Kerberos Authentication question(s)

Albert C. Baker III albert at voltage.com
Wed Jun 24 14:07:50 EDT 2015


I am using the Java class org.apache.hadoop.security.
authentication.server.AuthenticationFilter from Apache 
Hadoop 2.5.0 as a filter in front of a Tomcat 6 Servlet we 
wish to add Kerberos authentication to.

I am attempting to write some test cases against this filter 
so that we have a better understanding of how it 
works and what it does.  

In order for the filter to authenticate a user, it is reading the 
'Authorization' header of the HTTP request, 
expecting the value to contain 'Negotiate <base64 encoded data>'.

My understanding of how Kerberos works leads me to believe that I 
should be able to write code while creating my 
HTTP request that looks something like this:

  import java.io.File;
  import javax.security.auth.kerberos.KerberosKey;
  import javax.security.auth.kerberos.KerberosPrincipal;
  import javax.security.auth.kerberos.KeyTab;
  import org.apache.commons.codec.binary.Base64;

  // normally the server principal keytab is not available from the client side,
  // but for the purpose of making test cases I see no problem with sharing the keytab
  // between the client side and the server side
  // (KeyTab.getInstance takes a File and getKeys takes a KerberosPrincipal, not a String)
  KeyTab kt = KeyTab.getInstance(new File("keytab"));
  KerberosKey[] keys = kt.getKeys(
      new KerberosPrincipal("HTTP/voltage-pp-0000.albert.int@ALBERTS.INT"));

  SomeTokenType token = new SomeTokenType();
  <code to set token parameters>

  // my understanding of Kerberos is that the only cyphertext key needed on this token
  // is one of the server principal's keys from the Keytab file (which does contain ~5
  // keys of different sizes and types, I've checked)
  EncryptedTokenType etoken = <encrypt token with a key from keys>
  byte[] array = etoken.getBytes();

  // encodeToString() is needed here: encode(byte[]) returns a byte[], and concatenating
  // that onto a String would produce "[B@..." rather than the base64 text
  httprequest.addHeader("Authorization", "Negotiate " + new Base64(0).encodeToString(array));

So, questions here:
  1) What is the Java Class that embodies the Kerberos Auth Token sent
     in "Authorization Negotiate"?
  2) What fields of that auth token have to be set to what values?
  3) What is the encryption algorithm used to encrypt the auth token
     against the keytab key?
  4) What is the best keytab key to use?
  5) What is the mechanism for byte-serializing the auth token, once
     encrypted?

I have done significant research on the internet, and have found no
answer to this, and exploring the source code available leads into
some very complex interactions between interfaces and implementations
thereof...

Any leads on how to figure this out would be greatly appreciated!
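As an added example that is not part of the original post or of the Hadoop filter's own code: the standard way a Java client produces the 'Authorization: Negotiate' value is through JGSS, which obtains the service ticket from the KDC under the caller's own Kerberos credentials and emits the SPNEGO-wrapped AP-REQ as an opaque byte[], so the client side never needs the server's keytab. It assumes a JAAS configuration entry named "TestClient" (a hypothetical name) that logs the test user in with Krb5LoginModule, and uses the service principal from the post.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

public class NegotiateHeaderExample {

    // SPNEGO pseudo-mechanism OID (RFC 4178); the filter expects this wrapping,
    // not a bare Kerberos AP-REQ
    private static final Oid SPNEGO_MECH = oid("1.3.6.1.5.5.2");

    // Service principal from the post; must match the key in the server's keytab
    static final String SERVICE_PRINCIPAL = "HTTP/voltage-pp-0000.albert.int@ALBERTS.INT";

    private static Oid oid(String s) {
        try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); }
    }

    // Builds the first (and, for Kerberos, usually only) client token of the
    // SPNEGO exchange. Must be called while a Kerberos-authenticated Subject
    // is current, because JGSS takes the TGT from that Subject's private credentials.
    public static String buildNegotiateHeader(String servicePrincipal) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSName serverName = manager.createName(servicePrincipal, GSSName.NT_USER_NAME);
        GSSContext ctx = manager.createContext(
                serverName, SPNEGO_MECH, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // server must prove it holds the keytab key
        ctx.requestCredDeleg(false);   // do not forward the user's TGT to the server
        try {
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            return "Negotiate " + Base64.getEncoder().encodeToString(token);
        } finally {
            ctx.dispose();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed JAAS entry "TestClient" (Krb5LoginModule, e.g. useTicketCache=true
        // or a client keytab); selected via -Djava.security.auth.login.config=...
        LoginContext lc = new LoginContext("TestClient");
        lc.login();
        String header = Subject.doAs(lc.getSubject(),
                (PrivilegedExceptionAction<String>) () -> buildNegotiateHeader(SERVICE_PRINCIPAL));
        System.out.println("Authorization: " + header);
    }
}
```

The header value is what a test harness can place on its HttpRequest; the filter validates it against the server keytab, and with mutual authentication requested a correct server answers with its own 'WWW-Authenticate: Negotiate <token>' that the client can feed back into initSecContext to finish the handshake.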
