Xpra: Ticket #1691: kerberos authentication

Looks like we can use pykerberos, if only there were better examples.

See also #1255, #1692



Wed, 15 Nov 2017 11:39:41 GMT - Antoine Martin: status, description, milestone changed


Sat, 10 Mar 2018 12:05:12 GMT - Antoine Martin:

Added dumb implementation in r18693 using pykerberos.

Going forward, we should use the tokens rather than the password, and maybe even use python-gssapi for encryption?


Sun, 11 Mar 2018 10:38:10 GMT - Antoine Martin:

Based on centos 6: configuring a kerberos 5 server, and made harder by the fact that my LAN doesn't have a domain or DNS server...

hostname localdomain
/usr/sbin/kdb5_util create -s
cat > /etc/krb5.conf << EOF
includedir /etc/krb5.conf.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}
 default_realm = LOCALDOMAIN
[realms]
 LOCALDOMAIN = {
  kdc = localhost
  admin_server = localhost
 }
[domain_realm]
 localdomain = LOCALDOMAIN
EOF
echo "*/admin@LOCALDOMAIN	*" > /var/kerberos/krb5kdc/kadm5.acl
kadmind
krb5kdc
kadmin.local -q "addprinc test/admin"
kinit admin
kadmin -q "addprinc xpra"

The https://pythongssapi.github.io/python-gssapi/latest/gssapi.html.

For win32, we could use pykerberos.

client:

$ python
import gssapi
service_name = gssapi.Name("xpra")
ctx = gssapi.SecurityContext(name=service_name, usage="initiate")
k = ctx.step()  # initial token to send to the server

server:

from gssapi import creds as gsscreds
from gssapi import sec_contexts as gssctx
server_creds = gsscreds.Credentials(usage='accept')
server_ctx = gssctx.SecurityContext(creds=server_creds)
server_ctx.step(k)  # consume the client's token
print(server_ctx.complete)  # True once the context is established

client:

import kerberos  # pykerberos
v,c = kerberos.authGSSClientInit("xpra")
assert v==1
kerberos.authGSSClientStep(c, "")
k = kerberos.authGSSClientResponse(c)  # base64 token to send to the server

server:

import kerberos  # pykerberos
v,c = kerberos.authGSSServerInit("xpra")
assert v==1
r = kerberos.authGSSServerStep(c, k)  # k is the client's token
assert r==1

Things to think about:

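As an added example (not code from the ticket or from xpra), the python-gssapi exchange above driven to completion: the snippets step each side once, whereas a Kerberos handshake with mutual authentication needs a second leg, so the driver below loops until both contexts report complete. The `gssapi.Name("xpra")` form is taken from the ticket, and the `_StandIn` contexts are a constructed stand-in so the driver can run without a KDC.

```python
try:
    import gssapi  # python-gssapi; only needed by make_gssapi_pair()
except ImportError:  # assumption: the offline stand-in below runs without it
    gssapi = None

def run_handshake(client_ctx, server_ctx, max_legs=8):
    """Exchange tokens until both contexts are complete; return the leg count.
    Works with gssapi.SecurityContext or anything with step()/.complete."""
    token = client_ctx.step()  # leg 1: the initiator produces the first token
    legs = 0
    while token:
        legs += 1
        if legs > max_legs:
            raise RuntimeError("GSSAPI handshake did not converge")
        # odd legs travel client -> server, even legs server -> client
        receiver = server_ctx if legs % 2 else client_ctx
        token = receiver.step(token)
    if not (client_ctx.complete and server_ctx.complete):
        raise RuntimeError("handshake ended with an incomplete context")
    return legs

def make_gssapi_pair(service="xpra"):
    """Real contexts as in the ticket; needs a KDC and a ticket for `service`."""
    name = gssapi.Name(service)  # assumption: same name form the ticket uses
    client = gssapi.SecurityContext(name=name, usage="initiate")
    server = gssapi.SecurityContext(creds=gssapi.Credentials(usage="accept"))
    return client, server

class _StandIn:
    """Constructed stand-in for offline runs: a two-leg (mutual-auth) exchange."""
    def __init__(self, initiator):
        self.initiator, self.complete = initiator, False

    def step(self, token=None):
        if self.initiator and token is None:
            return b"C1"  # leg 1: initial client token
        if not self.initiator and token == b"C1":
            self.complete = True
            return b"S1"  # leg 2: the server proves itself back to the client
        if self.initiator and token == b"S1":
            self.complete = True
            return None  # nothing further to send
        raise ValueError("unexpected token %r" % (token,))

def demo_offline():
    """Drive the stand-in pair; returns (legs, client_complete, server_complete)."""
    client, server = _StandIn(True), _StandIn(False)
    return run_handshake(client, server), client.complete, server.complete
```

With python-gssapi installed and a valid ticket, `run_handshake(*make_gssapi_pair())` runs the same loop over real contexts.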

Mon, 12 Mar 2018 14:31:34 GMT - Antoine Martin:

The overloading of the "digest" list to add and detect support for "kerberos" and "gss" options is a bit ugly, but it is the most backwards compatible way. Older clients will just state that they don't support "kerberos" (or "gss") rather than failing in more obscure ways.

Examples:

xpra start --start-child="xterm" --bind-tcp=0.0.0.0:10000 --tcp-auth=kerberos-token,service=xpra
xpra start --start-child="xterm" --bind-tcp=0.0.0.0:10000 --tcp-auth=gss,service=xpra

TODO:


Sun, 18 Mar 2018 07:30:25 GMT - Antoine Martin: attachment set

patch for building with mingw


Sun, 18 Mar 2018 07:36:02 GMT - Antoine Martin:

On win32, building https://github.com/mongodb-labs/winkerberos/issues/21.


Sun, 18 Mar 2018 07:51:15 GMT - Antoine Martin:

Installing winkerberos from the modified source requires one more hack to prevent cx_freeze from messing up the packaging. As per "stopping setup.py from installing as egg", we have to use pip to ensure it does not get installed as an egg:

pushd winkerberos-0.7.0
python2 setup.py sdist
popd
pip2 install ./winkerberos-0.7.0/dist/winkerberos-0.7.0.tar.gz
pip3 install ./winkerberos-0.7.0/dist/winkerberos-0.7.0.tar.gz

Sun, 18 Mar 2018 13:58:31 GMT - Antoine Martin:

First, install gss support: r18758, ie on x86_64:

pacman -S mingw-w64-x86_64-gss

Building python-gssapi:

(and if I got this wrong, gss won't work...)

(clean and repeat with python3)

Changes submitted upstream: support building against mingw headers.


Wed, 21 Mar 2018 12:49:04 GMT - Antoine Martin:

Lots of improvements in r18780 (see commit message).

Examples (add -d auth for debug):


Wed, 21 Mar 2018 15:40:48 GMT - Antoine Martin: owner, status changed

Updates:

Ready for testing. There are packages for most platforms.

@maxmylyn: apart from testing the obvious command lines (ie: comment:8), the difficult thing is testing single-sign-on with gss / kerberos because this requires a Authentication : kerberos.

Please keep this ticket tidy as this will be the reference until the details are wiki-ized.


Fri, 01 Jun 2018 11:46:35 GMT - Antoine Martin: status changed; resolution set


Sat, 23 Feb 2019 06:53:45 GMT - Antoine Martin:

The changes have been merged upstream, we should package this in mingw: #2170


Wed, 15 May 2019 11:12:21 GMT - Antoine Martin:

See also: #1796


Thu, 13 Feb 2020 16:03:35 GMT - Antoine Martin:

MSYS2 packaging for these modules: #2170.


Sat, 23 Jan 2021 05:31:12 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/1691