
Add Kerberos cheat sheets

| **Command**   | **Command Description**                                                          |
|---------------|----------------------------------------------------------------------------------|
| `kadmin`      | Kerberos administration tool for remote administration of principals and policies. |
| `kadmind`     | Kerberos administration server daemon managing authentication services.          |
| `kadmin.local`| Kerberos administration tool for local management of principals and policies.    |
| `kdb5_util`   | Utility for managing the Kerberos database.                                      |
| `kdestroy`    | Destroy a user's Kerberos tickets.                                               |
| `kgetcred`    | Fetch a credential cache with specific settings from the Kerberos Ticket Granting Server. |
| `kinit`       | Obtain and cache an initial ticket-granting ticket for Kerberos authentication.  |
| `klist`       | List cached Kerberos tickets.                                                    |
| `kpasswd`     | Change a Kerberos principal's password.                                          |
| `kprop`       | Propagate a Kerberos database dump from the master to a slave server.            |
| `kpropd`      | Receive and install propagated Kerberos database dumps.                          |
| `krb524init`  | Initialize a krb524 service ticket for older Kerberos 4 authentication support.  |
| `krb5kdc`     | Kerberos Key Distribution Center daemon.                                         |
| `krenew`      | Renew a Kerberos ticket-granting ticket and optionally forward it.               |
| `ksu`         | Kerberos substitute user - switch user identity similar to su but using Kerberos authentication. |
| `kswitch`     | Switch primary Kerberos credential cache.                                        |
| `ktutil`      | Utility to manage entries in a Kerberos keytab file.                             |
| `kvno`        | Obtain and display the Kerberos service ticket for a specified principal.        |
Igor Chubin 11 months ago
committed by GitHub
parent
commit
6a55e7dfe7
  1. 50
      sheets/kadmin
  2. 35
      sheets/kadmin.local
  3. 26
      sheets/kdb5_util
  4. 14
      sheets/kdestroy
  5. 29
      sheets/kinit
  6. 26
      sheets/klist
  7. 20
      sheets/kpasswd
  8. 17
      sheets/kprop
  9. 23
      sheets/kpropd
  10. 20
      sheets/krenew
  11. 26
      sheets/ksu
  12. 35
      sheets/ktutil
  13. 26
      sheets/kvno
  14. 74
      topics/kerberos.json

50
sheets/kadmin

@ -0,0 +1,50 @@
# kadmin
# Kerberos administration tool for remote administration of principals and policies.
# Launch kadmin in interactive mode
kadmin
# Launch kadmin with a specific Kerberos realm
kadmin -r EXAMPLE.COM
# Retrieve a new TGT (Ticket Granting Ticket) for the admin session
kadmin -p admin/admin
# Change the password of a specific principal
kadmin -q "cpw [principal]"
# Add a new principal with default options
kadmin -q "addprinc [principal]"
# Add a new principal with a specific password
kadmin -q "addprinc -pw [password] [principal]"
# Delete a specific principal
kadmin -q "delprinc [principal]"
# Rename a principal
kadmin -q "renprinc [oldprincipal] [newprincipal]"
# List all principals
kadmin -q "listprincs"
# List all policies
kadmin -q "listpols"
# Add a new policy
kadmin -q "addpol [policy]"
# Modify a policy with specific parameters
kadmin -q "modpol -maxlife 7d0h0m0s [policy]"
# Delete a policy
kadmin -q "delpol [policy]"
# Get detailed information about a principal
kadmin -q "getprinc [principal]"
# Get detailed information about a policy
kadmin -q "getpol [policy]"
# Exit kadmin interactive mode (if in it)
exit
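Review bot: `kadmin -q "addprinc -pw [password] [principal]"` puts the new principal's password on the command line, where it lands in shell history and is visible to other local users through process listings; the prompting form `kadmin -q "addprinc [principal]"` already shown above is the one to favour, and the -pw variant should at least carry `# password is exposed in shell history and ps output; prefer the prompting form`. The comment on `kadmin -p admin/admin` is also off: `-p` selects the principal kadmin authenticates as and does not fetch a TGT, so `# Authenticate to kadmind as a specific admin principal` describes it better. The trailing bare `exit` is a kadmin subcommand rather than a shell command and would close the caller's shell if pasted; writing it as `kadmin: exit`, the prompt form the ktutil sheet in this commit uses, avoids that.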

35
sheets/kadmin.local

@ -0,0 +1,35 @@
# kadmin.local
# Kerberos administration tool for local management of principals and policies.
# Add a new principal
kadmin.local -q "addprinc username"
# Change a principal's password
kadmin.local -q "cpw username"
# Delete a principal
kadmin.local -q "delprinc username"
# List all principals
kadmin.local -q "listprincs"
# Get information about a specific principal
kadmin.local -q "getprinc username"
# Rename a principal
kadmin.local -q "renprinc oldusername newusername"
# Add a new policy
kadmin.local -q "addpol -minlength 8 -minclasses 3 policy_name"
# Modify an existing policy
kadmin.local -q "modpol -minlength 12 policy_name"
# List all policies
kadmin.local -q "listpols"
# Get information about a specific policy
kadmin.local -q "getpol policy_name"
# Delete a policy
kadmin.local -q "delpol policy_name"
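Review bot: The placeholders in this sheet are bare words (`username`, `policy_name`) while the kadmin sheet uses `[principal]` and the ktutil sheet uses `<keytab_file>`; one convention across the Kerberos sheets makes it obvious what the reader must substitute. As written, `kadmin.local -q "addprinc username"` reads as a literal and can be run as-is by mistake, creating a principal literally named `username`.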

26
sheets/kdb5_util

@ -0,0 +1,26 @@
# kdb5_util
# Utility for managing the Kerberos database.
# Initialize a new Kerberos database
kdb5_util create -s
# Destroy an existing Kerberos database
kdb5_util destroy
# Dump the Kerberos database to a file
kdb5_util dump /path/to/dumpfile
# Load a Kerberos database from a dump file
kdb5_util load /path/to/dumpfile
# Archive the current log to the specified output file
kdb5_util ark /path/to/archivefile
# Show the Kerberos database's attributes
kdb5_util list
# Change the master key
kdb5_util stash
# Prompt for old master key, then read and update key from a file
kdb5_util update -f /path/to/stashfile
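Review bot: `kdb5_util ark /path/to/archivefile` does not archive anything: in MIT krb5 `ark` takes a principal name and adds new random keys to it, so running this as shown re-keys a principal named after that path if one exists and invalidates every keytab holding its old keys; the entry should be dropped or rewritten as `# Add new random keys to a principal (invalidates its existing keytabs)` / `kdb5_util ark [principal]`. The comment on `kdb5_util stash` is also wrong — stash writes the current master key to the stash file so the KDC can start unattended, it does not change the key; `# Write the master key to the stash file (protect this file: it holds the database master key)` would be accurate. I could not match `list` or `update -f` to MIT subcommands (the closest are `list_mkeys` and `update_princ_encryption`); please verify against the installed version's man page.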

14
sheets/kdestroy

@ -0,0 +1,14 @@
# kdestroy
# Destroy a user's Kerberos tickets.
# Remove the user's current Kerberos tickets, effectively logging them out of Kerberos
kdestroy
# Remove Kerberos tickets and display a message upon successful destruction
kdestroy -q
# Remove Kerberos tickets for a specific cache (useful in multi-cache environments)
kdestroy -c /path/to/your/credentials/cache
# Force delete the credential cache, even if there are errors (use with caution)
kdestroy -f
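Review bot: The comment on `kdestroy -q` is inverted: `-q` is the quiet flag that suppresses the beep or message kdestroy otherwise emits when it fails, so `# Remove tickets quietly (no beep or message on failure)` is the accurate reading. I could not find a `-f` option in either the MIT or Heimdal kdestroy man pages, so the last entry looks invented; if the intent was "remove everything", `kdestroy -A` (destroy all caches in the collection) is the MIT option worth listing instead.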

29
sheets/kinit

@ -0,0 +1,29 @@
# kinit
# Obtain and cache an initial ticket-granting ticket for Kerberos authentication.
# Obtain an initial ticket-granting ticket
kinit
# Obtain a ticket for a specific principal
kinit username@REALM
# Specify a different cache file for the ticket
kinit -c /path/to/credentials_cache
# Obtain a ticket with a specific lifetime (e.g., 10 hours)
kinit -l 10h
# Obtain a renewable ticket with a specific renewal lifetime (e.g., 7 days)
kinit -r 7d
# Use a specific keytab file to authenticate
kinit -k -t /path/to/keytab_file
# Use a password from a file instead of prompting
kinit < username.passfile
# Obtain tickets silently (no password prompt, useful for scripts)
kinit -s
# Obtain a ticket for the default principal and verify it immediately
kinit && klist -s
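Review bot: `kinit < username.passfile` teaches keeping a principal's password in a plaintext file, which is the weakest way to drive unattended authentication; the keytab entry two lines above (`kinit -k -t /path/to/keytab_file`) is the intended mechanism, so the passfile entry should either go or carry `# password sits in a plaintext file readable by anyone with access to it; prefer a keytab`. `kinit -s` is also mis-described: in MIT krb5 `-s` takes a start time and requests a postdated ticket, there is no silent mode, and with no argument kinit would consume the next word as the start time. The non-interactive form for scripts is again the keytab form, so the `-s` entry can be dropped.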

26
sheets/klist

@ -0,0 +1,26 @@
# klist
# List cached Kerberos tickets.
# Display the default credential cache
klist
# Display the credential cache for a specific cache name
klist -c /path/to/your/credential.cache
# List the tickets with their timestamps in a human-readable format
klist -f
# Display all information about credentials, including encryption types
klist -e
# Show only the list of Kerberos tickets without extra information
klist -s
# Display tickets for a specified client principal
klist -k -p principal_name
# Check if the tickets are still valid, suppressing output on success
klist -s /path/to/credential.cache
# List all available caches
klist -A
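Review bot: `klist -s` is described two ways in the same sheet — `# Show only the list of Kerberos tickets without extra information` on the first use and `# Check if the tickets are still valid, suppressing output on success` on the second; only the second is right (`-s` prints nothing and reports validity through its exit status), so the first entry should be dropped or its comment replaced with `# Exit 0 if the cache holds a valid TGT, 1 otherwise; prints nothing`. `klist -f` shows the ticket flags (forwardable, renewable, initial, …), not human-readable timestamps, so `# Show ticket flags` fits. I am not aware of a `-p` option to MIT klist; `klist -k -t` (keytab entries with timestamps) is likely what was meant — please verify.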

20
sheets/kpasswd

@ -0,0 +1,20 @@
# kpasswd
# Change a Kerberos principal's password.
# Basic usage to change your own Kerberos principal's password
kpasswd
# Change a specified Kerberos principal's password
kpasswd principal_name
# Specify a particular realm for the Kerberos principal when changing the password
kpasswd principal_name@REALM
# Use the verbose option to get more detailed output during the password change process
kpasswd -v
# Specify a custom configuration file for kpasswd
kpasswd -c /path/to/conf_file
# Display help information for kpasswd command
kpasswd -h
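Review bot: `kpasswd -c /path/to/conf_file` does not select a configuration file in either implementation I know: MIT kpasswd accepts only a principal argument, and in Heimdal `-c` names a credential cache, so the comment and example disagree with the tool (`# Use a specific credential cache (Heimdal)` would match the Heimdal meaning). `-v` is likewise not a documented MIT option; since the option sets differ, the sheet header should say which implementation it targets.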

17
sheets/kprop

@ -0,0 +1,17 @@
# kprop
# Propagate a Kerberos database dump from the master to a slave server.
# Propagate a Kerberos database dump from the master to a slave server
kprop -f /path/to/dumpfile -P port_number slave_server
# Propagate a Kerberos database with verbosity for debugging
kprop -f /path/to/dumpfile -P port_number -d slave_server
# Use a different keytab file for authentication
kprop -f /path/to/dumpfile -P port_number -k /path/to/keytab slave_server
# Specify a specific service principal for authentication
kprop -f /path/to/dumpfile -P port_number -s principal'service_name slave_server
# Attempt to propagate a database dump with encryption verification
kprop -f /path/to/dumpfile -e slave_server
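Review bot: The fourth example has an unbalanced quote — `-s principal'service_name` — so the line is a shell syntax error as written. Beyond the typo, MIT kprop's `-s` names the keytab file rather than a service principal, and as far as I know there is no `-k` or `-e` option, so the keytab entry should read `kprop -f /path/to/dumpfile -P port_number -s /path/to/keytab slave_server` and the `-s principal` and `-e` entries be dropped (kprop authenticates and encrypts the transfer with the host key regardless). Please verify against the installed version's man page.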

23
sheets/kpropd

@ -0,0 +1,23 @@
# kpropd
# Receive and install propagated Kerberos database dumps.
# Start the kpropd in standalone mode
kpropd -S
# Run kpropd in daemon mode
kpropd -d
# Specify an alternate database file
kpropd -f /path/to/alternate/db
# Increase verbosity of kpropd
kpropd -d -d -d
# Specify a file for logging
kpropd -F /path/to/logfile.log
# Specify the port kpropd listens on
kpropd -p 754
# Run kpropd without forking (remain attached to terminal)
kpropd -n
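Review bot: `kpropd -p 754` uses the wrong case: in MIT kpropd lowercase `-p` is the path to the kdb5_util program while the listening port is `-P`, so the example as written tells kpropd to execute a program named `754` — it should be `kpropd -P 754`. The `-f` and `-F` comments are also swapped relative to the man page: `-f` is the file the received dump is written to and `-F` is the principal database it is loaded into, and I am not aware of a `-n` option. Suggested comments: `# Write the received dump to this file` for `-f` and `# Load the dump into this principal database` for `-F`, dropping the logfile example.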

20
sheets/krenew

@ -0,0 +1,20 @@
# krenew
# Renew a Kerberos ticket-granting ticket and optionally forward it.
# Renew a Kerberos ticket-granting ticket, keeping it valid indefinitely
krenew -b -K 60
# Renew a ticket-granting ticket and forward the tickets
krenew -F -b -K 60
# Renew a ticket-granting ticket as a specific user
krenew -t -u username -K 60
# Run a command with a renewable and forwardable ticket-granting ticket
krenew -F -- my_command
# Use a specific credential cache while renewing
krenew -c /path/to/credential.cache -K 60
# Run krenew in the background and redirect output to a log file
krenew -b -K 60 -o /path/to/logfile.log
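Review bot: Several options here belong to k5start or to no tool at all: krenew (kstart) has no `-F`, `-u` or `-o`; its `-c` takes a child PID file, not a credential cache, and the cache is selected with `-k`, so `krenew -c /path/to/credential.cache -K 60` would try to write a PID file over the cache path. The closest correct forms are `krenew -k /path/to/credential.cache -K 60` and `krenew -K 60 -- my_command`; the header line `# ... and optionally forward it` should also lose the forwarding claim, since krenew only renews. Please check against `man krenew` for the installed kstart version.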

26
sheets/ksu

@ -0,0 +1,26 @@
# ksu
# Kerberos substitute user - switch user identity similar to su but using Kerberos authentication.
# Switch to another user using Kerberos authentication
ksu [username]
# Switch to another user and specify a particular Kerberos ticket cache
ksu -c [cache_name] [username]
# Run a command as another user with Kerberos authentication
ksu [username] -e [command]
# Request a forwardable ticket on behalf of the user
ksu -F [username]
# Display the version of ksu
ksu -V
# Use verbose mode for additional output details
ksu -v [username]
# Force the use of a specific authentication method
ksu -o [option] [username]
# Specify a different authentication context
ksu -a [auth_context] [username]
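Review bot: The `-F` entry is inverted: in MIT ksu `-f` requests a forwardable ticket and `-F` explicitly requests a non-forwardable one, so `# Request a forwardable ticket on behalf of the user` belongs on `ksu -f [username]`. `-a` passes the remaining arguments to the target user's shell rather than selecting an "authentication context", so `# Pass remaining arguments to the target user's shell` is the accurate comment. I am not aware of `-V`, `-v` or `-o` options in ksu; `-n [principal]` (authenticate as a specific principal) and `-q` (quiet) are the real ones worth listing in their place.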

35
sheets/ktutil

@ -0,0 +1,35 @@
# ktutil
# Utility to manage entries in a Kerberos keytab file.
# Load an existing keytab file
ktutil
ktutil: rkt <keytab_file>
# List the entries in the currently loaded keytab
ktutil
ktutil: list
# Add a new entry to the keytab
ktutil
ktutil: add_entry -password -p <principal> -k <kvno> -e <encryption_type>
# Write the current keytab entries to a new keytab file
ktutil
ktutil: wkt <keytab_file>
# Remove a specific entry from the keytab
ktutil
ktutil: delete_entry <entry_number>
# Change the password of a principal and update the keytab
ktutil
ktutil: change_password -p <principal> -newpass
# Quit the ktutil session
ktutil
ktutil: quit
# Start ktutil and directly execute commands from a script (example)
ktutil < script_file
# Explanation: The commands in 'script_file' will be executed in order. Each line should contain a valid ktutil command such as 'rkt', 'add_entry', 'wkt', etc.
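Review bot: `change_password` is not a ktutil subcommand in MIT krb5 (the command set is `rkt`, `wkt`, `rst`, `wst`, `add_entry`, `delete_entry`, `list`, `clear_list`, `quit`), so that entry should be dropped; a principal's password is changed with kpasswd or kadmin and the keytab then refreshed with `add_entry`. The `wkt` example writes long-term keys to disk and deserves a reminder comment, `# the written keytab holds long-term keys; keep it owner-readable only (mode 0600)`. The `ktutil < script_file` line warrants `# a script fed to ktutil may contain keys or passwords in clear text; protect it like the keytab`, since `add_entry -password` driven from a file means the password is in that file.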

26
sheets/kvno

@ -0,0 +1,26 @@
# kvno
# Obtain and display the Kerberos service ticket for a specified principal.
# Obtain a service ticket for a specific principal
kvno [principal_name]
# Obtain service tickets for multiple specified principals
kvno [principal1_name] [principal2_name] [principal3_name]
# Obtain and display a service ticket for the current user's primary principal
kvno host/[hostname]
# Obtain a service ticket and display it with a specified encryption type (specify encryption type such as aes256-cts)
kvno -e [enctype] [principal_name]
# Obtain a service ticket with verbose output to show detailed information
kvno -verbose [principal_name]
# Obtain a service ticket from a specific Key Distribution Center (KDC)
kvno -c [cache_name] [principal_name]
# Allows for proxiable tickets
kvno -P [principal_name]
# Specifies the keytab from which credentials are accessed
kvno -k [keytab] [principal_name]
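Review bot: The comment on `kvno host/[hostname]` is wrong: `host/[hostname]` is the host service principal, not the current user's primary principal, so `# Obtain a service ticket for a host's service principal` fits. `kvno -c [cache_name]` selects the credential cache to use, not a KDC (kvno has no option to pick a KDC), so `# Use a specific credential cache` is the accurate reading. `-verbose` is not a kvno option and would be parsed as a run of single-letter flags; the `-P` and `-k` entries look right for MIT, and the sheet would benefit from naming that implementation in its header.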

74
topics/kerberos.json

@ -0,0 +1,74 @@
[
{
"command": "kadmin",
"description": "Kerberos administration tool for remote administration of principals and policies."
},
{
"command": "kadmind",
"description": "Kerberos administration server daemon managing authentication services."
},
{
"command": "kadmin.local",
"description": "Kerberos administration tool for local management of principals and policies."
},
{
"command": "kdb5_util",
"description": "Utility for managing the Kerberos database."
},
{
"command": "kdestroy",
"description": "Destroy a user's Kerberos tickets."
},
{
"command": "kgetcred",
"description": "Fetch a credential cache with specific settings from the Kerberos Ticket Granting Server."
},
{
"command": "kinit",
"description": "Obtain and cache an initial ticket-granting ticket for Kerberos authentication."
},
{
"command": "klist",
"description": "List cached Kerberos tickets."
},
{
"command": "kpasswd",
"description": "Change a Kerberos principal's password."
},
{
"command": "kprop",
"description": "Propagate a Kerberos database dump from the master to a slave server."
},
{
"command": "kpropd",
"description": "Receive and install propagated Kerberos database dumps."
},
{
"command": "krb524init",
"description": "Initialize a krb524 service ticket for older Kerberos 4 authentication support."
},
{
"command": "krb5kdc",
"description": "Kerberos Key Distribution Center daemon."
},
{
"command": "krenew",
"description": "Renew a Kerberos ticket-granting ticket and optionally forward it."
},
{
"command": "ksu",
"description": "Kerberos substitute user - switch user identity similar to su but using Kerberos authentication."
},
{
"command": "kswitch",
"description": "Switch primary Kerberos credential cache."
},
{
"command": "ktutil",
"description": "Utility to manage entries in a Kerberos keytab file."
},
{
"command": "kvno",
"description": "Obtain and display the Kerberos service ticket for a specified principal."
}
]