COUR4G3 / flask-gssapi

HTTP Negotiate (GSSAPI) authentication support for Flask applications.
MIT License

basic authentication ccache #15

Open overbum opened 2 years ago

overbum commented 2 years ago

In web servers there is a feature to store the user credential cache in an internal directory and reuse it while it has not expired. When I am successfully authenticated in the login window, I still see requests from Flask to the KDC servers for any action on the web site: first a TGT and then a TGS for HTTP. If thousands of users asked the website at once, the KDC servers would fail as under a DDoS. I guess there is no cache mechanism inside, but there should be by default. For example, the curl client application uses the Linux native GSSAPI library, so you can see all your tickets using the klist tool, and no new action requires the KDC during the next 24h (default lifetime).

COUR4G3 commented 2 years ago

There is probably a way to set the ccache on the gssapi.SecurityContext or alternatively maybe by an environment variable. I'll have to take a look into it.

COUR4G3 commented 2 years ago

https://github.com/pythongssapi/python-gssapi/blob/main/docs/source/credstore.rst#ccache

Seems there is a ccache keyword.

overbum commented 1 year ago

Do you mean gssapi.raw.store_cred_into({'ccache': ccache}, cred.creds, usage='initiate', overwrite=True) is enough to define the ccache?

By the way, the Apache module "mod_auth_gssapi" has a GssapiBasicTicketTimeout attribute so as not to flood the KDCs for each browser request. Is it possible to use the same one inside the Flask module?

COUR4G3 commented 1 year ago

I dug through the tests and found use of the credential cache to store and acquire credentials here:

https://github.com/pythongssapi/python-gssapi/blob/a2539647bdcdd5843be2cb4cdeaf5c678043378d/gssapi/tests/test_raw.py#L451

COUR4G3 commented 1 year ago

I had a look at the source code for "mod_auth_gssapi" and I can't see how GssapiBasicTicketTimeout is implemented, so I can't really give any advice on that.

I wonder if simply setting KRB5 environment variables like KRB5CCNAME and KRB5_KTNAME might help.

overbum commented 1 year ago

Both KRB5_KTNAME and KRB5CCNAME are local environment variables in Linux only. They fit automated systems that authenticate by keytab and reuse a specific ccache (FILE or KEYRING/KCM) in the user session. Also, KRB5_KTNAME needs to point to the service keytab (like HTTP/hostname@REALM) to decrypt the incoming user TGS.

For example, the OpenJDK Java built-in module (JAAS Krb5LoginModule) doesn't support a ccache storing mechanism, so there is no sense in exporting them. If you turn on MIT support via the GSSAPI bridge (jgss.native true) you can use those variables as you would when building a C/C++ application (MIT is C-oriented). By the way, it's the best way to optimize Java applications (client or server) so that independent JVM threads don't flood the KDCs. Using jgss.native stores a common ccache for everyone. It is the classic conflict between Java developers and security administrators. But it isn't our case.

Here we are discussing an external job using a web-browser client that connects the user to the web service indirectly. Red Hat uses httpd with the GSSAPI module in its own IdP system (FreeIPA stream) to authenticate the user by kinit to a ccache file in a /var/run/ccache directory (something like that). Of course default httpd can do it too. For example, Tomcat can't do it (because it is a Java-oriented server and only a Java app should have the jgss.native bridge), and Nginx can't do it because it has only simple SPNEGO support without ccache.

Well, I will look at your link; I hope it's useful.
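The per-user Basic-auth ticket cache discussed in this thread (the behaviour mod_auth_gssapi exposes as GssapiBasicTicketTimeout), written out as an added Python example that is neither flask-gssapi's nor mod_auth_gssapi's code. The only step that reaches the KDC, a kinit with the user's password, is injected as a callable and replaced here by a constructed in-memory stand-in, so the block runs offline; the gssapi.raw calls named in the docstring are an assumption about where a real implementation would plug in, not something the library wires up today. The design points a practitioner should carry over: the cache is keyed on the principal plus a salted PBKDF2 digest of the password (so a wrong password can neither ride on a valid entry nor evict it, and the cache never holds the password itself), entries expire after a fixed timeout, and a rejected login costs exactly one KDC round-trip.

```python
import base64
import hashlib
import hmac
import os
import threading
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class KinitError(Exception):
    """Raised by the injected kinit callable when the KDC rejects the password."""


@dataclass
class _Entry:
    pw_digest: bytes   # PBKDF2 of the password that earned the ticket, never the password
    ccache: str        # ccache name returned by kinit, e.g. 'MEMORY:...' or 'FILE:...'
    expires_at: float  # deadline on the injected clock (the GssapiBasicTicketTimeout analogue)


class BasicTicketCache:
    """Per-principal cache of successful password logins, good for `timeout` seconds.

    `kinit(principal, password) -> ccache_name` is injected so this runs offline; in a
    real app it would wrap gssapi.raw.acquire_cred_with_password() followed by
    gssapi.raw.store_cred_into({'ccache': name}, creds, usage='initiate', overwrite=True).
    """

    def __init__(self, kinit: Callable[[str, str], str], timeout: float = 300.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._kinit, self._timeout, self._clock = kinit, timeout, clock
        self._salt = os.urandom(16)          # per-process salt: digests are useless elsewhere
        self._entries: Dict[str, _Entry] = {}
        self._lock = threading.Lock()

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self._salt, 50_000)

    def authenticate(self, principal: str, password: str) -> Optional[str]:
        """Return the ccache name for a valid login, None if the KDC rejects it."""
        now = self._clock()
        digest = self._digest(password)
        with self._lock:
            hit = self._entries.get(principal)
            # Keying on the principal alone would let a wrong password ride on a valid entry.
            if hit and now < hit.expires_at and hmac.compare_digest(hit.pw_digest, digest):
                return hit.ccache            # served from cache, no KDC traffic
        try:
            ccache = self._kinit(principal, password)   # miss, expired, or changed password
        except KinitError:
            return None                      # bad password: leave any valid entry in place
        with self._lock:
            self._entries[principal] = _Entry(digest, ccache, now + self._timeout)
        return ccache


def parse_basic(authorization: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None for any other or malformed header."""
    if not authorization or not authorization.lower().startswith("basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep and user else None


def authorize_request(cache: BasicTicketCache, authorization: Optional[str]) -> Optional[str]:
    """What a Flask before_request hook would call with request.headers.get('Authorization')."""
    creds = parse_basic(authorization)
    return cache.authenticate(*creds) if creds else None


class FakeKdc:
    """Constructed stand-in for the KDC round-trip; a real KDC checks pre-authentication."""
    passwords = {"alice@EXAMPLE.COM": "correct horse", "bob@EXAMPLE.COM": "hunter2"}

    def __init__(self) -> None:
        self.calls = 0                       # KDC round-trips the cache caused

    def kinit(self, principal: str, password: str) -> str:
        self.calls += 1
        if self.passwords.get(principal) != password:
            raise KinitError(f"Preauthentication failed for {principal}")
        return f"MEMORY:{principal}"         # hypothetical per-user ccache name


def run_demo() -> List[Tuple[Optional[str], int]]:
    """Drive the cache through a hit, a wrong password, and timeout expiry."""
    kdc, now = FakeKdc(), [1000.0]
    cache = BasicTicketCache(kdc.kinit, timeout=300.0, clock=lambda: now[0])

    def hdr(user: str, pw: str) -> str:
        return "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()

    alice = "alice@EXAMPLE.COM"
    steps = [(authorize_request(cache, hdr(alice, "correct horse")), kdc.calls)]  # KDC call 1
    steps.append((authorize_request(cache, hdr(alice, "correct horse")), kdc.calls))  # cache hit
    steps.append((authorize_request(cache, hdr(alice, "wrong")), kdc.calls))  # KDC call 2, rejected
    steps.append((authorize_request(cache, hdr(alice, "correct horse")), kdc.calls))  # entry survived
    now[0] += 301                            # past the timeout window
    steps.append((authorize_request(cache, hdr(alice, "correct horse")), kdc.calls))  # KDC call 3
    steps.append((authorize_request(cache, "Bearer not-basic"), kdc.calls))  # not Basic: ignored
    return steps
```

run_demo() returns, in order, (ccache, KDC-calls-so-far) for six requests: the first login hits the KDC once, the repeated header is served from cache, the wrong password costs one rejected KDC call without disturbing the cached entry, and only after the timeout does the correct password go back to the KDC. Swap the timeout for something at or below the ticket lifetime the KDC issues, and purge entries on logout, before using the pattern in a real service.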

COUR4G3 commented 1 year ago

I've started setting up a new Kerberos environment for me to do some testing and enhancements to this library, but it'll be a few more days before I'm familiar enough, and then I can actually start hacking away at a solution, as well as solutions to other issues, i.e. basic authentication fallback etc.

I completely forgot about this issue: https://github.com/COUR4G3/flask-gssapi/issues/14#issuecomment-920095263 where they were using ccache for delegation. I never got around to documenting it and making the raw functions easier to access, but it might also help you.

COUR4G3 commented 1 year ago

Apologies if my terminology or reference to Kerberos principles is unclear; it has been a few years since I worked in a Microsoft environment and I haven't needed to spend much time integrating into my FreeIPA system.