GSSAPI Authentication

This page describes how to configure GSSAPI authentication.

Overview

As of version 1.2.0, Dante supports SOCKS version 5 GSSAPI authentication. Typically used with Kerberos, it allows secure authentication and encryption of data transferred.

Environment setup

The Dante server supports GSSAPI authentication via Kerberos, with both MIT Kerberos and Heimdal supported. This page assumes that Kerberos has been configured and is working. Descriptions on how to configure Kerberos can be found in several places, including the following:

Before authenticating to a SOCKS server with GSSAPI it is necessary to obtain a Kerberos ticket. Depending on the OS configuration, a ticket might be obtained at login, or it might be necessary to run kinit or a similar program. The klist command can generally be used to verify whether a valid ticket exists, in which case output similar to this should be printed:

Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: user@EXAMPLE.ORG

  Issued           Expires          Principal           
Oct 25 16:38:28  Oct 26 17:38:28  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG

Without a valid ticket it will not be possible to authenticate. By enabling logging in both the server and client it should be possible to analyze any problems. The client and server configuration pages describe how to do this.

#gssapi.enctype: clear integrity confidentiality
#gssapi.keytab: FILE:/etc/sockd.keytab
#gssapi.servicename: "rcmd"

Several GSSAPI-related keywords, such as the above, can be used in the server configuration file, but it should not be necessary to change them from their default values. It is currently not possible to change the defaults globally, but they can be overridden in the pass rules.
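The protection levels behind the gssapi.enctype keyword (clear, integrity, confidentiality) are the ones negotiated in the SOCKS version 5 GSSAPI sub-negotiation of RFC 1961. The following is an added illustration, not code from Dante: it frames and parses those RFC 1961 messages and checks a client's proposed level against a configured enctype list. It assumes the GSS_Wrap of the protection-level octet is handled by the GSS library, so the code sees the unwrapped octet.

```python
# Added example, not from the Dante project: RFC 1961 SOCKS5 GSSAPI message
# framing plus a policy check mapping the proposed protection level onto
# Dante's gssapi.enctype values. GSS_Wrap of the level octet is assumed
# to be done by the GSS library; this code handles the unwrapped octet.
import struct

MTYP_AUTH = 0x01       # context-establishment token
MTYP_PROTLEVEL = 0x02  # protection-level negotiation
MTYP_DATA = 0x03       # encapsulated user data
MTYP_ABORT = 0xFF      # abort: only "ver, mtyp", no length or token

# RFC 1961 protection levels, named with Dante's gssapi.enctype keywords
LEVELS = {0x00: "clear", 0x01: "integrity", 0x02: "confidentiality"}
DEFAULT_ENCTYPE = ("clear", "integrity", "confidentiality")  # Dante default

def encode(mtyp, token=b""):
    """Frame one message: ver=1, mtyp, 16-bit big-endian length, token."""
    if mtyp == MTYP_ABORT:
        return bytes([0x01, MTYP_ABORT])
    if len(token) > 0xFFFF:
        raise ValueError("token exceeds 16-bit length field")
    return struct.pack("!BBH", 0x01, mtyp, len(token)) + token

def decode(buf):
    """Parse one message from buf; return (mtyp, token, remaining bytes)."""
    if len(buf) < 2 or buf[0] != 0x01:
        raise ValueError("bad version or truncated header")
    if buf[1] == MTYP_ABORT:
        return MTYP_ABORT, b"", buf[2:]
    if len(buf) < 4:
        raise ValueError("truncated header")
    mtyp, length = buf[1], struct.unpack("!H", buf[2:4])[0]
    if len(buf) < 4 + length:
        raise ValueError("truncated token")  # never trust the length field
    return mtyp, buf[4:4 + length], buf[4 + length:]

def check_protlevel(frame, enctype=DEFAULT_ENCTYPE):
    """Return the level name if the client's proposal is permitted by the
    configured enctype list, else None (the server should then abort)."""
    mtyp, token, _ = decode(frame)
    if mtyp != MTYP_PROTLEVEL or len(token) != 1:
        return None
    name = LEVELS.get(token[0])
    return name if name in enctype else None

if __name__ == "__main__":
    # constructed frames: a client proposing "integrity", then "clear"
    print(check_protlevel(encode(MTYP_PROTLEVEL, b"\x01")))  # integrity
    print(check_protlevel(encode(MTYP_PROTLEVEL, b"\x00"), ("integrity",)))  # None
```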

#server compatibility with NEC-style gssapi clients
client pass {
        from: 192.0.2.0/24 to: 0.0.0.0/0
        log: error # connect disconnect
        clientcompatibility: necgssapi
}

If the server needs to work with clients that rely on the GSSAPI handling behavior of the NEC SOCKS server, it might be necessary to enable this type of behavior by setting the clientcompatibility keyword to necgssapi in the client pass rules in the server.

The server will still work with clients that do not require this. The option should only be enabled if clients that depend on it need to access the server, since such clients rely on a bug in the GSSAPI implementation of SOCKS servers based on the NEC SOCKS code.

Note that this bug results in a less secure session than would otherwise be used; it is thus not recommended that this option is enabled unless it is needed.

#client compatibility with NEC-style gssapi servers
route {
        from: 0.0.0.0/0 to: 0.0.0.0/0 via: 192.0.2.1 port = 1080
        proxyprotocol: socks_v4 socks_v5
        method: gssapi
        clientcompatibility: necgssapi
}

A similar clientcompatibility value can be set in the client configuration file, in order for the Dante client to work with servers that rely on the non-standard behavior of the NEC SOCKS client.

Server privileges

No special privileges will typically be required to use this authentication method.

Example clientmethod usage

There is no separate gssapi clientmethod.

Example method usage

#authentication methods
method: gssapi
#generic pass statement - bind/outgoing traffic
pass {
        from: 0.0.0.0/0 to: 0.0.0.0/0
        command: bind connect udpassociate
        log: error # connect disconnect iooperation
        method: gssapi
}

The authentication configuration template can be used directly for outgoing traffic; it is only necessary to specify the method name.

The gssapi method cannot be used for incoming traffic (bindreply, udpreply).


Copyright © 1998-2024 Inferno Nettverk A/S