krb5

package
v1.0.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 29, 2024 License: MIT Imports: 26 Imported by: 0

README

MS Kerberos Support

SHA-2 Support

Link

Windows systems do not support RFC8009 encryption types (SHA-2-based) at
all. Microsoft engineer gave a hint they are working on their support
for ~2025 but it will not be backported.

IPA KDC defaults to RFC8009 and only falls back to SHA-1-based ones
for trust to Active Directory. There are few places in MIT Kerberos KDC
where a choice of the signature or encryption type is made based on the
strongest key available for the krbtgt/... principal, which is always a
SHA-2-based one for new IPA deployments. For cross-realm operations we
have special logic to fall back to SHA-1-based ones for AD DCs. For
in-realm operations we don't and shouldn't as it would be a security
issue (downgrade of encryption algorithm to a less secure one).

Documentation

Overview

This package implements the KRB5 security service client as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/190ab8de-dc42-49cf-bf1b-ea5705b7a087.

This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).

Index

Constants

This section is empty.

Variables

View Source
var DefaultKRB5ConfPath = "/etc/krb5.conf"
View Source
var (
	MechanismType = gssapi.OID{1, 2, 840, 113554, 1, 2, 2}
)

Functions

func AddEntry added in v1.0.3

func AddEntry(kt *keytab.Keytab, entry *Entry) error

FIXME: this is a workaround to add an entry to the keytab.

func IsValidCredential

func IsValidCredential(cred any) bool

func LoadKRB5Conf

func LoadKRB5Conf(p string) (*config.Config, error)

func ParsedLibDefaults

func ParsedLibDefaults(c *config.Config) *config.Config

func WithNTHash added in v1.0.3

func WithNTHash(creds *credentials.Credentials, ntHash []byte, kvno int) *credentials.Credentials

Types

type APRep

type APRep struct {
	messages.APRep
	EncAPRepPart
}

func (*APRep) DecryptEncPart

func (m *APRep) DecryptEncPart(key types.EncryptionKey) error

func (*APRep) EncryptEncPart

func (m *APRep) EncryptEncPart(e EncAPRepPart, key types.EncryptionKey) error

func (*APRep) Marshal

func (m *APRep) Marshal() ([]byte, error)

func (*APRep) MarshalWithEncPart

func (m *APRep) MarshalWithEncPart(e EncAPRepPart, key types.EncryptionKey) ([]byte, error)

func (*APRep) MarshalWithSeqNumber

func (m *APRep) MarshalWithSeqNumber(seqNum int64, key types.EncryptionKey) ([]byte, error)

func (*APRep) SequenceNumber

func (m *APRep) SequenceNumber() int64

func (*APRep) Unmarshal

func (m *APRep) Unmarshal(b []byte) error

type APReq

type APReq messages.APReq

func (*APReq) DecryptAuthenticator

func (m *APReq) DecryptAuthenticator(key types.EncryptionKey) error

func (*APReq) Marshal

func (m *APReq) Marshal() ([]byte, error)

func (*APReq) SequenceNumber

func (m *APReq) SequenceNumber() int64

func (*APReq) Unmarshal

func (m *APReq) Unmarshal(b []byte) error

type Authentifier

type Authentifier struct {
	// The authentifier configuration.
	Config *Config

	// The AP Req message.
	APReq *APReq
	// The AP Rep message.
	APRep *APRep
	// The session key.
	SessionKey types.EncryptionKey
	// contains filtered or unexported fields
}

func (*Authentifier) APReply

func (a *Authentifier) APReply(ctx context.Context, b []byte) ([]byte, error)

func (*Authentifier) APRequest

func (a *Authentifier) APRequest(ctx context.Context) ([]byte, error)

func (*Authentifier) MakeInboundSignature

func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) MakeOutboundSignature

func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) OutboundSignatureSize

func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int

func (*Authentifier) UnwrapInboundPayload

func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) (bool, error)

func (*Authentifier) WrapOutboundPayload

func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)

type Config

type Config struct {
	// IsServer.
	IsServer bool
	// The client credential.
	Credential Credential
	// The kerberos config file.
	KRB5Config *config.Config
	// The kerberos config file path.
	KRB5ConfigPath string
	// The credentials cache file path.
	CCachePath string
	// The GSSAPI flags.
	Flags []int
	// The Kerberos Options.
	APOptions []int

