Implement support for kerberos authentication #13
Conversation
There was a problem hiding this comment.
Hey @tsipinakis thank you very much for your work, this looks awesome. A few minor changes.
tsipinakis
force-pushed
the
gssapi
branch
12 times, most recently
from
89c5fb1 to
e19f4f1
Compare
tsipinakis
changed the title
| @@ -3,6 +3,7 @@ package webhook | |||
| import ( | |||
| "net" | |||
|
|
|||
| auth2 "github.com/containerssh/libcontainerssh/auth" | |||
There was a problem hiding this comment.
I would prefer aliasing the internal auth to internalAuth or this one to publicAuth. Using numbered aliases does not help readability.
There was a problem hiding this comment.
This is following the existing naming used in other parts of the project (grep for config2). It should probably be changed globally later.
| @@ -25,6 +25,18 @@ kadmin.local -q "addprinc -pw ${KERBEROS_PASSWORD} ${KERBEROS_USERNAME}" | |||
| echo -n "" >/etc/krb5kdc/kadm5.acl | |||
| echo "${KERBEROS_USERNAME}@TESTING.CONTAINERSSH.IO *" >>/etc/krb5kdc/kadm5.acl | |||
|
|
|||
| echo -e "\e[32mAdding host principal testing.containerssh.io ...\e[0m" | |||
| kadmin.local -q "addprinc -randkey host/testing.containerssh.io" | |||
There was a problem hiding this comment.
Ideally, we wouldn't hard-code credentials but pass them via environment variables like above. However, I can live with this.
|
@janosdebugs Ready for another round of reviews :) |
| AllowPassword bool `json:"allowPassword" yaml:"allowPassword" default:"true"` | ||
| // ConfigPath is the path of the kerberos configuration file. This is | ||
| // only used for password authentication. | ||
| ConfigPath string `json:"configPath" yaml:"configPath" default:"/etc/containerssh/krb5.conf"` |
There was a problem hiding this comment.
The main reason to do so would be centralized configuration. If people we add configuration via other means then having one centralized configuration structure would make that easier. (e.g. if we ever introduce a webhook on-connection) I'm fine leaving it as an external file for now, but we should keep this in mind for the future and not add too many external configuration files.
| EnforceUsername bool `json:"enforceUsername" yaml:"enforceUsername" default:"true"` | ||
| // CredentialCachePath is the path in which the kerberos credentials | ||
| // will be written inside the user containers. | ||
| CredentialCachePath string `json:"credentialCachePath" yaml:"credentialCachePath" default:"/tmp/krb5cc"` |
There was a problem hiding this comment.
Let's make sure this file has the proper permissions. (0600)
There was a problem hiding this comment.
It does, the agent write-file command currently only writes with 0600 permissions.
https://github.com/ContainerSSH/agent/pull/3/files#diff-0965f1fa88ac40fcfc62a7eb27c953cf287c8d9a10e80f5d6e84aeb165322594R15
internal/auth/client_kerberos.go
Outdated
| if k.client.config.EnforceUsername && field.UserName != k.username { | ||
| return message.NewMessage( | ||
| message.EAuthKerberosVerificationFailed, | ||
| "Verify() returned unverified but no error", |
There was a problem hiding this comment.
Yes, down the line we want to create a web client and that client will support authentication error messages.
internal/docker/docker_impl.go
Outdated
| if d.config.Execution.Mode == config.DockerExecutionModeSession && d.config.Execution.DisableAgent { | ||
| return message.NewMessage( | ||
| message.EDockerWriteFileFailed, | ||
| "Agent needs to be enable in order to write files", |
There was a problem hiding this comment.
Let's make sure this text is at least grammatically correct.
tsipinakis
force-pushed
the
gssapi
branch
3 times, most recently
from
25d8fc2 to
4103ae1
Compare
ghost
enabled auto-merge (squash)
Please describe the change you are making
Implement a kerberos authentication flow. It includes an additional webhook to the authentication server for authorization.
The authentication method requires the keytab to be mounted in the container (or be present on the host).
Example configuration:
In order to run this, the changes from ContainerSSH/agent#3 and ContainerSSH/gokrb5#2
TODO:
principalUserto authz request in case ticket username != ssh usernameAre you the owner of the code you are sending in, or do you have permission of the owner?
Sent with permission of the owner
The code will be published under the MIT-0 license. Have you read and understood this license?
Yes