This repository has been archived by the owner on Nov 24, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #20 from wintoncode/improve_readme
Improve Readme
- Loading branch information
Showing
1 changed file
with
15 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| [](https://travis-ci.org/wintoncode/vault-plugin-auth-kerberos) | ||
|
|
||
| This is a standalone backend plugin for use with [Hashicorp Vault](https://www.github.com/hashicorp/vault). | ||
| This plugin allows for users to authenticate with Vault via Kerberos. | ||
| This plugin allows for users to authenticate with Vault via Kerberos/SPNEGO. | ||
|
|
||
| You can find binaries on the [Release page](https://github.com/wintoncode/vault-plugin-auth-kerberos/releases). | ||
|
|
||
|
|
@@ -19,7 +19,7 @@ except: | |
| import winkerberos as kerberos | ||
| import requests | ||
|
|
||
| service = "HTTP/vault.domain@YOUR-REALM.COM" | ||
| service = "HTTP/vault.domain" | ||
| rc, vc = kerberos.authGSSClientInit(service=service, mech_oid=kerberos.GSS_MECH_OID_SPNEGO) | ||
| kerberos.authGSSClientStep(vc, "") | ||
| kerberos_token = kerberos.authGSSClientResponse(vc) | ||
|
|
@@ -50,7 +50,7 @@ $ vault write sys/plugins/catalog/auth/kerberos sha_256="$(shasum -a 256 'vault- | |
| 2. Enable the Kerberos auth method: | ||
|
|
||
| ```sh | ||
| $ vault auth enable -passthrough-request-headers=Authorization kerberos | ||
| $ vault auth enable -passthrough-request-headers=Authorization -allowed-response-headers=www-authenticate kerberos | ||
| Success! Enabled kerberos auth method at: kerberos/ | ||
| ``` | ||
|
|
||
|
|
@@ -68,6 +68,10 @@ slot KVNO Principal | |
| ktutil: wkt vault.keytab | ||
| ``` | ||
|
|
||
| The KVNO (`-k 1`) should match the KVNO of the service account. An error will show in the vault logs if this is incorrect. | ||
|
|
||
| Different encryption types can also be added to the keytab, for example `-e rc4-hmac` with additional `addent` commands. | ||
|
|
||
| Then base64 encode it: | ||
| ```sh | ||
| base64 vault.keytab > vault.keytab.base64 | ||
|
|
@@ -77,7 +81,14 @@ base64 vault.keytab > vault.keytab.base64 | |
| vault write auth/kerberos/config [email protected] service_account="your_service_account" | ||
| ``` | ||
|
|
||
| 4. Configure LDAP backend to look up Vault policies. | ||
| 4. Add a SPNs (Service Principal Names) to your KDC for your service and service account. This should map the vault service to the account it is running as: | ||
| ```sh | ||
| # for Windows/Active Directory | ||
| setspn.exe -U -S HTTP/vault.domain:8200 your_service_account | ||
| setspn.exe -U -S HTTP/vault.domain your_service_account | ||
| ``` | ||
|
|
||
| 5. Configure LDAP backend to look up Vault policies. | ||
| Configuration for LDAP is identical to the [LDAP](https://www.vaultproject.io/docs/auth/ldap.html) | ||
| auth method, but writing to to the Kerberos endpoint: | ||
|
|
||
|
|
@@ -175,4 +186,3 @@ You can also specify a `TESTARGS` variable to filter tests like so: | |
| ```sh | ||
| $ make test TESTARGS='--run=TestConfig' | ||
| ``` | ||
|
|
||