kerby

Go wrapper for Kerberos GSSAPI

Results 13 kerby issues

`authenticate_gss_client_init()` seems to have this idea that one must have a separate credential handle for credentials to delegate. Credential delegation is just a flag.

You shouldn't need to use the `krb5` API, as is done in [kerby.go](https://github.com/ubccr/kerby/blob/master/kerby.go), in `ServerPrincipalDetails()`, which is unused and undocumented anyways. Just remove it.

The README discusses using client keytabs. This is not important, and it's mostly useless. Just use `GSS_C_NO_CREDENTIAL` as the credential handle on the initiator and acceptor sides.

```
else if (principal && *principal) {
    gss_name_t name;
    principal_token.length = strlen(principal);
    principal_token.value = (char *)principal;
    state->maj_stat = gss_import_name(
        &state->min_stat, &principal_token, GSS_C_NT_USER_NAME, &name
    );
```

The name type has to...

Calling the client principal name a "username" is problematic. When I started looking at this I immediately feared there might be post-processing of the name to truncate any `@REALM` portions....

In `authenticate_gss_server_step` there are two memory leaks:

- `target_name` gets malloc'd by `gss_inquire_context`, but never gets free'd by `gss_release_name`. See `targ_name` [here](https://docs.oracle.com/cd/E36784_01/html/E36875/gss-inquire-context-3gss.html).
- `output_token` gets malloc'd in `gss_display_name` on line...

```
/usr/include/gssapi/gssapi.h:598:1: note: 'gss_release_buffer' has been explicitly marked deprecated here
```

I'm not sure what I need to do to get this to compile. Searching around looks like this repo...

Add support for kerberos authentication to follow redirect responses from web server.