Kerberos protocol transition for linux?

Michael B Allen ioplex at gmail.com
Wed Nov 19 14:24:29 EST 2008


On Wed, Nov 19, 2008 at 11:45 AM, S2 <some.r at ndom.mail.invalid> wrote:
> Michael B Allen wrote:
>> If you have PHP see the link in my sig about Plexcel. It certainly
>> could do what you describe.
>
> The back end services are a mix of Java, .NET, php and rails apps (on
> windows and on linux servers), so the proxy should be language
> independent and not require a module on the application server side.
> I am not sure I understood from the pdf how Plexcel works.
> All application servers can already speak SPNEGO, so that should be used
> to forward the Kerberos credentials over HTTP (I did read SPNEGO on that
> page, but I am not sure how it is used).
> So what we would like to do is (fixed font required):
>
>    O
>   \|/          +-------------+         +-------------------+
>    |  -------> | Magic proxy | ------> | Protected Service |
>   / \   HTTP   +-------------+ SPNEGO  +-------------------+
>  User                ^
> from the             |
> Internet             |
>                      v
>                   +-----+
>                   | KDC |
>                   +-----+
>
> Do you think Plexcel could be the "Magic Proxy" Box?

Actually yes, I think Plexcel would work quite well for this.

Basically you would just write a PHP script that presented a logon
form and then used plexcel_logon [1] to associate the TGT with the
user's session ID. You'll need to use the putenv_krb5ccname option
with plexcel_new [2] so that the TGT is saved in a ccache file in the
plexcel/tmp directory. Once you have their TGT in a ccache file, you
can use an SPNEGO capable HTTP client like the cURL extension. In the
plexcel/examples directory, there's actually an example script that
uses the delegated TGT to query another SPNEGO protected page using
cURL (note that unlike Plexcel, using cURL to do SPNEGO requires a
valid local /etc/krb5.conf). Then you just need to look at the
hostname (or whatever you're using to address second tier requests),
build a cURL request with the original request input, send it to the
corresponding service and redirect the output of cURL back to the
client. Plexcel would also allow you to add nice access control at the
proxy level.

Note that you'll be invoking a PHP script with each request. Even
though Plexcel is fast and SPNEGO with the second tier is the elephant
in the room, a raw pure C proxy like Squid would give you better
throughput (albeit with less flexibility). In practice I think your
level of awareness wrt protocol details like pipelining, chunked
responses, etc. will be important to the real-world performance of the
solution. But at the very least, building your "Magic Proxy" with
Plexcel would be an easy way to determine if it is possible and how it
can be done in an optimal way. Then you can worry more about
performance.

Your "Magic Proxy" idea is actually very interesting. One nice thing
about it is that I suspect the script itself should be no more than a
few hundred lines of code in one file. If it really works, send it my
way and maybe I'll tweak it up and support it like the Plexcel plugins
for Joomla! and MediaWiki (note these plugins are good examples of how
to use Plexcel correctly).

[1] http://www.ioplex.com/api/plexcel_logon.html
[2] http://www.ioplex.com/api/plexcel_new.html

>> PS: The '.invalid' address in your email actually stops gmail from
>> sending directly to you. You might want to try a valid TLD.
>
> That email account is not valid anyway.

I know but I'm saying gmail actually pops up a dialog that complains
the address is invalid. I have to actually remove the bogus address
before I can send. If you used @ndom.mail.invalid.net you might
improve your chances of getting responses.

Also we're drifting off topic with this thread. Contact me directly
with your real address if you have any further questions.

Mike

-- 
Michael B Allen
PHP Active Directory SPNEGO SSO
http://www.ioplex.com/
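The forwarding half of the "Magic Proxy" sketched in the reply above, as an added example written for this page; it is not code from the original post, from Plexcel or from its examples directory. It assumes the logon step (plexcel_logon with the putenv_krb5ccname option, as the reply describes) has already saved the user's TGT to a ccache file and stored that file's path in $_SESSION['krb5ccname']; that session key, the back-end hostnames, the Plexcel install path and the header list are all assumptions of the example. Only PHP's cURL extension is used, so no Plexcel function signatures are assumed.

```php
<?php
// Added example, not part of the original post or of Plexcel. Requires a
// valid /etc/krb5.conf on the proxy host (cURL reads it; Plexcel does not).

session_start();

// Public hostname the user addressed -> SPNEGO-protected back end (assumed
// names). An explicit allowlist keeps the proxy from becoming an open relay
// into the intranet, and keeps the user's TGT from being presented to any
// service the proxy was never meant to front.
$backends = [
    'wiki.example.com'  => 'https://wiki-internal.corp.example',
    'rails.example.com' => 'https://rails01.corp.example',
];

// Request headers that must not be copied through: hop-by-hop headers, the
// proxy's own session cookie, and any Authorization header the client sent
// (the back end must only see the Negotiate token cURL builds from the ccache).
$dropHeaders = ['host', 'connection', 'keep-alive', 'proxy-authorization',
    'te', 'trailer', 'transfer-encoding', 'upgrade', 'content-length',
    'authorization', 'cookie', 'accept-encoding'];

function forwardRequest(string $method, string $uri, array $headers,
                        string $body, string $ccache, string $target): array
{
    // libcurl's GSSAPI code reads the cache named by KRB5CCNAME, so every
    // forwarded request is bound to this user's TGT and nobody else's.
    putenv('KRB5CCNAME=FILE:' . $ccache);

    $ch = curl_init($target . $uri);
    $opts = [
        CURLOPT_CUSTOMREQUEST  => $method,
        CURLOPT_HTTPAUTH       => CURLAUTH_GSSNEGOTIATE,
        CURLOPT_USERPWD        => ':',   // libcurl needs a (dummy) user for Negotiate
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER         => true,
        CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
    ];
    if ($body !== '') {
        $opts[CURLOPT_POSTFIELDS] = $body;
    }
    curl_setopt_array($ch, $opts);
    $raw = curl_exec($ch);
    if ($raw === false) {
        curl_close($ch);
        return ['status' => 502, 'type' => 'text/plain', 'body' => 'upstream error'];
    }
    $status     = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $headerSize = curl_getinfo($ch, CURLINFO_HEADER_SIZE);
    $type       = curl_getinfo($ch, CURLINFO_CONTENT_TYPE) ?: 'application/octet-stream';
    curl_close($ch);
    return ['status' => $status, 'type' => $type, 'body' => substr($raw, $headerSize)];
}

// --- per-request handling ----------------------------------------------------
$host = $_SERVER['HTTP_HOST'] ?? '';
if (!isset($backends[$host]) || empty($_SESSION['krb5ccname'])) {
    http_response_code(403);   // unknown front-end host, or user not logged on
    exit;
}

// Accept only a ccache that really lives in Plexcel's tmp directory, so a
// tampered session value cannot point cURL at some other credential cache.
$tmpDir = realpath('/usr/local/plexcel/tmp');   // assumed install path
$ccache = realpath($_SESSION['krb5ccname']);
if ($tmpDir === false || $ccache === false || strpos($ccache, $tmpDir . '/') !== 0) {
    http_response_code(403);
    exit;
}

$headers = [];
foreach (getallheaders() as $name => $value) {
    if (!in_array(strtolower($name), $dropHeaders, true)) {
        $headers[] = $name . ': ' . $value;
    }
}

$resp = forwardRequest($_SERVER['REQUEST_METHOD'], $_SERVER['REQUEST_URI'],
                       $headers, file_get_contents('php://input'),
                       $ccache, $backends[$host]);
http_response_code($resp['status']);
header('Content-Type: ' . $resp['type']);
echo $resp['body'];
```

Two things the reply's performance remarks hint at show up directly here: cURL's Negotiate handling costs an extra round trip per request (the initial 401 challenge, then the retry carrying the token), and the script buffers the whole upstream response before echoing it, so chunked or streamed back-end responses are not passed through as such. Dropping the client's Cookie header also means back-end session cookies never reach the browser; a real deployment would keep a per-user cookie jar on the proxy side instead.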
