thparkth has asked for the wisdom of the Perl Monks concerning the following question:

I have a bunch of users in a UNIX kerberos environment. They already have valid kerberos credentials. On the basis of these they can ssh from host to host and use other single-sign-on services without ever having to re-enter their username and password.

Now I'd like to write a network service and accompanying command line client so that properly authorized users could remotely kick off some actions.

I'd like to be able to authenticate the remote users based on their existing Kerberos credentials, which I believe is way more secure than asking for their username and password again, and somehow getting it across the network securely.

Does anyone know how I can write a kerberos-aware client and server in Perl? I can't find anything appropriate on CPAN...

Cheers, Andrew


Re: How can I write a Kerberos service in Perl?
by Fletch (Bishop) on Jan 14, 2008 at 15:15 UTC

    Not to directly answer your question, but: since you've got ssh working Kerberosly (Kerberized?), why look for more problems writing your own protocol and endpoints? Set up sudo or the like and let them ssh in to whatever target box and use that to kick off whatever service.

    (Or perhaps I'm misunderstanding what you're trying to start. More details as to what you're trying to do and why you think you need a dedicated server that's gotta speak kerberos itself might help)

    Update: And after some thought a suggestion if you are bound and determined to do your own service: if your OS supports Kerberos through pam you might could use Authen::PAM to do the Kerberezation under pam's covers rather than trying to do it yourself (then again I don't know how you handle using pam from a stand-alone service so that might be a wild goose chase . . .).

    The cake is a lie.
    The cake is a lie.
    The cake is a lie.

      The users don't have permission to log in interactively on the servers in question, and it's rather important to the security model that this should remain the case.

      I don't think PAM is any help to me here since as I understand it, there is no mechanism to pass PAM the user's existing credentials, for it to pass on in turn to the kerberos libraries.

      From reading around I think the answer involves GSSAPI, which there is a CPAN module for but which will take me some time to digest!

        OpenSSH can be configured to only allow users to run certain commands rather than being given a login shell. You should be able to set up an otherwise unprivileged account which can only run "sudo start_my_service" (and I believe the authenticating SSH key is available to that so you could link back to the remote user).

        I'd just be more comfortable using something off the shelf and highly visible (that's been gone over by lots of eyeballs) like OpenSSH before going it alone. (Not that you're doing it completely from scratch since you'd be using a sane and tested interface in GSSAPI, just that any bugs you put in (and we all are bound to put them in sometime . . . :) in your implementation wouldn't be subject to external scrutiny.)

        (And I was afraid PAM would be a wild goose chase; now that I think about it, it's more about controlling local authorization once the remote side's authenticated. NEED MOR CAFFEINE . . . )

        The cake is a lie.
        The cake is a lie.
        The cake is a lie.
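As an added illustration of the GSSAPI route discussed in the exchange above (example code, not from the thread or from the GSSAPI module's own documentation), this runs the client's init and the server's accept back to back in one process, so the tokens that would normally cross the socket are just passed between two variables, and then makes the separate authorization decision on the authenticated principal. It assumes the CPAN GSSAPI module's init/accept calling convention, a ticket in the default credential cache, a host/<fqdn> key in a keytab this process can read, and a constructed allow-list.

```perl
#!/usr/bin/perl
# Added example: loopback GSSAPI handshake plus principal allow-list check.
# Assumes the GSSAPI module's init/accept argument order, a ticket in the
# default ccache and a readable keytab for host/<fqdn>. The allow-list is
# constructed for illustration.
use strict;
use warnings;
use Sys::Hostname qw(hostname);
use GSSAPI;

my %allowed = map { $_ => 1 } ('alice@EXAMPLE.COM');   # constructed allow-list

# Service principal the client authenticates to, as a host-based name.
my $target;
my $status = GSSAPI::Name->import($target, 'host@' . hostname(),
                                  GSSAPI::OID::gss_nt_hostbased_service);
die "name import: $status" unless $status->major == GSS_S_COMPLETE;

my ($cctx, $sctx) = (GSSAPI::Context->new, GSSAPI::Context->new);
my ($ctoken, $stoken) = ('', '');      # tokens that would cross the wire
my $client_name;                       # filled in by accept()
my $client_done = 0;

# Client and server alternate until the client's init reports completion.
until ($client_done) {
    my ($omech, $oflags, $otime);
    $status = $cctx->init(GSS_C_NO_CREDENTIAL, $target, GSS_C_NO_OID,
                          GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, 0,
                          GSS_C_NO_CHANNEL_BINDINGS, $stoken,
                          $omech, $ctoken, $oflags, $otime);
    die "client init: $status"
        unless $status->major == GSS_S_COMPLETE
            or $status->major == GSS_S_CONTINUE_NEEDED;
    $client_done = ($status->major == GSS_S_COMPLETE);
    last unless length $ctoken;        # nothing left to send to the server

    my ($smech, $sflags, $stime, $deleg);
    $status = $sctx->accept(GSS_C_NO_CREDENTIAL, $ctoken,
                            GSS_C_NO_CHANNEL_BINDINGS, $client_name,
                            $smech, $stoken, $sflags, $stime, $deleg);
    die "server accept: $status"
        unless $status->major == GSS_S_COMPLETE
            or $status->major == GSS_S_CONTINUE_NEEDED;
}

# Authentication proved who the caller is; authorization is the service's call.
my $principal;
$status = $client_name->display($principal);
die "display name: $status" unless $status->major == GSS_S_COMPLETE;
print $allowed{$principal} ? "authorized: $principal\n" : "denied: $principal\n";
exit($allowed{$principal} ? 0 : 1);
```

In a real service the two halves live in separate processes and every token is carried over the connection; the accept() failure path is also where a defender logs the rejected token and peer address.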