
kerberos

Owner: mongodb-js | Downloads: 376.8k | License: Apache-2.0 | Version: 2.2.1 | TypeScript support: definitely-typed

Kerberos library for Node.js

kerberos, security, authentication

readme

Kerberos

The kerberos package is a C++ extension for Node.js that provides cross-platform support for Kerberos authentication using GSSAPI on Linux/macOS and SSPI on Windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.

Requirements

Linux

  • python v2.7
  • make
  • A proper C/C++ compiler toolchain, like GCC
  • Distribution-specific Kerberos development packages (e.g. libkrb5-dev on Debian/Ubuntu)

macOS

  • Xcode Command Line Tools: Can be installed with xcode-select --install
  • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

Windows

  • Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).
  • Option 2: Install dependencies and configuration manually

    1. Visual C++ Build Environment:
      • Option 1: Install Visual C++ Build Tools using the Default Install option.
      • Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.

      Tip: [Windows Vista / 7 only] requires .NET Framework 4.5.1

    2. Install Python 2.7 or Miniconda 2.7 (v3.x.x is not supported), and run npm config set python python2.7
    3. Launch cmd and run npm config set msvs_version 2015

MongoDB Node.js Driver Version Compatibility

Only the following version combinations with the MongoDB Node.js Driver are considered stable.

| | kerberos@1.x | kerberos@2.x |
| ------------- | -------------- | -------------- |
| mongodb@6.x | N/A | ✓ |
| mongodb@5.x | ✓ | ✓ |
| mongodb@4.x | ✓ | ✓ |
| mongodb@3.x | ✓ | N/A |

Installation

Now you can install kerberos with the following:

npm install kerberos

Prebuild Platforms

Below are the platforms that are available as prebuilds on each github release. prebuild-install downloads these automatically depending on the platform you are running npm install on.

  • Linux GLIBC 2.23 or later
    • s390x
    • arm64
    • x64
  • macOS universal binary
    • x64
    • arm64
  • Windows
    • x64

Release Integrity

Releases are created automatically and signed using the Node team's GPG key. This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:

gpg --import node-driver.asc

The GitHub release contains a detached signature file for the NPM package (named kerberos-X.Y.Z.tgz.sig).

The following command returns the URL of the npm package tarball for a release:

npm view kerberos@vX.Y.Z dist.tarball

Pass the URL it prints to curl to download the official npm tarball for the release.

To verify the integrity of the downloaded package, run the following command:

gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz

Note: npm install does not check this signature. npm's own integrity check only confirms that the tarball matches the registry's metadata, not that the project signed it. To ensure release integrity when using npm, download the tarball as described above, verify the signature, then install from the verified file using npm install kerberos-X.Y.Z.tgz. A successful gpg --verify also only shows that the signature was made by a key present in your keyring, so confirm the fingerprint of the imported key through a trusted channel before relying on it.

To verify the native .node packages, follow the same steps as above.

Testing

Run the test suite using:

docker run -i -v PATH_TO_KERBEROS_REPO:/app -w /app -e PROJECT_DIRECTORY=/app ubuntu:20.04 /bin/bash /app/.evergreen/run-tests-ubuntu.sh

NOTE: The test suite requires an active kerberos deployment.

Documentation

Classes

KerberosClient
KerberosServer

Functions

checkPassword(username, password, service, [defaultRealm], [callback]) ⇒ Promise

This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

For this to work, Kerberos must be configured properly on this machine, which will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

principalDetails(service, hostname, [callback]) ⇒ Promise

This function returns the service principal for the server given a service type and hostname.

Details are looked up via the /etc/keytab file.

initializeClient(service, [options], [callback]) ⇒ Promise

Initializes a context for client-side authentication with the given service principal.

initializeServer(service, [callback]) ⇒ Promise

Initializes a context for server-side authentication with the given service principal.

KerberosClient

Properties

| Name | Type | Description |
| --- | --- | --- |
| username | string | The username used for authentication |
| response | string | The last response received during authentication steps |
| responseConf | string | Indicates whether confidentiality was applied or not (GSSAPI only) |
| contextComplete | boolean | Indicates whether authentication has successfully completed |

kerberosClient.step(challenge, [callback])

| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded server data (which may be empty for the first step) |
| [callback] | function | |

Processes a single kerberos client-side step using the supplied server challenge.

Returns: Promise - returns Promise if no callback passed

kerberosClient.wrap(challenge, [options], [callback])

| Param | Type | Description |
| --- | --- | --- |
| challenge | string | The response returned after calling unwrap |
| [options] | object | Optional settings |
| [options.user] | string | The user to authorize |
| [options.protect] | boolean | Indicates if the wrap should request message confidentiality |
| [callback] | function | |

Perform the client side kerberos wrap step.

Returns: Promise - returns Promise if no callback passed

kerberosClient.unwrap(challenge, [callback])

| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded server data |
| [callback] | function | |

Perform the client side kerberos unwrap step.

Returns: Promise - returns Promise if no callback passed

KerberosServer

Properties

| Name | Type | Description |
| --- | --- | --- |
| username | string | The username used for authentication |
| response | string | The last response received during authentication steps |
| targetName | string | The target used for authentication |
| contextComplete | boolean | Indicates whether authentication has successfully completed |

kerberosServer.step(challenge, [callback])

| Param | Type | Description |
| --- | --- | --- |
| challenge | string | A string containing the base64-encoded client data |
| [callback] | function | |

Processes a single kerberos server-side step using the supplied client data.

Returns: Promise - returns Promise if no callback passed

checkPassword(username, password, service, [defaultRealm], [callback])

| Param | Type | Description |
| --- | --- | --- |
| username | string | The Kerberos user name. If no realm is supplied, then the defaultRealm will be used. |
| password | string | The password for the user. |
| service | string | The Kerberos service to check access for. |
| [defaultRealm] | string | The default realm to use if one is not supplied in the user argument. |
| [callback] | function | |

This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

For this to work, Kerberos must be configured properly on this machine, which will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

IMPORTANT: This method is vulnerable to KDC spoofing attacks and should only be used for testing. The check passes as soon as a KDC response decrypts under the supplied password, so an attacker who can answer KDC traffic for this host can make it succeed for a username and password of their own choosing; nothing ties the result to a service key this host holds. Do not use this in any production system; your security could be compromised if you do.

Returns: Promise - returns Promise if no callback passed

principalDetails(service, hostname, [callback])

| Param | Type | Description |
| --- | --- | --- |
| service | string | The Kerberos service type for the server. |
| hostname | string | The hostname of the server. |
| [callback] | function | |

This function returns the service principal for the server given a service type and hostname.

Details are looked up via the /etc/keytab file.

Returns: Promise - returns Promise if no callback passed

initializeClient(service, [options], [callback])

| Param | Type | Description |
| --- | --- | --- |
| service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
| [options] | object | Optional settings |
| [options.principal] | string | Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com'). |
| [options.flags] | number | Optional integer used to set GSS flags. (e.g. GSS_C_DELEG_FLAG\|GSS_C_MUTUAL_FLAG\|GSS_C_SEQUENCE_FLAG will allow for forwarding credentials to the remote host) |
| [options.mechOID] | number | Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are GSS_MECH_OID_KRB5, GSS_MECH_OID_SPNEGO. |
| [callback] | function | |

Initializes a context for client-side authentication with the given service principal.

Returns: Promise - returns Promise if no callback passed

initializeServer(service, [callback])

| Param | Type | Description |
| --- | --- | --- |
| service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
| [callback] | function | |

Initializes a context for server-side authentication with the given service principal.

Returns: Promise - returns Promise if no callback passed
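How the pieces documented above fit together, as an added example that is not code from the kerberos project: the step() loop that establishes a GSSAPI context between a KerberosClient and a KerberosServer, the client half of the SASL security-layer exchange built from unwrap() and wrap() (the "response returned after calling unwrap" that wrap takes as its challenge), and the authorization check that should follow. The client and server objects are passed in, so the same functions run against contexts returned by initializeClient()/initializeServer(). The helper names (establishContext, clientSecurityLayer, authorize), the service name 'mongodb@db.example.com', the user 'jdoe' and the realm 'EXAMPLE.COM' are the example's own placeholders, and the loop fails closed on a peer that stops producing tokens before completing rather than spinning forever.

```javascript
'use strict';
// Added example, not code from the kerberos project. Drives the KerberosClient /
// KerberosServer API: step() until both contexts complete, the client side of
// the RFC 4752 security-layer exchange via unwrap()/wrap(), and an authorization
// check on the principal the server context reports. Names below are placeholders.

// Exchange base64 tokens until both contexts report contextComplete.
// Returns the number of client steps taken; throws if the handshake stalls.
async function establishContext(client, server, maxRounds = 10) {
  let serverToken = ''; // the first client step takes an empty challenge
  for (let round = 0; round < maxRounds; round++) {
    await client.step(serverToken);
    const clientToken = client.response || '';
    serverToken = '';
    if (clientToken) {
      await server.step(clientToken);
      serverToken = server.response || '';
    }
    if (client.contextComplete && server.contextComplete) return round + 1;
    // Neither side produced a token but one of them is still incomplete:
    // continuing would only spin, so fail closed instead.
    if (!clientToken && !serverToken) break;
  }
  throw new Error('GSSAPI context establishment did not complete');
}

// Client half of the SASL GSSAPI security-layer step (RFC 4752 section 3.1):
// unwrap the wrapped token the server sent, then wrap it back together with the
// authorization identity. protect=true requests confidentiality (the 2.2.0
// 'protect' option); inspect client.responseConf afterwards to see if it was applied.
async function clientSecurityLayer(client, serverWrappedToken, user, protect = false) {
  await client.unwrap(serverWrappedToken);
  await client.wrap(client.response, { user, protect });
  return client.response; // base64 token to send to the server
}

// Authorization must rest on the principal the server context reports once it
// is complete, never on a name the client merely asserted. A matching user in
// the wrong realm, or a principal without a realm, is rejected.
function authorize(authenticatedPrincipal, requestedUser, allowedRealm) {
  if (typeof authenticatedPrincipal !== 'string') return false;
  const at = authenticatedPrincipal.lastIndexOf('@');
  if (at <= 0) return false;
  const user = authenticatedPrincipal.slice(0, at);
  const realm = authenticatedPrincipal.slice(at + 1);
  return realm === allowedRealm && user === requestedUser;
}

// Real usage (needs the kerberos module, a keytab for the service principal and
// a valid client credential cache; service, user and realm are placeholders):
//
//   const { initializeClient, initializeServer } = require('kerberos');
//   const client = await initializeClient('mongodb@db.example.com');
//   const server = await initializeServer('mongodb@db.example.com');
//   await establishContext(client, server);
//   if (!authorize(server.username, 'jdoe', 'EXAMPLE.COM')) throw new Error('not authorized');
```

In a real deployment the two sides run in different processes and the base64 tokens travel over the application protocol (for the MongoDB driver, inside SASL messages); the loop shape is the same, with the transport in place of the direct server.step() call.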

changelog

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.2.1 (2024-12-10)

Bug Fixes

  • NODE-6592: remove dependency on bindings (#220) (b07a5d2)

2.2.0 (2024-09-05)

Features

  • NODE-6333: Allow callers to specify the 'protect' flag (#198) (515f4bf)

2.1.2 (2024-08-12)

Bug Fixes

  • NODE-6320: macos runtime linking name conflict with SSL (#193) (d382b56)

2.1.1 (2024-08-06)

Bug Fixes

  • MONGOSH-1808: only build universal macos binaries when creating loadable_library (#186) (ec3ab7a)
  • NODE-6253: use runtime linking against system kerberos libraries by default (#188) (04044d2)
  • NODE-6265: add Spectre Mitigation and CFG (#190) (54b9799)
  • NODE-6108: allow building from source on latest Node.js 20.x (#172) (c1f7aca)

2.1.1-alpha.0 (2024-06-28)

Bug Fixes

2.1.0 (2023-11-21)

Features

  • NODE-5746: allow runtime linking against system kerberos library (#165) (ce2feb3)

2.0.3 (2023-09-01)

Bug Fixes

  • NODE-5600: use ubuntu 18 to build and publish (#162) (c02db0e)

2.0.2 (2023-08-28)

Features

  • NODE-5505: add compiler warnings and cast lengths (#158) (1e73b98)

2.0.1 (2022-07-14)

Bug Fixes

  • NODE-4297: bump prebuild install to 7.1.1 (#145) (142842f)

2.0.0 (2022-02-22)

⚠ BREAKING CHANGES

  • NODE-3848: update dependencies (#142)

Bug Fixes

  • NODE-3982: only pass username to SSPI if password is set (#141) (2d307a3)

2.0.0-beta.0 (2021-10-06)

⚠ BREAKING CHANGES

  • NODE-3472: convert to Node-API (#137)

Features

1.1.7 (2021-07-20)

Bug Fixes

  • NODE-2129: fix sporadic AcquireCredentialsHandle error (#133) (adf8346)
  • NODE-3350: do not export Init function symbol (#130) (acdd746)

1.1.6 (2021-07-20)

Bug Fixes

  • NODE-2129: fix sporadic AcquireCredentialsHandle error (#133) (adf8346)
  • NODE-3350: do not export Init function symbol (#130) (acdd746)

1.1.5 (2021-04-06)

Bug Fixes

  • temporarily roll back node-abi until lgeiger/node-abi/#90 is resolved (880ae2e)
  • build: make addon buildable as static library (#119) (786e7d8)

1.1.4 (2020-10-13)

1.1.3 (2019-08-27)

Bug Fixes

  • add support for node 12 (ae6755d)

1.1.2 (2018-11-01)

Bug Fixes

  • auth-process: only send username/password if provided (334ca9c)
  • auth-process: use canonicalized hostname in client init (b1802d1)

1.1.1 (2018-10-30)

Bug Fixes

  • sspi: only add password and domain if they are provided (bc48814)

1.1.0 (2018-10-26)

Bug Fixes

  • sspi: correct invalid null checks for user data (163bdb9)

Features

  • package: export the package version (5be618f)

1.0.0 (2018-08-15)

Bug Fixes

  • check-password: correctly validate parameters, fix test (b772dde)
  • common: ensure nan is being included everywhere appropriately (7bddb24)
  • context: add NewInstance methods, and make getters safer (fd4b852)
  • gss: fix issue with memory corruption (ff4167e)
  • kerberos: provide default gss flags (b365934)
  • legacy: support legacy import expectations (615b23f)
  • response: ensure null or client/server response is returned (083518f)
  • server: use the correct internal method name for server init (8c8dd35)
  • this: use the correct reference to this for object unwrapping (1acfb20)
  • unique_ptr: ensure we include <memory> where required (e3d9afb)
  • warnings: set clang compiler pragmas only when clang is detected (048479d)
  • win32: windows -> win32 in bindings.gyp (0221c06)
  • win32: cleanup client state in addon destructor (5394561)
  • win32: initialize with a domain, if one is provided (309ba61)

Features

  • async-worker: introduce a KerberosWorker using lambdas (1239ef7)
  • checkPassword: add implementation for checking krb5 passwords (60f476e)
  • clean: provide implementations for the clean methods (77a77ce)
  • client: add final wrap/unwrap api endpoints (016222f)
  • client: add implementation for client wrap/unwrap to win32 (994604c)
  • gss: add new methods for constructing state tracking types (274cad6)
  • jsdoc2md: add jsdoc2md support, and README template (60e1ee5)
  • kerberos: add getters to check for context completeness (6a9a01d)
  • kerberos: implement client/server init, move to worker file (1c857ea)
  • kerberos: return value for step is the challenge response (e153d24)
  • promises: allow to access all API by promise or callback (3b77430)
  • serverPrincipalDetails: add server principal details method (385fcd1)
  • src: begin to develop the new version of the module in src (f45da50)
  • sspi: introduce client initialization for SSPI (6a40301)
  • sspi: provide implementation for initializeClient (5943f1c)
  • step: implement client and server step methods (5a4327c)

0.0.23 07-03-2017

  • SSPI implemented missing sspiFreeCredentialsHandle to correctly cleanup credentials allocation on call to destructor of the C++ instance.
  • Updated nan.h dependency to 2.5.x series for Node 7.6.x or higher.

0.0.22 10-11-2016

  • Updated nan.h dependency to 2.4.x series for Node 6.8.x or higher.
  • The length calculations are off by one, making it impossible to not set the password (Issue #54, http://www.github.com/tlbdk).

0.0.21 04-28-2016

  • Updated nan.h dependency to 2.3.x series for Node 6.0.

0.0.20 04-26-2016

  • Updated nan.h dependency to 2.2.x series.
  • Fixed minor compilation warnings due to v8 C++ ABI changes.

0.0.19 03-07-2016

  • Fix installation error (Issue #1).
  • Allow passing down the CANONICALIZE_HOST_NAME and SERVICE_REALM options.

0.0.18 01-19-2016

  • remove builderror.log.

0.0.17 10-30-2015

  • Reverted changes in package.json from 0.0.16.

0.0.16 10-26-2015

  • Removed (exit 0) on build to let correct failure happen.