Difference between revisions of "Projects/HTTP Transport"

From K5Wiki
Revision as of 14:37, 12 August 2013

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


Overview

This project intends to add HTTP and HTTPS transport for Kerberos traffic. This change is especially useful for firewall configurations that allow traffic on ports 80/443 but not on port 88.

Precedent

Both Heimdal and Microsoft Kerberos have such a technology.

Heimdal

Heimdal has such a mechanism, as seen here. It uses a GET request carrying a base64-encoded version of the UDP traffic. This is not particularly in keeping with the HTTP specification, since a GET request should not cause changes on the server. Additionally, Apache imposes a URL length limit for GET requests of about 4000 characters, and requests of this nature come too close to that limit for comfort. Heimdal uses a separate field in krb5.conf to specify the http_proxy to be used. There is almost no evidence of this being used in the wild.

Microsoft

The existence of Microsoft's mechanism can be seen at http://msdn.microsoft.com/en-us/library/hh553774.aspx. It uses POST requests, which is much more in keeping with the HTTP specification than GET, and it also uses HTTPS, though it is not known whether this is required.

Implementation Design

Test Plan

Due to the nature of the changes, it will be extremely difficult to write test cases for the new code. To address this, code has been written to implement the "other side" (the KDC end) of HTTP/HTTPS transport as a reference implementation. That code, including its implementation of the client end of the HTTP/HTTPS pipe, can be found at https://github.com/frozencemetery/krb-proxies.
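The two encapsulations described under Precedent, together with the KDC-side framing check that the Test Plan's reference "other side" would need, as an added example written for this page (it is not Heimdal's, Microsoft's, or the krb-proxies code). The GET path layout, the POST path, the content type and the 4-byte length prefix are assumptions; the Kerberos messages are constructed placeholders.

```python
import base64
import struct

# Approximate Apache URL length limit for GET requests, as cited in the Heimdal section.
APACHE_GET_LIMIT = 4000


def heimdal_style_get(kdc_msg: bytes, host: str) -> str:
    """Heimdal-style encapsulation: the raw KDC message, base64-encoded, in the GET path.
    The exact path layout is assumed here, not taken from Heimdal's code."""
    path = "/" + base64.b64encode(kdc_msg).decode("ascii")
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\n\r\n"


def get_url_headroom(kdc_msg: bytes) -> int:
    """Characters left under the ~4000-character limit; negative means the request is too long."""
    return APACHE_GET_LIMIT - (1 + len(base64.b64encode(kdc_msg)))


def post_style_request(kdc_msg: bytes, host: str, path: str = "/kdc") -> bytes:
    """POST-style encapsulation. The body carries the KDC message behind a 4-byte
    big-endian length prefix (the framing Kerberos already uses over TCP); the path,
    content type and prefix are assumptions for this example, not Microsoft's format."""
    body = struct.pack(">I", len(kdc_msg)) + kdc_msg
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Content-Type: application/octet-stream\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("ascii") + body


def kdc_side_unwrap(body: bytes) -> bytes:
    """The "other side" of the pipe: validate the framing before anything is relayed
    to the KDC on port 88, rejecting truncated or mis-sized bodies instead of forwarding them."""
    if len(body) < 4:
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", body[:4])
    if n != len(body) - 4:
        raise ValueError("length prefix does not match body size")
    return body[4:]


if __name__ == "__main__":
    # Constructed placeholder for a large TGS-REQ (2900 zero bytes, not a real message).
    big = bytes(2900)
    print("headroom under Apache GET limit:", get_url_headroom(big))  # 131
    wire = post_style_request(b"\x6a\x03", "kdc.example.com")
    print(kdc_side_unwrap(wire.split(b"\r\n\r\n", 1)[1]))  # b'j\x03'
```

A 3000-byte message already pushes the GET form one character past the limit, which is the headroom problem the Heimdal section describes.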