The rkerberos library provides a Ruby interface for Kerberos.
Some basic usage:
```ruby
require 'rkerberos'

# Client
krb = Kerberos::Krb5.new
puts krb.default_realm
puts krb.default_principal
puts krb.get_permitted_enctypes.keys.join(',')

# Credentials cache
cc = Kerberos::Krb5::CredentialsCache.new
krb.verify_init_creds(nil, nil, cc)
puts cc.primary_principal

# Keytab
kt_name = Kerberos::Krb5::Keytab.new.default_name # e.g. "FILE:/etc/krb5.keytab"
krb.get_init_creds_keytab('host/server.example.com', kt_name)
krb.get_init_creds_keytab('host/server.example.com', kt_name, nil, cc) # or write to cache

# Admin
Kerberos::Kadm5.new(principal: ENV['KRB5_ADMIN_PRINCIPAL'], password: ENV['KRB5_ADMIN_PASSWORD']) do |kadmin|
  kadmin.create_principal('newuser@EXAMPLE.COM', 'initialpass')
  kadmin.set_password('newuser@EXAMPLE.COM', 'betterpass')
  kadmin.delete_principal('newuser@EXAMPLE.COM')
end

# Contexts
ctx = Kerberos::Krb5::Context.new # standard context
ctx = Kerberos::Krb5::Context.new(profile: '/etc/krb5.conf') # or use a profile
ctx = Kerberos::Krb5::Context.new(secure: true) # or use a secure context
ctx.close
```

Install krb5 development libraries using your package manager. For example:
```sh
# Debian/Ubuntu
sudo apt-get install libkrb5-dev

# Fedora/RHEL
sudo dnf install krb5-devel
```

Then install this gem:

```sh
gem install rkerberos
```

or if using bundler:

```sh
bundle install
```
Kerberos 1.7.0 or later, including admin header and library files.
Install krb5 using homebrew:
`brew install krb5`
then install this gem using the homebrew version of krb5 (the prefix may be `/opt/homebrew/opt/krb5` instead, depending on your system):
`gem install rkerberos -- --with-rkerberos-dir=/usr/local/opt/krb5`
or if using bundler:
`bundle config --global build.rkerberos --with-rkerberos-dir=/usr/local/opt/krb5`
`bundle install`
- Ruby 3.4 or later
- Docker or Podman
- docker-compose or podman-compose
- Start the Kerberos and LDAP services:

  ```sh
  docker-compose up -d
  ```

- Run the test suite:

  ```sh
  docker-compose run --rm rkerberos-test bundle exec rspec
  ```

- Stop the services when done:

  ```sh
  docker-compose down
  ```

  Add the `--remove-orphans` switch if it's being a pain.
- Start the Kerberos and LDAP services:

  ```sh
  podman-compose up -d
  ```

- Run the test suite:

  ```sh
  podman-compose run --rm rkerberos-test
  ```

- Stop the services when done:

  ```sh
  podman-compose down
  ```
If you make changes to the Ruby code or C extensions:
- Rebuild the test container:

  ```sh
  podman-compose build --no-cache rkerberos-test
  ```

- Run the tests again:

  ```sh
  podman-compose run --rm rkerberos-test
  ```
Alternatively, you can just run containerized tests via the spec:compose
Rake task. This task runs the same containerized workflow used above and
prefers podman-compose with a docker-compose fallback.
```sh
# build image and run RSpec inside the test container
rake spec:compose

# skip the build step by passing a positional or named argument:
# (equivalent forms)
rake spec:compose[true]
rake "spec:compose[fast=true]"
```

The test environment includes:
- MIT Kerberos KDC (Key Distribution Center)
- OpenLDAP server for directory services
- Pre-configured test principals and keytabs
The rkerberos library is a repackaging of my custom branch of the krb5_auth library. Eventually the gem djberg96-krb5_auth will be removed from the gem index.
This code was written for the MIT Kerberos library. It has not been tested with the Heimdal Kerberos library.
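The usage section hands the default keytab (e.g. `FILE:/etc/krb5.keytab`) to `get_init_creds_keytab` and prints the permitted enctypes. As an added example that is not part of rkerberos or its original README, the following pure-Ruby code parses the MIT keytab file format (version 0x0502) and flags entries whose keys use deprecated encryption types; `parse_keytab`, `sample_entry`, `WEAK_ENCTYPES` and the sample data are names and values constructed here, and no rkerberos API is used.

```ruby
# Added example: audit an MIT keytab (file format 0x0502) in pure Ruby.
# Enctypes deprecated by RFC 6649 (DES) and RFC 8429 (3DES, RC4).
WEAK_ENCTYPES = { 1 => 'des-cbc-crc', 2 => 'des-cbc-md4', 3 => 'des-cbc-md5',
                  16 => 'des3-cbc-sha1', 23 => 'arcfour-hmac', 24 => 'arcfour-hmac-exp' }.freeze

# Parse raw keytab bytes into [{ principal:, kvno:, enctype:, weak: }, ...].
def parse_keytab(bytes)
  data = bytes.b
  raise ArgumentError, 'not a 0x0502 keytab' unless data.start_with?("\x05\x02".b)
  entries = []
  pos = 2
  while pos + 4 <= data.bytesize
    size = data[pos, 4].unpack1('l>') # signed, big-endian record length
    pos += 4
    if size <= 0 # negative length marks a deleted entry ("hole"): skip it
      pos -= size
      next
    end
    rec = data[pos, size]
    raise ArgumentError, 'truncated entry' if rec.bytesize < size
    pos += size
    off = 0
    take = lambda do |n| # bounds-checked read of n bytes from this record
      raise ArgumentError, 'malformed entry' if off + n > rec.bytesize
      rec[(off += n) - n, n]
    end
    str = -> { take.(take.(2).unpack1('n')) } # 16-bit length, then bytes
    ncomp = take.(2).unpack1('n')
    realm = str.()
    name = Array.new(ncomp) { str.() }.join('/')
    take.(8) # name type and timestamp, not needed here
    kvno, enctype = take.(3).unpack('Cn')
    str.() # key material: skipped, never stored or printed
    kvno32 = rec.bytesize - off >= 4 ? take.(4).unpack1('N') : 0
    kvno = kvno32 unless kvno32.zero? # optional 32-bit kvno overrides the 8-bit one
    entries << { principal: "#{name}@#{realm}", kvno: kvno, enctype: enctype,
                 weak: WEAK_ENCTYPES.key?(enctype) }
  end
  entries
end

# Constructed sample entry builder (dummy all-zero keys, not a real keytab).
def sample_entry(realm, comps, kvno, enctype, keylen)
  body = [comps.size].pack('n') + [realm, *comps].map { |s| [s.bytesize, s].pack('na*') }.join +
         [1, 0, kvno, enctype, keylen].pack('NNCnn') + ("\0" * keylen)
  [body.bytesize].pack('l>') + body
end
SAMPLE_KEYTAB = "\x05\x02".b + sample_entry('EXAMPLE.COM', %w[host server.example.com], 2, 18, 32) +
                sample_entry('EXAMPLE.COM', %w[host server.example.com], 1, 23, 16)
```

To audit a real file, pass `File.binread` of the path that follows the `FILE:` prefix to `parse_keytab`; an entry with `weak: true` (the RC4 entry in the sample) is a candidate for re-keying with an AES enctype.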
- Create a separate class for the replay cache.
- Better credentials cache support.
- Ability to add and delete keytab entries.
- Daniel Berger
- Dominic Cleal
- Simon Levermann
rkerberos is distributed under the Artistic-2.0 license.