
My application is using Kerberos authentication. My application is delivered via Docker images. A Docker image can be run on any host. The keytab file which Kerberos uses for authentication contains the host name and the encrypted password of the principal.

Is it possible to generate a keytab file for a Docker image which would work on any host the image is placed on?

In other words, when Kerberos is performing authentication of the host, is it checking the hostname of the Docker image, the hostname of the Docker host, or not checking it at all? Are there any other issues with creating a keytab for a Docker image?

MiamiBeach
  • It's a significant security risk that you can trivially `docker cp` the keytab out and use it anywhere. I'd create host-specific keytabs normally and inject them using Docker bind mounts. – David Maze Sep 29 '20 at 11:33
  • But can I really use it anywhere? As far as I understand keytab is bound to hostname? – MiamiBeach Sep 29 '20 at 12:00
  • A keytab file contains passwords -- for 1..N Kerberos principals, using 1..M encryption algorithms. Now, in the special case that your principal is a `host` SPN, for a **machine with a canonical DNS alias** that has been "bound" to a Kerberos KDC... not sure how that would work for a container with no public DNS record. – Samson Scharfrichter Sep 30 '20 at 07:30
  • Kerberos has been around for 30 years, it does not support Docker (nor load balancers) natively. For LB there are server-side tweaks. For Docker... duh. – Samson Scharfrichter Sep 30 '20 at 07:32
  • If all your requests are routed through a common face URL, then it is possible to use same keytab, provided the domain (realm) is common or trusted. Generate keytab entry for the SPN of face URL and it should work. – Bhushan Karmarkar Sep 30 '20 at 09:56
  • @SamsonScharfrichter, I have found a similar question here: https://stackoverflow.com/questions/42568974/can-you-create-kerberos-principals-where-the-hostname-is-flexible-docker, looks like I need to create a keytab with some virtual (fake) host and place it on each docker, and it should work. Not sure if my understanding is correct. – MiamiBeach Oct 07 '20 at 09:08
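The question above asks what a keytab is actually bound to. The file holds principal names and the keys derived from their passwords, and nothing else: no record of the machine it was created on. The protocol never compares the keytab to the container's or the Docker host's hostname; the service simply decrypts the ticket with whichever key matches the SPN the client asked for, and clients derive that SPN from the name they connect to. The following added example (not from the question or any commenter) is a small parser for MIT-format keytabs (version 0x0502) that lists what a keytab contains, plus a check that it covers the SPN of the name clients will use. The realm `EXAMPLE.COM`, the service name `app.example.com` and the 16-byte key are constructed placeholders, not real credentials, and `build_keytab` exists only to create the sample offline; real keytabs come from `kadmin`/`ktpass`.

```python
"""Added example: parse an MIT keytab (version 0x0502) and check which SPNs
it covers. Lists the same information as `klist -kt` without needing Kerberos
tools installed. All names and key bytes below are constructed placeholders."""
import struct

KEYTAB_MAGIC = b"\x05\x02"          # file_format_version 0x0502
NT_PRINCIPAL = 1                    # name_type for ordinary principals
AES128_CTS_HMAC_SHA1_96 = 17        # enctype number from RFC 3962


def _counted(data: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples into keytab bytes.
    Only used to construct a sample offline; real keytabs come from
    kadmin/ktpass, and because the key is derived from the principal's
    password a keytab must be protected like one."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        # name_type, timestamp (0 because constructed), 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)   # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body           # size excludes itself
    return bytes(out)


def _read_counted(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data: bytes):
    """Return one dict per entry: principal, kvno, enctype, key length.
    Key bytes are deliberately not returned. Note that nothing in the file
    records the host it was created on, only the names inside the SPNs."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_counted(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        key, pos = _read_counted(data, pos + 2)
        kvno = vno8
        if end - pos >= 4:      # full 32-bit kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "key_len": len(key),
        })
    return entries


def keytab_covers_spn(data: bytes, spn: str) -> bool:
    """True if the keytab has a key for the SPN clients derive from the name
    they connect to (the 'face URL' from the comments), e.g.
    HTTP/app.example.com@EXAMPLE.COM. The container's own hostname plays
    no part in this check."""
    return any(e["principal"] == spn for e in parse_keytab(data))


# Constructed sample: one entry for the service's public DNS name.
SAMPLE_KEYTAB = build_keytab([
    ("HTTP/app.example.com@EXAMPLE.COM", 3, AES128_CTS_HMAC_SHA1_96, bytes(range(16))),
])

if __name__ == "__main__":
    for entry in parse_keytab(SAMPLE_KEYTAB):
        print(entry)
    print(keytab_covers_spn(SAMPLE_KEYTAB, "HTTP/app.example.com@EXAMPLE.COM"))  # True
    print(keytab_covers_spn(SAMPLE_KEYTAB, "HTTP/container-7f3a@EXAMPLE.COM"))   # False
```

The practical consequence for the question: create the keytab for the SPN of the stable name clients use (the virtual or load-balanced DNS name, `HTTP/app.example.com` in the sample), confirm with `klist -kt` that exactly that principal is present, and mount the file into the container read-only at run time rather than baking it into the image, since anyone who can read the image layers can read the keys.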
