Documentation
Overview
Package client provides a client library and methods for Kerberos 5 authentication.
Index
- Constants
- func AssumePreAuthentication(b bool) func(*Settings)
- func DisablePAFXFAST(b bool) func(*Settings)
- func EnableCertAuth(b bool) func(*Settings)
- func Logger(l *log.Logger) func(*Settings)
- func SetpreAuthEType(etype int32) func(*Settings)
- type Cache
- type CacheEntry
- type Client
- func NewFromCCache(c *credentials.CCache, krb5conf *config.Config, settings ...func(*Settings)) (*Client, error)
- func NewWithKeytab(username, realm string, kt *keytab.Keytab, krb5conf *config.Config, ...) *Client
- func NewWithPassword(username, realm, password string, krb5conf *config.Config, ...) *Client
- func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error)
- func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart)
- func (cl *Client) AffirmLogin() error
- func (cl *Client) ChangePasswd(newPasswd string) (bool, error)
- func (cl *Client) Destroy()
- func (cl *Client) Diagnostics(w io.Writer) error
- func (cl *Client) GetCachedEntry(spn string) (CacheEntry, bool)
- func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool)
- func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)
- func (cl *Client) GetServiceTicketS4U2Proxy(spn string, userTGS messages.Ticket) (messages.Ticket, messages.EncKDCRepPart, error)
- func (cl *Client) IsConfigured() (bool, error)
- func (cl *Client) Key(etype etype.EType, kvno int, krberr *messages.KRBError) (types.EncryptionKey, int, error)
- func (cl *Client) Log(format string, v ...interface{})
- func (cl *Client) Login() error
- func (cl *Client) Print(w io.Writer)
- func (cl *Client) TGSExchange(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, ...) (messages.TGSReq, messages.TGSRep, error)
- func (cl *Client) TGSREQGenerateAndExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, ...) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
- type Settings
Constants
const (
	KRB5_KPASSWD_SUCCESS             = 0
	KRB5_KPASSWD_MALFORMED           = 1
	KRB5_KPASSWD_HARDERROR           = 2
	KRB5_KPASSWD_AUTHERROR           = 3
	KRB5_KPASSWD_SOFTERROR           = 4
	KRB5_KPASSWD_ACCESSDENIED        = 5
	KRB5_KPASSWD_BAD_VERSION         = 6
	KRB5_KPASSWD_INITIAL_FLAG_NEEDED = 7
)
Kpasswd server response codes.
Variables
This section is empty.
Functions
func AssumePreAuthentication
AssumePreAuthentication is used to configure the client to assume pre-authentication is required.
s := NewSettings(AssumePreAuthentication(true))
func DisablePAFXFAST
DisablePAFXFAST is used to configure the client not to use PA_FX_FAST.
s := NewSettings(DisablePAFXFAST(true))
func EnableCertAuth
EnableCertAuth is used to configure the client to authenticate via certificate.
s := NewSettings(EnableCertAuth(true))
func SetpreAuthEType
Types
type Cache
type Cache struct {
	Entries map[string]CacheEntry
	// contains filtered or unexported fields
}
Cache for service tickets held by the client.
func (*Cache) RemoveEntry
RemoveEntry removes the cache entry for the defined SPN.
type CacheEntry
type CacheEntry struct {
	SPN        string
	Ticket     messages.Ticket `json:"-"`
	AuthTime   time.Time
	StartTime  time.Time
	EndTime    time.Time
	RenewTill  time.Time
	SessionKey types.EncryptionKey `json:"-"`
}
CacheEntry holds details for a cache entry.
type Client
type Client struct {
	Credentials *credentials.Credentials
	Config      *config.Config
	// contains filtered or unexported fields
}
Client side configuration and state.
func NewFromCCache
func NewFromCCache(c *credentials.CCache, krb5conf *config.Config, settings ...func(*Settings)) (*Client, error)
NewFromCCache creates a client from a populated client cache.
WARNING: A client created from CCache does not automatically renew TGTs and a failure will occur after the TGT expires.
func NewWithKeytab
func NewWithKeytab(username, realm string, kt *keytab.Keytab, krb5conf *config.Config, settings ...func(*Settings)) *Client
NewWithKeytab creates a new client from a keytab credential.
func NewWithPassword
func NewWithPassword(username, realm, password string, krb5conf *config.Config, settings ...func(*Settings)) *Client
NewWithPassword creates a new client from a password credential. Set the realm to an empty string to use the default realm from the config.
func (*Client) ASExchange
func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error)
ASExchange performs an AS exchange for the client to retrieve a TGT.
func (*Client) AddSession
func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart)
AddSession adds a session for a realm with a TGT to the client's session cache. A goroutine is started to automatically renew the TGT before expiry.
func (*Client) AffirmLogin
AffirmLogin will only perform an AS exchange with the KDC if the client does not already have a TGT.
func (*Client) ChangePasswd
ChangePasswd changes the password of the client to the value provided.
func (*Client) Destroy
func (cl *Client) Destroy()
Destroy stops the auto-renewal of all sessions and removes the sessions and cache entries from the client.
func (*Client) Diagnostics
Diagnostics runs a set of checks that the client is properly configured and writes details to the io.Writer provided.
func (*Client) GetCachedEntry
func (cl *Client) GetCachedEntry(spn string) (CacheEntry, bool)
GetCachedEntry returns a cache entry from the cache for the SPN. Only an entry that is currently valid will be returned.
func (*Client) GetCachedTicket
GetCachedTicket returns a ticket from the cache for the SPN. Only a ticket that is currently valid will be returned.
func (*Client) GetServiceTicket
GetServiceTicket makes a request to get a service ticket for the SPN specified. SPN format: <SERVICE>/<FQDN>, e.g. HTTP/www.example.com. The ticket will be added to the client's ticket cache.
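The "currently valid" rule behind GetCachedEntry and GetCachedTicket, plus the <SERVICE>/<FQDN> SPN form GetServiceTicket expects, as an added stand-alone Go example that is not gokrb5's own code. cacheEntry, lookup and parseSPN are hypothetical names modelled on the CacheEntry fields; the RenewTill branch illustrates what that field is for and goes slightly beyond what the doc comment states.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// cacheEntry models the time fields of client.CacheEntry (a stand-alone model, not the gokrb5 type).
type cacheEntry struct {
	SPN                           string
	StartTime, EndTime, RenewTill time.Time
}

// parseSPN enforces the <SERVICE>/<FQDN> form documented for GetServiceTicket, e.g. HTTP/www.example.com.
func parseSPN(spn string) (service, fqdn string, err error) {
	parts := strings.Split(spn, "/")
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return "", "", fmt.Errorf("spn %q: want <SERVICE>/<FQDN>", spn)
	}
	return parts[0], parts[1], nil
}

// lookup applies the GetCachedEntry contract: only an entry inside its
// [StartTime, EndTime) window is "valid". A ticket past EndTime but before
// RenewTill is "renewable" (renew it rather than reuse it); anything else is
// "absent" and needs a fresh TGS exchange with the KDC.
func lookup(cache map[string]cacheEntry, spn string, now time.Time) (cacheEntry, string) {
	e, ok := cache[spn]
	switch {
	case !ok:
		return cacheEntry{}, "absent"
	case !now.Before(e.StartTime) && now.Before(e.EndTime):
		return e, "valid"
	case !now.Before(e.EndTime) && now.Before(e.RenewTill):
		return e, "renewable"
	}
	return cacheEntry{}, "absent"
}

// Constructed sample: a 10-hour ticket for HTTP/www.example.com, renewable for 7 days from t0.
var t0 = time.Date(2024, 1, 1, 8, 0, 0, 0, time.UTC)
var sampleCache = map[string]cacheEntry{"HTTP/www.example.com": {SPN: "HTTP/www.example.com",
	StartTime: t0, EndTime: t0.Add(10 * time.Hour), RenewTill: t0.Add(7 * 24 * time.Hour)}}

func main() {
	_, state := lookup(sampleCache, "HTTP/www.example.com", t0.Add(time.Hour))
	fmt.Println("state:", state) // valid
}
```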
func (*Client) GetServiceTicketS4U2Proxy
func (cl *Client) GetServiceTicketS4U2Proxy(spn string, userTGS messages.Ticket) (messages.Ticket, messages.EncKDCRepPart, error)
GetServiceTicketS4U2Proxy makes a request to get a service ticket for the user to the proxy SPN specified. SPN format: <SERVICE>/<FQDN>, e.g. HTTP/www.example.com. The ticket will be added to the client's ticket cache (TODO: own cache).
func (*Client) IsConfigured
IsConfigured indicates if the client has the required values set.
func (*Client) Key
func (cl *Client) Key(etype etype.EType, kvno int, krberr *messages.KRBError) (types.EncryptionKey, int, error)
Key returns the client's encryption key for the specified encryption type and its kvno (a kvno of zero will find the latest). The key can be retrieved either from the keytab or generated from the client's password. If the client has both a keytab and a password defined, the keytab is favoured as the source for the key. A KRBError can be passed in the event the KDC returns one of type KDC_ERR_PREAUTH_REQUIRED; it is required to derive the key for pre-authentication from the client's password. If a KRBError is not available, pass nil for this argument.
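The kvno rule described for Key (exact match when a kvno is given, latest key when kvno is zero), as an added stand-alone Go example that is not gokrb5's own code. keytabEntry and selectKey are hypothetical names; the sample keytab and its key bytes are constructed placeholders, and the password-derivation path is left out.

```go
package main

import (
	"fmt"
	"sort"
)

// keytabEntry is a stand-alone model of one keytab record (not the gokrb5 type):
// key material for one principal, one encryption type, one key version.
type keytabEntry struct {
	EType int32
	KVNO  int
	Key   []byte
}

// selectKey applies the lookup rule documented for Client.Key: filter on
// encryption type, then take the exact kvno if one was asked for, or the
// highest (latest) kvno when kvno is zero. The chosen kvno is returned too,
// so the caller can place it in the EncryptedData it sends to the KDC.
func selectKey(entries []keytabEntry, etype int32, kvno int) ([]byte, int, error) {
	var matches []keytabEntry
	for _, e := range entries {
		if e.EType == etype && (kvno == 0 || e.KVNO == kvno) {
			matches = append(matches, e)
		}
	}
	if len(matches) == 0 {
		return nil, 0, fmt.Errorf("no key for etype %d kvno %d in keytab", etype, kvno)
	}
	// Newest key first: a keytab that still carries old kvnos after a rotation
	// must not make the client encrypt its pre-authentication data with a retired key.
	sort.Slice(matches, func(i, j int) bool { return matches[i].KVNO > matches[j].KVNO })
	return matches[0].Key, matches[0].KVNO, nil
}

// Constructed sample keytab: the aes256 (etype 18) key was rotated twice, the
// aes128 (etype 17) key once. Key bytes are placeholders, not real key material.
var sampleKeytab = []keytabEntry{
	{EType: 18, KVNO: 1, Key: []byte("aes256-kvno1")},
	{EType: 18, KVNO: 3, Key: []byte("aes256-kvno3")},
	{EType: 18, KVNO: 2, Key: []byte("aes256-kvno2")},
	{EType: 17, KVNO: 2, Key: []byte("aes128-kvno2")},
}

func main() {
	key, kvno, err := selectKey(sampleKeytab, 18, 0)
	fmt.Printf("key=%s kvno=%d err=%v\n", key, kvno, err) // key=aes256-kvno3 kvno=3 err=<nil>
}
```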
func (*Client) TGSExchange
func (cl *Client) TGSExchange(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, referral int) (messages.TGSReq, messages.TGSRep, error)
TGSExchange exchanges the provided TGS_REQ with the KDC to retrieve a TGS_REP. Referrals are automatically handled. The client's cache is updated with the ticket received.
func (*Client) TGSREQGenerateAndExchange
func (cl *Client) TGSREQGenerateAndExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, renewal bool) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
TGSREQGenerateAndExchange generates the TGS_REQ and performs a TGS exchange to retrieve a ticket to the specified SPN.
type Settings
type Settings struct {
	// contains filtered or unexported fields
}
Settings holds optional client settings.
func NewSettings
NewSettings creates a new client settings struct.
func (*Settings) AssumePreAuthentication
AssumePreAuthentication indicates whether the client should proactively assume that pre-authentication is required.
func (*Settings) DisablePAFXFAST
DisablePAFXFAST indicates whether the client should disable the use of PA_FX_FAST.