The latest articles on DEV Community by Darren (@da1rren). https://dev.to/da1rren https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1055741%2F91b9e6a3-efe8-4979-8ec4-52de72754aab.jpeg https://dev.to/da1rren en Darren Thu, 30 Mar 2023 20:05:35 +0000 https://dev.to/da1rren/escaping-kerberos-with-some-simple-kubernetes-tricks-3hal https://dev.to/da1rren/escaping-kerberos-with-some-simple-kubernetes-tricks-3hal <p>Kerberos historically presented a transparent method of authentication that found itself embraced by windows admins throughout windows enterprises. However as we migrate more services from the old world of windows servers running IIS I've found myself typically having to create IIS servers running a container that converts a modern jwt bearer token to a kerberos token. A scenario that I find brittle and unappealing as rather than migrate away from windows I'm spinning up more systems that need decommissioning.</p> <h2> The Dotnet Solution </h2> <p>That is until I discovered <a href="https://github.com/dotnet/Kerberos.NET">Kerberos.net</a>. Kerberos.net is a small managed implementation of the kerberos protocol. So instead of spinning up new windows servers and joining them we can instead use a tiny dotnet library to integrate directly to the kerberos service. All it takes is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="kt">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">KerberosClient</span><span class="p">();</span> <span class="kt">var</span> <span class="n">kerbCred</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">KerberosPasswordCredential</span><span class="p">(</span><span class="s">"user@domain.com"</span><span class="p">,</span> <span class="s">"userP@ssw0rd!"</span><span class="p">);</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">Authenticate</span><span class="p">(</span><span class="n">kerbCred</span><span class="p">);</span> <span class="kt">var</span> <span class="n">ticket</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">GetServiceTicket</span><span class="p">(</span><span class="s">"host/appservice.corp.identityintervention.com"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">header</span> <span class="p">=</span> <span class="s">"Negotiate "</span> <span class="p">+</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToBase64String</span><span class="p">(</span><span class="n">ticket</span><span class="p">.</span><span class="nf">EncodeGssApi</span><span class="p">().</span><span class="nf">ToArray</span><span class="p">());</span> </code></pre> </div> <p>With those 5 lines of code you’ve just saved yourself the cost of a windows server &amp; the added maintenance. If you happen to be dotnet users this option is by far the easiest.</p> <h2> But I'm not using dotnet </h2> <p>But what if like myself you find yourself in the situation where you need to support a node &amp; golang applications. Well for the moment the easiest option is to build a small transparent reverse proxy that transparently swaps out another form of authentication like your pod identity token for a kerberos token. Its not perfect, we're still introducing another hop but it still beats out spinning up more windows servers.</p> <p>You can do this by building a small <a href="https://microsoft.github.io/reverse-proxy/articles/getting-started.html">Yarp Proxy</a> and adding a tiny piece of transform middleware to automatically include the kerberos negotiate header on successful authentication. For example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight csharp"><code><span class="k">using</span> <span class="nn">Yarp.ReverseProxy.Transforms</span><span class="p">;</span> <span class="kt">var</span> <span class="n">builder</span> <span class="p">=</span> <span class="n">WebApplication</span><span class="p">.</span><span class="nf">CreateBuilder</span><span class="p">(</span><span class="n">args</span><span class="p">);</span> <span class="n">builder</span><span class="p">.</span><span class="n">Services</span><span class="p">.</span><span class="nf">AddReverseProxy</span><span class="p">()</span> <span class="p">.</span><span class="nf">LoadFromConfig</span><span class="p">(</span><span class="n">builder</span><span class="p">.</span><span class="n">Configuration</span><span class="p">.</span><span class="nf">GetSection</span><span class="p">(</span><span class="s">"ReverseProxy"</span><span class="p">))</span> <span class="p">.</span><span class="nf">AddTransforms</span><span class="p">(</span><span class="n">builderContext</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="n">builderContext</span><span class="p">.</span><span class="nf">AddRequestTransform</span><span class="p">(</span><span class="k">async</span> <span class="n">transformContext</span> <span class="p">=&gt;</span> <span class="p">{</span> <span class="kt">var</span> <span class="n">client</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">KerberosClient</span><span class="p">();</span> <span class="kt">var</span> <span class="n">kerbCred</span> <span class="p">=</span> <span class="k">new</span> <span class="nf">KerberosPasswordCredential</span><span class="p">(</span><span class="s">"user@domain.com"</span><span class="p">,</span> <span class="s">"userP@ssw0rd!"</span><span class="p">);</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">Authenticate</span><span class="p">(</span><span class="n">kerbCred</span><span class="p">);</span> <span class="kt">var</span> <span class="n">ticket</span> <span class="p">=</span> <span class="k">await</span> <span class="n">client</span><span class="p">.</span><span class="nf">GetServiceTicket</span><span class="p">(</span><span class="s">"host/appservice.corp.identityintervention.com"</span><span class="p">);</span> <span class="kt">var</span> <span class="n">header</span> <span class="p">=</span> <span class="s">"Negotiate "</span> <span class="p">+</span> <span class="n">Convert</span><span class="p">.</span><span class="nf">ToBase64String</span><span class="p">(</span><span class="n">ticket</span><span class="p">.</span><span class="nf">EncodeGssApi</span><span class="p">().</span><span class="nf">ToArray</span><span class="p">());</span> <span class="n">transformContext</span><span class="p">.</span><span class="n">ProxyRequest</span><span class="p">.</span><span class="n">Headers</span><span class="p">.</span><span class="nf">Add</span><span class="p">(</span><span class="s">"Authorization"</span><span class="p">,</span> <span class="n">header</span><span class="p">);</span> <span class="p">});</span> <span class="p">});</span> <span class="kt">var</span> <span class="n">app</span> <span class="p">=</span> <span class="n">builder</span><span class="p">.</span><span class="nf">Build</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">MapReverseProxy</span><span class="p">();</span> <span class="n">app</span><span class="p">.</span><span class="nf">Run</span><span class="p">();</span> </code></pre> </div> <p>Chuck it in a docker container and it makes for an okay workaround and with some clever configuration you can you a single deployment to handle the traffic to all your existing kerberos protected services.</p> <h2> The envoy solution (coming soon) </h2> <p>The best solution would be a kerberos wasm filter that can be integrated directly into envoy to automatically handle windows authentication to any external services transparently. However, wasm is currently quite unstable for dotnet. But hopefully with a bit more time we’ll able to permanently remove the need to make any changes when integrating with systems using Kerberos. Stay tuned for a follow up post when wasm stabilizes.</p> <h2> To Conclude </h2> <p>Ideally we wouldn't need this stepping stone but the reality is, a progressive approach is usually the supior option. The above workarounds give straight forward ways to overcome challenges when dealing with Kerberos in a cloud world.</p> kubernetes dotnet devops