Is a keytab file encrypted?

classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Is a keytab file encrypted?

pratyush parimal
Hi guys,

Kind of a noob question, but here it goes.
When I export a principal's key to a keytab file using the following
command:

ktadd -k keytabfile service/host@REALM

(1) Does the keytabfile contain the key in encrypted form or as plaintext?
(2) Is it possible to export the key in encrypted form? If so, then how
does the service application open the encrypted keytab?

Thanks,
Pratyush
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Greg Hudson
On 07/18/2017 12:48 PM, pratyush parimal wrote:
> When I export a principal's key to a keytab file using the following
> command:
>
> ktadd -k keytabfile service/host@REALM
>
> (1) Does the keytabfile contain the key in encrypted form or as plaintext?

The keytab file contains the actual keys, unencrypted.

> (2) Is it possible to export the key in encrypted form? If so, then how
> does the service application open the encrypted keytab?

The keytab file does not have any way to represent encrypted keys, and
the kadmin protocol has no facility to export encrypted keys.  One
could, in principle, design an out-of-band system which used
kadmin.local to create a keytab, encrypt the file, transmit the
encrypted kyetab file to the server, and then decrypt the file on the
server (into a memory filesystem, perhaps) before running the server
application, but I've never heard of anyone doing that.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Russ Allbery-2
Greg Hudson <[hidden email]> writes:
> On 07/18/2017 12:48 PM, pratyush parimal wrote:

>> (2) Is it possible to export the key in encrypted form? If so, then how
>> does the service application open the encrypted keytab?

> The keytab file does not have any way to represent encrypted keys, and
> the kadmin protocol has no facility to export encrypted keys.  One
> could, in principle, design an out-of-band system which used
> kadmin.local to create a keytab, encrypt the file, transmit the
> encrypted kyetab file to the server, and then decrypt the file on the
> server (into a memory filesystem, perhaps) before running the server
> application, but I've never heard of anyone doing that.

You have kind of a chicken and an egg problem, since in a typical Kerberos
environment the keytab *is* the core identity keys for an application.  If
it's encrypted, then you need some other unencrypted keys that *really*
represent the application, at which point why not use those keys for
Kerberos directly?

That said, if you had a private key in a TPM or some other sort of
tamper-resistent hardware, I could see wanting to hand out Kerberos
keytabs encrypted to the public key of the server.  But you'd have to
build the service to do key issuance that way yourself.  (It wouldn't be
horribly hard to build if you'd already done the work to build out the PKI
and its TPM component.)

But, even in that case, it's not clear to me what the keytab is then doing
for you versus just using the PKI and using PKINIT to get Kerberos
tickets.  There are probably some practical uses for introducing the extra
layer of complexity, but it's not obviously necessary.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

pratyush parimal
Ah, I get it. It's much clearer now. Thanks guys!

On Jul 18, 2017 10:15 PM, "Russ Allbery" <[hidden email]> wrote:

> Greg Hudson <[hidden email]> writes:
> > On 07/18/2017 12:48 PM, pratyush parimal wrote:
>
> >> (2) Is it possible to export the key in encrypted form? If so, then how
> >> does the service application open the encrypted keytab?
>
> > The keytab file does not have any way to represent encrypted keys, and
> > the kadmin protocol has no facility to export encrypted keys.  One
> > could, in principle, design an out-of-band system which used
> > kadmin.local to create a keytab, encrypt the file, transmit the
> > encrypted kyetab file to the server, and then decrypt the file on the
> > server (into a memory filesystem, perhaps) before running the server
> > application, but I've never heard of anyone doing that.
>
> You have kind of a chicken and an egg problem, since in a typical Kerberos
> environment the keytab *is* the core identity keys for an application.  If
> it's encrypted, then you need some other unencrypted keys that *really*
> represent the application, at which point why not use those keys for
> Kerberos directly?
>
> That said, if you had a private key in a TPM or some other sort of
> tamper-resistent hardware, I could see wanting to hand out Kerberos
> keytabs encrypted to the public key of the server.  But you'd have to
> build the service to do key issuance that way yourself.  (It wouldn't be
> horribly hard to build if you'd already done the work to build out the PKI
> and its TPM component.)
>
> But, even in that case, it's not clear to me what the keytab is then doing
> for you versus just using the PKI and using PKINIT to get Kerberos
> tickets.  There are probably some practical uses for introducing the extra
> layer of complexity, but it's not obviously necessary.
>
> --
> Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Charles Hedrick
The argument makes sense.

