Kerberos Authentication question(s)
Albert C. Baker III
albert at voltage.com
Wed Jun 24 14:07:50 EDT 2015
I am using the Java class org.apache.hadoop.security.authentication.server.AuthenticationFilter from Apache Hadoop 2.5.0 as a filter in front of a Tomcat 6 Servlet we wish to add Kerberos authentication to.

I am attempting to write some test cases against this filter so that we have a better understanding of how it works and what it does.
In order for the filter to authenticate a user, it is reading the 'Authorization' header of the HTTP request, expecting the value to contain 'Negotiate <base64 encoded data>'.

My understanding of how Kerberos works leads me to believe that I should be able to write code while creating my HTTP request that looks something like this:
// normally the server principal keytab is not available from the client side,
// but for the purpose of making test cases I see no problem with sharing the keytab
// between the client side and the server side
javax.security.auth.kerberos.KeyTab kt = KeyTab.getInstance(new java.io.File("keytab"));
KerberosKey[] keys = kt.getKeys(new KerberosPrincipal("HTTP/voltage-pp-0000.albert.int@ALBERTS.INT"));
SomeTokenType token = new SomeTokenType();
<code to set token parameters>
// my understanding of Kerberos is that the only ciphertext key needed on this token
// is one of the server principal's keys from the Keytab file (which does contain ~5
// keys of different sizes and types, I've checked)
EncryptedTokenType etoken = <encrypt token with a key from keys>
byte[] array = etoken.getBytes();
// commons-codec: encodeToString() gives the text form; encode() would return a byte[]
httprequest.addHeader("Authorization", "Negotiate " + new Base64(0).encodeToString(array));
So, questions here:

1) What is the Java Class that embodies the Kerberos Auth Token sent in "Authorization Negotiate"?
2) What fields of that auth token have to be set to what values?
3) What is the encryption algorithm used to encrypt the auth token against the keytab key?
4) What is the best keytab key to use?
5) What is the mechanism for byte-serializing the auth token, once encrypted?
I have done significant research on the internet, and have found no answer to this, and exploring the source code available leads into some very complex interactions between interfaces and implementations thereof...

Any leads on how to figure this out would be greatly appreciated!
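In Java the "Negotiate" token is neither hand-assembled nor encrypted by the caller: the JDK's GSS-API (org.ietf.jgss) requests the service ticket, encrypts the AP-REQ and serializes the SPNEGO token, so the client needs only its own credentials and the server keytab stays on the server side, where acceptSecContext checks the token. The following is an added example, not code from the original post or from Hadoop's filter, showing both halves of that exchange. It assumes a reachable KDC and krb5.conf, and a JAAS configuration file (java.security.auth.login.config) with two assumed entries, "TestClient" (Krb5LoginModule with a client keytab) and "TestServer" (Krb5LoginModule with the HTTP/... service keytab and storeKey=true); the principal name in the comment is a placeholder.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
public class SpnegoRoundTrip {
    // Well-known OIDs: the SPNEGO mechanism (RFC 4178) and the Kerberos V5 principal name type.
    static final Oid SPNEGO = oid("1.3.6.1.5.5.2");
    static final Oid KRB5_PRINCIPAL_NAME = oid("1.2.840.113554.1.2.2.1");
    static Oid oid(String s) { try { return new Oid(s); } catch (GSSException e) { throw new IllegalStateException(e); } }

    // Client side: log in through the assumed JAAS entry "TestClient" (Krb5LoginModule with a
    // client keytab) and build the initial SPNEGO token for e.g. "HTTP/host.example@EXAMPLE.COM".
    static String negotiateHeader(String servicePrincipal) throws Exception {
        LoginContext lc = new LoginContext("TestClient");
        lc.login();                                  // TGT from the KDC; service ticket fetched below
        byte[] token = Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSName server = gm.createName(servicePrincipal, KRB5_PRINCIPAL_NAME);
            GSSContext ctx = gm.createContext(server, SPNEGO, null, GSSContext.DEFAULT_LIFETIME);
            byte[] out = ctx.initSecContext(new byte[0], 0, 0); // AP-REQ wrapped in a NegTokenInit
            ctx.dispose();
            return out;
        });
        return "Negotiate " + Base64.getEncoder().encodeToString(token);
    }

    // Server side: log in through the assumed JAAS entry "TestServer" (Krb5LoginModule with the
    // HTTP/... service keytab, storeKey=true), accept the token and return the client principal.
    static String acceptNegotiateHeader(String headerValue) throws Exception {
        if (!headerValue.startsWith("Negotiate ")) throw new IllegalArgumentException("not SPNEGO");
        byte[] token = Base64.getDecoder().decode(headerValue.substring("Negotiate ".length()));
        LoginContext lc = new LoginContext("TestServer");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<String>) () -> {
            GSSManager gm = GSSManager.getInstance();
            GSSCredential acceptor = gm.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    SPNEGO, GSSCredential.ACCEPT_ONLY);
            GSSContext ctx = gm.createContext(acceptor);
            ctx.acceptSecContext(token, 0, token.length);   // ticket decrypted with the keytab key
            if (!ctx.isEstablished()) throw new SecurityException("SPNEGO context not established");
            String client = ctx.getSrcName().toString();
            ctx.dispose();
            return client;
        });
    }
}
```

A test case can call negotiateHeader() to build the header the filter expects and acceptNegotiateHeader() to confirm what a correct server-side check yields, without copying the service keytab to the client.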
More information about the Kerberos mailing list