Re: [Freeipa-devel] Kerberos implementation issues
Alexander Bokovoy wrote:
> On 22.06.2011 20:30, Simo Sorce wrote:
>>>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help. https://github.com/zenchild/gssapi/wiki
>>> If only iwhd were written in Ruby rather than C.
>> Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, shouldn't be too much work, the crypto details are handled by libgssapi anyways.
> That seems to be a common case -- at least for nginx people did go the same way: https://github.com/fintler/nginx-mod-auth-kerb

Thanks to both of you for the tips.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] Kerberos implementation issues
On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
> On Tue, 21 Jun 2011 18:28:36 -0400
> Dmitri Pal d...@redhat.com wrote:
>
> Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.
>
>>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd.
>>> [...]
>>> So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>>
>> What web server are you using? It is mostly something that is used outside the application by the web server itself.
>
> As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.

According to http://www.gnu.org/software/libmicrohttpd/ there is only "Support for basic and digest authentication (optional)". As Dmitri already mentioned there is mod_auth_kerb for Apache which offers the Negotiate. It does GSSAPI but can handle SPNEGO as well and can authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is basically used to choose between GSSAPI or NTLMSSP). As long as the GNU Microhttpd library does not support at least GSSAPI (but SPNEGO would be important for Windows clients), or can use Apache's mod_auth_kerb somehow, I would recommend, like Dmitri, to use an Apache in front of iwhd and let Apache forward the principal of the authenticated user in e.g. the X_FORWARDED_USER header variable.

>> Like with Apache you can use/configure mod_auth_kerb and if the client is configured to negotiate kerberos and the apache server has a keytab and a service principal (name) in KDC (freeIPA) you are all set. This is how the Katello prototype has been set up.
>
> I see, the vital part here is the need to register the service principal with the KDC. I was wondering about that too.

Yes, both the client/user principal and the service principal must be known to the KDC so that both can trust each other. With freeIPA every user automatically will have its own principal and every server added to the IPA domain (ipa-client-install or ipa host-add) gets a host principal host/fully.qualified.domain.name@YOUR.KERBEROS.REALM. For a web service you typically do not want to use the host principal but create one for the specific service, HTTP/fully.qualified.domain.name@YOUR.KERBEROS.REALM, with ipa service-add. If you don't have freeIPA but a plain KDC you have to use the kadmin utility to create the principals (and their keys).

HTH

bye,
Sumit

>> The transactions would require a state. You can try to do something that we are planning to do in IPA to reduce the cost of the re-negotiation on every request. We plan to use a cookie. But it all depends what your transactions are for. Do they define the commit boundaries or are they just to reduce renegotiation?
>
> I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually). Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.
>
> Thanks again,
> -- Pete
Re: [Freeipa-devel] Kerberos implementation issues
Sumit Bose wrote:
> On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote:
>> On Tue, 21 Jun 2011 18:28:36 -0400
>> Dmitri Pal d...@redhat.com wrote:
>>
>> Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.
>>
>>>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd.
>>>> [...]
>>>> So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>>>
>>> What web server are you using? It is mostly something that is used outside the application by the web server itself.
>>
>> As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.
>
> According to http://www.gnu.org/software/libmicrohttpd/ there is only "Support for basic and digest authentication (optional)". As Dmitri already mentioned there is mod_auth_kerb for Apache which offers the Negotiate. It does GSSAPI but can handle SPNEGO as well and can authenticate an SPNEGO client if it can handle GSSAPI (SPNEGO is basically used to choose between GSSAPI or NTLMSSP). As long as the GNU Microhttpd library does not support at least GSSAPI (but SPNEGO would be important for Windows clients), or can use Apache's mod_auth_kerb somehow, I would recommend, like Dmitri, to use an Apache in front of iwhd and let Apache forward the principal of the authenticated user in e.g. the X_FORWARDED_USER header variable.

Unfortunately, replacing (in iwhd) an embedded component like libmicrohttpd may be er, ... challenging. iwhd can be configured as both server and client, and can use arbitrary port numbers, so deferring to Apache seems infeasible.

For example, one use case is to run two interconnected iwhd servers, one upstream and another downstream, as demonstrated in iwhd's t/replication test case. Even if we were to give up this functionality (currently not required by any iwhd client), requiring an additional, private-to-iwhd, kerb-enabled Apache server sounds like disproportionate overhead for an otherwise small daemon.

Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
Re: [Freeipa-devel] Kerberos implementation issues
On 06/21/2011 06:48 PM, Pete Zaitcev wrote:
> I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually). Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.

We will see what we will be able to come up with. Tickets to watch:
https://fedorahosted.org/freeipa/ticket/215
https://fedorahosted.org/freeipa/ticket/225

Both are in the Deferred bucket as there are no firm plans. We will see when we will be able to look into these tickets.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager
IPA project, Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-devel] Kerberos implementation issues
On Tue, 21 Jun 2011 18:28:36 -0400
Dmitri Pal d...@redhat.com wrote:

Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate. I'm looking for the definition of the latter.

>> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd.
>> [...]
>> So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>
> What web server are you using? It is mostly something that is used outside the application by the web server itself.

As I mentioned, iwhd relies on GNU Microhttpd library to implement a webserver.

> Like with Apache you can use/configure mod_auth_kerb and if the client is configured to negotiate kerberos and the apache server has a keytab and a service principal (name) in KDC (freeIPA) you are all set. This is how the Katello prototype has been set up.

I see, the vital part here is the need to register the service principal with the KDC. I was wondering about that too.

> The transactions would require a state. You can try to do something that we are planning to do in IPA to reduce the cost of the re-negotiation on every request. We plan to use a cookie. But it all depends what your transactions are for. Do they define the commit boundaries or are they just to reduce renegotiation?

