kerberosauthenticator

An Authenticator for JupyterHub that authenticates using Kerberos.

Installation

kerberosauthenticator should be installed in the same Python environment as the JupyterHub server.

Install with Pip:

pip install jupyterhub-kerberosauthenticator

Install from source:

pip install git+https://github.com/jupyterhub/kerberosauthenticator.git

Configuration

Kerberos authentication requires a keytab for the HTTP service principle for the host running JupyterHub. Keytabs can be created on the command-line as follows:

$ kadmin -q "addprinc -randkey HTTP/FQDN"
$ kadmin -q "xst -norandkey -k HTTP.keytab HTTP/FQDN"

where FQDN is the fully qualified domain name of the host running JupyterHub. This keytab should be readable only by admins and other services that may need it, and is typically stored with the JupyterHub configuration at /etc/jupyterhub/HTTP.keytab:

# Move the keytab to some expected location
$ mv HTTP.keytab /etc/jupyterhub/HTTP.keytab

# Make the keytab readable/writable only by jupyterhub and the admin group
$ chmod 440 /etc/jupyterhub/HTTP.keytab
$ chown jupyterhub:admin /etc/jupyterhub/HTTP.keytab

To enable kerberosauthenticator, add the following lines to your jupyterhub_config.py:

c.JupyterHub.authenticator_class = 'kerberosauthenticator.KerberosAuthenticator'
c.JupyterHub.keytab = '/etc/jupyterhub/HTTP.keytab'

For many systems these parameters will be sufficient. Authenticators support several other options such as whitelists or post-auth hooks. For more information on all configuration options, see Configuration Options.

Enabling Kerberos Authentication in Your Browser

For Kerberos authentication to work properly, you usually have to enable support for it in your browser. For more information see this guide from Cloudera.

Additional Resources

If you’re interested in kerberosauthenticator, you may also be interested in a few other libraries:

A (not complete) list of other authenticators can be found in the JupyterHub Wiki.