Authentication Mechanisms

Explore the authentication components of FreeIPA and techniques to test their security.


Kerberos Overview

FreeIPA uses Kerberos for authentication, which is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. Understanding how Kerberos works in FreeIPA is essential for effective penetration testing.

Kerberos Authentication Flow

[Figure: Kerberos Authentication Flow in FreeIPA]

Credential Cache (CCache)

The Credential Cache (CCache) is a file used to store Kerberos tickets, usually located in the /tmp directory. These tickets can be extracted and used for authentication.

# Point KRB5CCNAME at a specific CCache file so the Kerberos tools use it
export KRB5CCNAME=/tmp/krb5cc_0
# Inspect the tickets stored in that CCache file with klist
klist /tmp/krb5cc_0

Penetration Testing Tip:

During a penetration test, look for CCache files in the /tmp directory that might contain valid Kerberos tickets. These can be used to authenticate as the user who created them.

Unix Keyring

Administrators can store Kerberos tickets inside the Unix keyring for added security. However, these tickets can still be extracted using specialized tools.

# Authenticate as admin
kinit admin
# List current tickets
klist
# Extract tickets from the keyring using Tickey
./tickey
# Point KRB5CCNAME at the extracted ticket
export KRB5CCNAME=/tmp/<ticket_outfile>
# Verify the extracted ticket
klist

Keytab Files

A keytab file consists of pairs of Kerberos principals and encrypted keys that are derived from the Kerberos password associated with the principal. These files are used for automated authentication without requiring a password.

# Parse a keytab file using KeytabParser
python KeytabParser.py /etc/krb5.keytab
# Use a keytab file to authenticate
kinit -kt /etc/krb5.keytab host/name.domain.local@domain.local
# Verify the authentication
klist
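Parsing a keytab yourself makes the format above concrete. The following is an added example, not code from this page or from KeytabParser: a minimal reader for the MIT keytab layout (version 0x0502) that lists each entry's principal, kvno and enctype without exposing key material, and flags deprecated enctypes such as RC4 or DES that an auditor would want to retire. The sample keytab bytes, the host name and the realm are constructed for the demo.

```python
import struct

# RFC 3961/3962/6649 enctype numbers; the flag marks deprecated ciphers.
ENCTYPES = {1: ("des-cbc-crc", True), 17: ("aes128-cts-hmac-sha1-96", False),
            18: ("aes256-cts-hmac-sha1-96", False), 23: ("rc4-hmac", True)}

def _counted(buf, off):  # uint16 big-endian length followed by that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Parse a version 0x0502 keytab; return entries without their key material."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x0502 is supported")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                      # negative size marks a deleted entry (hole)
            off -= size
            continue
        rec = data[off:off + size]
        if len(rec) != size:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", rec, 0)   # realm is not counted in v2
        realm, p = _counted(rec, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c.decode())
        _name_type, ts, vno8, etype, klen = struct.unpack_from(">IIBHH", rec, p)
        p += 13 + klen                    # step over the key bytes; never expose them
        # optional trailing 32-bit kvno overrides the 8-bit one when present and non-zero
        vno = (struct.unpack_from(">I", rec, p)[0] if p + 4 <= size else 0) or vno8
        name, weak = ENCTYPES.get(etype, ("unknown(%d)" % etype, True))
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "timestamp": ts, "enctype": name, "weak": weak})
        off += size
    return entries

def _entry(comps, realm, etype, key, vno=2):  # constructed test data with a dummy key
    body = struct.pack(">H", len(comps))
    for s in (realm, *comps):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", 1, 1700000000, vno, etype, len(key)) + key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab (not a real file): an AES key and an RC4 key for the same host.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry(["host", "ipa.example.test"], "EXAMPLE.TEST", 18, b"\x00" * 32)
                 + _entry(["host", "ipa.example.test"], "EXAMPLE.TEST", 23, b"\x00" * 16))
```

Running `parse_keytab` over a real `/etc/krb5.keytab` requires read access to the file, which on a FreeIPA host is normally root-only; the weak flag on the RC4 entry is the finding worth reporting.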

Important Files

Several important files are used in the FreeIPA authentication process. Understanding these files and their locations is crucial for effective penetration testing.

Configuration Files

/etc/krb5.conf

Contains Kerberos information needed to get enrolled, such as the location of KDCs.

/etc/ipa/default.conf

Default configuration file that sets system-wide defaults for FreeIPA.

/etc/krb5.keytab

Required on all hosts inside the domain for the authentication process.

Environment Variables

KRB5CCNAME

Location of the Credential Cache (CCache).

KRB5_KTNAME

Location of the keytab file.

KRB5_CONFIG

Location of the Kerberos configuration file.

KRB5_KDC_PROFILE

Location of the Kerberos configuration file with additional KDC information.

KRB5RCACHETYPE

Default type of replay cache.

KRB5RCACHEDIR

Directory for replay caches.

KRB5_TRACE

File to which the Kerberos library writes its trace log output.

KRB5_CLIENT_KTNAME

Default client keytab filename.

Important Binaries

ipa

Standard binary for managing the domain.

kdestroy

Destroys any current Kerberos tickets in the user's session.

kinit

Establishes or renews Kerberos tickets.

klist

Lists any current Kerberos tickets in use.

kpasswd

Changes a Kerberos principal's password.

ksu

Kerberized alternative to the su binary.

kswitch

Switches the current credential cache in use.

kvno

Acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each.