I am somewhat disaffected with cookies, as they have a lot of weaknesses (usually). Certainly, turning around the 401 replies costs a lot, but until I know for myself that it cannot be avoided (by posting Authenticate header preventively), I am going to examine the facts a little more. However, if FreeIPA team comes up with standard way to keep tickets in cookies, I would like to hear the details.

Thanks again,
-- Pete
Re: [Freeipa-devel] Kerberos implementation issues
> Dmitri Pal wrote:
>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help. https://github.com/zenchild/gssapi/wiki
> If only iwhd were written in Ruby rather than C.

Hm, I thought everything is written in Ruby nowadays :-) at least most of the cloud infrastructure services we integrate. Good to hear that something is still written in plain old C. Is there any architectural diagram and high level overview of the project that we can take a look at?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager
IPA project, Red Hat Inc.
Re: [Freeipa-devel] Kerberos implementation issues
Dmitri Pal wrote:
>> Dmitri Pal wrote:
>>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help. https://github.com/zenchild/gssapi/wiki
>> If only iwhd were written in Ruby rather than C.
> Hm, I thought everything is written in Ruby nowadays :-) at least most of the cloud infrastructure services we integrate. Good to hear that something is still written in plain old C. Is there any architectural diagram and high level overview of the project that we can take a look at?

Sure, http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt
Re: [Freeipa-devel] Kerberos implementation issues
On 06/22/2011 12:14 PM, Jim Meyering wrote:
> Sure, http://git.fedorahosted.org/git?p=iwhd.git;a=blob;f=doc/image_repo.odt

Does not open for me. I tried saving but it saves as a 0-byte doc.

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager
IPA project, Red Hat Inc.
Re: [Freeipa-devel] Kerberos implementation issues
On Wed, 2011-06-22 at 16:18 +0200, Jim Meyering wrote:
> Dmitri Pal wrote:
>> On 06/22/2011 07:44 AM, Jim Meyering wrote:
>>> Our best bet may be to find an embeddable httpd server that supports GSSAPI. Do any of you know of one?
>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help. https://github.com/zenchild/gssapi/wiki
> If only iwhd were written in Ruby rather than C.

Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, shouldn't be too much work, the crypto details are handled by libgssapi anyways.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] Kerberos implementation issues
On Wed, 22 Jun 2011 09:15:48 -0400
Jeff Darcy jda...@redhat.com wrote:

> (1) Have we definitively concluded that it's not possible to implement the pieces we need on top of the core libmicrohttpd code?

I hooked into rest.c:access_handler_0(), using MHD_lookup_connection_value and friends for now. Seems working, without SSL at least.

> (2) Has anyone tried looking at the libmicrohttpd code, or talking to the libmicrohttpd authors, to evaluate the feasibility of adding the features we need there?

No, I haven't. Actually once I'm done maybe we can send them a patch to implement Negotiate authentication.

-- Pete
Re: [Freeipa-devel] Kerberos implementation issues
Hi,

On 22.06.2011 20:30, Simo Sorce wrote:
>>> Quick search on the internet did not reveal any. I found a Ruby GSSAPI library if this is of any help. https://github.com/zenchild/gssapi/wiki
>> If only iwhd were written in Ruby rather than C.
> Maybe you can take mod_auth_kerb sources and adapt it for libmicrohttp, shouldn't be too much work, the crypto details are handled by libgssapi anyways.

That seems to be a common case -- at least for nginx people did go the same way: https://github.com/fintler/nginx-mod-auth-kerb

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] Kerberos implementation issues
On 06/21/2011 06:06 PM, Pete Zaitcev wrote:
> Dear Sumit:
>
> I heard from Mike Orazi that Dmitri recommended you as an expert in Kerberos issues.
>
> I am working on adding authentication/authorization to Image Warehouse (a.k.a. iwhd). It uses HTTP protocol, implemented with GNU Microhttpd. The general plan is to use FreeIPA as the auth provider, but for now I have a different question: what protocol should I implement for HTTP transactions? The client is expected to use Kerberos to obtain a session ticket, and something like that happens on the server as well. Then, the HTTP is authenticated and authorized.
>
> So far, I gather that so-called SPNEGO protocol is what everyone uses (RFC 4178). It relies on GSS-API (2743/2744) and Kerberos (4121). There's also a Kerberos on Windows thing (4559), which actually defines the key pieces such as WWW-Authenticate: Negotiate.
>
> The one strange thing though is that curl seems to imply having a support for Negotiate authentication type separate from SPNEGO. Fedora, while being the main target for FreeIPA, ships curl without SPNEGO. So, I suspect that I may be missing a protocol to implement.
>
> Yours,
> -- Pete

SPNEGO is the MSFT flavor of the negotiation protocol. http://en.wikipedia.org/wiki/SPNEGO
I do not remember the details but it is different from Negotiate, which is the pure GSSAPI with Kerberos that is used everywhere in Fedora and RHEL.

What web server are you using? It is mostly something that is used outside the application by the web server itself. Like with Apache you can use/configure mod_auth_kerb and if the client is configured to negotiate kerberos and the apache server has a keytab and a service principal (name) in KDC (freeIPA) you are all set. This is how the Katello prototype has been set up. So the point is that you do not need to implement the Kerberos Negotiation; the web server should do it for you.

Katello is currently set up with the Apache server in the proxy mode so that it does the negotiation and then proxies the traffic to the actual app.

The transactions would require a state. You can try to do something that we are planning to do in IPA to reduce the cost of the re-negotiation on every request. We plan to use a cookie. But it all depends what your transactions are for. Do they define the commit boundaries or are they just to reduce renegotiation?

-- 
Thank you,
Dmitri Pal
Sr. Engineering Manager
IPA project, Red Hat Inc.