Kerberos on Linux
Status: Scaffold — content in progress
Linux uses MIT Kerberos (not Microsoft's implementation) for authentication, but it is fully interoperable with AD Kerberos (RFC 4120 + MS extensions).
Credential Cache Types
| Type | Location | Description |
|---|---|---|
| FILE | /tmp/krb5cc_<uid> | File on disk — stealable |
| DIR | Directory of files | Per-service caches |
| KEYRING | Kernel keyring | In-memory, more secure |
| KCM | sssd-kcm daemon | SSSD-managed, harder to steal |
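The table above separates caches that are plain files on disk from caches that are not. As an added example (not code from this page or from MIT krb5), the following Python script does the two checks a defender would run on a Linux host: it reads which cache type `default_ccache_name` in `krb5.conf` selects (falling back to MIT's compiled-in `FILE:/tmp/krb5cc_%{uid}` when unset; distributions may ship an override under `/etc/krb5.conf.d/`), and it audits a directory of `FILE` caches for the two things that make them easy to copy: the file is owned by a different uid than its name claims, or it is readable by group/other. The `krb5.conf` lookup is a simplified regex, not a full parser, and the demo caches are constructed placeholder files containing only the ccache magic bytes, not real tickets. It assumes Linux and Python 3.

```python
"""Audit Kerberos credential cache configuration and FILE caches on a Linux host.
Added example for this page, not MIT krb5 code. Demo files are constructed stand-ins."""
import os
import re
import stat
import tempfile

# MIT's compiled-in default when krb5.conf sets nothing (distros may override it).
MIT_DEFAULT_CCACHE = "FILE:/tmp/krb5cc_%{uid}"

# krb5cc_<uid> or krb5cc_<uid>_<random> as created by kinit / pam_krb5 / sssd.
CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_[A-Za-z0-9]+)?$")

ASSESSMENT = {
    "FILE": "weak: ticket file on disk, copyable by the owning uid or root",
    "DIR": "weak: directory of ticket files on disk",
    "KEYRING": "better: kernel keyring, nothing on disk to copy",
    "KCM": "better: held by sssd-kcm, access mediated over its socket",
}


def classify_default_ccache(krb5_conf_text):
    """Return (cache_type, assessment) for default_ccache_name in krb5.conf text.
    Simplified: a single regex, no section handling (assumption for this example)."""
    m = re.search(r"^\s*default_ccache_name\s*=\s*(\S+)", krb5_conf_text, re.M)
    name = m.group(1) if m else MIT_DEFAULT_CCACHE
    ctype = name.split(":", 1)[0].upper()
    return ctype, ASSESSMENT.get(ctype, "unknown cache type, review manually")


def audit_ccache_dir(directory):
    """Return [(filename, issue)] for FILE caches in `directory`; empty means clean."""
    findings = []
    for name in sorted(os.listdir(directory)):
        m = CCACHE_NAME.match(name)
        if not m:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)          # lstat: a symlink planted in /tmp is itself a finding
        claimed_uid = int(m.group(1))
        if not stat.S_ISREG(st.st_mode):
            findings.append((name, "not a regular file (symlink or other)"))
            continue
        if st.st_uid != claimed_uid:
            findings.append((name, f"owned by uid {st.st_uid} but named for uid {claimed_uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((name, f"group/other permissions set (mode {mode:04o}); expected 0600"))
    return findings


def build_demo_dir():
    """Create a throwaway directory with constructed sample caches and audit it.
    Returns (directory, findings). The files hold only the ccache v4 magic, no tickets."""
    d = tempfile.mkdtemp(prefix="ccache-audit-")
    me = os.getuid()
    samples = (
        (f"krb5cc_{me}", 0o600),           # correct owner and mode: no finding
        (f"krb5cc_{me}_AbC123", 0o644),    # world-readable: finding
        (f"krb5cc_{me + 1}", 0o600),       # named for another uid but owned by us: finding
    )
    for name, mode in samples:
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"\x05\x04")          # constructed placeholder, not a real cache
        os.chmod(p, mode)
    return d, audit_ccache_dir(d)


if __name__ == "__main__":
    # Constructed krb5.conf fragments: the weak default beside a hardened one.
    weak_conf = "[libdefaults]\n default_realm = EXAMPLE.TEST\n"
    hardened_conf = weak_conf + " default_ccache_name = KEYRING:persistent:%{uid}\n"
    for label, text in (("unset", weak_conf), ("hardened", hardened_conf)):
        print(label, classify_default_ccache(text))
    directory, findings = build_demo_dir()
    print("audit of", directory)
    for name, issue in findings:
        print(f"  {name}: {issue}")
```

Run it as root against `/tmp` on a real host (`audit_ccache_dir("/tmp")`) to list caches another user could read; the same ownership/mode logic applies to `DIR:` caches, which are just directories of such files.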
Keytab Files
A keytab (/etc/krb5.keytab) contains long-term key material for machine/service accounts. If stolen:
- Use `kinit -k -t /etc/krb5.keytab host/machine@DOMAIN` to get a TGT as the service account
- Persistent access until the keytab is revoked
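Because a stolen keytab stays usable until the service key is rotated, the practical question for a defender is which principals and key versions (kvno) a given keytab holds, and whether a rotation actually bumped the kvno for each of them. The following Python script is an added example, not code from this page or from MIT krb5: it parses the MIT keytab file format (version 0x0502, all big-endian: per entry a signed 32-bit size, component count, realm, components, name type, timestamp, 8-bit kvno, enctype and key, and an optional 32-bit kvno that overrides the 8-bit one when non-zero), lists entries without returning key bytes, and compares a "before" and "after" keytab to report principals whose kvno did not change. The `build_keytab` helper exists only to construct the sample keytabs inline; the principals, realm `EXAMPLE.TEST`, timestamps and dummy key bytes are constructed values.

```python
"""Inventory an MIT keytab without exposing keys, and check which principals a
stolen copy would still work for after a rotation. Added example for this page,
not MIT krb5 code; the sample keytabs below are constructed with dummy keys."""
import struct

KEYTAB_V2 = 0x0502             # file_format_version written by MIT krb5
KRB5_NT_PRINCIPAL = 1          # name_type for ordinary principals
AES256_CTS_HMAC_SHA1_96 = 18   # enctype number from RFC 3962


def _counted(buf, off):
    """Read a counted_octet_string (uint16 length + bytes) at `off`."""
    (n,) = struct.unpack_from(">H", buf, off)
    return bytes(buf[off + 2:off + 2 + n]), off + 2 + n


def parse_keytab(data):
    """Return a list of entries (principal, kvno, enctype, timestamp, key_len).
    Key bytes are deliberately not returned. Entries with negative size are
    holes left by deletion and are skipped."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_V2:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                  # deleted entry: skip |size| bytes
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno, overrides vno8 if non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "timestamp": timestamp,
            "key_len": len(key),
        })
        off = end
    return entries


def build_keytab(specs):
    """Construct a v2 keytab from (principal, kvno, enctype, key_bytes, timestamp).
    Used here only to build constructed samples; real keytabs come from ktutil/adcli."""
    out = bytearray(struct.pack(">H", KEYTAB_V2))
    for princ, kvno, enctype, key, ts in specs:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def unrotated_principals(before, after):
    """Principals whose highest kvno is identical in both keytabs: a copy of
    `before` taken earlier still authenticates as them."""
    def highest(kt):
        h = {}
        for e in parse_keytab(kt):
            h[e["principal"]] = max(h.get(e["principal"], 0), e["kvno"])
        return h
    a, b = highest(before), highest(after)
    return sorted(p for p in a if p in b and a[p] == b[p])


# Constructed samples: a keytab as stolen, and the host's keytab after only the
# host/ principal was re-keyed. Key bytes are dummies, not real keys.
HOST = "host/web01.example.test@EXAMPLE.TEST"
HTTP = "HTTP/web01.example.test@EXAMPLE.TEST"
SAMPLE_STOLEN = build_keytab([
    (HOST, 3, AES256_CTS_HMAC_SHA1_96, b"\x11" * 32, 1700000000),
    (HTTP, 3, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 1700000000),
])
SAMPLE_AFTER_ROTATION = build_keytab([
    (HOST, 4, AES256_CTS_HMAC_SHA1_96, b"\x33" * 32, 1700100000),
    (HTTP, 3, AES256_CTS_HMAC_SHA1_96, b"\x22" * 32, 1700000000),
])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_STOLEN):
        print(f"{e['principal']}  kvno={e['kvno']}  enctype={e['enctype']}")
    print("still valid for a copy of the old keytab:",
          unrotated_principals(SAMPLE_STOLEN, SAMPLE_AFTER_ROTATION))
```

On a real host, compare a known-good copy (or the output of `klist -k -t /etc/krb5.keytab`) against the current file after a rotation; any principal listed by `unrotated_principals` still needs its key changed before the theft is actually contained.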
Attacks
| Attack | Tool | What you get |
|---|---|---|
| ccache theft | klist, copy .ccache file | Reuse Kerberos tickets — Pass-the-Ticket on Linux |
| Keytab theft | Copy /etc/krb5.keytab | Long-term Kerberos authentication as service account |
Cross-Links
| Topic | Link |
|---|---|
| Pass-the-Ticket | pass-the-ticket |
| Linux SSSD | linux-sssd |