gss

package
v1.2.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 13, 2023 License: BSD-3-Clause Imports: 27 Imported by: 4

Documentation

Overview

Package gss implements RFC 3645 GSS-TSIG functions. This permits sending signed dynamic DNS update messages to Windows servers that have the zone require "Secure only" updates.

Example client: 

import (
        "fmt"
        "time"

        "github.com/bodgit/tsig"
        "github.com/bodgit/tsig/gss"
        "github.com/miekg/dns"
)

func main() {
        dnsClient := new(dns.Client)
        dnsClient.Net = "tcp"

        gssClient, err := gss.NewClient(dnsClient)
        if err != nil {
                panic(err)
        }
        defer gssClient.Close()

        host := "ns.example.com:53"

        // Negotiate a context with the chosen server using the
        // current user. See also
        // gssClient.NegotiateContextWithCredentials() and
        // gssClient.NegotiateContextWithKeytab() for alternatives
        keyname, _, err := gssClient.NegotiateContext(host)
        if err != nil {
                panic(err)
        }

        dnsClient.TsigProvider = gssClient

        // Use the DNS client as normal

        msg := new(dns.Msg)
        msg.SetUpdate(dns.Fqdn("example.com"))

        insert, err := dns.NewRR("test.example.com. 300 A 192.0.2.1")
        if err != nil {
                panic(err)
        }
        msg.Insert([]dns.RR{insert})

        msg.SetTsig(keyname, tsig.GSS, 300, time.Now().Unix())

        rr, _, err := dnsClient.Exchange(msg, host)
        if err != nil {
                panic(err)
        }

        if rr.Rcode != dns.RcodeSuccess {
                fmt.Printf("DNS error: %s (%d)\n", dns.RcodeToString[rr.Rcode], rr.Rcode)
        }

        // Cleanup the context
        err = gssClient.DeleteContext(keyname)
        if err != nil {
                panic(err)
        }
}

Under the hood, GSSAPI is used on platforms other than Windows whilst Windows uses native SSPI which has a similar API.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func WithConfig added in v1.2.0 

func WithConfig(config string) func(*Client) error

WithConfig sets the Kerberos configuration used

func WithLogger added in v1.2.0 

func WithLogger(logger logr.Logger) func(*Client) error

WithLogger sets the logger used

Types

type Client added in v1.1.0 

type Client struct {
	// contains filtered or unexported fields
}

Client maps the TKEY name to the context that negotiated it as well as any other internal state.

func NewClient added in v1.1.0 

func NewClient(dnsClient *dns.Client, options ...func(*Client) error) (*Client, error)

NewClient performs any library initialization necessary. It returns a context handle for any further functions along with any error that occurred.

func (*Client) Close added in v1.1.0 

func (c *Client) Close() error

Close deletes any active contexts and unloads any underlying libraries as necessary. It returns any error that occurred.

func (*Client) DeleteContext added in v1.1.0 

func (c *Client) DeleteContext(keyname string) error

DeleteContext deletes the active security context associated with the given TKEY name. It returns any error that occurred.

func (*Client) Generate added in v1.1.0 

func (c *Client) Generate(msg []byte, t *dns.TSIG) ([]byte, error)

Generate generates the TSIG MAC based on the established context. It is called with the bytes of the DNS message, and the partial TSIG record containing the algorithm and name which is the negotiated TKEY for this context. It returns the bytes for the TSIG MAC and any error that occurred.

func (*Client) NegotiateContext added in v1.1.0 

func (c *Client) NegotiateContext(host string) (string, time.Time, error)

NegotiateContext exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the current user. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*Client) NegotiateContextWithCredentials added in v1.1.0 

func (c *Client) NegotiateContextWithCredentials(host, domain, username, password string) (string, time.Time, error)

NegotiateContextWithCredentials exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided credentials. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*Client) NegotiateContextWithKeytab added in v1.1.0 

func (c *Client) NegotiateContextWithKeytab(host, domain, username, path string) (string, time.Time, error)

NegotiateContextWithKeytab exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided keytab. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*Client) SetConfig added in v1.2.0 

func (c *Client) SetConfig(config string) error

SetConfig sets the Kerberos configuration used by c

func (*Client) SetLogger added in v1.2.0 

func (c *Client) SetLogger(logger logr.Logger) error

SetLogger sets the logger used by c

func (*Client) Verify added in v1.1.0 

func (c *Client) Verify(stripped []byte, t *dns.TSIG) error

Verify verifies the TSIG MAC based on the established context. It is called with the bytes of the DNS message, and the TSIG record containing the algorithm, MAC, and name which is the negotiated TKEY for this context. It returns any error that occurred.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.