gssapi: libgssapi and libkrb5 bindings for haskell
Downloads
- gssapi-0.2.0.0.tar.gz [browse] (Cabal source package)
- Package description (as included in the package)
Maintainer's Corner
For package maintainers and hackage trustees
Candidates
- No Candidates
| Versions [RSS] | 0.1.0.0, 0.2.0.0, 0.2.0.1 |
|---|---|
| Change log | ChangeLog.md |
| Dependencies | base (>=4.8 && <4.10), bytestring, resourcet, transformers [details] |
| License | BSD-3-Clause |
| Copyright | Ondrej Palkovsky |
| Author | Ondrej Palkovsky |
| Maintainer | palkovsky.ondrej@gmail.com |
| Category | Network |
| Home page | https://github.com/ondrap/gssapi |
| Source repo | head: git clone https://github.com/ondrap/gssapi.git |
| Uploaded | by ondrap at 2017-05-09T08:21:37Z |
| Distributions | NixOS:0.2.0.1 |
| Reverse Dependencies | 1 direct, 1 indirect [details] |
| Downloads | 2298 total (17 in the last 30 days) |
| Rating | (no votes yet) [estimated by Bayesian average] |
| Your Rating | |
| Status | Docs available [build log] Last success reported on 2017-05-09 [all 1 reports] |
Readme for gssapi-0.2.0.0
[back to package description]
GSSAPI and Kerberos bindings for Haskell
This library provides a simplified kerberos and GSSAPI bindings for the SPNEGO authentication.
- Modelled after spnego-http-auth-nginx-module
- See this on how to configure browsers
- See this on how to configure keys on the windows AD
Short story
On the AD side, you need to
- Create a new user, whose name should be the service name you'll be using Kerberos authentication on. E.g.
app.example. - Set the "User cannot change password" and "Password never expires" options on the account
- Set a strong password on it
From a Windows cmd.exe window, generate the service principals and keytabs for this user. You need an SPN named host/foo.example.com, and another named HTTP/foo.example.com. It is crucial that foo.example.com is the DNS name of your web site in the intranet, and it is an A record. Given that app.example is the account name you created, you would execute:
C:\> ktpass -princ host/foo.example.com@EXAMPLE.COM -mapuser
EXAMPLECOM\app.example -pass * -out host.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
C:\> ktpass -princ HTTP/foo.example.com@EXAMPLE.COM -mapuser
EXAMPLECOM\app.example -pass * -out http.keytab -ptype KRB5_NT_PRINCIPAL -crypto All
Verify that the correct SPNs are created:
C:\> setspn -Q */foo.example.com
it should yield both the HTTP/ and host/ SPNs, both mapped to the app.example user.
On the server side you need to
Create a krb5.keytab using ktutil, concatenating together the two SPNs keytabs:
# ktutil
ktutil: rkt host.keytab
ktutil: rkt http.keytab
ktutil: wkt /etc/krb5.keytab
ktutil: quit
Verify that the created keytab file has been built correctly:
# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
9 02/19/13 04:02:48 HTTP/foo.example.com@EXAMPLE.COM
8 02/19/13 04:02:48 host/foo.example.com@EXAMPLE.COM
Key version numbers (KVNO) will be different in your case.
Verify that you are able to authenticate using the keytab, without password:
# kinit -5 -V -k -t /etc/krb5.keytab HTTP/foo.example.com
Authenticated to Kerberos v5
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/foo.example.com@EXAMPLE.COM
Valid starting Expires Service principal
02/19/13 17:37:42 02/20/13 03:37:40 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 02/20/13 17:37:42
Make the keytab file accessible only by appropriate users or groups
# chmod 440 /etc/krb5.keytab
# chown root:nginx /etc/krb5.keytab