Easy GSSAPI authentication

March 29, 2018

We have many services which are protected with GSSAPI authentication. When accessing them in some automated fashion from a script (e.g. for a cron job) it is typically necessary to use a keytab file and do a “kinit” or equivalent. Often we use the k5start tool to do that, either as a one-off or running in the background as a daemon to manage a credentials cache. Alternatively, in various Perl scripts we do something similar using the Authen::Krb5 module. Kenny MacDonald in IS recently pointed me at a fairly new feature of the GSSAPI libraries (the “client keytab”, available in MIT Kerberos 1.11 and later) which means that most of the time this is no longer necessary. Instead it is just a case of setting two environment variables: KRB5_CLIENT_KTNAME for the path to the keytab file and KRB5CCNAME for the credentials cache. The GSSAPI library will then do the work of obtaining a ticket from the keytab the first time it is needed, storing it in the cache, and fetching a fresh one when it expires, so the script itself never calls kinit at all. This works nicely with the Perl LWP framework, for example:

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

# Keytab the GSSAPI library will read to obtain (and re-obtain) the ticket
$ENV{KRB5_CLIENT_KTNAME} = '/etc/foo.keytab';
# Credentials cache the library will create and maintain for us
$ENV{KRB5CCNAME} = '/var/tmp/foo.ccache';

# No kinit needed: LWP negotiates with the server and the library fills the cache
my $ua = LWP::UserAgent->new();
my $req = HTTP::Request->new( GET => "https://www.example.org/auth_site/" );
my $response = $ua->request($req);

Note that for this to succeed the LWP::Authen::Negotiate and LWP::Protocol::https modules must be installed; LWP loads LWP::Authen::Negotiate itself when the server answers with a WWW-Authenticate: Negotiate header, so a plain 401 coming back usually means that module is missing rather than that the ticket is wrong. The principal used is apparently the first encountered in the keytab file, and there does not appear to be any way to control that selection from LWP, so a keytab containing multiple principals may be problematic. (With the MIT libraries the rule is really “the principal already named in the credentials cache, otherwise the first entry in the keytab”, so one workaround is to initialise the cache once with kinit -k -t for the principal you want and let the library keep it fresh from there.) Two things worth keeping in mind when deploying this: the keytab is a long-lived secret equivalent to the service’s password, so it should be readable only by the account running the script, and the credentials cache is better placed in a directory private to that account than in a shared, world-writable location such as /var/tmp.
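Putting the above together, here is a fuller version of the cron-job script as an added example (it is not code from the original post). It refuses to run with a keytab other users can read, keeps the cache in a private directory, optionally pins the principal for a multi-principal keytab by initialising the cache once with kinit, and distinguishes an authentication failure from other HTTP errors. The keytab path, cache path, principal and URL are placeholders.

```perl
#!/usr/bin/perl
# Added example, not from the original post: fetch a GSSAPI-protected URL
# from a cron job using the client-keytab mechanism.  All paths, the
# principal and the URL below are hypothetical placeholders.
use strict;
use warnings;
use LWP::UserAgent;
use LWP::Authen::Negotiate ();   # handles WWW-Authenticate: Negotiate
use LWP::Protocol::https ();     # handles https:// URLs

my $keytab    = '/etc/foo.keytab';                    # hypothetical
my $ccache    = '/var/lib/foo/krb5cc_foo';            # hypothetical, private dir
my $principal = 'foo/host.example.org@EXAMPLE.ORG';   # hypothetical; undef = first keytab entry
my $url       = 'https://www.example.org/auth_site/';

# The keytab is a long-lived secret: refuse to run if others can read it.
my @st = stat $keytab or die "cannot stat $keytab: $!\n";
my $mode = $st[2] & 07777;
die sprintf("%s must not be group/world readable (mode %04o)\n", $keytab, $mode)
    if $mode & 0077;

# Tell the GSSAPI library where the keytab and the cache live.  It obtains
# a ticket from the keytab on first use and fetches a new one when it expires.
$ENV{KRB5_CLIENT_KTNAME} = $keytab;
$ENV{KRB5CCNAME}         = "FILE:$ccache";

# With several principals in the keytab the library uses the first entry
# unless the cache already names a principal, so initialise the cache once
# for the principal we actually want.  kinit inherits KRB5CCNAME from %ENV.
if (defined $principal && !-s $ccache) {
    system('kinit', '-k', '-t', $keytab, $principal) == 0
        or die "kinit for $principal failed\n";
}

my $ua       = LWP::UserAgent->new(timeout => 30);
my $response = $ua->get($url);

if ($response->code == 401) {
    # Negotiate was attempted and rejected, or LWP::Authen::Negotiate
    # is missing and LWP could not answer the challenge at all.
    die "authentication to $url failed: " . $response->status_line . "\n";
}
$response->is_success
    or die "request to $url failed: " . $response->status_line . "\n";

print $response->decoded_content;
```

The kinit step runs only the first time (when the cache file does not yet exist); after that the library refreshes the ticket for the principal recorded in the cache, so the script never needs a k5start daemon alongside it.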