bastillion-io / Bastillion

Bastillion is a web-based SSH console that centrally manages administrative access to systems. Web-based administration is combined with management and distribution of user's public SSH keys.
https://www.bastillion.io

Other authentication methods #112

Open splashx opened 8 years ago

splashx commented 8 years ago

Any plans to extend authentication? :)

skavanagh commented 8 years ago

JAAS should be pretty configurable and there is a Kerberos module (not sure of all the options):

http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html

https://docs.oracle.com/javase/7/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

splashx commented 8 years ago

I may be mistaken, but not quite - the suggestion works when the user authenticates directly to KeyBox, e.g.:

user ----> https://keybox.example.com:8443/

I myself have tried this setup and it works without changing the code. Steps:

```
krb {
    com.sun.security.auth.module.Krb5LoginModule required;
};
```

In cases where a reverse proxy is providing user the access, e.g.:

user -----> https://reverse-proxy.example.com/ -------> https://keybox.example.com:8443/

in my case:

user -----> apache with ProxyPass + Kerberos (authn) + LDAP (authz) -----> keybox

The user doesn't really see the keybox address in the address bar but reverse-proxy.example.com (that's good). However, the authentication happens at the reverse proxy level (using mod_auth_kerb); if authn is successful, the user is then forwarded to keybox.

CURRENTLY: keybox presents the user with the standard username/password + OTP login page.

DESIRED: present the user with a prompt to enter only the OTP code, since the username/password authentication already happened before.

That is possible because the reverse proxy sends out extra header info via HTTP (REMOTE_USER, etc.), so Keybox should be able to work with that...
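The header-based handoff described in this comment has one caveat that decides whether it is safe: the application must accept the pre-authenticated principal only when the request really came from the proxy, and the proxy must overwrite any copy of that header a client sent. The servlet filter below is an added illustration written for this thread, not Bastillion/KeyBox code. The header name `X-Remote-User`, the trusted proxy addresses, the expected Kerberos realm `EXAMPLE.COM`, and the `preauthUser` session attribute are all assumptions; the Apache `RequestHeader` directives quoted in the comments are standard mod_headers syntax for setting that header from `REMOTE_USER`.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Illustrative filter (not part of Bastillion/KeyBox): accept a principal that a
 * Kerberos-authenticating reverse proxy forwarded in a request header, but only
 * when the request arrived from that proxy and the principal is well-formed.
 */
public class ProxyPrincipalFilter implements Filter {

    // Assumed header name. On the Apache side it must be cleared and re-set on
    // every proxied request so a client cannot supply its own value:
    //   RequestHeader unset X-Remote-User
    //   RequestHeader set   X-Remote-User "%{REMOTE_USER}s"
    static final String HEADER = "X-Remote-User";

    // Assumed: source addresses of the reverse proxy. Anything else may be a
    // client talking to port 8443 directly with a forged header.
    static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1", "10.0.0.5");

    // Assumed realm. mod_auth_kerb hands over user@REALM; a principal from a
    // foreign realm must not be mapped onto a local account of the same name.
    static final String REALM = "EXAMPLE.COM";

    // user@REALM with a conservative character set; captures the local part.
    static final Pattern PRINCIPAL =
            Pattern.compile("^([A-Za-z0-9._-]{1,64})@([A-Z0-9.-]{1,128})$");

    /**
     * Returns the local username to trust, or null when the request must fall
     * back to the ordinary username/password login.
     */
    static String trustedPrincipal(String remoteAddr, String headerValue) {
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return null;                       // not from the proxy: ignore header
        }
        if (headerValue == null) {
            return null;                       // proxy did not authenticate anyone
        }
        Matcher m = PRINCIPAL.matcher(headerValue.trim());
        if (!m.matches() || !REALM.equals(m.group(2))) {
            return null;                       // malformed or wrong realm
        }
        return m.group(1);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String user = trustedPrincipal(request.getRemoteAddr(), request.getHeader(HEADER));
        if (user != null) {
            // Assumed attribute name: the login page would skip the password step
            // for this user and still require the OTP as the second factor.
            request.getSession(true).setAttribute("preauthUser", user);
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    // Stand-alone check of the decision logic with constructed inputs.
    public static void main(String[] args) {
        System.out.println(trustedPrincipal("10.0.0.5", "alice@EXAMPLE.COM"));   // alice
        System.out.println(trustedPrincipal("203.0.113.9", "alice@EXAMPLE.COM")); // null (not proxy)
        System.out.println(trustedPrincipal("10.0.0.5", "alice@EVIL.COM"));      // null (wrong realm)
        System.out.println(trustedPrincipal("10.0.0.5", "ali ce@EXAMPLE.COM"));  // null (malformed)
    }
}
```

The address check is the part that matters: if Bastillion's port 8443 is reachable from anywhere other than the proxy, a client can send `X-Remote-User` itself, so either bind the listener to the proxy's network or keep this check (or both). The OTP prompt the comment asks for remains the second factor on top of the proxy's Kerberos authentication.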