Apache Kerby, an Apache Directory sub-project, is a Java Kerberos binding. It provides a rich, intuitive and interoperable implementation, library, KDC and various facilities that integrate PKI, OTP and token (OAuth2) as desired in modern environments such as cloud, Hadoop and mobile.
- kerb-client: a Kerberos client API for applications to interact with the KDC. Please look at kerb-client for details.
- kerb-admin: server-side admin facilities. Please look at kerb-admin for details.
- kerb-server: Kerberos server API. Please look at kerb-server for details.
- kerb-simplekdc: a simplified KDC server that other projects can import to act as a KDC. Please look at kerb-simplekdc for details.
- kerby-asn1: a model-driven ASN.1 encoding and decoding framework implemented in Java. Please look at kerby-asn1 for details.
- Kerby KDC: please look at Kerby KDC for details.
Supported encryption types, matching MIT krb5's:

| Encryption Type | Description |
|---|---|
| des-cbc-crc | DES cbc mode with CRC-32 (weak) |
| des-cbc-md4 | DES cbc mode with RSA-MD4 (weak) |
| des-cbc-md5 | DES cbc mode with RSA-MD5 (weak) |
| des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd | Triple DES cbc mode with HMAC/sha1 |
| des-hmac-sha1 | DES with HMAC/sha1 (weak) |
| aes256-cts-hmac-sha1-96 aes256-cts | AES-256 CTS mode with 96-bit SHA-1 HMAC |
| aes128-cts-hmac-sha1-96 aes128-cts | AES-128 CTS mode with 96-bit SHA-1 HMAC |
| arcfour-hmac rc4-hmac arcfour-hmac-md5 | RC4 with HMAC/MD5 |
| arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp | Exportable RC4 with HMAC/MD5 (weak) |
| camellia256-cts-cmac camellia256-cts | Camellia-256 CTS mode with CMAC |
| camellia128-cts-cmac camellia128-cts | Camellia-128 CTS mode with CMAC |
| des | The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) |
| des3 | The triple DES family: des3-cbc-sha1 |
| aes | The AES family: aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96 |
| rc4 | The RC4 family: arcfour-hmac |
| camellia | The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac |
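As an added defender-side check (this is not Kerby code; Kerby parses MIT-style krb5.conf itself, per the release notes below), the script uses the family aliases and "(weak)" markers from the table above to flag [libdefaults] enctype lists that still admit weak types. The two sample configs are constructed for the example.

```python
import re

# Enctype families, aliases and "(weak)" markers taken from the table above.
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md5", "des-cbc-md4"],
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
ALIASES = {
    "des3-hmac-sha1": "des3-cbc-sha1", "des3-cbc-sha1-kd": "des3-cbc-sha1",
    "aes256-cts": "aes256-cts-hmac-sha1-96", "aes128-cts": "aes128-cts-hmac-sha1-96",
    "rc4-hmac": "arcfour-hmac", "arcfour-hmac-md5": "arcfour-hmac",
    "rc4-hmac-exp": "arcfour-hmac-exp", "arcfour-hmac-md5-exp": "arcfour-hmac-exp",
}
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "arcfour-hmac-exp"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def expand(name):
    # A family name expands to its members; an alias maps to its canonical name.
    name = name.lower()
    return FAMILIES.get(name, [ALIASES.get(name, name)])

def audit_krb5_conf(text):
    # Return {setting: [weak canonical enctypes]} for the [libdefaults] enctype lists.
    findings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and whitespace
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                weak = [e for tok in value.split() for e in expand(tok) if e in WEAK]
                if weak:
                    findings[key] = weak
    return findings

# Constructed sample configs: a list that admits weak types beside a corrected one.
WEAK_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
permitted_enctypes = aes des rc4-hmac-exp   # "des" is a whole weak family
"""
FIXED_CONF = """[libdefaults]
default_realm = EXAMPLE.COM
permitted_enctypes = aes256-cts aes128-cts camellia
"""
```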
A standalone KDC server that can integrate various identity backends including:
Apache Kerby is also available as Maven dependencies:

```xml
<dependency>
  <groupId>org.apache.kerby</groupId>
  <artifactId>kerb-client-api-all</artifactId>
  <version>${kerby-version}</version>
</dependency>

<dependency>
  <groupId>org.apache.kerby</groupId>
  <artifactId>kerb-server-api-all</artifactId>
  <version>${kerby-version}</version>
</dependency>

<dependency>
  <groupId>org.apache.kerby</groupId>
  <artifactId>kerby-asn1</artifactId>
  <version>${kerby-version}</version>
</dependency>

<dependency>
  <groupId>org.apache.kerby</groupId>
  <artifactId>kerb-simplekdc</artifactId>
  <version>${kerby-version}</version>
</dependency>
```
Apache License V2.0
Sub-task

- [DIRKRB-123] - Implementing cross-realm support
- [DIRKRB-551] - Data type conversion between GSSAPI interface and Kerby
- [DIRKRB-555] - Implement GSSNameSpi interface
- [DIRKRB-559] - Validation of ApReq and ApRep message in peer node
- [DIRKRB-560] - Implement GSSContextSpi interface
- [DIRKRB-565] - Implement Gss tokens defined in RFC 4121
- [DIRKRB-566] - Implement Gss tokens defined in RFC 1964
- [DIRKRB-568] - Using RFC 4121 tokens in KerbyContext
- [DIRKRB-571] - Add encryptRaw interface for GssToken encryption
- [DIRKRB-576] - Add test for client-server based on Kerby GssApi
- [DIRKRB-581] - Incompatible token header in init context against JDK GssApi

Bug

- [DIRKRB-520] - Fix findbugs issues in Kerby ASN1, Kerby Config and Kerby PKIX
- [DIRKRB-636] - NPE in GssInitCred when no initial GSSCredential is passed to manager.createContext
- [DIRKRB-637] - NPE in GssAcceptCred when no initial GSSCredential is passed to manager.createContext
- [DIRKRB-638] - KerbyGssAppTest fails when there is no keytab on the service side
- [DIRKRB-642] - Remove the bytes util functions in GssTokenBase
- [DIRKRB-647] - Compilation error with java7 in gss module
- [DIRKRB-652] - Support dynamic load token provider
- [DIRKRB-656] - Compatibility problem with Kerberos when getting service ticket
- [DIRKRB-658] - KerbyTokenAppTest failed on Mac
- [DIRKRB-660] - Compatibility problem with hadoop when getting default credential cache
- [DIRKRB-664] - Upgrade Nimbus dependency
- [DIRKRB-666] - NPE if klist.sh is called on an empty cache
- [DIRKRB-667] - Kerby and Tool distributions are lacking required jars
- [DIRKRB-670] - Add checksum verification in TgsRequest

Improvement

- [DIRKRB-651] - Add support to send a JWT AccessToken via the GSS API
- [DIRKRB-653] - Implement kinit -c -S to get service ticket
- [DIRKRB-657] - Implement kinit tool to get tgt ticket from remote realm
- [DIRKRB-661] - Add duration time parse support when parsing krb5.conf
- [DIRKRB-668] - Enable KDC backend connect to the HA Zookeeper Cluster
- [DIRKRB-669] - Authorization data needed by backend code create a circular project reference

New Feature

- [DIRKRB-535] - Implementing GSSAPI module based on Kerby Kerberos library
- [DIRKRB-649] - Cross realm server side implementation

Task

- [DIRKRB-654] - Add support to receive a JWT AccessToken via the GSS API
- [DIRKRB-655] - Add setting up cross realm authentication guide

Test

- [DIRKRB-663] - Add some unit tests for cross realm

Bug

- [DIRKRB-614] - Kerby (simplekdc) fails to handle unknown PADATA
- [DIRKRB-629] - ICMP Port Unreachable error message with GSS + default transport
- [DIRKRB-631] - Not compatible with MIT Kerberos 1.11+
- [DIRKRB-633] - "Invalid signature file digest for Manifest main attributes" exception after running kinit tool
- [DIRKRB-634] - Failed to get service granting ticket from MIT KDC using Kerby client
- [DIRKRB-644] - ClassCastException in TokenPreauth
- [DIRKRB-645] - Start KerbyKdcServer should be failed if kdc_port already in use

Improvement

- [DIRKRB-635] - Backends should be optional when building kerby
- [DIRKRB-641] - Implement kinit -k -i
- [DIRKRB-643] - Implement kinit -l -r
- [DIRKRB-646] - Add the feature of parsing time duration for kinit tool

New Feature

- [DIRKRB-632] - Put claims from the JWT access token into the authorization data of the ticket

Sub-task

- [DIRKRB-247] - Kerby's KDC supports MIT's kinit
- [DIRKRB-421] - Define transaction API for identity backend
- [DIRKRB-422] - Enhance json backend to support transaction for reasonable efficiency
- [DIRKRB-478] - Refine and enhance the client side library
- [DIRKRB-524] - XDR (RFC 4506) support

Bug

- [DIRKRB-583] - Validate payload length declared in keytab
- [DIRKRB-584] - NPE if the token issuers value is not specified
- [DIRKRB-585] - Allow for optional expiry + NotBefore claims when processing a JWT token
- [DIRKRB-586] - NPE in KdcHandler on an Exception
- [DIRKRB-613] - Tests fail on systems with includedir in /etc/krb5.conf
- [DIRKRB-621] - 0x502 version keytab with multiple entries are not read properly
- [DIRKRB-624] - KdcServerTest failed with exception
- [DIRKRB-626] - Some improvement work for exception handling
- [DIRKRB-627] - Kerby hangs when the service principal is not known

Improvement

- [DIRKRB-416] - Allow to support transaction for backend
- [DIRKRB-459] - Enhance the support for MIT krb5.conf configuration format
- [DIRKRB-482] - Break down KrbOption
- [DIRKRB-587] - Load JWT verification key from classpath as well
- [DIRKRB-588] - Support validation keys in different formats
- [DIRKRB-607] - Improve Simple KDC Server to be thread safe
- [DIRKRB-623] - Move the backend related tests to backend modules

Task

- [DIRKRB-155] - Add the missing Javadoc for kerby-asn1 module
- [DIRKRB-532] - Encode and decode XDR: Union and Struct
105 JIRA issues were resolved, with the following features and important changes since 1.0.0-RC1: