I have been tasked with setting up a server which uses a web based control interface using kerberos and active directory for authentication. I am using twisted.web as the web server. The issue is that I do not want user passwords coming through this server, but I don't know if it is possible for firefox and chrome to get access keys from the kerberos key server. Specifically it must work with firefox, other browsers would be a bonus. Is there a javascript library, possibly using HTML5 or a firefox plugin that allows for authentication to an untrusted server using kerberos? A flash application might also be possible.
Viewed 4,140 times
12
- If you're using Python, the answer to this question might be of use: http://stackoverflow.com/questions/922805/spnego-kerberos-token-generation-validation-for-sso-using-python#1001619 – millimoose Jun 24 '12 at 16:22
- The problem with millimoose's suggestion is the password would still have to pass through the server, so the user has to trust the server to not mess with it. The javascript can be viewed by the user, if they are concerned with it, so I'd like to keep it just between the javascript on the client machine and the AD server. Javascript Web Sockets come close, but I'd rather not try to implement the kerberos protocol myself using them. – Perkins Sep 29 '12 at 02:03
- I've long since not needed this, but the `websockify` project from the `noVNC` team would likely make implementing Kerberos in the browser possible, either by compiling kerberos via Emscripten (or similar), or reimplementing at least portions of it in javascript directly. – Perkins Feb 10 '21 at 07:25
1 Answer
1
Maybe you could throw a reverse proxy in front of twisted and use http auth from the web app and delegate authentication itself to Kerberos via an apache or nginx module.
While the proxy will receive the password, the twisted server won't, in line with your use case. Requests would be intercepted by the proxy and delegated to your back end (proxy_pass) following a successful authentication.
This way your solution would work independently of any http client/web browser.
– pdeschen
- An interesting suggestion, and one I hadn't considered. The problem is my organisation doesn't have a server set up to handle that type of proxy service. I could set one up, but only on the server I don't want the passwords hitting. It isn't so much a case of me not trusting the server software as it is wanting to avoid an auditing nightmare if someone gets their account compromised. – Perkins Jun 27 '12 at 00:06
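The reverse-proxy layout the answer describes, as an added example that is not part of the original answer or of the twisted project: an Apache virtual host that performs Kerberos/SPNEGO (Negotiate) authentication with `mod_auth_kerb` and forwards only the authenticated principal to the twisted back end. The realm `EXAMPLE.COM`, the hostname `web.example.com`, the keytab and certificate paths, the back-end address `127.0.0.1:8080` and the header name `X-Remote-User` are all assumptions; it needs `mod_auth_kerb`, `mod_ssl`, `mod_headers`, `mod_proxy` and `mod_proxy_http` loaded, and the `expr=` form of `RequestHeader` requires Apache 2.4.10 or later. Note that with `KrbMethodK5Passwd Off` the proxy only ever sees a service ticket from the browser, never the user's password, which addresses the concern raised in the question more directly than the Basic-auth fallback would.

```apache
# Added example, not from the answer: Kerberos-authenticating reverse proxy
# in front of a twisted back end. Realm, hostnames, paths and ports are assumed.
<VirtualHost *:443>
    ServerName web.example.com

    SSLEngine on
    # Assumed certificate paths; Negotiate should only be offered over TLS.
    SSLCertificateFile    /etc/ssl/certs/web.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/web.example.com.key

    <Location />
        AuthType Kerberos
        AuthName "Kerberos login"
        KrbAuthRealms EXAMPLE.COM
        KrbServiceName HTTP
        # Keytab holding HTTP/web.example.com@EXAMPLE.COM (assumed path).
        Krb5KeyTab /etc/httpd/http.keytab
        # Accept SPNEGO tickets only; refuse the Basic-auth password fallback,
        # so no password ever reaches the proxy.
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbSaveCredentials Off
        Require valid-user

        # Pass the verified principal to the back end. "set" overwrites any
        # client-supplied X-Remote-User header, so the value cannot be forged
        # through the proxy.
        RequestHeader set X-Remote-User "expr=%{REMOTE_USER}"

        ProxyPreserveHost On
        ProxyPass        http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
    </Location>
</VirtualHost>
```

The back end must listen only on the loopback address (or otherwise be reachable solely from the proxy), because the identity header is trustworthy only for requests that actually passed through this virtual host; a twisted server bound to a public interface would let anyone set `X-Remote-User` directly. `mod_auth_kerb` is no longer actively maintained; `mod_auth_gssapi` provides the same Negotiate flow with different directive names if a current module is preferred.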