Kerberos NPM | npm.io

Kerberos

The kerberos package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.

Requirements

Linux

python v2.7
make
A proper C/C++ compiler toolchain, like GCC
Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

macOS

Xcode Command Line Tools: Can be installed with xcode-select --install
Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

Windows

Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).
Option 2: Install dependencies and configuration manually
1. Visual C++ Build Environment:
- Option 1: Install Visual C++ Build Tools using the Default Install option.
- Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.
:bulb: Windows Vista / 7 only requires .NET Framework 4.5.1
1. Install Python 2.7 or Miniconda 2.7 (v3.x.x is not supported), and run npm config set python python2.7
2. Launch cmd, npm config set msvs_version 2015

MongoDB Node.js Driver Version Compatibility

Only the following version combinations with the MongoDB Node.js Driver are considered stable.

	`kerberos@1.x`	`kerberos@2.x`
`mongodb@6.x`	N/A	✓
`mongodb@5.x`	✓	✓
`mongodb@4.x`	✓	✓
`mongodb@3.x`	✓	N/A

Installation

Now you can install kerberos with the following:

npm install kerberos

Testing

Run the test suite using:

npm test

NOTE: The test suite requires an active kerberos deployment, see test/scripts/travis.sh to better understand these requirements.

Documentation

Classes

Functions

KerberosClient

Properties

Name	Type	Description
username	string	The username used for authentication
response	string	The last response received during authentication steps
responseConf	string	Indicates whether confidentiality was applied or not (GSSAPI only)
contextComplete	boolean	Indicates that authentication has successfully completed or not

KerberosClient

kerberosClient.step(challenge, callback)

Param	Type	Description
challenge	string	A string containing the base64-encoded server data (which may be empty for the first step)
callback	function

Processes a single kerberos client-side step using the supplied server challenge.

Returns: Promise - returns Promise if no callback passed

kerberosClient.wrap(challenge, options, callback)

Param	Type	Description
challenge	string	The response returned after calling `unwrap`
options	object	Optional settings
options.user	string	The user to authorize
callback	function

Perform the client side kerberos wrap step.

Returns: Promise - returns Promise if no callback passed

kerberosClient.unwrap(challenge, callback)

Param	Type	Description
challenge	string	A string containing the base64-encoded server data
callback	function

Perform the client side kerberos unwrap step

Returns: Promise - returns Promise if no callback passed

KerberosServer

Properties

Name	Type	Description
username	string	The username used for authentication
response	string	The last response received during authentication steps
targetName	string	The target used for authentication
contextComplete	boolean	Indicates that authentication has successfully completed or not

kerberosServer.step(challenge, callback)

Param	Type	Description
challenge	string	A string containing the base64-encoded client data
callback	function

Processes a single kerberos server-side step using the supplied client data.

Returns: Promise - returns Promise if no callback passed

checkPassword(username, password, service, defaultRealm, callback)

Param	Type	Description
username	string	The Kerberos user name. If no realm is supplied, then the `defaultRealm` will be used.
password	string	The password for the user.
service	string	The Kerberos service to check access for.
defaultRealm	string	The default realm to use if one is not supplied in the user argument.
callback	function

This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

Returns: Promise - returns Promise if no callback passed

principalDetails(service, hostname, callback)

Param	Type	Description
service	string	The Kerberos service type for the server.
hostname	string	The hostname of the server.
callback	function

This function returns the service principal for the server given a service type and hostname.

Details are looked up via the /etc/keytab file.

Returns: Promise - returns Promise if no callback passed

initializeClient(service, options, callback)

Param	Type	Description
service	string	A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
options	object	Optional settings
options.principal	string	Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
options.gssFlags	number	Optional integer used to set GSS flags. (e.g. GSS_C_DELEG_FLAG	GSS_C_MUTUAL_FLAG	GSS_C_SEQUENCE_FLAG will allow for forwarding credentials to the remote host)
options.mechOID	number	Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are `GSS_MECH_OID_KRB5`, `GSS_MECH_OID_SPNEGO`.
callback	function