Documentation

May 29, 2026

The kerberos package is a C++ extension for Node.js that provides cross-platform support for Kerberos authentication, using GSSAPI on Linux/macOS and SSPI on Windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.

Requirements

Linux

  • python v2.7
  • make
  • A proper C/C++ compiler toolchain, like GCC
  • Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

macOS

  • Xcode Command Line Tools: Can be installed with xcode-select --install
  • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

Windows

  • Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).
  • Option 2: Install dependencies and configuration manually:
    1. Visual C++ Build Environment:
       • Option 1: Install Visual C++ Build Tools using the Default Install option.
       • Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.
       Note: [Windows Vista / 7 only] requires .NET Framework 4.5.1
    2. Install Python 2.7 or Miniconda 2.7 (v3.x.x is not supported), and run npm config set python python2.7
    3. Launch cmd and run npm config set msvs_version 2015

MongoDB Node.js Driver Version Compatibility

Only the following version combinations with the MongoDB Node.js Driver are considered stable.

                kerberos@1.x   kerberos@2.x   kerberos@7.x
mongodb@7.x     N/A            N/A            ✓
mongodb@6.x     N/A            ✓              N/A
mongodb@5.x     ✓              ✓              N/A
mongodb@4.x     ✓              ✓              N/A
mongodb@3.x     ✓              N/A            N/A

Installation

Now you can install kerberos with the following:

npm install kerberos

Support Strategy

There are two support tiers:

  • Tier 1: These platforms represent the majority of our users. Test failures on tier 1 platforms will block releases.
  • Experimental: Test suite may not exist or may not pass. Test failures on experimental platforms do not block releases. Contributions to improve support for these platforms are welcome.

Prebuild Platforms

Below are the platforms that are available as prebuilds on each GitHub release. prebuild-install downloads these automatically depending on the platform on which you run npm install.

Operating System               Platform   Support Type
Linux GLIBC 2.28 or later      s390x      Tier 1
Linux GLIBC 2.28 or later      arm64      Tier 1
Linux GLIBC 2.28 or later      x64        Tier 1
macOS universal binary         x64        Tier 1
macOS universal binary         arm64      Tier 1
Windows                        x64        Tier 1
Windows                        arm64      Experimental

Release Integrity

Releases are created automatically and signed using the Node team's GPG key. All release packages provided as part of a GitHub release are signed. To verify the provided packages, download the key and import it using gpg:

gpg --import node-driver.asc

The GitHub release contains a detached signature file for the NPM package (named kerberos-X.Y.Z.tgz.sig).

The following command returns the link to the npm package:

npm view kerberos@vX.Y.Z dist.tarball

Using the result of the above command, a curl command can download the official npm package for the release.

To verify the integrity of the downloaded package, run the following command:

gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz

Note

No GPG verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using npm install kerberos-X.Y.Z.tgz.

To verify the native .node packages, follow the same steps as above.

Releases published to the npm registry also include a provenance attestation, which cryptographically links the package to its source repository and build workflow. To verify provenance:

npm audit signatures

Testing

Run the test suite using:

docker run -i -v PATH_TO_KERBEROS_REPO:/app -w /app -e PROJECT_DIRECTORY=/app ubuntu:20.04 /bin/bash /app/.evergreen/run-tests-ubuntu.sh

NOTE: The test suite requires an active kerberos deployment.

Documentation

Classes

KerberosClient
KerberosServer

Constants

GSS_C_DELEG_FLAG
GSS_C_MUTUAL_FLAG
GSS_C_REPLAY_FLAG
GSS_C_SEQUENCE_FLAG
GSS_C_CONF_FLAG
GSS_C_INTEG_FLAG
GSS_C_ANON_FLAG
GSS_C_PROT_READY_FLAG
GSS_C_TRANS_FLAG
GSS_C_NO_OID
GSS_MECH_OID_KRB5
GSS_MECH_OID_SPNEGO
version

Functions

checkPassword(username, password, service, [defaultRealm]) ⇒ Promise.<null>

This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

For this to work, Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

principalDetails(service, hostname) ⇒ Promise

This function returns the service principal for the server given a service type and hostname.

Details are looked up via the /etc/keytab file.

initializeClient(service, [options]) ⇒ Promise.<KerberosClient>

Initializes a context for client-side authentication with the given service principal.

initializeServer(service) ⇒ Promise.<KerberosServer>

Initializes a context for server-side authentication with the given service principal.

KerberosClient

Properties

Name              Type      Description
username          string    The username used for authentication
response          string    The last response received during authentication steps
responseConf      string    Indicates whether confidentiality was applied or not (GSSAPI only)
contextComplete   boolean   Indicates whether authentication has successfully completed

kerberosClient.step(challenge)

Param       Type     Description
challenge   string   A string containing the base64-encoded server data (which may be empty for the first step)

Processes a single kerberos client-side step using the supplied server challenge.

kerberosClient.wrap(challenge, [options])

Param               Type      Description
challenge           string    The response returned after calling unwrap
[options]           object    Options
[options.user]      string    The user to authorize
[options.protect]   boolean   Indicates if the wrap should request message confidentiality

Perform the client side kerberos wrap step.

kerberosClient.unwrap(challenge)

Param       Type     Description
challenge   string   A string containing the base64-encoded server data

Perform the client side kerberos unwrap step.

KerberosServer

Properties

Name              Type      Description
username          string    The username used for authentication
response          string    The last response received during authentication steps
targetName        string    The target used for authentication
contextComplete   boolean   Indicates whether authentication has successfully completed

kerberosServer.step(challenge)

Param       Type     Description
challenge   string   A string containing the base64-encoded client data

Processes a single kerberos server-side step using the supplied client data.

Constants

The following constants are exported by the module. The GSS_C_*_FLAG values are combined with | for the flags option of initializeClient, and the OID values are used for its mechOID option.

  • GSS_C_DELEG_FLAG
  • GSS_C_MUTUAL_FLAG
  • GSS_C_REPLAY_FLAG
  • GSS_C_SEQUENCE_FLAG
  • GSS_C_CONF_FLAG
  • GSS_C_INTEG_FLAG
  • GSS_C_ANON_FLAG
  • GSS_C_PROT_READY_FLAG
  • GSS_C_TRANS_FLAG
  • GSS_C_NO_OID
  • GSS_MECH_OID_KRB5
  • GSS_MECH_OID_SPNEGO
  • version

checkPassword(username, password, service, [defaultRealm])

Param            Type     Description
username         string   The Kerberos user name. If no realm is supplied, then the defaultRealm will be used.
password         string   The password for the user.
service          string   The Kerberos service to check access for.
[defaultRealm]   string   The default realm to use if one is not supplied in the user argument.

This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.

For this to work, Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.

IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.

Returns: Promise.<null> - returns Promise that rejects if the password is invalid

principalDetails(service, hostname)

Param      Type     Description
service    string   The Kerberos service type for the server.
hostname   string   The hostname of the server.

This function returns the service principal for the server given a service type and hostname.

Details are looked up via the /etc/keytab file.

Returns: Promise - resolves with the service principal for the server

initializeClient(service, [options])

Param                 Type     Description
service               string   A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').
[options]             object   Optional settings
[options.principal]   string   Optional string containing the client principal in the form 'user@realm' (e.g. 'jdoe@example.com').
[options.flags]       number   Optional integer used to set GSS flags (e.g. GSS_C_DELEG_FLAG|GSS_C_MUTUAL_FLAG|GSS_C_SEQUENCE_FLAG will allow for forwarding credentials to the remote host).
[options.mechOID]     number   Optional GSS mech OID. Defaults to None (GSS_C_NO_OID). Other possible values are GSS_MECH_OID_KRB5 and GSS_MECH_OID_SPNEGO.
[options.user]        string   The username with which to authenticate. Only used on Windows.
[options.pass]        string   The password with which to authenticate. Only used on Windows.

Initializes a context for client-side authentication with the given service principal.

Returns: Promise.<KerberosClient> - resolves with the initialized client context

initializeServer(service)

Param     Type     Description
service   string   A string containing the service principal in the form 'type@fqdn' (e.g. 'imap@mail.apple.com').

Initializes a context for server-side authentication with the given service principal.

Returns: Promise.<KerberosServer> - resolves with the initialized server context