当使用 - 与curl协商时，是否需要keytab文件？ [英] When using --negotiate with curl, is a keytab file required?

问题描述

描述如何使用文档连接到kerberos安全端点显示如下：

  curl -i --negotiate -u：http：//< ; HOST>：< PORT> / webhdfs / v1 /< PATH>？op = ...
  

必须提供 -u 标志，但被curl忽略。

$ - negotiate 选项是否会导致curl查找预先使用<$ c创建的密钥表$ c> kinit 命令，或者会提示输入凭据？

如果查找keytab文件，命令将查找哪个文件名对于 curl $ c>在该区域。这里是你需要知道的：

curl（1）本身对Kerberos一无所知，与您的凭证缓存或您的密钥表文件。它会将所有的调用委托给一个GSS-API实现，它将为你带来魔力。什么魔力取决于图书馆，Heimdal和MIT Kerberos。基于你的问题，我假设你对Kerberos知之甚少，并希望简单地将API调用自动化到REST终端获得SPNEGO的保障。

以下是您需要做的事情：

1. 安装一个类Unix操作系统


2. 至少安装MIT Kerberos 1.11


3. 安装至少 curl 7.38.0针对MIT Kerberos


4. 使用 curl --version 提及GSS-API 和 SPNEGO和 ldd 与您的MIT Kerberos版本链接。


5. 为服务主体创建一个客户端 keytab使用 ktutil 或 mskutil


6. 尝试获取 client keytab由 kinit -k -t< path-to-keytab> < principal-from-keytab>


7. 通过 klist 验证您有票证缓存
li>

环境已准备就绪：

8. 导出 KRB5CCNAME =< some-non-default-path>


9. 导出 KRB5_CLIENT_KTNAME =< path-to-keytab>


10. 调用 curl --negotiate -u：< URL>




MIT Kerberos会检测到设置了两个环境变量，检查它们，使用keytab自动获取TGT，请求服务并传递给 curl 。您完成了。





注意：这对Heimdal无效。




The documentation describing how to connect to a kerberos secured endpoint shows the following:

curl -i --negotiate -u : "http://<HOST>:<PORT>/webhdfs/v1/<PATH>?op=..."

The -u flag has to be provided but is ignored by curl.

Does the --negotiate option cause curl to look for a keytab that was created beforehand with the kinit command, or will curl prompt for credentials?

If it looks for a keytab file, what filename will the command be looking for?

解决方案

Being a once-in-a-while-contributor to curl in that area. Here is what you need to know:

curl(1) itself knows nothing about Kerberos and will not interact neither with your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos.

Based on your question, I assume that you have little knowledge about Kerberos and want simply automate API calls to a REST endpoints secured by SPNEGO.

Here is what you need to do:

1. Have a Unix-like OS
2. Install at least MIT Kerberos 1.11
3. Install at least curl 7.38.0 against MIT Kerberos
4. Verify this with curl --version mentioning GSS-API and SPNEGO and with ldd linked against your MIT Kerberos version.
5. Create a client keytab for the service principal with ktutil or mskutil
6. Try to obtain a TGT with that client keytab by kinit -k -t <path-to-keytab> <principal-from-keytab>
7. Verify with klist that you have a ticket cache

Environment is now ready to go:

8. Export KRB5CCNAME=<some-non-default-path>
9. Export KRB5_CLIENT_KTNAME=<path-to-keytab>
10. Invoke curl --negotiate -u : <URL>

MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass to curl. You are done.

Note: this will not work with Heimdal.

这篇关于当使用 - 与curl协商时，是否需要keytab文件？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！