Kerberos through SASL: Do I need to get the ticket?How do I interact with a kerberos server from my own applicationMixed authentication modes: send both Kerberos token and username token over HTTPs with WCFWhy Firefox keeps negotiating kerberos service tickets?Kerberos credentials not forwarded to openldap using mod_auth_kerb/Apache2, Authen::SASL/perlMaking SASL(with GSSAPI) enabled client and server with LDAP+kerberos as authenticator? (Single Sign on SSO sytstem)Service Ticket in Kerberos - Hadoop securityJava client hangs when kerberos ticket expiresHAProxy with https and kerberosKerberos cached ticket on windows machine not regenerated after user unlockkerberos client authentication node js app
My players like to search everything. What do they find?
Should you add specific garden-fresh herbs to a stew at the beginning or the end?
What instances can be solved today by modern solvers (pure LP)?
Why would "dead languages" be the only languages that spells could be written in?
Has chattel slavery ever been used as a criminal punishment in the USA since the passage of the Thirteenth Amendment?
How to respond to someone who condemns behavior similar to what they exhibit?
Has there ever been a cold war other than between the U.S. and the U.S.S.R.?
How should I present a resort brochure in my general fiction?
how to convert Timestring to seconds
How can solar sailed ships be protected from space debris?
What is meant by perfect, imperfect consonance and dissonance?
Should I cheat if the majority does it?
Convenience stores in India
Minimizing medical costs with HSA
CPA filed late returns, stating I would get money; IRS says they were filed too late
Park the computer
Using Sed to add counter to keyword
How serious is plagiarism in a master’s thesis?
Motorcyle Chain needs to be cleaned every time you lube it?
Should I hide my travel history to the UK when I apply for an Australian visa?
AB5E type molecule
Can a wizard delay learning new spells from leveling up to learn different spells later?
When can a Barbarian, who has just levelled up, use the additional Rage gained from that level?
What is this arch-and-tower near a road?
Kerberos through SASL: Do I need to get the ticket?
How do I interact with a kerberos server from my own applicationMixed authentication modes: send both Kerberos token and username token over HTTPs with WCFWhy Firefox keeps negotiating kerberos service tickets?Kerberos credentials not forwarded to openldap using mod_auth_kerb/Apache2, Authen::SASL/perlMaking SASL(with GSSAPI) enabled client and server with LDAP+kerberos as authenticator? (Single Sign on SSO sytstem)Service Ticket in Kerberos - Hadoop securityJava client hangs when kerberos ticket expiresHAProxy with https and kerberosKerberos cached ticket on windows machine not regenerated after user unlockkerberos client authentication node js app
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I am designing the authentication system for a piece of software and need some guidance on how SASL and Kerberos services interact.
Here is the situation:
I have a client/server application that is itself pretty standard: only registered users can use perform actions. As an MVP I would typically implement a pretty standard solution:
- Database stores username + salted hash of passord
- Authentication attempt from client over HTTP includes username/password over TLS
- Backend checks that username/password are valid and returns a bearer token that can be used for the duration of the session
In this case, however, there is a complicating factor. Some users of our system use Kerberos internally for user authentication for all internal services. As a feature, we would like to integrate our software with Kerberos so that they don't have to manage an additional set of users.
A more senior engineer recommended I look into SASL so that we might support several auth protocols simultaneously; standard customers can authenticate their users with the PLAIN method (over TLS), for instance, while other customers could limit authentication to only the GSSAPI method.
Up to this point, I have a clear idea of how things might be set up to achieve the desired goals. However, there is one more complicating factor. Some of the customers that want our system's auth to support Kerberos have other resources that our system will rely on (like HDFS) that also require authentication with Kerberos.
