Info about Kerberos. Caveat: some of this may not be fully correct terminology, but it’s how I understand it. :-)

What is it?

Concepts

  • Keytab file - contains keys for a specific service. It’s equivalent to a password file or private key, and needs to be treated as a highly sensitive secret1
  • Principal - equivalent to a user in an operating system. Usually takes the form component1/component2@REALM
    • A User Principal is …?
    • A Service Principal represents an application or a computer, e.g. nfs/[email protected], HTTP/[email protected]
    • Service Principal Name (SPN) is a unique identifier of a service instance - i.e. to associate an instance of a service (like an application server) with a specific logon account.
  • Ticket Granting Ticket (TGT) - issued by the Authentication Service when a user successfully authenticates.

The key components in a Kerberos interaction are:

  • Key Distribution Center (KDC) - the authentication component that contains:
    • Authentication Service (AS) - responsible for the initial challenge to users. The AS grants a Ticket-Granting Ticket for authenticating with the TGS.
    • Ticket Granting Service (TGS) - given a Ticket-Granting Ticket and destination, it issues the user a Service Ticket.
  • Client - the principal who is requesting access to a resource.
  • Server - the secured service which is protected by Kerberos.

Service Principals

Service Principal Names follow this convention:

<service class>/<host>:<port>/<service name>
<service class>/<fqdn>@REALM

For example:

MyDBService/host1.example.com/CN=hrdb,OU=mktg,DC=example,DC=com
HTTP/[email protected]

Further notes:

Cookbook

List user’s current Kerberos tickets (Linux):

$ klist
Ticket cache: FILE:/tmp/krb5cc_185
Default principal: [email protected]

Valid starting       Expires              Service principal
11/19/2018 10:40:40  11/20/2018 10:40:40  krbtgt/[email protected]

SSO for web applications with Kerberos

It is possible to use Kerberos as an authentication mechanism for web applications. This allows a user to log on to a web application using just their Kerberos identity (via a ticket).

On the server side:

  • The protocol that allows Kerberos to be used as a form of authentication is called SPNEGO.
  • Check that the application server has support for SPNEGO, e.g. using a library or module.
  • Define all of the Kerberos connection parameters in a file krb5.conf and ensure that the application server uses this to communicate with Kerberos.
  • Also create a keytab file for the application server. This is similar to a private key for the application server, allowing it to communicate with Kerberos.
  • Implement a fallback authentication mechanism which should be used in case the user isn’t logging on from a Kerberos-configured PC.

On the client side:

  • Single Sign-on allows a user to be automatically signed in to a web application using the existing Kerberos infrastructure and login.
  • For example, if a user has already authenticated with Kerberos on Linux using kinit, a web browser can read their ticket (TGT), pass it to the Kerberos server to obtain a service ticket (ST) for the web app, and then pass this to the application server as proof of identity.
  • SSO with Kerberos works only if the user is already logged on to Kerberos on that machine - it’s an entirely different concept from the “SSO” concept used by, for example, Google Accounts, Microsoft Live, etc.

Examples

Configuration file

An example krb5.conf configuration file:

[libdefaults]
    default_realm = JBOSS.ORG
    default_tgs_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    default_tkt_enctypes = des-cbc-md5 des3-cbc-sha1-kd rc4-hmac
    kdc_timeout = 5000
    dns_lookup_realm = false
    dns_lookup_kdc = false
    dns_canonicalize_hostname = false
    rdns = false
    ignore_acceptor_hostname = true
    allow_weak_crypto = yes

[realms]
    JBOSS.ORG = {
        kdc = localhost:6088
    }

[domain_realm]
    localhost = JBOSS.ORG

Cookbook

Inspect the contents of a keytab file:

$ klist -k -t /tmp/spnego-demo-testdir/jbosstest.keytab
Keytab name: FILE:/tmp/spnego-demo-testdir/jbosstest.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
   0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
   0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
   0 11/21/2018 07:14:41 JBOSSTEST/[email protected]
   0 11/21/2018 07:14:41 JBOSSTEST/[email protected]