
x/crypto/ssh: Support GSSAPI AuthMethod #25899

Open · quentinmit opened this issue Jun 15, 2018 · 4 comments

Comments

5 participants
@quentinmit (Contributor) commented Jun 15, 2018

As defined in RFC 4462.

This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.

There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.

I think modern SSH servers only support the gssapi-with-mic auth method, though some patched SSH servers (Debian for instance) also support the gssapi-keyex auth method. The latter auth method is significantly more complicated, so I would suggest starting only with gssapi-with-mic.

@gopherbot gopherbot added this to the Unreleased milestone Jun 15, 2018

@agnivade (Member) commented Jun 16, 2018

/cc @hanwen

@hanwen (Contributor) commented Jun 25, 2018

I don't want to add generic callbacks to the API either.

Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements?

Is there a split in the structure that we could apply (e.g. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?

@jorgemarey commented Jun 26, 2018

Hi,

I just saw this issue. We needed to use kerberos ssh authentication from a golang client.

I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes)

I don't know if it's ok. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.

@hanwen (Contributor) commented Jun 28, 2018

You can try to run this against an existing GSSAPI server.

The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing a server side support too (which implies integrating with some existing kerberos package), or testing against an OpenSSH server configured to use Kerberos.
