Computing : Kerberos & AFS - Obtaining tickets and tokens without a password

It is possible to obtain a Kerberos ticket, for example inside a batch job, and then an AFS token from it, without typing a password at any point. The price is a personal keytab: a file holding the key derived from your password, which is just as sensitive as the password itself.

# You first need to create a personal keytab. Whoever can read it can obtain Kerberos tickets
# (and thus AFS tokens) on your behalf, so KEEP IT SAFE: store it in a directory only you can enter.
# For example
mkdir -p $HOME/.ssh
chmod 700 $HOME/.ssh

# create a keytab.
# The key in the keytab is derived from your password, so every time you change your DESY password
# this step has to be repeated.
cd $HOME/.ssh
/usr/bin/ktutil
  ktutil:  addent -password -p your-username@DESY.DE -k 1 -e aes256-cts
  Password for username@DESY.DE: [enter your password]
  ktutil:  wkt keytab
  ktutil:  quit

# KEEP IT SAFE: only you may read it
chmod 600  $HOME/.ssh/keytab

# try it out
[someone@node ~]$ klist 
klist: No credentials cache found (filename: )

[someone@node ~]$ tokens
Tokens held by the Cache Manager:
   --End of list--

[someone@node ~]$ kinit -f someone@DESY.DE -k -t $HOME/.ssh/keytab -c $HOME/.ssh/someone.cc
[someone@node ~]$ export KRB5CCNAME=FILE:$HOME/.ssh/someone.cc   # export, or klist/aklog will not see the cache

[someone@node ~]$ klist 
Ticket cache: FILE:/home/someone/.ssh/someone.cc
Default principal: someone@DESY.DE

Valid starting       Expires              Service principal
12/09/2019 20:28:05  12/10/2019 20:28:05  krbtgt/DESY.DE@DESY.DE
	renew until 12/11/2019 20:28:05
12/09/2019 20:28:05  12/10/2019 20:28:05  afs/desy.de@DESY.DE
	renew until 12/11/2019 20:28:05

[someone@node ~]$ aklog

[someone@node ~]$ tokens
Tokens held by the Cache Manager:

User's (AFS ID 1234) tokens for afs@desy.de [Expires Dec 10 20:28]
   --End of list--
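The steps above (check the keytab, kinit from it, export KRB5CCNAME, aklog) as one non-interactive script of the kind a batch job would call at start-up. This is an added example for this page, not DESY's gettoken script or any other DESY code. Assumptions that are not taken from the page: the default paths and the one-hour renewal threshold, MIT Kerberos kinit/klist, OpenAFS aklog, and GNU coreutils (stat -c, date -d). Unlike the plain transcript it refuses a world-readable keytab, and it renews a still-valid ticket in place (kinit -R, inside the "renew until" window) instead of going back to the keytab every time.

```shell
#!/bin/sh
# Added example for this page (not DESY's own script): obtain a Kerberos
# ticket and an AFS token from a personal keytab without a password, the
# way a batch job would do it at start-up. Assumptions not taken from the
# page: the default paths and the renewal threshold below, MIT Kerberos
# (kinit/klist), OpenAFS aklog and GNU coreutils (stat -c, date -d).

KEYTAB=${KEYTAB:-$HOME/.ssh/keytab}
PRINCIPAL=${PRINCIPAL:-$USER@DESY.DE}
CCACHE=${CCACHE:-$HOME/.ssh/$USER.cc}
MIN_LEFT=3600   # renew or re-acquire when less than an hour of lifetime remains

# The keytab is password-equivalent: refuse one that anybody else could read.
# Returns 0 for mode 600 or 400, 1 otherwise (or if the file is missing).
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    mode=$(stat -c '%a' "$kt" 2>/dev/null || stat -f '%Lp' "$kt" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the "Expires" timestamp of the krbtgt entry from klist output on stdin.
# klist prints "<valid from> <expires> <service>", two fields per timestamp.
krbtgt_expiry() {
    awk '$5 ~ /^krbtgt\// { print $3, $4; exit }'
}

# Seconds of krbtgt lifetime left according to klist output on stdin
# (negative when already expired); fails if no krbtgt entry is found.
ticket_seconds_left() {
    expires=$(krbtgt_expiry)
    [ -n "$expires" ] || return 1
    now_epoch=$(date +%s)
    exp_epoch=$(date -d "$expires" +%s) || return 1
    echo $((exp_epoch - now_epoch))
}

# Acquire or refresh the ticket, then the AFS token. A still-valid ticket is
# renewed in place (kinit -R, within its "renew until" window); otherwise a
# fresh one is requested with the keytab. KRB5CCNAME is exported so that every
# later command in the job (klist, aklog, ssh, ...) finds the cache.
get_ticket_and_token() {
    if ! keytab_is_private "$KEYTAB"; then
        echo "refusing to use $KEYTAB: it must exist and be mode 600" >&2
        return 1
    fi
    export KRB5CCNAME="FILE:$CCACHE"
    left=$(klist 2>/dev/null | ticket_seconds_left) || left=-1
    if [ "$left" -gt "$MIN_LEFT" ]; then
        :                                   # ticket still good, nothing to do
    elif [ "$left" -gt 0 ] && kinit -R 2>/dev/null; then
        :                                   # renewed without touching the keytab
    else
        kinit -f -k -t "$KEYTAB" -c "$CCACHE" "$PRINCIPAL" || return 1
    fi
    aklog || return 1                       # AFS token from the afs/desy.de ticket
}

# klist output copied from the transcript on this page, used to exercise the parser.
SAMPLE_KLIST='Ticket cache: FILE:/home/someone/.ssh/someone.cc
Default principal: someone@DESY.DE

Valid starting       Expires              Service principal
12/09/2019 20:28:05  12/10/2019 20:28:05  krbtgt/DESY.DE@DESY.DE
	renew until 12/11/2019 20:28:05
12/09/2019 20:28:05  12/10/2019 20:28:05  afs/desy.de@DESY.DE
	renew until 12/11/2019 20:28:05'

# Usage: sh gettoken.sh run     (at the top of a batch job; then klist and tokens show the result)
case "${1:-}" in
    run) get_ticket_and_token && klist && tokens ;;
esac
```

For jobs that run longer than the ticket lifetime (24 h in the transcript above), call get_ticket_and_token again from a loop or a cron-style timer; it will renew with kinit -R until the "renew until" time and fall back to the keytab after that.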

It works pretty much the same way for Windows credentials (realm WIN.DESY.DE):

# You first need to create a personal keytab. Whoever can read it can obtain Kerberos tickets on your behalf, so keep it safe.
cd $HOME/.ssh
/usr/bin/ktutil
  ktutil:  addent -password -p your-username@WIN.DESY.DE -k 1 -e aes256-cts
  Password for username@WIN.DESY.DE: [enter your password]
  ktutil:  wkt windows.keytab
  ktutil:  quit

# try it out
[someone@node ~]$ klist 
klist: No credentials cache found (filename: )

[someone@node ~]$ /usr/bin/kinit -f someone@WIN.DESY.DE -k -t $HOME/.ssh/windows.keytab -c $HOME/.ssh/someone.cc
[someone@node ~]$ export KRB5CCNAME=FILE:$HOME/.ssh/someone.cc   # export, or klist/smbclient will not see the cache

[someone@node ~]$ klist
Ticket cache: FILE:/afs/desy.de/user/s/someone/.ssh/someone.cc
Default principal: someone@WIN.DESY.DE

# the ticket can be used to authenticate to SMB shares, e.g. with smbclient (-k: use the Kerberos ticket instead of a password)
[someone@node ~]$ smbclient //ntapwin1.desy.de/someone$  -k
smb: \> ls
[...] # works!
smb: \> quit

# unfortunately this currently does not work for SMB mounts via gio/gvfs ...

Note: the keytab file itself has no expiration date. The key it contains is derived from your password, though, so it becomes invalid as soon as you change the password and must then be recreated.

Note: on maxwell, /software/tools/bin/gettoken will obtain a Kerberos ticket and an AFS token, provided the keytab is stored as $HOME/.ssh/maxwell.keytab.