x/crypto/ssh: Support GSSAPI AuthMethod #25899
As defined in RFC 4462
This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.
There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.
I think modern SSH servers only support the
I don't want to add generic callbacks to the API either.
Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements?
Is there a split in the structure that we could apply (e.g. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?
I just saw this issue. We needed to use Kerberos ssh authentication from a golang client.
I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes)
I don't know if it's ok. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.
You can try to run this against an existing GSSAPI server.
The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing server-side support too (which implies integrating with some existing Kerberos package), or testing against an OpenSSH server configured to use Kerberos.