Extract users kerberos passwords

classic Classic list List threaded Threaded
8 messages Options
Reply | Threaded
Open this post in threaded view
|

Extract users kerberos passwords

Francisco Oliveira-2
Hello,

I have the following problem:

I would like to extract some of my users' passwords (which are stored
in Mit Kerberos) and insert them in Openldap.
How  can I extract the users'  password?


Best regards,

F.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

nikanth (Bugzilla)
I think you can take the key and store it in LDAP server but the
password cannot be extracted as it is the result of a one way hash

On 6/13/05, fsoliv <[hidden email]> wrote:

> Hello,
>
> I have the following problem:
>
> I would like to extract some of my users' passwords (which are stored
> in Mit Kerberos) and insert them in Openldap.
> How  can I extract the users'  password?
>
>
> Best regards,
>
> F.
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>


--
enter my brain[atleast virtually it exists] at http://nikanth.blogspot.com
speak with me @ 0-9886115038 (b'lore)

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

Preetam Ramakrishna
In reply to this post by Francisco Oliveira-2
Hi,

        Users' passwords are stored as keys in MIT kerberos. So, you
can extract the keys but not the passwords.

Preetam

>>> fsoliv <[hidden email]> 6/13/2005 4:44:12 AM >>>
Hello,

I have the following problem:

I would like to extract some of my users' passwords (which are stored
in Mit Kerberos) and insert them in Openldap.
How  can I extract the users'  password?


Best regards,

F.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

Francisco Oliveira-2
In reply to this post by Francisco Oliveira-2
Ok, thank you for your emails.

Can I extract the key from the  kdb5_util dump utility?

If so, which field represents the key?

Regards,
F.

On 6/13/05, Preetam Ramakrishna <[hidden email]> wrote:

> Hi,
>
>         Users' passwords are stored as keys in MIT kerberos. So, you
> can extract the keys but not the passwords.
>
> Preetam
>
> >>> fsoliv <[hidden email]> 6/13/2005 4:44:12 AM >>>
> Hello,
>
> I have the following problem:
>
> I would like to extract some of my users' passwords (which are stored
> in Mit Kerberos) and insert them in Openldap.
> How  can I extract the users'  password?
>
>
> Best regards,
>
> F.
>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

Preetam Ramakrishna
fsoliv wrote:

>Ok, thank you for your emails.
>
>Can I extract the key from the  kdb5_util dump utility?
>
>If so, which field represents the key?
>
>Regards,
>F.
>
>On 6/13/05, Preetam Ramakrishna <[hidden email]> wrote:
>  
>
>>Hi,
>>
>>        Users' passwords are stored as keys in MIT kerberos. So, you
>>can extract the keys but not the passwords.
>>
>>Preetam
>>
>>    
>>
>>>>>fsoliv <[hidden email]> 6/13/2005 4:44:12 AM >>>
>>>>>          
>>>>>
>>Hello,
>>
>>I have the following problem:
>>
>>I would like to extract some of my users' passwords (which are stored
>>in Mit Kerberos) and insert them in Openldap.
>>How  can I extract the users'  password?
>>
>>
>>Best regards,
>>
>>F.
>>
>>________________________________________________
>>Kerberos mailing list           [hidden email]
>>https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>    
>>
>
>________________________________________________
>Kerberos mailing list           [hidden email]
>https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>
Hi,

          You can use kadmin.local utility instead if you need to
extract only the key.

Preetam
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

Francisco Oliveira-2
Ok, but How can I extract the key to put it on the userPassword field
of a ldap entry?
Thank you,

F.
On 6/13/05, Preetam <[hidden email]> wrote:

>  fsoliv wrote:
>  Thank you for your email.
> I have tried to extract the key from kadmin but I had no success. Can
> you tell me which command I should use?
>
> Regards,
>
> F.
>
> On 6/13/05, Preetam <[hidden email]> wrote:
>  
>  
>  fsoliv wrote:
>  Ok, thank you for your emails.
>
> Can I extract the key from the kdb5_util dump utility?
>
> If so, which field represents the key?
>
> Regards,
> F.
>
> On 6/13/05, Preetam Ramakrishna <[hidden email]> wrote:
>  
>  
>  Hi,
>
>  Users' passwords are stored as keys in MIT kerberos. So, you
> can extract the keys but not the passwords.
>
> Preetam
>
>  
>  
>  
>  
>  fsoliv <[hidden email]> 6/13/2005 4:44:12 AM >>>
>  
>  Hello,
>
> I have the following problem:
>
> I would like to extract some of my users' passwords (which are stored
> in Mit Kerberos) and insert them in Openldap.
> How can I extract the users' password?
>
>
> Best regards,
>
> F.
>
> ________________________________________________
> Kerberos mailing list [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>  ________________________________________________
> Kerberos mailing list [hidden email]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
>  
>  Hi,
>  
>  You can use kadmin.local utility instead if you need to extract
> only the key.
>  
>  Preetam
>  
>  >
>
>  
>  Hi,
>  
>           You can run kadmin.local utility, then run the command
>  ktadd -k <path of keytab file> <principal name>
>  
>  Preetam
>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

NetSteady
In reply to this post by Francisco Oliveira-2
Actually, the capability to transfer authentication information between
databases (including FROM krb to anything) will be a feature that will
be available in NeXauth, a product my company will be launching this
summer. If you'd like to get some information about this prior to it
coming out, please email me at cmh[at]netsteady.cc

Thanks
Chris Hutchison
- - - - - - - - - - - - - - - - - - - -
Christopher M. Hutchison, CEO
NetSteady Communications, Ltd.
P.O. Box 392
Galloway, Ohio 43119

Phone: 614-853-0091
Skype: wifi_chris

http://www.netsteady.cc

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: Extract users kerberos passwords

Howard Chu
In reply to this post by Francisco Oliveira-2
MIT Kerberos has gone through a half-dozen different db dump formats,
so precise instructions on how to extract the fields depends on the
exact software version you have and the options you specify to the
kdb5_dump command.

Meanwhile, by default OpenLDAP does not have any module that recognizes
what to do with a Kerberos key in the userPassword attribute. So once
you figure out what to do to get the key out of the KDC, there's still
a problem of what to do with it next.

There is an indirect route that should work - in the OpenLDAP 2.3
contrib directory there is a module that adds support for Samba
passwords and Heimdal Kerberos keys (see
contrib/slapd-modules/smbk5pwd). If you use the Heimdal Kerberos tools
to import the MIT dump into Heimdal format, then you should be able to
use the result with OpenLDAP. But there are a lot of steps to get there
(starting with obtaining and installing the Heimdal source code).

If you're interested in getting this to work, I think you should go all
the way - you can run the Heimdal KDC directly on top of OpenLDAP,
instead of using a flat file-based kerberos database. In this case, all
of your Kerberos account information is stored as attributes of regular
OpenLDAP account entries. Once you have the database loaded into
OpenLDAP you can do all your account administration from there and you
never need to run the Kerberos account management utilities any more.
If building all of the packages seems like too much effort for you, my
company (Symas Corp., http://www.symas.com) provides prepackaged
binaries of all of the necessary software, ready to install. (OpenLDAP,
Heimdal, OpenSSL, Cyrus SASL, BerkeleyDB, etc.)

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos