README
¶
GSSAPI wrapper for gokrb5
The github.com/bodgit/gssapi package implements a GSSAPI-like wrapper around the github.com/jcmturner/gokrb5 package.
Sample Initiator (Client):
package main
import (
. "github.com/bodgit/gssapi"
"github.com/jcmturner/gokrb5/v8/gssapi"
)
func main() {
initiator, err := NewInitiator(WithRealm("EXAMPLE.COM"), WithUsername("test"), WithKeytab[Initiator]("test.keytab"))
if err != nil {
panic(err)
}
defer initiator.Close()
output, cont, err := initiator.Initiate("host/ssh.example.com", gssapi.ContextFlagInteg|gssapi.ContextFlagMutual, nil)
if err != nil {
panic(err)
}
// transmit output to Acceptor
signature, err := initiator.MakeSignature(message)
if err != nil {
panic(err)
}
// transmit message and signature to Acceptor
}
Sample Acceptor (Server):
package main
import (
. "github.com/bodgit/gssapi"
"github.com/jcmturner/gokrb5/v8/gssapi"
"github.com/jcmturner/gokrb5/v8/iana/nametype"
"github.com/jcmturner/gokrb5/v8/types"
)
func main() {
principal := types.NewPrincipalName(nametype.KRB_NT_SRV_HST, "host/ssh.example.com")
acceptor, err := NewAcceptor(WithServicePrincipal(&principal))
if err != nil {
panic(err)
}
defer acceptor.Close()
// receive input from Initiator
output, cont, err := acceptor.Accept(input)
if err != nil {
panic(err)
}
// transmit output back to Initiator
// receive message and signature from Initiator
if err := acceptor.VerifySignature(message, signature); err != nil {
panic(err)
}
}
Documentation
¶
Overview ¶
Package gssapi implements a simplified wrapper around the github.com/jcmturner/gokrb5 package.
Index ¶
- type Acceptor
- func (ctx *Acceptor) Accept(input []byte) ([]byte, bool, error)
- func (ctx *Acceptor) Close() error
- func (ctx *Acceptor) Established() bool
- func (ctx *Acceptor) Expiry() time.Time
- func (ctx *Acceptor) MakeSignature(message []byte) ([]byte, error)
- func (ctx *Acceptor) PeerName() string
- func (ctx *Acceptor) VerifySignature(message, signature []byte) error
- type Initiator
- func (ctx *Initiator) Close() error
- func (ctx *Initiator) Established() bool
- func (ctx *Initiator) Expiry() time.Time
- func (ctx *Initiator) Initiate(service string, flags int, input []byte) ([]byte, bool, error)
- func (ctx *Initiator) MakeSignature(message []byte) ([]byte, error)
- func (ctx *Initiator) PeerName() string
- func (ctx *Initiator) VerifySignature(message, signature []byte) error
- type Option
- func WithClockSkew[T Acceptor](clockSkew time.Duration) Option[T]
- func WithConfig[T Initiator](config string) Option[T]
- func WithDomain[T Initiator](domain string) Option[T]
- func WithKeytab[T Initiator | Acceptor](keytab string) Option[T]
- func WithLogger[T Initiator | Acceptor](logger logr.Logger) Option[T]
- func WithPassword[T Initiator](password string) Option[T]
- func WithRealm[T Initiator](realm string) Option[T]
- func WithServicePrincipal[T Acceptor](principal *types.PrincipalName) Option[T]
- func WithUsername[T Initiator](username string) Option[T]
- Bugs
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Acceptor ¶
type Acceptor struct {
// contains filtered or unexported fields
}
Acceptor represents the server side of the GSSAPI protocol.
func NewAcceptor ¶
NewAcceptor returns a new Acceptor.
func (*Acceptor) Accept ¶
Accept responds to the token from the Initiator, returning a token to be sent back to the Initiator and whether another round is required.
func (*Acceptor) Established ¶ added in v0.0.2
func (ctx *Acceptor) Established() bool
Established returns the context state.
func (*Acceptor) MakeSignature ¶
MakeSignature creates a MIC token against the provided input.
func (*Acceptor) PeerName ¶
func (ctx *Acceptor) PeerName() string
PeerName returns the peer Kerberos principal.
func (*Acceptor) VerifySignature ¶
VerifySignature verifies the MIC token against the provided input.
type Initiator ¶
type Initiator struct {
// contains filtered or unexported fields
}
Initiator represents the client side of the GSSAPI protocol.
func NewInitiator ¶
NewInitiator returns a new Initiator.
func (*Initiator) Established ¶ added in v0.0.2
func (ctx *Initiator) Established() bool
Established returns the context state.
func (*Initiator) Initiate ¶
Initiate creates a new context targeting the service with the desired flags along with the initial input token, which will initially be nil. The output token is returned and whether another round is required.
func (*Initiator) MakeSignature ¶
MakeSignature creates a MIC token against the provided input.
func (*Initiator) PeerName ¶
func (ctx *Initiator) PeerName() string
PeerName returns the peer Kerberos principal.
func (*Initiator) VerifySignature ¶
VerifySignature verifies the MIC token against the provided input.
type Option ¶
Option is the signature for all constructor options.
func WithClockSkew ¶
WithClockSkew sets the permitted amount of clock skew allowed between the Initiator and Acceptor.
func WithConfig ¶
WithConfig permits passing krb5.conf contents directly to an Initiator.
func WithDomain ¶
WithDomain sets the Kerberos domain in the Initiator.
func WithKeytab ¶
WithKeytab sets the keytab path in either an Initiator or Acceptor.
func WithLogger ¶
WithLogger configures a logr.Logger in either an Initiator or Acceptor.
func WithPassword ¶
WithPassword sets the password in the Initiator.
func WithServicePrincipal ¶
func WithServicePrincipal[T Acceptor](principal *types.PrincipalName) Option[T]
WithServicePrincipal sets the principal that is looked up in the keytab.
func WithUsername ¶
WithUsername sets the username in the Initiator.
Source Files