# checker-kerberos

happyDomain checker that audits a Kerberos realm from its DNS records.

Starting from the realm name (or from the SRV records grouped under the
`abstract.Kerberos` service), the checker performs a series of
**anonymous probes** — and an optional **authenticated round-trip** when
credentials are supplied — to give a complete picture of the realm's
availability and security posture.

## What gets checked

- SRV layout — `_kerberos._tcp.`, `_kerberos._udp.`,
  `_kerberos-master._tcp.`, `_kerberos-adm._tcp.`, `_kpasswd._tcp.`,
  `_kpasswd._udp.`.
- Forward resolution of every SRV target (A + AAAA).
- TCP reachability of each KDC/kadmin/kpasswd host.
- UDP reachability of the KDC via a real AS-REQ.
- Anonymous AS-REQ probe: realm confirmation, supported enctypes
  (from `ETYPE-INFO2`), PKINIT hint (`PA-PK-AS-REQ`), clock skew.
- Weak enctype detection (DES / RC4).
- Optional authenticated round-trip when `principal` and `password`
  are supplied: TGT acquisition then TGS-REQ for `targetService`.

The HTML report surfaces the most common misconfigurations with a
direct remediation hint:

| Failure | Hint |
| --- | --- |
| No SRV records | publish `_kerberos._tcp.REALM. SRV …` |
| SRV target DNS failure | add A/AAAA for the target |
| Port 88 unreachable | open TCP+UDP 88 inbound |
| Clock skew > max | run ntpd/chrony |
| Weak enctypes only | switch to `aes256-cts-hmac-sha1-96` |
| Wrong realm in reply | fix `default_realm` / realm config |
| AS-REP roasting exposure | enable `requires_preauth` |

## Build

```sh
make                         # standalone binary
make plugin                  # shared object for happyDomain
make docker                  # container image
```

## Run

```sh
./checker-kerberos -listen :8080
```