[39568] in Kerberos
Re: Golang GSSAPI spec
daemon@ATHENA.MIT.EDU (Osipov, Michael \(IN IT IN\) via K)
Fri Oct 24 04:07:11 2025
Message-ID: <da56bcf3-d17c-476e-983f-9f88326f097c@innomotics.com>
Date: Fri, 24 Oct 2025 10:06:30 +0200
To: kerberos@mit.edu
In-Reply-To: <CAExmWcgo0ZHmJB4or0isZtwy=an7tD+SpzQ=_ymYd6RfZBEtSA@mail.gmail.com>
From: "Osipov, Michael \(IN IT IN\) via Kerberos" <kerberos@mit.edu>
Reply-To: "Osipov, Michael \(IN IT IN\)" <michael.osipov@innomotics.com>
On 2025-10-24 02:53, Jake Scott wrote:
> Hi there..
>
> I've been working on a spec for GSSAPI on Go similar to RFC2744 and RFC2853
> for C and Java. I have a working implementation of the described interface
> and a provider that wraps the MIT & Heimdal C libraries. The idea is to
> provide an idiomatic interface for Go developers that supports multiple
> providers (like the C provider or a pure Go provider at some point).
>
> I would love some feedback before launching this on the world! It is
> currently in beta, and the docs/code are at:
>
>...
> I know the C folks probably won't be keen on the more OO approach - would
> be interested to know how people think this compares with the Java
> interface though and whether there have been any issues to be aware of with
> this approach.

Hi Jake,

this is a pleasant surprise to see this for Go as well. We've been using
Go for some smaller projects at $work and it might get
interesting/required, though my personal knowledge/understanding in/of
Go is very limited. I have strong knowledge especially in Java (JGSS)
and py-gssapi. I have a few questions/pointers for you:

* Have you looked into py-gssapi? It is a very clean, yet convenient
wrapper around your C GSS-API. I have been using it at low-level and high-level
with pleasure without the need to resort to C.
* The JGSS RFC is very dated and lacks a lot of features which have been
introduced in the C API in the past decade. There is now also an
ExtendedJGSSContext you might want to check.
* You should write to security-dev@openjdk mailing list and ask Max
(Weijun Wang). He is the lead guy for JGSS impl at Oracle. Feel free to
mention my name.
* You should not make the API public too soon, stuff like this takes
time and will then be set in stone. Every change can break people's stuff.
* Since you support Apple Kerberos, see
https://github.com/curl/curl/issues/19109. This might be interesting for
you.
* FreeBSD base Kerberos: The ancient Heimdal has been replaced with MIT
Kerberos 1.22.1 in the base system for 15. You might want to check that.
* Being spoiled from the Python integration I want to ask you this:
** Does it easily plug into Go's URL transport library, e.g.,
py-requests-gssapi to authenticate via SPNEGO?
** Python uses OpenLDAP libs with Cyrus SASL where SASL GSSAPI mech
comes for free, I have seen that you provide LDAP examples as well, how
trivial is it to make this happen in the Go impl too? This might get
interesting for us as well (LDAP calls to Active Directory)?
Thank you!
PS: I truly like
https://github.com/golang-auth/go-gssapi-c?tab=readme-ov-file#go-gssapi-c-bindings-provider
you really did your homework. Kudos to your professionalism!