kfs is a HTTPS file server serving files from Kerberos shares. It can be configured to expose different shares and/or directories on a same share.

The main program is kfs which is a daemon listening to HTTPS requests. When a connection is made it authenticates the user using either SPNEGO or her login/password. If SPNEGO is used, the user must delegate her Kerberos credentials to the server.

Once the user is authenticated, the server will acquire new Kerberos credentials which will be saved in a file owned by the user in /tmp. It will then spawn a simple HTTP server as the user which will be able to access the user files thanks to the previously acquired credentials. The main server will act as a proxy between the user and the spawned HTTP server.

The user HTTP server will live until the Kerberos credentials expire or after a time defined in the configuration. If the user initiates another connection during this period, new credentials will be acquired and the lifetime of the server will be extended accordingly.

Install the Go compiler suite: see http://golang.org/doc/install for details.

Define and export the $GOPATH directory where the source code will be unpacked (e.g. $HOME/go):

Compile binaries:

Install binaries in /usr/sbin:

The server needs a configuration file to start (see next section for details):

A sample commented configuration file is found in the config directory.

The only required parameters are the certificate and key files used for HTTPS:

tls_cert_file

[string] path to the certificate file.

tls_key_file

[string] path to the key file.

By default the server listen on all interfaces on the 8080 port. It can be changed with the listen parameter whose format is [host]:port. If host is not specified the server will listen on all available IP addresses.

The following parameters are used to configure Kerberos authentication :

gssapi_lib_path

[string] path to the gssapi library. It is empty by default and the program should automatically detect the library. If it is not the case the path should be set with this parameter.

keytab

[string] path to the service keytab file. By default it is /etc/krb5.keytab.

service_name

[string] Kerberos service name. By default it is HTTP/<fully qualified domain name>.

realms

[list of strings] Kerberos realms to authenticate users. They are tried sequentially until one is able to authenticate the user. Default is empty and administrators should add their realm(s).

The next parameters are used to configure the user process which will access user files:

user_file_server

[string] path to the kfs-user helper binary. The default is kfs-user.

max_lifetime

[string] this is the maximum lifetime of the user file server. The format is a sequence of integers with a unit suffix: h for hour, m for minute, s for second (e.g. 2m40s, 1h, etc.). By default it is empty and the lifetime is the same as the acquired Kerberos user credentials.

routes

[mapping] this defines the routes for the user web server. The keys are start of URL path (e.g. /listings). The values are the file-system path it provides access to. The patterns \{{HOME}} and \{{USER}} will respectively be replaced by the user home directory and the user login name. If the parameter is empty the default association is /: "\{{HOME}}" which gives access to the full user home directory. A more restrictive mapping can be defined like in the following example:

routes:
    /listings: "{{HOME}}/listings"
    /scripts: "{{HOME}}/scripts"

Copyright © 2018-2023 CEA/DAM/DIF

kfs is distributed under the CeCILL-B, a French transposition of the BSD license. See the included files Licence_CeCILL-B_V1-en.txt (English version) and Licence_CeCILL-B_V1-fr.txt (French version) or visit http://www.cecill.info for details.

Arnaud Guignard <[email protected]>