/manipulating keytabs is usually

ktutil
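The keytab file that Michael-O's msktutil run writes and that Fred's answer describes (one password-derived key per enctype for the principal, never the password itself) has a simple binary layout, and reading it makes the point concrete. The following is an added example, not code from any of the answers: a small Python writer and reader for MIT-format keytab files (magic bytes 0x05 0x02, the format ktutil, msktutil and `kinit -k -t` share). The helper names write_keytab, read_keytab, keytab_is_private and describe_keytab and the all-zero dummy key bytes in the sample are this example's own assumptions; the principal, realm, KVNO and enctype numbers are taken from the msktutil log above.

```python
import os
import stat
import struct
import time

# Enctype numbers as they appear in the msktutil log above (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    0x17: "rc4-hmac",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
}
KEYTAB_MAGIC = b"\x05\x02"


def _counted(data: bytes) -> bytes:
    """Keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _take_counted(rec: bytes, off: int):
    """Inverse of _counted: return (bytes, offset just after them)."""
    (n,) = struct.unpack_from(">H", rec, off)
    off += 2
    return rec[off:off + n], off + n


def write_keytab(path, principal, realm, entries, name_type=1, mode=0o600):
    """Write [(kvno, enctype, key_bytes), ...] for principal@realm (hypothetical
    helper; in practice ktutil or msktutil writes the file). Created 0600."""
    components = principal.split("/")
    body = b""
    for kvno, enctype, key in entries:
        rec = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            rec += _counted(comp.encode())
        rec += struct.pack(">IIB", name_type, int(time.time()), kvno & 0xFF)
        rec += struct.pack(">H", enctype) + _counted(key)
        rec += struct.pack(">I", kvno)  # 32-bit vno extension: kvno may exceed 255
        body += struct.pack(">i", len(rec)) + rec
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as fh:
        fh.write(KEYTAB_MAGIC + body)


def read_keytab(path):
    """Parse a keytab into dicts: principal, kvno, enctype, timestamp, key."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        rec, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = _take_counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _take_counted(rec, off)
            comps.append(comp.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", rec, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", rec, off)
        key, off = _take_counted(rec, off + 2)
        kvno = vno8
        if off + 4 <= len(rec):  # 32-bit vno present: it wins when non-zero
            (vno32,) = struct.unpack_from(">I", rec, off)
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype,
                        "timestamp": timestamp, "key": key})
    return entries


def keytab_is_private(path) -> bool:
    """True when only the owner can read the file (what chmod 600 above achieves)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def describe_keytab(path):
    """klist -kt style summary lines: key sizes are shown, key bytes never are."""
    lines = []
    for e in read_keytab(path):
        name = ENCTYPE_NAMES.get(e["enctype"], hex(e["enctype"]))
        lines.append(f"KVNO {e['kvno']} {e['principal']} {name} "
                     f"({len(e['key']) * 8}-bit key)")
    return lines


if __name__ == "__main__":
    # Constructed sample: the principal, KVNO and enctypes from the msktutil run
    # above, with all-zero dummy bytes standing in for the password-derived keys.
    keytab = "uawet8er.keytab"
    write_keytab(keytab, "uawet8er", "AD.EXAMPLE.COM",
                 [(8, 0x17, bytes(16)), (8, 0x11, bytes(16)), (8, 0x12, bytes(32))])
    print("owner-only permissions:", keytab_is_private(keytab))
    print("\n".join(describe_keytab(keytab)))
```

Compare describe_keytab's output with `klist -kt` on a real keytab: the KVNO must match the value the KDC reports (the msktutil log shows "KVNO is 8"), or kinit -k -t fails. keytab_is_private is the check to run before pointing KRB5_CLIENT_KTNAME or a .bash_profile `kinit -kt` line at the file, since anyone who can read the keytab can obtain tickets as that principal, which is exactly the exposure the keytab was meant to remove from the process list.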