Request for kvno support #14

Open
JTBS opened this issue Jan 25, 2019 · 8 comments
JTBS commented Jan 25, 2019

Hi,

This node module is very useful.
I have a scenario to do Kerberos Constrained Delegation.
I see that this is available through the kvno tool, and the source is in the latest "krb5" repo.

Looks like you are already exposing kinit and other useful tools through node in this module.
Is there any plan, or can you please share a few pointers on how I can add support for kvno, so that I can do constrained delegation from my NodeJS REST API?

Thanks

Contributor

RReivax commented Jan 28, 2019

Hi,

If I understand correctly, you want to be able to reproduce a kvno -U delegated_user service from this module?

I can have a look, but basically, we need to bind the necessary functions from MIT Kerberos krb5 lib (like krb5_get_credentials_for_user) and implement a kvno function in the node.js library to expose it in the module.

Another way of doing so is to entirely code the kvno function in the C++ addon, and bind the function kvno directly without binding krb5 functions first, but this is not the approach we have been going for so far (but it can still be considered).

Author

JTBS commented Jan 29, 2019

Hi RReivax,

It would be really great if you could add this feature to the node module, just like you mentioned.
As of now I have just compiled the krb5 source https://github.com/krb5/krb5 and am just testing kvno.

Would it be possible to share any pointers, so that I can at least get this working locally with just a Linux/RHEL env, to verify our end-to-end scenarios? I can get the updated module once you are ready?

Thanks for getting back.

Contributor

RReivax commented Jan 31, 2019

Hi JTBS,

You can use a function like child_process.exec() to launch a bash command so that you can test your scenarios.

I started implementing a kvno function for this module, I will keep you updated.
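
Added example (not part of the thread or of the krb5 module): one way to shell out to kvno from a REST handler for the interim testing suggested above, using `execFile` with an argument array instead of `exec` with an interpolated command string, so a principal taken from a request cannot alter the command. The function names, the principal pattern, the assumption that `kvno` is on `PATH`, and the parsed output format are assumptions of this sketch.

```javascript
'use strict';
const { execFile } = require('node:child_process');

// Conservative principal syntax: name[/instance...][@REALM]. Each part must start
// with an alphanumeric, so a value can never be read by kvno as an option.
const PRINCIPAL_RE =
  /^[A-Za-z0-9][\w.-]*(\/[A-Za-z0-9][\w.-]*)*(@[A-Za-z0-9][A-Za-z0-9.-]*)?$/;

function checkPrincipal(value, label) {
  if (typeof value !== 'string' || value.length > 256 || !PRINCIPAL_RE.test(value)) {
    throw new TypeError(`invalid ${label}`);
  }
  return value;
}

// argv for: kvno [-c ccache] [-k keytab] [-U for_user] service
// ccache and keytab are expected to come from server configuration, not the request.
function buildKvnoArgs({ service, forUser, ccache, keytab }) {
  const args = [];
  if (ccache !== undefined) args.push('-c', String(ccache));
  if (keytab !== undefined) args.push('-k', String(keytab));
  if (forUser !== undefined) args.push('-U', checkPrincipal(forUser, 'forUser'));
  args.push(checkPrincipal(service, 'service'));
  return args;
}

// Assumed output format, one line per service: "<principal>: kvno = <n>"
function parseKvnoOutput(stdout) {
  const kvnos = {};
  for (const line of stdout.split('\n')) {
    const m = /^(\S+): kvno = (\d+)/.exec(line);
    if (m) kvnos[m[1]] = Number(m[2]);
  }
  return kvnos;
}

function runKvno(opts, callback) {
  let args;
  try { args = buildKvnoArgs(opts); } catch (err) { return callback(err); }
  // execFile hands argv straight to the binary: no shell, no metacharacter expansion.
  execFile('kvno', args, { timeout: 10000 }, (err, stdout) => {
    if (err) return callback(err);
    callback(null, parseKvnoOutput(stdout));
  });
}
```

The pattern is deliberately narrower than what Kerberos allows in principal names; widen it only for characters your realm actually uses.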

Author

JTBS commented Jan 31, 2019

RReivax,
It's really nice of you and I appreciate your work. Will share details with our team once you have an update.
Meanwhile, I will try what you suggested.
Thanks

@RReivax RReivax self-assigned this Jan 31, 2019
RReivax added a commit that referenced this issue Feb 1, 2019
* Only handle options:
  -c ccache (ccname option)
  -k keytab (keytab option)
Contributor

RReivax commented Feb 1, 2019

Hi JTBS,

I implemented a basic kvno function, but it doesn't handle constrained delegation (-U option of kvno), as I cannot find where the function krb5_get_credentials_for_user is defined. It is not in the krb5 API. Do you have any clue what file I should be including? I see it is part of the S4U2Self extension of Kerberos, but I couldn't find how to make it work.

(The current kvno function is not fully tested and may be unstable)

Author

JTBS commented Feb 4, 2019

Hi RReivax,
Below is a link that seems to have all the changes related to KDC option -U:
krb5/krb5@0e39f8a#diff-cf674a1028baa36e65b3d081c444f7d8

What version of the KRB5 source are you using?
I believe I got the source of 1.17 and was able to build/test the -U option, although it did not work towards the end due to KDC-side settings that I am checking:
https://web.mit.edu/kerberos/krb5-1.17/

Thanks again for all your effort on this.

Contributor

RReivax commented Feb 8, 2019

@JTBS I was compiling it using the installed libraries only, that is to say, the result of a make install of the downloaded source ( https://web.mit.edu/kerberos/krb5-1.17/ ), or using system package managers.
It makes it easier to use this module, as the only requirement is to install the libs (e.g. yum install krb5-devel && npm install krb5, and you are good to go).

I'll have to change the way the module is distributed for this feature. I can ship the krb5 lib tar.gz file (8,4M). I may also use prebuild and prebuild-install to distribute the addon already compiled. I'll look into it soon.

Author

JTBS commented Mar 8, 2019

Hi, I really appreciate all your effort and your taking this time. Nice of you.
Please let me know how to get your changes when ready.
We are planning to do full testing of this in our DEV env.
Have a nice weekend.
