awol2005ex_kinit

Crates.io: awol2005ex_kinit
lib.rs: awol2005ex_kinit
version: 0.0.1
created_at: 2025-10-28 08:03:10.146733+00
updated_at: 2025-10-28 08:03:10.146733+00
description: Kerberos authentication using password or keytab
repository: https://gitee.com/awol2010ex/awol2005ex_kinit
id: 1904331
size: 80,259
(awol2005ex)

README

Kinit Command-Line Tool

A Rust implementation of the Kerberos kinit command that supports both password and keytab authentication to obtain a Kerberos TGT (Ticket Granting Ticket).

Features

  • Password Authentication: Interactive password-based authentication (equivalent to traditional kinit principal)
  • Keytab Authentication: Non-interactive authentication using keytab files (equivalent to kinit -kt keytab principal)
  • Multiple Encryption Types: Support for AES256, AES128, and RC4-HMAC encryption types
  • Proper String-to-Key Conversion: Implements correct Kerberos password-to-key derivation
  • Automatic KDC Discovery: Reads KDC server information from krb5.conf configuration files
  • Credential Cache Management: Saves obtained credentials in standard Kerberos credential cache format
  • Comprehensive Error Handling: Detailed error messages and logging support
  • Command-line Interface: Familiar interface similar to the traditional kinit command

Usage

Basic Usage

# Password authentication (prompts for password)
kinit principal@REALM.COM

# Keytab authentication (non-interactive)
kinit -t keytab_file.keytab principal@REALM.COM

# Specify KDC server explicitly
kinit principal@REALM.COM -s kdc.server.com

# Specify encryption type for password authentication
kinit principal@REALM.COM -e 18  # AES256
kinit principal@REALM.COM -e 17  # AES128
kinit principal@REALM.COM -e 23  # RC4-HMAC

# With verbose logging
kinit principal@REALM.COM -v

Command Line Options

  • <PRINCIPAL>: Kerberos principal in format username@REALM (required)
  • -t, --keytab <FILE>: Path to keytab file for keytab authentication
  • -s, --server <SERVER>: KDC server hostname or IP address (optional)
  • -e, --enctype <TYPE>: Encryption type for password authentication: 18 (AES256), 17 (AES128), 23 (RC4)
  • -v, --verbose: Enable verbose logging
  • -h, --help: Display help information

Note: If --keytab is not specified, the tool will prompt for password authentication.

Examples

# Password authentication (prompts for password)
kinit hdfs@TEST.COM

# Password authentication with specific KDC
kinit hdfs@TEST.COM -s 192.168.1.100

# Password authentication with AES256 encryption
kinit hdfs@TEST.COM -e 18

# Keytab authentication (non-interactive)
kinit -t hdfs@TEST.COM.keytab hdfs@TEST.COM

# Keytab authentication with specific KDC
kinit -t hdfs@TEST.COM.keytab hdfs@TEST.COM -s 192.168.1.100

# Verbose output for debugging
kinit hdfs@TEST.COM -v
kinit -t service.keytab service/user@EXAMPLE.COM -v

Configuration

KDC Server Discovery

The tool automatically discovers KDC servers by reading Kerberos configuration files in the following order:

  1. File specified in the KRB5_CONFIG environment variable
  2. /etc/krb5.conf
  3. /etc/krb5/krb5.conf
  4. C:\Windows\krb5.ini
  5. %WINDIR%\krb5.ini
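
The lookup order above, sketched as an added example (not this crate's own code) that shows which KDC a client would contact for a realm; KRB5_CONFIG comes first, so whoever sets the environment chooses the file. The function names, the "first file that names a KDC wins" rule and the sample configuration are assumptions made for illustration.

```rust
use std::{env, fs, path::PathBuf};

// Constructed sample krb5.conf; realms and hosts are illustrative only.
const SAMPLE: &str = "[libdefaults]\n default_realm = TEST.COM\n[realms]\n TEST.COM = {\n\
  kdc = 192.168.1.100\n  kdc = kdc2.test.com:88\n  admin_server = kdc2.test.com\n }\n\
  OTHER.COM = {\n  kdc = kdc.other.com\n }\n[domain_realm]\n .test.com = TEST.COM\n";

/// Candidate config files in the order the README lists them (hypothetical helper).
fn candidate_paths(krb5_config: Option<String>, windir: Option<String>) -> Vec<PathBuf> {
    let mut v: Vec<PathBuf> = krb5_config.into_iter().map(PathBuf::from).collect();
    v.extend(["/etc/krb5.conf", "/etc/krb5/krb5.conf", r"C:\Windows\krb5.ini"].map(PathBuf::from));
    v.extend(windir.map(|w| PathBuf::from(w).join("krb5.ini")));
    v
}

/// Collect every `kdc = host[:port]` directly inside `REALM = { ... }` under [realms].
fn kdcs_for_realm(conf: &str, realm: &str) -> Vec<String> {
    let (mut in_realms, mut depth, mut target, mut out) = (false, 0usize, false, Vec::new());
    for raw in conf.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') || line.starts_with(';') { continue; }
        if depth == 0 && line.starts_with('[') { in_realms = line.eq_ignore_ascii_case("[realms]"); continue; }
        if !in_realms { continue; }
        if line.starts_with('}') {
            depth = depth.saturating_sub(1);
            if depth == 0 { target = false; }
            continue;
        }
        let Some((key, val)) = line.split_once('=') else { continue };
        let (key, val) = (key.trim(), val.trim());
        if val.starts_with('{') {
            if depth == 0 { target = key == realm; } // realm names are case-sensitive
            depth += 1; // nested sub-blocks are skipped, not mistaken for realms
        } else if target && depth == 1 && key == "kdc" {
            out.push(val.to_string());
        }
    }
    out
}

/// Assumption: the first readable file that names a KDC for the realm wins.
fn discover_kdcs(realm: &str) -> Vec<String> {
    candidate_paths(env::var("KRB5_CONFIG").ok(), env::var("WINDIR").ok()).iter()
        .filter_map(|p| fs::read_to_string(p).ok())
        .map(|conf| kdcs_for_realm(&conf, realm))
        .find(|k| !k.is_empty()).unwrap_or_default()
}

fn main() { println!("{:?} {:?}", kdcs_for_realm(SAMPLE, "TEST.COM"), discover_kdcs("TEST.COM")); }
```

Comparing this output with the host passed to -s, or seen in verbose logs, is a quick way to confirm the client is talking to the intended KDC.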

Credential Cache

The tool saves obtained credentials to a credential cache file:

  • If the KRB5CCNAME environment variable is set, the tool uses that path
  • Otherwise, it creates a file named {principal}.ccache (with @ and / replaced by _)

Supported Encryption Types

The tool supports the following encryption types for both password and keytab authentication:

  • AES256-CTS-HMAC-SHA1-96 (type 18) - Recommended, most secure
  • AES128-CTS-HMAC-SHA1-96 (type 17) - Good security
  • RC4-HMAC (type 23) - Legacy, widely supported

Encryption Type Selection

For password authentication:

  • By default, the tool tries encryption types in order: AES256 → AES128 → RC4
  • Use the -e option to specify a specific encryption type
  • The tool automatically falls back to supported types if the preferred type fails

For keytab authentication:

  • Uses the encryption type from the keytab file entry

Error Handling

Common error scenarios and their meanings:

Password Authentication Errors

  • "Password authentication failed": Incorrect password or unsupported encryption type
  • "Unsupported encryption type": Specified encryption type is not supported (use 18, 17, or 23)
  • "Could not resolve KDC hostname": KDC server hostname cannot be resolved

Keytab Authentication Errors

  • "Keytab file not found": The specified keytab file doesn't exist
  • "Principal not found in keytab": The specified principal doesn't exist in the keytab file
  • "Unsupported key type": The keytab contains unsupported encryption types

General Errors

  • "Could not find KDC for realm": No KDC server found in configuration files
  • "TGT request failed": Authentication failed (network issues, KDC problems, etc.)
  • "Invalid principal format": Principal must be in format username@REALM

Building

cargo build --release

The binary will be available at target/release/kinit.

Testing

Run the test suite:

cargo test

Dependencies

This tool depends on the following Kerberos libraries:

  • awol2005ex_kerbeiros: Core Kerberos functionality
  • awol2005ex_kerberos_keytab: Keytab file parsing
  • awol2005ex_kerberos_crypto: Cryptographic operations

License

This project is licensed under the Apache License 2.0 - see the LICENSE file for details.

Copyright 2024 awol2005ex

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.