{"id":22928183,"url":"https://github.com/cea-hpc/kfs","last_synced_at":"2025-05-13T01:51:45.730Z","repository":{"id":145408441,"uuid":"178222641","full_name":"cea-hpc/kfs","owner":"cea-hpc","description":"HTTPS file server serving files from Kerberos shares","archived":false,"fork":false,"pushed_at":"2025-03-26T15:36:34.000Z","size":117,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-03-26T16:37:07.207Z","etag":null,"topics":["cea","go","https","kerberos"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cea-hpc.png","metadata":{"files":{"readme":"README.asciidoc","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-03-28T14:40:26.000Z","updated_at":"2025-03-26T15:36:38.000Z","dependencies_parsed_at":null,"dependency_job_id":"e232cf76-adad-41f6-82cf-4f52029eb9c0","html_url":"https://github.com/cea-hpc/kfs","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cea-hpc%2Fkfs","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cea-hpc%2Fkfs/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cea-hpc%2Fkfs/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cea-hpc%2Fkfs/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cea-hpc","download_url":"https://codeload.github.com/cea-hpc/kfs/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253856617,"owners_count":21974576,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cea","go","https","kerberos"],"created_at":"2024-12-14T09:17:44.449Z","updated_at":"2025-05-13T01:51:45.700Z","avatar_url":"https://github.com/cea-hpc.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"kfs\n===\n\nimage:https://travis-ci.org/cea-hpc/kfs.svg?branch=master[\"Build Status\", link=\"https://travis-ci.org/cea-hpc/kfs\"]\n\nkfs is a HTTPS file server serving files from Kerberos shares. It can be\nconfigured to expose different shares and/or directories on a same share.\n\nHow does it work?\n-----------------\n\nThe main program is kfs which is a daemon listening to HTTPS requests. When a\nconnection is made it authenticates the user using either SPNEGO or her\nlogin/password. If SPNEGO is used, the user must delegate her Kerberos\ncredentials to the server.\n\nOnce the user is authenticated, the server will acquire new Kerberos\ncredentials which will be saved in a file owned by the user in +/tmp+. It will\nthen spawn a simple HTTP server as the user which will be able to access the\nuser files thanks to the previously acquired credentials. The main server will\nact as a proxy between the user and the spawned HTTP server.\n\nThe user HTTP server will live until the Kerberos credentials expire or after\na time defined in the configuration. If the user initiates another connection\nduring this period, new credentials will be acquired and the lifetime of the\nserver will be extended accordingly.\n\nInstalling\n----------\n\nInstall the Go compiler suite: see http://golang.org/doc/install for details.\n\nDefine and export the +$GOPATH+ directory where the source code will be\nunpacked (e.g. '$HOME/go'):\n\n\t$ export GOPATH=$HOME/go\n\t$ mkdir -p $GOPATH/src/github.com/cea-hpc\n\t$ cd $GOPATH/src/github.com/cea-hpc\n\t$ tar xvf kfs-X.Y.Z.tar.gz\n\nCompile binaries:\n\n\t$ cd kfs-X.Y.Z\n\t$ make\n\nInstall binaries in +/usr/sbin+:\n\n\t# make install\n\nThe server needs a configuration file to start (see next section for details):\n\n\t# kfs /path/to/kfs.yaml\n\nConfiguration\n-------------\n\nA sample commented configuration file is found in the +config+ directory.\n\nThe only required parameters are the certificate and key files used for HTTPS:\n\n*tls_cert_file*::\n\t[string] path to the certificate file.\n\n*tls_key_file*::\n\t[string] path to the key file.\n\nBy default the server listen on all interfaces on the 8080 port. It can be\nchanged with the *listen* parameter whose format is '[host]:port'. If 'host'\nis not specified the server will listen on all available IP addresses.\n\nThe following parameters are used to configure Kerberos authentication :\n\n*gssapi_lib_path*::\n\t[string] path to the gssapi library. It is empty by default and the\n\tprogram should automatically detect the library. If it is not the case\n\tthe path should be set with this parameter.\n\n*keytab*::\n\t[string] path to the service keytab file. By default it is\n\t'/etc/krb5.keytab'.\n\n*service_name*::\n\t[string] Kerberos service name. By default it is 'HTTP/\u003cfully\n\tqualified domain name\u003e'.\n\n*realms*::\n\t[list of strings] Kerberos realms to authenticate users. They are\n\ttried sequentially until one is able to authenticate the user. Default\n\tis empty and administrators should add their realm(s).\n\nThe next parameters are used to configure the user process which will access\nuser files:\n\n*user_file_server*::\n\t[string] path to the 'kfs-user' helper binary. The default is\n\t'kfs-user'.\n\n*max_lifetime*::\n\t[string] this is the maximum lifetime of the user file server. The\n\tformat is a sequence of integers with a unit suffix: 'h' for hour, 'm'\n\tfor minute, 's' for second (e.g.  '2m40s', '1h', etc.). By default it\n\tis empty and the lifetime is the same as the acquired Kerberos user\n\tcredentials.\n\n*routes*::\n\t[mapping] this defines the routes for the user web server. The keys\n\tare start of URL path (e.g. '/listings'). The values are the\n\tfile-system path it provides access to. The patterns '\\{\\{HOME}}' and\n\t'\\{\\{USER}}' will respectively be replaced by the user home directory\n\tand the user login name. If the parameter is empty the default\n\tassociation is '/: \"\\{\\{HOME}}\"' which gives access to the full user\n\thome directory. A more restrictive mapping can be defined like in the\n\tfollowing example:\n\n\troutes:\n\t    /listings: \"{{HOME}}/listings\"\n\t    /scripts: \"{{HOME}}/scripts\"\n\nMiscellaneous\n-------------\n\nHelper files\n~~~~~~~~~~~~\n\nIn the +misc+ directory you can find a systemd service unit file and a SPEC\nfile to build a RPM for CentOS 7.\n\nHow to enable SPNEGO authentication in Curl/Firefox?\n~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n\nTo use SPNEGO authentication (i.e. not using login/password authentication)\nthe user needs to delegate its Kerberos credentials to the server.\n\nCurl\n^^^^\n\nThe user needs to use the +delegation+ command line parameter:\n\n\t$ curl --negotiate -u ':' --delegation always https://kfs.domain.tld/listings/sample.txt\n\nFirefox\n^^^^^^^\n\nTwo options must be configured in Firefox:\n\n*network.negotiate-auth.trusted-uris*::\n\tTo enable SPNEGO authentication if you already have a ticket. The name\n\tof the kfs server should be added to the list.\n\n*network.negotiate-auth.delegation-uris*::\n\tTo enable the delegation of the user credentials to the kfs server.\n\tThe name of the kfs server should be added to the list.\n\nCopying\n-------\n\nCopyright (C) 2018-2023 CEA/DAM/DIF\n\nkfs is distributed under the CeCILL-B, a French transposition of the BSD\nlicense. See the included files +Licence_CeCILL-B_V1-en.txt+ (English version)\nand +Licence_CeCILL-B_V1-fr.txt+ (French version) or visit\nhttp://www.cecill.info for details.\n\nAuthor\n------\n\nArnaud Guignard \u003carnaud.guignard@cea.fr\u003e\n\n// vim:tw=78:ft=asciidoc:\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcea-hpc%2Fkfs","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcea-hpc%2Fkfs","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcea-hpc%2Fkfs/lists"}