jimhall.sh | grep "interesting things"


20 May 2021

Using Kerberos Authentication With RAD

by Jim Hall

I am considering doing some experiments with Solaris RAD, backed by LDAP naming services, and using it as a foundation for application authentication with Kerberos.

This post is a quick proof of concept that also lets me kick off my documentation process. Having successfully configured Kerberos and LDAP on Solaris 11.4, I wanted to validate the following:

High Level Steps

Detailed Steps

Record of RAD authentication (curl commands run on my Mac)

curl -c cookie.txt -X POST --cacert host.crt --header 'Content-Type:application/json' --data '@login.json' https://balder.norsestuff.com:6788/api/authentication/1.0/Session/

Contents of login.json (the password is the user's Kerberos password, redacted here):
{
  "username": "jhall",
  "password": "<kerberos password>",
  "scheme": "pam",
  "preserve": true,
  "timeout": -1
}

Response:
{
        "status": "success",
        "payload": {
                "href": "/api/com.oracle.solaris.rad.authentication/1.0/Session/_rad_reference/3328"
        }
}

Audit record on balder for the login:
header,101,2,connect to RAD,,balder,2021-05-13 21:32:53.841-04:00
subject,jhall,jhall,staff,jhall,staff,0,2004100041,54270 6788 ::ffff:10.0.0.69
return,success,0

Use the generated cookie to run the SMF command from the blog post (modified for my environment):

curl -b cookie.txt --cacert host.crt -H 'Content-Type:application/json' -X GET https://balder.norsestuff.com:6788/api/com.oracle.solaris.rad.smf/1.0/Service/system%2Frad/instances

Response:
{
        "status": "success",
        "payload": [
                "local",
                "remote"
        ]
}

Audit records on balder for this request (a connect to RAD followed by a logout, same session ID):
header,101,2,connect to RAD,,balder,2021-05-13 21:32:59.520-04:00
subject,jhall,jhall,staff,jhall,staff,0,1530906022,54271 6788 ::ffff:10.0.0.69
return,success,0
header,101,2,logout,,balder,2021-05-13 21:32:59.598-04:00
subject,jhall,jhall,staff,jhall,staff,0,1530906022,54271 6788 ::ffff:10.0.0.69
return,success,0

Use the generated cookie again for the second SMF RAD command from the blog post:

curl -b cookie.txt --cacert host.crt -H 'Content-Type:application/json' -X GET https://balder.norsestuff.com:6788/api/com.oracle.solaris.rad.smf/1.0/Instance/system%2Frad,remote/state

Response:
{
        "status": "success",
        "payload": "ONLINE"
}

Audit records on balder for this request:
header,101,2,connect to RAD,,balder,2021-05-13 21:36:06.090-04:00
subject,jhall,jhall,staff,jhall,staff,0,1482710200,54314 6788 ::ffff:10.0.0.69
return,success,0
header,101,2,logout,,balder,2021-05-13 21:36:06.098-04:00
subject,jhall,jhall,staff,jhall,staff,0,1482710200,54314 6788 ::ffff:10.0.0.69
return,success,0
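
The same three calls from Python, as an added example that is not code from the original post or from Oracle: a small client that performs the PAM login and the two SMF queries with the RAD session cookie held in memory and the server verified against host.crt. Only the endpoints, request fields and success replies come from the page; FakeOpener, DEMO_PASSWORD, the error reply bodies, the 600-second session timeout and the HTTP-error handling are constructed assumptions so the script runs offline and exercises the failure paths.

```python
"""Drive the RAD REST flow shown above (PAM login, then SMF queries) from Python."""
import http.cookiejar
import io
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit


class RadError(RuntimeError):
    """RAD answered with anything other than status "success" (or an HTTP error)."""


class RadRestClient:
    """Small client for the RAD REST API over a cookie-backed HTTPS session."""

    AUTH_PATH = "/api/authentication/1.0/Session/"
    SMF_PATH = "/api/com.oracle.solaris.rad.smf/1.0"

    def __init__(self, base_url, cafile, opener=None):
        self.base_url = base_url.rstrip("/")
        if opener is None:
            # Trust only the certificate in cafile (host.crt on the page) and keep the
            # session cookie in memory instead of a cookie.txt file on disk.
            ctx = ssl.create_default_context(cafile=cafile)
            opener = urllib.request.build_opener(
                urllib.request.HTTPSHandler(context=ctx),
                urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
        self.opener = opener
        self.session_href = None

    def _call(self, method, path, body=None):
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base_url + path, data=data, method=method,
                                     headers={"Content-Type": "application/json"})
        try:
            with self.opener.open(req, timeout=30) as resp:
                doc = json.loads(resp.read().decode())
        except urllib.error.HTTPError as exc:  # assumption: a real server may use HTTP error codes
            raise RadError(f"{method} {path}: HTTP {exc.code}") from exc
        # Every reply on the page carries "status"; anything but success is fatal, so a
        # rejected login or a dead session is never mistaken for data.
        if doc.get("status") != "success":
            raise RadError(f"{method} {path}: {doc}")
        return doc["payload"]

    def login(self, username, password, timeout=600):
        """POST the same fields as login.json; a finite timeout (assumed) replaces -1."""
        body = {"username": username, "password": password, "scheme": "pam",
                "preserve": True, "timeout": timeout}
        self.session_href = self._call("POST", self.AUTH_PATH, body)["href"]
        return self.session_href

    def smf_instances(self, service):
        # "system/rad" must travel as system%2Frad, exactly as in the curl URLs above.
        return self._call("GET", f"{self.SMF_PATH}/Service/{quote(service, safe='')}/instances")

    def smf_instance_state(self, service, instance):
        return self._call("GET",
                          f"{self.SMF_PATH}/Instance/{quote(service, safe='')},{instance}/state")


DEMO_PASSWORD = "constructed-demo-password"  # stands in for the real Kerberos password


class FakeOpener:
    """Constructed stand-in for urllib's opener: replays the page's recorded replies and
    refuses anything sent without a prior successful login (error bodies are invented)."""

    def __init__(self):
        self.logged_in = False
        self.canned = {
            ("GET", f"{RadRestClient.SMF_PATH}/Service/system%2Frad/instances"): ["local", "remote"],
            ("GET", f"{RadRestClient.SMF_PATH}/Instance/system%2Frad,remote/state"): "ONLINE",
        }

    def open(self, req, timeout=None):
        key = (req.get_method(), urlsplit(req.full_url).path)
        if key == ("POST", RadRestClient.AUTH_PATH):
            self.logged_in = json.loads(req.data).get("password") == DEMO_PASSWORD
            doc = ({"status": "success", "payload": {"href":
                    "/api/com.oracle.solaris.rad.authentication/1.0/Session/_rad_reference/3328"}}
                   if self.logged_in else {"status": "error", "payload": "login failed"})
        elif self.logged_in and key in self.canned:
            doc = {"status": "success", "payload": self.canned[key]}
        else:
            doc = {"status": "error", "payload": "no session"}
        return io.BytesIO(json.dumps(doc).encode())


def run_demo(opener=None):
    """Replay the page's sequence plus two failure cases; returns what happened."""
    client = RadRestClient("https://balder.norsestuff.com:6788", "host.crt", opener or FakeOpener())
    results = {}
    for label, call in (("unauthenticated_refused", lambda: client.smf_instance_state("system/rad", "remote")),
                        ("bad_password_refused", lambda: client.login("jhall", "wrong-password"))):
        try:
            call()
            results[label] = False
        except RadError:
            results[label] = True
    results["session"] = client.login("jhall", DEMO_PASSWORD)
    results["instances"] = client.smf_instances("system/rad")
    results["state"] = client.smf_instance_state("system/rad", "remote")
    return results
```

Against the real host, leave out the opener argument (RadRestClient("https://balder.norsestuff.com:6788", "host.crt") followed by login, smf_instances and smf_instance_state). One caveat the curl run hides: cookie.txt is a reusable credential for the RAD session for as long as that session lives (login.json asks for preserve true and timeout -1), so protect the file like a password or, as this client does, keep the cookie in memory.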

Conclusion

This worked out well. I was able to use RAD to authenticate as a non-root user, and the fact that Kerberos was doing the work in the PAM stack was "no big deal". This lets me proceed with further validation that I can use this mechanism as a web-based authentication method for applications.

Reference // Appendix

Audit record of an ssh login to balder, for comparison with the RAD records above:
header,85,2,login - ssh,,balder,2021-05-13 21:44:25.705-04:00
subject,jhall,jhall,staff,jhall,staff,6423,1118693340,54412 22 10.0.0.69
return,success,0

Enabling the perzone audit policy, starting auditd and following the current audit file:
# auditconfig -getpolicy -t
active audit policies = argv,cnt
# auditconfig -setpolicy +perzone
# auditconfig -getpolicy -t
active audit policies = argv,cnt,perzone
# svcadm enable auditd
# tail -0f $(find /var/share/audit -name $(ls -rt /var/audit | tail -1)) | praudit -x
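
The records quoted on this page are in praudit's one-line, comma-delimited form (its -l option; the -x in the command above emits XML instead). As an added example that is not part of the original post, the following Python parses that form and checks the RAD records against a small policy: every RAD connection succeeded, came from an allowed client, and ran as an unprivileged account, with the ::ffff: IPv4-mapped addresses RAD logs normalised before comparison. The sample trail is constructed from the page's records plus one invented failing connection; the terminal-ID layout (remote port, local port, remote address) is inferred from the ssh record, where 22 is the server's port; the allowlist and the root check are assumptions.

```python
"""Parse praudit one-line records and check RAD sessions against a simple policy."""
import ipaddress
from dataclasses import dataclass

RAD_PORT = 6788  # the port in the page's RAD URLs

# Constructed sample: the records shown on this page, plus one invented failing
# connection from an unexpected client so the failure path is exercised.
SAMPLE_TRAIL = """\
header,101,2,connect to RAD,,balder,2021-05-13 21:32:53.841-04:00
subject,jhall,jhall,staff,jhall,staff,0,2004100041,54270 6788 ::ffff:10.0.0.69
return,success,0
header,101,2,connect to RAD,,balder,2021-05-13 21:32:59.520-04:00
subject,jhall,jhall,staff,jhall,staff,0,1530906022,54271 6788 ::ffff:10.0.0.69
return,success,0
header,101,2,logout,,balder,2021-05-13 21:32:59.598-04:00
subject,jhall,jhall,staff,jhall,staff,0,1530906022,54271 6788 ::ffff:10.0.0.69
return,success,0
header,85,2,login - ssh,,balder,2021-05-13 21:44:25.705-04:00
subject,jhall,jhall,staff,jhall,staff,6423,1118693340,54412 22 10.0.0.69
return,success,0
header,101,2,connect to RAD,,balder,2021-05-13 22:00:00.000-04:00
subject,jhall,jhall,staff,jhall,staff,0,1600000001,50000 6788 ::ffff:10.0.0.200
return,failure: Permission denied,-1
"""


@dataclass
class AuditRecord:
    event: str
    host: str
    time: str
    audit_id: str    # login identity; unlike uid it survives su and role assumption
    uid: str
    session_id: str
    remote_port: int
    local_port: int
    remote_addr: str
    status: str      # "success" or "failure: ..." text from the return token
    retval: str


def parse_trail(text):
    """Group header/subject/return tokens into records; the return token ends a record."""
    records, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            continue
        token, *f = line.split(",")
        if token == "header":
            # header,<byte count>,<version>,<event>,<modifier>,<host>,<time>
            cur = {"event": f[2], "host": f[4], "time": f[5]}
        elif token == "subject":
            # subject,<audit-ID>,<uid>,<gid>,<ruid>,<rgid>,<pid>,<session-ID>,<terminal-ID>
            # terminal-ID reads "<remote port> <local port> <remote address>" (inferred
            # from the ssh record, whose local port is 22)
            rport, lport, addr = f[7].split()
            cur.update(audit_id=f[0], uid=f[1], session_id=f[6], remote_port=int(rport),
                       local_port=int(lport), remote_addr=addr)
        elif token == "return":
            cur.update(status=f[0], retval=f[1])  # return,<status text>,<value>
            records.append(AuditRecord(**cur))
            cur = {}
    return records


def normalize_addr(addr):
    """RAD records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); ssh records plain IPv4."""
    ip = ipaddress.ip_address(addr)
    mapped = getattr(ip, "ipv4_mapped", None)
    return str(mapped) if mapped else str(ip)


def summarize_sessions(records):
    """Session ID -> user, normalized client address and the ordered events of that session."""
    sessions = {}
    for r in records:
        s = sessions.setdefault(r.session_id, {"user": r.audit_id,
                                               "client": normalize_addr(r.remote_addr),
                                               "events": []})
        s["events"].append(r.event)
    return sessions


def check_rad_records(records, allowed_clients):
    """Findings for RAD traffic that failed, came from an unlisted client, or ran as root."""
    findings = []
    for r in records:
        if r.event != "connect to RAD" and r.local_port != RAD_PORT:
            continue  # not RAD traffic (e.g. the ssh login)
        client = normalize_addr(r.remote_addr)
        where = f"{r.time} {r.event} user={r.audit_id} client={client}"
        if r.status != "success":
            findings.append(f"{where}: {r.status} (rv {r.retval})")
        if client not in allowed_clients:
            findings.append(f"{where}: client not in allowlist")
        if "root" in (r.audit_id, r.uid):
            findings.append(f"{where}: root used RAD; expect an unprivileged account")
    return findings
```

Feeding it the page's four real records with {"10.0.0.69"} as the allowlist yields no findings; the constructed fifth record yields two (the failed return and the unlisted client). Grouping by session ID is what ties each "connect to RAD" to its "logout", which is how the per-request connect/logout pairs in the cookie-based calls above show up.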
categories: computing
tags: solaris - rad - kerberos - ldap