Overview ¶
This package implements the KRB5 security service client as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/190ab8de-dc42-49cf-bf1b-ea5705b7a087.
This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).
Index ¶
- Variables
- func AddEntry(kt *keytab.Keytab, entry *Entry) error
- func IsValidCredential(cred any) bool
- func LoadKRB5Conf(p string) (*config.Config, error)
- func ParsedLibDefaults(c *config.Config) *config.Config
- func WithNTHash(creds *credentials.Credentials, ntHash []byte, kvno int) *credentials.Credentials
- type APRep
- func (m *APRep) DecryptEncPart(key types.EncryptionKey) error
- func (m *APRep) EncryptEncPart(e EncAPRepPart, key types.EncryptionKey) error
- func (m *APRep) Marshal() ([]byte, error)
- func (m *APRep) MarshalWithEncPart(e EncAPRepPart, key types.EncryptionKey) ([]byte, error)
- func (m *APRep) MarshalWithSeqNumber(seqNum int64, key types.EncryptionKey) ([]byte, error)
- func (m *APRep) SequenceNumber() int64
- func (m *APRep) Unmarshal(b []byte) error
- type APReq
- type Authentifier
- func (a *Authentifier) APReply(ctx context.Context, b []byte) ([]byte, error)
- func (a *Authentifier) APRequest(ctx context.Context) ([]byte, error)
- func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)
- func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)
- func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int
- func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) (bool, error)
- func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)
- type Config
- type Credential
- type EncAPRepPart
- type Entry
- type Mechanism
- func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)
- func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)
- func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)
- func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)
- func (Mechanism) Type() gssapi.OID
- func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error
- func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error
- func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
- func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
- func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int
- type Principal
- type SecurityService
Variables ¶
// DefaultKRB5ConfPath is the krb5.conf location used when no explicit
// KRB5ConfigPath is configured (presumably consulted by NewConfig and
// LoadKRB5Conf — confirm against their implementations).
var DefaultKRB5ConfPath = "/etc/krb5.conf"

var (
	// MechanismType is the GSS-API mechanism OID for Kerberos V5
	// (1.2.840.113554.1.2.2, RFC 1964); Mechanism.Type reports it.
	MechanismType = gssapi.OID{1, 2, 840, 113554, 1, 2, 2}
)
Functions ¶
func IsValidCredential ¶
func WithNTHash ¶ added in v1.0.3
func WithNTHash(creds *credentials.Credentials, ntHash []byte, kvno int) *credentials.Credentials
Types ¶
type APRep ¶
// APRep is an AP-REP message together with the EncAPRepPart that
// DecryptEncPart / EncryptEncPart read from or write into its
// encrypted part. Both members are embedded, so the messages.APRep
// fields and the EncAPRepPart fields are promoted onto APRep.
type APRep struct {
	messages.APRep
	EncAPRepPart
}
func (*APRep) DecryptEncPart ¶
func (m *APRep) DecryptEncPart(key types.EncryptionKey) error
func (*APRep) EncryptEncPart ¶
func (m *APRep) EncryptEncPart(e EncAPRepPart, key types.EncryptionKey) error
func (*APRep) MarshalWithEncPart ¶
func (m *APRep) MarshalWithEncPart(e EncAPRepPart, key types.EncryptionKey) ([]byte, error)
func (*APRep) MarshalWithSeqNumber ¶
func (*APRep) SequenceNumber ¶
type APReq ¶
func (*APReq) DecryptAuthenticator ¶
func (m *APReq) DecryptAuthenticator(key types.EncryptionKey) error
func (*APReq) SequenceNumber ¶
type Authentifier ¶
// Authentifier holds the state of one Kerberos AP exchange (AP-REQ /
// AP-REP) and the resulting session key. The Wrap/Sign helpers on this
// type presumably derive their keys from SessionKey — confirm in the
// method bodies.
type Authentifier struct {
	// The authentifier configuration.
	Config *Config
	// The AP Req message.
	APReq *APReq
	// The AP Rep message.
	APRep *APRep
	// The session key.
	// NOTE(review): this is secret key material; do not log or dump the
	// struct with %+v / %#v, and zero it when the context is discarded
	// if the surrounding code allows.
	SessionKey types.EncryptionKey
	// contains filtered or unexported fields
}
func (*Authentifier) APRequest ¶
func (a *Authentifier) APRequest(ctx context.Context) ([]byte, error)
func (*Authentifier) MakeInboundSignature ¶
func (*Authentifier) MakeOutboundSignature ¶
func (*Authentifier) OutboundSignatureSize ¶
func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int
func (*Authentifier) UnwrapInboundPayload ¶
func (*Authentifier) WrapOutboundPayload ¶
type Config ¶
// Config holds the Kerberos Version 5 configuration shared by the client
// (initiator) and service (acceptor) sides. ClientSettings and
// ServiceSettings turn it into the respective option sets.
type Config struct {
	// IsServer selects the service (acceptor) side — presumably the
	// switch between ClientSettings and ServiceSettings; confirm.
