Kerberos Server Implementation

Gupta, Divyansh

Jan 11, 2022, 4:39:20 PM
to kerb...@mit.edu
Hi Kerberos@MIT,

I am attempting to create an application server with Kerberos server-side authentication. I am finding plenty of examples on how to do authentication as a Kerberos client, but not finding guides on Kerberos server-side. I was wondering if you could point me towards any guides or examples on how to do this? I am attempting it in Rust, but a C example that I can convert to Rust works just as well. Any help is appreciated.

Thank you,
Divyansh Gupta

Roland C. Dowdeswell

Jan 11, 2022, 5:17:12 PM
to Gupta, Divyansh, kerb...@mit.edu
It's generally recommended to use GSSAPI these days for Kerberos.
https://github.com/elric1/gss-token has both client and server side
GSSAPI code that might help get you started.

--
Roland C. Dowdeswell https://Imrryr.ORG/

Chris Hecker

Jan 11, 2022, 9:19:30 PM
to Gupta, Divyansh, kerb...@mit.edu
There are two samples in the Kerberos source that have both clients and
servers. I’m not at my computer, but they’re called something like
sim_client and sample_client and server.

Chris

On Tue, Jan 11, 2022 at 14:44 Gupta, Divyansh via Kerberos <kerb...@mit.edu>
wrote:

> Hi Kerberos@MIT,
>
> I am attempting to create an application server with Kerberos server-side
> authentication. I am finding plenty of examples on how to do authentication
> as a Kerberos client, but not finding guides on Kerberos server-side. I was
> wondering if you could point me towards any guides or examples on how to do
> this? I am attempting it in Rust, but a C example that I can convert to
> Rust works just as well. Any help is appreciated.
>
> Thank you,
> Divyansh Gupta

Charles Hedrick

Jan 21, 2022, 1:40:56 PM
to Chris Hecker, Gupta, Divyansh, kerb...@mit.edu
src/appl/simple

For a real example, see GitHub, clhedrick/kerberos.git, in directory kmkhomedir

This is a client-server pair designed to create home directories for users. When you’re using kerberized NFS the normal pam_mkhomedir won’t work, because it assumes that root can create directories in the file system. With kerberized NFS, root has no special privileges. So we have a pam_kmkhomedir that calls a process on the file server to do the creation.

If I were doing it again, I’d probably write it using GSSAPI rather than a basic Kerberos client / server. Then I could write the server as a web service in Python and use libcurl on the client side. Unfortunately it doesn’t seem to be practical to write a PAM module in anything other than C, but with libcurl all the GSSAPI stuff is handled by the library. If the client isn’t a PAM module, it’s easy enough to write a GSSAPI client in Python. (I can give you example client-server if you need it.)

Russ Allbery

Jan 21, 2022, 2:20:07 PM
to Charles Hedrick, Chris Hecker, Gupta, Divyansh, kerb...@mit.edu
Charles Hedrick <hed...@rutgers.edu> writes:

> This is a client-server pair designed to create home directories for
> users. When you’re using kerberized NFS the normal pam_mkhomedir won’t
> work, because it assumes that root can create directories in the file
> system. With kerberized NFS, root has no special privileges. So we have
> a pam_kmkhomedir that calls a process on the file server to do the
> creation.

> If I were doing it again, I’d probably write it using GSSAPI rather than
> a basic Kerberos client / server. Then I could write the server as a web
> service in python and use libcurl on the client side. Unfortunately it
> doesn’t seem to be practical to write a pam module in anything other
> than C, but with libcurl all the GSSAPI stuff is handled by the
> library. If the client isn’t a pam module, it’s easy enough to write a
> GSSAPI client in python. (I can give you example client-server if you
> need it.)

You may also be interested in remctl, which is designed to do this sort of
thing.

https://www.eyrie.org/~eagle/software/remctl/

--
Russ Allbery (ea...@eyrie.org) <https://www.eyrie.org/~eagle/>