	// common.
	DCEStyle bool

	// KeytabPrincipal used to override the principal name
	// used to find the key in the keytab.
	KeytabPrincipal string
	// SName used provide a specific service name to the
	// service settings.
	SName string
	// RequireHostAddr indicates if the service should require
	// the host address to be included in the ticket.
	RequireHostAddr bool
	// DisablePACDecoding used to configure service side to
	// enable/disable PAC decoding if the PAC is present.
	// Defaults to enabled if not specified.
	DisablePACDecoding bool
	// ClientAddress used to configure service side with the
	// clients host address to be used during validation.
	ClientAddress *types.HostAddress
	// MaxClockSkew returns the maximum acceptable clock skew
	// between the service and the issue time of kerberos tickets.
	// If none is defined a duration of 5 minutes is returned.
	MaxClockSkew time.Duration

	// DisablePAFXFAST used to configure the client to not use
	// PA_FX_FAST.
	DisablePAFXFAST bool
	// AssumePreAuthentication used to configure the client to
	// assume pre-authentication is required.
	AssumePreAuthentication bool
}

The Kerberos Version 5 Configuration.

func NewConfig

func NewConfig() *Config

NewConfig function returns the default configuration. (or configuration under KRB5_CONFIG environment variable).

func (*Config) ClientSettings

func (c *Config) ClientSettings() []func(*client.Settings)

ClientSettings function returns the set of options for the kerberos client.

func (*Config) ServiceSettings

func (c *Config) ServiceSettings() []func(*service.Settings)

ServiceSettings function returns the set of options for the service settings.

func (Config) Type

func (Config) Type() gssapi.OID

type Credential

type Credential = credential.Credential

The generic credential.

type EncAPRepPart

type EncAPRepPart messages.EncAPRepPart

func (*EncAPRepPart) Marshal

func (m *EncAPRepPart) Marshal() ([]byte, error)

func (*EncAPRepPart) Unmarshal

func (m *EncAPRepPart) Unmarshal(b []byte) error

type Entry added in v1.0.3

type Entry struct {
	// Principal is the principal name.
	Principal Principal
	// Timestamp is the timestamp of the key.
	Timestamp time.Time
	// KVNO8 is the key version number.
	KVNO8 uint8
	// Key is the encryption key.
	Key types.EncryptionKey
	// KVNO is the key version number.
	KVNO uint32
}

Entry represents a keytab entry.

type Mechanism

type Mechanism struct {
	*Authentifier
}

func (*Mechanism) Accept

func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context accept call.

func (Mechanism) DefaultConfig

func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)

DefaultConfig function returns the default config.

func (*Mechanism) Init

func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context init call.

func (*Mechanism) MakeSignature

func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

MakeSignature token.

func (*Mechanism) MakeSignatureEx

func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

func (Mechanism) New

New function returns the new mechanism instance from the GSSAPI configuration.

func (Mechanism) Type

func (Mechanism) Type() gssapi.OID

The mechanism type object identifier.

func (*Mechanism) Unwrap

Unwrap token.

func (*Mechanism) UnwrapEx

UnwrapEx function accepts the list of encrypted payloads and signature and returns the unencrypted paylaod.

func (*Mechanism) VerifySignature

func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error

VerifySignature token.

func (*Mechanism) VerifySignatureEx

func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error

func (*Mechanism) Wrap

Wrap token.

func (*Mechanism) WrapEx

WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.

func (*Mechanism) WrapSizeLimit

func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int

The maximum message size for the given limit. (and flag determining if conf is required).

type Principal added in v1.0.3

type Principal struct {
	// NumComponents.
	NumComponents int16 `json:"-"`
	// Realm.
	Realm string
	// Components.
	Components []string
	// NameType.
	NameType int32
}

Principal represents a keytab principal.

type SecurityService

type SecurityService struct {
	Key                    types.EncryptionKey
	IsSubKey               bool
	OutboundSequenceNumber uint64
	InboundSequenceNumber  uint64
	OutboundCipher         crypto.Cipher
	InboundCipher          crypto.Cipher
}

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL