Difference between revisions of "LKDC"
From Wikifications
Revision as of 22:23, 12 May 2008
The local KDC in Leopard is pretty rad. This page will be a jumble of research and various investigations regarding the LKDC.
Discovery
The LKDC realm name of a remote Mac OS X machine may be discovered as follows:
dns-sd -Q "_kerberos.donk.local" txt
Replace "donk" with the rendezvous name of a Leopard machine on your local network (can test on yourself if needed).
The result is a string of hex characters. The command does not terminate on its own, so press control-C to stop it. Now take the hex and run it through xxd -r -c 256:
xxd -r -c 256
<paste in the hex string, press return>
The result is the LKDC realm name, such as LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD
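The three manual steps above (query, stop dns-sd, decode the hex) folded into one script, as an added example that is not part of the original wiki page. It assumes dns-sd prints the TXT rdata as hex bytes somewhere in its output and that the rdata carries the usual one-byte length prefix in front of the string; the sample output below is constructed, and the script also checks that the decoded value has the LKDC:SHA1.<40 hex digits> shape shown above.

```python
import re
import subprocess

# LKDC realm names have the form "LKDC:SHA1." + 40 upper-case hex digits, as on the page.
LKDC_REALM_RE = re.compile(r"^LKDC:SHA1\.[0-9A-F]{40}$")

def decode_txt_hex(hex_text: str) -> str:
    """Turn the hex printed by dns-sd back into text (the manual `xxd -r -c 256` step).
    Whitespace between byte pairs is ignored. A TXT rdata string carries a one-byte
    length in front; if the first byte equals the length of the rest it is taken to
    be that prefix and dropped (an assumption about the record layout)."""
    raw = bytes.fromhex(re.sub(r"\s+", "", hex_text))
    if len(raw) > 1 and raw[0] == len(raw) - 1:
        raw = raw[1:]
    return raw.decode("ascii", errors="replace")

def is_lkdc_realm(name: str) -> bool:
    """True when `name` has the LKDC:SHA1.<hash> shape."""
    return bool(LKDC_REALM_RE.match(name))

def realm_from_dns_sd_output(output: str) -> str:
    """Decode the longest run of hex bytes in dns-sd's output as the realm name.
    Nothing about dns-sd's column layout is assumed beyond the rdata appearing as hex."""
    runs = re.findall(r"(?:[0-9A-Fa-f]{2}\s?)+", output)
    best = max(runs, key=lambda r: len(re.sub(r"\s", "", r)), default="")
    if not best:
        raise ValueError("no hex rdata found in dns-sd output")
    realm = decode_txt_hex(best)
    if not is_lkdc_realm(realm):
        raise ValueError(f"decoded record is not an LKDC realm name: {realm!r}")
    return realm

def discover_lkdc_realm(bonjour_name: str, timeout: float = 5.0) -> str:
    """Run the page's dns-sd query; dns-sd never exits, so stop it after `timeout` seconds."""
    cmd = ["dns-sd", "-Q", f"_kerberos.{bonjour_name}.local", "txt"]
    try:
        output = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout).stdout
    except subprocess.TimeoutExpired as exc:  # the usual path: use what was printed before the kill
        output = exc.stdout or b""
        output = output.decode("utf-8", "replace") if isinstance(output, bytes) else output
    return realm_from_dns_sd_output(output)

# Constructed sample (not real dns-sd output): the realm from the page as a TXT rdata
# string with its length byte, shown as space-separated hex bytes.
SAMPLE_REALM = "LKDC:SHA1.8B0FBACC08E3152A473A68D303E297A13CAA3AFD"
SAMPLE_RDATA = bytes([len(SAMPLE_REALM)]) + SAMPLE_REALM.encode("ascii")
SAMPLE_OUTPUT = ("22:23:00.000  Add  _kerberos.donk.local.  TXT  Rdata: "
                 + " ".join(f"{b:02X}" for b in SAMPLE_RDATA) + "\n")
```

On a Leopard machine, `discover_lkdc_realm("donk")` performs the live query; the other functions run offline against the constructed sample.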
Interesting Files
- NetAuthAgent - this one appears to be a client-side Kerberos helper:
    {5} andre@donk [~] % strings /System/Library/CoreServices/NetAuthAgent.app/Contents/MacOS/NetAuthAgent | grep -i kerb
    KerberosSession
    BypassKerberos
    kerberosClientPrincipalCredentials
    kerberosRelease
    kerberosClientPrincipal
    kerberosKeychainRealm
    kerberosPrincipalInfo
    MountedByKerberos
    SupportsKerberos
    /System/Library/CoreServices/Kerberos.app
    mInvalidKerberosUserName
    checkForKerberosUserName:
    isValidKerberosUserName:
    useKerberos
    kerberosServiceName
    kerberosServicePrincipalHint
    kerberosSession
    kerberosServicePrincipal
    kerberosAcquireTicket
    Kerberos
    AllowKerberosUI
    KerberosInfo
    kerberosUIOption
    kerberosHostDisplayName
    kerberosHostAddress
    kerberosAlreadyHasTicket
- LKDCHelper - this one appears to be a server-side piece that installs the mDNS records used by clients to discover details about the server's LKDC:
    {34} andre@donk [~] % strings /System/Library/PrivateFrameworks/KerberosHelper.framework/Versions/A/Resources/LKDCHelper
    Idle exit
    do_LKDCDumpStatus
    [[[ %s
    do_LKDCSetLogLevel
    do_LKDCGetLocalRealm
    Cached lookup
    LocalKDCRealm = %s
    do_LKDCDiscoverRealm
    Looking up realm for %s
    do_LKDCFindKDCForRealm
    Looking up host for %s
    %s:
    Unauthorized access by euid=%lu pid=%lu
    update_idle_timer
    0 == gettimeofday(&last_message, NULL)
    /SourceCache/KerberosHelper/KerberosHelper-31/Source/LKDCHelper-main.c
    idletimer_main
    0 == gettimeofday(&now, NULL)
    Invalid idle timeout: %s
    Usage: [-d] [-t maxidle]
    Could not initialize ASL logging.
    Starting (uid=%ul)
    mach_port_allocate: %s
    mach_port_insert_right: %s
    com.apple.KerberosHelper.LKDCHelper
    bootstrap_register2 failed: %s
    CheckIn
    Could not create checkin message for launchd.
    Could not message launchd.
    Launchd checkin failed: %s.
    MachServices
    Launchd reply does not contain %s dictionary.
    Launchd reply does not contain %s Mach port.
    Launchd gave me a null Mach port.
    Failed to start idletimer thread: %s
    mach_msg_server: %s
    KerberosKDC
    dsRecTypeStandard:Config
    realname
    _kerberos
    LookupRealmCallBack
    mDNSError = %d
    More than one record, last one wins!!!
    LKDCAddLocatorDetails
    New entry for (realm=%s host=%s)
    Replacing existing entry (realm=%s host=%s) with (realm=%s host=%s)
    ]]] %s = %d (%s)
    LKDCHostnameForRealm
    Cache hit
    Cache miss
    HandleEvents
    LKDCLookupRealm
    LKDCRealmForHostname
    %s.%s
    mDNSResult
    CallbackError = %d
    Timeout!
    LKDCDumpCacheStatus
    Cache root node = %08p
    node = %08p {
    realmName = (%08p) %s
    serviceHost = (%08p) %s
    servicePort = %u
    TTL = %u
    }
    Communication to the helper failed
    Not authorized
    Input parameter error
    Serializing object failed
    Unserializing object failed
    Object passed is not a dictionary
    A Local KDC was not found
    Lookup of the KDC for the requested realm failed
    %s:
    Success
    <unknown error>
- /usr/libexec/configureLocalKDC - this is a Perl script that installs the LKDC at installation time, including creating service principals, editing service config files, and installing a Kerberos certificate into the system keychain.
Resources
- http://www.felipe-alfaro.org/blog/2007/12/07/kerberizing-leopards-ssh/ This documents how to kerberize ssh/sshd in Leopard, but uses a static configuration instead of dynamically discovering the remote realm name, as is done by the services kerberized in the LKDC by default.
- http://www.mactech.com/articles/mactech/Vol.23/23.11/ExploringLeopardwithDTrace/index.html Exploring Leopard with DTrace - was useful in determining how some of the service clients interact with Kerberos.
- http://developer.apple.com/technotes/tn2005/tn2083.html Daemons and Agents. Fantastic technote by Quinn. This helped me understand a bit more about the mach service that is provided by LKDCHelper.
- http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/129443 Multicast DNS libraries for Ruby
- http://www.ldap.com/1/commentary/wahl/20070511_01.shtml Discovering local identity services. Outlines several methods for dynamic discovery of how to bootstrap authentication sessions with a remote system.
- http://www.cybersafe.ltd.uk/docs_standards/draft-ietf-krb-wg-krb-dns-locate-03.txt This expired draft documents how Kerberos realm information might be discovered using multicast DNS.
- http://www.dns-sd.org/ServiceTypes.html multicast DNS service types
- http://files.multicastdns.org/draft-cheshire-dnsext-multicastdns.txt This expired draft documents multicast DNS in general
- http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC9 Kerberos install document; this section documents how Kerberos finds realm information.