gssapi

package v0.0.0-...-1aef7fd

This package is not in the latest version of its module.
Published: Apr 12, 2026 License: MIT Imports: 13 Imported by: 0

Documentation

Overview

Package gssapi provides implementations of golang.org/x/crypto/ssh.GSSAPIClient for SSH GSSAPI-with-MIC authentication (RFC 4462).

Two implementations are available:

  • Krb5Client: Pure Go implementation using gokrb5/v8. No CGO required.
  • CGOClient: System GSSAPI library via CGO. Requires the libgssapi_krb5 development headers at build time and the shared library at run time, and is only compiled when CGO is enabled (//go:build cgo); with CGO disabled the type does not exist and only Krb5Client is available.

Both implement ssh.GSSAPIClient and can be passed directly to github.com/jamesits/sshconf/pkg/sshclient.UI.GSSAPIClient.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CGOClient

type CGOClient struct {
	// contains filtered or unexported fields
}

CGOClient implements ssh.GSSAPIClient using the system GSSAPI library (typically MIT Kerberos or Heimdal) via CGO. This requires libgssapi_krb5 to be installed and is only available when CGO is enabled.

Build with: go build (CGO_ENABLED=1 is the default on a host with a C toolchain; when cross-compiling, CGO_ENABLED defaults to 0, and the //go:build cgo constraint then silently drops this type from the build rather than failing)

This implementation delegates all Kerberos operations to the system library, which handles credential caching, keytab lookup, and configuration via /etc/krb5.conf (or the file named by KRB5_CONFIG) automatically.

func NewCGOClient

func NewCGOClient() *CGOClient

NewCGOClient creates a new CGOClient. The system GSSAPI library handles credential acquisition automatically from the default credential cache or keytab, so the principal that authenticates is whichever one the library's default cache (KRB5CCNAME) selects; check with klist if an unexpected principal is used.

func (*CGOClient) DeleteSecContext

func (c *CGOClient) DeleteSecContext() error

DeleteSecContext implements ssh.GSSAPIClient. It releases the GSSAPI security context and target name.

func (*CGOClient) GetMIC

func (c *CGOClient) GetMIC(micField []byte) ([]byte, error)

GetMIC implements ssh.GSSAPIClient. It calls gss_get_mic() to generate a Message Integrity Code over micField, the buffer the ssh package builds per RFC 4462 section 3.5 from the session identifier, the SSH_MSG_USERAUTH_REQUEST byte, the user name, the service name and the method name "gssapi-with-mic".

func (*CGOClient) InitSecContext

func (c *CGOClient) InitSecContext(target string, token []byte, isGSSDelegCreds bool) (outputToken []byte, needContinue bool, err error)

InitSecContext implements ssh.GSSAPIClient. It calls the system gss_init_sec_context() to perform the Kerberos authentication token exchange.

type Krb5Client

type Krb5Client struct {
	// contains filtered or unexported fields
}

Krb5Client implements ssh.GSSAPIClient using the pure Go gokrb5/v8 library. No CGO or system Kerberos libraries are required.

func NewKrb5ClientFromCCache

func NewKrb5ClientFromCCache(ccachePath string, cfg Krb5Config) (*Krb5Client, error)

NewKrb5ClientFromCCache creates a Krb5Client from an existing credential cache. If ccachePath is empty, it reads the KRB5CCNAME environment variable, falling back to /tmp/krb5cc_<uid>.
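The lookup order described above, resolved in Go, plus two checks worth doing before handing the path to NewKrb5ClientFromCCache. This is an added example, not code from the gssapi package; resolveCCachePath and checkCCacheMode are names chosen here, and the handling of a KRB5CCNAME cache-type prefix (FILE:, KEYRING:, KCM:, ...) is this example's policy, since the page does not say how the package treats a prefixed value.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Cache types MIT Kerberos and Heimdal may put in front of a KRB5CCNAME
// value. Only FILE caches are plain files that a pure Go reader can open.
var ccacheTypes = map[string]bool{
	"FILE": true, "DIR": true, "KEYRING": true, "KCM": true, "MEMORY": true, "API": true,
}

// resolveCCachePath reproduces the documented lookup order (explicit path,
// then $KRB5CCNAME, then /tmp/krb5cc_<uid>) and additionally strips or
// rejects a cache-type prefix. getenv and uid are injected so the logic can
// be exercised without touching the real environment. Assumed helper, not
// part of the gssapi package.
func resolveCCachePath(explicit string, getenv func(string) string, uid int) (string, error) {
	if explicit != "" {
		return explicit, nil
	}
	if v := getenv("KRB5CCNAME"); v != "" {
		typ, rest, found := strings.Cut(v, ":")
		if found && ccacheTypes[strings.ToUpper(typ)] {
			if !strings.EqualFold(typ, "FILE") {
				// Fail loudly rather than fall back to /tmp/krb5cc_<uid>, which may
				// hold a different principal than the one the user just kinit'ed.
				return "", fmt.Errorf("KRB5CCNAME cache type %q is not a file cache", typ)
			}
			return rest, nil
		}
		return v, nil // bare path (or a Windows drive-letter prefix) is a FILE cache
	}
	return "/tmp/krb5cc_" + strconv.Itoa(uid), nil
}

// checkCCacheMode refuses a cache that other local users can read: a readable
// TGT is as good as the password for the lifetime of the ticket.
func checkCCacheMode(path string) error {
	fi, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !fi.Mode().IsRegular() {
		return errors.New("credential cache is not a regular file")
	}
	if fi.Mode().Perm()&0o077 != 0 {
		return fmt.Errorf("credential cache %s is group/world accessible (%04o)", path, fi.Mode().Perm())
	}
	return nil
}

func main() {
	path, err := resolveCCachePath("", os.Getenv, os.Getuid())
	if err != nil {
		fmt.Println("cannot resolve credential cache:", err)
		return
	}
	if err := checkCCacheMode(path); err != nil {
		fmt.Println("refusing credential cache:", err)
		return
	}
	fmt.Println("would pass to NewKrb5ClientFromCCache:", path)
}
```

The explicit error on a KEYRING: or KCM: value matters in practice: on many Linux distributions kinit writes to the kernel keyring, so a pure Go client that quietly falls back to /tmp/krb5cc_<uid> either fails with a confusing "no such file" or picks up a stale cache for another principal.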

func NewKrb5ClientFromKeytab

func NewKrb5ClientFromKeytab(username, realm, keytabPath string, cfg Krb5Config) (*Krb5Client, error)

NewKrb5ClientFromKeytab creates a Krb5Client from a keytab file. The client automatically performs AS exchange to obtain a TGT.

func NewKrb5ClientFromPassword

func NewKrb5ClientFromPassword(username, realm, password string, cfg Krb5Config) (*Krb5Client, error)

NewKrb5ClientFromPassword creates a Krb5Client using username/password authentication. The client performs AS exchange to obtain a TGT.

func (*Krb5Client) DeleteSecContext

func (c *Krb5Client) DeleteSecContext() error

DeleteSecContext implements ssh.GSSAPIClient. It clears the security context state.

func (*Krb5Client) GetMIC

func (c *Krb5Client) GetMIC(micField []byte) ([]byte, error)

GetMIC implements ssh.GSSAPIClient. It generates a MIC (Message Integrity Code) over micField using the Kerberos session key of the established context, per RFC 4462. The ssh package builds micField per RFC 4462 section 3.5 from the session identifier, the SSH_MSG_USERAUTH_REQUEST byte, the user name, the service name and the method name "gssapi-with-mic", which is what binds the Kerberos context to this particular SSH connection and user.
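What GetMIC signs, for both the CGOClient and Krb5Client methods above: the micField argument is the RFC 4462 section 3.5 buffer that the golang.org/x/crypto/ssh client assembles before calling GetMIC. The following is an added example, not code from the gssapi package or from x/crypto; BuildMICField and ParseMICField are names chosen here, and the 32-byte session identifier is constructed.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

// SSH_MSG_USERAUTH_REQUEST (RFC 4252 section 6).
const msgUserAuthRequest byte = 50

// sshString encodes an SSH "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// BuildMICField lays out the RFC 4462 section 3.5 buffer handed to GetMIC.
// Including the session identifier, user and service in the signed data is
// what stops a MIC captured on one connection from being replayed on another.
func BuildMICField(sessionID []byte, user, service string) []byte {
	var f []byte
	f = append(f, sshString(sessionID)...)
	f = append(f, msgUserAuthRequest)
	f = append(f, sshString([]byte(user))...)
	f = append(f, sshString([]byte(service))...)
	f = append(f, sshString([]byte("gssapi-with-mic"))...)
	return f
}

// MICField is the decoded form, as a server reconstructs it before gss_verify_mic.
type MICField struct {
	SessionID             []byte
	User, Service, Method string
}

// ParseMICField decodes the buffer and rejects anything that is not exactly
// the five fields in the right order with no trailing bytes.
func ParseMICField(f []byte) (MICField, error) {
	var m MICField
	r := bytes.NewReader(f)
	readString := func() ([]byte, error) {
		var n uint32
		if err := binary.Read(r, binary.BigEndian, &n); err != nil {
			return nil, err
		}
		if uint32(r.Len()) < n {
			return nil, errors.New("string length exceeds remaining input")
		}
		b := make([]byte, n)
		if n == 0 {
			return b, nil
		}
		_, err := r.Read(b)
		return b, err
	}
	var err error
	if m.SessionID, err = readString(); err != nil {
		return m, err
	}
	t, err := r.ReadByte()
	if err != nil {
		return m, err
	}
	if t != msgUserAuthRequest {
		return m, fmt.Errorf("unexpected message type %d", t)
	}
	var fields [3][]byte
	for i := range fields {
		if fields[i], err = readString(); err != nil {
			return m, err
		}
	}
	if r.Len() != 0 {
		return m, errors.New("trailing bytes after method name")
	}
	m.User, m.Service, m.Method = string(fields[0]), string(fields[1]), string(fields[2])
	if m.Method != "gssapi-with-mic" {
		return m, fmt.Errorf("unexpected method %q", m.Method)
	}
	return m, nil
}

func main() {
	sid := bytes.Repeat([]byte{0x42}, 32) // constructed session identifier
	f := BuildMICField(sid, "alice", "ssh-connection")
	fmt.Printf("micField is %d bytes: %x\n", len(f), f)
	m, err := ParseMICField(f)
	fmt.Println(m.User, m.Service, m.Method, err)
}
```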

func (*Krb5Client) InitSecContext

func (c *Krb5Client) InitSecContext(target string, token []byte, isGSSDelegCreds bool) (outputToken []byte, needContinue bool, err error)

InitSecContext implements ssh.GSSAPIClient. It performs the GSSAPI/Kerberos token exchange for SSH authentication per RFC 4462.

On the first call (token is empty), it obtains a service ticket for target and generates an AP-REQ wrapped in a GSSAPI initial context token (RFC 2743 section 3.1 framing with the Kerberos V5 mechanism OID).

On subsequent calls (mutual authentication), it processes the server's AP-REP response.

isGSSDelegCreds requests credential delegation (GSS_C_DELEG_FLAG): the server receives a forwarded TGT and can act as the user towards other services, so it should only be set for hosts trusted to that degree.
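The framing of the first-call token described above, as an added example that is not part of the gssapi package or of gokrb5: WrapInitialContextToken, UnwrapInitialContextToken and InnerTokenType are names chosen here, and the AP-REQ body is a constructed placeholder rather than a real ticket. The unwrap side is written the way a receiver should treat an untrusted token: strict tag, minimal DER length, exact length and mechanism OID checks before anything inside is looked at.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2
// (RFC 1964 section 1), exactly as it appears in the thisMech field.
var krb5MechOID = []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02}

// derLength encodes a definite-form DER length (short form below 128,
// long form up to three length bytes, which covers any realistic token).
func derLength(n int) []byte {
	switch {
	case n < 0x80:
		return []byte{byte(n)}
	case n < 0x100:
		return []byte{0x81, byte(n)}
	case n < 0x10000:
		return []byte{0x82, byte(n >> 8), byte(n)}
	default:
		return []byte{0x83, byte(n >> 16), byte(n >> 8), byte(n)}
	}
}

// WrapInitialContextToken applies the RFC 2743 section 3.1 framing:
// [APPLICATION 0] tag 0x60, DER length, Kerberos mech OID, inner token.
// For the first InitSecContext call the inner token is TOK_ID 01 00
// followed by the DER-encoded AP-REQ (RFC 4121 section 4.1).
func WrapInitialContextToken(inner []byte) []byte {
	body := append(append([]byte{}, krb5MechOID...), inner...)
	out := append([]byte{0x60}, derLength(len(body))...)
	return append(out, body...)
}

// UnwrapInitialContextToken validates the framing strictly and returns the
// inner token; a receiver must not trust the length or mechanism it claims.
func UnwrapInitialContextToken(tok []byte) ([]byte, error) {
	if len(tok) < 2 || tok[0] != 0x60 {
		return nil, errors.New("not an InitialContextToken ([APPLICATION 0])")
	}
	l, pos := int(tok[1]), 2
	if l&0x80 != 0 {
		n := l & 0x7f
		if n == 0 || n > 3 || len(tok) < 2+n {
			return nil, errors.New("malformed DER length")
		}
		l = 0
		for _, b := range tok[2 : 2+n] {
			l = l<<8 | int(b)
		}
		pos = 2 + n
		if !bytes.Equal(derLength(l), tok[1:pos]) {
			return nil, errors.New("non-minimal DER length")
		}
	}
	if len(tok)-pos != l {
		return nil, fmt.Errorf("length mismatch: header says %d, %d bytes follow", l, len(tok)-pos)
	}
	body := tok[pos:]
	if !bytes.HasPrefix(body, krb5MechOID) {
		return nil, errors.New("thisMech is not the Kerberos V5 mechanism")
	}
	return body[len(krb5MechOID):], nil
}

// InnerTokenType reads the RFC 4121 / RFC 1964 TOK_ID prefix of an inner token.
func InnerTokenType(inner []byte) (string, error) {
	if len(inner) < 2 {
		return "", errors.New("inner token too short for TOK_ID")
	}
	switch {
	case inner[0] == 0x01 && inner[1] == 0x00:
		return "KRB_AP_REQ", nil
	case inner[0] == 0x02 && inner[1] == 0x00:
		return "KRB_AP_REP", nil
	case inner[0] == 0x03 && inner[1] == 0x00:
		return "KRB_ERROR", nil
	}
	return "", fmt.Errorf("unknown TOK_ID %02x%02x", inner[0], inner[1])
}

func main() {
	apReq := bytes.Repeat([]byte{0xAA}, 300) // constructed stand-in for a DER AP-REQ
	tok := WrapInitialContextToken(append([]byte{0x01, 0x00}, apReq...))
	fmt.Printf("token header: %x (%d bytes total)\n", tok[:16], len(tok))
	inner, err := UnwrapInitialContextToken(tok)
	if err != nil {
		panic(err)
	}
	typ, _ := InnerTokenType(inner)
	fmt.Println("inner token type:", typ)
}
```

The same framing is what gss_init_sec_context() in the CGOClient path produces on the first call, so a token captured from either implementation should start with 0x60 followed by the Kerberos OID; a token whose mechanism OID is SPNEGO (1.3.6.1.5.5.2) instead is a sign that something other than plain Kerberos is being negotiated.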

type Krb5Config

type Krb5Config struct {
	// ConfigPath is the path to krb5.conf. If empty, tries /etc/krb5.conf.
	ConfigPath string

	// ConfigString is an alternative to ConfigPath: the krb5.conf contents
	// as a string. ConfigPath takes precedence if set.
	ConfigString string
}

Krb5Config configures the Kerberos client for GSSAPI authentication.
