krb5

package module
v0.1.0
Published: Feb 15, 2026 License: Apache-2.0 Imports: 0 Imported by: 0

README

krb5


Kerberos 5 implementation in pure go.

Thanks

This library literally could not exist without Jonathan Turner. We are unaware of the circumstances, but his activity on GitHub seems to have ceased, which is a significant loss for the community. Ultimately this is his org, and we're just the current stewards.

Features

  • Pure Go - no dependency on external libraries
  • No platform specific code
  • Server Side
    • HTTP handler wrapper implements SPNEGO Kerberos authentication
    • HTTP handler wrapper decodes Microsoft AD PAC authorization data
  • Client Side
    • Client that can authenticate to an SPNEGO Kerberos authenticated web service
    • Ability to change client's password
  • General
    • Kerberos libraries for custom integration
    • Parsing Keytab files
    • Parsing krb5.conf files
    • Parsing client credentials cache files such as /tmp/krb5cc_$(id -u $(whoami))

Support

Go version

This library, unless otherwise explicitly expressed, will officially support the versions of go which are currently supported by the go maintainers (usually 3 minor versions), with a brief transition time (usually 1 patch release of go; for example, if go 1.21.0 is released, we will likely still support go 1.17 until go 1.21.1 is released). These specific rules apply at the time of a published release.

In our opinion this library handles a critical element of security in a dependent project, and wherever possible we will not preserve backwards compatibility at the cost of security. We consider this especially important in a language like go, where backwards compatibility when upgrading the compile tools is usually flawless.

Changes to the supported version of go in the positive direction (i.e. older versions deprecated and newer versions added) will never be considered a breaking change for this library.

This policy means that users who wish to build this with older versions of go may find there are features being used which are not available in that version. The current intentionally supported versions of go are as follows:

  • go 1.26
  • go 1.25
  • go 1.24 (not supported: encoding/asn1 uses reflect.TypeAssert)

Additional Notes and Documentation

To Do

  • Encryption/Checksum Support:
    • Investigate mechanisms to have an encryption type registry to allow implementation of deprecated algorithms which are not enabled by default
    • Implement most algorithms
  • CI Workflows:
    • Unit Tests
    • Integration Tests
    • Coverage
    • Renovate
  • Document Breaking Changes
  • Set up Governance
  • Engage Community to assist in merging PRs and ensure they receive adequate credit
  • Overhaul go docs
  • Error Cleanup and Overhaul
  • Improve Project Test Coverage

Implementation

The following section contains some implementation specific information.

Encryption & Checksum Types

| Type | Implemented | Encryption ID | Checksum ID | Documentation |
|---|---|---|---|---|
| des-cbc-crc | No (deprecated, insecure) | 1 | 1 | RFC3961, RFC6649 |
| des-cbc-md4 | No (deprecated, insecure) | 2 | 3 | RFC3961, RFC6649 |
| des-cbc-md5 | No (deprecated, insecure) | 3 | 8 | RFC3961, RFC6649 |
| des3-cbc-md5 | No (deprecated, insecure) | 5 | 8 | RFC3961, RFC8429 |
| des3-cbc-sha1 | No (deprecated, insecure) | 7 | 13 | RFC3961, RFC8429 |
| des3-cbc-sha1 | No | 8 | 13 | RFC3961 |
| dsaWithSHA1-CmsOID | No | 9 | 10 | RFC3961 |
| md5WithRSAEncryption-CmsOID | No | 10 | 7 | RFC3961 |
| sha1WithRSAEncryption-CmsOID | No | 11 | 14 | RFC3961 |
| rc2CBC-EnvOID | No | 12 | N/A | RFC3961 |
| rsaEncryption-EnvOID | No | 13 | N/A | RFC3961 |
| rsaES-OAEP-ENV-OID | No | 14 | N/A | RFC3961 |
| des-ede3-cbc-Env-OID | No | 15 | N/A | RFC3961 |
| des3-cbc-sha1-kd | Yes (deprecated, insecure) | 16 | 12 | RFC3961, RFC8429 |
| aes128-cts-hmac-sha1-96 | Yes | 17 | 15 | RFC3962 |
| aes256-cts-hmac-sha1-96 | Yes | 18 | 16 | RFC3962 |
| aes128-cts-hmac-sha256-128 | Yes | 19 | 19 | RFC8009 |
| aes256-cts-hmac-sha384-192 | Yes | 20 | 20 | RFC8009 |
| rc4-hmac | Yes (deprecated, insecure) | 23 | -138 | RFC4757, RFC8429 |
| rc4-hmac-exp | No (deprecated, insecure) | 24 | -138 | RFC4757, RFC6649 |
| camellia128-cts-cmac | No | 25 | 17 | RFC6803 |
| camellia256-cts-cmac | No | 25 | 18 | RFC6803 |

Tested Scenarios

The following is working/tested:

  • Tested against MIT KDC (1.6.3 is the oldest version tested against) and Microsoft Active Directory (Windows 2008 R2)
  • Tested against a KDC that supports PA-FX-FAST.
  • Tested against users that have pre-authentication required using PA-ENC-TIMESTAMP.
  • Microsoft PAC Authorization Data is processed and exposed in the HTTP request context. Available if Microsoft Active Directory is used as the KDC.

