Can you use a keytab generated on Windows from Linux? - linux

I am on Linux and I have a java web application container setup with kerberos. I need this java web application container setup so that it can authenticate with an IIS server protected by siteminder + kerberos.
So on Windows, I have generated a keytab file using
ktpass -out serviceaccount.keytab -princ serviceaccount#MYDOMAIN.COM -mapUser serviceaccount -mapOp set -pass YOUR_PASSWORD -crypto ALL -pType KRB5_NT_PRINCIPAL
So that gives me serviceaccount.keytab. Great.
But what about on Linux? Can I just use this keytab file that was generated? Or do I have to run this process again. Something like:
ktutil
addent -password -p serviceaccount#MYDOMAIN.COM -k 1 -e RC4-HMAC
- it will ask you for password of serviceaccount -
wkt serviceaccount.keytab
q
Is the keytab file generated on Windows platform independent? Or does one need to generate it again using linux ktutil?

There are a couple of flavors of Kerberos client tools.
Most common is MIT Kerberos, another one is Heimdal.
I haven't seen Heimdal being used anywhere on our Linux servers, but I know other folks are using it.
For example, when you install krb5-workstation yum package, that will bring MIT Kerberos and not Heimdal.
As long as you use the same flavor of Kerberos tools, keytab generated on Windows will work the same on Linux, and vice versa.

Related

Update SSH ciphers for linux (ubuntu) in Azure Function

I have created an Azure Function to connect to an SFTP server via SSH. The only problem appears to be that needed SSH ciphers are not supported by SSH on the Ubuntu 20.04.4 LTS operating system that the Azure Function is running on. So I'd like to know if there's a way to update the SSH ciphers to the ones I need for the Azure Function on that operating system (without using Docker Hub)?
I read somewhere that you can edit /etc/ssh/sshd_config to get this done, but if that's the way forward, then how is it done (bear in mind that I don't think I have direct access to the operating system in the context of the Azure Function unless I'm mistaken)?
Yes you heard it correct you need to edit edit /etc/ssh/sshd_config to get this done.You can configure encryption algorithms in the configuration file using the Ciphers keyword; the default is 'AnyStdCipher'.
Perform the following steps:
1.In /etc/ssh/sshd_config (server) and /etc/ssh/ssh_config (client), search for Ciphers. The following is the default configuration:
Copy
#Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
2.Uncomment this line and replace it with the following value:
Copy
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
3.Restart SSH by running the service sshd restart command.
reference : https://www.netiq.com/documentation/access-manager-45/security-guide/data/ssh-ciphers.html

SSH to aks Windows node: azureuser#(windows node internal ip address)'s password

I'm trying to SSH into AKS windows node using this reference which created debugging Linux node, and ssh into the windows node from the debugging node. Once I enter the Linux node and try to SSH into the windows node, it asks me to type in azureuser password like below:
azureuser#10.240.0.128's password:
Permission denied, please try again.
What is azureuser#(windows node internal IP address)'s password? Is it my azure service password or is it a WindowsProfileAdminUserPassword that I pass in when I create an AKS cluster using New-AzAksCluster cmdlet? Or is it my ssh keypair password? If I do not know what it is, is there a way I can reset it? Or is there a way I can create a Windows node free from credentials? Any help is appreciated. Thanks ahead!
It looks like you're trying to login with your password, not your ssh key. Look for the explanation between those methods. These are two different authentication methods. If you want to ssh to your node, you need to chose ssh with key authentication. You can do this by running the command:
ssh -i <id_rsa> azureuser#<your.ip.adress>
But before this, you need to create key pair. It is well done described in this section. Then you can create the SSH connection to a Linux node. You have everything described in detail, step by step, in the documentation you provide.
When you configure everything correctly, you will be able to log into the node using the ssh key pair. You won't need a password. When you execute the command
ssh -i <id_rsa> azureuser#<your.ip.adress>
you should see an output like this:
The authenticity of host '10.240.0.67 (10.240.0.67)' can't be established.
ECDSA key fingerprint is SHA256:1234567890abcdefghijklmnopqrstuvwxyzABCDEFG.
Are you sure you want to continue connecting (yes/no)? yes
[...]
Microsoft Windows [Version 10.0.17763.1935]
(c) 2018 Microsoft Corporation. All rights reserved.
When you see Are you sure you want to continue connecting (yes/no)? you need to write yes and confirm using Enter.

