hashicorp / vault-plugin-auth-kerberos

A plugin for HashiCorp Vault enabling Kerberos authentication.
Mozilla Public License 2.0
17 stars 17 forks

Add remove_instance_name config to CLI and mount config #68

Closed jasonodonnell closed 2 years ago

jasonodonnell commented 2 years ago

It's not uncommon when generating keytab files for users to include hostnames in the service principal name, for example:

ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 bob/hashi-J67927WY11@CORP.EXAMPLE.NET

Some users want the CLI to strip these instances if they're found while parsing the keytab during login to avoid authentication issues when searching LDAP for the user. To do this, I added a new CLI login parameter remove_instance_name, which will remove any instance names from the keytab file. It then sends the modified keytab file to Vault to be used for the login request.

Using this new parameter, a login might look like this:

$ vault login -method=kerberos \
      username=bob \
      service=HTTP/127.0.0.1 \
      realm=CORP.EXAMPLE.NET \
      keytab_path=./bob.keytab  \
      krb5conf_path=./configs/krb5.conf \
      disable_fast_negotiation=false \
      remove_instance_name=true

To enable server-side trimming, I added a new config to the Kerberos config, with the same name remove_instance_name:

vault write auth/kerberos/config \
    keytab=@vault.keytab.base64 \
    service_account="vault" \
    remove_instance_name=true
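As an added illustration of the instance stripping the PR describes (example code written for this page, not the plugin's own implementation), the Go below parses a principal as it appears in a ktutil listing, drops every name component after the first, and reassembles the result with its realm. The `Principal` type and the function names are assumptions; the plugin's real code path works on the parsed keytab entries rather than strings, and Kerberos' escaped separators (`\/`, `\@`) are not handled here.

```go
package main

import (
	"fmt"
	"strings"
)

// Principal is the decomposed form of a Kerberos principal such as
// "bob/hashi-J67927WY11@CORP.EXAMPLE.NET": name components split on '/'
// and the realm after '@'. Illustrative type, not the plugin's own.
type Principal struct {
	Components []string
	Realm      string
}

// ParsePrincipal splits a textual principal into components and realm.
// The realm is optional; an empty input or empty name part is rejected.
// Escaped separators (\/ and \@) are deliberately not supported here.
func ParsePrincipal(s string) (Principal, error) {
	if s == "" {
		return Principal{}, fmt.Errorf("empty principal")
	}
	name, realm := s, ""
	if i := strings.LastIndex(s, "@"); i >= 0 {
		name, realm = s[:i], s[i+1:]
	}
	if name == "" {
		return Principal{}, fmt.Errorf("principal %q has no name component", s)
	}
	return Principal{Components: strings.Split(name, "/"), Realm: realm}, nil
}

// String reassembles the principal in its textual form.
func (p Principal) String() string {
	out := strings.Join(p.Components, "/")
	if p.Realm != "" {
		out += "@" + p.Realm
	}
	return out
}

// RemoveInstanceName keeps only the primary (first) component, so that
// "bob/hashi-J67927WY11@CORP.EXAMPLE.NET" becomes "bob@CORP.EXAMPLE.NET".
// A principal that already has a single component is returned unchanged.
func RemoveInstanceName(p Principal) Principal {
	if len(p.Components) <= 1 {
		return p
	}
	return Principal{Components: p.Components[:1], Realm: p.Realm}
}

// StripInstance is the string-to-string convenience wrapper: parse,
// remove the instance, and render back to text.
func StripInstance(s string) (string, error) {
	p, err := ParsePrincipal(s)
	if err != nil {
		return "", err
	}
	return RemoveInstanceName(p).String(), nil
}

func main() {
	// Constructed sample principals, modelled on the ktutil listing above.
	samples := []string{
		"bob/hashi-J67927WY11@CORP.EXAMPLE.NET",
		"alice@CORP.EXAMPLE.NET",
		"HTTP/vault.corp.example.net/extra@CORP.EXAMPLE.NET",
	}
	for _, s := range samples {
		out, err := StripInstance(s)
		if err != nil {
			fmt.Printf("%-52s -> error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-52s -> %s\n", s, out)
	}
}
```

The realm is split on the last `@` rather than the first so that a primary component containing `@` in an unescaped, malformed entry still keeps its realm; the instance removal itself is intentionally a pure function over the parsed form, which is where a keytab rewriter would apply it before the modified keytab is sent to Vault.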