README
¶
Kerberos-Attestor
Overview
The Kerberos-Attestor is a plugin for the SPIRE server and agent that allows SPIRE to automatically attest nodes that are joined to a domain backed by the Kerberos authentication protocol. SPIRE is an open-source implementation of the SPIFFE, which is a set of standards to provide authentication and trust to disparate micro-services operating in heterogeneous cloud-native environments. The predominant on-premise authentication protocol is Kerberos through Active Directory, and with the Kerberos-Attestor, environments backed by SPIRE can provide trust leveraging existing enterprise identity stacks.
Base SVID SPIFFE ID Format
An agent attested by the Kerberos-Attestor plugin will have a base SVID SPIFFE ID in this format:
spiffe://<trust_domain>/spire/agent/kerberos/<realm>/<principal_name>
Compilation
There are two ways to get the plugin--using go install to build and install it or alternatively, build it from source.
Go Install
Running the following commands will download, build, and install the Kerberos-Attestor server and agent in your ${GOPATH}/bin directory by default, or in the path set by the ${GOBIN} environment variable.
- Server:
go install github.com/spiffe/kerberos-attestor/server
- Agent:
go install github.com/spiffe/kerberos-attestor/agent
Build from Source
- Clone this repo:
git clone https://github.com/spiffe/kerberos-attestor ${GOPATH}/src/github.com/spiffe/kerberos-attestor
cd ${GOPATH}/src/github.com/spiffe/kerberos-attestor
- Build the Kerberos-Attestor:
make build
- Binaries for the server and agent should be in the
bin/directory
Installation and Configuration
Kerberos-Attestor Server Plugin
- Edit the SPIRE Server config file to add the Kerberos-Attestor server plugin config:
vim <SPIRE Installation Directory>/conf/server/server.conf
- Add the following HCL blob to the "plugins" section of the config file:
NodeAttestor "kerberos_attestor" {
plugin_cmd = "${GOPATH}/src/github.com/spiffe/kerberos-attestor/bin/server"
enabled = true
plugin_data {
krb_realm = "<realm>"
krb_conf_path = "/etc/krb5.conf"
krb_keytab_path = "/etc/krb5.keytab"
}
}
- Replace
plugin_cmdwith the path to the Kerberos-Attestor server binary compiled earlier - Replace
krb_realmwith the real Kerberos realm krb_conf_pathandkrb_keytab_pathpoint to the default paths to the Kerberos config file and Keytab file
Kerberos-Attestor Agent Plugin
- Edit the SPIRE Agent config file to add the Kerberos-Attestor agent plugin config:
vim <SPIRE Installation Directory>/conf/agent/agent.conf
- Add the following HCL blob to the "plugins" section of the config file:
NodeAttestor "kerberos_attestor" {
plugin_cmd = "${GOPATH}/src/github.com/spiffe/kerberos-attestor/bin/agent"
enabled = true
plugin_data {
krb_realm = "<realm>"
krb_conf_path = "/etc/krb5.conf"
krb_keytab_path = "/etc/krb5.keytab"
spn = "<service principal name>"
}
}
- Replace
plugin_cmdwith the path to the Kerberos-Attestor agent binary compiled earlier - Replace
krb_realmwith the real Kerberos realm krb_conf_pathandkrb_keytab_pathpoint to the default paths to the Kerberos config file and Keytab file- Replace
spnwith the real Service Principal Name of the keytab file of the Kerberos attestor server
- Remove Join-Token NodeAttestor plugin config from this file as a SPIRE Agent can only use one NodeAttestor plugin at-a-time
Start SPIRE with Kerberos-Attestor Plugins
SPIRE Server
cd <SPIRE Installation Directory>
./spire-server run
SPIRE Agent
cd <SPIRE Installation Directory>
./spire-agent run
Selectors Generated by Kerberos-Attestor Server Plugin
| Selector | Example | Description |
|---|---|---|
| pn | pn:host/216.3.128.12 |
Principal name of the agent |
Directories