Azure Linux web app: change OpenSSL default security level?

In my Azure Linux web app, I'm trying to perform an API call to an external provider, with a certificate. That call fails, while it's working fine when deploying the same code on a Windows app service plan. The equivalent cURL command line is:
curl --cert-type p12 --cert /var/ssl/private/THUMBPRINT.p12 -X POST https://www.example.com
The call fails with the following error:
curl: (58) could not load PKCS12 client certificate, OpenSSL error error:140AB18E:SSL routines:SSL_CTX_use_certificate:ca md too weak
The issue is caused by OpenSSL 1.1.1d, which by defaults requires a security level of 2, and my certificate is signed with SHA1 with RSA encryption:
openssl pkcs12 -in THUMBPRINT.p12 -nodes | openssl x509 -noout -text | grep 'Signature Algorithm'
Signature Algorithm: sha1WithRSAEncryption
Signature Algorithm: sha1WithRSAEncryption
On a normal Linux VM, I could edit /etc/ssl/openssl/cnf to change
CipherString = DEFAULT#SECLEVEL=2
to security level 1, but on an Azure Linux web app, the changes I make to that file are not persisted..
So my question is: how do I change the OpenSSL security level on an Azure web app? Or is there a better way to allow the use of my weak certificate?
Note: I'm not the issuer of the certificate, so I can't regenerate it myself. I'll check with the issuer if they can regenerate it, but in the meantime I'd like to proceed if possible :)
A call with Microsoft support led me to a solution. It's possible to run a script whenever the web app container starts, which means it's possible to edit the openssl.cnf file before the dotnet app in launched.
To do this, navigate to the Configuration blade of your Linux web app, then General settings, then Startup command:
The Startup command is a command that's ran when the container starts. You can do what you want, but it HAS to launch your app, because it's no longer done automatically.
You can SSH to your Linux web app, and edit that custom_startup.sh file:
#!/usr/sh
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
# run the dotnet website
cd /home/site/wwwroot
dotnet APPLICATION_DLL_NAME.dll
The relevant doc can be found here: https://learn.microsoft.com/en-us/azure/app-service/containers/app-service-linux-faq#built-in-images
Note however that the Startup command is not working for Azure Functions (at the time of writing May 19th, 2020). I've opened an issue on Github.
To work around this, I ended up creating custom Docker images:
Dockerfile for a webapp:
FROM mcr.microsoft.com/appsvc/dotnetcore:3.1-latest_20200502.1
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf
Dockerfile for an Azure function:
FROM mcr.microsoft.com/azure-functions/dotnet:3.0.13614-appservice
# allow weak certificates (certificate signed with SHA1)
# by downgrading OpenSSL security level from 2 to 1
RUN sed -i 's/SECLEVEL=2/SECLEVEL=1/g' /etc/ssl/openssl.cnf

How to test HTTPS rest from command line

I'm having a problem I can't seem to solve on my own:
I have to request RESTful services but the RESTful services use HTTPs protocol.
I've created the client and it is deployed in WebLogic
I've downloaded the certificate using the browser and I've installed it in JAVA using the following command (In my linux server):
"keytool -import -alias myalias -keystore /jdk1.8.0_101/jre/lib/security/cacerts -file certificado.com.crt"
I need to test that it works...
First, How can I test the RESTful services from command line?
Second, Do I need to install the certificate in WebLogic? If yes, How can I do it?
JAVA: jdk1.8.0_101
WebLogic: 12.1.3.0.0
The certificate must be installed on the system that's making the request. It's not about weblogic, it's about the local sertificate vault of the machine. You don't need to install the certificate on weblogic. You may want to take a look at this.
Then you can use wget or curl, just keep in mind that wget just makes get requests while curl do all types of requests.