My understanding of Kerberos is this:
- A client authenticates with Kerberos's ticket granting server
- Upon successful authentication a TGT is returned that can be used for any future interaction with any Kerberos service in the system
Now to the point: How can I make all of these technologies work in harmony? What I want is:
- Client logs into my server
- My server authenticates client using customer's Kerberos system
- Client is given the OK
- Client asks for something from my server
- My server needs access to customer's HDFS, which requires Kerberos auth
- Server authenticates without asking the client to authenticate again
One possible solution I see to this is the following:
- Make my server itself a Kerberos user
- When the server needs to perform an action on HDFS, have it authenticate using its own credentials
There is a big downside to this, though: pretend the customer's Kerberos system has two realms: one with access to HDFS and one without. If users of both reals are allowed to use my system, but only one set can use HDFS, then I will need my own logic (and potentially objects in a DB) to determine who can perform actions that will require access to HDFS and who cannot.
Any pointers are going to be super helpful; in case it isn't obvious, I am quite new to all of this.
Thanks in advance!
kerberos sasl
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
add a comment |
I am designing the authentication system for a piece of software and need some guidance on how SASL and Kerberos services interact.
Here is the situation:
I have a client/server application that is itself pretty standard: only registered users can use perform actions. As an MVP I would typically implement a pretty standard solution:
- Database stores username + salted hash of passord
- Authentication attempt from client over HTTP includes username/password over TLS
- Backend checks that username/password are valid and returns a bearer token that can be used for the duration of the session
In this case, however, there is a complicating factor. Some users of our system use Kerberos internally for user authentication for all internal services. As a feature, we would like to integrate our software with Kerberos so that they don't have to manage an additional set of users.
A more senior engineer recommended I look into SASL so that we might support several auth protocols simultaneously; standard customers can authenticate their users with the PLAIN method (over TLS), for instance, while other customers could limit authentication to only the GSSAPI method.
Up to this point, I have a clear idea of how things might be set up to achieve the desired goals. However, there is one more complicating factor. Some of the customers that want our system's auth to support Kerberos have other resources that our system will rely on (like HDFS) that also require authentication with Kerberos.
My understanding of Kerberos is this:
- A client authenticates with Kerberos's ticket granting server
- Upon successful authentication a TGT is returned that can be used for any future interaction with any Kerberos service in the system
Now to the point: How can I make all of these technologies work in harmony? What I want is:
- Client logs into my server
- My server authenticates client using customer's Kerberos system
- Client is given the OK
- Client asks for something from my server
- My server needs access to customer's HDFS, which requires Kerberos auth
- Server authenticates without asking the client to authenticate again
One possible solution I see to this is the following:
- Make my server itself a Kerberos user
- When the server needs to perform an action on HDFS, have it authenticate using its own credentials
There is a big downside to this, though: pretend the customer's Kerberos system has two realms: one with access to HDFS and one without. If users of both reals are allowed to use my system, but only one set can use HDFS, then I will need my own logic (and potentially objects in a DB) to determine who can perform actions that will require access to HDFS and who cannot.
Any pointers are going to be super helpful; in case it isn't obvious, I am quite new to all of this.
Thanks in advance!
kerberos sasl
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
add a comment |
I am designing the authentication system for a piece of software and need some guidance on how SASL and Kerberos services interact.
Here is the situation:
I have a client/server application that is itself pretty standard: only registered users can use perform actions. As an MVP I would typically implement a pretty standard solution:
- Database stores username + salted hash of passord
- Authentication attempt from client over HTTP includes username/password over TLS
- Backend checks that username/password are valid and returns a bearer token that can be used for the duration of the session
In this case, however, there is a complicating factor. Some users of our system use Kerberos internally for user authentication for all internal services. As a feature, we would like to integrate our software with Kerberos so that they don't have to manage an additional set of users.
A more senior engineer recommended I look into SASL so that we might support several auth protocols simultaneously; standard customers can authenticate their users with the PLAIN method (over TLS), for instance, while other customers could limit authentication to only the GSSAPI method.
Up to this point, I have a clear idea of how things might be set up to achieve the desired goals. However, there is one more complicating factor. Some of the customers that want our system's auth to support Kerberos have other resources that our system will rely on (like HDFS) that also require authentication with Kerberos.
