
Kerberos-Attestor

Overview

The Kerberos-Attestor is a plugin for the SPIRE server and agent that allows SPIRE to automatically attest nodes joined to a domain backed by the Kerberos authentication protocol. SPIRE is an open-source implementation of SPIFFE, a set of standards that provides authentication and trust to disparate micro-services operating in heterogeneous cloud-native environments. The predominant on-premises authentication protocol is Kerberos through Active Directory, and with the Kerberos-Attestor, environments backed by SPIRE can establish trust by leveraging existing enterprise identity stacks.

Base SVID SPIFFE ID Format

An agent attested by the Kerberos-Attestor plugin will have a base SVID whose SPIFFE ID is in this format:

spiffe://<trust_domain>/spire/agent/kerberos_attestor/<KRB_REALM>/<agent_fqdn>

Pre-Requisites

These instructions require a running SPIRE server and agent, each on a PhotonOS 2.0 host. Both hosts should also be domain-joined or promoted to a domain controller using Project Lightwave.

Pre-Requisite Installation Guides

  • Follow the PhotonOS Download Guide to learn how to obtain the OS and set it up
  • Follow the Project Lightwave README to learn how to install and configure Lightwave, promote domain controllers, and join clients to the domain on PhotonOS 2.0
  • Follow the SPIRE README to learn how to install and configure both the SPIRE Server and Agent

Compilation

There are two ways to get the plugin: use go install to build and install it, or build it from source.

Go Install

Running the following commands will download, build, and install the Kerberos-Attestor server and agent in your ${GOPATH}/bin directory by default, or in the path set by the ${GOBIN} environment variable.

  • Server:
    • go install github.com/spiffe/kerberos-attestor/server
  • Agent:
    • go install github.com/spiffe/kerberos-attestor/agent

Build from Source

  1. Clone this repo:
     git clone https://github.com/spiffe/kerberos-attestor ${GOPATH}/src/github.com/spiffe/kerberos-attestor
     cd ${GOPATH}/src/github.com/spiffe/kerberos-attestor
  2. Install utilities such as Glide:
     make utils
  3. Install dependencies:
     glide up
  4. Build the Kerberos-Attestor:
     make build
  5. Binaries for the server and agent should now be in the bin/ directory

Installation and Configuration

Kerberos-Attestor Server Plugin

  1. Edit the SPIRE Server config file to add the Kerberos-Attestor server plugin config:
     vim <SPIRE Installation Directory>/conf/server/server.conf
  2. Add the following HCL blob to the "plugins" section of the config file:
NodeAttestor "kerberos_attestor" {
    plugin_cmd = "${GOPATH}/src/github.com/spiffe/kerberos-attestor/bin/server"
    enabled = true
    plugin_data {
        krb_realm = "LIGHTWAVE.LOCAL"
        krb_conf_path = "/etc/krb5.conf"
        krb_keytab_path = "/etc/krb5.keytab"
    }
}
  • Replace plugin_cmd with the path to the Kerberos-Attestor server binary compiled earlier
  • Replace krb_realm with the domain you promoted when configuring Lightwave, written in all caps
  • krb_conf_path and krb_keytab_path point to the default paths of the Kerberos config file and keytab created during Lightwave promotion/join. Do not modify these unless you are using a different Kerberos provider or have changed the default paths for your own purposes

Kerberos-Attestor Agent Plugin

  1. Edit the SPIRE Agent config file to add the Kerberos-Attestor agent plugin config:
     vim <SPIRE Installation Directory>/conf/agent/agent.conf
  2. Add the following HCL blob to the "plugins" section of the config file:
NodeAttestor "kerberos_attestor" {
    plugin_cmd = "${GOPATH}/src/github.com/spiffe/kerberos-attestor/bin/agent"
    enabled = true
    plugin_data {
        krb_realm = "LIGHTWAVE.LOCAL"
        krb_conf_path = "/etc/krb5.conf"
        krb_keytab_path = "/etc/krb5.keytab"
        server_fqdn = "<FQDN of SPIRE Server>"
    }
}
  • Replace plugin_cmd with the path to the Kerberos-Attestor agent binary compiled earlier
  • Replace krb_realm with the domain you promoted when configuring Lightwave, written in all caps
  • krb_conf_path and krb_keytab_path point to the default paths of the Kerberos config file and keytab created during Lightwave promotion/join. Do not modify these unless you are using a different Kerberos provider or have changed the default paths for your own purposes
  • Replace server_fqdn with the FQDN of the SPIRE Server. This must be a fully qualified name without the final dot, for example spire-server.lightwave.local
  3. Remove the Join-Token NodeAttestor plugin config from this file, as a SPIRE Agent can only use one NodeAttestor plugin at a time
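The SPIFFE ID format above and the constraints from the configuration notes (krb_realm in all caps, FQDNs without a trailing dot) can be checked in code. The following is an added example, not part of the Kerberos-Attestor project: it builds and parses the kerberos_attestor base SVID SPIFFE ID so that a registrar or workload can confirm an agent ID came through this attestor and that its realm matches the configured krb_realm. Trust domain and host names are constructed sample values.

```go
package main

import (
	"fmt"
	"strings"
)

// Path segment SPIRE uses for base SVIDs issued through this plugin.
const attestorPathPrefix = "/spire/agent/kerberos_attestor/"

// BaseSVIDSpiffeID builds the documented ID, enforcing the constraints from the
// configuration notes: krb_realm in all caps, agent FQDN without a trailing dot.
func BaseSVIDSpiffeID(trustDomain, realm, agentFQDN string) (string, error) {
	if trustDomain == "" || strings.ContainsAny(trustDomain, "/:") {
		return "", fmt.Errorf("invalid trust domain %q", trustDomain)
	}
	if realm == "" || realm != strings.ToUpper(realm) || strings.Contains(realm, "/") {
		return "", fmt.Errorf("krb_realm %q must be non-empty and in all caps", realm)
	}
	if agentFQDN == "" || strings.HasSuffix(agentFQDN, ".") || strings.Contains(agentFQDN, "/") {
		return "", fmt.Errorf("agent FQDN %q must be non-empty with no trailing dot", agentFQDN)
	}
	return "spiffe://" + trustDomain + attestorPathPrefix + realm + "/" + agentFQDN, nil
}

// ParseBaseSVIDSpiffeID is the inverse: it confirms the ID came through the
// kerberos_attestor path and returns the realm and FQDN so the caller can
// compare the realm against its own krb_realm before trusting the agent.
func ParseBaseSVIDSpiffeID(id string) (trustDomain, realm, agentFQDN string, err error) {
	if !strings.HasPrefix(id, "spiffe://") {
		return "", "", "", fmt.Errorf("not a SPIFFE ID: %q", id)
	}
	rest := strings.TrimPrefix(id, "spiffe://")
	i := strings.Index(rest, attestorPathPrefix)
	if i <= 0 {
		return "", "", "", fmt.Errorf("not a kerberos_attestor agent ID: %q", id)
	}
	parts := strings.Split(rest[i+len(attestorPathPrefix):], "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", "", fmt.Errorf("expected <KRB_REALM>/<agent_fqdn> in %q", id)
	}
	return rest[:i], parts[0], parts[1], nil
}

func main() {
	// Constructed sample values; the realm is the one used in the config above.
	id, err := BaseSVIDSpiffeID("example.org", "LIGHTWAVE.LOCAL", "agent1.lightwave.local")
	fmt.Println(id, err)
}
```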

Start SPIRE with Kerberos-Attestor plugins

SPIRE Server

cd <SPIRE Installation Directory>
./spire-server run

SPIRE Agent

cd <SPIRE Installation Directory>
./spire-agent run
