I have been using Hadoop with a Kerberos keytab file named userid.keytab for a long while. But now I don't know the password. Is there any way to get the password from the keytab file?
No, you can't.
The only thing you can get from a keytab file is the principal name:
$ ktutil
ktutil: read_kt test.wtk
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    1 hadoop_app@BLALBLABLA.LOC
A keytab contains pairs of principal and encrypted keys (which are derived from the Kerberos password); there is no way to get the password back from this data.
A keytab has a principal name at the very least, but can also hold the NTLM hash of the password, next to AES hashes of the same password.
Extract hashes with https://github.com/sosdave/KeyTabExtract
When trying to decrypt Kerberos by using the keytab file, it shows the error "missing keytype 18". The keytab file has the keytype 18.
Based on the information you shared:
SPN: HOST/INTVMDC03.xxxx.com/xxxx.com
Keytab entries:
1 1013219@xxxx.com (18:AES256 CTS mode with HMAC SHA1-96)
1 1013219@xxxx.com (17:AES128 CTS mode with HMAC SHA1-96)
1 1013219@xxxx.com (20:AES256 CTS mode with HMAC SHA384-192)
1 1013219@xxxx.com (19:AES128 CTS mode with HMAC SHA256-128)
1 1013219@xxxx.com (16:DES3 CBC mode with SHA1-KD)
1 1013219@xxxx.com (23:RC4 with HMAC)
There is no entry corresponding to the SPN being used inside your keytab.
What you need are SPN entries inside the keytab, not UPN entries.
Remember that the ticket is issued for the SPN and not the user principal name (UPN). Therefore Kerberos looks for the SPN entry inside keytab for which the ticket is issued.
Please generate a new keytab file and provide the SPN.
On Windows, you can use the ktpass command (usually available on Windows Server OS).
For example:
ktpass /out <filename> /princ <ServicePrincipalName> /mapuser <UserPrincipalName> /pass <UPN password> /crypto ALL /ptype KRB5_NT_PRINCIPAL /kvno 0
What mechanism does Ansible Vault use to detect wrong vault passwords? In other words, if a user inputs a wrong vault password, Ansible shows the error message below. How?
Decryption failed (no vault secrets were found that could decrypt)
Is there any section in Vault Payload that Ansible uses to detect wrong passwords?
The code for ansible-vault with the relevant section can be found here: https://github.com/ansible/ansible/blob/devel/lib/ansible/parsing/vault/__init__.py#L736
Summarised, it uses the specified password and vault ID to decrypt the file. So it will look for the vault ID in the vault file and will then try to decrypt the password. The crypto part will only return a byte string when the decryption was successful and the expected format (PKCS7) is returned:
So first, the content of the vault is parsed (hex format is converted to actual bytes):
b_ciphertext, b_salt, b_crypted_hmac = parse_vaulttext(b_vaulttext)
Then, the relevant keys are generated from the salt and the password:
b_password = secret.bytes
b_key1, b_key2, b_iv = cls._gen_key_initctr(b_password, b_salt)
As you note correctly, the first thing that the _decrypt_cryptography function does is to check if the HMAC is correct, using one of the keys derived from the password above:
hmac = HMAC(b_key2, hashes.SHA256(), CRYPTOGRAPHY_BACKEND)
hmac.update(b_ciphertext)
try:
    hmac.verify(_unhexlify(b_crypted_hmac))
except InvalidSignature as e:
    raise AnsibleVaultError('HMAC verification failed: %s' % e)
Then, the actual decryption happens:
cipher = C_Cipher(algorithms.AES(b_key1), modes.CTR(b_iv), CRYPTOGRAPHY_BACKEND)
decryptor = cipher.decryptor()
unpadder = padding.PKCS7(128).unpadder()
b_plaintext = unpadder.update(
    decryptor.update(b_ciphertext) + decryptor.finalize()
) + unpadder.finalize()
The b_plaintext is then returned.
So when you use the wrong password, the crypto function will return non-PKCS7 data and this then leads to the message above.
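To make the mechanism concrete, here is an added Python re-implementation (not Ansible's own code, though it follows the functions quoted in the answer) of the parts of the 1.1/1.2 vault format that matter for detecting a wrong password: PBKDF2-HMAC-SHA256 with 10000 iterations over the stored salt yields 80 bytes (AES key, HMAC key, CTR IV), and HMAC-SHA256 over the ciphertext under the second key is compared with the stored value before any decryption is attempted. It uses only the standard library, so the AES-CTR step is deliberately left out; the "ciphertext" in the sample is constructed bytes standing in for real AES output, which is sufficient because the HMAC check never looks inside it. The vault id `prod`, the salt and the passwords are constructed for the demo.

```python
import binascii
import hashlib
import hmac

HEADER = b"$ANSIBLE_VAULT"
PBKDF2_ROUNDS = 10000  # iteration count used by Ansible's _create_key_cryptography

def derive_keys(password: bytes, salt: bytes):
    """Mirror of _gen_key_initctr: one PBKDF2 run, 80 bytes, split into AES key, HMAC key, CTR IV."""
    dk = hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ROUNDS, dklen=80)
    return dk[:32], dk[32:64], dk[64:80]

def format_vaulttext(ciphertext: bytes, salt: bytes, password: bytes, vault_id: bytes = None) -> bytes:
    """Wrap an already produced ciphertext in the vault envelope: hex(salt) \n hex(hmac) \n hex(ct),
    the whole thing hex-encoded again, wrapped at 80 columns under the $ANSIBLE_VAULT header."""
    _, key2, _ = derive_keys(password, salt)
    mac = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    inner = b"\n".join(binascii.hexlify(x) for x in (salt, mac, ciphertext))
    body = binascii.hexlify(inner)
    header = HEADER + (b";1.2;AES256;" + vault_id if vault_id else b";1.1;AES256")
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]
    return b"\n".join([header] + lines) + b"\n"

def parse_vaulttext(vaulttext: bytes):
    """Mirror of parse_vaulttext(): (ciphertext, salt, hex-encoded hmac, vault id or None).
    The hmac stays hex here, just as in the quoted code, which unhexlifies it at verify time."""
    header, _, body = vaulttext.strip().partition(b"\n")
    fields = header.split(b";")
    if len(fields) < 3 or fields[0] != HEADER or fields[1] not in (b"1.1", b"1.2") or fields[2] != b"AES256":
        raise ValueError("input is not vault encrypted data")
    vault_id = fields[3] if len(fields) > 3 else None
    salt_hex, mac_hex, ct_hex = binascii.unhexlify(body.replace(b"\n", b"")).split(b"\n")
    return binascii.unhexlify(ct_hex), binascii.unhexlify(salt_hex), mac_hex, vault_id

def secret_can_decrypt(vaulttext: bytes, password: bytes) -> bool:
    """The wrong-password detector: HMAC-SHA256(key2, ciphertext) must equal the stored value.
    This runs before AES-CTR, so a wrong password is rejected here, never by PKCS7 unpadding."""
    ciphertext, salt, mac_hex, _ = parse_vaulttext(vaulttext)
    _, key2, _ = derive_keys(password, salt)
    expected = hmac.new(key2, ciphertext, hashlib.sha256).digest()
    return hmac.compare_digest(expected, binascii.unhexlify(mac_hex))

def find_secret(vaulttext: bytes, secrets):
    """Try each (vault_id, password) the way VaultLib.decrypt walks its secrets; None is the case that
    surfaces as 'Decryption failed (no vault secrets were found that could decrypt)'."""
    for vault_id, password in secrets:
        if secret_can_decrypt(vaulttext, password):
            return vault_id
    return None

# Constructed sample: the "ciphertext" is arbitrary bytes standing in for real AES-CTR output.
SAMPLE_SALT = bytes(range(32))
SAMPLE_CIPHERTEXT = b"\x93\x0c\x7f constructed ciphertext bytes \x00\xff"
SAMPLE_PASSWORD = b"correct horse battery"
SAMPLE_VAULT = format_vaulttext(SAMPLE_CIPHERTEXT, SAMPLE_SALT, SAMPLE_PASSWORD, b"prod")

if __name__ == "__main__":
    print(SAMPLE_VAULT.decode())
    for pw in (b"wrong", SAMPLE_PASSWORD):
        print(pw, "->", secret_can_decrypt(SAMPLE_VAULT, pw))
    print("secret that decrypts:", find_secret(SAMPLE_VAULT, [(b"dev", b"wrong"), (b"prod", SAMPLE_PASSWORD)]))
    if find_secret(SAMPLE_VAULT, [(b"dev", b"wrong")]) is None:
        print("Decryption failed (no vault secrets were found that could decrypt)")
```

Two consequences worth noting: the salt is stored in clear, so anyone holding the file can run this same PBKDF2-plus-HMAC loop against a wordlist offline at 10000 iterations per guess, and a tampered ciphertext fails the very same check as a wrong password, which is why Ansible cannot distinguish the two in its error message.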
I am using Chef with kitchen (1.5.0) and vagrant (1.8.1) to manage a user consistently with a new server. My user recipe looks like this:
include_recipe "users"
group 'sudo'
password_secret = Chef::EncryptedDataBagItem.load_secret(node['enterprise_sp']['secret_file'])
jays_password = Chef::EncryptedDataBagItem.load('user_secrets', 'jgodse', password_secret)['password']
shadow_password = `openssl passwd -1 -salt xyz #{jays_password}`.strip
user 'jgodse' do
  action :create
  group 'sudo'
  system true
  shell '/bin/bash'
  home '/home/jgodse'
  manage_home true
  password shadow_password # added to /etc/shadow when chef runs
end
The unencrypted data bag was where I configured my password in the clear. I then encrypted the data bag with a knife command.
This works, but this seems like a really dirty way around the problem of setting my password. I had to do that because the password directive of the user block only takes the shadow password, and that can only be generated by shelling out to an openssl command.
Is there a cleaner way of getting the shadow password without shelling out to an openssl command which generates the password?
You should not be storing the password at all, just hash it beforehand and put the hash in the data bag in the first place. Also using encrypted data bags like this is scary-level unsafe, please take some time to familiarize yourself with the threat model of Chef's encryption tools, this ain't it.
At least pre-calculate the password hash and put that into the data bag.
See https://github.com/chef-cookbooks/users for inspiration.
I've two text files, one with a list of server names, another with their root passwords (a unique password per server).
I have to check every server's root password by logging in to each server. But the issue is that by default SSH root login is disabled. Hence I have to log in via my normal user (Test), switch to root and try the root password that is mentioned in the text file.
Is there any way I can get this automated? I'd highly appreciate it if anyone can help me out.
Linux passwords are stored in /etc/shadow files.
They're just hashed plain-text, no magic.
Take a look at python's crypt.crypt() function.
# change 'root' password to 'secret' (demo only)
$ echo root:secret | chpasswd
Password for 'root' changed
# get 'root' hashed password
$ grep root /etc/shadow
root:$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0:16673:0:::::
# verify hashed password is correct
$ python -c 'import crypt; print(crypt.crypt("secret", "$6$YvK0oNOm$") == "$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0")'
True
You can collect shadow files from all servers, and verify them locally.
WARNING: Shadow files are very sensitive.
This is a simple solution.
input.csv
192.168.1.1,secret,$6$YvK0oNOm$k.zELztgUM2LajbVGsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.2,pAssWd,$6$AbcdeFgh$1234fsXXXXXXXXXXXsqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
192.168.1.3,123456,$6$efsjdsix$8787sdfsdsdfsd232sqtp5I3mGP3clC6vL7rNdVCNfg2FUtLOnfb94Bn6acfCp4cQpXxSAZ1Zt55K8rAgQ3nT0
check.py
import csv
import crypt

with open('input.csv') as f:
    for host, password, shadow_hash in csv.reader(f):
        # crypt() reuses the salt (and rounds) embedded in the stored hash
        if crypt.crypt(password, shadow_hash) != shadow_hash:
            print(host)
result
$ python check.py
192.168.1.2
192.168.1.3
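Both of the last two threads end up needing the same thing, a crypt(3)-style SHA-512 hash produced and checked without an external tool: the Chef answer's advice is to pre-compute the $6$ string and put that in the data bag instead of shelling out to openssl at converge time, and the shadow-file check above leans on Python's crypt module, which is deprecated since 3.11 and removed in 3.13. As an added example (not from either thread), this Python block implements sha512-crypt from Ulrich Drepper's specification on the standard library only, verifies a stored $6$ hash (including one with a rounds= prefix), and runs the input.csv-style comparison. The sample rows are constructed with the function itself (the hashes printed on this page are not reproduced), and the "Hello world!"/"saltstring" pair is the specification's published test vector.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64_24bit(b2: int, b1: int, b0: int, n: int) -> str:
    """crypt(3)'s own base64: three bytes, low 6 bits first, n output characters."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += ITOA64[w & 0x3F]
        w >>= 6
    return out

def sha512_crypt(password: bytes, salt: bytes, rounds: int = 5000) -> str:
    """SHA-512 crypt ($6$) per Drepper's specification; salt is at most 16 characters."""
    salt = salt[:16]
    sha = lambda *parts: hashlib.sha512(b"".join(parts)).digest()
    # Digest B = H(pw || salt || pw); digest A seeded with pw, salt and B cut to the password length
    b = sha(password, salt, password)
    a_in = password + salt + (b * (len(password) // 64 + 1))[:len(password)]
    n = len(password)
    while n > 0:  # for each bit of len(pw): 1-bit adds B, 0-bit adds the password
        a_in += b if n & 1 else password
        n >>= 1
    a = sha(a_in)
    dp = sha(password * len(password))  # DP: password repeated len(pw) times
    p = (dp * (len(password) // 64 + 1))[:len(password)]
    ds = sha(salt * (16 + a[0]))  # DS: salt repeated 16 + first byte of A times
    s = (ds * (len(salt) // 64 + 1))[:len(salt)]
    for i in range(rounds):  # the cost factor; 5000 rounds by default
        c = p if i & 1 else a
        if i % 3:
            c += s
        if i % 7:
            c += p
        c += a if i & 1 else p
        a = sha(c)
    # Fixed byte permutation of the final digest, then 21 groups of 4 chars and a 2-char tail
    encoded = ""
    for i in range(21):
        x, y, z = i, i + 21, i + 42
        x, y, z = [(x, y, z), (y, z, x), (z, x, y)][i % 3]
        encoded += _b64_24bit(a[x], a[y], a[z], 4)
    encoded += _b64_24bit(0, 0, a[63], 2)
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + salt.decode() + "$" + encoded

def verify_shadow(password: bytes, shadow_hash: str) -> bool:
    """Recompute with the salt and rounds carried in the stored $6$ string and compare the hash part."""
    parts = shadow_hash.split("$")  # ['', '6', ['rounds=N',] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("only $6$ (sha512-crypt) hashes are handled here")
    rounds = 5000
    if parts[2].startswith("rounds="):
        rounds, parts = int(parts[2][7:]), parts[:2] + parts[3:]
    recomputed = sha512_crypt(password, parts[2].encode(), rounds)
    return hmac.compare_digest(recomputed.rsplit("$", 1)[1], parts[3])

def mismatched_hosts(rows):
    """rows of (host, expected password, shadow hash), as in input.csv above; returns the hosts whose
    stored hash does not verify against the expected password."""
    return [host for host, pw, h in rows if not verify_shadow(pw.encode(), h)]

# Constructed sample rows; 192.168.1.2's hash was made from a different password on purpose.
SAMPLE_ROWS = [
    ("192.168.1.1", "secret", sha512_crypt(b"secret", b"YvK0oNOm")),
    ("192.168.1.2", "pAssWd", sha512_crypt(b"something-else", b"AbcdeFgh")),
    ("192.168.1.3", "123456", sha512_crypt(b"123456", b"efsjdsix", rounds=10000)),
]

if __name__ == "__main__":
    # This string is what belongs in the Chef data bag, in place of the plaintext password
    print(sha512_crypt(b"Hello world!", b"saltstring"))
    print("hosts whose stored hash does not match:", mismatched_hosts(SAMPLE_ROWS))
```

In the Chef recipe the `password` attribute takes the returned string as-is, so the plaintext never needs to exist on the node; pick the salt with `os.urandom` and prefer `$6$` over the MD5-based `openssl passwd -1` the recipe currently uses. For the shadow check, keep in mind that the salt is public and 5000 rounds of SHA-512 is cheap, so a collected shadow file is an offline cracking target and should be deleted as soon as the comparison is done.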
This is a long shot, but I'm trying to add an SSH key to a Heroku app for its use in connecting to another server through SFTP:
Net::SFTP.start(HOST, USER, password: PASSWORD, keys: ['yada.pem']) do |sftp|
  @sftp = sftp
end
My original solution was to push a .ssh directory to the repo and store yada.pem there. keys would include the path to this file.
A safer solution I've been told would be to store the key in an environment variable on Heroku. Problem is, this would store the key as a string, which I couldn't really pass to SFTP.start.
I could solve the problem in a couple ways:
Is there a way to pass the key as a string with Ruby net/sftp?
Is there a way to add a public key to Heroku so that net/sftp would use it when trying to connect to the remote server?
Thanks
You can pass keys as strings in the option hash under the key :key_data (it should be an array of strings, each containing a key in PEM format).
Net::SFTP.start(HOST, USER, password: PASSWORD, key_data: ['PEM key as string']) do |sftp|
  @sftp = sftp
end
See Net::SSH#start (to which Net::SFTP#start defers).