SkillAgentSearch skills...

Kerberos

Kerberos library for node.js

GenerateConvertImprove

Install / Use

/learn @mongodb-js/Kerberos
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

Kerberos

The kerberos package is a C++ extension for Node.js that provides cross-platform support for kerberos authentication using GSSAPI on linux/osx, and SSPI on windows. Much of the code in this module is adapted from ccs-kerberos and winkerberos.

Requirements

Linux

  • python v2.7
  • make
  • A proper C/C++ compiler toolchain, like GCC
  • Distribution-specific kerberos packages (e.g. krb5-dev on Ubuntu)

macOS

  • Xcode Command Line Tools: Can be installed with xcode-select --install
  • Distribution-specific kerberos packages (e.g. krb5 on Homebrew)

Windows

  • Option 1: Install all the required tools and configurations using Microsoft's windows-build-tools by running npm install -g windows-build-tools from an elevated PowerShell (run as Administrator).
  • Option 2: Install dependencies and configuration manually
  1. Visual C++ Build Environment:
  • Option 1: Install Visual C++ Build Tools using the Default Install option.
  • Option 2: Install Visual Studio 2015 (or modify an existing installation) and select Common Tools for Visual C++ during setup.

:bulb: [Windows Vista / 7 only] requires .NET Framework 4.5.1

  1. Install Python 2.7 or Miniconda 2.7 (v3.x.x is not supported), and run npm config set python python2.7
  2. Launch cmd, npm config set msvs_version 2015

MongoDB Node.js Driver Version Compatibility

Only the following version combinations with the MongoDB Node.js Driver are considered stable.

| | kerberos@1.x | kerberos@2.x | kerberos@7.x | | ------------- | -------------- | -------------- | -------------- | | mongodb@7.x | N/A | N/A | ✓ | | mongodb@6.x | N/A | ✓ | N/A | | mongodb@5.x | ✓ | ✓ | N/A | | mongodb@4.x | ✓ | ✓ | N/A | | mongodb@3.x | ✓ | N/A | N/A |

Installation

Now you can install kerberos with the following:

npm install kerberos

Support Strategy

There are two support tiers:

  • Tier 1: These platforms represent the majority of our users. Test failures on tier 1 platforms will block releases.
  • Experimental: Test suite may not exist or may not pass. Test failures on experimental platforms do not block releases. Contributions to improve support for these platforms are welcome.

Prebuild Platforms

Below are the platforms that are available as prebuilds on each github release. prebuild-install downloads these automatically depending on the platform you are running npm install on.

| Operating System | Platform | Support Type | | ------------------------- | -------- | ------------ | | Linux GLIBC 2.28 or later | s390x | Tier 1 | | Linux GLIBC 2.28 or later | arm64 | Tier 1 | | Linux GLIBC 2.28 or later | x64 | Tier 1 | | MacOS universal binary | x64 | Tier 1 | | MacOS universal binary | arm64 | Tier 1 | | Windows | x64 | Tier 1 | | Windows | arm64 | Experimental |

Release Integrity

Releases are created automatically and signed using the Node team's GPG key. This applies to the git tag as well as all release packages provided as part of a GitHub release. To verify the provided packages, download the key and import it using gpg:

gpg --import node-driver.asc

The GitHub release contains a detached signature file for the NPM package (named kerberos-X.Y.Z.tgz.sig).

The following command returns the link npm package.

npm view kerberos@vX.Y.Z dist.tarball

Using the result of the above command, a curl command can return the official npm package for the release.

To verify the integrity of the downloaded package, run the following command:

gpg --verify kerberos-X.Y.Z.tgz.sig kerberos-X.Y.Z.tgz

[!Note] No verification is done when using npm to install the package. To ensure release integrity when using npm, download the tarball manually from the GitHub release, verify the signature, then install the package from the downloaded tarball using npm install mongodb-X.Y.Z.tgz.

To verify the native .node packages, follow the same steps as above.

Testing

Run the test suite using:

docker run -i -v PATH_TO_KERBEROS_REPO:/app -w /app -e PROJECT_DIRECTORY=/app ubuntu:20.04 /bin/bash
/app/.evergreen/run-tests-ubuntu.sh

NOTE: The test suite requires an active kerberos deployment.

Documentation

Classes

<dl> <dt><a href="#KerberosClient">KerberosClient</a></dt> <dd></dd> <dt><a href="#KerberosServer">KerberosServer</a></dt> <dd></dd> </dl>

Constants

<dl> <dt><a href="#GSS_C_DELEG_FLAG">GSS_C_DELEG_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_MUTUAL_FLAG">GSS_C_MUTUAL_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_REPLAY_FLAG">GSS_C_REPLAY_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_SEQUENCE_FLAG">GSS_C_SEQUENCE_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_CONF_FLAG">GSS_C_CONF_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_INTEG_FLAG">GSS_C_INTEG_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_ANON_FLAG">GSS_C_ANON_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_PROT_READY_FLAG">GSS_C_PROT_READY_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_TRANS_FLAG">GSS_C_TRANS_FLAG</a></dt> <dd></dd> <dt><a href="#GSS_C_NO_OID">GSS_C_NO_OID</a></dt> <dd></dd> <dt><a href="#GSS_MECH_OID_KRB5">GSS_MECH_OID_KRB5</a></dt> <dd></dd> <dt><a href="#GSS_MECH_OID_SPNEGO">GSS_MECH_OID_SPNEGO</a></dt> <dd></dd> <dt><a href="#version">version</a></dt> <dd></dd> </dl>

Functions

<dl> <dt><a href="#checkPassword">checkPassword(username, password, service, [defaultRealm])</a> ⇒ <code>Promise.&lt;null&gt;</code></dt> <dd><p>This function provides a simple way to verify that a user name and password match those normally used for Kerberos authentication. It does this by checking that the supplied user name and password can be used to get a ticket for the supplied service. If the user name does not contain a realm, then the default realm supplied is used.</p> <p>For this to work properly the Kerberos must be configured properly on this machine. That will likely mean ensuring that the edu.mit.Kerberos preference file has the correct realms and KDCs listed.</p> <p>IMPORTANT: This method is vulnerable to KDC spoofing attacks and it should only be used for testing. Do not use this in any production system - your security could be compromised if you do.</p> </dd> <dt><a href="#principalDetails">principalDetails(service, hostname)</a> ⇒ <code>Promise</code></dt> <dd><p>This function returns the service principal for the server given a service type and hostname.</p> <p>Details are looked up via the <code>/etc/keytab</code> file.</p> </dd> <dt><a href="#initializeClient">initializeClient(service, [options])</a> ⇒ <code><a href="#KerberosClient">Promise.&lt;KerberosClient&gt;</a></code></dt> <dd><p>Initializes a context for client-side authentication with the given service principal.</p> </dd> <dt><a href="#initializeServer">initializeServer(service)</a> ⇒ <code><a href="#KerberosServer">Promise.&lt;KerberosServer&gt;</a></code></dt> <dd><p>Initializes a context for server-side authentication with the given service principal.</p> </dd> </dl>

<a name="KerberosClient"></a>

KerberosClient

Properties

| Name | Type | Description | | --- | --- | --- | | username | <code>string</code> | The username used for authentication | | response | <code>string</code> | The last response received during authentication steps | | responseConf | <code>string</code> | Indicates whether confidentiality was applied or not (GSSAPI only) | | contextComplete | <code>boolean</code> | Indicates that authentication has successfully completed or not |

<a name="KerberosClient+step"></a>

kerberosClient.step(challenge)

| Param | Type | Description | | --- | --- | --- | | challenge | <code>string</code> | A string containing the base64-encoded server data (which may be empty for the first step) |

Processes a single kerberos client-side step using the supplied server challenge.

<a name="KerberosClient+wrap"></a>

kerberosClient.wrap(challenge, [options])

| Param | Type | Description | | --- | --- | --- | | challenge | <code>string</code> | The response returned after calling unwrap | | [options] | <code>object</code> | Options | | [options.user] | <code>string</code> | The user to authorize | | [options.protect] | <code>boolean</code> | Indicates if the wrap should request message confidentiality |

Perform the client side kerberos wrap step.

<a name="KerberosClient+unwrap"></a>

kerberosClient.unwrap(challenge)

| Param | Type | Description | | --- | --- | --- | | challenge | <code>string</code> | A string containing the base64-encoded server data |

Perform the client side kerberos unwrap step

<a name="KerberosServer"></a>

KerberosServer

Properties

| Name | Type | Description | | --- | --- | --- | | username | <code>string</code> | The username used for authentication | | response | <code>string</code> | The last response received during authentication steps | | targetName | <code>string</code> | The target used for authentication | | cont

mongodb-js

View profile

View on GitHub
GitHub Stars177
CategoryDevelopment
Updated2mo ago
Forks70
mongodb-js/kerberos

Languages

C++

Security Score

100/100

Audited on Feb 2, 2026

No findings