Documentation ¶
Overview ¶
Package client provides a client library and methods for Kerberos 5 authentication.
Index ¶
- Constants
- func SetSPNEGOHeader(creds credentials.Credentials, tkt messages.Ticket, ...) error
- type Cache
- type CacheEntry
- type Client
- func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error)
- func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart)
- func (cl *Client) ChangePasswd(newPasswd string) (bool, error)
- func (cl *Client) Destroy()
- func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool)
- func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)
- func (cl *Client) IsConfigured() (bool, error)
- func (cl *Client) Key(etype etype.EType, krberr messages.KRBError) (types.EncryptionKey, error)
- func (cl *Client) LoadConfig(cfgPath string) (*Client, error)
- func (cl *Client) Login() error
- func (cl *Client) SetSPNEGOHeader(r *http.Request, spn string) error
- func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, ...) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
- func (cl *Client) TGSREQ(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, ...) (messages.TGSReq, messages.TGSRep, error)
- func (cl *Client) WithConfig(cfg *config.Config) *Client
- func (cl *Client) WithKeytab(kt keytab.Keytab) *Client
- func (cl *Client) WithPassword(password string) *Client
- type Config
Constants ¶
    const (
        KRB5_KPASSWD_SUCCESS             = 0
        KRB5_KPASSWD_MALFORMED           = 1
        KRB5_KPASSWD_HARDERROR           = 2
        KRB5_KPASSWD_AUTHERROR           = 3
        KRB5_KPASSWD_SOFTERROR           = 4
        KRB5_KPASSWD_ACCESSDENIED        = 5
        KRB5_KPASSWD_BAD_VERSION         = 6
        KRB5_KPASSWD_INITIAL_FLAG_NEEDED = 7
    )
Kpasswd server response codes.
Variables ¶
This section is empty.
Functions ¶
func SetSPNEGOHeader ¶
func SetSPNEGOHeader(creds credentials.Credentials, tkt messages.Ticket, sessionKey types.EncryptionKey, r *http.Request) error
SetSPNEGOHeader sets the provided ticket as the SPNEGO authorization header on the HTTP request object.
Types ¶
type Cache ¶
    type Cache struct {
        Entries map[string]CacheEntry
        // contains filtered or unexported fields
    }
Cache for client tickets.
func (*Cache) RemoveEntry ¶
RemoveEntry removes the cache entry for the defined SPN.
type CacheEntry ¶
    type CacheEntry struct {
        Ticket     messages.Ticket
        AuthTime   time.Time
        StartTime  time.Time
        EndTime    time.Time
        RenewTill  time.Time
        SessionKey types.EncryptionKey
    }
CacheEntry holds details for a client cache entry.
type Client ¶
    type Client struct {
        Credentials *credentials.Credentials
        Config      *config.Config
        GoKrb5Conf  Config
        // contains filtered or unexported fields
    }
Client side configuration and state.
func NewClientFromCCache ¶
func NewClientFromCCache(c credentials.CCache) (Client, error)
NewClientFromCCache creates a client from a populated client cache.
WARNING: A client created from CCache does not automatically renew TGTs and a failure will occur after the TGT expires.
func NewClientWithKeytab ¶
NewClientWithKeytab creates a new client from a keytab credential.
func NewClientWithPassword ¶
NewClientWithPassword creates a new client from a password credential. Set the realm to an empty string to use the default realm from config.
func (*Client) ASExchange ¶
func (cl *Client) ASExchange(realm string, ASReq messages.ASReq, referral int) (messages.ASRep, error)
ASExchange performs an AS exchange for the client to retrieve a TGT.
func (*Client) AddSession ¶ added in v1.2.0
func (cl *Client) AddSession(tgt messages.Ticket, dep messages.EncKDCRepPart)
AddSession adds a session for a realm with a TGT to the client's session cache. A goroutine is started to automatically renew the TGT before expiry.
func (*Client) ChangePasswd ¶
func (cl *Client) ChangePasswd(newPasswd string) (bool, error)
ChangePasswd changes the password of the client to the value provided.
func (*Client) Destroy ¶
func (cl *Client) Destroy()
Destroy stops the auto-renewal of all sessions and removes the sessions and cache entries from the client.
func (*Client) GetCachedTicket ¶
func (cl *Client) GetCachedTicket(spn string) (messages.Ticket, types.EncryptionKey, bool)
GetCachedTicket returns a ticket from the cache for the SPN. Only a ticket that is currently valid will be returned.
func (*Client) GetServiceTicket ¶
func (cl *Client) GetServiceTicket(spn string) (messages.Ticket, types.EncryptionKey, error)
GetServiceTicket makes a request to get a service ticket for the specified SPN. SPN format: <SERVICE>/<FQDN>, e.g. HTTP/www.example.com. The ticket will be added to the client's ticket cache.
func (*Client) IsConfigured ¶
func (cl *Client) IsConfigured() (bool, error)
IsConfigured indicates whether the client has the required values set.
func (*Client) Key ¶
func (cl *Client) Key(etype etype.EType, krberr messages.KRBError) (types.EncryptionKey, error)
Key returns a key for the client, preferably from a keytab and otherwise derived from the password. The KRBError would have been returned from the KDC and must be of type KDC_ERR_PREAUTH_REQUIRED. If a KRBError is not available, pass messages.KRBError{} and a key will be returned from the credentials keytab.
func (*Client) LoadConfig ¶
func (cl *Client) LoadConfig(cfgPath string) (*Client, error)
LoadConfig loads the Kerberos configuration for the client from the file path specified.
func (*Client) SetSPNEGOHeader ¶
func (cl *Client) SetSPNEGOHeader(r *http.Request, spn string) error
SetSPNEGOHeader gets the service ticket and sets it as the SPNEGO authorization header on the HTTP request object. To auto-generate the SPN from the request object, pass an empty string "".
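The cache semantics documented for GetCachedTicket (only a currently valid ticket is returned), GetServiceTicket (cache-through, SPN in <SERVICE>/<FQDN> form) and RemoveEntry, together with the auto-generated HTTP/<host> SPN that SetSPNEGOHeader builds when given "", are shown below in a self-contained added example. This is not the client package's own code: Ticket, the fetch callback standing in for the TGS exchange, the injectable clock, the eviction of expired entries and the port-stripping/lower-casing in SPNForRequest are this example's assumptions, not behaviour the package documents.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
	"sync"
	"time"
)

// Ticket stands in for messages.Ticket (constructed for this example).
// Seq records which fetch produced it, so cache hits are observable.
type Ticket struct {
	SPN string
	Seq int
}

// CacheEntry mirrors the fields the package documents for its CacheEntry.
type CacheEntry struct {
	Ticket     Ticket
	AuthTime   time.Time
	StartTime  time.Time
	EndTime    time.Time
	RenewTill  time.Time
	SessionKey []byte
}

// Cache is a per-SPN ticket cache. The clock is injectable so expiry is testable.
type Cache struct {
	mu      sync.Mutex
	Entries map[string]CacheEntry
	now     func() time.Time
}

func NewCache(now func() time.Time) *Cache {
	if now == nil {
		now = time.Now
	}
	return &Cache{Entries: make(map[string]CacheEntry), now: now}
}

func (c *Cache) AddEntry(e CacheEntry) {
	c.mu.Lock()
	defer c.mu.Unlock()
	c.Entries[e.Ticket.SPN] = e
}

// RemoveEntry drops the cache entry for the given SPN.
func (c *Cache) RemoveEntry(spn string) {
	c.mu.Lock()
	defer c.mu.Unlock()
	delete(c.Entries, spn)
}

// GetCachedTicket returns the ticket and session key only if the ticket is
// valid now: not before StartTime and strictly before EndTime. Expired entries
// are evicted (this example's choice) so they are never handed out later.
func (c *Cache) GetCachedTicket(spn string) (Ticket, []byte, bool) {
	c.mu.Lock()
	defer c.mu.Unlock()
	e, ok := c.Entries[spn]
	if !ok {
		return Ticket{}, nil, false
	}
	now := c.now()
	if !now.Before(e.EndTime) {
		delete(c.Entries, spn)
		return Ticket{}, nil, false
	}
	if now.Before(e.StartTime) {
		return Ticket{}, nil, false
	}
	return e.Ticket, e.SessionKey, true
}

// Client holds the cache and a fetch callback that stands in for the TGS exchange.
type Client struct {
	Cache *Cache
	fetch func(spn string) (CacheEntry, error)
}

// GetServiceTicket answers from the cache when it holds a currently valid
// ticket; otherwise it performs the (simulated) exchange and caches the result.
func (cl *Client) GetServiceTicket(spn string) (Ticket, []byte, error) {
	parts := strings.SplitN(spn, "/", 2)
	if len(parts) != 2 || parts[0] == "" || parts[1] == "" {
		return Ticket{}, nil, fmt.Errorf("SPN %q is not in <SERVICE>/<FQDN> form", spn)
	}
	if tkt, key, ok := cl.Cache.GetCachedTicket(spn); ok {
		return tkt, key, nil
	}
	e, err := cl.fetch(spn)
	if err != nil {
		return Ticket{}, nil, err
	}
	cl.Cache.AddEntry(e)
	return e.Ticket, e.SessionKey, nil
}

// SPNForRequest derives "HTTP/<host>" from a request. Dropping the port, a
// trailing dot and upper case is an assumption of this example.
func SPNForRequest(r *http.Request) string {
	host := r.URL.Hostname()
	if host == "" {
		host = r.Host
		if h, _, err := net.SplitHostPort(host); err == nil {
			host = h
		}
	}
	return "HTTP/" + strings.ToLower(strings.TrimSuffix(host, "."))
}

func main() {
	n := 0
	cl := &Client{Cache: NewCache(nil), fetch: func(spn string) (CacheEntry, error) {
		n++ // each call stands for one TGS round trip
		now := time.Now()
		return CacheEntry{Ticket: Ticket{SPN: spn, Seq: n}, AuthTime: now, StartTime: now,
			EndTime: now.Add(10 * time.Hour), RenewTill: now.Add(7 * 24 * time.Hour),
			SessionKey: []byte("constructed-session-key")}, nil
	}}
	req, _ := http.NewRequest("GET", "https://www.example.com:8443/path", nil)
	spn := SPNForRequest(req)
	t1, _, _ := cl.GetServiceTicket(spn)
	t2, _, _ := cl.GetServiceTicket(spn) // cache hit: same Seq, no second fetch
	fmt.Println(spn, t1.Seq, t2.Seq, n)
}
```

The point a practitioner should take from it is the StartTime/EndTime check: a cached ticket is reused only inside its validity window, and once EndTime passes the next GetServiceTicket call goes back to the KDC rather than presenting an expired ticket to the service.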
func (*Client) TGSExchange ¶
func (cl *Client) TGSExchange(spn types.PrincipalName, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, renewal bool, referral int) (tgsReq messages.TGSReq, tgsRep messages.TGSRep, err error)
TGSExchange performs a TGS exchange to retrieve a ticket to the specified SPN. The ticket retrieved is added to the client's cache.
func (*Client) TGSREQ ¶
func (cl *Client) TGSREQ(tgsReq messages.TGSReq, kdcRealm string, tgt messages.Ticket, sessionKey types.EncryptionKey, referral int) (messages.TGSReq, messages.TGSRep, error)
TGSREQ exchanges the provided TGS_REQ with the KDC to retrieve a TGS_REP.
func (*Client) WithConfig ¶
func (cl *Client) WithConfig(cfg *config.Config) *Client
WithConfig sets the Kerberos configuration for the client.
func (*Client) WithKeytab ¶
func (cl *Client) WithKeytab(kt keytab.Keytab) *Client
WithKeytab adds a keytab to the client.
func (*Client) WithPassword ¶
func (cl *Client) WithPassword(password string) *Client
WithPassword adds a password to the client.
type Config ¶
    type Config struct {
        DisablePAFXFast              bool
        AssumePAEncTimestampRequired bool
        // contains filtered or unexported fields
    }
Config struct holds GoKRB5-specific client configuration. Set Disable_PA_FX_FAST to true to turn PA-FX-FAST off. Set Assume_PA_ENC_TIMESTAMP_Required to send the PA_ENC_TIMESTAMP pro-actively rather than waiting for a KRB_ERROR response from the KDC indicating that it is required.
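What Assume_PA_ENC_TIMESTAMP_Required buys is one fewer round trip: without it the first AS-REQ carries no pre-authentication data, the KDC answers KDC_ERR_PREAUTH_REQUIRED (the KRBError that Key expects), and the client retries with PA-ENC-TIMESTAMP. The added example below simulates that exchange against an in-memory KDC to make the difference visible; it is not gokrb5 code, and ASReq, ASRep, KDC and the RequirePreauth flag are this example's own constructs.

```go
package main

import (
	"errors"
	"fmt"
)

// Config mirrors the two documented fields.
type Config struct {
	DisablePAFXFast              bool
	AssumePAEncTimestampRequired bool
}

// ASReq stands in for messages.ASReq; only whether PA-ENC-TIMESTAMP is attached matters here.
type ASReq struct {
	Client          string
	HasEncTimestamp bool
}

// ASRep stands in for messages.ASRep.
type ASRep struct{ TGT string }

// ErrPreauthRequired models a KRBError of type KDC_ERR_PREAUTH_REQUIRED.
var ErrPreauthRequired = errors.New("KDC_ERR_PREAUTH_REQUIRED")

// KDC is a simulated KDC (constructed for this example). RoundTrips counts AS-REQs received.
type KDC struct {
	RequirePreauth bool
	RoundTrips     int
}

func (k *KDC) Handle(req ASReq) (ASRep, error) {
	k.RoundTrips++
	if k.RequirePreauth && !req.HasEncTimestamp {
		return ASRep{}, ErrPreauthRequired
	}
	return ASRep{TGT: "krbtgt for " + req.Client}, nil
}

// ASExchange attaches PA-ENC-TIMESTAMP up front only when the config says to
// assume it is required; otherwise it sends a bare AS-REQ and retries with the
// timestamp if the KDC answers KDC_ERR_PREAUTH_REQUIRED.
func ASExchange(cfg Config, kdc *KDC, client string) (ASRep, error) {
	req := ASReq{Client: client, HasEncTimestamp: cfg.AssumePAEncTimestampRequired}
	rep, err := kdc.Handle(req)
	if errors.Is(err, ErrPreauthRequired) && !req.HasEncTimestamp {
		req.HasEncTimestamp = true // in the real client this is where Key(etype, krberr) is used
		rep, err = kdc.Handle(req)
	}
	return rep, err
}

func main() {
	for _, assume := range []bool{false, true} {
		kdc := &KDC{RequirePreauth: true}
		rep, err := ASExchange(Config{AssumePAEncTimestampRequired: assume}, kdc, "alice@EXAMPLE.COM")
		fmt.Printf("assume=%v round trips=%d tgt=%q err=%v\n", assume, kdc.RoundTrips, rep.TGT, err)
	}
}
```

Against a KDC that requires pre-authentication the lazy path costs two round trips and the assumed path one; against a KDC that does not, both complete in one, so the setting is safe to enable when every KDC in the realm enforces pre-authentication.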