Apache Kerby is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library, KDC and various facilities that integrates PKI, OTP and token (OAuth2) as desired in modern environments such as cloud, Hadoop and mobile.
- Aims as a Java Kerberos binding, with rich and integrated facilities that integrate Kerberos, PKI and token (OAuth2) for both client and server sides.
- Provides client APIs at the Kerberos protocol level to interact with a KDC server through AS and TGS exchanges.
- Provides a standalone KDC server that supports various identity back ends including memory based, Json file based, LDAP backed and even Zookeeper backed.
- Provides an embedded KDC server that applications can easily integrate into products, unit tests or integration tests.
- Supports FAST/Preauthentication framework to allow popular and useful authentication mechanisms.
- Supports PKINIT mechanism to allow clients to request tickets using x509 certificate credentials.
- Supports Token Preauth mechanism to allow clients to request tickets using JWT tokens.
- Supports OTP mechanism to allow clients to request tickets using One Time Password.
- Provides support for JAAS, GSSAPI and SASL frameworks that applications can leverage.
- Minimal dependencies, the core part is ensured to depend only on JRE and SLF4J, for easy use and maintenance.
A Krb client API for applications to interact with KDC.
Please look at kerb-client for details.
Server side admin facilities.
Please look at kerb-admin for details.
Kerberos Server API.
Please look at kerb-server for details.
A simplified Kdc server. It can be imported by other project to work as a kdc server.
Please look at kerb-simplekdc for details.
How to play with the standalone KDC
Please look at Kerby KDC for details.
Please look at kerby-asn1 for details.
Kerberos Crypto and Encryption Types
Implementing des, des3, rc4, aes, camellia encryption and corresponding checksum types Interoperates with MIT Kerberos and Microsoft AD Independent of Kerberos code in JRE, but rely on JCE
|des-cbc-crc||DES cbc mode with CRC-32 (weak)|
|des-cbc-md4||DES cbc mode with RSA-MD4 (weak)|
|des-cbc-md5||DES cbc mode with RSA-MD5 (weak)|
|des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd||Triple DES cbc mode with HMAC/sha1|
|des-hmac-sha1||DES with HMAC/sha1 (weak)|
|aes256-cts-hmac-sha1-96 aes256-cts AES-256||CTS mode with 96-bit SHA-1 HMAC|
|aes128-cts-hmac-sha1-96 aes128-cts AES-128||CTS mode with 96-bit SHA-1 HMAC|
|arcfour-hmac rc4-hmac arcfour-hmac-md5||RC4 with HMAC/MD5|
|arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp||Exportable RC4 with HMAC/MD5 (weak)|
|camellia256-cts-cmac camellia256-cts||Camellia-256 CTS mode with CMAC|
|camellia128-cts-cmac camellia128-cts||Camellia-128 CTS mode with CMAC|
|des||The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)|
|des3||The triple DES family: des3-cbc-sha1|
|aes||The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96|
|rc4||The RC4 family: arcfour-hmac|
|camellia||The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac|
A standalone KDC server that can integrate various identity back ends including:
- It is default Identity Backend, and no cofiguration is needed. This backend is for no permanent storage requirements.
- It implemented by Gson which is used to convert Java Objects into their JSON representation and convert a JSON string to an equivalent Java object. A json file will be created in “backend.json.dir”. This backend is for small, easy, development and test environment.
- Currently it uses an embedded Zookeeper. In follow up it will be enhanced to support standalone Zookeeper cluster for replication and reliability. Zookeeper backend would be a good choice for high reliability, high performance and high scalability requirement and scenarios.
- The Ldap server can be standalone or embedded using ApacheDS server as the backend. It is used when there is exist ldap server.
- A backend based on Apache Mavibot(an MVCC BTree library).
- Include UDP and TCP transport.
- Default KDC server implementation.
- The Networking Classes in the JDK is used.
- Netty based KDC server implementation.
- Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients.
- With better throughput, lower latency.
- This is used to initialize and prepare all kinds of KDC side materials, like initializing concrete back end, setting up master keys, necessary principals (tgs, kadmin) and etc.
- Command-line interfaces to the Kerby administration system.
- Obtains and caches an initial ticket-granting ticket for principal.
- Lists the Kerby principal and tickets held in a credentials cache, or the keys held in a keytab file.
Kerby Lib Projects
- kerby-asn1. A model driven ASN-1 encoding and decoding framework
- kerby-config. A unified configuration API that aims to support various configuration file formats, like XML, INI, even Java Map and Properties.
- The core part is ensured to only depend on the JRE and SLF4J. Every external dependency is taken carefully and maintained separately.
- Nimbus JOSE + JWT, needed by token-provider and TokenPreauth mechanism.
- Netty, needed by netty based KDC server.
- Zookeeper, needed by zookeeper identity backend.
How to use library
The Apache Kerby is also available as a Maven dependency:
Apache License V2.0
How to contribute