Request for kvno support
JTBS opened this issue · 8 comments
Hi,
This node module is very useful.
I have a scenario to do Kerberos Constrained Delegation.
I see that this is available through the kvno tool and the source is in the latest "krb5" repo.
Looks like you are already exposing kinit and other useful tools through node in this module.
Is there any plan, or can you please share a few pointers on how I can add support for kvno, so that I can do constrained delegation from my NodeJS REST API?
Thanks
Hi,
If I understand correctly, you want to be able to reproduce a kvno -U delagated_user service from this module?
I can have a look, but basically, we need to bind the necessary functions from MIT Kerberos krb5 lib (like krb5_get_credentials_for_user) and implement a kvno function in the node.js library to expose it in the module.
Another way of doing so is to entirely code the kvno function in the C++ addon, and bind the function kvno directly without binding krb5 functions first, but this is not the approach we have been going for so far (but it can still be considered).
Hi RReivax,
That would be really great if you can add this feature to the node module just like you mentioned.
As of now I just compiled the krb5 source https://github.com/krb5/krb5 and am just testing kvno.
Will it be possible to share any pointers, so that I can at least get this working locally with just a linux/rhel env, to verify our end-to-end scenarios? I can get the updated module once you are ready?
Thanks for getting back.
Hi JTBS,
You can use a function like child_process.exec() to launch a bash command so that you can test your scenarios.
I started implementing a kvno function for this module, I will keep you updated.
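An added example, not part of the original thread and not this module's code: when kvno is launched from a REST API, the principal names come from request data, so this sketch runs `kvno -U` through `execFile` with an argument array instead of a shell string, and rejects values that could be read as options. The function names, the conservative principal pattern, and the sample output line in the comments are assumptions made for illustration.

```javascript
// Added example: run `kvno -U <for_user> <service...>` without a shell.
// PRINCIPAL_RE is a conservative assumption, not the full Kerberos name grammar.
const PRINCIPAL_RE = /^[A-Za-z0-9_][A-Za-z0-9._\/@$-]*$/;

function checkPrincipal(label, value) {
  // Refusing a leading "-" keeps a value from being parsed by kvno as an option.
  if (typeof value !== "string" || !PRINCIPAL_RE.test(value)) {
    throw new TypeError(`invalid ${label}: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildKvnoArgs(forUser, services) {
  if (!Array.isArray(services) || services.length === 0) {
    throw new TypeError("at least one service principal is required");
  }
  const args = ["-U", checkPrincipal("for_user", forUser)];
  for (const s of services) args.push(checkPrincipal("service", s));
  return args;
}

function parseKvnoOutput(stdout) {
  // kvno prints one "<principal>: kvno = <n>" line per ticket it obtains,
  // e.g. (constructed sample) "HTTP/api.example.com@EXAMPLE.COM: kvno = 3".
  const result = {};
  for (const line of stdout.split("\n")) {
    const m = /^(\S+): kvno = (\d+)/.exec(line);
    if (m) result[m[1]] = Number(m[2]);
  }
  return result;
}

function runKvno(forUser, services, kvnoPath = "kvno") {
  const { execFile } = require("node:child_process");
  const args = buildKvnoArgs(forUser, services); // validate before spawning
  return new Promise((resolve, reject) => {
    // execFile hands args to the process as argv; no shell interprets them.
    execFile(kvnoPath, args, { timeout: 10000 }, (err, stdout, stderr) => {
      if (err) return reject(new Error(`kvno failed: ${stderr.trim() || err.message}`));
      resolve(parseKvnoOutput(stdout));
    });
  });
}
```

`runKvno` needs a credential cache for the delegating service (from kinit) and a KDC that permits S4U2Self for it; without those it rejects with kvno's stderr text.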
RReivax,
It's really nice of you and I appreciate your work. Will share details with our team once you have an update.
Meanwhile, I will try what you suggested.
Thanks
Hi JTBS,
I implemented a basic kvno function, but it doesn't handle constrained delegation (-U option of kvno), as I cannot find where the function krb5_get_credentials_for_user is defined. It is not in the krb5 API. Do you have any clue of what file I should be including? I see it is part of the S4U2Self extension of Kerberos, but I couldn't find how to make it work.
(The current kvno function is not fully tested and may be unstable)
Hi RReivax,
Below is link that seems to have all changes related to KDC option -U
krb5/krb5@0e39f8a#diff-cf674a1028baa36e65b3d081c444f7d8
What version of the KRB5 source are you using?
I believe I got source of 1.17 and was able to build/test -U option - although it did not work towards end due to KDC side settings that I am checking:
https://web.mit.edu/kerberos/krb5-1.17/
Thanks again for all your effort on this.
@JTBS I was compiling it using the installed libraries only, that is to say, the result of a make install of the downloaded source ( https://web.mit.edu/kerberos/krb5-1.17/ ), or using system package managers.
It makes it easier to use this module, as the only requirement is to install the libs (e.g. yum install krb5-devel && npm install krb5, and you are good to go).
I'll have to change the way the module is distributed for this feature. I can ship the krb5 lib tar.gz file (8,4M). I may also use prebuild and prebuild-install to distribute the addon already compiled. I'll look into it soon.
Hi, really appreciate all your effort and taking this time. Nice of you.
Please let me know how to get your changes when ready.
We are planning to do full testing of this in our DEV env.
Have a nice weekend.