Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@repacks/kerberos
Advanced tools
If your build system is prevented from downloading the binaries for the kerberos
package by a firewall, you will need to create a mirror of the binaries inside your intranet. However, this package is available for those cases where this is not possible.
Check out the link below for more details on what issues it solves.
https://www.mongodb.com/community/forums/t/kerberos-npm-module-how-do-prebuilt-binaries-work/108424
This package is an exact duplicate of the Kerberos package. Additionally, it has embedded the assets included in the Github release.
The kerberos
package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.
Linux
python
v2.7make
krb5-dev
on Ubuntu)macOS
Xcode Command Line Tools
: Can be installed with xcode-select --install
krb5
on Homebrew)Windows
Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools
from an elevated PowerShell (run as Administrator).
Option 2: Install dependencies and configuration manually
Option 1: Install Visual C++ Build Tools using the Default Install option.
Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.
:bulb: [Windows Vista / 7 only] requires .NET Framework 4.5.1
v3.x.x
is not supported), and run npm config set python python2.7
npm config set msvs_version 2015
Now you can install kerberos
with the following:
npm install kerberos
Run the test suite using:
npm test
NOTE: The test suite requires an active kerberos deployment, see test/scripts/travis.sh
to better understand these requirements.
Promise
This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.
For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.
IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.
Promise
This function returns the service principal for the server given a service type and hostname.
Details are looked up via the /etc/keytab
file.
Promise
Initializes a context for client-side authentication with the given service principal.
Promise
Initializes a context for server-side authentication with the given service principal.
Properties
Name | Type | Description |
---|---|---|
username | string | The username used for authentication |
response | string | The last response received during authentication steps |
responseConf | string | Indicates whether confidentiality was applied or not (GSSAPI only) |
contextComplete | boolean | Indicates that authentication has successfully completed or not |
Param | Type | Description |
---|---|---|
challenge | string | A string containing the base64-encoded server data (which may be empty for the first step) |
[callback] | function |
Processes a single kerberos client-side step using the supplied server challenge.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
challenge | string | The response returned after calling unwrap |
[options] | object | Optional settings |
[options.user] | string | The user to authorize |
[callback] | function |
Perform the client side kerberos wrap step.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
challenge | string | A string containing the base64-encoded server data |
[callback] | function |
Perform the client side kerberos unwrap step
Returns: Promise
- returns Promise if no callback passed
Properties
Name | Type | Description |
---|---|---|
username | string | The username used for authentication |
response | string | The last response received during authentication steps |
targetName | string | The target used for authentication |
contextComplete | boolean | Indicates that authentication has successfully completed or not |
Param | Type | Description |
---|---|---|
challenge | string | A string containing the base64-encoded client data |
[callback] | function |
Processes a single kerberos server-side step using the supplied client data.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
username | string | The Kerberos user name. If no realm is supplied, then the defaultRealm will be used. |
password | string | The password for the user. |
service | string | The Kerberos service to check access for. |
[defaultRealm] | string | The default realm to use if one is not supplied in the user argument. |
[callback] | function |
This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.
For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.
IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
service | string | The Kerberos service type for the server. |
hostname | string | The hostname of the server. |
[callback] | function |
This function returns the service principal for the server given a service type and hostname.
Details are looked up via the /etc/keytab
file.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
[options] | object | Optional settings |
[options.principal] | string | Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com'). |
[options.gssFlags] | number | Optional integer used to set GSS flags. (e.g. GSS_C_DELEG_FLAG |
[options.mechOID] | number | Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are GSS_MECH_OID_KRB5 , GSS_MECH_OID_SPNEGO . |
[callback] | function |
Initializes a context for client-side authentication with the given service principal.
Returns: Promise
- returns Promise if no callback passed
Param | Type | Description |
---|---|---|
service | string | A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com'). |
[callback] | function |
Initializes a context for server-side authentication with the given service principal.
Returns: Promise
- returns Promise if no callback passed
FAQs
Kerberos library for Node.js
We found that @repacks/kerberos demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.