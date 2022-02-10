The
kerberos package is a C++ extension for Node.js that provides cross-platform support for Kerberos authentication using GSSAPI on Linux/macOS and SSPI on Windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.
Linux
python v2.7
make
krb5-dev on Ubuntu)
macOS
Xcode Command Line Tools: Can be installed with xcode-select --install
krb5 on Homebrew)
Windows
Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).
Option 2: Install dependencies and configuration manually
💡 [Windows Vista / 7 only] requires .NET Framework 4.5.1
v3.x.x is not supported), and run npm config set python python2.7
npm config set msvs_version 2015
Now you can install kerberos with the following:
npm install kerberos
Run the test suite using:
npm test
NOTE: The test suite requires an active Kerberos deployment; see test/scripts/travis.sh to better understand these requirements.
Promise
This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.
For this to work, Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.
IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.
Promise
This function returns the service principal for the server given a service type and hostname.
Details are looked up via the /etc/keytab file.
Promise
Initializes a context for client-side authentication with the given service principal.
Promise
Initializes a context for server-side authentication with the given service principal.
Properties
| Name | Type | Description |
| --- | --- | --- |
| username | string | The username used for authentication |
| response | string | The last response received during authentication steps |
| responseConf | string | Indicates whether confidentiality was applied or not (GSSAPI only) |
| contextComplete | boolean | Indicates that authentication has successfully completed or not |
| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded server data (which may be empty for the first step) |
| [callback] | function | |
Processes a single kerberos client-side step using the supplied server challenge.
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| challenge | string | The response returned after calling unwrap |
| [options] | object | Optional settings |
| [options.user] | string | The user to authorize |
| [callback] | function | |
Perform the client side kerberos wrap step.
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded server data |
| [callback] | function | |
Perform the client side kerberos unwrap step.
Returns:
Promise - returns Promise if no callback passed
Properties
| Name | Type | Description |
| --- | --- | --- |
| username | string | The username used for authentication |
| response | string | The last response received during authentication steps |
| targetName | string | The target used for authentication |
| contextComplete | boolean | Indicates that authentication has successfully completed or not |
| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded client data |
| [callback] | function | |
Processes a single kerberos server-side step using the supplied client data.
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| username | string | The Kerberos user name. If no realm is supplied, then the defaultRealm will be used. |
| password | string | The password for the user. |
| service | string | The Kerberos service to check access for. |
| [defaultRealm] | string | The default realm to use if one is not supplied in the user argument. |
| [callback] | function | |
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| service | string | The Kerberos service type for the server. |
| hostname | string | The hostname of the server. |
| [callback] | function | |
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
| [options] | object | Optional settings |
| [options.principal] | string | Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com'). |
| [options.gssFlags] | number | Optional integer used to set GSS flags. (e.g. GSS_C_DELEG_FLAG |
| [options.mechOID] | number | Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are GSS_MECH_OID_KRB5, GSS_MECH_OID_SPNEGO. |
| [callback] | function | |
Initializes a context for client-side authentication with the given service principal.
Returns:
Promise - returns Promise if no callback passed
| Param | Type | Description |
| --- | --- | --- |
| service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
| [callback] | function | |
Initializes a context for server-side authentication with the given service principal.
Returns:
Promise - returns Promise if no callback passed
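
The server-side flow documented above, as an added example that is not code from the kerberos project: it accepts one client token with initializeServer and step, and trusts username only once contextComplete is true, so the identity comes from a ticket validated against the service's own key rather than from the password check flagged above as vulnerable to KDC spoofing. Assumptions of this example: the HTTP Negotiate framing, the single round trip, the function names parseNegotiate and acceptNegotiate, and the krb parameter (the loaded kerberos module, passed in by the caller).

```javascript
// Added example: server side of HTTP Negotiate built on the API documented above.
// `krb` is the loaded kerberos module, passed in so the flow can also be exercised
// with a stand-in object on a machine that has no KDC or keytab.

// Extract the base64 GSSAPI token from "Authorization: Negotiate <token>".
function parseNegotiate(header) {
  const m = /^Negotiate\s+([A-Za-z0-9+/]+={0,2})$/i.exec((header || '').trim());
  return m ? m[1] : null;
}

// 401 response asking the client to (re)start Negotiate; never carries a username.
function challenge(error) {
  const res = { status: 401, headers: { 'WWW-Authenticate': 'Negotiate' } };
  if (error) res.error = error;
  return res;
}

// Accept one client token for `service` (form 'type@fqdn', e.g. 'HTTP@web.example.com').
async function acceptNegotiate(krb, service, authorizationHeader) {
  const token = parseNegotiate(authorizationHeader);
  if (token === null) return challenge(); // missing or malformed header

  let server;
  try {
    server = await krb.initializeServer(service);
    await server.step(token);
  } catch (err) {
    // Invalid ticket, wrong service key, clock skew, ...: fail closed.
    return challenge(String((err && err.message) || err));
  }

  // Assumption: single round trip. An unfinished context is rejected, and
  // username is not read before contextComplete is true.
  if (!server.contextComplete || !server.username) return challenge();

  const headers = {};
  if (server.response) {
    // The reply token lets the client verify the server (mutual authentication).
    headers['WWW-Authenticate'] = `Negotiate ${server.response}`;
  }
  return { status: 200, username: server.username, headers };
}
```
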