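| Name | Date | Size | #Lines | LOC |
|------|------|------|--------|-----|
| .. | 31-Jan-2020 | - | | |
| asn1tools/ | 31-Jan-2020 | - | 87 | 49 |
| client/ | 31-Jan-2020 | - | 2,363 | 1,990 |
| config/ | 31-Jan-2020 | - | 1,523 | 1,293 |
| credentials/ | 31-Jan-2020 | - | 1,077 | 865 |
| crypto/ | 31-Jan-2020 | - | 2,882 | 1,985 |
| examples/ | 31-Jan-2020 | - | 482 | 390 |
| gssapi/ | 31-Jan-2020 | - | 1,078 | 762 |
| iana/ | 31-Jan-2020 | - | 564 | 473 |
| kadmin/ | 31-Jan-2020 | - | 274 | 229 |
| keytab/ | 31-Jan-2020 | - | 615 | 513 |
| krberror/ | 31-Jan-2020 | - | 92 | 70 |
| messages/ | 31-Jan-2020 | - | 3,099 | 2,642 |
| pac/ | 31-Jan-2020 | - | 1,449 | 1,173 |
| service/ | 31-Jan-2020 | - | 932 | 761 |
| spnego/ | 31-Jan-2020 | - | 1,896 | 1,554 |
| test/ | 31-Jan-2020 | - | 2,319 | 1,879 |
| types/ | 31-Jan-2020 | - | 1,405 | 976 |
| README.md | 31-Jan-2020 | 6.9 KiB | 95 | 76 |
| USAGE.md | 31-Jan-2020 | 9.4 KiB | 237 | 209 |
| go.mod | 31-Jan-2020 | 414 | 16 | 13 |
| go.sum | 31-Jan-2020 | 3.3 KiB | 38 | 37 |
| gokrb5.go | 31-Jan-2020 | 77 | 3 | 1 |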

README.md

# gokrb5

It is recommended to use the latest version: [![Version](https://img.shields.io/github/release/jcmturner/gokrb5.svg)](https://github.com/jcmturner/gokrb5/releases)

Development will be focused on the latest major version. New features will only be targeted at this version.

| Versions | Dependency Management | Import Path | Usage | Godoc | Go Report Card |
|----------|-----------------------|-------------|-------|-------|----------------|
| [![v8](https://github.com/jcmturner/gokrb5/workflows/v8/badge.svg)](https://github.com/jcmturner/gokrb5/actions?query=workflow%3Av8) | Go modules | import "github.com/jcmturner/gokrb5/v8/{sub-package}" | [![Usage](https://img.shields.io/badge/v8-usage-blue)](https://github.com/jcmturner/gokrb5/blob/master/v8/USAGE.md) | [![GoDoc](https://godoc.org/github.com/jcmturner/gokrb5/v8?status.svg)](https://godoc.org/github.com/jcmturner/gokrb5/v8) | [![Go Report Card](https://goreportcard.com/badge/github.com/jcmturner/gokrb5/v8)](https://goreportcard.com/report/github.com/jcmturner/gokrb5/v8) |
| [![v7](https://github.com/jcmturner/gokrb5/workflows/v7/badge.svg)](https://github.com/jcmturner/gokrb5/actions?query=workflow%3Av7) | gopkg.in | import "gopkg.in/jcmturner/gokrb5.v7/{sub-package}" | [![Usage](https://img.shields.io/badge/v7-usage-blue)](https://github.com/jcmturner/gokrb5/blob/master/USAGE.md) | [![GoDoc](https://godoc.org/gopkg.in/jcmturner/gokrb5.v7?status.svg)](https://godoc.org/gopkg.in/jcmturner/gokrb5.v7) | [![Go Report Card](https://goreportcard.com/badge/gopkg.in/jcmturner/gokrb5.v7)](https://goreportcard.com/report/gopkg.in/jcmturner/gokrb5.v7) |


#### Go Version Support
![Go version](https://img.shields.io/badge/Go-1.13-brightgreen.svg)
![Go version](https://img.shields.io/badge/Go-1.12-brightgreen.svg)
![Go version](https://img.shields.io/badge/Go-1.11-brightgreen.svg)

gokrb5 may work with other versions of Go but they are not tested.

## Features
* **Pure Go** - no dependency on external libraries
* No platform specific code
* Server Side
  * HTTP handler wrapper implements SPNEGO Kerberos authentication
  * HTTP handler wrapper decodes Microsoft AD PAC authorization data
* Client Side
  * Client that can authenticate to an SPNEGO Kerberos authenticated web service
  * Ability to change client's password
* General
  * Kerberos libraries for custom integration
  * Parsing Keytab files
  * Parsing krb5.conf files
  * Parsing client credentials cache files such as `/tmp/krb5cc_$(id -u $(whoami))`

#### Implemented Encryption & Checksum Types

| Implementation | Encryption ID | Checksum ID | RFC |
|-------|-------------|------------|------|
| des3-cbc-sha1-kd | 16 | 12 | 3961 |
| aes128-cts-hmac-sha1-96 | 17 | 15 | 3962 |
| aes256-cts-hmac-sha1-96 | 18 | 16 | 3962 |
| aes128-cts-hmac-sha256-128 | 19 | 19 | 8009 |
| aes256-cts-hmac-sha384-192 | 20 | 20 | 8009 |
| rc4-hmac | 23 | -138 | 4757 |


The following is working/tested:
* Tested against MIT KDC (1.6.3 is the oldest version tested against) and Microsoft Active Directory (Windows 2008 R2)
* Tested against a KDC that supports PA-FX-FAST.
* Tested against users that have pre-authentication required using PA-ENC-TIMESTAMP.
* Microsoft PAC Authorization Data is processed and exposed in the HTTP request context. Available if Microsoft Active Directory is used as the KDC.

## Contributing
If you are interested in contributing to gokrb5, great! Please read the [contribution guidelines](https://github.com/jcmturner/gokrb5/blob/master/CONTRIBUTING.md).

---

## References
* [RFC 3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols](https://tools.ietf.org/html/rfc3244)
* [RFC 4120 The Kerberos Network Authentication Service (V5)](https://tools.ietf.org/html/rfc4120)
* [RFC 3961 Encryption and Checksum Specifications for Kerberos 5](https://tools.ietf.org/html/rfc3961)
* [RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5](https://tools.ietf.org/html/rfc3962)
* [RFC 4121 The Kerberos Version 5 GSS-API Mechanism](https://tools.ietf.org/html/rfc4121)
* [RFC 4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism](https://tools.ietf.org/html/rfc4178.html)
* [RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows](https://tools.ietf.org/html/rfc4559.html)
* [RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows](https://tools.ietf.org/html/rfc4757)
* [RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals](https://tools.ietf.org/html/rfc6806.html)
* [RFC 6113 A Generalized Framework for Kerberos Pre-Authentication](https://tools.ietf.org/html/rfc6113.html)
* [RFC 8009 AES Encryption with HMAC-SHA2 for Kerberos 5](https://tools.ietf.org/html/rfc8009)
* [IANA Assigned Kerberos Numbers](http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml)
* [HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 1](https://msdn.microsoft.com/en-us/library/ms995329.aspx)
* [HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 2](https://msdn.microsoft.com/en-us/library/ms995330.aspx)
* [Microsoft PAC Validation](https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/)
* [Microsoft Kerberos Protocol Extensions](https://msdn.microsoft.com/en-us/library/cc233855.aspx)
* [Windows Data Types](https://msdn.microsoft.com/en-us/library/cc230273.aspx)

### Useful Links
* https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing

## Thanks
* Greg Hudson from the MIT Consortium for Kerberos and Internet Trust for providing useful advice.

## Contributing
Thank you for your interest in contributing to gokrb5. Please read the
[contribution guide](https://github.com/jcmturner/gokrb5/blob/master/CONTRIBUTING.md), as it should help you get started.

## Known Issues
| Issue | Worked around? | References |
|-------|-------------|------------|
| The Go standard library's encoding/asn1 package cannot unmarshal into slice of asn1.RawValue | Yes | https://github.com/golang/go/issues/17321 |
| The Go standard library's encoding/asn1 package cannot marshal into a GeneralString | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18832 |
| The Go standard library's encoding/asn1 package cannot marshal into slice of strings and pass stringtype parameter tags to members | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18834 |
| The Go standard library's encoding/asn1 package cannot marshal with application tags | Yes | |
| The Go standard library's x/crypto/pbkdf2.Key function uses the int type for the iteration count, which limits it so that the 4294967296 count specified in https://tools.ietf.org/html/rfc3962 section 4 cannot be met on 32-bit systems | Yes - using https://github.com/jcmturner/gofork/tree/master/x/crypto/pbkdf2 | https://go-review.googlesource.com/c/crypto/+/85535 |