My understanding of Kerberos is this:
- A client authenticates with Kerberos's ticket granting server
- Upon successful authentication a TGT is returned that can be used for any future interaction with any Kerberos service in the system
Now to the point: How can I make all of these technologies work in harmony? What I want is:
- Client logs into my server
- My server authenticates client using customer's Kerberos system
- Client is given the OK
- Client asks for something from my server
- My server needs access to customer's HDFS, which requires Kerberos auth
- Server authenticates without asking the client to authenticate again
One possible solution I see to this is the following:
- Make my server itself a Kerberos user
- When the server needs to perform an action on HDFS, have it authenticate using its own credentials
There is a big downside to this, though: pretend the customer's Kerberos system has two realms: one with access to HDFS and one without. If users of both reals are allowed to use my system, but only one set can use HDFS, then I will need my own logic (and potentially objects in a DB) to determine who can perform actions that will require access to HDFS and who cannot.
Any pointers are going to be super helpful; in case it isn't obvious, I am quite new to all of this.
Thanks in advance!
kerberos sasl
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
I am designing the authentication system for a piece of software and need some guidance on how SASL and Kerberos services interact.
Here is the situation:
I have a client/server application that is itself pretty standard: only registered users can use perform actions. As an MVP I would typically implement a pretty standard solution:
- Database stores username + salted hash of passord
- Authentication attempt from client over HTTP includes username/password over TLS
- Backend checks that username/password are valid and returns a bearer token that can be used for the duration of the session
In this case, however, there is a complicating factor. Some users of our system use Kerberos internally for user authentication for all internal services. As a feature, we would like to integrate our software with Kerberos so that they don't have to manage an additional set of users.
A more senior engineer recommended I look into SASL so that we might support several auth protocols simultaneously; standard customers can authenticate their users with the PLAIN method (over TLS), for instance, while other customers could limit authentication to only the GSSAPI method.
Up to this point, I have a clear idea of how things might be set up to achieve the desired goals. However, there is one more complicating factor. Some of the customers that want our system's auth to support Kerberos have other resources that our system will rely on (like HDFS) that also require authentication with Kerberos.
My understanding of Kerberos is this:
- A client authenticates with Kerberos's ticket granting server
- Upon successful authentication a TGT is returned that can be used for any future interaction with any Kerberos service in the system
Now to the point: How can I make all of these technologies work in harmony? What I want is:
- Client logs into my server
- My server authenticates client using customer's Kerberos system
- Client is given the OK
- Client asks for something from my server
- My server needs access to customer's HDFS, which requires Kerberos auth
- Server authenticates without asking the client to authenticate again
One possible solution I see to this is the following:
- Make my server itself a Kerberos user
- When the server needs to perform an action on HDFS, have it authenticate using its own credentials
There is a big downside to this, though: pretend the customer's Kerberos system has two realms: one with access to HDFS and one without. If users of both reals are allowed to use my system, but only one set can use HDFS, then I will need my own logic (and potentially objects in a DB) to determine who can perform actions that will require access to HDFS and who cannot.
Any pointers are going to be super helpful; in case it isn't obvious, I am quite new to all of this.
Thanks in advance!
kerberos sasl
kerberos sasl
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
asked Mar 25 at 18:39
Joshua GevirtzJoshua Gevirtz
1761 silver badge10 bronze badges
1761 silver badge10 bronze badges
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
It's not clear exactly what your question(s) are, but I'll do my best to address everything I think you're asking.
Firstly, I just want to clear this up:
Upon successful authentication a TGT is returned that can be used for
any future interaction with any Kerberos service in the system
That's not quite correct. The TGT enables the user to request service
tickets from the KDC for specific services. The service ticket is what
gives the user access to a specific service. The TGT is used to prove the
user's identity to the KDC when requesting a service ticket.
Client asks for something from my server - My server needs access to
customer's HDFS, which requires Kerberos auth - Server authenticates
without asking the client to authenticate again
This is a common enough problem and the Kerberos solution is called delegation. You should try to use Kerberos delegation in preference to coming up with your own solution. That said, how well supported it is depends on the technology stack you're using.
There are 2 kinds of delegation supported by Kerberos. The first kind is just called "delegation" and it works by sending the user's TGT to the service along with the service ticket. The service can then use the TGT to get new service tickets from the KDC on behalf of the user. The disadvantage of this approach is that once a service gets a user's TGT, it can effectively impersonate that user to any service that the user would be able to access. You might not want the service to have that level of freedom.
The second kind of delegation is called constrained delegation (also known as services4user or S4U). With this approach, the client doesn't send it's TGT to the service, but the service is allowed to ask the KDC for a service ticket to impersonate the user anyway. The services that can do this have to be whitelisted on the KDC, along with the services that they can request tickets for. This ultimately makes for a more secure approach because the service can't impersonate that user to just any service.
A more senior engineer recommended I look into SASL so that we might
support several auth protocols simultaneously; standard customers can
authenticate their users with the PLAIN method (over TLS), for
instance, while other customers could limit authentication to only the
GSSAPI method
Yes this is a good idea. Specifically, I'd recommend that you use the exact same session authentication mechanism for all users. The only difference for Kerberos users should be the way in which they get a session. You can set up a Kerberos-protected login URL that gets them a session without challenging them for credentials. Any user that hits this URL and doesn't have Kerberos credentials can just be redirected to a login page, which ultimately gets them the same session object (once they log in).
On the back end, the credential checking logic can use SASL to pass Kerberos users through to the KDC, and others through to your local authentication mechanism. This gives you a seamless fallback mechanism for situations when Kerberos doesn't work for the Kerberos users (which can happen easily enough due to things like clock skew etc.)
There is a big downside to this, though: pretend the customer's
Kerberos system has two realms: one with access to HDFS and one
without. If users of both reals are allowed to use my system, but only
one set can use HDFS, then I will need my own logic (and potentially
objects in a DB) to determine who can perform actions that will
require access to HDFS and who cannot.
This kind of thing is exactly the reason that you should use Kerberos delegation instead of coming up with your own custom solution. With Kerberos delegation, the KDC administrator control who can access what. If your service tries to impersonate a user to HDFS, and they are not allowed to access it, that authentication step will just fail and everything will be ok.
If you try to shadow the KDC's authorization rules in your own application, sooner or later they'll get out of sync and bad things will happen.
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55344459%2fkerberos-through-sasl-do-i-need-to-get-the-ticket%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
It's not clear exactly what your question(s) are, but I'll do my best to address everything I think you're asking.
Firstly, I just want to clear this up:
Upon successful authentication a TGT is returned that can be used for
any future interaction with any Kerberos service in the system
That's not quite correct. The TGT enables the user to request service
tickets from the KDC for specific services. The service ticket is what
gives the user access to a specific service. The TGT is used to prove the
user's identity to the KDC when requesting a service ticket.
Client asks for something from my server - My server needs access to
customer's HDFS, which requires Kerberos auth - Server authenticates
without asking the client to authenticate again
This is a common enough problem and the Kerberos solution is called delegation. You should try to use Kerberos delegation in preference to coming up with your own solution. That said, how well supported it is depends on the technology stack you're using.
There are 2 kinds of delegation supported by Kerberos. The first kind is just called "delegation" and it works by sending the user's TGT to the service along with the service ticket. The service can then use the TGT to get new service tickets from the KDC on behalf of the user. The disadvantage of this approach is that once a service gets a user's TGT, it can effectively impersonate that user to any service that the user would be able to access. You might not want the service to have that level of freedom.
The second kind of delegation is called constrained delegation (also known as services4user or S4U). With this approach, the client doesn't send it's TGT to the service, but the service is allowed to ask the KDC for a service ticket to impersonate the user anyway. The services that can do this have to be whitelisted on the KDC, along with the services that they can request tickets for. This ultimately makes for a more secure approach because the service can't impersonate that user to just any service.
