Adds GSSAPI SASL mechanism
This is a WIP patch to bring GSSAPI-based authentication into this library and ultimately into ejabberd.
Current issues:
- Due to limitations in the underlying egssapi library only Kerberos v5 is supported
- This patch has only been tested on x86-64 Linux. Since GSSAPI is platform- and architecture-independent it should work on other platforms as well however.
- According to RFC 4752 a server MUST NOT advertise the GSSAPI mechanism if it can't authenticate as the requested service/host principal. There's currently no mechanism to indicate availability of GSSAPI on a per-host basis.
- The aforementioned RFC 4752 notes a number of SHOULD/SHOULD NOTs this patch currently ignores, e.g. acquisition of credentials. Most of them are limitations in the underlying egssapi library.
Main reason for opening this PR is to give current work being done more visibility given processone/ejabberd#1586 processone/ejabberd#1595 and the entire discussion around that.
TODOs
- [ ] Expose more API surface in egssapi. Mostly auxiliary functions like `gss_acquire_cred` that would be nice to have.
- [ ] Improve the NIF code. The C code is currently taken straight from mikma/egssapi. Additional work should be put into ensuring it's safe, or — depending on platform availability requirements — rewrite it in Rust.
- [ ] Documentation. GSSAPI has some rather nasty quirks one needs to be aware of.
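The PR description leans on RFC 4752 several times without showing what the RFC's MUST-level rules look like in code. The following is an added example, not code from this PR, from egssapi, or from ejabberd: it implements the server side of the RFC 4752 security-layer negotiation that follows GSS context establishment, encoding the 4-octet server offer and validating the client's reply (exactly one layer chosen, only from what was offered, size field consistent with the choice). The layer bit values are the ones RFC 4752 defines; the hostnames, sizes and authorization identity in the demo are constructed. The real exchange carries these payloads inside GSS_Wrap()/GSS_Unwrap(), which a GSSAPI library provides and this example does not.

```python
"""RFC 4752 (SASL GSSAPI) security-layer negotiation, server side.

After the GSS security context is established the server sends a 4-octet
message: octet 0 is a bit-mask of the security layers it supports, octets
1..3 are the maximum message size it can receive (big-endian). The client
answers in the same layout, selecting exactly one layer and appending an
optional authorization identity. Only the cleartext payloads are handled
here; wrapping/unwrapping is the GSSAPI library's job.
"""

SEC_LAYER_NONE = 0x01             # no security layer
SEC_LAYER_INTEGRITY = 0x02        # integrity protection
SEC_LAYER_CONFIDENTIALITY = 0x04  # confidentiality protection
_KNOWN_LAYERS = SEC_LAYER_NONE | SEC_LAYER_INTEGRITY | SEC_LAYER_CONFIDENTIALITY
_MAX_SIZE_LIMIT = 0xFFFFFF        # the size field is three octets wide


def build_server_message(offered_layers: int, max_size: int) -> bytes:
    """Encode the server's layer offer; raise ValueError on an RFC violation."""
    if offered_layers == 0 or offered_layers & ~_KNOWN_LAYERS:
        raise ValueError("offered layers must be a non-empty subset of the defined bits")
    if not 0 <= max_size <= _MAX_SIZE_LIMIT:
        raise ValueError("max message size must fit in three octets")
    # RFC 4752 3.1: the size MUST be 0 if the server supports no security layer.
    if offered_layers == SEC_LAYER_NONE and max_size != 0:
        raise ValueError("max size must be 0 when only 'no security layer' is offered")
    return bytes([offered_layers]) + max_size.to_bytes(3, "big")


def parse_client_response(payload: bytes, offered_layers: int) -> dict:
    """Decode the client's reply and check it against what the server offered."""
    if len(payload) < 4:
        raise ValueError("client response shorter than 4 octets")
    chosen = payload[0]
    client_max_size = int.from_bytes(payload[1:4], "big")
    try:
        authzid = payload[4:].decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("authorization identity is not valid UTF-8") from exc

    # Exactly one bit may be set, and it must be a layer the server offered.
    if chosen == 0 or chosen & (chosen - 1):
        raise ValueError("client must select exactly one security layer")
    if not chosen & offered_layers:
        raise ValueError("client selected a security layer the server did not offer")
    # Size must be 0 iff no layer is in use; a protected channel with a
    # zero-length buffer could never carry a wrapped message.
    if chosen == SEC_LAYER_NONE and client_max_size != 0:
        raise ValueError("max size must be 0 when no security layer is selected")
    if chosen != SEC_LAYER_NONE and client_max_size == 0:
        raise ValueError("a security layer was selected but the client's max size is 0")
    return {"layer": chosen, "client_max_size": client_max_size, "authzid": authzid}


def response_is_acceptable(payload: bytes, offered_layers: int) -> bool:
    """Boolean wrapper around parse_client_response for policy checks."""
    try:
        parse_client_response(payload, offered_layers)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed demo: offer integrity and confidentiality with a 64 KiB buffer.
    offer = SEC_LAYER_INTEGRITY | SEC_LAYER_CONFIDENTIALITY
    print(build_server_message(offer, 65536).hex())
    # Constructed client reply: confidentiality, 65535-byte buffer, an authzid.
    reply = b"\x04\x00\xff\xff" + b"juliet@example.com"
    print(parse_client_response(reply, offer))
    # A client asking for "no security layer" when none was offered is rejected.
    print(response_is_acceptable(b"\x01\x00\x00\x00", offer))
```

The point a server implementer should take from this is that the bit-mask and size field are validated together: accepting a reply that names a layer the server never offered, or a zero buffer size alongside a protected layer, silently downgrades or breaks the channel the client believes it negotiated.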
Hi @dequbed, many thanks for your contribution!
In order for us to evaluate and accept your PR, we ask that you sign a contribution license agreement. It's all electronic and will take just minutes.
You did it @dequbed!
Thank you for signing the ProcessOne Contribution License Agreement.
We will have a look at your contribution!
@dequbed: Thanks for having started to work on it!
Thanks for reviving it!
@dequbed: Have you progressed on it?
@dequbed: Have you progressed on it?
@dequbed: Have you progressed on it, one year after the PR creation? :)