SURVIVOR: krb5 Check Module
About krb5
basics
Module Type   Scheduler   Remote
check         Yes         No
syntax
     module krb5 {
       principal <string>
       keytab <file>
       [cfdir <directory>]
     }

Dependencies

Arguments

Name       Type                                               Value
principal  string                                             Principal used for testing.
keytab     file                                               Keytab file containing the key for principal.
cfdir      optional directory, default is /etc/survivor/krb5  Directory containing the required configuration files.

Description

The krb5 module executes the Kerberos V version of kinit in order to verify that the KDC on the host being checked is responding to ticket requests.

The keytab file must contain the key for principal. To set this up requires write access to the primary KDC. In this example, the principal test/check.domain.org is written to the keytab /etc/check.keytab:

        pollerhost# kadmin -p adminprinc
        kadmin:  addprinc -randkey test/check.domain.org
        kadmin:  ktadd -k /etc/check.keytab test/check.domain.org
        kadmin:  quit
        pollerhost# chown $INSTUSER /etc/check.keytab
        pollerhost# chmod 400 /etc/check.keytab

Note above that the keytab file is made readable only by the user the scheduler runs as. This may prevent the command line interface from running this check module manually, if it is invoked by a user unable to read the keytab.

The configuration directory (cfdir) must contain a valid krb5.conf file for each KDC to be tested, named krb5.hostname.conf. The contents of the file must include only hostname as a KDC (in addition to all the other standard definitions). For example, if alice is the primary KDC and bob is the secondary, the following two configuration files would be placed in cfdir:

krb5.alice.conf

 [libdefaults]
     ticket_lifetime = 600
     default_realm = REALM.ORG
     default_tkt_enctypes = des-cbc-crc
     default_tgs_enctypes = des-cbc-crc

 [realms]
     REALM.ORG = {
         kdc = alice.realm.org:88
         default_domain = realm.org
     }

 [domain_realm]
     .realm.org = REALM.ORG
     realm.org = REALM.ORG
 

krb5.bob.conf

 [libdefaults]
     ticket_lifetime = 600
     default_realm = REALM.ORG
     default_tkt_enctypes = des-cbc-crc
     default_tgs_enctypes = des-cbc-crc

 [realms]
     REALM.ORG = {
         kdc = bob.realm.org:88
         default_domain = realm.org
     }

 [domain_realm]
     .realm.org = REALM.ORG
     realm.org = REALM.ORG
 
Important: This module writes temporary files (the credentials obtained in verifying the principal) with predictable names: /tmp/check.krb5.hostname. While this should be no less secure than kinit run by ordinary users, if potentially malicious (or ordinary) users are permitted to login to the scheduler host (which they shouldn't be), it may be possible to set up a race condition or symlink attack to get this module to write the test tickets to a file owned by the malicious or clueless user. While the contents of the file should be harmless (the test principal created above should have no privileges anywhere), the possibility of exploit cannot be ignored completely.

Also: This module will not succeed for all KDCs until the addprinc operation performed above on the primary KDC has propagated to all secondary KDCs.
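As an added illustration (not SURVIVOR's own code) of what the module does per KDC, the following POSIX sh script runs one kinit per krb5.hostname.conf found in cfdir, and sidesteps the predictable /tmp/check.krb5.hostname path noted above by placing each credential cache in a private mktemp directory. It assumes MIT Kerberos kinit and that KRB5_CONFIG selects the configuration file; the KINIT variable is an assumed hook so the logic can be exercised without a live KDC.

```shell
#!/bin/sh
# Added example, not SURVIVOR's code: probe each KDC that has a
# krb5.<hostname>.conf in cfdir, as the krb5 check module does, but keep
# the ticket cache in a private mktemp directory instead of the
# predictable /tmp/check.krb5.<hostname> file the module writes.
# Assumes MIT Kerberos kinit (-k -t KEYTAB -c CACHE) and that KRB5_CONFIG
# selects the per-KDC configuration file.

KINIT="${KINIT:-kinit}"   # hook so the logic can be exercised without a KDC

# kdc_from_conf PATH: krb5.alice.conf -> alice
kdc_from_conf() {
    f=${1##*/}
    f=${f#krb5.}
    printf '%s\n' "${f%.conf}"
}

# check_one_kdc CONF PRINCIPAL KEYTAB: request a TGT from the KDC named in
# CONF.  Returns kinit's exit status; the cache never touches a shared /tmp
# path, which removes the symlink/race exposure described above.
check_one_kdc() {
    tmpd=$(mktemp -d) || return 2
    ( export KRB5_CONFIG="$1"
      "$KINIT" -k -t "$3" -c "$tmpd/cc" "$2" >/dev/null 2>&1 )
    rc=$?
    rm -rf "$tmpd"
    return "$rc"
}

# check_all_kdcs CFDIR PRINCIPAL KEYTAB: prints "<host> ok" or "<host> FAIL"
# per KDC; exit status is 1 if any KDC failed, 2 if cfdir holds no configs.
check_all_kdcs() {
    failed=0
    for conf in "$1"/krb5.*.conf; do
        [ -e "$conf" ] || { echo "no krb5.<hostname>.conf in $1" >&2; return 2; }
        host=$(kdc_from_conf "$conf")
        if check_one_kdc "$conf" "$2" "$3"; then
            echo "$host ok"
        else
            echo "$host FAIL"
            failed=1
        fi
    done
    return "$failed"
}
```

Run as `check_all_kdcs /etc/survivor/krb5 test/check.domain.org /etc/check.keytab` from the scheduler user, since that user is the only one able to read the keytab.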

Examples

  1. To test a KDC using the principal test/check.domain.org with /etc/survivor/krb5 holding the relevant configuration files:

         module krb5 {
           principal test/check.domain.org
           keytab    /etc/check.keytab
         }

$Date: 2006/11/19 19:11:29 $
$Revision: 0.5 $