Re: Impersonate Kerberos user on HDFS

https://www.novabbs.com/devel/article-flat.php?id=534&group=comp.protocols.kerberos#534

From: ken...@cmf.nrl.navy.mil (Ken Hornstein)
Newsgroups: comp.protocols.kerberos
Subject: Re: Impersonate Kerberos user on HDFS
Date: Thu, 11 Apr 2024 08:24:29 -0400
Organization: TNet Consulting
Lines: 26
Message-ID: <mailman.82.1712838283.2322.kerberos@mit.edu>
References: <4FD44739-01B9-4D7A-B383-D3B7B4BFF047@free.fr> <202404111224.43BCOTL9014923@hedwig.cmf.nrl.navy.mil>
by: Ken Hornstein - Thu, 11 Apr 2024 12:24 UTC

>- impersonate the user as, say, admin, with kinit; e.g. kinit <user>
>- scan all HDFS directories and try to read or write
>
>Does anyone have suggestions?

In general, your options are:

- Have access to the user's key/password and generate a ticket for that
user using kinit. As someone else already noted, this isn't really
impersonating a user.
- Have access to the TGS key and generate a TGT for that user (or any user).
This is generally referred to as "ticket printing". I don't _think_
the Kerberos distributions come with a utility to do that, but I
believe there are example programs floating around that do that. I
have to say that doing so would require access to the TGS key and
having that outside of your Kerberos database would be extremely
dangerous as if it was compromised your entire realm would be
compromised.
- Have access to the HDFS service key and print a service ticket for that
user. Again, I don't know if the Kerberos distributions have such
a utility, but this would be less dangerous (you already have to have
the HDFS key on disk somewhere). I don't know how Kerberos works with
HDFS, but if there are multiple service tickets for an HDFS filesystem
spread across multiple servers that might be complicated.

--Ken
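Ken's second option hinges on the TGS (krbtgt) key never leaving the KDC database. The following is an added example, not part of this thread or of any Kerberos distribution: it parses MIT `klist -kt` keytab listings (format assumed) and flags any krbtgt principal, which is the check a defender would run over the keytabs on HDFS hosts after reading the above.

```python
"""Flag TGS (krbtgt) keys found in keytab listings.

Added example, not from the original thread. Parses the output of
`klist -kt <keytab>` (MIT Kerberos layout, assumed) and reports any
entry whose principal is krbtgt/REALM@REALM, i.e. a TGS key living
outside the KDC database, which the post above calls extremely dangerous.
"""
import re
import subprocess
from typing import List, Tuple

# Matches MIT `klist -kt` entry lines: "KVNO  Timestamp  Principal".
# Header and dashed separator lines do not start with a number, so they skip.
_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s*$")


def parse_klist(output: str) -> List[Tuple[int, str]]:
    """Return (kvno, principal) tuples from `klist -kt` output."""
    entries = []
    for line in output.splitlines():
        m = _ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3)))
    return entries


def is_tgs_key(principal: str) -> bool:
    """True for krbtgt/REALM@REALM style principals (the TGS key)."""
    name, _, realm = principal.partition("@")
    return name.startswith("krbtgt/") and bool(realm)


def find_tgs_keys(output: str) -> List[str]:
    """Principals in the listing that are TGS keys; off-KDC this must be empty."""
    return sorted({p for _, p in parse_klist(output) if is_tgs_key(p)})


def audit_keytab(path: str) -> List[str]:
    """Run `klist -kt` on a keytab file and return any TGS principals found."""
    proc = subprocess.run(["klist", "-kt", path], capture_output=True, text=True, check=True)
    return find_tgs_keys(proc.stdout)


# Constructed sample listing in MIT `klist -kt` layout (no real keys involved).
SAMPLE = """Keytab name: FILE:/etc/hadoop/hdfs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/11/24 08:00:00 hdfs/namenode.example.com@EXAMPLE.COM
   3 04/11/24 08:00:00 HTTP/namenode.example.com@EXAMPLE.COM
   7 04/11/24 08:00:00 krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    for p in find_tgs_keys(SAMPLE):
        print("TGS key present in keytab:", p)
```

On a real host, `audit_keytab("/etc/hadoop/hdfs.keytab")` runs the same check against an actual keytab; any non-empty result means a krbtgt key has been copied outside the KDC.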
