EldoS | Feel safer!


GSS-API, Kerberos how-to

#12743
Posted: 03/09/2010 06:47:20
by Pavel Krehula (Basic support level)
Joined: 03/09/2010
Posts: 2

Hello,
As SecureBlackBox from 7.1 supports GSS-API I want to try to use it in our project. For the moment it is not successful.
Is there any how-to or documentation for gss-api support in SecureBlackBox?

Pavel
#12744
Posted: 03/09/2010 07:59:32
by Dmytro Bogatskyy (EldoS Corp.)

Here are some samples from the ToDo list for the documentation:

GSS-API user authentication (using gssapi-with-mic):
Code
var
  Mech : TElGSSWinAuthMechanism;
begin
  // Windows-native GSS-API mechanism; the client only keeps a reference to it
  Mech := TElGSSWinAuthMechanism.Create();
  SSHClient.GSSMechanism := Mech;
  // add "gssapi-with-mic" to the set of allowed user-authentication methods
  SSHClient.AuthenticationTypes := SSHClient.AuthenticationTypes or SSH_AUTH_TYPE_GSSAPI_WITH_MIC;
  ...
  SSHClient.Open();
  ...
  // Clearing: GSSMechanism is not freed by the client, so release it explicitly
  SSHClient.GSSMechanism := nil;
  FreeAndNil(Mech);
  FreeAndNil(SSHClient);
end;


Authentication using GSS-API key exchange:
Code
var
  Mech : TElGSSWinAuthMechanism;
begin
  Mech := TElGSSWinAuthMechanism.Create();
  Mech.AuthProtocols := [apKerberos]; // e.g. enabling the Kerberos protocol only
  SSHClient.GSSMechanism := Mech;
  // add "gssapi-keyex" to the set of allowed user-authentication methods
  SSHClient.AuthenticationTypes := SSHClient.AuthenticationTypes or SSH_AUTH_TYPE_GSSAPI_KEYEX;
  // enabling the GSS-API group-exchange KEX algorithm (gss-gex-sha1-*) and raising its priority:
  SSHClient.KexAlgorithms[SSH_KEX_GSS_GROUP_EXCHANGE] := True;
  SSHClient.KexAlgorithmPriorities[SSH_KEX_GSS_GROUP_EXCHANGE] := 1;
  ...
  SSHClient.Open();
  ...
  // Clearing: GSSMechanism is not freed by the client, so release it explicitly
  SSHClient.GSSMechanism := nil;
  FreeAndNil(Mech);
  FreeAndNil(SSHClient);
end;


Some more info:
GSS-API properties of the TElSSHClient, TElSimpleSFTPClient and TElSimpleSSHClient classes:
property GSSMechanism : TElGSSBaseMechanism - specifies the GSS-API mechanism used to authenticate the user. There are three predefined GSS-API mechanisms: TElGSSWinAuthMechanism, TElGSSAPIMechanism and TElGSSMechanismCollection. The GSSMechanism instance is not freed automatically.

property GSSHostName : string - the fully qualified host name
property GSSDelegateCredentials : Boolean - turn on credential delegation.

Constants from SBSSHConstants unit (SBSSHConstants.Unit class for .Net):
SSH_AUTH_TYPE_GSSAPI_KEYEX - For authentication using GSS-API key exchange. The authentication method name for this protocol is "gssapi-keyex".
SSH_AUTH_TYPE_GSSAPI_WITH_MIC - For GSS-API user authentication. The authentication method name for this protocol is "gssapi-with-mic".

Constants for GSS-API authenticated Diffie-Hellman key exchange:
SSH_KEX_GSS_GROUP_EXCHANGE - for gss-gex-sha1-*
SSH_KEX_GSS_GROUP - for gss-group1-sha1-*
SSH_KEX_GSS_GROUP_14 - for gss-group14-sha1-*
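The "*" in the KEX names listed above is not a wildcard the client fills in freely: RFC 4462 §2.1 defines it as the Base64 encoding of the MD5 hash of the DER-encoded OID of the GSS-API mechanism, so each mechanism (Kerberos V5 included) gets its own fixed set of algorithm names that the client and server have to match exactly. The following is an added example, not SecureBlackbox code, that derives those names for the Kerberos V5 mechanism OID and also shows the host/FQDN service principal form that the reply above says GSSHostName is translated into. Python is used so the derivation can be run directly; the OID constant and the sample host name are constructed for the example, and the realm handling in host_principal is an assumption about Kerberos naming rather than anything the page states.

```python
import base64
import hashlib

# Kerberos V5 GSS-API mechanism OID (RFC 1964). Constructed input for this example.
KRB5_MECH_OID = "1.2.840.113554.1.2.2"

# Page constants -> RFC 4462 name prefixes; the suffix is mechanism-specific.
KEX_PREFIXES = {
    "SSH_KEX_GSS_GROUP_EXCHANGE": "gss-gex-sha1-",
    "SSH_KEX_GSS_GROUP": "gss-group1-sha1-",
    "SSH_KEX_GSS_GROUP_14": "gss-group14-sha1-",
}


def der_encode_oid(dotted: str) -> bytes:
    """ASN.1 DER encoding of an OBJECT IDENTIFIER: tag 0x06, length, contents."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %r" % dotted)
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        # base-128 encoding, continuation bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("mechanism OIDs are short; long-form length not handled")
    return bytes([0x06, len(body)]) + bytes(body)


def kex_suffix(mech_oid: str) -> str:
    """RFC 4462 s2.1 suffix: Base64(MD5(DER(mechanism OID))). MD5 is a naming
    hash here, not a security mechanism; the suffix only identifies the mechanism."""
    digest = hashlib.md5(der_encode_oid(mech_oid)).digest()
    return base64.b64encode(digest).decode("ascii")


def gss_kex_names(mech_oid: str) -> dict:
    """Full KEX algorithm names a client must offer for the given mechanism."""
    suffix = kex_suffix(mech_oid)
    return {const: prefix + suffix for const, prefix in KEX_PREFIXES.items()}


def host_principal(fqdn: str, realm: str = "") -> str:
    """Service principal the client requests a ticket for when given a bare
    FQDN (host/<fqdn>, optionally @REALM). Assumption: the page only says the
    FQDN becomes a host principal; the realm suffix is standard Kerberos form."""
    fqdn = fqdn.rstrip(".").lower()
    if not fqdn or "/" in fqdn or "@" in fqdn:
        raise ValueError("GSSHostName must be a bare fully qualified host name")
    spn = "host/" + fqdn
    return spn + "@" + realm if realm else spn


if __name__ == "__main__":
    print("DER(OID) =", der_encode_oid(KRB5_MECH_OID).hex())
    for const, name in gss_kex_names(KRB5_MECH_OID).items():
        print("%-28s -> %s" % (const, name))
    print(host_principal("sftp.example.com", "EXAMPLE.COM"))
```

If a GSS-API key exchange fails with "no matching KEX", comparing the names produced here against the server's KEXINIT list (OpenSSH prints them at LogLevel DEBUG) tells you whether the two sides disagree on the mechanism or merely on the group: a different suffix means a different mechanism OID, not a configuration of the DH group.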
#12793
Posted: 03/15/2010 02:36:22
by Pavel Krehula (Basic support level)
Joined: 03/09/2010
Posts: 2

Thanks, your description was very helpful.

Using the GSSHostName property forces the client to query for host/hostname.
Is there any possibility to query for a cross-realm ticket (i.e. krbtgt/hostname)?
#12797
Posted: 03/15/2010 06:32:06
by Dmytro Bogatskyy (EldoS Corp.)

Quote
Is there any possibility to query for a cross-realm ticket (i.e. krbtgt/hostname)?

It is not possible at the moment; by default the fully qualified domain name (FQDN) is translated to a host principal name.
For the next version I'll add a possibility to accept service principal name as GSSHostName property value.
