Waffle for Linux (Laffle)


wnts2know

Apr 18, 2013, 12:31:16 AM
to waffle...@googlegroups.com
Hello,

I am interested in a WAFFLE-like solution for Linux.
I've decided that if such a thing doesn't exist, it might be a good idea to create one.

I've started reading the WAFFLE code, in hopes that similar things can be done for Linux.

However, it is possible that the whole idea isn't possible/doable.

So, is there any reason why the attempt to write WAFFLE for Linux servers might not work?

Thanks

Daniel Doubrovkine

Apr 18, 2013, 7:46:39 AM
to waffle...@googlegroups.com
Waffle relies on the Windows SSPI, which doesn't exist on *nix. I think the latter is 90% of the value, so having waffle and some other kind of integration with Windows auth which isn't as seamless is not very useful.

There're other projects that do Negotiate on Linux listed in the WAFFLE readme.


--
You received this message because you are subscribed to the Google Groups "waffle" group.
To unsubscribe from this group and stop receiving emails from it, send an email to waffle-users...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
--

dB. | Moscow - Geneva - Seattle - New York
dblock.org - @dblockdotorg

Daniel Doubrovkine

Apr 18, 2013, 7:47:22 AM
to waffle...@googlegroups.com
I *LOVE* the Laffle name though, clever.

wnts2know

Apr 23, 2013, 9:08:28 PM
to waffle...@googlegroups.com
Hello,

What I've decided - and I need your help deciding if it is not somehow blocked by WAFFLE:

My aim is to authenticate Windows clients to Unix/Linux.

One way to achieve this is by using Windows servers in front of my web servers, but that's not efficient since I only need Windows once, during connection establishment - and it also requires me to change my architecture.

What I had in mind can help a lot of people who want to use Kerberos from Windows to *nix -
It is the idea that the *nix server can redirect every part of the WAFFLE negotiate process to a Windows server.
That means that the *nix server is responsible for determining which user is logged in (easy using the session id).

This solution can be great for avoiding complicated solutions like samba etc.
It also solves the cross-domain problems in Kerberos itself - since we can run Windows servers for multiple domains, all running WAFFLE, and the *nix server can choose and dispatch authentication queries to the right process in the right domain.

Question:
1. My only question in all this: is there no blocking against this in the WAFFLE code, since that same *nix server is essentially impersonating the Windows client?
I don't think there is such a problem - but better safe than sorry.

Suggestion:
Another problem is that in this solution the *nix server has to act just like the server running WAFFLE should (to allow the server to get the token); the difference is that the *nix server is a proxy to the Win server.
I think it would be a good idea to reorganize the code to keep this part in common, and the "what to do" with tokens can be an interface - one implemented with all the current WAFFLE code, and another can be an abstract class used as a proxy to a Win server, so the programmer can add his own functionality - like cross-domain treatments.

I wouldn't mind contributing this part to the product.
But what do you think?
I personally think this would help a lot of people struggling with mixed environments.
But is it doable?

Thank you.

On Thursday, April 18, 2013 14:47:22 UTC+3, Daniel Doubrovkine wrote:

wnts2know

Apr 23, 2013, 9:31:45 PM
to waffle...@googlegroups.com
Come to think about it -
a simple input stream redirect + HTTP headers + setting the HTTP keep-alive header might just be enough.

Gone testing

On Wednesday, April 24, 2013 04:08:28 UTC+3, wnts2know wrote:

Daniel Doubrovkine

Apr 24, 2013, 7:52:05 AM
to waffle...@googlegroups.com
I *think* this is not doable, but I am ready to be proven wrong.

An Active Directory domain is a matter of trust - you have a client that's joined to the domain and has exchanged cryptographic information to establish a trust. The AD knows about the client and the client knows about the AD, and both can prove to each other that they are the client and the AD, not some other rogue machine impersonating them.

The server is another machine that has joined the AD, same as above.

The whole NTLM or Kerberos protocol allows a client to establish the same level of trust with the server, using an AD as the arbiter.

So you cannot insert a machine in the middle and just forward everything. That would be a man-in-the-middle attack. Browsers that implement the Negotiate protocol will create a ticket for that target Linux box, but it cannot forward that and actually authenticate. That's called delegation, the Linux machine would need to fully participate in this AD story to do this. 

There're some attempts at doing just that, one is Likewise Open. You could build something on top of that probably.

wnts2know

Apr 24, 2013, 2:16:30 PM
to waffle...@googlegroups.com
I beg to differ - because the actual authentication is done using AD, a third party,
you can redirect it between 10 computers; after all, there are actual routers in the way.

It is the client's responsibility to authenticate the server as well; this is done by SSL, for example.

Even in SSL you can put a man in the middle, and only the non-middle parties can encrypt/decrypt.

So the same goes here,

But I still need to prove it.

On Wednesday, April 24, 2013 14:52:05 UTC+3, Daniel Doubrovkine wrote:

Daniel Doubrovkine

Apr 24, 2013, 4:47:50 PM
to waffle...@googlegroups.com
Let us know.

wnts2know

Apr 25, 2013, 10:06:04 PM
to waffle...@googlegroups.com
Hey.

Pure Java WAFFLE example: I was able to put third-party socket code in the middle and it worked.
---------------------
Yet, I want to work with servlets, since my web server is made up of servlets.

I have been having problems with just WAFFLE being a servlet and the client using HttpUrlConnection -
I wrote about it here:

---------------------
I also thought about using a servlet in the middle and writing hand-made HTTPs,
but that doesn't work very well either.

And I also thought about --
taking the HttpUrlConnection code into the servlet and
commenting out all their special handling for negotiation,
so that I can set those headers myself.


---------------------
Confused...
But it can work!

-------------------
Another way is to split the waffle code to two parts:
the challenge generation and other parts to be done in my web, and the actual win things to be sent in one big request to a Win server running the JNA based code.
------------------

Question: Can you help somehow?
Question 2: Is there a way to support only Kerberos without NTLM at all (not Negotiate)?

Thank you.

On Thursday, April 18, 2013 07:31:16 UTC+3, wnts2know wrote:

wnts2know

Apr 25, 2013, 10:13:03 PM
to waffle...@googlegroups.com
By the way,
there is no security flaw.

This is legitimate; Kerberos provides auth only,
not encryption, right?

So a man in the middle can see everything, as can routers -
but without encryption, a man in the middle can arrive 30 minutes after the negotiation process took place and still see all the information.

Just because he is present at the negotiation doesn't mean anything -
he can't even fake the identity,
since the challenges will differ.

So my plan is to add SSL so that my web servers will also authenticate to my clients - this will add encryption

Hope you agree

On Friday, April 26, 2013 05:06:04 UTC+3, wnts2know wrote:

Daniel Doubrovkine

Apr 26, 2013, 12:22:13 AM
to waffle...@googlegroups.com
If all you want is a generic proxy, use a proxy that's already built for that purpose - Squid, HAProxy, etc.

For your second question, Waffle supports listing acceptable protocols (search for "Negotiate" under "init-param" in https://github.com/dblock/waffle/blob/master/Docs/ServletSingleSignOnSecurityFilter.md), but I think most clients don't know what to do if you challenge them with "Kerberos", they only know "Negotiate" and "NTLM". Negotiate will choose Kerberos where possible. And sometimes domain policies disable NTLM, but I don't know how to do that.

Split your proxy and your server to 2 machines. I bet you a dollar it won't work anymore.



wnts2know

Apr 26, 2013, 11:57:18 AM
to waffle...@googlegroups.com
Hey,
unfortunately, I haven't been able to find an easy solution.

What I began doing is deconstructing the WAFFLE code into two:
1. The NegotiateSecurityFilter,
which will perform operations using HttpUrlConnection against another Windows server that will have exactly the original WAFFLE code, but with a new negotiation header: responseCode,
which will keep the "real" response code, while the new Win-Waffle will always return 200 to prevent my HttpUrlConnection on the Unix side from starting to negotiate.

Then, all the headers returned from Win-Waffle will be written to the response of the Unix-Waffle,
as well as the actual response code.

This isn't very pretty, but has some elegance.
Maybe I can think of a design which will allow us (using special configuration)
to incorporate this into the WAFFLE product -
and then, if all the tests I'm running now work,
this could be FAQ advice for people like me, wanting a Windows to Unix/Linux solution.

I will let you know

On Thursday, April 18, 2013 07:31:16 UTC+3, wnts2know wrote:
Hello,

wnts2know

Apr 28, 2013, 12:59:27 PM
to waffle...@googlegroups.com
It works perfectly. Without changing WAFFLE code. I will write my code here a bit later.

wnts2know

Apr 29, 2013, 10:26:52 PM
to waffle...@googlegroups.com
Hi, I got it to work without changing WAFFLE. Hope this can make it to the FAQ.

If you are interested in using Negotiate-based authentication on Linux/Unix etc., you can set up a Windows server and use it as an auxiliary for reaching the Active Directory from the Linux/Unix server.

1. Set up a new Windows server (or several, for availability).
2. Download and install WAFFLE on it as described.
3. Add a preceding filter (Windows filter*) before the NegotiateSecurityFilter.
4. Add a filter (NonWindows filter*) to your Unix/Linux server (this will redirect all calls to this machine to the Windows machine).

-------------------------------------------------------------------------------
*Windows filter:
/** The Windows filter - makes sure that all 401 (Unauthorized) statuses are replaced with 200 (OK) and sends the actual response code in a header. Otherwise, the Linux/Unix side itself might start a Negotiation. In order to achieve this, we wrap the response as WrapHttpServletResponse: */

    import java.io.IOException;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import javax.servlet.http.HttpServletResponseWrapper;
    import javax.servlet.http.HttpSession;
    import waffle.servlet.NegotiateSecurityFilter;
    import waffle.servlet.WindowsPrincipal;

    public class WindowsFilter implements Filter {

        // Session key under which NegotiateSecurityFilter stores the authenticated principal
        private static final String PRINCIPAL_SESSION_KEY =
                NegotiateSecurityFilter.class.getName() + ".PRINCIPAL";

        public void init(FilterConfig filterConfig) throws ServletException {
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest httpRequest = (HttpServletRequest) request;
            HttpServletResponse httpResponse = (HttpServletResponse) response;
            WrapHttpServletResponse wrappedResponse = new WrapHttpServletResponse(httpResponse);
            try {
                // NegotiateSecurityFilter runs next in the chain and only sees the wrapper
                chain.doFilter(request, wrappedResponse);
                HttpSession ses = httpRequest.getSession(false);
                if (ses != null) {
                    // send the actual authenticated identity to the Linux server
                    WindowsPrincipal p = (WindowsPrincipal) ses.getAttribute(PRINCIPAL_SESSION_KEY);
                    if (p != null) {
                        httpResponse.setHeader("myFQN", p.getName());
                    }
                }
            } finally {
                response.flushBuffer();
            }
        }

        // Interferes with sendError and setStatus; HttpServletResponseWrapper delegates
        // every other method to the wrapped object
        public static class WrapHttpServletResponse extends HttpServletResponseWrapper {
            private int _status;

            public WrapHttpServletResponse(HttpServletResponse hss) {
                super(hss);
            }

            @Override
            public void sendError(int sc) throws IOException {
                sendError(sc, null);
            }

            @Override
            public void sendError(int sc, String msg) throws IOException {
                // keep the real status in a header so the Unix side can replay it
                super.setHeader("myResponseCode", String.valueOf(sc));
                if (sc == HttpServletResponse.SC_UNAUTHORIZED) { // replace 401 with 200
                    super.sendError(HttpServletResponse.SC_OK);
                } else {
                    super.sendError(sc);
                }
            }

            @Override
            public void setStatus(int sc) {
                _status = sc;
                super.setHeader("myResponseCode", String.valueOf(sc));
                if (sc == HttpServletResponse.SC_UNAUTHORIZED) {
                    super.setStatus(HttpServletResponse.SC_OK);
                } else {
                    super.setStatus(sc);
                }
            }
        }
    }

----------------------------------------------------------------
The NonWindowsFilter:
    import java.io.IOException;
    import java.net.HttpURLConnection;
    import java.net.URL;
    import java.util.Enumeration;
    import java.util.List;
    import java.util.Map;
    import javax.servlet.Filter;
    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class NonWindowsFilter implements Filter {

        public void init(FilterConfig filterConfig) throws ServletException {
        }

        public void destroy() {
        }

        public void doFilter(ServletRequest orequest, ServletResponse oresponse, FilterChain chain)
                throws IOException, ServletException {
            HttpServletRequest request = (HttpServletRequest) orequest;
            HttpServletResponse response = (HttpServletResponse) oresponse;

            // determine logic for keeping authentication active - like session id
            boolean needsAuthentication = true;
            if (!needsAuthentication) {
                chain.doFilter(request, response);
                return;
            }

            // the Windows machine running the original WAFFLE code behind the Windows filter
            URL u = new URL("https://serverIp:port/servlet");
            HttpURLConnection c = (HttpURLConnection) u.openConnection();
            try {
                c.setRequestMethod("GET");
                c.setRequestProperty("Connection", "keep-alive");

                // Redirect all headers from the input (station) to the waffle-windows server.
                // Note: HttpURLConnection silently ignores restricted headers (Host, Connection,
                // Content-Length, ...) unless sun.net.http.allowRestrictedHeaders is set.
                Enumeration<String> headers = request.getHeaderNames();
                while (headers.hasMoreElements()) {
                    String headerKey = headers.nextElement();
                    c.setRequestProperty(headerKey, request.getHeader(headerKey));
                }

                // Redirect all headers from the Windows response back to the client.
                // getHeaderFields() stores the status line under a null key; skip it.
                Map<String, List<String>> resHeaders = c.getHeaderFields();
                for (Map.Entry<String, List<String>> entry : resHeaders.entrySet()) {
                    if (entry.getKey() == null) {
                        continue;
                    }
                    for (String value : entry.getValue()) {
                        response.addHeader(entry.getKey(), value);
                    }
                }

                // The actual response code is kept in a header to prevent the HttpURLConnection on
                // this machine from performing Negotiation by itself; c.getResponseCode() always
                // equals HttpServletResponse.SC_OK.
                String code = c.getHeaderField("myResponseCode");
                int resp = code == null ? HttpServletResponse.SC_OK : Integer.parseInt(code);
                if (resp != HttpServletResponse.SC_OK) {
                    response.setHeader("Connection", "keep-alive");
                    response.sendError(resp);
                    response.flushBuffer();
                    return;
                }
                chain.doFilter(request, response);
                String fqn = c.getHeaderField("myFQN");
                System.out.println("Successfully logged in:" + fqn);
            } finally {
                c.disconnect(); // cleans the connection when it is done
            }
        }
    }

----------------------------------------------
Also, I tried it with encryption, so it doesn't interfere with HTTPS.

That's it.
Quite simple.

Daniel Doubrovkine

Apr 30, 2013, 7:07:40 AM
to waffle...@googlegroups.com
Do you have this running on actual multiple servers in a network?



wnts2know

May 12, 2013, 3:24:45 PM
to waffle...@googlegroups.com
Hi.

Yes, it works perfectly. I had to wrap the request as well. I think all the wrapping can be avoided if I use a different HTTP client. I will write the full, complete working code here soon.

Also, I have a different problem. Regardless of my solution, I can't seem to make it work with Kerberos. Only NTLM by default.

My Active Directory team said Kerberos is enabled and I don't have any special configuration.

Daniel Doubrovkine

May 13, 2013, 11:40:03 AM
to waffle...@googlegroups.com
As I said, I don't think this should work. Especially not with Kerberos where the client uses the destination SPN to encrypt things.




wnts2know

May 14, 2013, 11:54:08 AM
to waffle...@googlegroups.com
1. The whole idea is that Linux is a router that performs tunneling - and like I said, there are actual routers on the way!!!

NTLM works fine so far.

2. But no, I mean - I am using WAFFLE the standard way now - Windows client vs. Windows server. And still, I only get NTLM working. I am using an Internet Explorer configured to support negotiation, or an HttpUrlConnection that supports negotiation.

What am I doing wrong?

3. I was wondering how the whole Kerberos thing works here. Usually, you need to get a Kerberos service ticket for a certain service. So, how does the NegotiateSecurityFilter register the service as a valid service? What's the magic here?

Thank you.

Are there any users for whom Kerberos works? What Java HTTP client are they using?

Daniel Doubrovkine

May 14, 2013, 11:57:22 AM
to waffle...@googlegroups.com
Most people here use Kerberos. Go through the standard troubleshooting first, you probably just don't have a valid SPN.

Daniel Doubrovkine

May 15, 2013, 4:21:08 PM
to waffle...@googlegroups.com
If you're going to put a Tomcat in production, most likely you'll want it to run as a service. That does change some privileges, but that's another story.


On Wed, May 15, 2013 at 3:43 PM, wnts2know <shimon...@gmail.com> wrote:
Hi,

Should my Tomcat run as an actual service (services.msc)?

but troubleshooting does.

Could this be the problem? I will check it in a few hours back at the office.

Thank you,
wnts2know

wnts2know

May 15, 2013, 4:59:09 PM
to waffle...@googlegroups.com
I was and still am under the impression that Waffle doesn't require an explicit SetSPN registration command to be run in order for it to work.

Am I wrong?
Thank you.

Ryan McKinley

May 15, 2013, 5:11:08 PM
to waffle...@googlegroups.com
On Wed, May 15, 2013 at 1:59 PM, wnts2know <shimon...@gmail.com> wrote:
I was and still am under the impression that Waffle doesn't require an explicit SetSPN registration command to be run in order for it to work.


Check:

For Kerberos to work, I am pretty sure you will need an SPN registered.

ryan

Daniel Doubrovkine

May 15, 2013, 5:19:02 PM
to waffle...@googlegroups.com
You're wrong.

wnts2know

May 15, 2013, 6:06:19 PM
to waffle...@googlegroups.com
http://code.dblock.org/single-sign-on-tomcat-negotiate-authenticator-kerberos-ntlm-w-waffle -
this link, even though old (1.3), states:
"SPNEGO Sourceforge: it’s a nightmare to configure, doesn’t work without an Active Directory domain and requires an SPN"

This made me believe that WAFFLE doesn't require a registered SPN.
Too bad this doesn't appear on:

Ryan McKinley

May 15, 2013, 6:12:48 PM
to waffle...@googlegroups.com
Lots of stuff in Waffle works great without an SPN (u/p login, NTLM, etc.) -- to do Kerberos you need an SPN.

ryan



Daniel Doubrovkine

May 16, 2013, 7:45:36 AM
to waffle...@googlegroups.com
Thanks Ryan, you're correct. The sourceforge project *always* requires an SPN.

wnts2know

May 17, 2013, 6:31:00 AM
to waffle...@googlegroups.com
Okay.
So, I contacted my Active Directory people.

They said they set the following:
setspn -A HTTP/machine:port
setspn -A HTTP/machine.fqn-suffix:port

I retried and had no luck (still only NTLM).

I viewed the HTTP headers passed.

The client sent a regular GET request.

The server responded with
WWW-authentication = NTLM
WWW-authentication = Negotiate
WWW-authentication = Basic "realm=Basic..."

Then the client responded with:
Authorization = NTLM TIR... (long gibberish).

It appears that the client already has its mind set on NTLM.

I even tried making sure that only WWW-Authenticate: Negotiate passes to the client,
and then I got a null in the Authorization header,
which then led to an NTLM authentication.

I am using an HttpUrlConnection /
I also tried with Firefox after the about:config configuration as in the troubleshooting /
I also tried with Internet Explorer after setting up all the required configurations.

To clarify, I am not using the Linux/Windows wrapping the post started with - but the old-fashioned NegotiateSecurityFilter.

Thank you.

Daniel Doubrovkine

May 17, 2013, 7:38:00 AM
to waffle...@googlegroups.com
Your server configuration needs to be responding with Negotiate first. That's something you've modified in the list of valid authentications in your server's config.



wnts2know

May 17, 2013, 11:04:18 AM
to waffle...@googlegroups.com
Hi. Like I said, I did what you are suggesting, but the client doesn't respond with an Authorization header.

Daniel Doubrovkine

May 17, 2013, 11:06:35 AM
to waffle...@googlegroups.com
When you say

The server responded with
WWW-authentication = NTLM
WWW-authentication = Negotiate
WWW-authentication = Basic "realm=Basic..."

This needs to be

The server responded with
WWW-authentication = Negotiate
WWW-authentication = NTLM
WWW-authentication = Basic "realm=Basic..."

(Negotiate first)

Do you have that? If not, this is a misconfiguration in your app.



On Fri, May 17, 2013 at 11:04 AM, wnts2know <shimon...@gmail.com> wrote:
Hi. Like I said, I did what you are suggesting, but the client doesn't respond with an Authorization header.
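The two diagnostics this thread converges on (is Negotiate listed before NTLM in the server's WWW-Authenticate challenge, and did the client actually answer with Kerberos or with NTLM) can both be checked from a captured header pair. The Python below is an added example and is not WAFFLE code or anything posted by the participants: it checks the order of the WWW-Authenticate values and base64-decodes the client's Authorization token, telling raw NTLM, NTLM carried inside a SPNEGO token, and Kerberos apart by the "NTLMSSP\0" signature and the DER-encoded mechanism OIDs. The sample tokens (an NTLM type-1 message and minimal SPNEGO structures) are constructed inline for the demonstration, not captured traffic, and the `diagnose` hints are assumptions that paraphrase the advice given in the thread (Negotiate first, check the SPN).

```python
import base64

# DER-encoded OBJECT IDENTIFIERs (tag 0x06, length, contents) of the GSS-API mechanisms
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f71201020202")     # 1.2.840.113554.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"                       # prefix of every raw NTLM message


def negotiate_offered_first(www_authenticate_values):
    """True when the server lists Negotiate before NTLM in its challenge."""
    schemes = [v.split(None, 1)[0].lower() for v in www_authenticate_values if v.strip()]
    if "negotiate" not in schemes:
        return False
    if "ntlm" not in schemes:
        return True
    return schemes.index("negotiate") < schemes.index("ntlm")


def classify_authorization(authorization_header):
    """Report which mechanism the client actually used in its Authorization header."""
    if not authorization_header:
        return "none"
    parts = authorization_header.split(None, 1)
    scheme = parts[0].lower()
    if scheme not in ("negotiate", "ntlm"):
        return "other"
    try:
        token = base64.b64decode(parts[1].strip() if len(parts) > 1 else "", validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return scheme + "-undecodable"
    if NTLMSSP_SIGNATURE in token:
        # raw NTLM, or NTLM carried as the mechToken of a SPNEGO NegTokenInit
        return "negotiate-ntlm" if scheme == "negotiate" else "ntlm"
    if scheme == "negotiate" and token[:1] == b"\x60" and KRB5_OID in token:
        # GSS-API InitialContextToken (APPLICATION 0) naming the Kerberos mechanism
        return "negotiate-kerberos"
    return scheme + "-unknown"


def diagnose(www_authenticate_values, authorization_header):
    """Combine both checks into the hints the thread arrives at (assumed wording)."""
    first = negotiate_offered_first(www_authenticate_values)
    used = classify_authorization(authorization_header)
    if not first:
        hint = "server offers NTLM before Negotiate (or not at all); fix the server's protocol order"
    elif used == "negotiate-ntlm":
        hint = "client fell back to NTLM inside Negotiate; check the HTTP/<host> SPN and domain membership"
    elif used == "negotiate-kerberos":
        hint = "Kerberos is in use"
    elif used == "none":
        hint = "client sent no Authorization header; it did not accept the challenge"
    else:
        hint = "unexpected client token: " + used
    return {"negotiate_first": first, "client_mechanism": used, "hint": hint}


# --- constructed sample tokens (not captured traffic) ---
def der(tag, content):
    """Minimal DER TLV encoder for the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def constructed_spnego_kerberos_token():
    """SPNEGO NegTokenInit whose mechTypes list names Kerberos (no mechToken)."""
    mech_types = der(0xA0, der(0x30, KRB5_OID))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, mech_types)))


def constructed_spnego_ntlm_token(ntlm_message):
    """SPNEGO NegTokenInit naming NTLMSSP and carrying an NTLM message as mechToken."""
    mech_types = der(0xA0, der(0x30, NTLMSSP_OID))
    mech_token = der(0xA2, der(0x04, ntlm_message))
    return der(0x60, SPNEGO_OID + der(0xA0, der(0x30, mech_types + mech_token)))


# NTLM type-1 (NEGOTIATE) message: signature, type 1, flags, empty domain/workstation fields
NTLM_TYPE1 = NTLMSSP_SIGNATURE + (1).to_bytes(4, "little") + (0x00088207).to_bytes(4, "little") + bytes(24)
SAMPLE_NTLM_B64 = base64.b64encode(NTLM_TYPE1).decode()
SAMPLE_SPNEGO_KRB_B64 = base64.b64encode(constructed_spnego_kerberos_token()).decode()
SAMPLE_SPNEGO_NTLM_B64 = base64.b64encode(constructed_spnego_ntlm_token(NTLM_TYPE1)).decode()

if __name__ == "__main__":
    # the order reported in the thread, with the client answering NTLM
    print(diagnose(["NTLM", "Negotiate", 'Basic realm="Basic"'], "NTLM " + SAMPLE_NTLM_B64))
    # Negotiate first, but the client still picked NTLM inside SPNEGO
    print(diagnose(["Negotiate", "NTLM"], "Negotiate " + SAMPLE_SPNEGO_NTLM_B64))
    # the healthy case
    print(diagnose(["Negotiate", "NTLM"], "Negotiate " + SAMPLE_SPNEGO_KRB_B64))
```

A real NTLM token always base64-encodes to something beginning with "TlRMTVNT" (the "NTLMSSP" signature), which is the quickest eyeball check on a captured Authorization header; a SPNEGO or Kerberos token begins with 0x60 and so with "YI" in base64. Because the classification decodes the token and searches for the signature and OIDs rather than trusting the scheme word, it also catches browsers that say "Negotiate" but send NTLM inside.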


wnts2know

May 17, 2013, 11:32:28 AM
to waffle...@googlegroups.com
Yes. Definitely.

But the client does not send the anticipated Authorization header, and NegotiateSecurityFilterProvider logs that it is null. And so it defaults to NTLM again. Even though the security package is said to be Negotiate.

-------Question 2--------
My server and client are both in the same domain. But a question I always forget to ask: is there support for cross-domain Kerberos? It's not blocked by WAFFLE somehow, right?

Daniel Doubrovkine

May 17, 2013, 11:53:29 AM
to waffle...@googlegroups.com
The client selects the protocol that it believes is best for it. So most likely Kerberos or the client is not configured properly on this domain. Make sure you're using IE, that the machine is in the domain, that the SPN is set, etc. I really don't know much about why a client would prefer NTLM to Kerberos and in what case.

Question 2: If domains have trust, yes. 

