ads-kerberos
    TypeScript icon, indicating that this package has built-in type declarations

    1.1.3 • Public • Published

    Kerberos

    Build Status

    The kerberos package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.

    Requirements

    Linux

    • python v2.7
    • make
    • A proper C/C++ compiler toolchain, like GCC
    • Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

    macOS

    • Xcode Command Line Tools: Can be installed with xcode-select --install
    • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

    Windows

    • Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).

    • Option 2: Install dependencies and configuration manually

      1. Visual C++ Build Environment:
      • Option 1: Install Visual C++ Build Tools using the Default Install option.
      • Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.

      💡 [Windows Vista / 7 only] requires .NET Framework 4.5.1

      1. Install Python 2.7 or Miniconda 2.7 (v3.x.x is not supported), and run npm config set python python2.7
      2. Launch cmd, npm config set msvs_version 2015

    Installation

    Now you can install kerberos with the following:

    npm install kerberos

    Testing

    Run the test suite using:

    npm test

    NOTE: The test suite requires an active kerberos deployment, see test/scripts/travis.sh to better understand these requirements.

    Documentation

    Classes

    KerberosClient
    KerberosServer

    Functions

    checkPassword(username, password, service, [defaultRealm], [callback])Promise

    This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

    For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

    IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

    principalDetails(service, hostname, [callback])Promise

    This function returns the service principal for the server given a service type and hostname.

    Details are looked up via the /etc/keytab file.

    initializeClient(service, [options], [callback])Promise

    Initializes a context for client-side authentication with the given service principal.

    initializeServer(service, [callback])Promise

    Initializes a context for server-side authentication with the given service principal.

    KerberosClient

    Properties

    Name Type Description
    username string The username used for authentication
    response string The last response received during authentication steps
    responseConf string Indicates whether confidentiality was applied or not (GSSAPI only)
    contextComplete boolean Indicates that authentication has successfully completed or not

    kerberosClient.step(challenge, [callback])

    Param Type Description
    challenge string A string containing the base64-encoded server data (which may be empty for the first step)
    [callback] function

    Processes a single kerberos client-side step using the supplied server challenge.

    Returns: Promise - returns Promise if no callback passed

    kerberosClient.wrap(challenge, [options], [callback])

    Param Type Description
    challenge string The response returned after calling unwrap
    [options] object Optional settings
    [options.user] string The user to authorize
    [callback] function

    Perform the client side kerberos wrap step.

    Returns: Promise - returns Promise if no callback passed

    kerberosClient.unwrap(challenge, [callback])

    Param Type Description
    challenge string A string containing the base64-encoded server data
    [callback] function

    Perform the client side kerberos unwrap step

    Returns: Promise - returns Promise if no callback passed

    KerberosServer

    Properties

    Name Type Description
    username string The username used for authentication
    response string The last response received during authentication steps
    targetName string The target used for authentication
    contextComplete boolean Indicates that authentication has successfully completed or not

    kerberosServer.step(challenge, [callback])

    Param Type Description
    challenge string A string containing the base64-encoded client data
    [callback] function

    Processes a single kerberos server-side step using the supplied client data.

    Returns: Promise - returns Promise if no callback passed

    checkPassword(username, password, service, [defaultRealm], [callback])

    Param Type Description
    username string The Kerberos user name. If no realm is supplied, then the defaultRealm will be used.
    password string The password for the user.
    service string The Kerberos service to check access for.
    [defaultRealm] string The default realm to use if one is not supplied in the user argument.
    [callback] function

    This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

    For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

    IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

    Returns: Promise - returns Promise if no callback passed

    principalDetails(service, hostname, [callback])

    Param Type Description
    service string The Kerberos service type for the server.
    hostname string The hostname of the server.
    [callback] function

    This function returns the service principal for the server given a service type and hostname.

    Details are looked up via the /etc/keytab file.

    Returns: Promise - returns Promise if no callback passed

    initializeClient(service, [options], [callback])

    Param Type Description
    service string A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
    [options] object Optional settings
    [options.principal] string Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
    [options.gssFlags] number Optional integer used to set GSS flags. (e.g. GSS_C_DELEG_FLAG
    [options.mechOID] number Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are GSS_MECH_OID_KRB5, GSS_MECH_OID_SPNEGO.
    [callback] function

    Initializes a context for client-side authentication with the given service principal.

    Returns: Promise - returns Promise if no callback passed

    initializeServer(service, [callback])

    Param Type Description
    service string A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
    [callback] function

    Initializes a context for server-side authentication with the given service principal.

    Returns: Promise - returns Promise if no callback passed

    Install

    npm i ads-kerberos

    DownloadsWeekly Downloads

    1

    Version

    1.1.3

    License

    Apache-2.0

    Unpacked Size

    142 kB

    Total Files

    28

    Last publish

    Collaborators

    • anthonydresser