Executing exe or bat file on remote windows machine from *nix

I am trying to execute a bat file on remote windows machine on cloud from my Linux. The bat files starts selenium server and then my selenium tests are run. I am not able to start selenium RC server on that machine. I tried with Telnet but the problem with it is when telnet session is closed the RC server port is also closed. As my code my code has to start the server so I tried with ANT telnet task and also executed shell script of telnet in both ways the port was closed.
I read about Open SSH, psexec for linux and cygwin. But i am not getting how to use these and will they will solve my problem.
I have tried to start a service which will start the server but in this method i am not getting browser visible all tests are running in background as my script takes screen shot browser visibility is must.
Now my Question is what to use and which will be preferable for my job.
and what ever i choose should be executed by code it may be by shell, ant or php.
Thanks in advance.
Let's go through the various options you mentioned:
psexec: This is pretty much a PC only thing. Plus, you must make sure that newer Windows machines can get through the UAC that are setup by default. UAC is the thing you see all the time on Vista and Windows 7 when you try to do something that requires administrator's privileges. You can try something called winexe which is a Linux program that can do the psexec protocol, but I've had problems getting it to work.
OpenSSH: There are two main flavors of SSH, and Open SSH is the one used by the vast majority of sites. SSH has several advantages over other methods:
SSH is secure: Your network traffic is encrypted.
SSH can be password independent: You can setup SSH to use private/public keys. This way, you don't even have to know the password on the remote server. This makes it more secure since you don't have passwords being stored on various systems. And, in many Windows sites, passwords have to be changed every month or so or the account is locked.
SSH can do more than just execute remote commands: There are two sub-protocols on SSH called SCP and SFTP. These allow you to transfer files between two machines. Since they work over SSH, you get all of the advantages of SSH including encrypted packets, and public/private key protection.
SSH is well implemented in the Unix World: You'll find SSH clients built into Ant, Maven, and other build tools. Programs like CVS, Subversion, and Git can work over SSH connections too. Unfortunately, the Windows World operates in a different space time dimension. To use SSH on a Windows system requires third party software like Cygwin.
Cygwin: Cygwin is sort of an odd beast. It's a layer on top of Windows that allows many of the Unix/GNU libraries to work over Windows. It was originally developed to allow Unix developers to run their software on Windows DOS systems. However, Cygwin now contains a complete Unix like system including tools such as Perl and Python, BASH shell, and many utilities such as an SSH server. Since Cygwin is open source, you can download it for free and run SSH server. Unfortunately, I've had problems with Cygwin's SSH server. Another issue: If you're running programs remotely, you probably want to run them in a Windows environment and not the Cygwin environment.
I recommend that you look at WinSSHD from Bitvise. It's an OpenSSH implementation of the SSH Server, but it's not open source. It's about $100 per license and you need a license on each server. However, it's a robust implementation and has all of the features SSH has to offer.
You can look at CoSSH which is a package of Cygwin utilities and OpenSSH server. This is free and all open source, but if you want an easy way of setting it up, you have to pay for the Advanced Administrator Console. You don't need the Advanced Administrator Console since you can use Cygwin to set everything up, and it comes with a basic console to help.
I prefer to use cygwin and use SSH to then log in to the windows machine to execute commands. Be aware that, by default, cygwin doesn't have OpenSSH installed.
Once you have SSH working on the windows machine you can run a command on it from the Linux machine like this:
ssh user#windowsmachine 'mycommand.exe'
You can also set up ssh authentication keys so that you don't need to enter a password each time.
I've succeeded to run remote command on W2K3 via EXPECT on Debian Buster. Here is the script of mine:
#!/usr/bin/expect
#
# execute the script in the following manner:
#
# <script> <vindoze> <user> <password> <command>
#
#
set timeout 200
set hostname [lindex $argv 0]
set username [lindex $argv 1]
set password [lindex $argv 2]
set command [lindex $argv 3]
spawn telnet $hostname
expect "login:"
send "$username\r"
expect "password:"
send "$password\r"
expect "C:*"
send "dir c:\\tasks\\logs \r"
# send $command
expect "C:*"
send "exit\r\r\r"
Bear in mind that you need to enable TELNET service of the Win machine and also the user which you are authenticated with must be member of TelnetClients built-in Win group. Or as most of the Win LazyMins do - authenticate with Admin user ;)
I use similar "expect" script for automated collecting & backup configuration of CLI enabled network devices like Allied Telesyn, Cisco, Planet etc.
Cheers,
LAZA
Not a very secure way, but if you have a running webserver you can use PHP or ASP to trigger a system command. Just hide thgat script under www.myserver.com/02124309c9867a7616972f52a55db1b4.php or something. And make sure the command are fixed written in the code, not open via parameter ...

Resources