Fwd: Queries for Kerb Auth using Certificates and KCD for linux Reverse Proxy

Russ Allbery eagle at eyrie.org
Tue Sep 1 11:32:55 EDT 2015


Amit Thukral <amit.thukral403 at gmail.com> writes:

> I am trying to implement kerberos authentication between clients and
> windows KDC using certificates.

> The product on which this needs to be implemented is a linux based
> reverse proxy.

> We have already integrated the MIT Kerberos libraries with it and are able
> to authenticate clients with Windows KDC.  i.e. we are able to get TGT
> on behalf of the client (by setting forwardable flag for AS Req), pass it
> back to the browser (client) and thus client authenticates using that
> ticket with servers protected behind our product.  But for this, as
> of now, when a user is trying to access a service protected behind our
> product, we prompt him with a login form where he enters his credentials,
> using which we call the krb5_get_init_creds_password API to send AS REQ and
> get TGT.

> Now, we want to achieve this using certificates.

If I'm understanding your problem description correctly, I'm not sure this
is possible.  To get Kerberos tickets from a certificate (aka PKINIT), the
client that has access to the certificate private key needs to do this
directly.  An intermediate cannot do this, since it doesn't have access to
the certificate private key.  So if you're trying to get the Linux reverse
proxy to do the authentication on behalf of the user, that isn't going to
work.

Anyway, assuming I'm wrong and you're actually doing the authentication in
the client, the short version is that you should call these two functions:

    /* c is the krb5_context, opts a krb5_get_init_creds_opt * from
     * krb5_get_init_creds_opt_alloc(); user/anchors are C strings */
    krb5_get_init_creds_opt_set_pa(c, opts, "X509_user_identity", user);
    krb5_get_init_creds_opt_set_pa(c, opts, "X509_anchors", anchors);

with an appropriate value for X509_user_identity and X509_pkinit_anchors,
respectively, and then do your krb5_get_init_creds_password call as normal
with a NULL password.  If the KDC offers PKINIT, the Kerberos libraries
should try PKINIT with the identity and anchors configured there.

-- 
Russ Allbery (eagle at eyrie.org)              <http://www.eyrie.org/~eagle/>