However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended public workstations.

That makes me unwilling to tell users to create key tables for cron jobs.


> On Jul 18, 2017, at 10:20 PM, pratyush parimal <[hidden email]> wrote:
>
> Ah, I get it. It's much clearer now. Thanks guys!
>
> On Jul 18, 2017 10:15 PM, "Russ Allbery" <[hidden email]> wrote:
>
>> Greg Hudson <[hidden email]> writes:
>>> On 07/18/2017 12:48 PM, pratyush parimal wrote:
>>
>>>> (2) Is it possible to export the key in encrypted form? If so, then how
>>>> does the service application open the encrypted keytab?
>>
>>> The keytab file does not have any way to represent encrypted keys, and
>>> the kadmin protocol has no facility to export encrypted keys.  One
>>> could, in principle, design an out-of-band system which used
>>> kadmin.local to create a keytab, encrypt the file, transmit the
>>> encrypted kyetab file to the server, and then decrypt the file on the
>>> server (into a memory filesystem, perhaps) before running the server
>>> application, but I've never heard of anyone doing that.
>>
>> You have kind of a chicken and an egg problem, since in a typical Kerberos
>> environment the keytab *is* the core identity keys for an application.  If
>> it's encrypted, then you need some other unencrypted keys that *really*
>> represent the application, at which point why not use those keys for
>> Kerberos directly?
>>
>> That said, if you had a private key in a TPM or some other sort of
>> tamper-resistent hardware, I could see wanting to hand out Kerberos
>> keytabs encrypted to the public key of the server.  But you'd have to
>> build the service to do key issuance that way yourself.  (It wouldn't be
>> horribly hard to build if you'd already done the work to build out the PKI
>> and its TPM component.)
>>
>> But, even in that case, it's not clear to me what the keytab is then doing
>> for you versus just using the PKI and using PKINIT to get Kerberos
>> tickets.  There are probably some practical uses for introducing the extra
>> layer of complexity, but it's not obviously necessary.
>>
>> --
>> Russ Allbery ([hidden email])              <https://na01.safelinks.protection.outlook.com/?url=http:%2F%2Fwww.eyrie.org%2F~eagle%2F&data=02%7C01%7Chedrick%40rutgers.edu%7Cd8fbc3140d2741aa9bce08d4ce4d0583%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636360277603180808&sdata=2Uw%2BnFuhcAIE2Dg%2BGDPrXN2lw8wed2FqCiyTf0DdFCM%3D&reserved=0>
>>
> ________________________________________________
> Kerberos mailing list           [hidden email]
> https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmailman.mit.edu%2Fmailman%2Flistinfo%2Fkerberos&data=02%7C01%7Chedrick%40rutgers.edu%7Cd8fbc3140d2741aa9bce08d4ce4d0583%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636360277603180808&sdata=GaOrAUT3ukJJgW3X8l9nbRJHGkBah2K9VIeLXdiLpJo%3D&reserved=0


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Jeffrey Altman-2
On 7/21/2017 11:13 AM, Charles Hedrick wrote:
> The argument makes sense.
>
> However I am disturbed by the fact that a keytab can be used anywhere. If someone manages to become root on one machine, I’d like them not to be able to do things on other machines. I’m in an environment where we have systems administered by users, and unattended public workstations.
>
> That makes me unwilling to tell users to create key tables for cron jobs.

Sites have implemented a wide variety of approaches to authenticating
cron jobs.  The cron process is specific to a host and is not the user.
As such some sites provide tooling that issues host specific principals
for such use with cron:

  user/cron/hostname@REALM

is a common format.  It is then up to the service receiving such a
principal to ensure that the authenticating client is in fact connecting
from the specified host.  Authorization rules can be applied as desired
to either grant specific permissions to

  user/cron/hostname@REALM
  user/cron/*@REALM
  user/*/*@REALM

with appropriate name folding.

Jeffrey Altman




________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

smime.p7s (5K) Download Attachment
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Russ Allbery-2
In reply to this post by Charles Hedrick
Charles Hedrick <[hidden email]> writes:

> The argument makes sense.

> However I am disturbed by the fact that a keytab can be used
> anywhere. If someone manages to become root on one machine, I’d like
> them not to be able to do things on other machines. I’m in an
> environment where we have systems administered by users, and unattended
> public workstations.

> That makes me unwilling to tell users to create key tables for cron
> jobs.

Yeah, if you're worried about portable keys, that's when you probably want
to do something with a system TPM.  If you go down that path, I'd probably
try to figure out some way to do PKINIT using a TLS certificate stored in
the TPM.  I'm not aware of anyone who has already done that work, but it
would be a pretty interesting project.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Charles Hedrick
My approach is simpler:

* A kerberized service where the user registers that they want to be able to do cron jobs on a given machine.
* A kerberized pam module that calls the same service and gets back credentials, locked to the IP address, and at least by default not forwardable.

The pam module authenticates using the system keytable.

This may not be quite as good as a TPM, because it depends upon the integrity of the system key table. But the service checks the IP address, so my host credential is host/FOO, a lookup of FOO has to produce the IP address the request came from. That seems pretty close. I’ll look into TPM, to see if that could somehow be used.

> On Jul 21, 2017, at 3:42 PM, Russ Allbery <[hidden email]> wrote:
>
> Charles Hedrick <[hidden email]> writes:
>
>> The argument makes sense.
>
>> However I am disturbed by the fact that a keytab can be used
>> anywhere. If someone manages to become root on one machine, I’d like
>> them not to be able to do things on other machines. I’m in an
>> environment where we have systems administered by users, and unattended
>> public workstations.
>
>> That makes me unwilling to tell users to create key tables for cron
>> jobs.
>
> Yeah, if you're worried about portable keys, that's when you probably want
> to do something with a system TPM.  If you go down that path, I'd probably
> try to figure out some way to do PKINIT using a TLS certificate stored in
> the TPM.  I'm not aware of anyone who has already done that work, but it
> would be a pretty interesting project.
>
> --
> Russ Allbery ([hidden email])              <https://na01.safelinks.protection.outlook.com/?url=http:%2F%2Fwww.eyrie.org%2F~eagle%2F&data=02%7C01%7Chedrick%40rutgers.edu%7C90d749cea9134410e85408d4d070b68e%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636362629909705292&sdata=iWSMAyut%2BMLlSdzzPQnhZLbT4%2FCEYt5a%2BnBhbvnucCw%3D&reserved=0>


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Russ Allbery-2
Charles Hedrick <[hidden email]> writes:

> * A kerberized service where the user registers that they want to be
> able to do cron jobs on a given machine.
> * A kerberized pam module that calls the same service and gets back
> credentials, locked to the IP address, and at least by default not
> forwardable.

How does this address the problem raised on this thread?  It's still the
case that if you become root on the host, you can just steal the keytab
used by that daemon and use it anywhere.  This gives you enhanced
protection if you trust the boundary between non-root users and root, but
not if you don't trust the machine.

The point of the TPM is that you can't exfiltrate the keys, even if you
have root, only perform on-line operations.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Russ Allbery-2
Russ Allbery <[hidden email]> writes:
> Charles Hedrick <[hidden email]> writes:

>> * A kerberized service where the user registers that they want to be
>> able to do cron jobs on a given machine.
>> * A kerberized pam module that calls the same service and gets back
>> credentials, locked to the IP address, and at least by default not
>> forwardable.

