备案控制台
开发者社区 安全 文章 正文

有哪些方法可以验证kerberos keytab文件的有效性?

2023-10-10 178
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
简介: 有哪些方法可以验证kerberos keytab文件的有效性?

1 Keytab 文件概述

  • 在开启了kerberos安全认证的环境中,任何用户进行任何操作之前,都要首先通过 AS_REQ 请求向 KDC 的 AS 进行认证以获得总票据 tgt,然后才能通过 TGS_REQ 请求向 KDC 的 TGS申请具体的服务票据 ticket;
  • 而在进行 AS_REQ 请求时,可以通过命令行交互式手动输入密码的方式(比如执行命令 kinit dap),也可以通过keytab文件的方式(比如JAVA代码中的org.apache.hadoop.security.UserGroupInformation#loginUserFromKeytab(String user,String path),或命令行的 kinit dap -kt dap.keytab);
  • keytab 文件包含了单个或多个principal(用户/组/服务/服务器)的身份认证信息(即key),在功能上等同于密码,且有些管理员倾向于定期为 principal 生成符合密码策略 password policy 的随机密码以增强其安全性,所以 keytab 文件的安全性和重要性不言而喻。

image.png


2 keytab文件的有效性概述

管理员经常会在kdc服务端更改某个 principal 的密码,常见的更改密码的场景有:

  • 比如通过命令显示更改密码:kpasswd;
  • 比如通过脚本定期显示更改密码 (password rotation);
  • 比如通过命令kadmin.local -q "xst -k dap.keytab dap",在生成新的keytab文件时隐式同步更改密码。

无论哪种场景,一旦服务端更改密码后,原有的已经分发给客户端的keytab文件都将失效,所有客户端需要验证其keytab的有效性。 由于 keytab 文件是加密的二进制格式,我们并不能通过 less/cat等命令直接查看其内容,那么怎么验证keytab文件的有效性呢?

3 使用 klist 命令查看对比新老 keytab 文件以验证其有效性

  • 每个keytab文件可以包括多个principa的认证信息,也可以包括同一个principal的多个版本的认证信息;
  • 可以通过 klist -ekt xxx.keytab 查看keytab文件内容,在输出内容中的 KVNO 列代表 key version number,较新版本对应列的KVNO值会更大,klist/kinit等命令或程序使用该keytab文件进行认证时,会自动选择并使用KVNO值最大的列;
  • 可以通过以下命令在不更改某个principal原有密码的情况下,将其认证信息写入当前路径下的某个keytab文件中(如果当前路径不存在该keytab文件,则会新建该文件;如果当前路径存在该Keytab文件,则会将该principal认证信息追加到该keytab文件中):kadmin.local -q "xst -norandkey -k spark2.keytab dap2";
  • 可以通过以下命令,更改某个principal的旧密码并生成随机新密码,然后将其新认证信息写入当前路径下的某个keytab文件中(如果当前路径不存在该keytab文件,则会新建该文件;如果当前路径存在该Keytab文件,则会将该principal认证信息追加到该keytab文件中):kadmin.local -q "xst -k spark2.keytab dap2";
  • Multiple keys can be present in a keytab file,the version of the key is shown in its key version number (KVNO).,Refreshing (also called rotating) the principal's key increments the KVNO in the keytab entry.
  • When a key is refreshed, a new entry is added to the keytab with a higher KVNO. The original key remains in the keytab but is no longer used to issue tickets.

image.png


4 使用keytab文件进行认证并查看相关日志

可以通过kinit命令或JAVA代码使用keytab文件进行认证,以验证其有效性。 为进一步细致排查问题,也可以通过以下方式调整kerberos日志级别:

