
I had to "sporadically" work with Heimdal / MIT GSSAPI for Kerberos authentication over the past couple of years. I had to build an application that was to be used as a web service running on a Linux box, and serve client applications like browsers running on Windows and/or Linux desktops and workstations. Surely not the easiest of beasts to tame. Eventually, when summarizing my work, I could record that the difficulties emanated from challenges in multiple dimensions. Getting started with GSSAPI programming is truly a challenge just because of poor documentation and practically non-existent tutorials. Googling mostly results in either some theoretical discussion on what Kerberos is, or leads to content written with the presumption that you already know everything besides some particular semantic issue. Some really good hacks around here helped me, so I suppose it would be a good idea to summarize the stuff, from a developer's perspective, and share it here as some sort of a wiki, to give something back to this fantastic place and to fellow programmers.

I haven't really done a wiki like this before, and I am surely no authority on GSSAPI or Kerberos, so please be kind, but more than that please contribute and correct my mistakes. Site editors, I am counting on you to do your magic ;)

Getting your project completed successfully will require 3 specific things to be done correctly:

  1. Setup of your test environment
  2. Setup of your libraries
  3. Your code

As I said already, such projects are beasts, just because all three haven't been put together on the same page anywhere.

OK, so let's begin at the beginning.

Unavoidable theory for a newbie

GSSAPI helps a client application to provide credentials for a server to authoritatively identify the user. Extremely useful, because the server applications can modulate their served responses, if they wish to, as per the user. Very naturally, therefore, both the client and the server applications must be kerberized, or as some would state, Kerberos-aware.

Kerberos-based authentication requires both the client and server applications to be members of a Kerberos Realm. The KDC (Kerberos Domain Controller) is the designated authority that rules the realm. Microsoft's AD servers are one of the most popularly experienced examples of a KDC, though you can of course be using a *NIX-based KDC. But surely without a KDC there can be no Kerberos business at all. Desktops, servers & workstations joined into the domain identify each other as long as all of them remain joined into the domain.

For your initial experiments, set up the client & server applications in the same realm, though Kerberos authentication can surely also be used across realms by creating trusts between the KDCs of these realms, or even by merging keytabs from different KDCs that do not trust each other. Your code will not really need any change to accommodate such different and complex-sounding scenarios.

Kerberos Authentication basically works via "tickets (or tokens)". When a member joins the realm, the KDC "grants tokens" to each of them. These tokens are unique; time and FQDN are essential factors for these tickets.

Before you even think of the very first line of your code make sure you have got these two right:

Pitfall #1: When you set up your development and test environment, make sure everything is tested and addressed as FQDN. For example, if you want to check connectivity, ping using the FQDN, not the IP. Needless to say, therefore, they must necessarily have the same DNS service configuration.

Pitfall #2: Make sure all the host systems that are running your KDC, client software and server software have the same time server. Time synchronization is something that one forgets, and realizes to be amiss after a lot of hair-splitting and head-banging!

Both the client and the server applications NEED Kerberos keytabs. So if your application is going to run on a *NIX host and be a part of a Microsoft domain, you have to get a Kerberos keytab generated before we start to look at the remaining preparatory steps for GSS programming.

Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability at is an absolute must-read.

GSS-API Programming Guide is an excellent bookmark.

Depending upon your *NIX distribution you can install the headers & libraries for building your code. My suggestion however is to download the source and build it yourself. Yes, you might not get it right at one go, but it surely is worth the trouble.

Pitfall #3: Make sure that your application is running in a Kerberos-aware environment. I really learnt this the hard way, but maybe because I am not so smart. In my earliest stages of the GSSAPI programming struggle, I had discovered that Kerberos keytabs were absolutely necessary for making my application Kerberos-aware. But I simply couldn't find anything about how to load these keytabs in my application. You know why?!! Because no such API exists!!! Because the application is to be run in an environment which is aware of the keytabs. OK, let me make this simple: your application that is supposed to do the GSSAPI / Kerberos things has to run after you have set the environment variable KRB5_KTNAME to the path where you have stored the keytabs. So either you do something like:

export KRB5_KTNAME=<path/to/your/keytab>

or make use of setenv to set KRB5_KTNAME in your application sufficiently before the very first line of your code that uses GSSAPI is run.
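As an added example (not the poster's code), here is a small C pre-flight routine for Pitfalls #1 and #3: it exports KRB5_KTNAME before any gss_* call and then verifies that the named file is really a keytab. The names keytab_preflight and write_sample_keytab are my own, and the keytab header check (byte 0x05 followed by version 0x01 or 0x02) is assumed sufficient to catch a wrong path.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv(), mkstemp() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Non-zero means: fix the environment, do not call any gss_* function yet. */
enum preflight { PF_OK = 0, PF_HOST_NOT_FQDN, PF_KEYTAB_UNREADABLE, PF_KEYTAB_BAD_MAGIC };
/* Pitfall #1: address everything by FQDN; a bare short name is the usual slip. */
static int host_is_fqdn(const char *host)
{
    const char *dot = strchr(host, '.');
    return dot != NULL && dot != host && dot[1] != '\0';
}
/* A krb5 keytab file starts with byte 0x05 followed by the format version (0x01
 * or 0x02). Checking it catches a KRB5_KTNAME that names the wrong file early. */
static int keytab_magic(const char *path)
{
    unsigned char hdr[2];
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;                     /* missing or not readable */
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return n == 2 && hdr[0] == 0x05 && (hdr[1] == 0x01 || hdr[1] == 0x02);
}
/* Pitfall #3: export KRB5_KTNAME before the first gss_* call, then verify the
 * file it names. The value may carry the optional "FILE:" prefix. */
enum preflight keytab_preflight(const char *service_host, const char *keytab)
{
    if (!host_is_fqdn(service_host)) return PF_HOST_NOT_FQDN;
    if (setenv("KRB5_KTNAME", keytab, 1) != 0) return PF_KEYTAB_UNREADABLE;
    const char *path = strncmp(keytab, "FILE:", 5) == 0 ? keytab + 5 : keytab;
    int m = keytab_magic(path);
    if (m < 0) return PF_KEYTAB_UNREADABLE;
    if (m == 0) return PF_KEYTAB_BAD_MAGIC;
    return PF_OK;   /* safe to go on to gss_import_name() / gss_acquire_cred() */
}
/* Test helper: writes a constructed 2-byte keytab header to a temp file and returns
 * its path (with "FILE:" if asked). Real keytabs come from ktpass/ktutil, not here. */
const char *write_sample_keytab(unsigned char version, int with_file_prefix)
{
    static char buf[] = "FILE:/tmp/keytab_preflight_XXXXXX";
    char *path = buf + 5;
    strcpy(path, "/tmp/keytab_preflight_XXXXXX");     /* reset the template */
    int fd = mkstemp(path);
    if (fd < 0) return NULL;
    unsigned char hdr[2] = { 0x05, version };
    ssize_t w = write(fd, hdr, sizeof hdr);
    close(fd);
    return w == 2 ? (with_file_prefix ? buf : path) : NULL;
}
```

Call keytab_preflight() at the top of main(), before the first gss_import_name()/gss_acquire_cred(), and refuse to start the service on anything but PF_OK.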

We are now ready to do the necessary things in the application's code.

I understand there are quite a few other aspects that must be reviewed by the application developer to write and test an application. I know of a few environment variables that can be important.

Can anybody please shed some more light upon that?

mdk
  • If you want to post this type of content here, you need to make sure you actually ask a Stack Overflow-type question, and answer it (you can do both at the same time in the "Ask Question" interface). As it is, your post doesn't fit. – Mat Jan 13 '14 at 12:21
  • @Mat: I do see your point, but not sure about how I go about it practically. I thought I could start a Wiki-like page here, add bits to it as I get time, and that could be community-edited and enriched. Hoping this catches the eye of some editor, who can re-cycle this post. – mdk Jan 13 '14 at 12:55
  • That's not how this site works. It's a Q&A site, not a Wikipedia clone. Your post is likely to get closed if it stays in this format. – Mat Jan 13 '14 at 12:56
  • The statement "The kerberos based authentication, requires both the client and server applications, to be members of the same Kerberos Realm." is incorrect. Kerberos is satisfied as long as there is a trust between two different realms. Both do not need to be in the same realm. – Michael-O Jan 15 '14 at 09:40
  • Do you recommend MIT kerberos or Heimdal? – Brian Schlenker Feb 19 '14 at 22:05
  • @BrianSchlenker For development of KRB-aware applications I personally prefer Heimdal, my reasons: MIT has some US govt. export restrictions, and Heimdal documentation is just a little bit better; compiling Heimdal from source is a bit easier. Overall concepts, and operational things like env variables etc. are similar. – mdk Feb 21 '14 at 07:49
  • Great work! I suggest that you change your post to a simple question (How to use gssapi in C++ ?) and put everything in an answer. That's how Q&A are done usually on SO. Maybe you could explicitly write Fully Qualified Domain Name (I had to google that one). It's a shame such a good question / answer only has a few upvotes. – Arnaud Apr 21 '15 at 17:10
  • No such thing as "C/C++". Pick a language. – Lightness Races in Orbit Oct 08 '15 at 10:40
  • I'm voting to close this question as off-topic because it's a wiki article, not a question. – paxdiablo Nov 19 '15 at 04:31
  • I'm voting to close this question as off-topic because it's not a question. – Constantin Jan 27 '16 at 05:27
  • Great Wiki. Thank you. – displayName Jun 03 '20 at 18:06