Known Issues

| Issue | Worked around? | References |
|---|---|---|
| The Go standard library's encoding/asn1 package cannot unmarshal into a slice of asn1.RawValue | Yes | https://github.com/golang/go/issues/17321 |
| The Go standard library's encoding/asn1 package cannot marshal into a GeneralString | Yes, using https://github.com/go-krb/x/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18832 |
| The Go standard library's encoding/asn1 package cannot marshal into a slice of strings and pass stringtype parameter tags to members | Yes, using https://github.com/go-krb/x/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18834 |
| The Go standard library's encoding/asn1 package cannot marshal with application tags | Yes | |
| The Go standard library's x/crypto/pbkdf2.Key function uses the int type for the iteration count, meaning the 4294967296 count specified in https://tools.ietf.org/html/rfc3962 section 4 cannot be met on 32-bit systems | Yes, using https://github.com/go-crypt/x/tree/master/pbkdf2 | https://go-review.googlesource.com/c/crypto/+/85535 |

Documentation

Overview

Package krb5 provides a Kerberos 5 implementation for Go.

This is a pure Go implementation and does not have dependencies on native libraries.

Features include:

Server Side

HTTP handler wrapper implements SPNEGO Kerberos authentication.

HTTP handler wrapper decodes Microsoft AD PAC authorization data.

Client Side

Client that can authenticate to an SPNEGO Kerberos authenticated web service.

Ability to change client's password.

General

Kerberos libraries for custom integration.

Parsing Keytab files.

Parsing krb5.conf files.

Directories

| Path | Synopsis |
|---|---|
| asn1tools | Package asn1tools provides tools for managing ASN1 marshaled data. |
| client | Package client provides a client library and methods for Kerberos 5 authentication. |
| config | Package config implements KRB5 client and service configuration as described at https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html |
| credentials | Package credentials provides credentials management for Kerberos 5 authentication. |
| crypto | Package crypto implements cryptographic functions for Kerberos 5 implementation. |
| crypto/common | Package common provides encryption methods common across encryption types. |
| crypto/etype | Package etype provides the Kerberos Encryption Type interface. |
| crypto/rfc3961 | Package rfc3961 provides encryption and checksum methods as specified in RFC 3961. |
| crypto/rfc3962 | Package rfc3962 provides encryption and checksum methods as specified in RFC 3962. |
| crypto/rfc4757 | Package rfc4757 provides encryption and checksum methods as specified in RFC 4757. |
| crypto/rfc8009 | Package rfc8009 provides encryption and checksum methods as specified in RFC 8009. |
| gssapi | Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication. |
| iana | Package iana provides Kerberos 5 assigned numbers. |
| iana/addrtype | Package addrtype provides Address type assigned numbers. |
| iana/adtype | Package adtype provides Authenticator type assigned numbers. |
| iana/asn1apptag | Package asn1apptag provides ASN1 application tag numbers. |
| iana/chksumtype | Package chksumtype provides Kerberos 5 checksum type assigned numbers. |
| iana/errorcode | Package errorcode provides Kerberos 5 assigned error codes. |
| iana/etypeID | Package etypeID provides Kerberos 5 encryption type assigned numbers. |
| iana/flags | Package flags provides Kerberos 5 flag assigned numbers. |
| iana/keyusage | Package keyusage provides Kerberos 5 key usage assigned numbers. |
| iana/msgtype | Package msgtype provides Kerberos 5 message type assigned numbers. |
| iana/nametype | Package nametype provides Kerberos 5 principal name type numbers. |
| iana/patype | Package patype provides Kerberos 5 pre-authentication type assigned numbers. |
| iana/trtype | Package trtype provides Transited Encoding Type assigned numbers. |
| kadmin | Package kadmin provides Kerberos administration capabilities. |
| keytab | Package keytab implements Kerberos keytabs: https://web.mit.edu/kerberos/krb5-latest/doc/formats/keytab_file_format.html. |
| krberror | Package krberror provides error type and functions for krb5. |
| messages | Package messages implements Kerberos 5 message types and methods. |
| pac | Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing. |
| service | Package service provides server side integrations for Kerberos authentication. |
| spnego | Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication. |
| test | Package test provides useful resources for the testing of krb5. |
| types | Package types provides Kerberos 5 data types. |
