发表新帖
发表新帖

Kerberos authentication in Node.js https.get or https.request

后端 未结
关注
5 1682
失恋的感觉
失恋的感觉 2020-12-05 15:13

I\'m trying to write a simple script that requests some data from a tool on an internal network. Here is the code:

#!/usr/bin/node

var https = require(\'htt
相关标签:
5条回答
  • 庸人自扰
    2020-12-05 15:29

    If you are on Windows, you can use the SSPI interface. It is exposed on Node with the project node-expose-sspi.

    The SSPI interface allows you to write any client or server using SSO (NTLM and Kerberos).

    https://github.com/jlguenego/node-expose-sspi

    Note: I am the author of node-expose-sspi.

    0 讨论(0)
  • 礼貌的吻别
    2020-12-05 15:31

    In Paul Scheltema's answer, you need to get ticketdata from depth of operating system. You (or a module on behalf of you) must use GSS-API to have ticketdata generated by Active Directory for you.

    Such mechanism is present in Chrome, but it seems that it's not included in Node.js (only the javascript engine from Chrome), so you may need to add a module, for example:

    • Passport-Kerberos: https://www.npmjs.org/package/passport-kerberos and http://passportjs.org/guide/
    • Kerberos (npm install kerberos)
    • In source code of Node.js at github there's a trace that someone has been using Bones module for that (https://github.com/joyent/node/search?q=kerberos&ref=cmdform). 3 years ago, with DES (this encoding type is very weak and has been deprecated for years)

    To install/compile such module you may need to have Visual Studio.

    To set up environment, - On all computers you must have tcp and udp enabled on ports 88 (Kerberos) and 53 (dns). - On Windows Server Active Directory must be running (ldap, dns, kdc) - On the page https://www.npmjs.org/package/passport-kerberos they use term REALM. It's a name of domain, written uppercase.

    0 讨论(0)
  • 眼角桃花
    2020-12-05 15:40

    2020 UPD:

    The newer version of kerberos npm package has much less methods. But I make it work:

    const kerberos = require('kerberos').Kerberos;
const fetch = require('node-fetch');

(async () => {
    const client = await kerberos.initializeClient("HTTP@site.internal.net", {
        mechOID: kerberos.GSS_MECH_OID_SPNEGO,
    })

    const ticket = await client.step("")

    const resp = await fetch("https://site.internal.net/api/v1/hello", {
        headers: {
            'Authorization': 'Negotiate ' + ticket
        }
    })

    console.log(await resp.json())
})();

    Works perfectly at Windows and Linux, should work at macOS too.

    0 讨论(0)
  • 梦毁少年i
    2020-12-05 15:49

    I have gotten this to work using "kerberos" module, version 0.0.12. I have created a Gist with the working example:

    https://gist.github.com/dmansfield/c75817dcacc2393da0a7

    Basically, you use three methods to obtain the "Authorization" header data:

    • authGSSClientInit, which requires the service name, e.g. HTTP@somehost.com
    • authGSSClientStep, which requires the existence of a credentials cache (on Linux you get this by doing "kinit" and can verify it with "klist"), and actually gives you back the base64 stuff you need (without the leading "Negotiate " string)
    • authGSSClientClean, which frees all allocated memory structures

    Then you create an "Authorization" header (NOT WWW-Authenticate as shown above, which is what the server sends back) and it should work.

    Note also: typically, web browsers request a resource, get a 401 back with a WWW-Authenticate: Negotiate header in the response, then re-request the resource with the ticket data supplied in the "Authorization" header. This two-step dance happens for every resource. I'm not sure if it means anything or not.

    0 讨论(0)
  • 太阳男子
    2020-12-05 15:56

    from http://docs.oracle.com/cd/E24191_01/common/tutorials/authn_kerberos_service.html

    Client Token Location for Message-Level Standards: The Kerberos Service ticket can either be sent in the Authorization HTTP header or inside the message itself, for example, inside a element. Alternatively, it may be contained within a message attribute. Select one of the following options:

    so instead of your username:password you provide the ticket

    alternatively you can as stated below that information put it in the message body or as a message attribute

    var request = https.request(options, function(resource) {
  var chunks = [];
   resource.on('data', function (chunk) {
     chunks.push(chunk);
   });
   resource.on('end', function () {
     var data = chunks.join('');
     console.log(data);
   });
}

request.on('error',...)
request.send('<body-with-ticket>');
request.end();

    EDIT:

    the "" part was my example of where to use the ticket, put it in a multiytype body and send that, alternatively use the WWW-Authenticate header to send it

    eg. add it to the options on https.request

    options = {
    host: 'hostname',
    port: 443, 
    'WWW-Authenticate': 'Negotiate ' + ticketdata
};

    google has some nice diagrams on how it works: https://developers.google.com/search-appliance/kb/secure/kerberos-diagram

    0 讨论(0)
 看不清?
提交回复
热议问题