gss

package

v0.0.0-...-513c08a Latest Latest Go to latest Published: Aug 25, 2019 License: BSD-3-Clause Imports: 20 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/tidalf/tsig

Links

Open Source Insights

Documentation ¶

Rendered for

Overview ¶

Package gss implements RFC 3645 GSS-TSIG functions. This permits sending signed dynamic DNS update messages to Windows servers that have the zone require "Secure only" updates.

Example client:

import (
        "fmt"
        "net"
        "time"

        "github.com/tidalf/tsig"
        c "github.com/tidalf/tsig/client"
        "github.com/tidalf/tsig/gss"
        "github.com/miekg/dns"
)

func main() {
        host := "ns.example.com"

        g, err := gss.New()
        if err != nil {
                panic(err)
        }
        defer g.Close()

        // Negotiate a context with the chosen server using the
        // current user. See also g.NegotiateContextWithCredentials()
        // and g.NegotiateContextWithKeytab() for alternatives
        keyname, _, err := g.NegotiateContext(host)
        if err != nil {
                panic(err)
        }

        client := c.Client{}
        client.Net = "tcp"
        client.TsigAlgorithm = map[string]*c.TsigAlgorithm{
                tsig.GSS: {
                        Generate: g.GenerateGSS,
                        Verify:   g.VerifyGSS,
                },
        }
        client.TsigSecret = map[string]string{*keyname: ""}

        // Use the DNS client as normal

        msg := new(dns.Msg)
        msg.SetUpdate(dns.Fqdn("example.com"))

        insert, err := dns.NewRR("test.example.com. 300 A 192.0.2.1")
        if err != nil {
                panic(err)
        }
        msg.Insert([]dns.RR{insert})

        msg.SetTsig(*keyname, tsig.GSS, 300, time.Now().Unix())

        rr, _, err := client.Exchange(msg, net.JoinHostPort(host, "53"))
        if err != nil {
                panic(err)
        }

        if rr.Rcode != dns.RcodeSuccess {
                fmt.Printf("DNS error: %s (%d)\n", dns.RcodeToString[rr.Rcode], rr.Rcode)
        }

        // Cleanup the context
        err = g.DeleteContext(keyname)
        if err != nil {
                panic(err)
        }
}

Under the hood, GSSAPI is used on platforms other than Windows whilst Windows uses native SSPI which has a similar API.

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type GSS ¶

type GSS struct {
	// contains filtered or unexported fields
}

GSS maps the TKEY name to the context that negotiated it as well as any other internal state.

func New ¶

func New() (*GSS, error)

New performs any library initialization necessary. It returns a context handle for any further functions along with any error that occurred.

func (*GSS) Close ¶

func (c *GSS) Close() error

Close deletes any active contexts and unloads any underlying libraries as necessary. It returns any error that occurred.

func (*GSS) DeleteContext ¶

func (c *GSS) DeleteContext(keyname *string) error

DeleteContext deletes the active security context associated with the given TKEY name. It returns any error that occurred.

func (*GSS) GenerateGSS ¶

func (c *GSS) GenerateGSS(msg []byte, algorithm, name, secret string) ([]byte, error)

GenerateGSS generates the TSIG MAC based on the established context. It is intended to be called as an algorithm-specific callback. It is called with the bytes of the DNS message, the algorithm name, the TSIG name (which is the negotiated TKEY for this context) and the secret (which is ignored). It returns the bytes for the TSIG MAC and any error that occurred.

func (*GSS) NegotiateContext ¶

func (c *GSS) NegotiateContext(host string) (*string, *time.Time, error)

NegotiateContext exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the current user. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*GSS) NegotiateContextWithCredentials ¶

func (c *GSS) NegotiateContextWithCredentials(host, domain, username, password string) (*string, *time.Time, error)

NegotiateContextWithCredentials exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided credentials. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*GSS) NegotiateContextWithKeytab ¶

func (c *GSS) NegotiateContextWithKeytab(host, domain, username, path string) (*string, *time.Time, error)

NegotiateContextWithKeytab exchanges RFC 2930 TKEY records with the indicated DNS server to establish a security context using the provided keytab. It returns the negotiated TKEY name, expiration time, and any error that occurred.

func (*GSS) VerifyGSS ¶

func (c *GSS) VerifyGSS(stripped []byte, t *dns.TSIG, name, secret string) error

VerifyGSS verifies the TSIG MAC based on the established context. It is intended to be called as an algorithm-specific callback. It is called with the bytes of the DNS message, the TSIG record, the TSIG name (which is the negotiated TKEY for this context) and the secret (which is ignored). It returns any error that occurred.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL