As a sometime curl contributor in this area, here is what you need to know:
`curl(1)` itself knows nothing about Kerberos and will not interact with either your credential cache or your keytab file. It will delegate all calls to the GSS-API implementation, which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos.
Based on your question, I assume that you have little knowledge about Kerberos and you just want to automate API calls to REST endpoints protected by SPNEGO.
Here is what you need to do:
- Unix-like OS
- Install at least MIT Kerberos 1.11
- Install at least `curl` 7.38.0 built against MIT Kerberos
- Confirm this with `curl --version`, which should mention GSS-API and SPNEGO, and with `ldd` that it is linked against your version of MIT Kerberos
- Create a client keytab for a service principal using `ktutil` or `mskutil`
- Try to get a TGT using the client keytab: `kinit -k -t <path-to-keytab> <principal-from-keytab>`
- Confirm with `klist` that you have a ticket cache
Now the environment is ready to go:
- Export `KRB5CCNAME=<some-non-default-path>`
- Export `KRB5_CLIENT_KTNAME=<path-to-keytab>`
- Call `curl --negotiate -u : <URL>`
MIT Kerberos will detect that both environment variables are set, check them, automatically get a TGT with the keytab, request a service ticket and pass it to `curl`. You are done.
Note: this will not work with Heimdal.
Michael-o
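A preflight for the setup steps above, as an added example that is not part of the original answer: it checks the curl version, the GSS-API and SPNEGO features and the linked GSS-API library before running the keytab flow. The library sonames used to tell MIT from Heimdal, the `--live` argument convention and the temporary cache location are assumptions.

```shell
#!/bin/sh
# Added example: preflight for the keytab-driven SPNEGO setup described above.
# Parsers take captured command output as arguments so they can be checked offline.

version_ge() {  # version_ge A B: succeed if dotted version A >= B
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

has_feature() {  # has_feature "<curl --version text>" NAME
    printf '%s\n' "$1" | grep '^Features:' | tr ' ' '\n' | grep -qxF "$2"
}

gss_flavor() {  # classify the GSS-API library named in ldd output
    case $1 in
        *libgssapi_krb5.so*) echo mit ;;      # MIT Kerberos (assumed soname)
        *libgssapi.so*)      echo heimdal ;;  # Heimdal (assumed soname)
        *)                   echo none ;;
    esac
}

preflight() {  # preflight "<curl --version text>" "<ldd text>"
    ver=$(printf '%s\n' "$1" | awk 'NR == 1 { print $2 }')
    version_ge "$ver" 7.38.0 || { echo "curl $ver is older than 7.38.0"; return 1; }
    has_feature "$1" GSS-API || { echo "curl built without GSS-API"; return 1; }
    has_feature "$1" SPNEGO  || { echo "curl built without SPNEGO"; return 1; }
    [ "$(gss_flavor "$2")" = mit ] || { echo "curl not linked against MIT Kerberos"; return 1; }
    echo ok
}

# Live use (hypothetical CLI): sh preflight.sh --live <keytab> <principal> <URL>
if [ "${1:-}" = "--live" ]; then
    preflight "$(curl --version)" "$(ldd "$(command -v curl)")" || exit 1
    kinit -k -t "$2" "$3" && klist || exit 1   # prove the keytab can obtain a TGT
    # Private, non-default cache: mktemp -d creates a directory only this user can read.
    KRB5CCNAME="FILE:$(mktemp -d)/ccache"; export KRB5CCNAME
    KRB5_CLIENT_KTNAME="$2"; export KRB5_CLIENT_KTNAME
    curl --negotiate -u : "$4"
fi
```

Without `--live` the script only defines the functions, so the parsers can be exercised on saved `curl --version` and `ldd` output from the host that will run the automation.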