Kerberos
Info about Kerberos. Caveat: some of this may not be fully correct terminology, but it’s how I understand it. :-)
What is it?
Concepts
- Keytab file - contains keys for a specific service. It’s equivalent to a password file or private key, and needs to be treated as a highly sensitive secret1
- Principal - equivalent to a user in an operating system. Usually takes the form
component1/component2@REALM
- A User Principal is …?
- A Service Principal represents an application or a computer, e.g.
nfs/[email protected]
,HTTP/[email protected]
- Service Principal Name (SPN) is a unique identifier of a service instance - i.e. to associate an instance of a service (like an application server) with a specific logon account.
- Ticket Granting Ticket (TGT) - issued by the Authentication Service when a user successfully authenticates.
The key components in a Kerberos interaction are:
- Key Distribution Center (KDC) - the authentication component that contains:
- Authentication Service (AS) - responsible for the initial challenge to users. The AS grants a Ticket-Granting Ticket for authenticating with the TGS.
- Ticket Granting Service (TGS) - given a Ticket-Granting Ticket and destination, it issues the user a Service Ticket.
- Client - the principal who is requesting access to a resource.
- Server - the secured service which is protected by Kerberos.
Service Principals
Service Principal Names follow this convention:
<service class>/<host>:<port>/<service name>
<service class>/<fqdn>@REALM
For example:
MyDBService/host1.example.com/CN=hrdb,OU=mktg,DC=example,DC=com
HTTP/[email protected]
Further notes:
- “If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN.” - this means that each server which needs a Kerberos account should have its own, rather than sharing them.
Cookbook
List user’s current Kerberos tickets (Linux):
$ klist
Ticket cache: FILE:/tmp/krb5cc_185
Default principal: [email protected]
Valid starting Expires Service principal
11/19/2018 10:40:40 11/20/2018 10:40:40 krbtgt/[email protected]
SSO for web applications with Kerberos
It is possible to use Kerberos as an authentication mechanism for web applications. This allows a user to log on to a web application using just their Kerberos identity (via a ticket).
On the server side:
- The protocol that allows Kerberos to be used as a form of authentication is called SPNEGO.
- Check that the application server has support for SPNEGO, e.g. using a library or module.
- Define all of the Kerberos connection parameters in a file
krb5.conf
and ensure that the application server uses this to communicate with Kerberos. - Also create a
keytab
file for the application server. This is similar to a private key for the application server, allowing it to communicate with Kerberos. - Implement a fallback authentication mechanism which should be used in case the user isn’t logging on from a Kerberos-configured PC.
On the client side:
- Single Sign-on allows a user to be automatically signed in to a web application using the existing Kerberos infrastructure and login.
- For example, if a user has already authenticated with Kerberos on Linux using
kinit
, a web browser can read their ticket (TGT), pass it to the Kerberos server to obtain a service ticket (ST) for the web app, and then pass this to the application server as proof of identity. - SSO with Kerberos works only if the user is already logged on to Kerberos on that machine - it’s an entirely different concept from the “SSO” concept used by, for example, Google Accounts, Microsoft Live, etc.
Examples
Configuration file
An example krb5.conf
configuration file:
[libdefaults]
default_realm = JBOSS.ORG
default_tgs_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
kdc_timeout = 5000
dns_lookup_realm = false
dns_lookup_kdc = false
dns_canonicalize_hostname = false
rdns = false
ignore_acceptor_hostname = true
allow_weak_crypto = yes
[realms]
JBOSS.ORG = {
kdc = localhost:6088
}
[domain_realm]
localhost = JBOSS.ORG
Cookbook
Inspect the contents of a keytab file:
$ klist -k -t /tmp/spnego-demo-testdir/jbosstest.keytab
Keytab name: FILE:/tmp/spnego-demo-testdir/jbosstest.keytab
KVNO Timestamp Principal
---- ------------------- ------------------------------------------------------
0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
0 11/21/2018 07:14:41 JBOSSTEST/[email protected]