x/crypto/ssh: Support GSSAPI AuthMethod #25899
Comments
/cc @hanwen
I don't want to add generic callbacks to the API either. Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements? Is there a split in the structure that we could apply (e.g. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?
Hi, I just saw this issue. We needed to use kerberos ssh authentication from a golang client. I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes) I don't know if it's ok. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.
You can try to run this against an existing GSSAPI server. The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing server-side support too (which implies integrating with some existing kerberos package), or testing against an OpenSSH server configured to use Kerberos.
you can refer to these two:
As defined in RFC 4462
This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.
There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.
I think modern SSH servers only support the `gssapi-with-mic` auth method, though some patched SSH servers (Debian for instance) also support the `gssapi-keyex` auth method. The latter auth method is significantly more complicated, so I would suggest starting only with `gssapi-with-mic`.
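As an added example (not part of this issue and not x/crypto/ssh's own code), this shows the one piece of `gssapi-with-mic` that the SSH layer owns regardless of which GSSAPI library is plugged in: assembling the MIC input exactly as RFC 4462 section 3.5 orders it, behind an interface of the kind proposed above. `GSSAPIMechanism`, `fakeMechanism` and `VerifyMIC` are assumed names, and the HMAC stand-in replaces a real GSS security context.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// GSSAPIMechanism is a hypothetical plug-in interface in the spirit of the
// interface-based AuthMethod suggested in the issue; it is not the x/crypto/ssh API.
type GSSAPIMechanism interface {
	GetMIC(data []byte) ([]byte, error) // MIC over data using the established GSS context
}
// appendString appends an SSH "string": big-endian uint32 length, then the bytes.
func appendString(b, s []byte) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(b, n[:]...), s...)
}
// MICData assembles what a gssapi-with-mic client MICs (RFC 4462 section 3.5):
// session identifier, byte SSH_MSG_USERAUTH_REQUEST, user name, service, method name.
func MICData(sessionID []byte, user, service string) []byte {
	b := appendString(nil, sessionID)
	b = append(b, 50) // SSH_MSG_USERAUTH_REQUEST (RFC 4252)
	b = appendString(b, []byte(user))
	b = appendString(b, []byte(service))
	return appendString(b, []byte("gssapi-with-mic"))
}

// fakeMechanism is a constructed stand-in for a Kerberos/GSSAPI library so the
// example runs offline: it MICs with an HMAC over a shared key instead of a GSS context.
type fakeMechanism struct{ key []byte }
func (f fakeMechanism) GetMIC(data []byte) ([]byte, error) {
	m := hmac.New(sha256.New, f.key)
	m.Write(data)
	return m.Sum(nil), nil
}

// VerifyMIC is the server-side check: recompute over the same fields and compare in
// constant time, so a MIC bound to one user or session is rejected for another.
func VerifyMIC(mech GSSAPIMechanism, sessionID []byte, user, service string, mic []byte) bool {
	want, err := mech.GetMIC(MICData(sessionID, user, service))
	return err == nil && hmac.Equal(want, mic)
}
func main() {
	mech := fakeMechanism{key: []byte("constructed-shared-key")}
	mic, _ := mech.GetMIC(MICData([]byte("sid"), "alice", "ssh-connection"))
	fmt.Println(VerifyMIC(mech, []byte("sid"), "alice", "ssh-connection", mic)) // true
}
```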