Kerberos authentication with Apache Kerberos Module
Hi,
Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
GET: http://www.myhost.com/protected_page.html
HOST: www.myhost.com
AUTHENTICATE: negotiate XXXXX
However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
Thanks for any help or advice,
Neil.
By MagicUK at 2007-10-3 6:20:58
What version of JDK are you using? Java SE 6.0 includes support for the SPNEGO authentication scheme in HTTP. You can download Java SE 6.0 from:
http://download.java.net/jdk6/binaries/
Seema
Hi,
Thanks for the quick reply.
I am using the latest JDK (version 6) - forgot to mention that in my last post. We are in a Linux/Unix Kerberos environment so SPNEGO is not an option unfortunately.
Out of curiosity, I did try the SPNEGO tutorial example, but it didn't work - I may have misunderstood, but I thought SPNEGO only worked with Windows?
Best regards,
Neil.
SPNEGO authentication is only possible with browsers and platforms that support the SPNEGO protocol. IE includes support for SPNEGO.
If you attempt to use the "Negotiate" authentication scheme in HTTP, this will use the SPNEGO mechanism.
Here is the Java GSS guide that includes sample code for Java GSS/SPNEGO and HTTP/SPNEGO authentication:
http://download.java.net/jdk6/docs/technotes/guides/security/jgss/lab/index.html
For the "Negotiate" auth scheme, you'll need to set up an IIS server and configure IE.
Seema
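The exchange Neil is trying to build by hand, as an added example that is not from the thread or from Sun's tutorials: Java GSS produces the SPNEGO token that replaces the "XXXXX" in his post, the client sends it as `Authorization: Negotiate <base64>`, and then feeds the server's reply token back into the context so that the web server is authenticated to the client as well. It assumes a valid ticket cache, a service principal `HTTP/<host>` in the KDC, and a JVM started with `-Djavax.security.auth.useSubjectCredsOnly=false` and a JAAS login config whose `com.sun.security.jgss.krb5.initiate` entry uses `Krb5LoginModule` with `useTicketCache=true`; the class name, the `fetch` method and the URL are hypothetical, and it uses `java.util.Base64`, so it needs Java 8 or later rather than the Java 6 discussed here.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Base64;

import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/**
 * Added example (not from the thread): build the SPNEGO token that goes
 * after "Negotiate" in the Authorization header, send it, and verify the
 * server's reply token (mutual authentication).
 *
 * Assumes a valid Kerberos ticket cache, an HTTP/<host> service principal,
 * and -Djavax.security.auth.useSubjectCredsOnly=false plus a JAAS login
 * config so that GSS can read the native cache.
 */
public class NegotiateClient {

    /** SPNEGO mechanism OID (RFC 4178); Java GSS wraps Kerberos inside it. */
    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    /** Fetch url with Negotiate authentication; returns the HTTP status. */
    public static int fetch(URL url) throws IOException, GSSException {
        GSSManager manager = GSSManager.getInstance();
        // Host-based service name; GSS resolves it to HTTP/<host>@REALM.
        GSSName service = manager.createName("HTTP@" + url.getHost(), GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(service, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // we want the server's reply token checked
        ctx.requestCredDeleg(false);   // never forward the user's TGT to the web server
        try {
            // First round: this initial token is what replaces "XXXXX" in the post above.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            HttpURLConnection conn = (HttpURLConnection) url.openConnection();
            conn.setRequestProperty("Authorization",
                    "Negotiate " + Base64.getEncoder().encodeToString(token));
            int status = conn.getResponseCode();

            // Second round: the server answers with its own token in WWW-Authenticate.
            // Feeding it back completes the context and proves the server holds the service key.
            String hdr = conn.getHeaderField("WWW-Authenticate");
            if (hdr != null && hdr.regionMatches(true, 0, "Negotiate ", 0, 10)) {
                byte[] reply = Base64.getDecoder().decode(hdr.substring(10).trim());
                ctx.initSecContext(reply, 0, reply.length);
            }
            if (!ctx.isEstablished()) {
                // Refuse the response: the server never proved it holds the HTTP/<host> key.
                throw new GSSException(GSSException.DEFECTIVE_TOKEN);
            }
            return status;
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical URL; replace with the protected page on your own server.
        System.out.println("HTTP status: " + fetch(new URL("https://www.myhost.com/protected_page.html")));
    }
}
```

Two points are easy to miss when hand-rolling this: the header is `Authorization` (the server's challenge is `WWW-Authenticate`), and the token is bound to the service name, so `HTTP@host` must match the principal the web server's keytab holds. Sending the ticket over plain HTTP exposes only the (replay-protected) ticket, but the page content still needs TLS.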
Hi,
I managed to get the authentication to work in Java 1.6 eventually. Setting the system property http.auth.preference to "Kerberos" seemed to help.
One last question though... I have noticed that Java 1.6 under SuSE Linux / KDE doesn't pick up the Kerberos credential cache by default.
In /tmp, the credential cache is named like so:
/tmp/krb5cc_1001_XXXX
Where 1001 is the user's UID and XXXX is a random set of characters. If a symbolic link is made called krb5cc_1001 that links to the cache, then Java correctly uses the cached credentials.
Unfortunately, each time the user's credentials are renewed, a new cache is created.
Is there a way to tell Java to pick up the correct cache without manual intervention?
Thanks for any help,
Neil.
By default, MIT Kerberos stores the Kerberos ticket in the file /tmp/krb5cc_uid.
Java Kerberos picks up the native Kerberos ticket cache from the default location.
If the ticket cache is not available, it will look for the cache in the user's home directory: {user.home}{file.separator}krb5cc_{user.name}.
The Java Krb5LoginModule provides a "ticketCache" option to specify the ticket cache location. You can override the ticket cache location by using this option. However, if your ticket cache location changes each time, this will need to be updated.
What version of SuSE Linux are you using? What version of Kerberos does this platform provide? Are these extra characters added by default?
Seema
Hi Seema,
The name of the current ticket cache changes every 8 hours, but it is always named /tmp/krb5cc_{uid}_{random_chars}. The extra characters are always added. The version of Kerberos is the standard MIT version.
I have spoken to our Kerberos experts, and I have been told that the random characters are created by the Kerberos Pam5 authentication module (pam_krb5).
Edit: The location of the Kerberos ticket cache can be found from the environment variable "KRB5CCNAME".
Does this help at all?
Thanks for your help,
Neil.
Message was edited by: MagicUK
Here are your options:
1) Configure Krb5LoginModule programmatically.
If the environment variable KRB5CC_NAME points to the ticket cache location (which is updated each time), you can configure the Krb5LoginModule programmatically and set the "ticketCache" option to the value obtained from KRB5CC_NAME.
Refer to the following docs for details:
http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
2) Use native Kerberos from the platform.
Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO, you will not be able to use this option.
For details refer to the following docs:
http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
Seema
Hi Seema,
Thanks again for your advice. I followed step 1 and subclassed the Krb5LoginModule to make use of the environment variable should the user desire, by adding an extra configuration option for the login config file.
Source code available if desired.
That's the last of my queries ;-)
Best regards,
Neil.
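Seema's option 1 and the approach Neil ends up with, as an added example rather than Neil's own source: a programmatic JAAS `Configuration` that points `Krb5LoginModule` at whatever cache `KRB5CCNAME` names (Neil's edit above notes that this variable carries the `/tmp/krb5cc_{uid}_{random_chars}` path that `pam_krb5` rotates), and falls back to the JDK's default lookup when the variable is unset or names a non-file cache. The entry name `KrbClient`, the class name and the `login` helper are hypothetical; the `Krb5LoginModule` option names are the real ones from the JDK documentation Seema links to.

```java
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/**
 * Added example (not Neil's code): a JAAS Configuration built in code that
 * hands Krb5LoginModule the ticket cache named by KRB5CCNAME, so the
 * rotating /tmp/krb5cc_{uid}_{random} file is found without symlinks.
 */
public class EnvTicketCacheConfiguration extends Configuration {

    static final String ENTRY_NAME = "KrbClient";   // hypothetical entry name
    private final Map<String, String> options = new HashMap<String, String>();

    public EnvTicketCacheConfiguration() {
        options.put("useTicketCache", "true");
        options.put("doNotPrompt", "true");   // only the cache is acceptable; never ask for a password
        String cache = ticketCacheFromEnv(System.getenv("KRB5CCNAME"));
        if (cache != null) {
            options.put("ticketCache", cache);   // absent -> JDK default lookup applies
        }
    }

    /**
     * Turn a KRB5CCNAME value into the plain path Krb5LoginModule expects.
     * "FILE:/tmp/krb5cc_1001_AbCd" and a bare path are accepted; other cache
     * types (DIR:, KEYRING:, ...) are not file caches, so null is returned and
     * the module's default location is used instead.
     */
    static String ticketCacheFromEnv(String value) {
        if (value == null || value.isEmpty()) return null;
        if (value.startsWith("FILE:")) return value.substring("FILE:".length());
        if (value.indexOf(':') < 0) return value;
        return null;
    }

    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        if (!ENTRY_NAME.equals(name)) return null;
        return new AppConfigurationEntry[] {
            new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule",
                    LoginModuleControlFlag.REQUIRED, options)
        };
    }

    /** Log in from the cache and return the Subject holding the TGT. */
    public static Subject login() throws LoginException {
        LoginContext lc = new LoginContext(ENTRY_NAME, null, null, new EnvTicketCacheConfiguration());
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws Exception {
        Subject subject = login();
        System.out.println("Logged in as: " + subject.getPrincipals());
        // GSS calls made inside doAs use this Subject's credentials, so
        // -Djavax.security.auth.useSubjectCredsOnly=false is not needed here.
        Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
            public Void run() {
                // initiate the GSS context / HTTP request here
                return null;
            }
        });
    }
}
```

Because the `Configuration` is passed to the `LoginContext` directly, no `java.security.auth.login.config` file is required and nothing global is replaced with `Configuration.setConfiguration`. `doNotPrompt=true` is the safety check worth keeping: if the cache has expired or the variable points at a stale file, login fails cleanly instead of a headless process hanging on a password prompt.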