  • 通用配置 OS-level Kerberos Debugging: export KRB5_TRACE=/tmp/kinit.log (技术背景:User can set an environment variable called KRB5_TRACE to a filename or to /dev/stdout, Kerberos programs like kinit, klist and kvno etc., as well as Kerberos libraries libkrb5*, will start printing more interesting details.This is a very powerfull feature and can be used to debug any program which uses Kerberos libraries);
  • JAVA程序,可以配置 JVM Kerberos Library logging:-Dsun.security.krb5.debug=true
  • JAVA程序,可以配置 JVM SPNEGO Logging:-Dsun.security.spnego.debug=true
  • HADOOP可以配置 Hadoop-side JAAS debugging:export HADOOP_JAAS_DEBUG=true
  • HADOOP可以配置 HADOOP_OPTS environment variable:export HADOOP_OPTS="-Djava.net.preferIPv4Stack=true -Dsun.security.krb5.debug=true ${HADOOP_OPTS}“
  • if the env variable HADOOP_JAAS_DEBUG is set to true,then hadoop UGI will set the "debug" flag on any JAAS files it creates;
  • 针对HADOOP配置环境变量时,可以通过以下命令查看环境变量:echo $HADOOP_OPTS(不是 export $HADOOP_OPTS!!!!);

因为 keytab 文件失效而认证失败时,常见的两个错误如下:

## 错误1:javax.security.auth.login.LoginException: Checksum failed,完整信息如下:
Caused by: org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: dap2@CDH.COM from keytab ./dap2.keytab javax.security.auth.login.LoginException: Checksum failed
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1846) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]
        at com.hundsun.broker.dsc.biz.pub.util.JdbcEntityUtils.getHiveJdbcEntity(JdbcEntityUtils.java:867) ~[dsc-biz-pub.jar:?]
        at com.hundsun.broker.dsc.biz.pub.util.JdbcEntityUtils.loadPropConfig(JdbcEntityUtils.java:678) ~[dsc-biz-pub.jar:?]
        at com.hundsun.broker.dsc.biz.pub.util.JdbcEntityUtils.<clinit>(JdbcEntityUtils.java:93) ~[dsc-biz-pub.jar:?]
        ... 2 more
Caused by: javax.security.auth.login.LoginException: Checksum failed
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:804) ~[?:1.8.0_201]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_201]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_201]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_201]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_201]
        at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1924) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1836) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]
Caused by: sun.security.krb5.KrbCryptoException: Checksum failed
        at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:102) ~[?:1.8.0_201]
        at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94) ~[?:1.8.0_201]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) ~[?:1.8.0_201]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776) ~[?:1.8.0_201]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_201]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_201]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_201]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_201]
        at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1924) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1836) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]
Caused by: java.security.GeneralSecurityException: Checksum failed
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decryptCTS(AesDkCrypto.java:451) ~[?:1.8.0_201]
        at sun.security.krb5.internal.crypto.dk.AesDkCrypto.decrypt(AesDkCrypto.java:272) ~[?:1.8.0_201]
        at sun.security.krb5.internal.crypto.Aes128.decrypt(Aes128.java:76) ~[?:1.8.0_201]
        at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:100) ~[?:1.8.0_201]
        at sun.security.krb5.internal.crypto.Aes128CtsHmacSha1EType.decrypt(Aes128CtsHmacSha1EType.java:94) ~[?:1.8.0_201]
        at sun.security.krb5.EncryptedData.decrypt(EncryptedData.java:175) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsRep.decrypt(KrbAsRep.java:149) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsRep.decryptUsingKeyTab(KrbAsRep.java:121) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsReqBuilder.resolve(KrbAsReqBuilder.java:285) ~[?:1.8.0_201]
        at sun.security.krb5.KrbAsReqBuilder.action(KrbAsReqBuilder.java:361) ~[?:1.8.0_201]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:776) ~[?:1.8.0_201]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_201]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_201]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_201]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_201]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_201]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_201]
        at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1924) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1836) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]
##错误2:javax.security.auth.login.LoginException: Unable to obtain password from user,完整信息如下:
Caused by: org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hundsun@FZCN.ORG from keytab ./spark2.keytab javax.security.auth.login.LoginException: Unable to obtain password from user
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1846) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]
Caused by: javax.security.auth.login.LoginException: Unable to obtain password from user
        at com.sun.security.auth.module.Krb5LoginModule.promptForPass(Krb5LoginModule.java:897) ~[?:1.8.0_221]
        at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:760) ~[?:1.8.0_221]
        at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617) ~[?:1.8.0_221]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:1.8.0_221]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:1.8.0_221]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_221]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680) ~[?:1.8.0_221]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) ~[?:1.8.0_221]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:587) ~[?:1.8.0_221]
        at org.apache.hadoop.security.UserGroupInformation$HadoopLoginContext.login(UserGroupInformation.java:1924) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.doSubjectLogin(UserGroupInformation.java:1836) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytabAndReturnUGI(UserGroupInformation.java:1214) ~[hadoop-common-3.1.4.jar:?]
        at org.apache.hadoop.security.UserGroupInformation.loginUserFromKeytab(UserGroupInformation.java:1007) ~[hadoop-common-3.1.4.jar:?]


