Web lists-archives.com

Re: [Samba] Keytab extraction for tshark analyze




On Sat, 12 May 2018 19:45:10 +0200
Lapin Blanc <fabien.toune@xxxxxxxxxxxxxxx> wrote:

> I'm studying samba related protocols for a work I have to present at
> the university,
> and for me to really understand how it works, I try to put in in
> practice. So I was reading
> http://www.kerberos.org/software/tutorial.html and tried to track
> packets... I was hoping this command, run on my kdc
> 
> tshark -r kerberos.pcap -Y frame.number==10 -O kerberos  -K
> decode.keytab (n° 10 is AS-REP NT in this case)
> 
> would let me see the actual content of the TGT, and so on with further
> exchanges
> and other encrypted parts.

The whole idea behind kerberos is that it is supposed to be secure, so
whilst you may be able to see the traffic on the network, you will not
be able to see any passwords etc. I suggest you do a bit more internet
browsing ;-)

> 
> I'm also trying to understand why Samba needs the presence of
> /etc/krb5.keytab
> on the server for GSSAPI to work (putty and ssh), even if it doesn't
> contain
> any user's principal.

It is only required if you are using shared keys, but you can use ssh in
a way that doesn't use shared keys. Even if you go down the shared keys
path, you only need /etc/krb5.keytab on the client, not the server.

I think you really need to read more on how kerberos works, for
instance, the password is never sent across the wire.

Rowland
  

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba