x/crypto/ssh: Support GSSAPI AuthMethod #25899

Open
quentinmit opened this issue Jun 15, 2018 · 4 comments
@quentinmit (Contributor) commented Jun 15, 2018

As defined in RFC 4462

This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.

There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.

I think modern SSH servers only support the gssapi-with-mic auth method, though some patched SSH servers (Debian for instance) also support the gssapi-keyex auth method. The latter auth method is significantly more complicated, so I would suggest starting only with gssapi-with-mic.
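An added illustration, not code from this issue or from x/crypto/ssh, of what the interface-based design proposed above would plug into: a hypothetical GSSAPIClient interface that a Kerberos library would be wrapped to satisfy, the DER-encoded Kerberos V5 mechanism OID the client advertises, and the exact buffer RFC 4462 section 3.5 requires the client to MIC for gssapi-with-mic. The interface method names, the sample session identifier and the user name are assumptions.

```go
package main

import (
	"encoding/asn1"
	"encoding/binary"
	"fmt"
)

// SSH_MSG_USERAUTH_REQUEST (RFC 4252); the MIC input echoes this byte.
const msgUserAuthRequest = 50

// GSSAPIClient is a hypothetical plug-in interface in the spirit of the
// proposal above; the method names are assumptions, not x/crypto/ssh API.
type GSSAPIClient interface {
	// InitSecContext performs one GSS_Init_sec_context round; done is true
	// once the security context is established and GetMIC may be called.
	InitSecContext(inToken []byte) (outToken []byte, done bool, err error)
	// GetMIC computes GSS_GetMIC over data under the established context.
	GetMIC(data []byte) ([]byte, error)
}

// sshString encodes b as an SSH "string": uint32 big-endian length + bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// kerberosMechOID returns the DER-encoded Kerberos V5 mechanism OID
// (1.2.840.113554.1.2.2); RFC 4462 carries mechanism OIDs in DER form.
func kerberosMechOID() ([]byte, error) {
	return asn1.Marshal(asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2})
}

// micInput builds the buffer RFC 4462 section 3.5 requires the client to MIC
// before sending SSH_MSG_USERAUTH_GSSAPI_MIC: session identifier, message
// number, user name, service name and the literal method name.
func micInput(sessionID []byte, user, service string) []byte {
	buf := sshString(sessionID)
	buf = append(buf, msgUserAuthRequest)
	buf = append(buf, sshString([]byte(user))...)
	buf = append(buf, sshString([]byte(service))...)
	return append(buf, sshString([]byte("gssapi-with-mic"))...)
}

func main() {
	// Constructed sample values; a real session identifier is the exchange hash.
	fmt.Printf("%x\n", micInput([]byte{1, 2, 3, 4}, "alice", "ssh-connection"))
}
```

The value returned by micInput is what the plugged-in mechanism's GetMIC must sign; a server that is given a MIC over anything else rejects the request, which is why the field order and the uint32 length prefixes matter.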

@gopherbot gopherbot added this to the Unreleased milestone Jun 15, 2018
@agnivade (Contributor) commented Jun 16, 2018

/cc @hanwen

@hanwen (Contributor) commented Jun 25, 2018

I don't want to add generic callbacks to the API either.

Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements?

Is there a split in the structure that we could apply (eg. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?

@jorgemarey commented Jun 26, 2018

Hi,

I just saw this issue. We needed to use kerberos ssh authentication from a golang client.

I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes)

I don't know if it's ok. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.

@hanwen (Contributor) commented Jun 28, 2018

You can try to run this against an existing GSSAPI server.

The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing a server side support too (which implies integrating with some existing kerberos package), or testing against an OpenSSH server configured to use Kerberos.
