x/crypto/ssh: Support GSSAPI AuthMethod #25899

Closed
quentinmit opened this issue Jun 15, 2018 · 6 comments

Comments

@quentinmit
Contributor

As defined in RFC 4462

This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.

There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.

I think modern SSH servers only support the gssapi-with-mic auth method, though some patched SSH servers (Debian for instance) also support the gssapi-keyex auth method. The latter auth method is significantly more complicated, so I would suggest starting only with gssapi-with-mic.
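An added example, not part of the original post and not code from x/crypto/ssh: a sketch of the interface-based plug-in idea, together with the data that the gssapi-with-mic MIC covers in RFC 4462 section 3.5. The `Mechanism` interface and `MICInput` are hypothetical names, and the HMAC-based `hmacMech` is a constructed stand-in for a real Kerberos context. Because the MIC covers the SSH session identifier, a MIC taken from one session does not verify in another.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Mechanism is a hypothetical plug-in interface: the SSH code calls it and
// never imports a particular GSSAPI library.
type Mechanism interface {
	GetMIC(data []byte) []byte
	VerifyMIC(data, mic []byte) bool
}

// hmacMech is a constructed stand-in for an established Kerberos context.
type hmacMech struct{ key []byte }

func (m hmacMech) GetMIC(data []byte) []byte {
	h := hmac.New(sha256.New, m.key)
	h.Write(data)
	return h.Sum(nil)
}
func (m hmacMech) VerifyMIC(data, mic []byte) bool {
	return hmac.Equal(m.GetMIC(data), mic)
}

// sshString appends an SSH "string": uint32 big-endian length, then bytes.
func sshString(b []byte, s string) []byte {
	var n [4]byte
	binary.BigEndian.PutUint32(n[:], uint32(len(s)))
	return append(append(b, n[:]...), s...)
}

// MICInput builds the data the client's MIC covers (RFC 4462, section 3.5).
func MICInput(sessionID []byte, user, service string) []byte {
	b := sshString(nil, string(sessionID))
	b = append(b, 50) // SSH_MSG_USERAUTH_REQUEST
	b = sshString(sshString(b, user), service)
	return sshString(b, "gssapi-with-mic")
}

func main() {
	var m Mechanism = hmacMech{key: []byte("constructed-context-key")}
	mic := m.GetMIC(MICInput([]byte("session-A"), "alice", "ssh-connection"))
	fmt.Println(m.VerifyMIC(MICInput([]byte("session-A"), "alice", "ssh-connection"), mic))
	fmt.Println(m.VerifyMIC(MICInput([]byte("session-B"), "alice", "ssh-connection"), mic))
}
```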

@gopherbot gopherbot added this to the Unreleased milestone Jun 15, 2018
@agnivade
Contributor

/cc @hanwen

@hanwen
Contributor

hanwen commented Jun 25, 2018

I don't want to add generic callbacks to the API either.

Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements?

Is there a split in the structure that we could apply (e.g. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?

@jorgemarey

Hi,

I just saw this issue. We needed to use Kerberos SSH authentication from a golang client.

I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes)

I don't know if it's OK. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.

@hanwen
Contributor

hanwen commented Jun 28, 2018

You can try to run this against an existing GSSAPI server.

The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing server-side support too (which implies integrating with some existing Kerberos package), or testing against an OpenSSH server configured to use Kerberos.

@yiya1989

You can refer to these two:
https://github.com/yiya1989/sshkrb5/blob/main/examples/sshwithkrb5.go
https://github.com/nhywieza/sshgssapi

@seankhliao
Member

I believe this was done in CL 170919

@golang golang locked and limited conversation to collaborators Nov 2, 2022