A more senior engineer recommended I look into SASL so that we might
support several auth protocols simultaneously; standard customers can
authenticate their users with the PLAIN method (over TLS), for
instance, while other customers could limit authentication to only the
GSSAPI method
Yes this is a good idea. Specifically, I'd recommend that you use the exact same session authentication mechanism for all users. The only difference for Kerberos users should be the way in which they get a session. You can set up a Kerberos-protected login URL that gets them a session without challenging them for credentials. Any user that hits this URL and doesn't have Kerberos credentials can just be redirected to a login page, which ultimately gets them the same session object (once they log in).
On the back end, the credential checking logic can use SASL to pass Kerberos users through to the KDC, and others through to your local authentication mechanism. This gives you a seamless fallback mechanism for situations when Kerberos doesn't work for the Kerberos users (which can happen easily enough due to things like clock skew etc.)
There is a big downside to this, though: pretend the customer's
Kerberos system has two realms: one with access to HDFS and one
without. If users of both reals are allowed to use my system, but only
one set can use HDFS, then I will need my own logic (and potentially
objects in a DB) to determine who can perform actions that will
require access to HDFS and who cannot.
This kind of thing is exactly the reason that you should use Kerberos delegation instead of coming up with your own custom solution. With Kerberos delegation, the KDC administrator control who can access what. If your service tries to impersonate a user to HDFS, and they are not allowed to access it, that authentication step will just fail and everything will be ok.
If you try to shadow the KDC's authorization rules in your own application, sooner or later they'll get out of sync and bad things will happen.
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
add a comment |
It's not clear exactly what your question(s) are, but I'll do my best to address everything I think you're asking.
Firstly, I just want to clear this up:
Upon successful authentication a TGT is returned that can be used for
any future interaction with any Kerberos service in the system
That's not quite correct. The TGT enables the user to request service
tickets from the KDC for specific services. The service ticket is what
gives the user access to a specific service. The TGT is used to prove the
user's identity to the KDC when requesting a service ticket.
Client asks for something from my server - My server needs access to
customer's HDFS, which requires Kerberos auth - Server authenticates
without asking the client to authenticate again
This is a common enough problem and the Kerberos solution is called delegation. You should try to use Kerberos delegation in preference to coming up with your own solution. That said, how well supported it is depends on the technology stack you're using.
There are 2 kinds of delegation supported by Kerberos. The first kind is just called "delegation" and it works by sending the user's TGT to the service along with the service ticket. The service can then use the TGT to get new service tickets from the KDC on behalf of the user. The disadvantage of this approach is that once a service gets a user's TGT, it can effectively impersonate that user to any service that the user would be able to access. You might not want the service to have that level of freedom.
The second kind of delegation is called constrained delegation (also known as services4user or S4U). With this approach, the client doesn't send it's TGT to the service, but the service is allowed to ask the KDC for a service ticket to impersonate the user anyway. The services that can do this have to be whitelisted on the KDC, along with the services that they can request tickets for. This ultimately makes for a more secure approach because the service can't impersonate that user to just any service.
A more senior engineer recommended I look into SASL so that we might
support several auth protocols simultaneously; standard customers can
authenticate their users with the PLAIN method (over TLS), for
instance, while other customers could limit authentication to only the
GSSAPI method
Yes this is a good idea. Specifically, I'd recommend that you use the exact same session authentication mechanism for all users. The only difference for Kerberos users should be the way in which they get a session. You can set up a Kerberos-protected login URL that gets them a session without challenging them for credentials. Any user that hits this URL and doesn't have Kerberos credentials can just be redirected to a login page, which ultimately gets them the same session object (once they log in).
On the back end, the credential checking logic can use SASL to pass Kerberos users through to the KDC, and others through to your local authentication mechanism. This gives you a seamless fallback mechanism for situations when Kerberos doesn't work for the Kerberos users (which can happen easily enough due to things like clock skew etc.)
There is a big downside to this, though: pretend the customer's
Kerberos system has two realms: one with access to HDFS and one
without. If users of both reals are allowed to use my system, but only
one set can use HDFS, then I will need my own logic (and potentially
objects in a DB) to determine who can perform actions that will
require access to HDFS and who cannot.
This kind of thing is exactly the reason that you should use Kerberos delegation instead of coming up with your own custom solution. With Kerberos delegation, the KDC administrator control who can access what. If your service tries to impersonate a user to HDFS, and they are not allowed to access it, that authentication step will just fail and everything will be ok.
If you try to shadow the KDC's authorization rules in your own application, sooner or later they'll get out of sync and bad things will happen.
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
add a comment |
It's not clear exactly what your question(s) are, but I'll do my best to address everything I think you're asking.
Firstly, I just want to clear this up:
Upon successful authentication a TGT is returned that can be used for
any future interaction with any Kerberos service in the system
That's not quite correct. The TGT enables the user to request service
tickets from the KDC for specific services. The service ticket is what
gives the user access to a specific service. The TGT is used to prove the
user's identity to the KDC when requesting a service ticket.
Client asks for something from my server - My server needs access to
customer's HDFS, which requires Kerberos auth - Server authenticates
without asking the client to authenticate again
This is a common enough problem and the Kerberos solution is called delegation. You should try to use Kerberos delegation in preference to coming up with your own solution. That said, how well supported it is depends on the technology stack you're using.
There are 2 kinds of delegation supported by Kerberos. The first kind is just called "delegation" and it works by sending the user's TGT to the service along with the service ticket. The service can then use the TGT to get new service tickets from the KDC on behalf of the user. The disadvantage of this approach is that once a service gets a user's TGT, it can effectively impersonate that user to any service that the user would be able to access. You might not want the service to have that level of freedom.
The second kind of delegation is called constrained delegation (also known as services4user or S4U). With this approach, the client doesn't send it's TGT to the service, but the service is allowed to ask the KDC for a service ticket to impersonate the user anyway. The services that can do this have to be whitelisted on the KDC, along with the services that they can request tickets for. This ultimately makes for a more secure approach because the service can't impersonate that user to just any service.
A more senior engineer recommended I look into SASL so that we might
support several auth protocols simultaneously; standard customers can
authenticate their users with the PLAIN method (over TLS), for
instance, while other customers could limit authentication to only the
GSSAPI method
Yes this is a good idea. Specifically, I'd recommend that you use the exact same session authentication mechanism for all users. The only difference for Kerberos users should be the way in which they get a session. You can set up a Kerberos-protected login URL that gets them a session without challenging them for credentials. Any user that hits this URL and doesn't have Kerberos credentials can just be redirected to a login page, which ultimately gets them the same session object (once they log in).
On the back end, the credential checking logic can use SASL to pass Kerberos users through to the KDC, and others through to your local authentication mechanism. This gives you a seamless fallback mechanism for situations when Kerberos doesn't work for the Kerberos users (which can happen easily enough due to things like clock skew etc.)
There is a big downside to this, though: pretend the customer's
Kerberos system has two realms: one with access to HDFS and one
without. If users of both reals are allowed to use my system, but only
one set can use HDFS, then I will need my own logic (and potentially
objects in a DB) to determine who can perform actions that will
require access to HDFS and who cannot.
This kind of thing is exactly the reason that you should use Kerberos delegation instead of coming up with your own custom solution. With Kerberos delegation, the KDC administrator control who can access what. If your service tries to impersonate a user to HDFS, and they are not allowed to access it, that authentication step will just fail and everything will be ok.
If you try to shadow the KDC's authorization rules in your own application, sooner or later they'll get out of sync and bad things will happen.
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
It's not clear exactly what your question(s) are, but I'll do my best to address everything I think you're asking.
Firstly, I just want to clear this up:
Upon successful authentication a TGT is returned that can be used for
any future interaction with any Kerberos service in the system
That's not quite correct. The TGT enables the user to request service
tickets from the KDC for specific services. The service ticket is what
gives the user access to a specific service. The TGT is used to prove the
user's identity to the KDC when requesting a service ticket.
