I'm trying to script, from a Linux shell, downloading a file from a webserver over HTTPS that is protected with Kerberos authentication. I've tried using wget and curl, but neither of those seems to support Kerberos over HTTPS.
Is there a Linux command-line utility that supports Kerberos over HTTPS? And if so, how do you use it?
It's entirely possible with curl if it has GSS-Negotiate. Check with curl -V: it should return a Features line with GSS-Negotiate in it (Ubuntu 12.04 has it in package). You also need Kerberos client tools (like krb5-user on Ubuntu) and to set up your /etc/krb5.conf with REALM and kdc. See MIT docs.
To begin with, you must be able to get a ticket from the same KDC that the webserver uses (ignoring more complex possibilities). Also, the domain you are going to GET from must have a proper reverse pointer or be configured in your /etc/hosts, so check your DNS.
Start with kinit <some user principal>
Then you can curl your way to the URL you want to check. A fake user is required for curl to accept your negotiate (but not actually used; it doesn't matter what username or password). I also use --trace-ascii - to get the Kerberos errors.
For example:
curl --negotiate -u foo --trace-ascii - http://intranet/
If you see:
== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found
<= Recv header, 29 bytes (0x1d)
Then you forgot kinit or it didn't succeed.
If you see something like that but with krb5kdc_err_s_principal_unknown, then the name that the Kerberos library constructed with a reverse pointer or host entry has no corresponding principal at the KDC contacted.
Otherwise, if the server sends the proper HTTP/1.1 401: Authorization Required and WWW-Authenticate: Negotiate, you get authenticated.
Check the curl man pages. You can use --negotiate to use SPNego/GSSAPI/Kerberos. Most of the webservers support SPNego.
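The checks from the first answer (Features line, ticket present, reading the trace) can be scripted. This is an added example, not code from either answer. The function names, the verdict strings and the sample traces are assumptions constructed for illustration, and the "-u :" placeholder is used instead of "-u foo" so curl does not prompt for a password.

```shell
#!/bin/sh
# Added example: pre-flight checks and trace triage for curl --negotiate.

# Succeeds if `curl -V` output (passed as $1) advertises Negotiate support.
# Older builds list GSS-Negotiate; newer builds list SPNEGO and GSS-API instead.
curl_has_negotiate() {
  printf '%s\n' "$1" | grep '^Features:' | grep -Eq 'GSS-Negotiate|SPNEGO|GSS-API'
}

# Reads `curl --negotiate --trace-ascii -` output on stdin, prints one verdict.
classify_trace() {
  trace=$(tr '[:upper:]' '[:lower:]')
  case $trace in
    *"credentials cache file"*"not found"*)
      echo "no-ticket" ;;          # kinit was not run or did not succeed
    *krb5kdc_err_s_principal_unknown*|*"server not found in kerberos database"*)
      echo "spn-unknown" ;;        # KDC has no principal for the host name used
    *"authorization: negotiate "*)
      echo "token-sent" ;;         # a ticket was obtained and presented
    *"www-authenticate: negotiate"*)
      echo "offered-no-token" ;;   # server offered Negotiate, client sent nothing
    *)
      echo "not-offered" ;;        # server never sent WWW-Authenticate: Negotiate
  esac
}

# Live run: pre-flight checks, then fetch and classify. Not called automatically.
negotiate_check() {
  url=$1
  curl_has_negotiate "$(curl -V)" || { echo "curl-lacks-negotiate"; return 2; }
  # MIT klist -s is silent and exits non-zero when the cache is missing or expired.
  klist -s || { echo "no-ticket"; return 3; }
  # Body goes to /dev/null; only the trace reaches the classifier.
  curl -s -o /dev/null --negotiate -u : --trace-ascii - "$url" | classify_trace
}

# Constructed sample traces for offline use.
SAMPLE_NO_TICKET="== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found
<= Recv header, 29 bytes (0x1d)"
SAMPLE_OK="=> Send header, 120 bytes (0x78)
0000: GET / HTTP/1.1
0010: Authorization: Negotiate CONSTRUCTED_TOKEN"
```

Call negotiate_check with the URL to test after running kinit; a verdict other than token-sent points at the step in the first answer that needs attention.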