How to read display name from kerberos service ticket

Problem description

After the application service gets a Kerberos service ticket from the client over an HTTP header, how can we read the cname (aka UPN) from the ticket?

I'm using Ruby and this Ruby gem, https://github.com/zenchild/gssapi, to read the service ticket from the Authorization header. If I try to read display_name (cname) right after the request comes in, it works fine.

Result: example@local.com

But when I test with an actual service token as a string and a keytab file, I get an error that there is no display name in memory.

*** GSSAPI::GssApiError Exception: gss_display_name did not return GSS_S_COMPLETE but 131072: An invalid name was supplied unknown mech-code 0 for mech unknown

```ruby
require 'base64'
require 'gssapi'

host = "example.org"
service = "HTTP/example.org@example.org"
token = "Negotiate YIIGUAYGKwYBBQUCoIIGRDCCBkCgMDAuBgkqhk....."
keytab = "/home/ubuntu/keytab.keytab"

gss = GSSAPI::Simple.new(host, service, keytab)
credResult = gss.acquire_credentials
puts 'Read cred from keytab: ' + "#{credResult}"

# The Authorization header value carries the "Negotiate " scheme prefix; drop it before base64-decoding
contextResult = gss.accept_context(Base64.strict_decode64(token.sub(/\ANegotiate\s+/, '')))
puts 'Hello, ' + "#{gss.display_name}"
```

From the RFC 4178 docs (https://www.rfc-editor.org/rfc/rfc4120.html#section-5.5.1), the cname (UPN) should be in the Kerberos ticket's authenticator, and it should be possible to decrypt and parse it with the app's secret key.

I suspect that the GSSAPI C library is doing something over the TCP protocol, storing the cname (UPN) somewhere in memory with the memory address kept in a global variable, so I'm not able to read it.

Or I'm misunderstanding some part of the GSSAPI implementation.

Here are my questions:

  1. Is it possible to get the cname from a service token as a string?

  2. How do people do offline tests of Kerberos authentication for an application service?

Tags: ruby-on-rails, ruby, rubygems, kerberos

Solution

I spent a lot of time understanding how the Kerberos protocol works. Let me leave what I learned here.

The GSSAPI Ruby gem is a wrapper gem around a simple version of the GSSAPI library, used only to strictly validate Kerberos tokens against a keytab file.

Actually, GSSAPI is another specification that contains the Kerberos ticket. It sounds like a Russian nesting doll.

  1. RFC1508
  2. RFC4178
  3. RFC4120

And the GSSAPI simple implementation itself is very strict: only once the GSSAPI token passes all validation can you get the UPN from the Kerberos ticket. Otherwise, you will only get errors.

So the Ruby gem passes the values to the GSSAPI::Simple C library and gets the result. That is why you cannot get the UPN from an expired or invalid Kerberos ticket.

The Ruby gem has a small problem: when you get an error from the C library it throws a very, very long error message, because it uses another gem to help wrap the C code in Ruby code without writing native C code. The long error confused me, and it took some time to understand the actual problem.

Anyway, if you are interested in this gem, I suggest removing some memory cleanup errors, as shown here: https://github.com/zenchild/gssapi/pull/29

Also, if you really do need to get the UPN from the Kerberos ticket even when the ticket is expired or invalid, you need to parse the Kerberos token using the RFC 4120 specification (KRB_AP_REQ): https://www.rfc-editor.org/rfc/rfc4120.html#section-3.2

For that you can use the MIT Kerberos library for Kerberos V5. But this library is very large, and it also uses a lot of global memory addresses (perhaps for security reasons).

Or maybe you can use one of the following implementations.

Java implementation

Ruby implementation (WIP)

