Why does the password become incorrect after generating a keytab in Kerberos?

In my Kerberos system:
I run kinit test and input the password, and it succeeds.
I generate a keytab with kadmin.local -q "xst -k test.keytab test".
I run kinit test and input the password again, and it fails:
kinit: Password incorrect while getting initial credentials
I run kinit -k -t test.keytab test, and it succeeds.
Is this normal? If not, what are the possible reasons?
Thanks.

I found that the attribute krbLastPwdChange (a timestamp value) in Kerberos's database changed after I ran:
kadmin.local -q "xst -k test.keytab test"
while adding the option -norandkey just creates the keytab without changing the password:
kadmin.local -q "xst -norandkey -k test.keytab test"
I cannot find detailed documentation about kadmin xst.

This is by design. You cannot have both a password and a keytab in Kerberos. The reason is that if both were enabled and someone was able to pull a keytab on your behalf, or was in possession of a copy of your keytab, then they could masquerade as you and you would never know it. They would be able to generate a TGT via kinit.
By pulling a keytab, the password is invalidated, so if you then tried to log in with a password, you would get an error. And even if you didn't know exactly what was going on, if you reset your password, it would invalidate the keytab.

For one simple reason:
kinit tells you that the client has not been found in the database, right? By default, when kinit is invoked with a keytab it uses the default server principal to obtain a TGT. In your case that is host/<hostname>@REALM, but your keytab contains a key for principal test@REALM.
I had this issue too until I asked the MIT Kerberos mailing list.

Related

Keycloak: deactivate Kerberos auth without being authenticated

I'm trying to use Keycloak in order to get a login configuration with Kerberos working (which is a big failure).
I've made a mistake, which is Kerberos: Required.
In other words, I opened Authentication > Select Browser > Requirement: Required on Kerberos.
So I can't connect anymore; I get "Invalid username or password" when logging on to "http://localhost:8080/auth".
Has anyone resolved this without deleting and reconfiguring the server?
Found something which helped me a lot. I solved my problem, so I will explain how.
I used kcadm.bat (or .sh) from my bin directory.
Opened it in a CMD.
Logged in with kcadm:
kcadm.bat config credentials --server http://localhost:8080/auth --realm master --user admin
Next, I got the ID I needed to update the flow (master):
kcadm.bat get authentication/flows/{FLOW}/executions
Next, I put this in a JSON file: {"id":"ID_of_my_flow", "requirement":"ALTERNATIVE"}
Saved my file and finally just wrote:
kcadm.bat update authentication/flows/master/executions -r REALM -f myfile.json
Thanks.

docker-compose pull gives either a gpg error or a permissions error when I attempt to use it with or without sudo

Hello everyone.
I hope that someone can help to answer my question.
I am joining a project in which I have to use various docker containers. I was told that I just needed to use docker-compose to pull down all the necessary containers. I tried this, and got two different errors, based on whether I used sudo or not. My machine is Ubuntu Bionic Beaver 18.04.4 LTS.
I have docker-engine installed according to the installation instructions for Bionic on the github page, and docker-compose is likewise installed according to its instructions. I did not create a "docker" group since I have sudo access.
We have two repos that I have to log in to before I can do anything. In order to prevent my passwords from being stored unencrypted in config.json, I followed this guide to set up a secure credential store:
https://www.techrepublic.com/article/how-to-setup-secure-credential-storage-for-docker/
However, rather than asking me for the password and/or passphrase mentioned in this article, the login process makes me enter the actual passwords to the repos. So, the secure credential store may not be working, which might be causing the problem.
At any rate, once I log in and the two commands show login succeeded, I then try to do a
docker-compose pull
on the repos. When I do
sudo docker-compose pull
I get this final error:
docker.errors.DockerException: Credentials store error: StoreError('Credentials store docker-credential-pass exited with "exit status 2: gpg: WARNING: unsafe ownership on homedir '/home/myuser/.gnupg'\ngpg: decryption failed: No secret key".')
An ls of the .gnupg directory gives:
myuser@myhost$ ls -lA ~ | grep gnupg
drwx------ 4 myuser myuser 226 Feb 9 13:35 .gnupg
gpg --list-secret-keys shows my keypair when I run it as myuser.
I am assuming that what is happening is that because I am running as sudo the user trying to access this directory is root, not myuser, and so it is failing. However, if I leave off the sudo
docker-compose pull
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
I am guessing that this is because my normal user doesn't have the ability to connect to the docker daemon's Unix socket.
So, how do I make these play together? Is the answer to add a docker group so that the command still runs as myuser and not as root? Or is there another way to do this?
Also, why is my credential store not asking me for the password set by docker-credential-pass or the GPG passphrase? I suspect these two are related. Perhaps the pull is trying to send my authentication tokens over again and can't because it doesn't have access to the secure credentials store.
All of the above are guesses. Does anyone know what is going on here?
Thanking you in advance,
Brad
I just wanted to follow up with a solution to this question that worked for me.
Firstly, you need to add your user to the docker group that was created during docker-engine's installation.
sudo usermod --append --groups docker your_user_name
Because I had already used sudo to try this, there were a few files that ended up being created by root.
So, you have to chown a few things.
sudo chown your_user_name:your_group_name ~/.docker/config.json
Note that for the group name I used docker, but I'm not sure if that's necessary.
Then, there were files inside the ~/.password-store directory that needed to be changed.
sudo chown -R your_user_name:your_group_name ~/.password-store
Most of these files are already owned by you, but the recorded credentials are not.
Then, the magic that fixed it all. From
https://ask.csdn.net/questions/5153956
you have to do this:
export GPG_TTY=$(tty)
It is this last step that makes gpg work.
Then, you can log in to your repos, if you have to, without using sudo:
docker login -u repo_user_name your_repo_host
and then log in with your repo password.
Note that I don't know why you have to use the repo password instead of using the stored credentials.
Once you log in, you should be able to do a docker-compose pull without sudo from the directory where you want the containers to be placed.
Note that you will probably have to provide your GPG passphrase at first. I'm not sure about this because I had already unlocked the key by following the steps in the above link to check to see if docker-credential-pass had the right credential store password stored.
And that should do it.
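A pre-flight script that tests each condition the answer above repairs (docker group membership, socket access, root-owned leftovers, GPG_TTY), as an added example and not part of the answer; the socket path and the three home-directory paths are taken from the answer and are assumptions about the installation, not verified facts.

```shell
#!/bin/sh
# Pre-flight check for running docker-compose without sudo while using the
# docker-credential-pass store (added example, not part of the answer above).
# Assumed paths: /var/run/docker.sock; ~/.docker, ~/.password-store and
# ~/.gnupg as named in the answer.

# 0 if the current user is a member of group $1 (as `id -nG` reports it).
in_group() {
    for g in $(id -nG); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# List files under the given directories that are not owned by the current
# user, i.e. leftovers of an earlier sudo run. Returns 1 if any exist.
foreign_files() {
    out=""
    for root in "$@"; do
        [ -e "$root" ] || continue
        out="$out$(find "$root" ! -user "$(id -un)" -print)"
    done
    printf '%s' "$out"
    [ -z "$out" ]
}

# Run every check the answer's fix steps address and print the matching fix.
docker_preflight() {
    rc=0
    in_group docker || {
        echo "not in group docker: sudo usermod --append --groups docker $(id -un), then log in again"; rc=1; }
    [ -w /var/run/docker.sock ] || {
        echo "cannot write /var/run/docker.sock: a new group takes effect on a fresh login"; rc=1; }
    foreign_files "$HOME/.docker" "$HOME/.password-store" "$HOME/.gnupg" >/dev/null || {
        echo "root-owned files from sudo runs: sudo chown -R $(id -un) ~/.docker ~/.password-store ~/.gnupg"; rc=1; }
    [ -n "${GPG_TTY:-}" ] || {
        echo "GPG_TTY unset: export GPG_TTY=\$(tty) so gpg can ask for the passphrase"; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh check   (exit 0 means docker-compose pull should work without sudo)
if [ "${1:-}" = "check" ]; then docker_preflight; fi
```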

How can I check Kerberos Authentication as part of liveness probe?

I need to restart my OpenShift pods whenever I see a Kerberos authentication failure exception. To get that done, I need to check Kerberos authentication as part of the liveness check. Can someone please let me know how I can check Kerberos authentication without producing a message to the Kafka broker? Thanks.
A simple klist command can be used to list the Kerberos principal and tickets held in a credentials cache or the keys held in a keytab.
I also read another method here: https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-52-01/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication/troubleshoot-kerberos-authentication-setup.html
Windows:
Verify whether the keytab file is valid. Run the following command:
kinit -k -t keytab_file_location respective_spn
This command returns no error when the keytab file is valid.
UNIX:
Run the following command:
kinit -k -t keytab_file service_principal_name
If you get no errors, the keytab files are fine, and the krb.conf file has valid values.
Hope this helps or at least gives you some ideas on how to test without producing a message to the topic!
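A liveness probe built on the kinit -k -t check above, as an added example (not code from the answers, the linked document, or the first question on this page). It doubles as the post-extraction check for that first question, since a keytab whose key no longer matches the KDC fails at the kinit step; it assumes GNU date, coreutils timeout, and a hypothetical keytab path and principal, all overridable through the environment.

```shell
#!/bin/sh
# Liveness probe built on `kinit -k -t` (added example, not from the answers).
# Assumed, hypothetical values: keytab /etc/kafka/client.keytab, principal
# kafka-client@EXAMPLE.COM; requires GNU date (-d) and coreutils timeout.
KEYTAB="${KEYTAB:-/etc/kafka/client.keytab}"
PRINCIPAL="${PRINCIPAL:-kafka-client@EXAMPLE.COM}"
MIN_LEFT="${MIN_LEFT:-300}"   # seconds of TGT lifetime the probe insists on

# Print the "Expires" timestamp of the krbtgt line in klist output ($1).
tgt_expiry() {
    printf '%s\n' "$1" | awk '$5 ~ /^krbtgt\// { print $3 " " $4; exit }'
}

# Seconds until the TGT in klist output ($1) expires, counted from epoch $2
# (default: now). Prints -1 when no TGT is present.
tgt_seconds_left() {
    exp=$(tgt_expiry "$1")
    if [ -z "$exp" ]; then printf '%s\n' -1; return; fi
    now="${2:-$(date +%s)}"
    printf '%s\n' $(( $(date -d "$exp" +%s) - now ))
}

# The probe: obtain a TGT from the keytab into a throwaway cache (never the
# application's own cache), then require enough remaining lifetime.
# A kinit failure here is what the first question on this page describes:
# a keytab whose key no longer matches the KDC, e.g. after an xst run
# without -norandkey re-randomized the principal's key.
probe() {
    cache=$(mktemp) || return 1
    export KRB5CCNAME="FILE:$cache"
    if ! timeout 10 kinit -k -t "$KEYTAB" "$PRINCIPAL"; then
        echo "probe: kinit from $KEYTAB failed for $PRINCIPAL" >&2
        rm -f "$cache"
        return 1
    fi
    left=$(tgt_seconds_left "$(klist)")
    rm -f "$cache"
    [ "$left" -ge "$MIN_LEFT" ]
}

# Run as the probe command: `sh probe.sh probe` (exit 0 = live).
if [ "${1:-}" = "probe" ]; then probe; fi
```

Point the container's livenessProbe exec at this script; it never touches the application's credential cache, so a failing probe cannot disturb the running client.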

Input password for putty pscp

I'm trying to execute the command below using the PuTTY pscp tool.
pscp -v -pw mypassword "X:\data\temp*" root@172.x.x.x:\tmp\data
I'm getting the following error.
Fatal: Disconnected: No supported authentication methods available
I have to pass a user name and password. And on the target system I don't have much control.
Could anybody point out what I'm doing wrong?
The remote server might be rejecting SSH with a password. You could try to set up DSA or RSA keys with puttygen, but you would need to change the key on the remote site. Does this work with ftp? Root login might also be disabled, and besides it's usually a bad idea. That is why someone suggested that this go to the superuser forum. Root is not a regular user and remote login might be disabled in /etc/sshd_config.
Changed
...
PermitRootLogin no
...
PasswordAuthentication no
...
To
...
PermitRootLogin yes
...
PasswordAuthentication yes
And it worked!
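An added example, not from the answer above, that audits the two sshd options the answer changed and reports whether root password login is open (the state that made the pscp -pw command work); it assumes OpenSSH's sshd -T output format and a hypothetical key file for the key-based alternative the answer mentions.

```shell
#!/bin/sh
# Audit of the two sshd settings the answer toggled (added example, not part
# of the answer). Reads the effective server config from `sshd -T` (OpenSSH,
# run as root) or from text passed in, and flags the combination that lets
# root log in with a password. With a key instead, pscp needs no -pw:
#   pscp -i mykey.ppk "X:\data\temp*" user@host:/tmp/data   (assumed key file)

# Print the value of option $1 (lower case, as `sshd -T` prints it) from $2.
sshd_opt() {
    printf '%s\n' "$2" | awk -v k="$1" 'tolower($1) == k { print tolower($2); exit }'
}

# 0 when root cannot log in with a password, 1 when it can, 2 when unknown.
audit_root_login() {
    prl=$(sshd_opt permitrootlogin "$1")
    pwa=$(sshd_opt passwordauthentication "$1")
    case "$prl:$pwa" in
        :*|*:)   echo "could not read PermitRootLogin/PasswordAuthentication"; return 2 ;;
        yes:yes) echo "root can log in with a password (PermitRootLogin yes, PasswordAuthentication yes)"; return 1 ;;
        no:*)    echo "root login disabled (PermitRootLogin no)" ;;
        *)       echo "root login limited to keys (PermitRootLogin $prl, PasswordAuthentication $pwa)" ;;
    esac
}

# Usage on the server: sudo sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_root_login "$(sshd -T 2>/dev/null)"; fi
```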

Login to Perforce from Commandline

I would like to log in to Perforce (P4) from the command line.
I tried using
p4 -u My_Username login
But how do I provide the password? I need this to check in a file from the command line.
Before connecting to the server, set P4PORT (to tell the client where the server is) and P4USER (to tell the server who you are). P4PORT is specified as hostname:port, with the port usually (but not always) being 1666. If you're not sure what your Perforce server address and user name are, check with your sys admin.
p4 set P4PORT=your.server.hostname:1666
p4 set P4USER=your.username
You can also use "set" or "setenv" or "export" as appropriate to your shell, but with a 2014.2 or newer Perforce client (use "p4 -V" to check your version information) you can use "p4 set" as a persistent cross-platform alternative. Another option is to use the "-u" and "-p" flags on every command you run (e.g. "p4 -p your.server.hostname:1666 -u your.username sync ..."), but this gets tiresome quickly.
To verify that your connection is correct, run:
p4 info
If this gives you an error message, or says that your user is unknown, check with your Perforce administrator to make sure you have the correct P4PORT and P4USER values.
To login, run:
p4 login
If the client is able to connect to the server and your user name is correct, you will be prompted for the password. Enter it and you will be logged in.
If you are scripting Perforce commands that require login credentials, and you don't want your script to stop in the middle to prompt for a password, my recommendation would be to run "p4 login" as above at some point prior to running the script. The login ticket will persist on your machine and the script will pick it up (provided that it's connecting with the same P4PORT and P4USER that you used to generate the ticket). This is the most secure method because your cleartext password is not stored anywhere on your machine, and the login ticket is not usable from other machines by default (it is also probably time-limited, depending on how your admin has configured things).
The insecure method is to put the plaintext password into your script:
echo my.formerly.secure.password|p4 login
Piping the cleartext of the password into the "p4 login" command will cause it to behave as if you'd entered it at the prompt, and continue executing rather than waiting for additional input.
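A scripting wrapper for the secure method described above (ticket first, prompt only when needed) as an added example, not from the answer; it assumes P4PORT and P4USER are already set and parses the status text p4 login -s prints ("User ... ticket expires in N hours M minutes.").

```shell
#!/bin/sh
# Ticket-first wrapper for scripted Perforce work (added example, not from
# the answer). Assumes P4PORT/P4USER are set as the answer describes.

# Minutes left on the ticket, parsed from `p4 login -s` output ($1), e.g.
# "User alice ticket expires in 11 hours 47 minutes." Prints -1 if there is
# no valid ticket (p4 then prints an error instead of that sentence).
ticket_minutes_left() {
    printf '%s\n' "$1" | awk '
        /ticket expires in/ {
            h = 0; m = 0
            for (i = 1; i <= NF; i++) {
                if ($(i+1) ~ /^hour/)   h = $i
                if ($(i+1) ~ /^minute/) m = $i
            }
            print h * 60 + m; found = 1; exit
        }
        END { if (!found) print -1 }'
}

# Ensure a ticket with at least $1 minutes left (default 30) before the rest
# of the script runs; otherwise prompt on the terminal. The password is never
# stored in the script or piped into p4 login.
ensure_ticket() {
    need="${1:-30}"
    status=$(p4 login -s 2>/dev/null) || status=""
    left=$(ticket_minutes_left "$status")
    if [ "$left" -lt "$need" ]; then
        echo "p4 ticket missing or expiring ($left min left); logging in" >&2
        p4 login </dev/tty
    fi
}

# Usage: sh p4wrap.sh ensure && p4 submit ...
if [ "${1:-}" = "ensure" ]; then ensure_ticket; fi
```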
Set up Perforce login details in Windows cmd
After installing Perforce and setting up your workspace through P4V, you can set up your workspace in Windows cmd.
The command you need is:
p4 set
Set your server
p4 set P4PORT=xx.xxx.xx.xxx:xxxxx
Set your user name
p4 set P4USER=username
Set your password
If you want to secure your password, you could download the MD5 encryptor to encrypt your password.
p4 set P4PASSWD=hashedpasswd
Set your client (workspace)
In order to select your workspace, you could use the following command:
p4 set P4CLIENT=nameofworkspace
The name of your workspace could look like: username_hostmachinename_numbers.
Set your ignore file
You can set up your ignore file so that when adding your project to perforce, some files (building results) could be automatically ignored.
p4 set P4IGNORE=filepath
I believe you can do this:
p4 -P My_Password login