Re: How to get Kerberos token for proxy authentication

From: sim...@redhat.com (Simo Sorce)
Newsgroups: comp.protocols.kerberos
Subject: Re: How to get Kerberos token for proxy authentication
Date: Fri, 22 Mar 2024 06:03:25 -0400
Organization: Red Hat
Message-ID: <mailman.75.1711101816.2322.kerberos@mit.edu>
 by: Simo Sorce - Fri, 22 Mar 2024 10:03 UTC

On Thu, 2024-03-21 at 11:24 -0400, Thomas Kula wrote:
> On Wed, Mar 20, 2024 at 11:33:16AM -0400, Ken Hornstein via Kerberos wrote:
> > > Thanks again Ken. My application is written in Go. So I'm looking
> > > for a Kerberos implementation that can be easily integrated with my
> > > application. Hence I was considering MIT Kerberos and using C bindings
> > > to call those APIs from my Go code. "MacOS X it might be easier to use
> > > the native GSSAPI implementation which would be Heimdal"
> > >
> > > Here did you mean developer.apple.com/documentation/gss? Isn't that in
> > > Swift? I will explore libcurl code, thank you.
> >
> > I can't speak for the Swift API, but Heimdal on MacOS X also provides a
> > standard C API for the GSSAPI functions. I don't have much experience
> > with Go but if you can call C functions from within it (and I have to
> > believe that is possible) then doing so for Heimdal should be fine.
> > There might be a few differences in terms of what GSSAPI extension
> > functions are available but from what you describe you should only need
> > the standard GSSAPI functions.
>
> Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
> in the past with some experiments in some Go code I was working on, I
> wasn't touching GSSAPI but there's at least some GSSAPI code in there.
> Might be worth checking out as it's native Go code, no cgo wrapping.
>

Last time I checked, that code was kept together with spit and tape, and
was far from what I would consider usable in production for general
use.
It implements the minimum set of code needed for the specific use case
and specific file credential of the person that built it, and will fall
apart as soon as you do anything funny.

There is also no guarantee it is secure.

As much as I understand the desire of new languages to have "native
code", I strongly suggest avoiding the urge in this case. Both Heimdal
and MIT Kerberos have decades of development behind them, not something
you reproduce in a "summer of coding".

HTH,
Simo.

--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc
