[39429] in Kerberos


Re: How to get Kerberos token for proxy authentication

daemon@ATHENA.MIT.EDU (m_a_n_j_u_s_k--- via Kerberos)
Tue Jun 4 08:32:44 2024

Date: Tue, 4 Jun 2024 12:31:26 +0000 (UTC)
To: Thomas Kula <kula@tproa.net>, "kerberos@mit.edu" <kerberos@mit.edu>,
        Simo Sorce <simo@redhat.com>
Message-ID: <1164986234.1357879.1717504286646@mail.yahoo.com>
In-Reply-To: <1776768013.767181.1711309327191@mail.yahoo.com>
MIME-Version: 1.0
From: m_a_n_j_u_s_k--- via Kerberos <kerberos@mit.edu>
Reply-To: "m_a_n_j_u_s_k@yahoo.com" <m_a_n_j_u_s_k@yahoo.com>
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi again,
I am looking at implementing this (getting a Kerberos service token) in C using the Heimdal Kerberos library.
In Golang, using this Go package, https://github.com/alexbrainman/sspi, it was simply two calls, as below:

cred = negotiate.AcquireCurrentCredentials()
token = negotiate.NewClientContext(cred, spn)

However, it looks a bit complex in C using the MIT/Heimdal library. I am looking at this example mentioned in the RFC here: https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
Just checking if someone has done a similar thing and I am on the right track. Thank you.






    On Sunday, 24 March 2024 at 19:44:01 GMT, m_a_n_j_u_s_k--- via Kerberos <kerberos@mit.edu> wrote:  
 
  Thank you. Yes, as suggested here, I am looking into using either the MIT or Heimdal Kerberos implementation.

    On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce <simo@redhat.com> wrote:  
 
 On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
> On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
> > > Thanks again Ken.  My application is written in Go. So I'm looking
> > > for Kerberos implementation that can be easily integrated with my
> > > application. Hence I  was considering MIT Kerberos and using C bindings
> > > to call those APIs from my Go code.  "MacOS X it might be easier to use
> > > the native GSSAPI implementation which would be Heimdal"
> > > 
> > > Here did you mean developer.apple.com/documentation/gss ? Isn't that in
> > > Swift ? I will explore libcurl code thank-you.
> > 
> > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
> > standard C API for the GSSAPI functions.  I don't have much experience
> > with Go but if you can call C functions from within it (and I have to
> > believe that is possible) then doing so for Heimdal should be fine.
> > There might be a few differences in term of what GSSAPI extension
> > functions are available but from what you describe you should only need
> > the standard GSSAPI functions.
> 
> Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
> in the past with some experiments in some Go code I was working on, I
> wasn't touching GSSAPI but there's at least some GSSAPI code in there.
> Might be worth checking out as it's native Go code, no cgo wrapping.
> 

Last time I checked that code was kept together with spit and tape, and
was far from what I would consider usable in production for general
use.
It implements the minimum set of code needed for the specific use case
and specific file credential of the person that built it, and will fall
apart as soon as you do anything funny.

There is also no guarantee it is secure.

As much as I understand the desire of new languages to have "native
code" I strongly suggest to avoid the urge in this case. Both Heimdal
and MIT Kerberos have decades of development behind them, not something
you reproduce in a "summer of coding".

HTH,
Simo.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc









________________________________________________
Kerberos mailing list          Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
  

