0

I'm currently learning about Kerberos and all the details of it. Learned how to set up a Kerberos KDC and admin server on Ubuntu, and I can now create user principals and get a TGT using kinit etc.

What I didn't get is how an application authenticates users. I get the theory, but I want to see it in action. So what I want to do is write a small HTTP application in Linux (C/C++) and have it authenticate users based on Kerberos tickets.

I've been searching the web but couldn't find anything. Could someone give me a hint where to start?

YoavKlein
  • 2,005
  • 9
  • 38

3 Answers

0

Turn on tracing for Kerberos on Linux; this is easy (do this first, it will start giving you feedback):

export KRB5_TRACE=/dev/stdout

Then you could use curl as @Michael-O said, but with verbose logging turned on, which would help you get a feel for things (as described here). Check the curl version:

$ curl -V   # it should support the feature "GSS-Negotiate"

Log in using kinit:

$ kinit

Use curl:

$ curl -v --negotiate -u : -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:14000/webhdfs/v1/?op=liststatus

The "--negotiate" option enables SPNEGO.

The "-u" option is required but ignored (the principal specified during kinit is used).

The "-b" and "-c" options are used to store and send HTTP cookies.

SPNEGO is an authentication mechanism that knows how to facilitate Kerberos via GSS-Negotiate. This would be the fastest way to get a feel for things, but it's a lot of logs and not always the most clear.

Matt Andruff
  • 4,974
  • 1
  • 5
  • 21
  • 1. SPNEGO is NOT an authorization mechanism, 2. Kerberos does NOT negotiate. – Michael-O Jan 15 '22 at 09:08
  • @Michael-O - SPNEGO facilitates the authorization engine. Probably it could loosely be called an authorization mechanism/component. If you want to add more to the conversation maybe you could explain your opinions. – Matt Andruff Jan 16 '22 at 16:40
  • Still wrong, read the difference between authentication and authorization. – Michael-O Jan 16 '22 at 19:37
  • I have corrected it. I know the difference but clearly used the wrong one. – Matt Andruff Jan 17 '22 at 13:31
0

What I didn't get is how an application authenticates users. I get the theory, but I want to see it in action. So what I want to do is write a small HTTP application in Linux (C/C++) and have it authenticate users based on Kerberos tickets.

For the server, I would choose one of these options:

  • Apache with the mod_auth_gssapi module (not the old mod_auth_kerb... but it works too),
  • or Python using Flask and flask-gssapi (good choice if you want to see how the underlying gssapi functions are used).

There are several others, e.g. Golang's gokrb5 has an SPNEGO example.

In all cases, the GSS-API (or the Windows equivalent, SSPI) will be used on both the client and server, starting with gss_init_sec_context(). The "direct" Kerberos functions are generally not used in programs (except old ones that predate GSS-API).

(Note that normally GSS-API produces raw Kerberos tokens, but with HTTP Negotiate auth they're wrapped inside SPNEGO tokens, so you have to specifically request the SPNEGO mechanism when initializing GSS-API.)

user1686
  • 13,155
  • 2
  • 35
  • 54
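Added here as an example that is not part of any answer on this page: the HTTP-side framing a C server needs before it calls gss_accept_sec_context(), the server counterpart of the gss_init_sec_context() call mentioned above. It parses the Authorization: Negotiate header and inspects the mechanism OID in the decoded token, so the SPNEGO-versus-raw-Kerberos distinction from the note above can be seen on real bytes. Assumptions: the function names, the 4 KiB token buffer and the minimal test tokens are constructed for this example; the GSS-API calls that would follow are not included.

```c
/* Added example (not from the answers above): the HTTP framing a Negotiate server
 * does before gss_accept_sec_context(). It parses "Authorization: Negotiate <base64>",
 * decodes the token and reads the mechanism OID from the RFC 2743 InitialContextToken
 * header, so a server can tell an SPNEGO-wrapped token from a raw Kerberos one. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum mech { MECH_SPNEGO, MECH_KRB5, MECH_UNKNOWN, MECH_INVALID };
/* DER-encoded OIDs: SPNEGO 1.3.6.1.5.5.2 and Kerberos V5 1.2.840.113554.1.2.2 */
static const uint8_t OID_SPNEGO[] = {0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02};
static const uint8_t OID_KRB5[] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Decode standard base64 into out; returns byte count, or -1 on bad input/overflow. */
static int b64_decode(const char *in, uint8_t *out, size_t cap) {
    static const char tbl[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0; int bits = 0, n = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(tbl, *in);
        if (!p) return -1;
        acc = (acc << 6) | (uint32_t)(p - tbl); bits += 6;
        if (bits >= 8) { if ((size_t)n >= cap) return -1; bits -= 8; out[n++] = (acc >> bits) & 0xff; }
    }
    return n;
}

/* Classify a decoded token by the OID after the 0x60 tag and its DER length octets. */
static enum mech token_mech(const uint8_t *t, size_t n) {
    if (n < 2 || t[0] != 0x60) return MECH_UNKNOWN;    /* no GSS framing, e.g. NTLM */
    size_t i = (t[1] & 0x80) ? 2 + (t[1] & 0x7f) : 2;  /* skip tag + length octets */
    if (i + sizeof OID_SPNEGO <= n && !memcmp(t + i, OID_SPNEGO, sizeof OID_SPNEGO))
        return MECH_SPNEGO;
    if (i + sizeof OID_KRB5 <= n && !memcmp(t + i, OID_KRB5, sizeof OID_KRB5))
        return MECH_KRB5;
    return MECH_UNKNOWN;
}

/* Header value -> mechanism; the decoded bytes are the input_token for gss_accept_sec_context(). */
enum mech classify_header(const char *hdr) {
    uint8_t tok[4096];   /* constructed size limit for this example */
    if (strncmp(hdr, "Negotiate ", 10) != 0) return MECH_INVALID;   /* e.g. Basic scheme */
    int n = b64_decode(hdr + 10, tok, sizeof tok);
    return n < 0 ? MECH_INVALID : token_mech(tok, (size_t)n);
}

int main(void) {   /* constructed header: minimal SPNEGO InitialContextToken (OID only) */
    enum mech m = classify_header("Negotiate YAgGBisGAQUFAg==");
    puts(m == MECH_SPNEGO ? "SPNEGO token: hand to gss_accept_sec_context()" : "reject");
    return 0;
}
```

Real tokens from a browser or curl begin with "YII..." because their length field is long-form; the OID check is the same.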
-2

Use curl; it has everything built in.

Michael-O
  • 18,123
  • 6
  • 55
  • 121