krb5

package
v1.1.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 20, 2024 License: MIT Imports: 27 Imported by: 0

README

MS Kerberos Support

SHA-2 Support

Link

Windows systems do not support RFC8009 encryption types (SHA-2-based) at
all. Microsoft engineer gave a hint they are working on their support
for ~2025 but it will not be backported.

IPA KDC defaults to RFC8009 and only falls back to SHA-1-based ones
for trust to Active Directory. There are few places in MIT Kerberos KDC
where a choice of the signature or encryption type is made based on the
strongest key available for the krbtgt/... principal, which is always a
SHA-2-based one for new IPA deployments. For cross-realm operations we
have special logic to fall back to SHA-1-based ones for AD DCs. For
in-realm operations we don't and shouldn't as it would be a security
issue (downgrade of encryption algorithm to a less secure one).

Documentation

Overview

This package implements the KRB5 security service client as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/190ab8de-dc42-49cf-bf1b-ea5705b7a087.

This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).

Index

Constants

This section is empty.

Variables

View Source 
var DefaultKRB5ConfPath = "/etc/krb5.conf"
View Source 
var (
	MechanismType = gssapi.OID{1, 2, 840, 113554, 1, 2, 2}
)

Functions

func AddEntry added in v1.0.3 

func AddEntry(kt *keytab.Keytab, entry *Entry) error

FIXME: this is a workaround to add an entry to the keytab.

func IsValidCredential 

func IsValidCredential(cred any) bool

func LoadKRB5Conf 

func LoadKRB5Conf(p string) (*config.Config, error)

func ParsedLibDefaults 

func ParsedLibDefaults(c *config.Config) *config.Config

func WithNTHash added in v1.0.3 

func WithNTHash(creds *credentials.Credentials, ntHash []byte, kvno int) *credentials.Credentials

Types

type APRep 

type APRep struct {
	messages.APRep
	EncAPRepPart
}

func (*APRep) DecryptEncPart 

func (m *APRep) DecryptEncPart(key types.EncryptionKey) error

func (*APRep) EncryptEncPart 

func (m *APRep) EncryptEncPart(e EncAPRepPart, key types.EncryptionKey) error

func (*APRep) Marshal 

func (m *APRep) Marshal() ([]byte, error)

func (*APRep) MarshalWithEncPart 

func (m *APRep) MarshalWithEncPart(e EncAPRepPart, key types.EncryptionKey) ([]byte, error)

func (*APRep) MarshalWithSeqNumber 

func (m *APRep) MarshalWithSeqNumber(seqNum int64, key types.EncryptionKey) ([]byte, error)

func (*APRep) SequenceNumber 

func (m *APRep) SequenceNumber() int64

func (*APRep) Unmarshal 

func (m *APRep) Unmarshal(b []byte) error

type APReq 

type APReq messages.APReq

func (*APReq) DecryptAuthenticator 

func (m *APReq) DecryptAuthenticator(key types.EncryptionKey) error

func (*APReq) Marshal 

func (m *APReq) Marshal() ([]byte, error)

func (*APReq) SequenceNumber 

func (m *APReq) SequenceNumber() int64

func (*APReq) Unmarshal 

func (m *APReq) Unmarshal(b []byte) error

type Authentifier 

type Authentifier struct {
	// The authentifier configuration.
	Config *Config

	// The AP Req message.
	APReq *APReq
	// The AP Rep message.
	APRep *APRep
	// The session key.
	SessionKey types.EncryptionKey
	// Exported session key.
	ExportedSessionKey []byte
	// contains filtered or unexported fields
}

func (*Authentifier) APReply 

func (a *Authentifier) APReply(ctx context.Context, b []byte) ([]byte, error)

func (*Authentifier) APRequest 

func (a *Authentifier) APRequest(ctx context.Context) ([]byte, error)

func (*Authentifier) MakeInboundSignature 

func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) MakeOutboundSignature 

func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) OutboundSignatureSize 

func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int

func (*Authentifier) UnwrapInboundPayload 

func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) (bool, error)

func (*Authentifier) WrapOutboundPayload 

func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)

type Config 

type Config struct {
	// IsServer.
	IsServer bool
	// The client credential.
	Credential Credential
	// The kerberos config file.
	KRB5Config *config.Config
	// The kerberos config file path.
	KRB5ConfigPath string
	// The credentials cache file path.
	CCachePath string
	// The GSSAPI flags.
	Flags []int
	// The Kerberos Options.
	APOptions []int