文章标签:
数据安全/隐私保护
Java
分布式计算
Hadoop
安全
明哥的IT随笔
目录
相关文章
warmhearted
|
1天前
|
数据采集 存储 安全
数据功能验证
数据功能验证
warmhearted
41 4
warmhearted
|
1天前
|
数据采集 存储 数据库
数据完整性验证
数据完整性验证
warmhearted
105 3
zhaoshuangjian
|
10月前
|
数据安全/隐私保护
JMX安全漏洞修复 服务端增加用户名和密码验证机制
JMX安全漏洞修复 服务端增加用户名和密码验证机制
zhaoshuangjian
96 0
漏刻有时
|
10月前
|
JSON 安全 关系型数据库
php传递url参数加密验证的解决方案(加密解密、安全验证过滤)
php传递url参数加密验证的解决方案(加密解密、安全验证过滤)
漏刻有时
262 0
礁之
|
网络安全
关于密钥验证
关于密钥验证
礁之
68 0
w53alm3uernjs
083.验证歌德巴赫猜想
083.验证歌德巴赫猜想
w53alm3uernjs
63 0
嗯哼9925
|
数据安全/隐私保护 Windows 安全
NTLM验证过程
嗯哼9925
1488 0
扬朋
如何验证公钥正确性测试步骤
说明:??? ?我们使用支付宝生成签名工具或opensll生成一对密钥。首先可以确认这一对密钥是肯定匹配的。??? ?以RSA2公钥验证为例,RSA和正式环境验证方式相同?操作步骤:????1.登录沙箱管理中心:[url]https://openhome.
扬朋
1386 0
嗯哼9925
|
数据安全/隐私保护 Windows SQL
Kerberos验证过程
嗯哼9925
3245 0
玄学酱
|
网络虚拟化 数据安全/隐私保护
3.6. 用户验证
玄学酱
1191 0

热门文章

最新文章

  • 1
    MySQL数据库重命名的方法
  • 2
    CVE-2017-9805:Struts2 REST插件远程执行命令漏洞(S2-052) 分析报告
  • 3
    阿里云播放器SDK的正确打开方式 | 功能、架构与应用(一)
  • 4
    流言终结者- Flutter和RN谁才是更好的跨端开发方案?
  • 5
    Linux 多核下绑定硬件中断到不同 CPU(IRQ Affinity)
  • 6
    PostgreSQL 聚合函数讲解 - 3 总体|样本 方差, 标准方差
  • 7
    利用Serverless Kubernetes和Kaniko快速自动化构建容器镜像
  • 8
    袋鼠云数据中台专栏(五):数栈,企业级一站式数据中台PaaS
  • 9
    企业微信开发(二):API对接及Demo程序
  • 10
    一篇文章深入浅出带你了解mybatis
  • 1
    如果使用已经到达 End of life 的 Angular 版本会遇到什么问题
    21
  • 2
    印刷文字识别产品使用合集之部署失败如何解决
    21
  • 3
    印刷文字识别产品使用合集之API接口无法调用如何解决
    21
  • 4
    什么是计算机图形领域的 color saturation
    25
  • 5
    mvp架构
    21
  • 6
    dex、vdex、.odex与.oat
    26
  • 7
    java调用kotlin代码编译报错“找不到符号”的问题
    16
  • 8
    印刷文字识别产品使用合集之身份证识别接口有哪些
    18
  • 9
    Build was configured to prefer settings repositories over project repositories but repository
    16
  • 10
    Java注解之编译时注解
    16

    • 相关电子书

    更多
  • ICA安全标准组测试认证分享
  • 安全机制与User账户身份验证实战
  • 低代码开发师(初级)实战教程
    • 下一篇
    2024年阿里云免费云服务器及学生云服务器申请教程参考
    http://www.vxiaotou.com