Kerberos Authentication
In PrivX you may enable Kerberos Single Sign On (SSO) for PrivX users belonging to one AD/LDAP user directory. Users from that directory can, after initial login to a Kerberos client, log into the PrivX GUI without having to retype their credentials.
Prerequisites
Ensure and perform the following before setting up Kerberos authentication for PrivX:
- You need a functioning Kerberos Key Distribution Center (KDC) and admin server. These services may be run on the same server.
- Kerberos servers must be able to resolve the host names of your PrivX servers.
- Users must be part of an AD/LDAP user directory. The user directory must have been added to PrivX. Furthermore, users from that directory must have access to some Kerberos client for obtaining their Kerberos tickets (such as Windows login or kinit). Note that you may only enable Kerberos authentication for one user directory in PrivX at any time. For more information about adding user directories to PrivX, see Importing Users from AD/LDAP.
Kerberos Setup
To enable Kerberos authentication for PrivX users belonging to a user directory, repeat the following steps on all your PrivX servers:

1. To add PrivX as a service to Kerberos, create a unique service principal for the PrivX server. The principal name must follow the syntax:

   HTTP/privx.example.com@EXAMPLE.COM

   Replace the example values as follows:
   privx.example.com - the PrivX server name.
   EXAMPLE.COM - the name of your Kerberos realm.

2. To allow PrivX to authenticate against the KDC, obtain a keytab of the PrivX service principal. The keytab entries should be encrypted using algorithms supported by your Kerberos environment. If using Windows Kerberos, also ensure the keytab is mapped to the user account associated with the PrivX service principal.

   🚧 Caution
   Ensure that the keytab is never exposed to unauthorized personnel. Malicious users with access to the keytab may use it to impersonate services.

3. On your PrivX server, add the keytab to /etc/krb5.keytab. Also ensure the keytab file is readable by the local user privx. For example:

   # chown privx:privx /etc/krb5.keytab
   # chmod 0400 /etc/krb5.keytab

4. Configure your PrivX server to connect to your KDC. To do this, add a similar configuration to /etc/krb5.conf on the PrivX server:

   [libdefaults]
       default_realm = EXAMPLE.COM
       # The following krb5.conf variables are only for MIT Kerberos.
       krb4_config = /etc/krb.conf
       krb4_realms = /etc/krb.realms
       kdc_timesync = 1
       ccache_type = 4
       forwardable = true
       proxiable = true

   [realms]
       EXAMPLE.COM = {
           kdc = dc.example.com
           admin_server = dc.example.com
       }

   [login]
       krb4_convert = true
       krb4_get_tickets = false

   Adjust the configuration according to your Kerberos environment. You will at least have to change default_realm to the actual name of your Kerberos realm, and change the [realms] section to include the actual name of your Kerberos realm and to specify the addresses of its KDC and Kerberos admin server. Save your changes to the file.

5. On the PrivX server, adjust the PrivX settings in /opt/privx/etc/auth-default-config.toml. You will have to set the following:
   kerberos_enabled - set to true.
   kerberos_service_name - set this equal to the PrivX service principal.
   kerberos_directory_name - the name of the user directory for which Kerberos is enabled. For a list of directories and their names, see the Settings→Directories page in the PrivX GUI.
   kerberos_realm_name - the name of your Kerberos realm.

   Example values for these settings:

   kerberos_enabled=true
   kerberos_service_name="HTTP/privx.example.com@EXAMPLE.COM"
   kerberos_directory_name="Example AD 01"
   kerberos_realm_name="EXAMPLE.COM"

   Save your changes to the file.

6. On the PrivX server, restart PrivX services to apply the changes:

   # systemctl restart privx
Once you have completed these steps on each PrivX server, Kerberos SSO is enabled.
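A realm or principal typo in one of the two files above makes SSO fail without an obvious error, and a keytab that is readable beyond the privx user is the classic way a service key leaks. The script below is an added verification example, not part of PrivX or its documentation: it parses the krb5.conf and auth-default-config.toml settings shown above, cross-checks that the realm, the HTTP/host@REALM principal and the [realms] block agree, and checks that the keytab has the owner and 0400 mode set by the chown/chmod step. It assumes the flat key = value layout of the TOML settings shown above and an MIT-style krb5.conf; the embedded sample inputs are constructed from the page's example values, and the parsers are minimal ones written for this check, not PrivX's own.

```python
"""Added consistency check for the PrivX Kerberos settings (not PrivX code)."""
import os
import pwd
import re
import stat

# Constructed sample inputs, copied from the example values above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # The following krb5.conf variables are only for MIT Kerberos.
    krb4_config = /etc/krb.conf
    kdc_timesync = 1
    forwardable = true
[realms]
    EXAMPLE.COM = {
        kdc = dc.example.com
        admin_server = dc.example.com
    }
[login]
    krb4_convert = true
"""

SAMPLE_AUTH_TOML = """\
kerberos_enabled=true
kerberos_service_name="HTTP/privx.example.com@EXAMPLE.COM"
kerberos_directory_name="Example AD 01"
kerberos_realm_name="EXAMPLE.COM"
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser (assumption: MIT layout). Returns
    {section: {key: value}}; realm blocks under [realms] become nested dicts."""
    conf, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):                  # "EXAMPLE.COM = {"
            realm = line[:-1].split("=", 1)[0].strip()
            conf[section][realm] = {}
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            (conf[section][realm] if realm else conf[section])[key] = value
    return conf


def parse_flat_toml(text):
    """Parse flat key = value lines (quoted strings and booleans only), which is
    all the four kerberos_* settings need."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        settings[key] = value == "true" if value in ("true", "false") else value.strip('"')
    return settings


def check_kerberos_settings(krb5_text, toml_text):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    conf = parse_krb5_conf(krb5_text)
    settings = parse_flat_toml(toml_text)
    if settings.get("kerberos_enabled") is not True:
        findings.append("kerberos_enabled is not true")
    realm = settings.get("kerberos_realm_name", "")
    if conf.get("libdefaults", {}).get("default_realm") != realm:
        findings.append("kerberos_realm_name differs from default_realm in krb5.conf")
    realm_block = conf.get("realms", {}).get(realm, {})
    for key in ("kdc", "admin_server"):
        if key not in realm_block:
            findings.append(f"[realms] {realm} lacks {key}")
    spn = settings.get("kerberos_service_name", "")
    match = re.fullmatch(r"HTTP/([^@/]+)@([^@]+)", spn)   # HTTP/host@REALM
    if not match:
        findings.append("kerberos_service_name is not of the form HTTP/host@REALM")
    elif match.group(2) != realm:
        findings.append("kerberos_service_name realm differs from kerberos_realm_name")
    if not settings.get("kerberos_directory_name"):
        findings.append("kerberos_directory_name is empty")
    return findings


def check_keytab_permissions(path, owner="privx"):
    """Findings for the keytab: it must exist, be owned by `owner` (a user name
    or numeric uid) and be mode 0400, as set by the chown/chmod step above."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    findings = []
    try:
        expected_uid = owner if isinstance(owner, int) else pwd.getpwnam(owner).pw_uid
    except KeyError:
        return [f"expected owner {owner} is not a local user"]
    if st.st_uid != expected_uid:
        findings.append(f"{path} is not owned by {owner}")
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append(f"{path} mode is {mode:04o}, expected 0400")
    return findings


if __name__ == "__main__":
    for finding in check_kerberos_settings(SAMPLE_KRB5_CONF, SAMPLE_AUTH_TOML):
        print("FINDING:", finding)
    for finding in check_keytab_permissions("/etc/krb5.keytab"):
        print("FINDING:", finding)
```

On a PrivX server you would feed it the real files (open("/etc/krb5.conf").read() and the TOML) rather than the constructed samples; an empty findings list before the systemctl restart saves a round of log reading afterwards.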
Logging in with Kerberos
After you have set up Kerberos SSO, PrivX users belonging to the configured user directory can log in as follows:
1. Obtain your Kerberos ticket, for example, by logging into a machine with Kerberos authentication or by running kinit.
2. Access the PrivX login page. You will be automatically logged into PrivX, without having to re-enter your credentials.