Difference between revisions of "LKDC"
Revision as of 22:43, 12 May 2008
The local KDC in Leopard is pretty rad. This page will be a jumble of research and various investigations regarding the LKDC.
Discovery
The LKDC realm name of a remote Mac OS X machine may be discovered as follows:
dns-sd -Q "_kerberos.donk.local" txt
Replace "donk" with the Rendezvous (Bonjour) name of a Leopard machine on your local network (you can test against your own machine if needed).
The result is a string of hex characters. This command does not terminate, so press control-C to stop it. Now take the hex and run it through xxd -r -c 256:
xxd -r -c 256
<paste in the hex string, press return>
The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
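As an added example (not code from the original page), here is a small Python decoder for the hex that dns-sd -Q prints for the _kerberos TXT record. It assumes dns-sd shows the rdata as hex byte pairs, strips the TXT record's leading length byte (which xxd -r would otherwise leave in front of the name), and checks that what remains has the LKDC:SHA1.<40 hex digits> shape shown above; the sample hex is constructed.

```python
import re
from typing import List, Optional

# Constructed sample of what `dns-sd -Q "_kerberos.donk.local" txt` is assumed to
# print for the rdata: hex byte pairs, where the first byte (0x32 = 50) is the TXT
# character-string length and the following 50 bytes are the realm name.
SAMPLE_TXT_HEX = (
    "32 4C 4B 44 43 3A 53 48 41 31 2E 38 42 30 46 42 41 43 43 30 38 45 33 31 35 32 "
    "41 34 37 33 41 36 38 44 33 30 33 45 32 39 37 41 31 33 43 41 41 33 41 46 44"
)

# Realm shape seen on this page: "LKDC:SHA1." followed by a 40-hex-digit SHA-1.
REALM_RE = re.compile(r"^LKDC:SHA1\.[0-9A-Fa-f]{40}$")


def hex_to_bytes(hexdump: str) -> bytes:
    """Accept hex in the loose forms tools print: '4C 4B', '0x4C 0x4B', '4c4b'."""
    cleaned = re.sub(r"0x", "", hexdump, flags=re.IGNORECASE)
    cleaned = re.sub(r"[^0-9A-Fa-f]", "", cleaned)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits")
    return bytes.fromhex(cleaned)


def txt_rdata_to_strings(hexdump: str) -> List[str]:
    """Split TXT rdata (a sequence of <length byte><bytes>) into its strings."""
    data = hex_to_bytes(hexdump)
    out, i = [], 0
    while i < len(data):
        n = data[i]
        chunk = data[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated TXT character-string")
        out.append(chunk.decode("ascii", errors="replace"))
        i += 1 + n
    return out


def lkdc_realm_from_txt(hexdump: str) -> Optional[str]:
    """Return the LKDC realm in a _kerberos TXT record, or None if no string has the
    LKDC:SHA1.<hash> shape. Also tries the bare bytes, in case the length byte was
    already stripped before the hex was handed to us."""
    try:
        candidates = txt_rdata_to_strings(hexdump)
    except ValueError:
        candidates = []
    candidates.append(hex_to_bytes(hexdump).decode("ascii", errors="replace"))
    for s in candidates:
        if REALM_RE.match(s):
            return s
    return None
```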
Interesting Files
- NetAuthAgent - this one appears to be a client-side Kerberos helper. Its role appears to be to manage the Kerberos authentication process at a high level on behalf of screen sharing (vncserver), the AFP client, and the CIFS client. A string dump reveals the following chunk of Kerberos service names:
vncserver
webdaveserver
ftpsserver
ftpserver
cifs
afpserver
vncserver, cifs, and afpserver are the only 3 services that are kerberized in the LKDC by default, though NetAuthAgent appears to support others as well. Looking at all strings matching 'kerb', we see:
{5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
KerberosSession
BypassKerberos
kerberosClientPrincipalCredentials
kerberosRelease
kerberosClientPrincipal
kerberosKeychainRealm
kerberosPrincipalInfo
MountedByKerberos
SupportsKerberos
/System/Library/CoreServices/Kerberos.app
mInvalidKerberosUserName
checkForKerberosUserName:
isValidKerberosUserName:
useKerberos
kerberosServiceName
kerberosServicePrincipalHint
kerberosSession
kerberosServicePrincipal
kerberosAcquireTicket
Kerberos
AllowKerberosUI
KerberosInfo
kerberosUIOption
kerberosHostDisplayName
kerberosHostAddress
kerberosAlreadyHasTicket
- LKDCLocate - looks like this one performs DNS queries to retrieve kerberos info about a remote host.
{14} andre@donk [~] % strings /System/Library/KerberosPlugins/KerberosFrameworkPlugins/LKDCLocate.bundle/Contents/MacOS/LKDCLocate
%s:
LKDCLookup
Declined to handle address family %d
svc = %d, realm = %s, family= %d, socktype = %d
KDC|MasterKDC
LKDC:
getaddrinfo () == %d
0x%08p: family = %d, socktype = %d, protocol = %d
Running callback 0x%08p
Unexpected address family %d
Callback done 0x%08p, err=%d
inet_ntop failed: %s
addr = %s, port = %d
failed %d
LKDCGetHelperPort
com.apple.KerberosHelper.LKDCHelper
%s: cannot contact helper
LKDCHelperExit
Mach communication failed: %s
LKDCDumpStatus
LKDCSetLogLevel
LKDCGetLocalRealm
[[[ %s
Local realm = %s
]]] %s = %d (%s)
LKDCDiscoverRealm
No place to store discovered realm.
realm = %s
LKDCFindKDCForRealm
No place to store discovered KDC hostname.
KDC Hostname = %s:%u
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
[...]
- LKDCHelper - this one appears to be a server-side piece that installs the mDNS records used by clients to discover details about the server's LKDC.
{34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
Idle exit
do_LKDCDumpStatus
[[[ %s
do_LKDCSetLogLevel
do_LKDCGetLocalRealm
Cached lookup
LocalKDCRealm = %s
do_LKDCDiscoverRealm
Looking up realm for %s
do_LKDCFindKDCForRealm
Looking up host for %s
%s:
Unauthorized access by euid=%lu pid=%lu
update_idle_timer
0 == gettimeofday(&last_message, NULL)
/SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
idletimer_main
0 == gettimeofday(&now, NULL)
Invalid idle timeout: %s
Usage: [-d] [-t maxidle]
Could not initialize ASL logging.
Starting (uid=%ul)
mach_port_allocate: %s
mach_port_insert_right: %s
com.apple.KerberosHelper.LKDCHelper
bootstrap_register2 failed: %s
CheckIn
Could not create checkin message for launchd.
Could not message launchd.
Launchd checkin failed: %s.
MachServices
Launchd reply does not contain %s dictionary.
Launchd reply does not contain %s Mach port.
Launchd gave me a null Mach port.
Failed to start idletimer thread: %s
mach_msg_server: %s
KerberosKDC
dsRecTypeStandard:Config
realname
_kerberos
LookupRealmCallBack
mDNSError = %d
More than one record, last one wins!!!
LKDCAddLocatorDetails
New entry for (realm=%s host=%s)
Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
]]] %s = %d (%s)
LKDCHostnameForRealm
Cache hit
Cache miss
HandleEvents
LKDCLookupRealm
LKDCRealmForHostname
%s.%s
mDNSResult
CallbackError = %d
Timeout!
LKDCDumpCacheStatus
Cache root node = %08p
node = %08p {
realmName = (%08p) %s
serviceHost = (%08p) %s
servicePort = %u
TTL = %u
}
Communication to the helper failed
Not authorized
Input parameter error
Serializing object failed
Unserializing object failed
Object passed is not a dictionary
A Local KDC was not found
Lookup of the KDC for the requested realm failed
%s:
Success
<unknown error>
- /usr/libexec/configureLocalKDC - this is a Perl script that installs the LKDC at installation time, including creating service principals, editing service config files, and installing a Kerberos certificate into the system keychain.
Resources
- http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh/sshd in Leopard, but it uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.
- http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.
- http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.
- http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby
- http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.
- http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how kerberos realm information might be discovered using multicast dns.
- http://www.dns-sd.org/ServiceTypes.html multicast DNS service types
- http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general
- http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.