x/crypto/ssh: Support GSSAPI AuthMethod #25899
As defined in RFC 4462.
This is commonly used for (MIT/Heimdal/Active Directory) Kerberos authentication, though other GSSAPI mechanisms exist.
There are several different GSSAPI implementations available for Go (e.g. https://gopkg.in/jcmturner/gokrb5.v5, https://github.com/apcera/gssapi). It probably doesn't make sense to bless one of these external packages in x/crypto/ssh, so I would instead suggest that a callback- or interface-based AuthMethod be defined, so the user can plug in the GSSAPI mechanism of their choice.
I think modern SSH servers only support the `gssapi-with-mic` auth method, though some patched SSH servers (Debian for instance) also support the `gssapi-keyex` auth method. The latter auth method is significantly more complicated, so I would suggest starting only with `gssapi-with-mic`.
Comments
/cc @hanwen
I don't want to add generic callbacks to the API either. Is it possible to structure the code such that it effectively becomes a drop-in? E.g. a file that you would add to a local checkout that implements it? Is there a split in the structure that we could apply (e.g. putting packetConn into an internal/ package) so you could add a separate gss/ subpackage, without affecting the rest of the SSH code?
Hi, I just saw this issue. We needed to use Kerberos SSH authentication from a golang client. I did this: golang/crypto@master...jorgemarey:f-gssapi-auth (showing changes). I don't know if it's OK. I could make some changes if you think the code needs it. I tested it with https://github.com/apcera/gssapi (by implementing the interface) and it worked fine.
You can try to run this against an existing GSSAPI server. The tricky bit is that for it to be promoted into the crypto library, I want to see a test. That means either writing server-side support too (which implies integrating with some existing Kerberos package), or testing against an OpenSSH server configured to use Kerberos.
I believe this was done in CL 170919
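A worked example of the pluggable, interface-based `gssapi-with-mic` shape the issue body suggests, added here as an illustration; it is not code from x/crypto/ssh, from CL 170919, or from the linked branch. The `GSSAPIClient` and `GSSAPIServer` interfaces, the `authenticate` driver, the `toyMech` stand-in mechanism (HMAC-SHA256 under a key derived from a constructed pre-shared key and nonce, not Kerberos), the target name and the session IDs are all assumptions made for this example. Only the layout of the MIC input buffer follows RFC 4462 section 3.5; that buffer is the security-relevant part, because the session identifier in it is what ties the GSSAPI proof to the current SSH transport.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const msgUserAuthRequest = 50 // SSH_MSG_USERAUTH_REQUEST (RFC 4252)

// Hypothetical pluggable hooks in the spirit of the issue's suggestion: the
// SSH layer drives the exchange, the caller supplies the GSSAPI mechanism.
type GSSAPIClient interface {
	InitSecContext(target string, inToken []byte) (outToken []byte, needContinue bool, err error)
	GetMIC(msg []byte) ([]byte, error)
}

type GSSAPIServer interface {
	AcceptSecContext(inToken []byte) (outToken []byte, srcName string, needContinue bool, err error)
	VerifyMIC(msg, mic []byte) error
}

// sshString encodes an SSH "string": uint32 big-endian length, then bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// micInput is the buffer RFC 4462 section 3.5 requires the MIC to cover; the
// session identifier in it is what stops a MIC from one session being replayed in another.
func micInput(sessionID []byte, user, service string) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(msgUserAuthRequest)
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("gssapi-with-mic")))
	return buf.Bytes()
}

func hmacSum(key, msg []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(msg)
	return mac.Sum(nil)
}

// toyMech stands in for a real mechanism so the exchange runs offline: HMAC-SHA256
// under a key derived from a pre-shared key and a client nonce. NOT Kerberos.
type toyMech struct {
	psk, ctxKey []byte
	name        string
}

func (m *toyMech) InitSecContext(target string, _ []byte) ([]byte, bool, error) {
	nonce := []byte("constructed-nonce:" + target) // a real mechanism uses fresh randomness
	m.ctxKey = hmacSum(m.psk, nonce)
	return nonce, false, nil
}

func (m *toyMech) AcceptSecContext(inToken []byte) ([]byte, string, bool, error) {
	m.ctxKey = hmacSum(m.psk, inToken)
	return nil, m.name, false, nil
}

func (m *toyMech) GetMIC(msg []byte) ([]byte, error) { return hmacSum(m.ctxKey, msg), nil }

func (m *toyMech) VerifyMIC(msg, mic []byte) error {
	if !hmac.Equal(hmacSum(m.ctxKey, msg), mic) {
		return errors.New("gssapi-with-mic: MIC verification failed")
	}
	return nil
}

// authenticate runs one gssapi-with-mic attempt: the context-token loop, then the MIC
// over the session-bound buffer. Session IDs are separate so cross-session replay can be shown.
func authenticate(c GSSAPIClient, s GSSAPIServer, clientSID, serverSID []byte, user string) (srcName string, err error) {
	var inTok, outTok []byte
	for cMore, sMore := true, true; cMore || sMore; {
		if outTok, cMore, err = c.InitSecContext("host@ssh.example.org", inTok); err != nil {
			return "", err
		}
		if inTok, srcName, sMore, err = s.AcceptSecContext(outTok); err != nil {
			return "", err
		}
	}
	mic, err := c.GetMIC(micInput(clientSID, user, "ssh-connection"))
	if err != nil {
		return "", err
	}
	if err := s.VerifyMIC(micInput(serverSID, user, "ssh-connection"), mic); err != nil {
		return "", err
	}
	return srcName, nil
}
```

With both sides given the same session ID, `authenticate` returns the mechanism's source name (`alice@EXAMPLE.ORG` for the toy server below); hand the server a different session ID and `VerifyMIC` rejects the very same MIC, which is the reason that field is in the buffer. Replacing `toyMech` with a wrapper around gokrb5 or apcera/gssapi is the only change a real client needs, and the SSH layer never has to know which mechanism is behind the interface.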