Client asks for something from my server - My server needs access to
customer's HDFS, which requires Kerberos auth - Server authenticates
without asking the client to authenticate again
This is a common enough problem and the Kerberos solution is called delegation. You should try to use Kerberos delegation in preference to coming up with your own solution. That said, how well supported it is depends on the technology stack you're using.
There are 2 kinds of delegation supported by Kerberos. The first kind is just called "delegation" and it works by sending the user's TGT to the service along with the service ticket. The service can then use the TGT to get new service tickets from the KDC on behalf of the user. The disadvantage of this approach is that once a service gets a user's TGT, it can effectively impersonate that user to any service that the user would be able to access. You might not want the service to have that level of freedom.
The second kind of delegation is called constrained delegation (also known as services4user or S4U). With this approach, the client doesn't send it's TGT to the service, but the service is allowed to ask the KDC for a service ticket to impersonate the user anyway. The services that can do this have to be whitelisted on the KDC, along with the services that they can request tickets for. This ultimately makes for a more secure approach because the service can't impersonate that user to just any service.
A more senior engineer recommended I look into SASL so that we might
support several auth protocols simultaneously; standard customers can
authenticate their users with the PLAIN method (over TLS), for
instance, while other customers could limit authentication to only the
GSSAPI method
Yes this is a good idea. Specifically, I'd recommend that you use the exact same session authentication mechanism for all users. The only difference for Kerberos users should be the way in which they get a session. You can set up a Kerberos-protected login URL that gets them a session without challenging them for credentials. Any user that hits this URL and doesn't have Kerberos credentials can just be redirected to a login page, which ultimately gets them the same session object (once they log in).
On the back end, the credential checking logic can use SASL to pass Kerberos users through to the KDC, and others through to your local authentication mechanism. This gives you a seamless fallback mechanism for situations when Kerberos doesn't work for the Kerberos users (which can happen easily enough due to things like clock skew etc.)
There is a big downside to this, though: pretend the customer's
Kerberos system has two realms: one with access to HDFS and one
without. If users of both reals are allowed to use my system, but only
one set can use HDFS, then I will need my own logic (and potentially
objects in a DB) to determine who can perform actions that will
require access to HDFS and who cannot.
This kind of thing is exactly the reason that you should use Kerberos delegation instead of coming up with your own custom solution. With Kerberos delegation, the KDC administrator control who can access what. If your service tries to impersonate a user to HDFS, and they are not allowed to access it, that authentication step will just fail and everything will be ok.
If you try to shadow the KDC's authorization rules in your own application, sooner or later they'll get out of sync and bad things will happen.
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
answered Mar 26 at 15:44
John BJohn B
1,2163 gold badges19 silver badges24 bronze badges
1,2163 gold badges19 silver badges24 bronze badges
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
add a comment |
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
Thank you for your response! This is very helpful. Let me ask you a tangentially-related question: How would a login page work for an application whose backend is using SASL for authentication? In other words, in a client/server setup where the client is a CLI, it is clear the client uses the client-side portions of a SASL implementation to handle the auth negotiation. But in the context of a login web page, would the backend login handler do both the client and server sides of the SASL negotiation?
– Joshua Gevirtz
Mar 27 at 12:29
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
The way we've done this on my project is by using openldap with sasl passthrough. This way, my web app just sees the authentication backend as ldap, but ldap is configured to pass through to the Kerberos KDC for certain users. I can't give you specific instructions for setting it up, beacuse I didn't actually do it myself, but if you google 'openldap sasl pass thorugh' or similar terms, you should find good info on how to do it. Similarly, getting your web app to talk to ldap should be straightforward enough as it's a pretty common use case. I hope that helps!
– John B
Mar 27 at 12:44
add a comment |
Got a question that you can’t ask on public Stack Overflow? Learn more about sharing private information with Stack Overflow for Teams.
Got a question that you can’t ask on public Stack Overflow? Learn more about sharing private information with Stack Overflow for Teams.
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f55344459%2fkerberos-through-sasl-do-i-need-to-get-the-ticket%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
