libgssapi and libkrb5 bindings for haskell

Latest on Hackage:

This package is not currently in any snapshots. If you're interested in using it, we recommend adding it to Stackage Nightly. Doing so will make builds more reliable, and allow to host generated Haddocks.

BSD3 licensed by Ondrej Palkovsky

Build Status Hackage

GSSAPI and Kerberos bindings for Haskell

This library provides a simplified kerberos and GSSAPI bindings for the SPNEGO authentication.

Short story

On the AD side, you need to

  • Create a new user, whose name should be the service name you'll be using Kerberos authentication on. E.g. app.example.
  • Set the "User cannot change password" and "Password never expires" options on the account
  • Set a strong password on it

From a Windows cmd.exe window, generate the service principals and keytabs for this user. You need an SPN named host/, and another named HTTP/ It is crucial that is the DNS name of your web site in the intranet, and it is an A record. Given that app.example is the account name you created, you would execute:

C:\> ktpass -princ host/ -mapuser
EXAMPLECOM\app.example -pass * -out host.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

C:\> ktpass -princ HTTP/ -mapuser
EXAMPLECOM\app.example -pass * -out http.keytab -ptype KRB5_NT_PRINCIPAL -crypto All

Verify that the correct SPNs are created:

C:\> setspn -Q */

it should yield both the HTTP/ and host/ SPNs, both mapped to the app.example user.

On the server side you need to

Create a krb5.keytab using ktutil, concatenating together the two SPNs keytabs:

# ktutil
ktutil:  rkt host.keytab
ktutil:  rkt http.keytab
ktutil:  wkt /etc/krb5.keytab
ktutil:  quit

Verify that the created keytab file has been built correctly:

# klist -kt /etc/krb5.keytab
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
9 02/19/13 04:02:48 HTTP/
8 02/19/13 04:02:48 host/

Key version numbers (KVNO) will be different in your case.

Verify that you are able to authenticate using the keytab, without password:

# kinit -5 -V -k -t /etc/krb5.keytab HTTP/
  Authenticated to Kerberos v5

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: HTTP/

Valid starting     Expires            Service principal
02/19/13 17:37:42  02/20/13 03:37:40  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 02/20/13 17:37:42

Make the keytab file accessible only by appropriate users or groups

# chmod 440 /etc/krb5.keytab
# chown root:nginx /etc/krb5.keytab

There are some issues regarding kvno changes

You can generate keys on the server by

$ kinit ....
# Note down kvno from next commands
$ kvno HTTP/
$ kvno host/
# Add new keys to /etc/krb5.keytab (enter -k KVNO from previous commands)
# Use the ciphers you need for your systems
$ ktutil
addent -password -p HTTP/ -k 12 -e arcfour-hmac
addent -password -p host/ -k 12 -e arcfour-hmac
wkt /etc/krb5.keytab


Relax base library constraints to allow 8.2 GHC.

Better exception handling. GssException now contains both major and minor code and description for both.

Depends on 4 packages:
Used by 1 package:
comments powered byDisqus