Skip to content

Latest commit

 

History

History
37 lines (30 loc) · 1.56 KB

README.md

File metadata and controls

37 lines (30 loc) · 1.56 KB

Package gss provides bindings for a C implementation of GSS-API (specifically, MIT Kerberos 1.12 or later) using cgo. The provided API is relatively stable but still subject to change.

To download and build:

go get github.com/nalind/gss/...

In broad strokes:

  • gss_buffer_t is replaced by either []byte or string
  • OIDs and OID sets are passed around as encoding/asn1 ObjectIdentifiers and arrays of encoding/asn1 ObjectIdentifiers
  • memory management is still very much done manually

Package gss/proxy provides a client for gss-proxy. The provided API is relatively stable but still subject to change, particularly around name attributes.

  • OIDs and OID sets are passed around as encoding/asn1 ObjectIdentifiers and arrays of encoding/asn1 ObjectIdentifiers
  • The single Release RPC is replaced with two wrappers: ReleaseCred and ReleaseSecCtx.
  • The proxy doesn't currently allow use of SPNEGO "credentials", so a minimal SPNEGO implementation is added here.

In order to use the proxy, your /etc/gssproxy/gssproxy.conf will need a stanza which the proxy will use to decide which credentials your process will be able to access, and over which socket it will be able to use them:

[service/proxy-clients]
  mechs = krb5
  euid = 0
  allow_any_uid = yes
  socket = /run/gssproxy-clients.sock
  cred_store = ccache:KEYRING:persistent:%U

Likewise, your server will need a stanza of its own:

[service/http-server]
  mechs = krb5
  euid = 48
  socket = /run/gssproxy-http.sock
  cred_store = keytab:/etc/httpd/conf/httpd.keytab