-
1. Re: How to use SPNEGO auth without keytab
mchoma Jun 21, 2017 2:24 AM (in response to kmark)
Interesting question. I have never seen a WildFly keytab-less configuration either.
As I understand it, the keytab is used to authenticate the server to the KDC, e.g. HTTP/jboss.org@JBOSS.ORG.
How would you expect the server to provide this information interactively? You know the client is providing the user's Kerberos ticket, user@JBOSS.ORG. Do you mean the client should somehow also provide an HTTP/jboss.org@JBOSS.ORG Kerberos ticket? Or just the password for HTTP/jboss.org@JBOSS.ORG?
But I think that would be a security risk, passing a service ticket or service password over an unsecured network.
Could you provide a link to an article/tutorial on the Tomcat keytab-less configuration, so I can understand better what you would like to achieve?
-
2. Re: How to use SPNEGO auth without keytab
kmark Jun 22, 2017 4:10 PM (in response to mchoma)
What I would like to achieve is to simply store the user/pass in a config file or something similar on the server itself and provide them directly to the pre-authentication process. What I have currently in Tomcat is an HTTP filter (Configuring Authentication Filter for Tomcat) which is registered in a web.xml in the conf folder of the Tomcat instance. This is the filter registration within the web.xml:
<filter>
    <filter-name>SpnegoHttpFilter</filter-name>
    <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>
    <init-param>
        <param-name>spnego.allow.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.localhost</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.allow.unsecure.basic</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.client.module</param-name>
        <param-value>spnego-client</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.krb5.conf</param-name>
        <param-value>krb5.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.conf</param-name>
        <param-value>login.conf</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.username</param-name>
        <param-value>[user]</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.preauth.password</param-name>
        <param-value>[pass]</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.login.server.module</param-name>
        <param-value>spnego-server</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.prompt.ntlm</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>spnego.logger.level</param-name>
        <param-value>1</param-value>
    </init-param>
</filter>
So here the preauth creds are being directly provided to the mechanism to perform the authentication for the server. From my understanding, once the server authorizes with the KDC, it will be given a Ticket Granting Ticket and so it would not have to be done interactively. It is just done once at startup and everyone else simply calls the server's services and it then authenticates/authorizes them itself using its TGT.
As for the guides I've been using, I have been piecing together bits from various places. Here are some I've been using: Negotiation User Guide (out of date, I think?), How to implement Kerberos authentication with a Simple REST Web App, How to Setup SSO with Kerberos - Red Hat Customer Portal, Does WildFly support SPNego Authentication?
So I'm kind of all over the place trying to do what I wanted. Not sure if that answered all of your questions though. Please let me know if there is more you need to look at.
Thanks!
-
3. Re: How to use SPNEGO auth without keytab
mchoma Jun 23, 2017 1:40 AM (in response to kmark)
I think I understand now. No, you cannot specify the ticket password in plaintext. This limitation is inherited from the JAAS Krb5LoginModule [1], which is used under the hood and does not allow this.
[1] Krb5LoginModule (Java Authentication and Authorization Service)
-
4. Re: How to use SPNEGO auth without keytab
kmark Jun 23, 2017 10:02 AM (in response to mchoma)
That's quite unfortunate, but then again, I understand it's much more secure and really the way to go if you want to code this. I'm curious though: the SPNEGO HTTP filter injects the creds through a CallbackHandler within the Krb5LoginModule. Do you know how to get a CallbackHandler injected into the login module? I can go that route instead. The only other thing I am finding is that you have to create another login module to update a shared state map and let it use that. Is that right, or is there an easier way?
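The CallbackHandler route asked about in the last post, as an added example that is not code from either poster or from the SPNEGO filter project: a plain JAAS CallbackHandler that answers Krb5LoginModule's name and password prompts from values loaded at startup, driven through a LoginContext. The JAAS entry name "spnego-server" and the principal are assumptions; the Krb5LoginModule options shown (isInitiator, storeKey, useKeyTab, doNotPrompt) are the standard JDK ones.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Assumed login.conf entry (acceptor side: no keytab, key derived from the password
// and kept in the Subject so GSS-API can accept service tickets):
//
//   spnego-server {
//       com.sun.security.auth.module.Krb5LoginModule required
//           isInitiator=false storeKey=true useKeyTab=false doNotPrompt=false;
//   };
public final class ConfiguredCredentialsHandler implements CallbackHandler {
    private final String principal;   // e.g. HTTP/jboss.org@JBOSS.ORG (assumed)
    private final char[] password;    // loaded from protected config, never hard-coded

    public ConfiguredCredentialsHandler(String principal, char[] password) {
        this.principal = principal;
        this.password = password.clone();
    }

    // Krb5LoginModule asks for the name and password through these two callbacks
    // when doNotPrompt=false and no keytab is in use.
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(principal);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                throw new UnsupportedCallbackException(cb, "only name/password are handled");
            }
        }
    }

    // Runs the JAAS login once at startup; the returned Subject carries the
    // service key that the SPNEGO acceptor uses for every incoming request.
    public static Subject loginServer(String jaasEntry, String principal, char[] password)
            throws LoginException {
        ConfiguredCredentialsHandler handler = new ConfiguredCredentialsHandler(principal, password);
        LoginContext lc = new LoginContext(jaasEntry, handler);
        lc.login();
        Arrays.fill(handler.password, '\0'); // scrub the copy once the module holds the key
        return lc.getSubject();
    }
}
```

A keytab (useKeyTab=true, keyTab=...) replaces the password with a file-protected key, which is why the other posts point to it as the supported path.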