> How does this address the problem raised on this thread?  It's still the
> case that if you become root on the host, you can just steal the keytab
> used by that daemon and use it anywhere.  This gives you enhanced
> protection if you trust the boundary between non-root users and root,
> but not if you don't trust the machine.

Oh, wait, I see -- it does transform part of the attack to occasional
on-line, since while you can steal the system keytab and request tickets
whenever you want, you can't get the long-lived keytab for the actual
target credential.  (And presumably you can put monitoring and alerting
around the host keytab being used from unexpected places.)

Yeah, that's a partial security improvement.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Charles Hedrick
You can only use the host key table from a host with the same IP address. The server verifies that the IP address corresponds to the hostname. In theory someone could bring a laptop and plug it in in place of the original host with the same IP address, but that wouldn’t let them compromise anything they couldn’t already get if they had root on the original host. We do lots of monitoring. If one of our hosts disappears, we’ll notice. If they replace it with another host at the same IP address that’s close enough to the original that we don’t  notice, it’s not clear what is being compromised. They’re just giving us free hardware...

And at least in our situation, we have various groups of systems at different security levels. So you could compromise that user on one cluster, but not system-wide.


> On Jul 21, 2017, at 5:55:27 PM, Russ Allbery <[hidden email]> wrote:
>
> Russ Allbery <[hidden email]> writes:
>> Charles Hedrick <[hidden email]> writes:
>
>>> * A kerberized service where the user registers that they want to be
>>> able to do cron jobs on a given machine.
>>> * A kerberized pam module that calls the same service and gets back
>>> credentials, locked to the IP address, and at least by default not
>>> forwardable.
>
>> How does this address the problem raised on this thread?  It's still the
>> case that if you become root on the host, you can just steal the keytab
>> used by that daemon and use it anywhere.  This gives you enhanced
>> protection if you trust the boundary between non-root users and root,
>> but not if you don't trust the machine.
>
> Oh, wait, I see -- it does transform part of the attack to occasional
> on-line, since while you can steal the system keytab and request tickets
> whenever you want, you can't get the long-lived keytab for the actual
> target credential.  (And presumably you can put monitoring and alerting
> around the host keytab being used from unexpected places.)
>
> Yeah, that's a partial security improvement.
>
> --
> Russ Allbery ([hidden email])              <https://na01.safelinks.protection.outlook.com/?url=http:%2F%2Fwww.eyrie.org%2F~eagle%2F&data=02%7C01%7Chedrick%40rutgers.edu%7Cb553338940c945a517d608d4d08333bf%7Cb92d2b234d35447093ff69aca6632ffe%7C1%7C0%7C636362709304409598&sdata=T8q1NWbN3%2FdXMfTw1%2FpYvQIn%2B3l1YP9X31WIkzncynU%3D&reserved=0>


________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Is a keytab file encrypted?

Theodore Ts'o-2
In reply to this post by Russ Allbery-2
On Fri, Jul 21, 2017 at 12:42:38PM -0700, Russ Allbery wrote:
>
> Yeah, if you're worried about portable keys, that's when you probably want
> to do something with a system TPM.  If you go down that path, I'd probably
> try to figure out some way to do PKINIT using a TLS certificate stored in
> the TPM.  I'm not aware of anyone who has already done that work, but it
> would be a pretty interesting project.

Or implement a subset of Kerberos as a smartcard application, so the
key would live in the smart card, and the smartcard would only do
operations if the proper pin/password is submitted --- much like how
the GPG smartcard application works.

For a server, the pin/password for the smartcard would have to be
stored on the disk, or entered by the system administrator each time
the system reboots, so it's not clear how much this would really help
you.  The same is true for the system TPM alternative as well of
course, but at least with the smartcard approach, you could easily
remove the smartcard if you wanted to put the server/laptop into a
"safe" mode where the keying materials have been separated from the
system.

It all depends on your specific threat model and what you are trying
to protect against....

                                                - Ted
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Loading...