Version: v7.3.4

This package is not in the latest version of its module.

Published: Jan 13, 2020 License: Apache-2.0 Imports: 14 Imported by: 0


Package service provides server side integrations for Kerberos authentication.


func ClientAddress

func ClientAddress(h types.HostAddress) func(*Settings)

ClientAddress is used to configure the service side with the client's host address, which is checked during validation.

s := NewSettings(kt, ClientAddress(h))

func DecodePAC

func DecodePAC(b bool) func(*Settings)

DecodePAC is used to configure the service side to enable or disable PAC decoding when a PAC is present. Defaults to enabled if not specified.

s := NewSettings(kt, DecodePAC(false))

func KeytabPrincipal

func KeytabPrincipal(p string) func(*Settings)

KeytabPrincipal is used to override the principal name used to find the key in the keytab.

s := NewSettings(kt, KeytabPrincipal("someaccount"))

func Logger

func Logger(l *log.Logger) func(*Settings)

Logger is used to configure the service side with a logger.

s := NewSettings(kt, Logger(l))

func MaxClockSkew

func MaxClockSkew(d time.Duration) func(*Settings)

MaxClockSkew is used to configure the service side with the maximum acceptable clock skew between the service and the issue time of Kerberos tickets.

s := NewSettings(kt, MaxClockSkew(d))

func RequireHostAddr

func RequireHostAddr(b bool) func(*Settings)

RequireHostAddr is used to configure the service side to require host addresses to be specified in Kerberos tickets.

s := NewSettings(kt, RequireHostAddr(true))

func SName

func SName(sname string) func(*Settings)

SName is used to provide a specific service name to the service settings.

s := NewSettings(kt, SName("HTTP/"))

func VerifyAPREQ

func VerifyAPREQ(APReq messages.APReq, s *Settings) (bool, *credentials.Credentials, error)

VerifyAPREQ verifies an AP_REQ sent to the service. It returns a boolean indicating whether the AP_REQ is valid, together with the client's principal name and realm.


type Cache

type Cache struct {
	// contains filtered or unexported fields
}

Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.

func GetReplayCache

func GetReplayCache(d time.Duration) *Cache

GetReplayCache returns a pointer to the Cache singleton.

func (*Cache) AddEntry

func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)

AddEntry adds an entry to the Cache.

func (*Cache) ClearOldEntries

func (c *Cache) ClearOldEntries(d time.Duration)

ClearOldEntries clears entries from the Cache that are older than the duration provided.

func (*Cache) IsReplay

func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool

IsReplay tests whether the Authenticator provided is a replay within the duration defined. If it is not a replay, the entry is added to the cache for tracking.
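As an added illustration, not code from the gokrb5 package, the following stand-alone model shows the two time-based checks this page describes: rejecting authenticators outside the MaxClockSkew window (5 minutes by default) and detecting replays with a Cache keyed by fully qualified client name. The Authenticator, Cache, NewCache and Verify names here are constructed stand-ins, not the package's own API.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Authenticator is a constructed stand-in for the fields of types.Authenticator that replay detection needs.
type Authenticator struct {
	CName, CRealm string
	CTime         time.Time
	Cusec         int
}

type seen struct {
	sname string
	auth  Authenticator
}

// Cache keeps the last authenticator seen per fully qualified client name (cname@realm).
type Cache struct {
	mu      sync.Mutex
	entries map[string]seen
}

func NewCache() *Cache { return &Cache{entries: map[string]seen{}} }

// IsReplay reports whether this exact authenticator (same service, CTime, Cusec) was already seen from the client; if not, it is recorded.
func (c *Cache) IsReplay(sname string, a Authenticator) bool {
	c.mu.Lock()
	defer c.mu.Unlock()
	key := a.CName + "@" + a.CRealm
	if e, ok := c.entries[key]; ok && e.sname == sname &&
		e.auth.CTime.Equal(a.CTime) && e.auth.Cusec == a.Cusec {
		return true
	}
	c.entries[key] = seen{sname, a}
	return false
}

// Verify applies the two time checks a service makes on an AP_REQ authenticator: CTime within maxSkew of the service clock, then no replay.
func Verify(c *Cache, sname string, a Authenticator, now time.Time, maxSkew time.Duration) error {
	if skew := now.Sub(a.CTime); skew > maxSkew || -skew > maxSkew {
		return fmt.Errorf("clock skew %v exceeds %v", skew, maxSkew)
	}
	if c.IsReplay(sname, a) {
		return fmt.Errorf("replayed authenticator from %s@%s", a.CName, a.CRealm)
	}
	return nil
}
```

The skew check runs before the cache is consulted, so an authenticator that is too old is never recorded and cannot crowd out the client's legitimate entry.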

type KRB5BasicAuthenticator

type KRB5BasicAuthenticator struct {
	BasicHeaderValue string
	// contains filtered or unexported fields
}

KRB5BasicAuthenticator implements the goidentity authenticator interface. It takes a username and password, so it can be used for basic authentication.

func NewKRB5BasicAuthenticator

func NewKRB5BasicAuthenticator(headerVal string, krb5conf *config.Config, serviceSettings *Settings, clientSettings *client.Settings) KRB5BasicAuthenticator

NewKRB5BasicAuthenticator creates a new KRB5BasicAuthenticator.

func (KRB5BasicAuthenticator) Authenticate

func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)

Authenticate and return the identity. The boolean indicates if the authentication was successful.

func (KRB5BasicAuthenticator) Mechanism

func (a KRB5BasicAuthenticator) Mechanism() string

Mechanism returns the authentication mechanism.

type Settings

type Settings struct {
	Keytab *keytab.Keytab
	// contains filtered or unexported fields
}

Settings defines service side configuration settings.

func NewSettings

func NewSettings(kt *keytab.Keytab, settings ...func(*Settings)) *Settings

NewSettings creates a new service Settings.

func (*Settings) ClientAddress

func (s *Settings) ClientAddress() types.HostAddress

ClientAddress returns the client host address which has been provided to the service.

func (*Settings) DecodePAC

func (s *Settings) DecodePAC() bool

DecodePAC indicates whether the service should decode any PAC information present in the ticket.

func (*Settings) KeytabPrincipal

func (s *Settings) KeytabPrincipal() *types.PrincipalName

KeytabPrincipal returns the principal name used to find the key in the keytab if it has been overridden.

func (*Settings) Logger

func (s *Settings) Logger() *log.Logger

Logger returns the logger instance configured for the service. If none is configured, nil is returned.

func (*Settings) MaxClockSkew

func (s *Settings) MaxClockSkew() time.Duration

MaxClockSkew returns the maximum acceptable clock skew between the service and the issue time of Kerberos tickets. If none is defined, a duration of 5 minutes is returned.

func (*Settings) RequireHostAddr

func (s *Settings) RequireHostAddr() bool

RequireHostAddr indicates if the service should require the host address to be included in the ticket.

func (*Settings) SName

func (s *Settings) SName() string

SName returns the specific service name configured for the service.
