Home / server / Questions / 1172420
Accepted
starfry
Asked: 2025-02-07 22:27:51 +0800 CST

MIT Kerberos idempotent Keytab merge

  • 772

I'm trying to write an idempotent script for Linux (MIT kerberos) that applies a given keytab to /etc/krb5.keytab by merging with its existing content. On MacOS (which, I believe uses Heimdal) it's easy:

ktutil copy /tmp/ktnew /etc/krb5.keytab

If the key(s) in /tmp/ktnew are already in /etc/krb5.keytab then it doesn't change (this can be confirmed with before and after hashes).

The MIT version of ktutil seems to only work interactively and does not have an equivalent to copy. Using rkt and wkt appends (and, therefore, duplicates) rather than merges and is therefore not idempotent.

It it possible to do this idempotently (and non-interactively) using the MIT tools commonly found on Linux systems?

kerberos

1 Answers

  1. Best Answer

    As far as I know, no. MIT Krb5 also comes with the k5srvutil script which relies on kadmin's non-interactive ktrem subcommand to remove superseded keys (those with a kvno older than the latest) but that's all it has.

    I would suggest that merging keytabs isn't the right thing to do in the first place – rather than putting everything in the "machine" keytab (and therefore having to grant all services access to the keytab), you should at most have host/* and nfs/* in there, while everything else should be using distinct keytab files. (Services which don't support specifying a keytab natively will generally support KRB5_KTNAME= through environment.)

    The deployment of keytabs would then become as simple as overwriting the whole file.

    In my own projects (specifically in a tool that tries to idempotently request a key via kadmin's ktadd), I parse the keytab via Python to determine whether it already has a key for the principal about to be added. Here's a starting point:

    # binary_io.py (not the tidiest class, merely something I'd been carrying
# around in various different projects over the years)
import io
import struct

class StreamWrapper():
    def __init__(self, fh=b""):
        if isinstance(fh, bytes) or isinstance(fh, bytearray):
            self.fh = io.BytesIO(fh)
        elif hasattr(fh, "makefile"):
            self.fh = fh.makefile("rwb")
        else:
            self.fh = fh

    def seek(self, pos, whence=0):
        return self.fh.seek(pos, whence)

    def tell(self):
        return self.fh.tell()

    def read(self, length):
        buf = self.fh.read(length)
        if len(buf) < length:
            if len(buf) == 0:
                raise EOFError("Hit EOF after %d/%d bytes" % (len(buf), length))
            else:
                raise IOError("Hit EOF after %d/%d bytes" % (len(buf), length))
        return buf

    def write(self, buf):
        return self.fh.write(buf)

    def flush(self):
        return self.fh.flush()

class BinaryReader(StreamWrapper):
    def _read_fmt(self, length, fmt):
        data, = struct.unpack(fmt, self.read(length))
        return data

    def read_u8(self):
        return self._read_fmt(1, "B")

    def read_u16_le(self):
        return self._read_fmt(2, "<H")

    def read_u16_be(self):
        return self._read_fmt(2, ">H")

    def read_u32_le(self):
        return self._read_fmt(4, "<L")

    def read_u32_be(self):
        return self._read_fmt(4, ">L")

    def read_u64_le(self):
        return self._read_fmt(8, "<Q")

    def read_u64_be(self):
        return self._read_fmt(8, ">Q")

class BinaryWriter(StreamWrapper):
    def _write_fmt(self, fmt, *args):
        return self.write(struct.pack(fmt, *args))

    def write_u8(self, val):
        return self._write_fmt("B", val)

    def write_u16_le(self, val):
        return self._write_fmt("<H", val)

    def write_u16_be(self, val):
        return self._write_fmt(">H", val)

    def write_u32_le(self, val):
        return self._write_fmt("<L", val)

    def write_u32_be(self, val):
        return self._write_fmt(">L", val)

    def write_u64_le(self, val):
        return self._write_fmt("<Q", val)

    def write_u64_be(self, val):
        return self._write_fmt(">Q", val)

class BinaryStream(BinaryReader, BinaryWriter):
    pass

# -----
# kerberos.py

from dataclasses import dataclass

# Format documentation:
#   https://web.mit.edu/kerberos/krb5-latest/doc/formats/keytab_file_format.html
#   https://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html

# The default name type
KRB5_NT_PRINCIPAL = 1

@dataclass
class Principal:
    nametype: int
    components: list[bytes]
    realm: bytes

    def unparse(self):
        # Mostly but not 100% correct
        sz = [s.replace(b"/", b"\\/") for s in self.components]
        sz = b"@".join([b"/".join(self.components), self.realm])
        return sz.decode()

@dataclass
class KeytabEntry:
    principal: Principal
    timestamp: int
    kvno: int
    enctype: int
    keydata: bytes

class KrbBinaryReader(BinaryReader):
    # Turns out *nothing* is common between the two formats. Principals have
    # their name_type in a different place. Even 'data' has a 32-bit length in
    # ccache and 16-bit length in keytab.

    uses_native_endian = True

    def read_u16(self):
        if self.uses_native_endian:
            return self._read_fmt(2, "=H")
        else:
            return self.read_u16_be()

    def read_u32(self):
        if self.uses_native_endian:
            return self._read_fmt(4, "=L")
        else:
            return self.read_u32_be()

    def read_s32(self):
        if self.uses_native_endian:
            return self._read_fmt(4, "=l")
        else:
            return self._read_fmt(4, ">l")

    def read_time(self):
        return self.read_u32()

    def tell_eof(self):
        start_pos = self.tell()
        self.seek(0, 2)
        end_pos = self.tell()
        self.seek(start_pos)
        return end_pos

class KeytabReader(KrbBinaryReader):
    version = None

    def read_data(self):
        length = self.read_u16()
        value = self.read(length)
        return value

    def read_principal(self):
        n_components = self.read_u16()
        if self.version == 1:
            n_components -= 1
        realm = self.read_data()
        components = []
        for i in range(n_components):
            components.append(self.read_data())
        name_type = KRB5_NT_PRINCIPAL
        if self.version >= 2:
            name_type = self.read_u32()
        return Principal(name_type, components, realm)

    def read_entry(self, size):
        end_pos = self.tell() + size
        principal = self.read_principal()
        timestamp = self.read_time()
        kvno = self.read_u8()
        enctype = self.read_u16()
        keydata = self.read_data()
        if end_pos - self.tell() >= 4:
            kvno = self.read_u32()
        # Skip to end of slot
        self.seek(end_pos)
        return KeytabEntry(principal, timestamp, kvno, enctype, keydata)

    def read_keytab(self):
        major = self.read_u8()
        if major != 5:
            raise IOError("Keytab major version not recognized")
        minor = self.read_u8()
        if not (1 <= minor <= 2):
            raise IOError("Keytab minor version not recognized")
        self.version = minor
        self.uses_native_endian = (self.version == 1)
        end_pos = self.tell_eof()
        while self.tell() < end_pos:
            length = self.read_s32()
            if length > 0:
                yield self.read_entry(length)
            elif length < 0:
                # Skip an empty slot
                self.read(-length)
            else:
                break

# ---

class Keytab():
    def __init__(self, path):
        self.path = path

    def list_principals(self):
        with open(self.path, "rb") as fh:
            rd = KeytabReader(fh)
            for e in rd.read_keytab():
                principal = e.principal.unparse()
                yield principal.rsplit("@", 1)[0]

    def has_principal(self, principal):
        if not os.path.exists(self.path):
            return False
        return principal in {*self.list_principals()}
    • 0