Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

PHP kerberos delegation

Tags:

php

curl

kerberos

How could I forward kerberos auth to another server (using CURL) with php. I have $_SERVER['KRB5CCNAME'] in my request and I need to delegate this to another server using curl.

How can this be done?

Code:

$ch = curl_init();

$url = 'http://www.somesite.com/info.php';

@curl_setopt($ch, CURLOPT_HTTPGET, 1);

@curl_setopt($ch, CURLOPT_GSSAPI_DELEGATION, CURLGSSAPI_DELEGATION_FLAG);
@curl_setopt($ch, CURLOPT_HTTPAUTH, CURLAUTH_GSSNEGOTIATE);
@curl_setopt($ch, CURLOPT_USERPWD, ":");

@curl_setopt($ch, CURLOPT_URL, $url);
@curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$resultContent = @curl_exec($ch);

$httpCode = @curl_getinfo($ch, CURLINFO_HTTP_CODE);

if(@curl_errno($ch))
{
    $msg = @curl_error($ch);
    curl_close($ch);
    die('Curl error: content: '.$this->resultContent.' code: '.$this->httpCode);
}

curl_close($ch);

die('R: code: '.$httpCode.' content: '. htmlspecialchars($resultContent));

EDIT:

I just figured it out that php 5.3 hasn't got CURLOPT_GSSAPI_DELEGATION, it's been added in 5.5.0 alpha 3. Working on an issue to see if that's the problem.

like image 260
dfilkovi Avatar asked Jul 01 '26 01:07

dfilkovi


1 Answers

As in http://curl.haxx.se/libcurl/c/curl_easy_setopt.html CURLOPT_GSSAPI_DELEGATION

Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI credential delegation. The delegation is disabled by default since 7.21.7. Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if the OK-AS-DELEGATE flag is set in the service ticket in case this feature is supported by the GSSAPI implementation and the definition of GSS_C_DELEG_POLICY_FLAG was available at compile-time.

OK-AS-DELEGATE flag should be set in the Kerberos service ticket (realm policy).

like image 55
Tonči Jukić Avatar answered Jul 03 '26 13:07

Tonči Jukić



Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!