Being a once-in-a-while-contributor to curl
in that area. Here is what you need to know:
curl(1)
itself knows nothing about Kerberos and will not interact neither with your credential cache nor your keytab file. It will delegate all calls to a GSS-API implementation which will do the magic for you. What magic depends on the library, Heimdal and MIT Kerberos.
Based on your question, I assume that you have little knowledge about Kerberos and want simply automate API calls to a REST endpoints secured by SPNEGO.
Here is what you need to do:
- Have a Unix-like OS
- Install at least MIT Kerberos 1.11
- Install at least
curl
7.38.0 against MIT Kerberos
- Verify this with
curl --version
mentioning GSS-API and SPNEGO and with ldd
linked against your MIT Kerberos version.
- Create a client keytab for the service principal with
ktutil
or mskutil
- Try to obtain a TGT with that client keytab by
kinit -k -t <path-to-keytab> <principal-from-keytab>
- Verify with
klist
that you have a ticket cache
Environment is now ready to go:
- Export
KRB5CCNAME=<some-non-default-path>
- Export
KRB5_CLIENT_KTNAME=<path-to-keytab>
- Invoke
curl --negotiate -u : <URL>
MIT Kerberos will detect that both environment variables are set, inspect them, automatically obtain a TGT with your keytab, request a service ticket and pass to curl
. You are done.
Note: this will not work with Heimdal.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…