Documentation ¶
Overview ¶
Package service provides server side integrations for Kerberos authentication.
Index ¶
Constants ¶
const ( // CTXKeyAuthenticated is the request context key holding a boolean indicating if the request has been authenticated. CTXKeyAuthenticated ctxKey = 0 // CTXKeyCredentials is the request context key holding the credentials gopkg.in/jcmturner/goidentity.v2/Identity object. CTXKeyCredentials ctxKey = 1 // HTTPHeaderAuthRequest is the header that will hold authn/z information. HTTPHeaderAuthRequest = "Authorization" // HTTPHeaderAuthResponse is the header that will hold SPNEGO data from the server. HTTPHeaderAuthResponse = "WWW-Authenticate" // HTTPHeaderAuthResponseValueKey is the key in the auth header for SPNEGO. HTTPHeaderAuthResponseValueKey = "Negotiate" UnauthorizedMsg = "Unauthorised.\n" )
Variables ¶
This section is empty.
Functions ¶
func SPNEGOKRB5Authenticate ¶
SPNEGOKRB5Authenticate is a Kerberos SPNEGO authentication HTTP handler wrapper.
func ValidateAPREQ ¶
func ValidateAPREQ(APReq messages.APReq, sa SPNEGOAuthenticator) (bool, credentials.Credentials, error)
ValidateAPREQ validates an AP_REQ sent to the service. Returns a boolean for if the AP_REQ is valid and the client's principal name and realm.
Types ¶
type Cache ¶
type Cache struct {
// contains filtered or unexported fields
}
Cache for tickets received from clients keyed by fully qualified client name. Used to track replay of tickets.
func GetReplayCache ¶
GetReplayCache returns a pointer to the Cache singleton.
func (*Cache) AddEntry ¶
func (c *Cache) AddEntry(sname types.PrincipalName, a types.Authenticator)
AddEntry adds an entry to the Cache.
func (*Cache) ClearOldEntries ¶
ClearOldEntries clears entries from the Cache that are older than the duration provided.
func (*Cache) IsReplay ¶
func (c *Cache) IsReplay(sname types.PrincipalName, a types.Authenticator) bool
IsReplay tests if the Authenticator provided is a replay within the duration defined. If this is not a replay add the entry to the cache for tracking.
type Config ¶
type Config struct { Keytab keytab.Keytab ServicePrincipal string RequireHostAddr bool DisablePACDecoding bool }
Config for service side implementation
Keytab (mandatory) - keytab for the service user ¶
KeytabPrincipal (optional) - keytab principal override for the service. The service looks for this principal in the keytab to use to decrypt tickets. If "" is passed as KeytabPrincipal then the principal will be automatically derived from the service name (SName) and realm in the ticket the service is trying to decrypt. This is often sufficient if you create the SPN in MIT KDC with: /usr/sbin/kadmin.local -q "add_principal HTTP/<fqdn>" When Active Directory is used for the KDC this may need to be the account name you have set the SPN against (setspn.exe -a "HTTP/<fqdn>" <account name>) If you are unsure run:
klist -k <service's keytab file>
and use the value from the Principal column for the keytab entry the service should use.
RequireHostAddr - require that the kerberos ticket must include client host IP addresses and one must match the client making the request. This is controled in the client config with the noaddresses option (http://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_files/krb5_conf.html).
DisablePACDecoding - if set to true decoding of the Microsoft PAC will be disabled.
func (*Config) Authenticate ¶
type KRB5BasicAuthenticator ¶
type KRB5BasicAuthenticator struct { SPN string BasicHeaderValue string ServiceConfig Config ClientConfig *config.Config // contains filtered or unexported fields }
KRB5BasicAuthenticator implements gopkg.in/jcmturner/goidentity.v3.Authenticator interface. It takes username and password so can be used for basic authentication.
func (KRB5BasicAuthenticator) Authenticate ¶
func (a KRB5BasicAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)
Authenticate and return the identity. The boolean indicates if the authentication was successful.
func (KRB5BasicAuthenticator) Mechanism ¶
func (a KRB5BasicAuthenticator) Mechanism() string
Mechanism returns the authentication mechanism.
type SPNEGOAuthenticator ¶
SPNEGOAuthenticator implements gopkg.in/jcmturner/goidentity.v3.Authenticator interface
func NewSPNEGOAuthenticator ¶
func NewSPNEGOAuthenticator(kt keytab.Keytab) (a SPNEGOAuthenticator)
func (SPNEGOAuthenticator) Authenticate ¶
func (a SPNEGOAuthenticator) Authenticate() (i goidentity.Identity, ok bool, err error)
Authenticate and retrieve a goidentity.Identity. In this case it is a pointer to a credentials.Credentials
func (SPNEGOAuthenticator) Mechanism ¶
func (a SPNEGOAuthenticator) Mechanism() string
Mechanism returns the authentication mechanism.