SSO Application needs username from GSSName (or GSSAPI)


SSO Application needs username from GSSName (or GSSAPI)

amit
Hi,

I am trying to use Kerberos authentication via GSS-API in Java.
We use the following two calls to get the GSSName once we have obtained the TGT from the KDC:

1. GSSCredential cred = manager.createCredential(GSSCredential.INITIATE_ONLY);
2. GSSName gssName = cred.getName();

The format of the GSSName is <USERNAME>@<REALM_NAME>

As my application uses SSO, it does not have the username and needs to extract it from the above-mentioned GSSName.
Usernames can contain the '@' character, so simply cropping the string at the first occurrence of '@' won't work.

So the remaining option is to crop the GSSName at the last occurrence of '@' in the string (if realm_name cannot contain the '@' character).

Could anyone please help me clarify whether realm_name can contain the '@' character or not?
If realm_name can contain '@', is there any other way to get the USERNAME from some GSSAPI call?

Thank you,
Amit K

Re: SSO Application needs username from GSSName (or GSSAPI)

Simo Sorce-3
On Fri, 2014-08-01 at 00:02 -0700, amit wrote:

> Hi,
>
> I am trying to use Kerberos authentication via GSS-API in Java.
> We use the following two calls to get the GSSName once we have obtained the
> TGT from the KDC:
>
> 1. GSSCredential cred =
> manager.createCredential(GSSCredential.INITIATE_ONLY);
> 2. GSSName gssName = cred.getName();
>
> The format of the GSSName is <USERNAME>@<REALM_NAME>
>
> As my application uses SSO, it does not have the username and needs to
> extract it from the above-mentioned GSSName.
> Usernames can contain the '@' character, so simply cropping the string at
> the first occurrence of '@' won't work.
>
> So the remaining option is to crop the GSSName at the last occurrence of
> '@' in the string (if realm_name cannot contain the '@' character).
>
> Could anyone please help me clarify whether realm_name can contain the
> '@' character or not?
> If realm_name can contain '@', is there any other way to get the USERNAME
> from some GSSAPI call?

Does your implementation support gss_localname() ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: SSO Application needs username from GSSName (or GSSAPI)

Nico Williams
On Fri, Aug 1, 2014 at 12:47 PM, Simo Sorce <[hidden email]> wrote:
> On Fri, 2014-08-01 at 00:02 -0700, amit wrote:

> Does your implementation support gss_localname() ?

Amit is using the Java bindings, so "no" :(

Re: SSO Application needs username from GSSName (or GSSAPI)

amit
Thank you Simo & Nico,

Simo, Nico is right about my application.

Please have a look at the following link, which talks about realm names in Kerberos.
It says that you can have anything as a realm name, but when it comes to following the conventions, the realm name should be the domain name in capital letters.
http://web.mit.edu/kerberos/krb5-devel/doc/admin/realm_config.html

So, I am assuming that customers will always follow the Kerberos conventions and keep the realm name as the domain name in capital letters.

Again, the following link talks about what restrictions domain names have.
https://www.register.com/policy/domain-extension-rules.rcmx

So, it looks like a domain name can never contain the '@' sign (which in turn means that a realm name will never contain the '@' sign).

Cropping the GSSName string at the last index of '@' will give me the username.

Please let me know if I am mistaken somewhere.

Re: SSO Application needs username from GSSName (or GSSAPI)

Spike_White
In reply to this post by amit
Amit,

The problem with what you're suggesting is that it's a static conversion. Admittedly, it is the static conversion that is usually (but not always) desired.

If you use krb5_aname_to_localname() instead, by default it does the same conversion. But additionally, the site administrator is able to write his or her own auth_to_local rules if this default conversion is not what's desired.

Here's an example, from http://web.mit.edu/kerberos/krb5-1.4/krb5-1.4.1/doc/krb5-admin/realms--krb5.conf-.html
[realms]
    ATHENA.MIT.EDU = {
        auth_to_local = {
            RULE:[2:$1](johndoe)s/^.*$/guest/
            RULE:[2:$1;$2](^.*;admin$)s/;admin$//
            RULE:[2:$2](^.*;root)s/^.*$/root/
            DEFAULT
        }
    }


Re: SSO Application needs username from GSSName (or GSSAPI)

Nico Williams
In reply to this post by amit
Dropping the realm part is very dangerous.  Don't do it.

Instead you'll have to maintain a lookup table.  You should ask Oracle
to improve their JGSS interfaces and keep pace with the rest of the
GSS universe.

Nico
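The two alternatives raised in the thread, Spike_White's configurable auth_to_local rules and Nico Williams' explicit lookup table, shown side by side with the naive last-'@' crop from the question. This is an added example, not code from the thread, from MIT krb5 or from the JGSS bindings: it is a simplified interpreter of the krb5.conf RULE/DEFAULT syntax quoted above (assumptions: the selector regexp must match the formatted string in full, and DEFAULT maps only a single-component principal in the default realm), plus a parser for the "c1/c2@REALM" unparsed form that honours krb5's backslash escaping of '@' and '/' inside components. All principals, rules and table entries are constructed sample data.

```python
"""Map a Kerberos principal (the string form of a JGSS GSSName, "name@REALM")
to a local account.  Constructed example, not MIT krb5 or JGSS code: a
simplified auth_to_local RULE/DEFAULT interpreter (Spike_White's reply), the
full-principal lookup table Nico Williams recommends, and the naive last-'@'
crop from the question.  All sample principals, rules and entries are made up."""
import re
from dataclasses import dataclass
from typing import Optional

def _unescaped_positions(text: str, ch: str) -> list:
    """Indexes of every `ch` in text that is not preceded by a backslash."""
    pos, i = [], 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if text[i] == ch:
            pos.append(i)
        i += 1
    return pos

def _split_unescaped(text: str, delim: str, unescape_all: bool) -> list:
    """Split on unescaped delim; drop the backslash before delim (or before
    any character, when unescape_all) inside each piece."""
    cuts = [-1] + _unescaped_positions(text, delim) + [len(text)]
    pieces = [text[a + 1:b] for a, b in zip(cuts, cuts[1:])]
    if unescape_all:
        return [re.sub(r"\\(.)", r"\1", p) for p in pieces]
    return [p.replace("\\" + delim, delim) for p in pieces]

def split_principal(principal: str):
    """(components, realm) for the krb5 unparsed form 'c1/c2@REALM'.  The
    realm separator is the LAST '@' not escaped by a backslash; a literal
    '@' or '/' inside a component is written '\\@' or '\\/'."""
    ats = _unescaped_positions(principal, "@")
    if not ats or ats[-1] == len(principal) - 1:
        raise ValueError("principal lacks a realm: %r" % principal)
    name, realm = principal[:ats[-1]], principal[ats[-1] + 1:]
    return _split_unescaped(name, "/", unescape_all=True), realm

def naive_last_at(principal: str) -> str:
    """The crop from the question: alice@EXAMPLE.COM and alice@PARTNER.ORG
    both collapse to 'alice', so the realm no longer distinguishes them."""
    return principal[:principal.rfind("@")]

# RULE:[n:string](regexp)s/pattern/replacement/[g]
_RULE = re.compile(r"^RULE:\[(\d+):([^\]]*)\]\((.*)\)s(.)(.*)$")

@dataclass
class Rule:
    ncomps: int          # principal must have exactly this many components
    fmt: str             # $0 = realm, $n = n-th component
    select: re.Pattern   # assumed: must match the formatted string in full
    pattern: re.Pattern  # sed-style substitution applied on a match
    replacement: str
    global_sub: bool

def parse_rule(text: str) -> Rule:
    m = _RULE.match(text)
    if not m:
        raise ValueError("unparseable auth_to_local rule: %r" % text)
    n, fmt, select, delim, rest = m.groups()
    parts = _split_unescaped(rest, delim, unescape_all=False)
    if len(parts) != 3:
        raise ValueError("bad substitution in rule: %r" % text)
    return Rule(int(n), fmt, re.compile(select), re.compile(parts[0]),
                parts[1], "g" in parts[2])

def apply_rules(principal: str, rules, default_realm: str) -> Optional[str]:
    """Evaluate rules in order; first hit wins, None means 'no local user'."""
    comps, realm = split_principal(principal)
    for text in rules:
        if text == "DEFAULT":
            # Only a single-component principal in the default realm maps.
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        rule = parse_rule(text)
        if len(comps) != rule.ncomps:
            continue
        formatted = re.sub(r"\$(\d+)", lambda m: realm if m.group(1) == "0"
                           else comps[int(m.group(1)) - 1], rule.fmt)
        if rule.select.fullmatch(formatted) is None:
            continue
        return rule.pattern.sub(rule.replacement, formatted,
                                count=0 if rule.global_sub else 1)
    return None

def lookup_table(principal: str, table: dict) -> Optional[str]:
    """Nico's alternative: key the table by the FULL principal (components
    and realm), so cross-realm homonyms cannot collide and an unknown
    principal maps to nothing rather than to a guessed account."""
    comps, realm = split_principal(principal)
    return table.get((tuple(comps), realm))

# Constructed sample data; the rules are the ones quoted in the thread.
SAMPLE_RULES = ["RULE:[2:$1](johndoe)s/^.*$/guest/",
                "RULE:[2:$1;$2](^.*;admin$)s/;admin$//",
                "RULE:[2:$2](^.*;root)s/^.*$/root/",
                "DEFAULT"]
SAMPLE_TABLE = {(("alice",), "EXAMPLE.COM"): "alice",
                (("alice",), "PARTNER.ORG"): "alice-partner",
                (("ops@corp", "admin"), "EXAMPLE.COM"): "ops-admin"}
```

With the sample rules and ATHENA.MIT.EDU as the default realm, johndoe/admin maps to guest, jsmith/admin to jsmith, alice to alice, and alice@PARTNER.ORG to nothing; the same alice@PARTNER.ORG that the naive crop turns into a local "alice" resolves through the table to alice-partner, and a principal the table has never heard of resolves to None rather than to an account. The parser also keeps a username that legitimately contains '@' (escaped as "ops\@corp" in the unparsed form) intact instead of mis-splitting it.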