Jonathan Turner
d48bee35ed
gssapi
|
9 年之前 | |
|---|---|---|
| GSSAPI | 9 年之前 | |
| asn1tools | 9 年之前 | |
| client | 9 年之前 | |
| config | 9 年之前 | |
| credentials | 9 年之前 | |
| crypto | 9 年之前 | |
| iana | 9 年之前 | |
| keytab | 9 年之前 | |
| messages | 9 年之前 | |
| testdata | 9 年之前 | |
| testenv | 9 年之前 | |
| types | 9 年之前 | |
| .gitignore | 9 年之前 | |
| LICENSE | 9 年之前 | |
| README.md | 9 年之前 | |
| debug.go | 9 年之前 |
README.md
gokrb5
This is work in progress and does not yet fully work...
Implemented Encryption & Checksum Types
The currently implemented encrytion types are:
| Implementation | Encryption ID | Checksum ID |
|---|---|---|
| aes128-cts-hmac-sha1-96 | 17 | 15 |
| aes256-cts-hmac-sha1-96 | 18 | 16 |
Usage
Configuration
The gokrb5 libraries use the same krb5.conf configuration file format as MIT Kerberos, described here. Config instances can be created by loading from a file path or by passing a string, io.Reader or bufio.Scanner to the relevant method:
import "github.com/jcmturner/gokrb5/config"
cfg, err := config.Load("/path/to/config/file")
cfg, err := config.NewConfigFromString(krb5Str) //String must have appropriate newline separations
cfg, err := config.NewConfigFromReader(reader)
cfg, err := config.NewConfigFromScanner(scanner)
Keytab files
Standard keytab files can be read from a file or from a slice of bytes:
import "github.com/jcmturner/gokrb5/keytab"
ktFromFile, err := keytab.Load("/path/to/file.keytab")
ktFromBytes, err := keytab.Parse(b)
Kerberos Client
Create a client instance with either a password or a keytab:
import "github.com/jcmturner/gokrb5/client"
cl := client.NewClientWithPassword("username", "REALM.COM", "password")
cl := client.NewClientWithKeytab("username", "REALM.COM", kt)
Provide configuration to the client:
cl.WithConfig(cfg)
Login:
err := cl.Login
(Optional) Enable automatic refresh of Kerberos Ticket Granting Ticket (TGT):
cl.EnableAutoSessionRenewal()
Request a Serivce ticket for a Service Principal Name (SPN). This method will use the client's cache either returning a valid cached ticket, renewing a cached ticket with the KDC or requesting a new ticket from the KDC. Therefore the GetServiceTicket method can be continually used for the most efficient interaction with the KDC.
tkt, err := cl.GetServiceTicket("HTTP/host.test.gokrb5")
References
RFCs
- RFC 4120 The Kerberos Network Authentication Service (V5) text html
- RFC 3961 Encryption and Checksum Specifications for Kerberos 5 text html
- RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5 text html
- RFC 4121 The Kerberos Version 5 GSS-API Mechanism text html
- RFC 4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism text html
- RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows text html
- RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals text html
- RFC 6113 A Generalized Framework for Kerberos Pre-Authentication text html
- IANA Assigned Kerberos Numbers
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 1
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 2
- Microsoft PAC Validation
- Microsoft Kerberos Protocol Extensions
Useful Links
Thanks
- Greg Hudson from the MIT Consortium for Kerberos and Internet Trust for providing useful advice.
Known Issues
| Issue | Worked around? | References |
|---|---|---|
| Golang's ASN1 package cannot unmarshal into slice of asn1.RawValue | Yes | https://github.com/golang/go/issues/17321 |
| Golang's ASN1 package cannot marshal into a GeneralString | Yes - using https://github.com/jcmturner/asn1 | https://github.com/golang/go/issues/18832 |
| Golang's ASN1 package cannot marshal into slice of strings and pass stringtype parameter tags to members | Yes - using https://github.com/jcmturner/asn1 | https://github.com/golang/go/issues/18834 |
| Golang's ASN1 package cannot marshal with application tags | Yes |