	IsServer bool
	// The client credential.
	Credential Credential
	// The kerberos config file.
	KRB5Config *config.Config
	// The kerberos config file path.
	KRB5ConfigPath string
	// The credentials cache file path.
	// NOTE(review): the cache holds tickets and session keys; it should
	// be readable only by the owning user.
	CCachePath string
	// The GSSAPI flags (presumably gssapi flag constants — confirm).
	Flags []int
	// The Kerberos AP options.
	APOptions []int
	// DCEStyle requests DCE-style context establishment
	// (GSS_C_DCE_STYLE semantics) — the original comment reads only
	// "common"; confirm how Init/Accept consume it.
	DCEStyle bool
	// KeytabPrincipal used to override the principal name
	// used to find the key in the keytab.
	KeytabPrincipal string
	// SName used provide a specific service name to the
	// service settings.
	SName string
	// RequireHostAddr indicates if the service should require
	// the host address to be included in the ticket.
	RequireHostAddr bool
	// DisablePACDecoding used to configure service side to
	// enable/disable PAC decoding if the PAC is present.
	// Defaults to enabled if not specified.
	// NOTE(review): with decoding disabled the service does not read the
	// PAC's authorization data; callers that make authorization
	// decisions from the PAC must leave this enabled.
	DisablePACDecoding bool
	// ClientAddress used to configure service side with the
	// clients host address to be used during validation.
	ClientAddress *types.HostAddress
	// MaxClockSkew returns the maximum acceptable clock skew
	// between the service and the issue time of kerberos tickets.
	// If none is defined a duration of 5 minutes is returned.
	// NOTE(review): a larger skew widens the window in which an old
	// authenticator is still accepted; keep it as small as the
	// deployment's clock synchronisation allows.
	MaxClockSkew time.Duration
	// DisablePAFXFAST used to configure the client to not use
	// PA_FX_FAST.
	// NOTE(review): FAST (RFC 6113) armors the pre-authentication
	// exchange; disabling it weakens protection of the password-derived
	// key. Leave enabled unless the KDC does not support it.
	DisablePAFXFAST bool
	// AssumePreAuthentication used to configure the client to
	// assume pre-authentication is required.
	AssumePreAuthentication bool
}
Config holds the Kerberos Version 5 configuration.
func NewConfig ¶
func NewConfig() *Config
NewConfig returns the default configuration, or the configuration found at the path given by the KRB5_CONFIG environment variable.
func (*Config) ClientSettings ¶
ClientSettings returns the set of options for the Kerberos client.
func (*Config) ServiceSettings ¶
ServiceSettings returns the set of options for the service side.
type EncAPRepPart ¶
// EncAPRepPart is a defined type over messages.EncAPRepPart so that the
// package can attach its own Marshal/Unmarshal methods to it.
type EncAPRepPart messages.EncAPRepPart
func (*EncAPRepPart) Marshal ¶
func (m *EncAPRepPart) Marshal() ([]byte, error)
func (*EncAPRepPart) Unmarshal ¶
func (m *EncAPRepPart) Unmarshal(b []byte) error
type Entry ¶ added in v1.0.3
// Entry represents a keytab entry as consumed by AddEntry.
// NOTE(review): both KVNO8 and KVNO are documented as "the key version
// number"; presumably KVNO8 is the 8-bit field of the keytab record and
// KVNO the 32-bit extension — confirm which one AddEntry writes.
type Entry struct {
	// Principal is the principal name.
	Principal Principal
	// Timestamp is the timestamp of the key.
	Timestamp time.Time
	// KVNO8 is the key version number.
	KVNO8 uint8
	// Key is the encryption key.
	// NOTE(review): long-term key material; never log it.
	Key types.EncryptionKey
	// KVNO is the key version number.
	KVNO uint32
}
Entry represents a keytab entry.
type Mechanism ¶
// Mechanism is the KRB5 GSS-API mechanism (New returns it as a
// gssapi.Mechanism, Type reports MechanismType). It embeds the
// Authentifier that carries the AP exchange state and session key.
type Mechanism struct {
	*Authentifier
}
func (Mechanism) DefaultConfig ¶
DefaultConfig returns the default configuration.
func (*Mechanism) MakeSignature ¶
func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
MakeSignature signs the message token.
func (*Mechanism) MakeSignatureEx ¶
func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
func (Mechanism) New ¶
New returns a new mechanism instance built from the GSSAPI configuration.
func (*Mechanism) Unwrap ¶
func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
Unwrap unwraps the message token.
func (*Mechanism) UnwrapEx ¶
func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
UnwrapEx accepts the list of encrypted payloads together with their signature and returns the decrypted payload.
func (*Mechanism) VerifySignature ¶
VerifySignature verifies the signature on the message token.
func (*Mechanism) VerifySignatureEx ¶
func (*Mechanism) Wrap ¶
func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)
Wrap wraps the message token.
func (*Mechanism) WrapEx ¶
func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)
WrapEx accepts the list of unencrypted payloads and returns the encrypted payload and its signature.