	// common.
	DCEStyle bool

	// KeytabPrincipal used to override the principal name
	// used to find the key in the keytab.
	KeytabPrincipal string
	// SName used provide a specific service name to the
	// service settings.
	SName string
	// RequireHostAddr indicates if the service should require
	// the host address to be included in the ticket.
	RequireHostAddr bool
	// DisablePACDecoding used to configure service side to
	// enable/disable PAC decoding if the PAC is present.
	// Defaults to enabled if not specified.
	DisablePACDecoding bool
	// ClientAddress used to configure service side with the
	// clients host address to be used during validation.
	ClientAddress *types.HostAddress
	// MaxClockSkew returns the maximum acceptable clock skew
	// between the service and the issue time of kerberos tickets.
	// If none is defined a duration of 5 minutes is returned.
	MaxClockSkew time.Duration

	// DisablePAFXFAST used to configure the client to not use
	// PA_FX_FAST.
	DisablePAFXFAST bool
	// AssumePreAuthentication used to configure the client to
	// assume pre-authentication is required.
	AssumePreAuthentication bool
}

The Kerberos Version 5 Configuration.

func NewConfig 

func NewConfig() *Config

NewConfig function returns the default configuration. (or configuration under KRB5_CONFIG environment variable).

func (*Config) ClientSettings 

func (c *Config) ClientSettings() []func(*client.Settings)

ClientSettings function returns the set of options for the kerberos client.

func (*Config) Copy added in v1.1.1 

func (c *Config) Copy() gssapi.MechanismConfig

func (*Config) FlagIsSet added in v1.1.1 

func (c *Config) FlagIsSet(f gssapi.Cap) bool

func (*Config) ServiceSettings 

func (c *Config) ServiceSettings() []func(*service.Settings)

ServiceSettings function returns the set of options for the service settings.

func (Config) Type 

func (Config) Type() gssapi.OID

type Credential 

type Credential = credential.Credential

The generic credential.

type EncAPRepPart 

type EncAPRepPart messages.EncAPRepPart

func (*EncAPRepPart) Marshal 

func (m *EncAPRepPart) Marshal() ([]byte, error)

func (*EncAPRepPart) Unmarshal 

func (m *EncAPRepPart) Unmarshal(b []byte) error

type Entry added in v1.0.3 

type Entry struct {
	// Principal is the principal name.
	Principal Principal
	// Timestamp is the timestamp of the key.
	Timestamp time.Time
	// KVNO8 is the key version number.
	KVNO8 uint8
	// Key is the encryption key.
	Key types.EncryptionKey
	// KVNO is the key version number.
	KVNO uint32
}

Entry represents a keytab entry.

type Mechanism 

type Mechanism struct {
	*Authentifier
}

func (*Mechanism) Accept 

func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context accept call.

func (Mechanism) DefaultConfig 

func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)

DefaultConfig function returns the default config.

func (*Mechanism) Init 

func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context init call.

func (*Mechanism) MakeSignature 

func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

MakeSignature token.

func (*Mechanism) MakeSignatureEx 

func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

func (Mechanism) New 

func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)

New function returns the new mechanism instance from the GSSAPI configuration.

func (Mechanism) Type 

func (Mechanism) Type() gssapi.OID

The mechanism type object identifier.

func (*Mechanism) Unwrap 

func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Unwrap token.

func (*Mechanism) UnwrapEx 

func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

UnwrapEx function accepts the list of encrypted payloads and signature and returns the unencrypted paylaod.

func (*Mechanism) VerifySignature 

func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error

VerifySignature token.

func (*Mechanism) VerifySignatureEx 

func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error

func (*Mechanism) Wrap 

func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Wrap token.

func (*Mechanism) WrapEx 

func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.

func (*Mechanism) WrapSizeLimit 

func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int

The maximum message size for the given limit. (and flag determining if conf is required).

type Principal added in v1.0.3 

type Principal struct {
	// NumComponents.
	NumComponents int16 `json:"-"`
	// Realm.
	Realm string
	// Components.
	Components []string
	// NameType.
	NameType int32
}

Principal represents a keytab principal.

type SecurityService 

type SecurityService struct {
	Key                    types.EncryptionKey
	IsSubKey               bool
	OutboundSequenceNumber uint64
	InboundSequenceNumber  uint64
	OutboundCipher         crypto.Cipher
	InboundCipher          crypto.Cipher
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.