krb5

package

v1.0.1 Latest Latest Go to latest Published: May 28, 2024 License: MIT Imports: 23 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/oiweiwei/go-msrpc

Links

Open Source Insights

README ¶

MS Kerberos Support

SHA-2 Support

Link

Windows systems do not support RFC8009 encryption types (SHA-2-based) at
all. Microsoft engineer gave a hint they are working on their support
for ~2025 but it will not be backported.

IPA KDC defaults to RFC8009 and only falls back to SHA-1-based ones
for trust to Active Directory. There are few places in MIT Kerberos KDC
where a choice of the signature or encryption type is made based on the
strongest key available for the krbtgt/... principal, which is always a
SHA-2-based one for new IPA deployments. For cross-realm operations we
have special logic to fall back to SHA-1-based ones for AD DCs. For
in-realm operations we don't and shouldn't as it would be a security
issue (downgrade of encryption algorithm to a less secure one).

Documentation ¶

Overview ¶

This package implements the KRB5 security service client as described in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-kile/190ab8de-dc42-49cf-bf1b-ea5705b7a087.

This package also contains client-side GSSAPI bindings (InitSecurityContext, Wrap, Unwrap and so on).

Index ¶

Variables
func IsValidCredential(cred any) bool
func LoadKRB5Conf(p string) (*config.Config, error)
func ParsedLibDefaults(c *config.Config) *config.Config
type APRep
type APReq
type Authentifier
type Config
- func NewConfig() *Config
type Credential
type EncAPRepPart
- func (m *EncAPRepPart) Marshal() ([]byte, error)
- func (m *EncAPRepPart) Unmarshal(b []byte) error
type Mechanism
type SecurityService

Constants ¶

This section is empty.

Variables ¶

View Source

var DefaultKRB5ConfPath = "/etc/krb5.conf"

View Source

var (
	MechanismType = gssapi.OID{1, 2, 840, 113554, 1, 2, 2}
)

Functions ¶

func IsValidCredential ¶

func IsValidCredential(cred any) bool

func LoadKRB5Conf ¶

func LoadKRB5Conf(p string) (*config.Config, error)

func ParsedLibDefaults ¶

func ParsedLibDefaults(c *config.Config) *config.Config

Types ¶

type APRep ¶

type APRep struct {
	messages.APRep
	EncAPRepPart
}

func (*APRep) DecryptEncPart ¶

func (m *APRep) DecryptEncPart(key types.EncryptionKey) error

func (*APRep) EncryptEncPart ¶

func (m *APRep) EncryptEncPart(e EncAPRepPart, key types.EncryptionKey) error

func (*APRep) Marshal ¶

func (m *APRep) Marshal() ([]byte, error)

func (*APRep) MarshalWithEncPart ¶

func (m *APRep) MarshalWithEncPart(e EncAPRepPart, key types.EncryptionKey) ([]byte, error)

func (*APRep) MarshalWithSeqNumber ¶

func (m *APRep) MarshalWithSeqNumber(seqNum int64, key types.EncryptionKey) ([]byte, error)

func (*APRep) SequenceNumber ¶

func (m *APRep) SequenceNumber() int64

func (*APRep) Unmarshal ¶

func (m *APRep) Unmarshal(b []byte) error

type APReq ¶

type APReq messages.APReq

func (*APReq) DecryptAuthenticator ¶

func (m *APReq) DecryptAuthenticator(key types.EncryptionKey) error

func (*APReq) Marshal ¶

func (m *APReq) Marshal() ([]byte, error)

func (*APReq) SequenceNumber ¶

func (m *APReq) SequenceNumber() int64

func (*APReq) Unmarshal ¶

func (m *APReq) Unmarshal(b []byte) error

type Authentifier ¶

type Authentifier struct {
	// The authentifier configuration.
	Config *Config

	// The AP Req message.
	APReq *APReq
	// The AP Rep message.
	APRep *APRep
	// The session key.
	SessionKey types.EncryptionKey
	// contains filtered or unexported fields
}

func (*Authentifier) APReply ¶

func (a *Authentifier) APReply(ctx context.Context, b []byte) ([]byte, error)

func (*Authentifier) APRequest ¶

func (a *Authentifier) APRequest(ctx context.Context) ([]byte, error)

func (*Authentifier) MakeInboundSignature ¶

func (a *Authentifier) MakeInboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) MakeOutboundSignature ¶

func (a *Authentifier) MakeOutboundSignature(ctx context.Context, forSign [][]byte) ([]byte, error)

func (*Authentifier) OutboundSignatureSize ¶

func (a *Authentifier) OutboundSignatureSize(ctx context.Context, conf bool) int

func (*Authentifier) UnwrapInboundPayload ¶

func (a *Authentifier) UnwrapInboundPayload(ctx context.Context, forSign, forSeal [][]byte, sgn []byte) (bool, error)

func (*Authentifier) WrapOutboundPayload ¶

func (a *Authentifier) WrapOutboundPayload(ctx context.Context, forSign, forSeal [][]byte) ([]byte, error)

type Config ¶

type Config struct {
	// IsServer.
	IsServer bool
	// The client credential.
	Credential Credential
	// The kerberos config file.
	KRB5Config *config.Config
	// The kerberos config file path.
	KRB5ConfigPath string
	// The credentials cache file path.
	CCachePath string
	// The GSSAPI flags.
	Flags []int
	// The Kerberos Options.
	APOptions []int

	// common.
	DCEStyle bool

	// KeytabPrincipal used to override the principal name
	// used to find the key in the keytab.
	KeytabPrincipal string
	// SName used provide a specific service name to the
	// service settings.
	SName string
	// RequireHostAddr indicates if the service should require
	// the host address to be included in the ticket.
	RequireHostAddr bool
	// DisablePACDecoding used to configure service side to
	// enable/disable PAC decoding if the PAC is present.
	// Defaults to enabled if not specified.
	DisablePACDecoding bool
	// ClientAddress used to configure service side with the
	// clients host address to be used during validation.
	ClientAddress *types.HostAddress
	// MaxClockSkew returns the maximum acceptable clock skew
	// between the service and the issue time of kerberos tickets.
	// If none is defined a duration of 5 minutes is returned.
	MaxClockSkew time.Duration

	// DisablePAFXFAST used to configure the client to not use
	// PA_FX_FAST.
	DisablePAFXFAST bool
	// AssumePreAuthentication used to configure the client to
	// assume pre-authentication is required.
	AssumePreAuthentication bool
}

The Kerberos Version 5 Configuration.

func NewConfig ¶

func NewConfig() *Config

NewConfig function returns the default configuration. (or configuration under KRB5_CONFIG environment variable).

func (*Config) ClientSettings ¶

func (c *Config) ClientSettings() []func(*client.Settings)

ClientSettings function returns the set of options for the kerberos client.

func (*Config) ServiceSettings ¶

func (c *Config) ServiceSettings() []func(*service.Settings)

ServiceSettings function returns the set of options for the service settings.

func (Config) Type ¶

func (Config) Type() gssapi.OID

type Credential ¶

type Credential = credential.Credential

The generic credential.

type EncAPRepPart ¶

type EncAPRepPart messages.EncAPRepPart

func (*EncAPRepPart) Marshal ¶

func (m *EncAPRepPart) Marshal() ([]byte, error)

func (*EncAPRepPart) Unmarshal ¶

func (m *EncAPRepPart) Unmarshal(b []byte) error

type Mechanism ¶

type Mechanism struct {
	*Authentifier
}

func (*Mechanism) Accept ¶

func (m *Mechanism) Accept(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context accept call.

func (Mechanism) DefaultConfig ¶

func (Mechanism) DefaultConfig(ctx context.Context) (gssapi.MechanismConfig, error)

DefaultConfig function returns the default config.

func (*Mechanism) Init ¶

func (m *Mechanism) Init(ctx context.Context, tok *gssapi.Token) (*gssapi.Token, error)

The security context init call.

func (*Mechanism) MakeSignature ¶

func (m *Mechanism) MakeSignature(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

MakeSignature token.

func (*Mechanism) MakeSignatureEx ¶

func (m *Mechanism) MakeSignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

func (Mechanism) New ¶

func (Mechanism) New(ctx context.Context) (gssapi.Mechanism, error)

New function returns the new mechanism instance from the GSSAPI configuration.

func (Mechanism) Type ¶

func (Mechanism) Type() gssapi.OID

The mechanism type object identifier.

func (*Mechanism) Unwrap ¶

func (m *Mechanism) Unwrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Unwrap token.

func (*Mechanism) UnwrapEx ¶

func (m *Mechanism) UnwrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

UnwrapEx function accepts the list of encrypted payloads and signature and returns the unencrypted paylaod.

func (*Mechanism) VerifySignature ¶

func (m *Mechanism) VerifySignature(ctx context.Context, tok *gssapi.MessageToken) error

VerifySignature token.

func (*Mechanism) VerifySignatureEx ¶

func (m *Mechanism) VerifySignatureEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) error

func (*Mechanism) Wrap ¶

func (m *Mechanism) Wrap(ctx context.Context, tok *gssapi.MessageToken) (*gssapi.MessageToken, error)

Wrap token.

func (*Mechanism) WrapEx ¶

func (m *Mechanism) WrapEx(ctx context.Context, tokEx *gssapi.MessageTokenEx) (*gssapi.MessageTokenEx, error)

WrapEx function accepts the list of unencrypted payloads and returns the encrypted payload and signature.

func (*Mechanism) WrapSizeLimit ¶

func (m *Mechanism) WrapSizeLimit(ctx context.Context, sz int, conf bool) int

The maximum message size for the given limit. (and flag determining if conf is required).

type SecurityService ¶

type SecurityService struct {
	Key                    types.EncryptionKey
	IsSubKey               bool
	OutboundSequenceNumber uint64
	InboundSequenceNumber  uint64
	OutboundCipher         crypto.Cipher
	InboundCipher          crypto.Cipher
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
crypto

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL