module KerberosAuthenticator

Constants

VERSION

Public Class Methods

authenticate!(username, password)

Authenticates a user using their password, then verifies the credentials obtained against the configured server principal and keytab. @param username [String] a string representation of the user's principal @param password [String] the user's password @raise [Error] if Kerberos can't parse the principal or can't contact any KDC for the principal's realm @raise [Error] if preauthentication fails (usually meaning that the user's password was incorrect) @raise [Error] if the KDC cannot find the user @return [TrueClass] always returns true if authentication succeeds without any error @see web.mit.edu/kerberos/krb5-1.14/doc/appdev/init_creds.html Initial credentials

# File lib/kerberos_authenticator.rb, line 28
# Authenticates +username+ with +password+ against the KDC, then verifies the
# credentials obtained against the service key held in the configured keytab.
#
# @param username [String] the user's principal name (e.g. "alice@EXAMPLE.COM")
# @param password [String] the user's password
# @raise [Error] if the principal can't be parsed or no KDC for its realm can be reached
# @raise [Error] if preauthentication fails (usually a wrong password)
# @raise [Error] if the KDC doesn't know the principal
# @raise [Error] presumably, if the credentials don't verify against the keytab
# @return [TrueClass] +true+ when every step succeeds; any failure raises
# @see http://web.mit.edu/kerberos/krb5-1.14/doc/appdev/init_creds.html
def self.authenticate!(username, password)
  principal = Krb5::Principal.new_with_name(username)

  # Ask the KDC for initial credentials for the configured +service+.
  initial_creds = principal.initial_creds_with_password(password, service)

  # SECURITY: this verification is what ties the KDC's answer to a key we
  # actually hold. Without it, a reply from a spoofed KDC that merely
  # "accepts" the password would look like a successful login. Note that if
  # +server+ is unset, server_princ is nil and what verify! does with a nil
  # principal is up to the Krb5 binding — confirm it fails closed before
  # relying on that configuration.
  with_keytab { |keytab| initial_creds.verify!(server_princ, keytab) }

  true
end
change_password!(username, old_password, new_password)

Change a user's password by authenticating with their current one. @raise [Error] if the attempt to change the password fails @return [TrueClass] always returns true if no error was raised

# File lib/kerberos_authenticator.rb, line 42
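# Changes a user's password by authenticating with their current one.
#
# @param username [String] the user's principal name
# @param old_password [String] the current password
# @param new_password [String] the password to set
# @raise [Error] if the attempt to change the password fails
# @return [TrueClass] always +true+ if no error was raised — the documented
#   contract, made explicit here and consistent with authenticate! instead of
#   leaking whatever Principal#change_password happens to return
def self.change_password!(username, old_password, new_password)
  principal = Krb5::Principal.new_with_name(username)
  principal.change_password(old_password, new_password)

  true
end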
keytab_base64()
# File lib/kerberos_authenticator.rb, line 87
# The keytab contents, Base64-encoded, for deployments that supply the keytab
# as a string rather than a file. When set it takes precedence over
# keytab_path in with_keytab.
#
# SECURITY: a keytab holds the service's long-term key — treat this value
# like a password (never log it, never commit it).
#
# @return [String, nil] the configured value, or nil if unset
class << self
  attr_reader :keytab_base64
end
keytab_base64=(v)
# File lib/kerberos_authenticator.rb, line 91
# Sets the Base64-encoded keytab (see keytab_base64). It is decoded into a
# 0600 temporary file for the duration of each with_keytab call.
#
# SECURITY: this is long-term key material; source it from a secret store or
# environment variable, not from a checked-in config file.
#
# @param v [String, nil] the Base64 text, or nil to fall back to keytab_path
# @return [String, nil] +v+
class << self
  attr_writer :keytab_base64
end
keytab_path()
# File lib/kerberos_authenticator.rb, line 95
# Path to the keytab file, opened as "FILE:<path>" by with_keytab when
# keytab_base64 is not set. If neither is set the library's default keytab
# is used instead.
#
# @return [String, nil] the configured path, or nil if unset
class << self
  attr_reader :keytab_path
end
keytab_path=(v)
# File lib/kerberos_authenticator.rb, line 99
# Sets the path of the keytab file (see keytab_path).
#
# SECURITY: the file holds the service's long-term key; keep it readable only
# by the account running this code (e.g. mode 0600).
#
# @param v [String, nil] the keytab path, or nil to use the default keytab
# @return [String, nil] +v+
class << self
  attr_writer :keytab_path
end
krb5()

A convenience method to access the Krb5 module when using the setup method. @return [Krb5]

# File lib/kerberos_authenticator.rb, line 11
# A convenience accessor for the Krb5 module, so a setup block can reach the
# binding through the yielded object instead of naming the constant directly.
#
# @return [Krb5]
def self.krb5
  Krb5
end
server()
# File lib/kerberos_authenticator.rb, line 76
# Name of the server principal whose key is in the keytab; server_princ
# turns it into a Krb5::Principal that authenticate! verifies credentials
# against. If unset, server_princ returns nil.
#
# @return [String, nil] the configured principal name, or nil if unset
class << self
  attr_reader :server
end
server=(v)
# File lib/kerberos_authenticator.rb, line 80
# Sets the name of the server principal used to verify credentials (see
# server). Leaving it unset means authenticate! verifies with a nil
# principal, whose effect depends on the Krb5 binding — configure it.
#
# @param v [String, nil] the principal name
# @return [String, nil] +v+
class << self
  attr_writer :server
end
service()
# File lib/kerberos_authenticator.rb, line 66
# The service name passed to Principal#initial_creds_with_password by
# authenticate!, i.e. the service the initial credentials are requested for.
#
# @return [String, nil] the configured service, or nil if unset
class << self
  attr_reader :service
end
service=(v)
# File lib/kerberos_authenticator.rb, line 70
# Sets the service that initial credentials are requested for (see service).
#
# @param v [String, nil] the service name
# @return [String, nil] +v+
class << self
  attr_writer :service
end
setup() { |self| ... }

Supports setting KerberosAuthenticator up using a block.

# File lib/kerberos_authenticator.rb, line 16
# Configures KerberosAuthenticator with a block. The module itself is yielded
# so the block can call the setters (keytab_path=, server=, service=, ...).
#
# @yieldparam config [KerberosAuthenticator] the module itself
# @return the block's return value
# @raise [LocalJumpError] if no block is given
def self.setup
  yield(self)
end

Private Class Methods

new_kt_tmp_file()
# File lib/kerberos_authenticator.rb, line 107
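# Decodes keytab_base64 into a fresh temporary file.
#
# Tempfile creates the file with mode 0600 and an unpredictable name, which
# matters because the contents are the service's long-term key. The file is
# closed but NOT unlinked here; the caller (with_keytab) must close! it.
#
# Fix: if writing fails the file is now unlinked before re-raising, so no
# partially written key material is left behind in the temp directory.
#
# @return [Tempfile, nil] the closed temp file, or nil when keytab_base64 is unset
def self.new_kt_tmp_file
  encoded = keytab_base64
  return nil unless encoded

  kt_tmp_file = Tempfile.new('krb5_kt', encoding: 'binary')
  written = false
  begin
    # decode64 (not strict_decode64) is deliberate: it tolerates the line
    # wrapping that base64(1) adds, which a keytab stored as a string often has.
    kt_tmp_file.write(Base64.decode64(encoded))
    kt_tmp_file.close
    written = true
  ensure
    # Covers every failure (including Interrupt) without rescuing Exception.
    kt_tmp_file.close! unless written
  end

  kt_tmp_file
end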
server_princ()
# File lib/kerberos_authenticator.rb, line 103
# The principal that obtained credentials are verified against, built from
# the configured +server+ name.
#
# @return [Krb5::Principal, nil] nil when +server+ is unset — in which case
#   authenticate! ends up calling verify! with a nil principal
def self.server_princ
  name = server
  return nil unless name

  Krb5::Principal.new_with_name(name)
end
with_keytab() { |kt| ... }
# File lib/kerberos_authenticator.rb, line 117
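# Opens the configured keytab and yields it.
#
# Resolution order: keytab_base64 (decoded into a temporary file that lives
# only for the duration of the block), then keytab_path as "FILE:<path>",
# then the Kerberos library's default keytab.
#
# Fix: the ensure now also covers Keytab.new_with_name and assert_has_content.
# Previously an error in either left the decoded key material on disk because
# close! was only reached once the block itself was running.
#
# @yieldparam kt [Krb5::Keytab] the opened keytab
# @return the block's return value
# @raise [Error] presumably, from assert_has_content when the keytab is
#   missing or empty
def self.with_keytab
  # nil unless keytab_base64 is configured.
  kt_tmp_file = new_kt_tmp_file

  begin
    kt = if kt_tmp_file
           Krb5::Keytab.new_with_name("FILE:#{kt_tmp_file.path}")
         elsif keytab_path
           Krb5::Keytab.new_with_name("FILE:#{keytab_path}")
         else
           Krb5::Keytab.default
         end

    # FIXME: This seems to protect against segfaults in OS X Kerberos as of 10.9.5
    #   when the keytab isn't accessible or doesn't exist.
    #   It probably indicates an underlying memory management mistake.
    #
    # REVIEW: It's hard to say whether calling this or leaving it out produces
    #   better error messages.
    kt.assert_has_content

    yield kt
  ensure
    # Unlink the decoded keytab no matter which step above failed.
    kt_tmp_file.close! if kt_tmp_file
  end
end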