Adds GSSAPI SASL mechanism #56

Open: wants to merge 1 commit into base: master

dequbed commented Mar 9, 2021

This is a WIP patch to bring GSSAPI-based authentication into this library and ultimately into ejabberd.

Current issues:

  • Due to limitations in the underlying egssapi library only Kerberos v5 is supported
  • This patch has only been tested on x86-64 Linux. Since GSSAPI is platform- and architecture-independent, it should work on other platforms as well, however.
  • According to RFC 4752 a server MUST NOT advertise the GSSAPI mechanism if it can't authenticate as the requested service/host principal. There's currently no mechanism to indicate availability of GSSAPI on a per-host basis.
  • The aforementioned RFC 4752 notes a number of SHOULD/SHOULD NOTs this patch currently ignores, e.g. acquisition of credentials. Most of them are limitations in the underlying egssapi library.

Main reason for opening this PR is to give current work being done more visibility given processone/ejabberd#1586 processone/ejabberd#1595 and the entire discussion around that.

TODOs

  • Expose more API surface in egssapi. Mostly auxiliary functions like gss_acquire_cred that would be nice to have.
  • Improve the NIF code. The C code is currently taken straight from mikma/egssapi. Additional work should be put into ensuring it's safe, or — depending on platform availability requirements — rewriting it in Rust.
  • Documentation. GSSAPI has some rather nasty quirks one needs to be aware of.

p1bot (Collaborator) commented Mar 9, 2021

Hi @dequbed, many thanks for your contribution!

In order for us to evaluate and accept your PR, we ask that you sign a contribution license agreement. It's all electronic and will take just minutes.

p1bot added the cla-missing (Contributor needs to sign Contribution License Agreement) label Mar 9, 2021

p1bot (Collaborator) commented Mar 9, 2021

You did it @dequbed!

Thank you for signing the ProcessOne Contribution License Agreement.

We will have a look at your contribution!

p1bot removed the cla-missing (Contributor needs to sign Contribution License Agreement) label Mar 9, 2021

Neustradamus commented

@dequbed: Thanks for starting to work on it!

lemenkov commented

Thanks for reviving it!

Neustradamus commented

@dequbed: Have you progressed on it?

Neustradamus commented

@dequbed: Have you progressed on it?

Neustradamus commented

@dequbed: Have you progressed on it, one year after the PR creation? :)
