CAF::Kerberos - Class for Kerberos handling using GSSAPI.


This class handles Kerberos tickets and some utitlities like kerberos en/decryption.

To create a new ticket for principal SERVICE/host@REALM (using default (server) keytab for the TGT), you can use

my $krb = CAF::Kerberos->new(
    principal => 'SERVICE/host@REALM',
    log => $self,
return if(! defined($krb->get_context());

### set environment to temporary credential cache
### temporary cache is cleaned-up during destroy of $krb
local %ENV;


  • _initialize

    Initialize the kerberos object. Arguments:

    Optional arguments

    • log

      A CAF::Reporter object to log to.

    • lifetime, keytab

      Ticket lifetime and keytab are passed to update_ticket_options method.

    • primary, instances, realm, principal

      Principal primary, instances, realm and principal are passed to update_principal method.

  • update_ticket_options

    Update ticket details using optional named arguments (and set the keytab ENV attributes).

    • lifetime

      Requested lifetime. (There is no verification if the actual lifetime is this long).

    • keytab

      Set the keytab to use to create the TGT.

  • update_principal

    Set the principal details (primary, instances and/or realm) using following optional named arguments

    • primary

      The primary component (i.e. username or service) (cannot be empty string).

    • instances

      Array reference with instances for the principal

    • realm

      The realm.

    • principal

      The principal string, will be split in above components. Any individual component specified will precede the value from this string.

  • create_credential_cache

    Create the credential cache and add the KRB5CCNAME to the temp environment. Returns SUCCESS on success, undef otherwise (see fail attribute).

  • get_context

    Create a GSSAPI::Context.

    Following options are supported

    • name

      The GSSAPI::Name instance to use. If undef, get_name method will be used to create one.

    • iflags

      Input flags/bits for the Context to create to support certain service options. (See e.g. _spnego_iflags). Defaults to 0.

    • itoken

      Input token (GSS_C_NO_BUFFER is used if not defined).

    Returns the output token in case of succes, undef in case of failure.

  • get_name

    Return a imported GSSAPI::Name instance.

    Returns undef on failure.

    Optional principal hashref is passed to _principal_string.


    On DESTROY, following cleanup will be triggered

    • Cleanup of credential cache
  • _principal_string

    Convert the principal hashref into a principal string.

    Optional principal hashref can be passed, if none is provided, use the instance $self-{principal}>.

    Returns the principal string, undef in case or problem.

  • _split_principal_string

    Split a principal string in primary, instances and realm components.

    Returns a hashref with the components, undef incase the string is invalid.

  • _spnego_iflags

    Create the SPNEGO iflags for Context instance.

    Optional $delegate boolean.

  • _gss_decrypt

    Given token, decrypt inbuf that is encrypted with GSSAPI wrap'ping. Returns human readable GSSAPI::Name and decrypted output buffer. Returns undef on failure.

  • _gss_status

    Evaulatues status: on success, returns SUCCESS reports with verbose, on failure returns fail (The fail message is set in the fail attribute).

    Optional text can be used to construct the message prefix.

  • _gssapi_{init,accept,wrap,unwrap,import,display}

    Interfaces to GSSAPI methods returning a GSSAPI::Status instance.

    Given an instance of GSSAPI::Context (for accept,init,valid_time_left,wrap,unwrap) or GSSAPI::Name (for display,import), call the metod on the instacne with the remaining arguments. The returned status is processed by _gss_status.

    Returns undef in case of failure (with message in fail attribute), SUCCESS otherwise.

  • _process

    Run arrayref $cmd via CAF::Process-new->output> in updated environment.

    Returns the output.

  • _kinit

    Obtain the TGT using kinit, using the credential cache specified in the 'KRB5CCNAME' environment variable.

    Principal used is generated via _principal_string.

    Returns SUCCESS on success, undef otherwise.