Kerberos authentication in a container

This is a quick one.

We have a bot which uses Kerberos for authentication with other services. Of course we run our bot army as containers in OpenShift.

How do we do it? How can we use Kerberos inside Linux containers?

…and not get eaten by errors such as

klist: Invalid UID in persistent keyring name while resolving ccache KEYRING:persistent:1000:krb_ccache_H2AfxtO

or

klist: Invalid UID in persistent keyring name while resolving ccache KEYRING:persistent:1000

or

klist: Invalid UID in persistent keyring name while getting default ccache

Solution

The main issue is that Kerberos by default stores credentials inside the kernel keyring. The keyring is not namespaced, so accessing it from a container is a privileged operation, as the keyctl call shows:

[pid 19198] keyctl(KEYCTL_GET_PERSISTENT, 1000, KEY_SPEC_PROCESS_KEYRING) = -1 EPERM (Operation not permitted)

EDIT Feb 2022: Keyrings are now aware of namespaces.

The solution is really easy: just change how the ticket-granting ticket (TGT) is stored, and that's it. We'll store it in a file and we're done.

EDIT Feb 2022: I wasn't able to store the TGT in the (namespaced) kernel keyring in an unprivileged container, so the solution still applies.

So let's launch a container using podman; we'll bind-mount the Kerberos configuration from the host into the container. Notice: no --cap-add nor --privileged.

+ podman run -it -v /etc/krb5.conf:/etc/krb5.conf -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ fedora:35 bash

We should install Kerberos tooling now:

[root@157d96c3df2e /]# dnf install fedora-packager-kerberos
Last metadata expiration check: 0:00:37 ago on Tue Feb 15 09:19:06 2022.
Dependencies resolved.
=================================================================================
 Package                                                             Architecture
=================================================================================
Installing:
 fedora-packager-kerberos                                            noarch      
Installing dependencies:
 krb5-pkinit                                                         x86_64      
 krb5-workstation                                                    x86_64      
 libkadm5                                                            x86_64      
 libss                                                               x86_64      

Transaction Summary
=================================================================================
Install  5 Packages

Total download size: 779 k
Installed size: 3.6 M
Is this ok [y/N]: y

And now we’ll do the magic trick: we’ll tell Kerberos to store the TGT inside /tmp/tgt:

[root@101ff1a35d4d /]# export KRB5CCNAME=FILE:/tmp/tgt

Primetime!

[root@101ff1a35d4d /]# kinit ttomecek@FEDORAPROJECT.ORG
Password for ttomecek@FEDORAPROJECT.ORG:
[root@101ff1a35d4d /]# klist
Ticket cache: FILE:/tmp/tgt
Default principal: ttomecek@FEDORAPROJECT.ORG

Valid starting     Expires            Service principal
05/14/18 13:12:57  05/15/18 13:12:51  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 05/21/18 13:12:51

Obviously, this is insecure, since anyone who can read that file gets the ticket. Please make sure that your containers are secure and that you know what you are running inside them.
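As an added example (not code from the original post), here is a small POSIX shell helper that rejects keyring-backed cache names like the ones in the errors above and creates the file cache the post uses with owner-only permissions, so the ticket is not readable by everyone in the container. The function names are assumptions made here; the kinit call is left commented out because it prompts for a password.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a POSIX shell with
# mktemp and chmod; kinit/klist run only when the Kerberos tooling exists.

# ccache_type VALUE: print the cache type of a KRB5CCNAME value.
# A value without a "TYPE:" prefix is a plain path, i.e. a FILE cache.
ccache_type() {
    case "$1" in
        *:*) printf '%s\n' "${1%%:*}" ;;
        *)   printf 'FILE\n' ;;
    esac
}

# container_safe_ccache VALUE: succeed (0) only for cache types that need
# nothing but a writable filesystem. KEYRING needs the kernel keyring, which
# fails with EPERM in an unprivileged container (see the strace line above).
container_safe_ccache() {
    case "$(ccache_type "$1")" in
        FILE|DIR) return 0 ;;
        *)        return 1 ;;
    esac
}

# make_private_ccache [DIR]: create a 0600 cache file inside a fresh 0700
# directory under DIR (default /tmp) and print the KRB5CCNAME value to export.
make_private_ccache() {
    base="${1:-/tmp}"
    dir=$(mktemp -d "$base/krb5cc.XXXXXX") || return 1
    chmod 700 "$dir"
    : > "$dir/tgt"
    chmod 600 "$dir/tgt"
    printf 'FILE:%s\n' "$dir/tgt"
}

# Usage inside the container, mirroring the post's kinit/klist session.
if command -v kinit >/dev/null 2>&1; then
    KRB5CCNAME=$(make_private_ccache) && export KRB5CCNAME
    container_safe_ccache "$KRB5CCNAME" || echo "unsafe ccache: $KRB5CCNAME" >&2
    # kinit ttomecek@FEDORAPROJECT.ORG   # prompts for the password as in the post
    klist 2>/dev/null || true
fi
```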

The same thing with docker:

+ docker run -it -v /etc/krb5.conf:/etc/krb5.conf -v /etc/krb5.conf.d/:/etc/krb5.conf.d/ fedora-with-krb5-workstation bash
[ddbd@a9c95325be85 ~]$ export KRB5CCNAME=FILE:/tmp/tgt
[ddbd@a9c95325be85 ~]$ kinit ttomecek@FEDORAPROJECT.ORG
Password for ttomecek@FEDORAPROJECT.ORG:
[ddbd@a9c95325be85 ~]$ klist
Ticket cache: FILE:/tmp/tgt
Default principal: ttomecek@FEDORAPROJECT.ORG

Valid starting       Expires              Service principal
05/14/2018 13:08:29  05/15/2018 13:08:14  krbtgt/FEDORAPROJECT.ORG@FEDORAPROJECT.ORG
        renew until 05/21/2018 13:08:14