 

download a file from a server with kerberos authentication

I'm trying to script, from a Linux shell, downloading a file from a web server over HTTPS that is protected with Kerberos authentication. I've tried using wget and curl, but neither of those seems to support Kerberos over HTTPS.

Is there a Linux command-line utility that supports Kerberos over HTTPS? And if so, how do you use it?

Alex Q asked Jul 01 '12 17:07


2 Answers

It's entirely possible with curl if it has GSS-Negotiate. Check with curl -V; it should return a Features line with GSS-Negotiate in it (Ubuntu 12.04 has it in the package). You also need Kerberos client tools (like krb5-user on Ubuntu) and to set up your /etc/krb5.conf with REALM and kdc. See the MIT docs.

To begin with, you must be able to get a ticket from the same KDC that the web server uses (ignoring more complex possibilities). Also, the domain you are going to GET from must have a proper reverse pointer or be configured in your /etc/hosts, so check your DNS.

Start with kinit <some user principal>

Then you can curl your way to the URL you want to check. A fake user is required for curl to accept your negotiate (it is not actually used; the username and password don't matter). I also use --trace-ascii - to get the Kerberos errors.

For example:

 curl  --negotiate -u foo --trace-ascii -  http://intranet/

If you see:

== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found
<= Recv header, 29 bytes (0x1d)

Then you forgot kinit or it didn't succeed.

If you see something like that, but with krb5kdc_err_s_principal_unknown, then the name that the Kerberos library constructed with a reverse pointer or host entry has no corresponding principal at the KDC contacted.

Otherwise, if the server sends the proper HTTP/1.1 401: Authorization Required and WWW-Authenticate: Negotiate, you get authenticated.

Gerrit answered Dec 04 '22 07:12
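
The checks walked through in the answer above, collected into a script-friendly form. This is an added example, not code from the original answer: the function names are hypothetical, the sample inputs are constructed, it assumes MIT Kerberos client tools (klist -s), and it uses curl's documented "-u :" placeholder in place of "-u foo" so that a script is not prompted for a password.

```sh
#!/bin/sh
# Added example, not from the original answer. Assumes MIT Kerberos client tools.

# True if `curl -V` output ($1) shows a Negotiate-capable build. Older builds
# list GSS-Negotiate (as in the answer); newer builds list SPNEGO instead.
curl_supports_negotiate() {
    printf '%s\n' "$1" | grep '^Features:' | grep -Eq 'GSS-Negotiate|SPNEGO'
}

# Classify `curl --negotiate --trace-ascii -` output read from stdin.
diagnose_trace() {
    trace=$(cat)
    if printf '%s\n' "$trace" | grep -q 'Credentials cache file .* not found'; then
        echo no-ticket            # kinit was not run or did not succeed
    elif printf '%s\n' "$trace" | grep -Eqi \
        'krb5kdc_err_s_principal_unknown|Server not found in Kerberos database'; then
        echo spn-unknown          # name from DNS/hosts has no principal at the KDC
    elif printf '%s\n' "$trace" | grep -qi 'WWW-Authenticate: Negotiate'; then
        echo negotiate-offered    # server asked for Negotiate, no GSS error seen
    else
        echo no-negotiate-header  # server never asked for Negotiate
    fi
}

# Download URL $1 to file $2. "-u :" is the unused placeholder user; --fail turns
# an HTTP error status into a non-zero exit code so a calling script can react.
fetch_with_kerberos() {
    curl_supports_negotiate "$(curl -V)" || { echo 'curl lacks Negotiate' >&2; return 2; }
    klist -s || { echo 'no valid ticket, run kinit first' >&2; return 3; }
    curl --negotiate -u : --fail --silent --show-error -o "$2" "$1"
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_OLD_BUILD='Protocols: http https
Features: GSS-Negotiate IPv6 Largefile NTLM SSL libz'
SAMPLE_NEW_BUILD='Protocols: http https
Features: GSS-API IPv6 Kerberos Largefile NTLM SPNEGO SSL libz'
SAMPLE_NO_GSS='Protocols: http https
Features: IPv6 Largefile SSL libz'
SAMPLE_NO_TICKET="== Info: gss_init_sec_context() failed: : Credentials cache file '/tmp/krb5cc_0' not found
<= Recv header, 29 bytes (0x1d)
0000: WWW-Authenticate: Negotiate"
SAMPLE_OFFERED='<= Recv header, 37 bytes (0x25)
0000: HTTP/1.1 401 Authorization Required
<= Recv header, 29 bytes (0x1d)
0000: WWW-Authenticate: Negotiate'
```

To triage a failing request, pipe the trace from the answer's curl command into diagnose_trace; a GSS error takes precedence over the header check because the server's challenge is present in both cases.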


Check the curl man pages. You can use --negotiate to use SPNEGO/GSSAPI/Kerberos. Most web servers support SPNEGO.

R V Marti answered Dec 04 '22 06:12