• How to get Kerberos token for proxy authentication

    From manju k@21:1/5 to All on Sun Mar 17 05:37:46 2024
    Hi,
    I have a requirement to authenticate my application (Golang) against a proxy server which requires Kerberos authentication.
    I have achieved this on Windows using the github/alexbrainman/sspi Golang package. From that package I basically call negotiate.AcquireCurrentUserCredentials() and negotiate.NewClientContext() to get the client token which gets passed to the proxy server in the Proxy-Authorization header.
    I want to achieve the same on macOS and am looking for suitable libraries. Can I use the MIT Kerberos library for this purpose? What are the equivalent APIs to get the client token without prompting the user for a password? The user would have acquired a Kerberos ticket on sign-in as a domain user. Appreciate any inputs on this. Thank you. -mk



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Ken Hornstein@21:1/5 to manju k on Sun Mar 17 20:11:40 2024
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > Hi, I have a requirement to authenticate my application
    > (Golang) against a proxy server which requires Kerberos
    > authentication. I have achieved this on Windows using
    > github/alexbrainman/sspi Golang package. From that package I
    > basically call negotiate.AcquireCurrentUserCredentials() and
    > negotiate.NewClientContext() to get the client token which gets passed
    > to the proxy server in Proxy-Authorization header. I want to achieve
    > the same on macOS and looking for suitable libraries. Can I use MIT
    > Kerberos library for this purpose? What are the APIs equivalent to get
    > client token without prompting the user for password? The user would
    > have acquired Kerberos ticket on sign-in as a domain user.

    I believe you would want to use the GSSAPI for this. If your header
    looks like:

    Proxy-Authorization: Negotiate <base64 encoded data>

    Then definitely you want to use that. You could use libcurl as example
    code if you wanted to see what this would look like.

    --Ken

  • From m_a_n_j_u_s_k@yahoo.com@21:1/5 to Ken Hornstein on Tue Mar 19 12:28:21 2024
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS platforms. I was wondering if I can use MIT Kerberos GSSAPI for the same. Does libcurl use MIT Kerberos GSSAPI?
    Yes, my proxy header would look exactly like you mentioned.
    Thank you.

    On Mon, 18 Mar 2024 at 12:11 am, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
    > > Hi, I have a requirement to authenticate my application
    > > (Golang) against a proxy server which requires Kerberos
    > > authentication. I have achieved this on Windows using
    > > github/alexbrainman/sspi Golang package. From that package I
    > > basically call negotiate.AcquireCurrentUserCredentials() and
    > > negotiate.NewClientContext() to get the client token which gets passed
    > > to the proxy server in Proxy-Authorization header. I want to achieve
    > > the same on macOS and looking for suitable libraries. Can I use MIT
    > > Kerberos library for this purpose? What are the APIs equivalent to get
    > > client token without prompting the user for password? The user would
    > > have acquired Kerberos ticket on sign-in as a domain user.
    >
    > I believe you would want to use the GSSAPI for this. If your header
    > looks like:
    >
    > Proxy-Authorization: Negotiate <base64 encoded data>
    >
    > Then definitely you want to use that. You could use libcurl as example
    > code if you wanted to see what this would look like.
    >
    > --Ken


  • From Ken Hornstein@21:1/5 to All on Tue Mar 19 21:24:43 2024
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS
    > platforms. I was wondering if I can use MIT Kerberos GSSAPI for the
    > same. Does libcurl use MIT Kerberos gssapi? Yes my proxy header would
    > look exactly like you mentioned. Thank you.

    You should be able to use the MIT Kerberos GSSAPI implementation fine
    for this (but I think either MIT Kerberos or Heimdal would work; on
    MacOS X it might be easier to use the native GSSAPI implementation which
    would be Heimdal). My understanding is that libcurl can link against
    either Heimdal or MIT Kerberos, but you should probably investigate that yourself.

    --Ken

  • From m_a_n_j_u_s_k@yahoo.com@21:1/5 to Ken Hornstein on Wed Mar 20 10:40:34 2024
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    Thanks again Ken.
    My application is written in Go. So I'm looking for a Kerberos implementation that can be easily integrated with my application. Hence I was considering MIT Kerberos and using C bindings to call those APIs from my Go code.
    "MacOS X it might be easier to use the native GSSAPI implementation which would be Heimdal"

    Here did you mean developer.apple.com/documentation/gss? Isn't that in Swift? I will explore the libcurl code, thank you.

    On Wed, 20 Mar 2024 at 1:24 am, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
    > > Thanks Ken, I understand I need to use GSSAPI for Linux/MacOS
    > > platforms. I was wondering if I can use MIT Kerberos GSSAPI for the
    > > same. Does libcurl use MIT Kerberos gssapi? Yes my proxy header would
    > > look exactly like you mentioned. Thank you.
    >
    > You should be able to use the MIT Kerberos GSSAPI implementation fine
    > for this (but I think either MIT Kerberos or Heimdal would work; on
    > MacOS X it might be easier to use the native GSSAPI implementation which
    > would be Heimdal). My understanding is that libcurl can link against
    > either Heimdal or MIT Kerberos, but you should probably investigate that yourself.
    >
    > --Ken


  • From Ken Hornstein@21:1/5 to All on Wed Mar 20 11:33:16 2024
    Copy: kerberos@mit.edu (kerberos@mit.edu)

    > Thanks again Ken. My application is written in Go. So I'm looking
    > for Kerberos implementation that can be easily integrated with my
    > application. Hence I was considering MIT Kerberos and using C bindings
    > to call those APIs from my Go code. "MacOS X it might be easier to use
    > the native GSSAPI implementation which would be Heimdal"
    >
    > Here did you mean developer.apple.com/documentation/gss? Isn't that in
    > Swift? I will explore libcurl code thank-you.

    I can't speak for the Swift API, but Heimdal on MacOS X also provides a
    standard C API for the GSSAPI functions. I don't have much experience
    with Go but if you can call C functions from within it (and I have to
    believe that is possible) then doing so for Heimdal should be fine.
    There might be a few differences in terms of what GSSAPI extension
    functions are available but from what you describe you should only need
    the standard GSSAPI functions.

    --Ken

  • From Ken Hornstein@21:1/5 to Thomas Kula on Thu Mar 21 11:49:54 2024
    Copy: kerberos@mit.edu

    > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
    > in the past with some experiments in some Go code I was working on, I
    > wasn't touching GSSAPI but there's at least some GSSAPI code in there.
    > Might be worth checking out as it's native Go code, no cgo wrapping.

    I would caution you that if you are targeting MacOS X as a platform, one
    of the most important things is integration with the native credential
    cache format (especially if you are assuming your credentials are being
    acquired as part of the single sign-on process). On MacOS X the default
    credential cache uses an RPC mechanism to talk to a daemon process (and
    that has actually changed to a DIFFERENT RPC service in more recent
    versions of MacOS X). My brief look at gokrb5 suggests that it only
    supports the FILE credential cache type.

    --Ken

  • From Thomas Kula@21:1/5 to Ken Hornstein via Kerberos on Thu Mar 21 11:24:09 2024
    On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
    > > Thanks again Ken. My application is written in Go. So I'm looking
    > > for Kerberos implementation that can be easily integrated with my
    > > application. Hence I was considering MIT Kerberos and using C bindings
    > > to call those APIs from my Go code. "MacOS X it might be easier to use
    > > the native GSSAPI implementation which would be Heimdal"
    > >
    > > Here did you mean developer.apple.com/documentation/gss? Isn't that in
    > > Swift? I will explore libcurl code thank-you.
    >
    > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
    > standard C API for the GSSAPI functions. I don't have much experience
    > with Go but if you can call C functions from within it (and I have to
    > believe that is possible) then doing so for Heimdal should be fine.
    > There might be a few differences in terms of what GSSAPI extension
    > functions are available but from what you describe you should only need
    > the standard GSSAPI functions.

    Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
    in the past with some experiments in some Go code I was working on, I
    wasn't touching GSSAPI but there's at least some GSSAPI code in there.
    Might be worth checking out as it's native Go code, no cgo wrapping.

    --
    Thomas L. Kula | kula@tproa.net | https://kula.tproa.net/

  • From Simo Sorce@21:1/5 to Thomas Kula on Fri Mar 22 06:03:25 2024
    To: kerberos@mit.edu

    On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
    > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
    > > > Thanks again Ken. My application is written in Go. So I'm looking
    > > > for Kerberos implementation that can be easily integrated with my
    > > > application. Hence I was considering MIT Kerberos and using C bindings
    > > > to call those APIs from my Go code. "MacOS X it might be easier to use
    > > > the native GSSAPI implementation which would be Heimdal"
    > > >
    > > > Here did you mean developer.apple.com/documentation/gss? Isn't that in
    > > > Swift? I will explore libcurl code thank-you.
    > >
    > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
    > > standard C API for the GSSAPI functions. I don't have much experience
    > > with Go but if you can call C functions from within it (and I have to
    > > believe that is possible) then doing so for Heimdal should be fine.
    > > There might be a few differences in terms of what GSSAPI extension
    > > functions are available but from what you describe you should only need
    > > the standard GSSAPI functions.
    >
    > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
    > in the past with some experiments in some Go code I was working on, I
    > wasn't touching GSSAPI but there's at least some GSSAPI code in there.
    > Might be worth checking out as it's native Go code, no cgo wrapping.


    Last time I checked that code was kept together with spit and tape, and
    was far from what I would consider usable in production for general
    use.
    It implements the minimum set of code needed for the specific use case
    and specific file credential of the person that built it, and will fall
    apart as soon as you do anything funny.

    There is also no guarantee it is secure.

    As much as I understand the desire of new languages to have "native
    code" I strongly suggest to avoid the urge in this case. Both Heimdal
    and MIT Kerberos have decades of development behind them, not something
    you reproduce in a "summer of coding".

    HTH,
    Simo.

    --
    Simo Sorce
    Distinguished Engineer
    RHEL Crypto Team
    Red Hat, Inc

  • From m_a_n_j_u_s_k@yahoo.com@21:1/5 to Thomas Kula on Sun Mar 24 19:42:07 2024
    To: kerberos@mit.edu (kerberos@mit.edu)
    To: simo@redhat.com (Simo Sorce)

    Thank you. Yes, as suggested here, I am looking into using either the MIT or the Heimdal Kerberos implementation.

    On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce <simo@redhat.com> wrote:
    > On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
    > > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
    > > > > Thanks again Ken. My application is written in Go. So I'm looking
    > > > > for Kerberos implementation that can be easily integrated with my
    > > > > application. Hence I was considering MIT Kerberos and using C bindings
    > > > > to call those APIs from my Go code. "MacOS X it might be easier to use
    > > > > the native GSSAPI implementation which would be Heimdal"
    > > > >
    > > > > Here did you mean developer.apple.com/documentation/gss? Isn't that in
    > > > > Swift? I will explore libcurl code thank-you.
    > > >
    > > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
    > > > standard C API for the GSSAPI functions. I don't have much experience
    > > > with Go but if you can call C functions from within it (and I have to
    > > > believe that is possible) then doing so for Heimdal should be fine.
    > > > There might be a few differences in terms of what GSSAPI extension
    > > > functions are available but from what you describe you should only need
    > > > the standard GSSAPI functions.
    > >
    > > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
    > > in the past with some experiments in some Go code I was working on, I
    > > wasn't touching GSSAPI but there's at least some GSSAPI code in there.
    > > Might be worth checking out as it's native Go code, no cgo wrapping.
    >
    > Last time I checked that code was kept together with spit and tape, and
    > was far from what I would consider usable in production for general
    > use.
    > It implements the minimum set of code needed for the specific use case
    > and specific file credential of the person that built it, and will fall
    > apart as soon as you do anything funny.
    >
    > There is also no guarantee it is secure.
    >
    > As much as I understand the desire of new languages to have "native
    > code" I strongly suggest to avoid the urge in this case. Both Heimdal
    > and MIT Kerberos have decades of development behind them, not something
    > you reproduce in a "summer of coding".
    >
    > HTH,
    > Simo.
    >
    > --
    > Simo Sorce
    > Distinguished Engineer
    > RHEL Crypto Team
    > Red Hat, Inc

    ________________________________________________
    Kerberos mailing list          Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
  • From m_a_n_j_u_s_k@yahoo.com@21:1/5 to Thomas Kula on Tue Jun 4 12:31:26 2024
    To: kerberos@mit.edu (kerberos@mit.edu)
    To: simo@redhat.com (Simo Sorce)

    Hi again,
    I am looking at implementing this (getting a Kerberos service token) in C using the Heimdal Kerberos library.
    In Golang, using the Go package https://github.com/alexbrainman/sspi, it was simply two calls as below:

    cred = negotiate.AcquireCurrentCredentials()
    token = negotiate.NewClientContext(cred, spn)

    However it looks a bit complex in C using the MIT/Heimdal library. I am looking at this example mentioned in the RFC here: https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
    Just checking if someone has done a similar thing and I am on the right track. Thank you.

    On Sunday, 24 March 2024 at 19:44:01 GMT, m_a_n_j_u_s_k--- via Kerberos <kerberos@mit.edu> wrote:
    > Thank you. Yes, as suggested here, I am looking into using either MIT or Heimdal Kerberos implementation.
    >
    > On Friday, 22 March 2024 at 10:05:38 GMT, Simo Sorce <simo@redhat.com> wrote:
    > > On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
    > > > On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
    > > > > > Thanks again Ken. My application is written in Go. So I'm looking
    > > > > > for Kerberos implementation that can be easily integrated with my
    > > > > > application. Hence I was considering MIT Kerberos and using C bindings
    > > > > > to call those APIs from my Go code. "MacOS X it might be easier to use
    > > > > > the native GSSAPI implementation which would be Heimdal"
    > > > > >
    > > > > > Here did you mean developer.apple.com/documentation/gss? Isn't that in
    > > > > > Swift? I will explore libcurl code thank-you.
    > > > >
    > > > > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
    > > > > standard C API for the GSSAPI functions. I don't have much experience
    > > > > with Go but if you can call C functions from within it (and I have to
    > > > > believe that is possible) then doing so for Heimdal should be fine.
    > > > > There might be a few differences in terms of what GSSAPI extension
    > > > > functions are available but from what you describe you should only need
    > > > > the standard GSSAPI functions.
    > > >
    > > > Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
    > > > in the past with some experiments in some Go code I was working on, I
    > > > wasn't touching GSSAPI but there's at least some GSSAPI code in there.
    > > > Might be worth checking out as it's native Go code, no cgo wrapping.
    > >
    > > Last time I checked that code was kept together with spit and tape, and
    > > was far from what I would consider usable in production for general
    > > use.
    > > It implements the minimum set of code needed for the specific use case
    > > and specific file credential of the person that built it, and will fall
    > > apart as soon as you do anything funny.
    > >
    > > There is also no guarantee it is secure.
    > >
    > > As much as I understand the desire of new languages to have "native
    > > code" I strongly suggest to avoid the urge in this case. Both Heimdal
    > > and MIT Kerberos have decades of development behind them, not something
    > > you reproduce in a "summer of coding".
    > >
    > > HTH,
    > > Simo.
    > >
    > > --
    > > Simo Sorce
    > > Distinguished Engineer
    > > RHEL Crypto Team
    > > Red Hat, Inc
  • From Ken Hornstein@21:1/5 to All on Tue Jun 4 12:43:57 2024
    Copy: kerberos@mit.edu

    > Hi again, I am looking at the implementing this (getting Kerberos
    > service token) in C using Heimdal Kerberos library. In Golang using
    > this go package https://github.com/alexbrainman/sspi it was simply two
    > calls as below:
    >
    > cred=negotiate.AcquireCurrentCredentials()
    > token = negotiate.NewClientContext(cred, spn)
    >
    > However it looks bit complex in C
    > using MIT/Heimdal library. I am looking at this example mentioned in the
    > RFC here https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
    > Just checking if someone has done a similar thing and I am on the right
    > track. Thank you.

    I think you're comparing apples and oranges a bit there; those two calls
    you mention (which from my look at that Golang library really only end
    up as one SSPI call) are only a small part of the overall authentication
    flow. The code in that RFC you reference is a mostly-complete GSSAPI
    application which includes a full loop and interprocess communication.

    I'm going to repeat what I said last time: look at the libcurl source
    code which already does this.

    --Ken

  • From Simo Sorce@21:1/5 to m_a_n_j_u_s_k@yahoo.com on Tue Jun 4 15:15:48 2024
    To: kula@tproa.net (Thomas Kula)
    To: kerberos@mit.edu (kerberos@mit.edu)

    On Tue, 2024-06-04 at 12:31 +0000, m_a_n_j_u_s_k@yahoo.com wrote:
    > Hi again,
    >
    > I am looking at the implementing this (getting Kerberos service
    > token) in C using Heimdal Kerberos library.
    >
    > In Golang using this go package https://github.com/alexbrainman/sspi
    > it was simply two calls as below:
    >
    > cred=negotiate.AcquireCurrentCredentials()
    > token = negotiate.NewClientContext(cred, spn)
    >
    > However it looks bit complex in C using MIT/Heimdal library. I am
    > looking at this example mentioned in the RFC here https://datatracker.ietf.org/doc/html/rfc7546.html#section-5.1
    >
    > Just checking if someone has done a similar thing and I am on the
    > right track. Thank you.


    You are comparing a full loop with just setting up the initial context.

    The two calls you have on those two lines are indeed equivalent to:

    /* obtain the initiator credential (the user's existing ticket cache) */
    maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,
                           desired_mechs, cred_usage, creds,
                           actual_mechs, NULL);

    and

    /* first leg of the context; init_token is what goes into the
     * Proxy-Authorization header. Note that GSS_C_DELEG_FLAG asks to
     * delegate the user's credentials to the peer; a client that only
     * needs to authenticate would normally request GSS_C_MUTUAL_FLAG
     * instead. */
    maj = gss_init_sec_context(&min, init_cred, &init_ctx,
                               accept_name, mech_type, GSS_C_DELEG_FLAG,
                               req_lifetime, GSS_C_NO_CHANNEL_BINDINGS,
                               &accept_token, NULL, &init_token, NULL,
                               NULL);

    Where all those variables are set to default values.
    Of course this is missing all error handling, and, if you use defaults
    it will miss many nuances.

    As Ken suggested you should look at real examples, libcurl may be a
    way, I can also suggest this library of mine:
    https://github.com/gssapi/mod_auth_gssapi/blob/master/src/mod_auth_gssapi.c

    --
    Simo Sorce
    Distinguished Engineer
    RHEL Crypto Team
    Red Hat, Inc

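An added example (not code from this thread, libcurl or mod_auth_gssapi) of the piece Ken and Simo say the two SSPI calls leave out: the full negotiation loop, on the Go side of the original poster's application. The gss_init_sec_context call is abstracted as an InitStep (whose body would be cgo into Heimdal/MIT, as discussed above), and the loop carries the tokens in Proxy-Authorization / Proxy-Authenticate across HTTP 407 round trips, refusing to trust a reply that arrives before the mechanism reports the context complete. InitStep, negotiateChallenge and doNegotiate are my own names.

```go
package main

import (
	"encoding/base64"
	"errors"
	"net/http"
	"strings"
)

// InitStep is one gss_init_sec_context call (cgo to Heimdal/MIT or a pure-Go mech):
// input is the proxy's last token (nil on the first leg), more mirrors GSS_S_CONTINUE_NEEDED.
type InitStep func(input []byte) (output []byte, more bool, err error)

// negotiateChallenge finds the Negotiate challenge in Proxy-Authenticate (other schemes
// may be listed beside it) and decodes its token; offered is false if Negotiate is absent.
func negotiateChallenge(h http.Header) (token []byte, offered bool, err error) {
	for _, v := range h.Values("Proxy-Authenticate") {
		for _, part := range strings.Split(v, ",") {
			part = strings.TrimSpace(part)
			if strings.HasPrefix(strings.ToLower(part), "negotiate") {
				token, err = base64.StdEncoding.DecodeString(strings.TrimSpace(part[9:]))
				return token, true, err
			}
		}
	}
	return nil, false, nil
}

// doNegotiate drives the RFC 7546 loop over HTTP: each initiator token goes out in
// Proxy-Authorization, each 407 challenge token is fed back in, until the context completes.
func doNegotiate(req *http.Request, step InitStep, send func(*http.Request) (*http.Response, error)) (*http.Response, error) {
	var input []byte
	for round := 0; round < 5; round++ { // Kerberos needs 1 or 2 legs; bound it anyway
		out, more, err := step(input)
		if err != nil {
			return nil, err
		}
		req.Header.Set("Proxy-Authorization", "Negotiate "+base64.StdEncoding.EncodeToString(out))
		resp, err := send(req)
		if err != nil {
			return nil, err
		}
		tok, offered, err := negotiateChallenge(resp.Header)
		if err != nil {
			return nil, err
		}
		if resp.StatusCode != http.StatusProxyAuthRequired {
			if len(tok) > 0 { // final (mutual-auth) token may ride on the success reply
				_, more, err = step(tok)
			}
			if err == nil && !more {
				return resp, nil
			}
			if err == nil { // proxy let us through before the mechanism finished: do not trust it
				err = errors.New("proxy answered before the GSS context was established")
			}
			return nil, err
		}
		if !offered || !more || len(tok) == 0 { // no Negotiate, mech was done, or token dropped
			return nil, errors.New("proxy rejected the Negotiate token")
		}
		input = tok
	}
	return nil, errors.New("negotiation did not converge")
}
```

The caller is expected to re-send the request body on each leg, which is why real clients (libcurl included) buffer or rewind it before negotiating.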