README ¶
gokrb5
It is recommended to use the latest version:
Development will be focused on the latest major version. New features will only be targeted at this version.
Versions | Dependency Management | Import Path | Usage | Godoc | Go Report Card |
---|---|---|---|---|---|
Go modules | import "github.com/jcmturner/gokrb5/v8/{sub-package}" | ||||
gopkg.in | import "gopkg.in/jcmturner/gokrb5.v7/{sub-package}" |
Go Version Support
gokrb5 may work with other versions of Go but they are not tested.
Features
- Pure Go - no dependency on external libraries
- No platform specific code
- Server Side
- HTTP handler wrapper implements SPNEGO Kerberos authentication
- HTTP handler wrapper decodes Microsoft AD PAC authorization data
- Client Side
- Client that can authenticate to an SPNEGO Kerberos authenticated web service
- Ability to change client's password
- General
- Kerberos libraries for custom integration
- Parsing Keytab files
- Parsing krb5.conf files
- Parsing client credentials cache files such as
/tmp/krb5cc_$(id -u $(whoami))
Implemented Encryption & Checksum Types
Implementation | Encryption ID | Checksum ID | RFC |
---|---|---|---|
des3-cbc-sha1-kd | 16 | 12 | 3961 |
aes128-cts-hmac-sha1-96 | 17 | 15 | 3962 |
aes256-cts-hmac-sha1-96 | 18 | 16 | 3962 |
aes128-cts-hmac-sha256-128 | 19 | 19 | 8009 |
aes256-cts-hmac-sha384-192 | 20 | 20 | 8009 |
rc4-hmac | 23 | -138 | 4757 |
The following is working/tested:
- Tested against MIT KDC (1.6.3 is the oldest version tested against) and Microsoft Active Directory (Windows 2008 R2)
- Tested against a KDC that supports PA-FX-FAST.
- Tested against users that have pre-authentication required using PA-ENC-TIMESTAMP.
- Microsoft PAC Authorization Data is processed and exposed in the HTTP request context. Available if Microsoft Active Directory is used as the KDC.
Contributing
If you are interested in contributing to gokrb5, great! Please read the contribution guidelines.
References
- RFC 3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
- RFC 4120 The Kerberos Network Authentication Service (V5)
- RFC 3961 Encryption and Checksum Specifications for Kerberos 5
- RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
- RFC 4121 The Kerberos Version 5 GSS-API Mechanism
- RFC 4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
- RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
- RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows
- RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
- RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
- RFC 8009 AES Encryption with HMAC-SHA2 for Kerberos 5
- IANA Assigned Kerberos Numbers
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 1
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 2
- Microsoft PAC Validation
- Microsoft Kerberos Protocol Extensions
- Windows Data Types
Useful Links
Thanks
- Greg Hudson from the MIT Consortium for Kerberos and Internet Trust for providing useful advice.
Contributing
Thank you for your interest in contributing to gokrb5 please read the contribution guide as it should help you get started.
Known Issues
Issue | Worked around? | References |
---|---|---|
The Go standard library's encoding/asn1 package cannot unmarshal into slice of asn1.RawValue | Yes | https://github.com/golang/go/issues/17321 |
The Go standard library's encoding/asn1 package cannot marshal into a GeneralString | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18832 |
The Go standard library's encoding/asn1 package cannot marshal into slice of strings and pass stringtype parameter tags to members | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18834 |
The Go standard library's encoding/asn1 package cannot marshal with application tags | Yes | |
The Go standard library's x/crypto/pbkdf2.Key function uses the int type for iteraction count limiting meaning the 4294967296 count specified in https://tools.ietf.org/html/rfc3962 section 4 cannot be met on 32bit systems | Yes - using https://github.com/jcmturner/gofork/tree/master/x/crypto/pbkdf2 | https://go-review.googlesource.com/c/crypto/+/85535 |
Documentation ¶
Overview ¶
Package gokrb5 provides a Kerberos 5 implementation for Go.
This is a pure Go implementation and does not have dependencies on native libraries.
Feature include:
Server Side ¶
HTTP handler wrapper implements SPNEGO Kerberos authentication.
HTTP handler wrapper decodes Microsoft AD PAC authorization data.
Client Side ¶
Client that can authenticate to an SPNEGO Kerberos authenticated web service.
Ability to change client's password.
General ¶
Kerberos libraries for custom integration.
Parsing Keytab files.
Parsing krb5.conf files.
