On Mon, Jul 27, 2009 at 6:07 PM, Bryan Boone <bryan-bo...@msn.com> wrote:
>
> Hi everyone, I have a noob question for ya.
>
> I need to develop a website for a company that uses kerberos login, the web
> server resides on a different server than the kerberos server. Unfortunately
> I cannot use the built in PHP functions for kerberos, so I need to write my
> own C kerberos client as a PHP extension.

Hi Bryan,

You don't need a full-blown kerberos client. For SSO you just need an
"accept_sec_context" function that consumes the base64 encoded tokens
supplied by the browser and emits base64 encoded tokens to send to the
browser. This function would largely call GSSAPI's gss_accept_sec_context
or Windows' AcceptSecurityContext. For explicit username / password based
logins you just need to call krb5_get_init_creds_password.

However, it sounds like you're using Apache in which case there are
already a few modules that do GSSAPI authentication. In particular there's
mod_auth_kerb. You also mention PHP in which case check out
http://www.ioplex.com/plexcel.html which does everything you want and a
whole lot more.

> Also to eliminate possible man-in-the-middle attacks, I need to have the
> keytab file manually uploaded to the web server.

The keytab is required to participate in any form of Kerberos
authentication. By MITM I believe you're referring to validating the
client supplied ticket. There's a verify-something-or-other function in
the krb5 API for this. I don't recall the name of it. Someone else will
probably chime in with the name of it. I don't know if mod_auth_kerb does
explicit logins using krb5_get_init_creds_password.

> My question is, what methods are best for accomplishing my task? Can this be
> accomplished with the pam_krb5 api, the SASL for GSSAPI, or do I need to
> stick with native GSSAPI? Which one would be easier for a noob?

There are two methods. There is the explicit username and password based
login as I mentioned which would require using krb5_get_init_creds_password
or on Windows I believe you would have to do InitSecurityContext and
AcceptSecurityContext in a loop (is there a short cut for this?). But
there is also something called SPNEGO (which IE and MS call "Negotiate").

SPNEGO is a Single Sign-On (SSO) form of authentication which ultimately
means that, with a properly configured browser, the user goes straight in
without entering a password at all. On corporate intranets this is a
highly desirable feature.

You do not want to do anything with PAM or SASL.

Mike

--
Michael B Allen
Java Active Directory Integration
http://www.ioplex.com/

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
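The "accept_sec_context" token loop described in the reply above, as an added example that is not part of the thread or of any ioplex product, written against the JDK's JGSS binding (org.ietf.jgss) rather than the C GSSAPI the question asked about, since JGSS exposes the same accept-context call. The JAAS entry name `HttpService`, the keytab path and the service principal are assumptions.

```java
import java.security.PrivilegedExceptionAction;
import java.util.Base64;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.*;

// Server side of HTTP Negotiate (SPNEGO) with the JDK's JGSS binding.
// Assumes a JAAS entry named "HttpService" (hypothetical) in the login
// config, e.g.:
//   HttpService { com.sun.security.auth.module.Krb5LoginModule required
//     useKeyTab=true keyTab="/etc/http.keytab"
//     principal="HTTP/www.example.com" storeKey=true; };
public class NegotiateAcceptor {
    /** One round of the exchange: a token to send back and/or the verified client name. */
    public static final class Step {
        public final String outToken;  // value for "WWW-Authenticate: Negotiate <outToken>"
        public final String principal; // non-null only once the context is established
        Step(String t, String p) { outToken = t; principal = p; }
    }

    /** Pull the base64 token out of an "Authorization: Negotiate <token>" value. */
    public static byte[] tokenFromHeader(String authz) {
        if (authz == null || !authz.regionMatches(true, 0, "Negotiate ", 0, 10)) return null;
        return Base64.getDecoder().decode(authz.substring(10).trim());
    }

    /** Called once per request; keep ctx in the session, SPNEGO may need more than one round. */
    public static Step accept(GSSContext ctx, String authz) throws GSSException {
        byte[] in = tokenFromHeader(authz);
        if (in == null) return new Step("", null);            // 401 with a bare "Negotiate" challenge
        byte[] out = ctx.acceptSecContext(in, 0, in.length);  // the gss_accept_sec_context call
        String tok = out == null ? "" : Base64.getEncoder().encodeToString(out);
        if (ctx.isEstablished()) {
            // The ticket decrypted under our keytab key, so this name is authenticated.
            return new Step(tok, ctx.getSrcName().toString());
        }
        return new Step(tok, null);  // send 401 + WWW-Authenticate: Negotiate tok and wait
    }

    /** Acceptor context backed by the keytab credential from the JAAS login above. */
    public static GSSContext newAcceptor() throws Exception {
        LoginContext lc = new LoginContext("HttpService");
        lc.login();
        return Subject.doAs(lc.getSubject(), (PrivilegedExceptionAction<GSSContext>) () -> {
            GSSManager mgr = GSSManager.getInstance();
            GSSCredential cred = mgr.createCredential(null, GSSCredential.INDEFINITE_LIFETIME,
                    new Oid("1.3.6.1.5.5.2"), GSSCredential.ACCEPT_ONLY);  // SPNEGO mechanism
            return mgr.createContext(cred);
        });
    }
}
```

The web handler stores the GSSContext in the session, calls accept() on every request carrying an Authorization header, and only treats the user as logged in once principal is non-null.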