Can I verify the password in a keytab file? - kerberos

I have a Kerberos keytab file. Is there an easy way to verify that the password contained is the one that I assume?
I looked at the file in a hex editor, and, according to the structure described at http://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html, the
keyblock types contained are 3 for des-cbc-md5, 1 for ??, 23 for arcfour-hmac-md5, 16 for des3-cbc-sha1, and 17 for ??
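
An added example, not code from the question or from any answer on this page: a Python script that parses a version 0x0502 keytab (the layout at the Shishi link above, all integers big-endian) and, for every RC4-HMAC entry (keyblock type 23), checks whether the stored key equals MD4(UTF-16LE(password)), which is how that enctype's key is derived from a password with no salt and no iteration. The principal HTTP/web.example.com@EXAMPLE.COM, the password "password" and the keytab bytes are constructed here for the demonstration; to check a real file, pass open(path, "rb").read() to verify_password. DES (types 1 and 3) and AES (types 17 and 18) keys are salted with the realm and principal name and need DES or PBKDF2-based string-to-key routines that this example does not implement, so those entries are reported as None rather than guessed at.

```python
"""Does a keytab's RC4-HMAC (etype 23) key match a password?  Added example, not page code.
Etype 23 keys are the unsalted NT hash MD4(UTF-16LE(password)); DES (1/3) and AES (17/18)
keys are salted with realm+principal and need string-to-key code not included here (None)."""
import struct

MASK32 = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    rounds = (  # (boolean function, additive constant, shifts, word order) per round
        (lambda x, y, z: (x & y) | (~x & z), 0, (3, 7, 11, 19), tuple(range(16))),
        (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])        # 16 little-endian words
        aa, bb, cc, dd = a, b, c, d
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                tmp = (a + fn(b, c, d) + x[k] + const) & MASK32
                a, b, c, d = d, _rotl(tmp, shifts[i % 4]), b, c
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """RC4-HMAC string-to-key: MD4 of the UTF-16LE password, no salt, no iteration."""
    return md4(password.encode("utf-16-le"))

def _cos(blob, pos):
    """counted_octet_string: big-endian uint16 length, then that many bytes."""
    (n,) = struct.unpack(">H", blob[pos:pos + 2])
    return blob[pos + 2:pos + 2 + n], pos + 2 + n

def parse_keytab(blob: bytes):
    """Parse a version 0x0502 keytab (big-endian integers) into a list of entry dicts."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack(">i", blob[pos:pos + 4])
        pos += 4
        if size < 0:                                  # negative size = deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", blob[pos:pos + 2])
        realm, pos = _cos(blob, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _cos(blob, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno = struct.unpack(">IIB", blob[pos:pos + 9])
        (etype,) = struct.unpack(">H", blob[pos + 9:pos + 11])
        key, pos = _cos(blob, pos + 11)
        if end - pos >= 4:                            # optional 32-bit kvno overrides vno8
            vno = struct.unpack(">I", blob[pos:pos + 4])[0] or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "etype": etype,
                        "name_type": name_type, "timestamp": timestamp, "vno": vno, "key": key})
        pos = end
    return entries

def build_keytab(entries):
    """Serialise (principal, etype, key, kvno) tuples in the 0x0502 layout (test data only)."""
    out = bytearray(b"\x05\x02")
    for principal, etype, key, vno in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, vno & 0xFF, etype, len(key)) + key  # NT_PRINCIPAL, ts 0
        body += struct.pack(">I", vno)                                          # 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)

def verify_password(blob: bytes, password: str):
    """'principal etype N kvno M' -> True/False for RC4 keys, None for etypes not checked."""
    expected = nt_hash(password)
    return {f"{e['principal']} etype {e['etype']} kvno {e['vno']}":
            (e["key"] == expected) if e["etype"] == 23 else None
            for e in parse_keytab(blob)}

# Constructed sample: hypothetical principal, RC4 key from "password", plus an AES-256 entry.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/web.example.com@EXAMPLE.COM", 23, nt_hash("password"), 3),
    ("HTTP/web.example.com@EXAMPLE.COM", 18, bytes(32), 3),
])

if __name__ == "__main__":  # real file: verify_password(open(path, "rb").read(), password)
    print(verify_password(SAMPLE_KEYTAB, "password"))
```

The operational check is still kinit -k -t file principal against the KDC, which succeeds only when the keytab key matches what the KDC holds; the script answers the narrower offline question of whether a type 23 key was derived from one specific password. Because that key is the unsalted NT hash, an RC4-HMAC entry in a keytab is exactly as sensitive as the account's NT hash, which is one more reason to prefer the AES enctypes for service accounts.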

Related

Kerberos keytab file generation error: "Failed to set property 'servicePrincipalName' / Warning: Unable to set SPN mapping data"

I am trying to generate a keytab file for Kerberos setup. I keep getting an error "Failed to set property 'servicePrincipalName'."
My call looks like this:
ktpass -out ssowebapp.keytab -princ HTTP/pdx-kerbtest@DEV-COMPANY.LOCAL -mapUser webapp5@DEV-COMPANY.LOCAL -crypto AES256-SHA1 -pType KRB5_NT_PRINCIPAL -pass password -mapOp set
When I run it I get this return:
Targeting domain controller: DC1.dev-COMPANY.local
Failed to set property 'servicePrincipalName' to 'HTTP/pdx-kerbtest' on Dn 'CN=SSO WEBAPP5,OU=Ken OU,DC=dev-COMPANY,DC=local': 0x13.
WARNING: Unable to set SPN mapping data.
If webapp5 already has an SPN mapping installed for HTTP/pdx-kerbtest, this is no cause for concern.
Password successfully set!
Key created.
Output keytab to ssowebapp.keytab:
Keytab version: 0x502
keysize 85 HTTP/pdx-kerbtest@DEV-COMPANY.LOCAL ptype 1 (KRB5_NT_PRINCIPAL) vno 67 etype 0x12 (AES256-SHA1) keylength 32 (0xf5873e603d459d34cc3346f672bb4e72189328256eecc9aed4363b5c121f1b41)
There isn't a current mapping. I am logged in as an administrator that is a member of Domain Admins, Schema Admins, Enterprise Admins, and the built-in Administrators group. The CMD window is run as an administrator. UAC on the server is disabled.
Not sure what I am doing wrong here or what else I need to check to get this to run correctly.

flutter_stripe example app has 18 errors all "Object is of type 'unknown'." for 'error' variables

I'm trying to run flutter_stripe's example app. I forked and cloned the Github repository to my laptop.
Starting the yarn server results in 18 errors. All start with Object is of type 'unknown'. All are error or e or err, on lines 130, 301, 442, 450, 451, 455, 456, 464, 578, 586, 587, 591, 592, 595, 599, and 600. Then it says Command failed with exit code 2.
Is this a null safety issue? How do I fix it?
Your existing GitHub issue with the library maintainers is likely to be your best source of help; however, reading that, I noticed you said:
In the last step, setting up server/.env, my Stripe account has pk_test and a pk_live Publishable and Secret Keys. My guess is that I should use the pk_test keys in server/.env.example. Let’s make this clear in the comment at the top of server/.env.example.
This seems to be a misunderstanding of your Stripe API keys. There are secret keys (sk_) for your server and publishable keys (pk_) for your client-side application as a matching pair, and there is a pair for each of live and test mode. You need to use a matching secret and publishable key from your dashboard.
Additionally, when setting up secrets in environment files, you'll typically be creating a .env file in the server/repo root directory. I read the above as though you might be trying to set up your keys in the .env.example file which I don't expect would work. You should check with the developer of the library/example about this if .env doesn't work.

Couldn't decrypt the repo, please make sure you enter the right password

I can't run the "Fastlane release", because it shows the error "Couldn't decrypt the repo, please make sure you enter the right password!".
I'm sure that the entered password is correct. I tried to remove all profiles and certificates manually but it didn't work.
[13:03:58]: Enter the passphrase that should be used to encrypt/decrypt your certificates
[13:03:58]: This passphrase is specific per repository and will be stored in your local keychain
[13:03:58]: Make sure to remember the password, as you'll need it when you run match on a different machine
[13:03:58]: Passphrase for Match storage: ********
[13:04:10]: Type passphrase again: ********
[13:04:16]: wrong final block length
[13:04:16]: Couldn't decrypt the repo, please make sure you enter the right password!
keychain: "/Users/mohsen/Library/Keychains/login.keychain-db"
version: 512
class: "inet"
attributes:
0x00000007 <blob>="match_https://bitbucket.org/******"
0x00000008 <blob>=<NULL>
"acct"<blob>=<NULL>
"atyp"<blob>="dflt"
"cdat"<timedate>=0x32303230303332343038333431355A00 "20200324083415Z\000"
"crtr"<uint32>=<NULL>
"cusi"<sint32>=<NULL>
"desc"<blob>=<NULL>
"icmt"<blob>=<NULL>
"invi"<sint32>=<NULL>
"mdat"<timedate>=0x32303230303332343038333431355A00 "20200324083415Z\000"
"nega"<sint32>=<NULL>
"path"<blob>=<NULL>
"port"<uint32>=0x00000000
"prot"<blob>=<NULL>
"ptcl"<uint32>=0x00000000
"scrp"<sint32>=<NULL>
"sdmn"<blob>=<NULL>
"srvr"<blob>="match_https://bitbucket.org/****"
"type"<uint32>=<NULL>
password has been deleted.

How to resolve error Salt must be 8 bytes long

I am writing a program to sign a PDF using a certificate (PFX file). For a few of the certificates I am getting the below exception.
java.security.InvalidAlgorithmParameterException: Salt must be at least 8 bytes long
This happens when I execute the below code.
KeyStore ks = KeyStore.getInstance("pkcs12");
I am getting an exception in the below java file at line number 123.
http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/8-b132/com/sun/crypto/provider/HmacPKCS12PBESHA1.java?av=h
Your keystore has one or more certificates that have a salt length which is less than 8. The crypto program requires at least 8 bytes.
I would recommend creating a new keystore with just the one certificate that you need and try signing with that.
I resolved the exception using the pkcs12-DEF keystore. I have added my code lines below.
import java.security.KeyStore;
import java.security.Security;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

BouncyCastleProvider provider = new BouncyCastleProvider();
Security.addProvider(provider);
KeyStore ks = KeyStore.getInstance("pkcs12-DEF");
Earlier I had not added BouncyCastleProvider to Security, because of which I was not able to get an instance of the pkcs12-DEF keystore.
Apart from this I have also downloaded jar files from http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html and replaced the jar files present in Java\Jdk1.7\jre\lib\security with them. These are the JCE 7 Unlimited Strength policy files.

using keytab file with spring security kerberos extension

My goal: implement SSO on a java-based web application.
My problem: I'm not a security guy...
After some investigation I found that spring security kerberos extension is what I need (also looked into apache shiro but could only find example with a login page).
I used the samples in the following project:
https://github.com/spring-projects/spring-security-kerberos/tree/master/spring-security-kerberos-sample
I realized that I need to create a keytab. When I tried to use the keytab I got the following error:
javax.security.auth.login.LoginException: Unable to obtain password from user
Looking for some details about this error I saw that it could result from a wrong keytab location, but this is not the case here - I debugged into the source code and saw that the keytab file is loaded.
So I decided to check my keytab and see if it's ok.
First, this is last command (after a long evolution) I used to create my keytab:
ktpass /out http-web.keytab /mapuser MyUser@MYDOMAIN.COM /princ HTTP/MyUser@MYDOMAIN.COM /pass MyPass /ptype KRB5_NT_PRINCIPAL
Of course I created an SPN for MyUser with the following command:
setspn -a HTTP/MyUser@MYDOMAIN.COM MYDOMAIN.COM\MyUser
I tested the SPN with the following:
setspn -Q HTTP/MyUser@MYDOMAIN.COM
And got a successful result:
Checking domain DC=mydomain,DC=com CN=MyUser,OU=MyOrg,DC=mydomain,DC=com
HTTP/MyUser
HTTP/MyUser@MYDOMAIN.COM
Existing SPN found!
Now I wanted to test if I can obtain a ticket for MyUser by running the following command:
kinit MyUser@MYDOMAIN.COM
I got a successful result ("new ticket is stored in cache file....")
Now I wanted to test it with my keytab:
kinit MyUser@MYDOMAIN.COM -k -t http-web.keytab
Got the following exception:
Exception: krb_error 0 Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type: No error KrbException: Do not have keys of types listed in default_tkt_enctypes available; only have keys of following type:
I used klist tool to see if my keytab contains any keys:
klist -e -K -k -t http-web.keytab
Got the following result:
KVNO: 8
Key type: 23
Key: 0x47bf8039a8506cd67c524a03ff84ba4e
Time stamp: Jan 01, 1970 02:00
As a last desperate attempt, I checked the following account options for MyUser:
Use Kerberos DES encryption types for this account
The account supports Kerberos AES 128 bit encryption
The account supports Kerberos AES 256 bit encryption
I'm not sure if setting these options caused it, but now when I run
kinit MyUser@MYDOMAIN.COM
I get the following error:
Exception: krb_error 14 KDC has no support for encryption type (14) KDC has no support for encryption type
KrbException: KDC has no support for encryption type (14)
So I'm kind of desperate here, I don't really know what I'm doing. It's all a matter of trial and error (mostly error).
If anyone can guide me through here it would be much appreciated.
Thanks,
Lior
Turned out to be a stupid mistake.
I injected in spring the user account instead of the principal name as the servicePrincipal.