Directories ¶
Path | Synopsis |
---|---|
Package asn1tools provides tools for managing ASN1 marshaled data.
|
Package asn1tools provides tools for managing ASN1 marshaled data. |
Package client provides a client library and methods for Kerberos 5 authentication.
|
Package client provides a client library and methods for Kerberos 5 authentication. |
Package config implements KRB5 client and service configuration as described at https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html
|
Package config implements KRB5 client and service configuration as described at https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html |
Package credentials provides credentials management for Kerberos 5 authentication.
|
Package credentials provides credentials management for Kerberos 5 authentication. |
Package crypto implements cryptographic functions for Kerberos 5 implementation.
|
Package crypto implements cryptographic functions for Kerberos 5 implementation. |
common
Package common provides encryption methods common across encryption types
|
Package common provides encryption methods common across encryption types |
etype
Package etype provides the Kerberos Encryption Type interface
|
Package etype provides the Kerberos Encryption Type interface |
rfc3961
Package rfc3961 provides encryption and checksum methods as specified in RFC 3961
|
Package rfc3961 provides encryption and checksum methods as specified in RFC 3961 |
rfc3962
Package rfc3962 provides encryption and checksum methods as specified in RFC 3962
|
Package rfc3962 provides encryption and checksum methods as specified in RFC 3962 |
rfc4757
Package rfc4757 provides encryption and checksum methods as specified in RFC 4757
|
Package rfc4757 provides encryption and checksum methods as specified in RFC 4757 |
rfc8009
Package rfc8009 provides encryption and checksum methods as specified in RFC 8009
|
Package rfc8009 provides encryption and checksum methods as specified in RFC 8009 |
Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication.
|
Package gssapi implements Generic Security Services Application Program Interface required for SPNEGO kerberos authentication. |
Package iana provides Kerberos 5 assigned numbers.
|
Package iana provides Kerberos 5 assigned numbers. |
addrtype
Package addrtype provides Address type assigned numbers.
|
Package addrtype provides Address type assigned numbers. |
adtype
Package adtype provides Authenticator type assigned numbers.
|
Package adtype provides Authenticator type assigned numbers. |
asnAppTag
Package asnAppTag provides ASN1 application tag numbers.
|
Package asnAppTag provides ASN1 application tag numbers. |
chksumtype
Package chksumtype provides Kerberos 5 checksum type assigned numbers.
|
Package chksumtype provides Kerberos 5 checksum type assigned numbers. |
errorcode
Package errorcode provides Kerberos 5 assigned error codes.
|
Package errorcode provides Kerberos 5 assigned error codes. |
etypeID
Package etypeID provides Kerberos 5 encryption type assigned numbers.
|
Package etypeID provides Kerberos 5 encryption type assigned numbers. |
flags
Package flags provides Kerberos 5 flag assigned numbers.
|
Package flags provides Kerberos 5 flag assigned numbers. |
keyusage
Package keyusage provides Kerberos 5 key usage assigned numbers.
|
Package keyusage provides Kerberos 5 key usage assigned numbers. |
msgtype
Package msgtype provides Kerberos 5 message type assigned numbers.
|
Package msgtype provides Kerberos 5 message type assigned numbers. |
nametype
Package nametype provides Kerberos 5 principal name type numbers.
|
Package nametype provides Kerberos 5 principal name type numbers. |
patype
Package patype provides Kerberos 5 pre-authentication type assigned numbers.
|
Package patype provides Kerberos 5 pre-authentication type assigned numbers. |
trtype
Package trtype provides Transited Encoding Type assigned numbers.
|
Package trtype provides Transited Encoding Type assigned numbers. |
Package kadmin provides Kerberos administration capabilities.
|
Package kadmin provides Kerberos administration capabilities. |
Package keytab implements Kerberos keytabs: https://web.mit.edu/kerberos/krb5-devel/doc/formats/keytab_file_format.html.
|
Package keytab implements Kerberos keytabs: https://web.mit.edu/kerberos/krb5-devel/doc/formats/keytab_file_format.html. |
Package krberror provides error type and functions for gokrb5.
|
Package krberror provides error type and functions for gokrb5. |
Package messages implements Kerberos 5 message types and methods.
|
Package messages implements Kerberos 5 message types and methods. |
Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing.
|
Package pac implements Microsoft Privilege Attribute Certificate (PAC) processing. |
Package service provides server side integrations for Kerberos authentication.
|
Package service provides server side integrations for Kerberos authentication. |
Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication.
|
Package spnego implements the Simple and Protected GSSAPI Negotiation Mechanism for Kerberos authentication. |
Package test provides useful resources for the testing of gokrb5.
|
Package test provides useful resources for the testing of gokrb5. |
Package types provides Kerberos 5 data types.
|
Package types provides Kerberos 5 data types. |