Documentation

Overview

    Package client provides a client library and methods for Kerberos 5 authentication.

    Constants

    This section is empty.

    Variables

    This section is empty.

    Functions

    func SetSPNEGOHeader

    func SetSPNEGOHeader(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey, r *http.Request) error

      SetSPNEGOHeader sets the provided ticket as the SPNEGO authorization header on the HTTP request object.

      Types

      type Cache

      type Cache struct {
      	Entries map[string]CacheEntry
      	// contains filtered or unexported fields
      }

        Cache for client tickets.

        func NewCache

        func NewCache() *Cache

          NewCache creates a new client ticket cache instance.

          func (*Cache) RemoveEntry

          func (c *Cache) RemoveEntry(spn string)

            RemoveEntry removes the cache entry for the defined SPN.

            type CacheEntry

            type CacheEntry struct {
            	Ticket     messages.Ticket
            	AuthTime   time.Time
            	StartTime  time.Time
            	EndTime    time.Time
            	RenewTill  time.Time
            	SessionKey types.EncryptionKey
            }

              CacheEntry holds details for a client cache entry.

              type Client

              type Client struct {
              	Credentials *credentials.Credentials
              	Config      *config.Config
              	GoKrb5Conf  *Config
              
              	Cache *Cache
              	// contains filtered or unexported fields
              }

                Client side configuration and state.

                func NewClientFromCCache

                func NewClientFromCCache(c credentials.CCache) (Client, error)

                  NewClientFromCCache creates a client from a populated client cache.

                  WARNING: If you do not add a keytab or password to the client then the TGT cannot be renewed and a failure will occur after the TGT expires.

                  func NewClientWithKeytab

                  func NewClientWithKeytab(username, realm string, kt keytab.Keytab) Client

                    NewClientWithKeytab creates a new client from a keytab credential.

                    func NewClientWithPassword

                    func NewClientWithPassword(username, realm, password string) Client

                      NewClientWithPassword creates a new client from a password credential.

                      func (*Client) ASExchange

                      func (cl *Client) ASExchange(realm string, referral int) error

                        ASExchange performs an AS exchange for the client to retrieve a TGT.

                        func (*Client) AddSession

                        func (cl *Client) AddSession(tkt messages.Ticket, dep messages.EncKDCRepPart)

                          AddSession adds a session for a realm with a TGT to the client's session cache. A goroutine is started to automatically renew the TGT before expiry.

                          func (*Client) GetCachedTicket

                          func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool)

                            GetCachedTicket returns a ticket from the cache for the SPN. Only a ticket that is currently valid will be returned.

                            func (*Client) GetServiceTicket

                            func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)

                              GetServiceTicket makes a request to get a service ticket for the specified SPN. SPN format: <SERVICE>/<FQDN>, e.g. HTTP/www.example.com. The ticket will be added to the client's ticket cache.

                              func (*Client) GetSessionFromPrincipalName

                              func (cl *Client) GetSessionFromPrincipalName(spn types.PrincipalName) (*session, error)

                                GetSessionFromPrincipalName returns the session for the realm of the principal provided.

                                func (*Client) GetSessionFromRealm

                                func (cl *Client) GetSessionFromRealm(realm string) (sess *session, err error)

                                  GetSessionFromRealm returns the session for the realm provided.

                                  func (*Client) IsConfigured

                                  func (cl *Client) IsConfigured() (bool, error)

                                    IsConfigured indicates whether the client has the required values set.

                                    func (*Client) Key

                                    func (cl *Client) Key(etype etype.EType, krberr messages.KRBError) (types.EncryptionKey, error)

                                      Key returns a key for the client, preferably from a keytab and otherwise generated from the password. The KRBError would have been returned from the KDC and must be of type KDC_ERR_PREAUTH_REQUIRED. If a KRBError is not available, pass nil and a key will be returned from the credentials keytab.

                                      func (*Client) LoadConfig

                                      func (cl *Client) LoadConfig(cfgPath string) (*Client, error)

                                        LoadConfig loads the Kerberos configuration for the client from the file path specified.

                                        func (*Client) Login

                                        func (cl *Client) Login() error

                                          Login logs the client in with the KDC via an AS exchange.

                                          func (*Client) RenewTicket

                                          func (cl *Client) RenewTicket(e CacheEntry) (CacheEntry, error)

                                            RenewTicket renews a cache entry ticket
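GetCachedTicket returns only currently valid tickets, RenewTicket renews a cache entry, and a client built from a ccache without a keytab or password fails once its TGT expires. The following is an added example, not gokrb5 code: it classifies a ticket from the CacheEntry time fields using standard Kerberos lifetime semantics. The `entry` type, `classify` function and `margin` parameter are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"time"
)

// entry mirrors the time fields of CacheEntry shown above (local stand-in type).
type entry struct {
	StartTime, EndTime, RenewTill time.Time
}

type state string

const (
	notYetValid state = "not-yet-valid"
	valid       state = "valid"
	renewNow    state = "renew-now"
	expired     state = "expired"
)

// classify reports how a cached ticket should be treated at time now.
// margin is a hypothetical safety window before EndTime in which a
// renewable ticket should be renewed rather than used as-is.
func classify(e entry, now time.Time, margin time.Duration) state {
	switch {
	case now.Before(e.StartTime):
		return notYetValid
	case !now.Before(e.EndTime):
		// An expired ticket cannot be renewed, even inside RenewTill;
		// a new exchange with the KDC (and so a keytab or password) is needed.
		return expired
	case e.EndTime.Sub(now) <= margin && e.RenewTill.After(e.EndTime):
		return renewNow
	default:
		return valid
	}
}

func main() {
	// Constructed sample: 10h ticket lifetime, renewable for 7 days.
	start := time.Date(2024, 1, 1, 8, 0, 0, 0, time.UTC)
	e := entry{StartTime: start, EndTime: start.Add(10 * time.Hour), RenewTill: start.Add(7 * 24 * time.Hour)}
	for _, off := range []time.Duration{-time.Minute, time.Hour, 9*time.Hour + 55*time.Minute, 10 * time.Hour} {
		fmt.Println(off, classify(e, start.Add(off), 10*time.Minute))
	}
}
```

A zero or non-extending RenewTill never yields `renew-now`, which is the situation the NewClientFromCCache warning describes once EndTime passes.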

                                            func (*Client) SendToKDC

                                            func (cl *Client) SendToKDC(b []byte, realm string) ([]byte, error)

                                              SendToKDC performs network actions to send data to the KDC.

                                              func (*Client) SetSPNEGOHeader

                                              func (cl *Client) SetSPNEGOHeader(r *http.Request, spn string) error

                                                SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To auto-generate the SPN from the request object, pass an empty string "".

                                                func (*Client) TGSExchange

                                                func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tkt messages.Ticket, sessionKey types.EncryptionKey, renewal bool, referral int) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)

                                                  TGSExchange performs a TGS exchange to retrieve a ticket to the specified SPN. The ticket retrieved is added to the client's cache.

                                                  func (*Client) WithConfig

                                                  func (cl *Client) WithConfig(cfg *config.Config) *Client

                                                    WithConfig sets the Kerberos configuration for the client.

                                                    func (*Client) WithKeytab

                                                    func (cl *Client) WithKeytab(kt keytab.Keytab) *Client

                                                      WithKeytab adds a keytab to the client.

                                                      func (*Client) WithPassword

                                                      func (cl *Client) WithPassword(password string) *Client

                                                        WithPassword adds a password to the client.

                                                        type Config

                                                        type Config struct {
                                                        	DisablePAFXFast              bool
                                                        	AssumePAEncTimestampRequired bool
                                                        }

                                                          Config holds GoKRB5-specific client configuration. Set DisablePAFXFast to true to force PA_FX_FAST off. Set AssumePAEncTimestampRequired to true to send the PA_ENC_TIMESTAMP proactively rather than waiting for a KRB_ERROR response from the KDC indicating it is required.