[Freeipa-devel] Kerberos implementation issues

Dmitri Pal dpal at redhat.com
Tue Jun 21 22:28:36 UTC 2011


On 06/21/2011 06:06 PM, Pete Zaitcev wrote:
> Dear Sumit:
>
> I heard from Mike Orazi that Dmitry recommended you as an expert in
> Kerberos issues. I am working on adding authentication/authorization
> to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented
> with GNU Microhttpd. The general plan is to use FreeIPA as the
> auth provider, but for now I have a different question: what protocol
> should I implement for HTTP transactions?
>
> The client is expected to use Kerberos to obtain a session ticket,
> and something like that happens on the server as well. Then, the HTTP
> is authenticated and authorized.
>
> So far, I gather that so-called "SPNEGO" protocol is what everyone
> uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121).
> There's also a "Kerberos on Windows" thing (4559), which actually
> defines the key pieces such as "WWW-Authenticate: Negotiate".
>
> The one strange thing though is that curl seems to imply having a
> support for "Negotiate" authentication type separate from SPNEGO.
> Fedora, while being the main target for FreeIPA, ships curl without
> SPNEGO. So, I suspect that I may be missing a protocol to implement.
>
> Yours,
> -- Pete
SPNEGO is the MSFT flavor of the negotiation protocol.
http://en.wikipedia.org/wiki/SPNEGO
I do not remember the details, but it is different from "Negotiate",
which is the pure GSSAPI with Kerberos that is used everywhere in Fedora
and RHEL.

What web server are you using? This is mostly something that is handled
outside the application, by the web server itself.
For example, with Apache you can use/configure mod_auth_kerb, and if the client
is configured to negotiate Kerberos and the Apache server has a keytab
and a service principal (name) in the KDC (FreeIPA), you are all set.
This is how the Katello prototype has been set up.

So the point is that you do not need to implement the Kerberos
negotiation; the web server should do it for you. Katello is currently
set up with the Apache server in proxy mode, so that it does the
negotiation and then proxies the traffic to the actual app.

The transactions would require state. You can try to do something that
we are planning to do in IPA to reduce the cost of the re-negotiation on
every request: we plan to use a cookie. But it all depends on what your
transactions are for. Do they define the "commit" boundaries, or are they
just there to reduce renegotiation?

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
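A way to see concretely what the "Negotiate" versus SPNEGO distinction in the thread amounts to on the wire: under RFC 4559 the `Authorization: Negotiate <base64>` header carries a GSS-API initial context token, and the first OID inside that token says whether it is an SPNEGO NegTokenInit (OID 1.3.6.1.5.5.2, whose mechTypes list enumerates the mechanisms the client is offering) or a bare Kerberos V5 token (OID 1.2.840.113554.1.2.2), which is what a GSSAPI client gets when it calls the Kerberos mechanism directly. The following Python is an added example written for this page, not code from the thread, FreeIPA, iwhd or mod_auth_kerb. It parses only the DER framing (a server-side diagnostic for logging what kind of credential a client sent); the Kerberos AP-REQ body in the sample token is a constructed placeholder, and both sample headers are constructed here. The OID decoder assumes the first arc is 0, 1 or 2 with a second arc below 40, which holds for every mechanism OID listed.

```python
import base64

# Mechanism OIDs that appear inside HTTP "Negotiate" tokens (RFC 4559, RFC 4178, RFC 4121).
KNOWN_MECHS = {
    "1.3.6.1.5.5.2": "SPNEGO (NegTokenInit wrapper)",
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy Microsoft OID)",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}

def encode_oid(dotted):
    """DER-encode the content octets of an OBJECT IDENTIFIER (first arc 0..2, second arc < 40)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last octet
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def decode_oid(raw):
    """Inverse of encode_oid; rejects a sub-identifier cut off mid-way."""
    arcs, val, pending = [raw[0] // 40, raw[0] % 40], 0, False
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(map(str, arcs))

def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def parse_tlv(buf, pos=0):
    """Return (tag, content, position after the element). Every length is checked
    against the buffer so a short or malformed token raises instead of over-reading."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV content runs past end of token")
    return tag, buf[pos:end], end

def iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, content, pos = parse_tlv(buf, pos)
        yield tag, content

def inspect_negotiate_header(header_value):
    """Classify the credential in an 'Authorization: Negotiate <base64>' header value.
    Returns {'mech': outer mechanism OID, 'name': ..., 'offered': [OIDs]}; 'offered' is
    the SPNEGO mechTypes list and is empty for a bare Kerberos token."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate credential")
    raw = base64.b64decode(b64.strip(), validate=True)
    if raw.startswith(b"NTLMSSP\x00"):
        # some clients send a bare NTLM message under the Negotiate scheme, unframed
        return {"mech": None, "name": "raw NTLMSSP (no GSS-API framing)", "offered": []}
    tag, content, _ = parse_tlv(raw)
    if tag != 0x60:                      # [APPLICATION 0] InitialContextToken, RFC 2743 3.1
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid_raw, pos = parse_tlv(content)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    mech = decode_oid(oid_raw)
    result = {"mech": mech, "name": KNOWN_MECHS.get(mech, "unknown"), "offered": []}
    if mech == "1.3.6.1.5.5.2":
        # NegotiationToken CHOICE { negTokenInit [0] SEQUENCE { mechTypes [0] SEQUENCE OF OID, ... } }
        choice_tag, neg_init_raw, _ = parse_tlv(content, pos)
        if choice_tag != 0xA0:
            raise ValueError("first SPNEGO token is not a NegTokenInit")
        _, fields, _ = parse_tlv(neg_init_raw)
        for ftag, fcontent in iter_tlvs(fields):
            if ftag == 0xA0:
                _, mech_list, _ = parse_tlv(fcontent)
                result["offered"] = [decode_oid(c) for t, c in iter_tlvs(mech_list) if t == 0x06]
    return result

# Constructed sample tokens: only the framing is real, the AP-REQ body is a placeholder.
def build_gss_token(mech_oid, inner):
    return der_tlv(0x60, der_tlv(0x06, encode_oid(mech_oid)) + inner)

def build_spnego_init(mech_oids):
    mech_list = der_tlv(0x30, b"".join(der_tlv(0x06, encode_oid(o)) for o in mech_oids))
    return build_gss_token("1.3.6.1.5.5.2", der_tlv(0xA0, der_tlv(0x30, der_tlv(0xA0, mech_list))))

RAW_KRB5_HEADER = "Negotiate " + base64.b64encode(
    build_gss_token("1.2.840.113554.1.2.2", b"\x01\x00" + b"<placeholder AP-REQ>")).decode()
SPNEGO_HEADER = "Negotiate " + base64.b64encode(build_spnego_init(
    ["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2", "1.3.6.1.4.1.311.2.2.10"])).decode()
```

Running `inspect_negotiate_header` on the two constructed headers reports the bare Kerberos token with an empty offered list and the SPNEGO token with its three offered mechanisms. A server that only fronts the Negotiate scheme with one of the two framings will reject the other kind of client, which is the practical reason to let the web server's GSSAPI module handle the handshake rather than hand-rolling it in the application.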
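The cookie idea at the end of the reply (do the GSSAPI handshake once, then let a session cookie stand in for it on later requests) is sketched below as an added example; it is not FreeIPA's or Katello's implementation, and the cookie name `ipa_session`, its format, the 600-second lifetime and the `fake_accept` stand-in for the GSSAPI accept step are all assumptions made for the example. The cookie is an HMAC-signed, expiring assertion of the principal the handshake produced, which keeps the state question the reply raises simple: expiry only bounds how long renegotiation is skipped, it says nothing about transaction commit boundaries.

```python
import base64, hashlib, hmac, json, secrets

COOKIE_NAME = "ipa_session"   # assumed name for this example

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_session_cookie(key, principal, now, ttl=600):
    """Bind the principal the GSSAPI exchange just established to a short-lived
    HMAC-SHA256 signed cookie, so following requests can skip the Negotiate round trip."""
    payload = {"p": principal, "exp": now + ttl, "n": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(mac)

def verify_session_cookie(key, cookie, now):
    """Return the principal if the cookie is authentic and unexpired, otherwise None.
    The MAC is checked in constant time before the payload is even parsed."""
    body, sep, mac_text = cookie.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(mac_text)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:                      # bad base64, bad JSON, bad UTF-8
        return None
    if now >= payload.get("exp", 0):
        return None
    return payload.get("p")

def handle_request(headers, key, now, accept_gss_token):
    """Per-request policy: valid cookie -> authenticated without GSSAPI; else a
    Negotiate credential is handed to accept_gss_token (a stand-in for the GSSAPI
    accept_sec_context step that mod_auth_kerb performs in a real deployment) and,
    on success, a fresh cookie is issued; else challenge. Returns (status, principal, headers)."""
    for part in headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == COOKIE_NAME:
            principal = verify_session_cookie(key, value, now)
            if principal:
                return 200, principal, {}
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme == "Negotiate" and token:
        principal = accept_gss_token(token.strip())
        if principal:
            cookie = mint_session_cookie(key, principal, now)
            return 200, principal, {
                "Set-Cookie": f"{COOKIE_NAME}={cookie}; Secure; HttpOnly; SameSite=Strict"}
    return 401, None, {"WWW-Authenticate": "Negotiate"}

# Constructed stand-in for the GSSAPI accept step: one "valid" token maps to one principal.
def fake_accept(token_b64):
    return "pete@EXAMPLE.COM" if token_b64 == "VmFsaWRUb2tlbg==" else None

def demo():
    """Walk one client through challenge, handshake, cookie reuse and cookie expiry."""
    key = b"\x00" * 32   # constructed; a real server uses a random per-server secret
    statuses = []
    status, _, _ = handle_request({}, key, 1000, fake_accept)
    statuses.append(status)                                        # 401 + challenge
    status, who, resp = handle_request(
        {"Authorization": "Negotiate VmFsaWRUb2tlbg=="}, key, 1000, fake_accept)
    statuses.append(status)                                        # 200 + Set-Cookie
    cookie = resp["Set-Cookie"].split(";")[0]
    status, who2, _ = handle_request({"Cookie": cookie}, key, 1300, lambda t: None)
    statuses.append(status)                                        # 200, GSSAPI not consulted
    status, _, _ = handle_request({"Cookie": cookie}, key, 1700, lambda t: None)
    statuses.append(status)                                        # 401, cookie expired
    return statuses, who, who2
```

The cookie is only as strong as the channel it travels on, so the `Secure` and `HttpOnly` attributes and TLS are part of the design, not decoration; the short lifetime limits how long a captured cookie is useful, and the server-side key must never leave the server. Anything stronger (revocation, binding to the TLS session) needs server-side session storage, which is exactly the state the reply says transactions would require.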
