# checker-kerberos happyDomain checker that audits a Kerberos realm from its DNS records. Starting from the realm name (or from the SRV records grouped under the `abstract.Kerberos` service), the checker performs a series of **anonymous probes**, and an optional **authenticated round-trip** when credentials are supplied, to give a complete picture of the realm's availability and security posture. ## What gets checked - SRV layout, `_kerberos._tcp.`, `_kerberos._udp.`, `_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`, `_kpasswd._udp.`. - Forward resolution of every SRV target (A + AAAA). - TCP reachability of each KDC/kadmin/kpasswd host. - UDP reachability of the KDC via a real AS-REQ. - Anonymous AS-REQ probe: realm confirmation, supported enctypes (from `ETYPE-INFO2`), PKINIT hint (`PA-PK-AS-REQ`), clock skew. - Weak enctype detection (DES / RC4). - Optional authenticated round-trip when `principal` and `password` are supplied: TGT acquisition then TGS-REQ for `targetService`. The HTML report surfaces the most common misconfigurations with a direct remediation hint: | Failure | Hint | | --- | --- | | No SRV records | publish `_kerberos._tcp.REALM. SRV …` | | SRV target DNS failure | add A/AAAA for the target | | Port 88 unreachable | open TCP+UDP 88 inbound | | Clock skew > max | run ntpd/chrony | | Weak enctypes only | switch to `aes256-cts-hmac-sha1-96` | | Wrong realm in reply | fix `default_realm` / realm config | | AS-REP roasting exposure | enable `requires_preauth` | ## Rules | Code | Description | Severity | |--------------------------------|---------------------------------------------------------------------------------------------------|---------------------| | `kerberos.srv_present` | Verifies that at least one _kerberos._tcp / _kerberos._udp SRV record is published for the realm. | CRITICAL | | `kerberos.kdc_reachable` | Verifies that at least one KDC endpoint (TCP/UDP 88) accepts a connection. | CRITICAL | | `kerberos.as_probe` | Verifies that the anonymous AS-REQ probe received a sane reply (KRB-ERROR or AS-REP). | CRITICAL | | `kerberos.realm_match` | Verifies the KDC answers for the expected realm name. | CRITICAL | | `kerberos.preauth_required` | Flags KDCs that return an AS-REP without requiring pre-authentication (AS-REP roasting exposure). | WARNING | | `kerberos.clock_skew` | Verifies the KDC clock is within tolerance of the checker's clock. | CRITICAL | | `kerberos.enctypes` | Reviews the encryption types advertised by the KDC, flagging DES/RC4-only configurations. | CRITICAL | | `kerberos.kadmin_reachable` | Flags kadmin endpoints that are published via SRV but not reachable. | WARNING | | `kerberos.kpasswd_reachable` | Flags kpasswd endpoints that are published via SRV but not reachable. | WARNING | | `kerberos.auth_tgt` | Verifies the supplied principal/password can obtain a TGT (only runs when credentials are supplied). | CRITICAL | | `kerberos.auth_tgs` | Verifies a TGS-REQ succeeds for the supplied target service (only runs when credentials and targetService are supplied). | WARNING | ## Build ```sh make # standalone binary make plugin # shared object for happyDomain make docker # container image ``` ## Run ```sh ./checker-kerberos -listen :8080 ``` ## Deployment The HTTP listener has no built-in authentication or rate-limiting, and will issue DNS queries and Kerberos AS-REQ / TGS-REQ exchanges against whatever realm and KDCs the caller asks for. When a `principal` and `password` are supplied, those credentials are forwarded to the target KDC over the network as part of an authenticated round-trip. It is meant to run on a trusted network, reachable only by the happyDomain instance that drives it. Restrict access via a reverse proxy with authentication, a network ACL, or by binding the listener to a private interface; do not expose it directly to the public internet.