This is a fork of gokrb5
gokrb5 may work with other versions of Go but they are not formally tested. It has been reported that gokrb5 also works with the gollvm compiler but this is not formally tested.
- Pure Go - no dependency on external libraries
- No platform specific code
- Server Side
- HTTP handler wrapper implements SPNEGO Kerberos authentication
- HTTP handler wrapper decodes Microsoft AD PAC authorization data
- Client Side
- Client that can authenticate to an SPNEGO Kerberos authenticated web service
- Ability to change client's password
- General
- Kerberos libraries for custom integration
- Parsing Keytab files
- Parsing krb5.conf files
- Parsing client credentials cache files such as
/tmp/krb5cc_$(id -u $(whoami))
Implementation | Encryption ID | Checksum ID | RFC |
---|---|---|---|
des3-cbc-sha1-kd | 16 | 12 | 3961 |
aes128-cts-hmac-sha1-96 | 17 | 15 | 3962 |
aes256-cts-hmac-sha1-96 | 18 | 16 | 3962 |
aes128-cts-hmac-sha256-128 | 19 | 19 | 8009 |
aes256-cts-hmac-sha384-192 | 20 | 20 | 8009 |
rc4-hmac | 23 | -138 | 4757 |
The following is working/tested:
- Tested against MIT KDC (1.6.3 is the oldest version tested against) and Microsoft Active Directory (Windows 2008 R2)
- Tested against a KDC that supports PA-FX-FAST.
- Tested against users that have pre-authentication required using PA-ENC-TIMESTAMP.
- Microsoft PAC Authorization Data is processed and exposed in the HTTP request context. Available if Microsoft Active Directory is used as the KDC.
If you are interested in contributing to gokrb, great! Please read the contribution guidelines.
- RFC 3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols
- RFC 4120 The Kerberos Network Authentication Service (V5)
- RFC 3961 Encryption and Checksum Specifications for Kerberos 5
- RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
- RFC 4121 The Kerberos Version 5 GSS-API Mechanism
- RFC 4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism
- RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows
- RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows
- RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
- RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
- RFC 8009 AES Encryption with HMAC-SHA2 for Kerberos 5
- IANA Assigned Kerberos Numbers
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 1
- HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 2
- Microsoft PAC Validation
- Microsoft Kerberos Protocol Extensions
- Windows Data Types
- Greg Hudson from the MIT Consortium for Kerberos and Internet Trust for providing useful advice.
Issue | Worked around? | References |
---|---|---|
The Go standard library's encoding/asn1 package cannot unmarshal into slice of asn1.RawValue | Yes | golang/go#17321 |
The Go standard library's encoding/asn1 package cannot marshal into a GeneralString | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | golang/go#18832 |
The Go standard library's encoding/asn1 package cannot marshal into slice of strings and pass stringtype parameter tags to members | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | golang/go#18834 |
The Go standard library's encoding/asn1 package cannot marshal with application tags | Yes | |
The Go standard library's x/crypto/pbkdf2.Key function uses the int type for iteraction count limiting meaning the 4294967296 count specified in https://tools.ietf.org/html/rfc3962 section 4 cannot be met on 32bit systems | Yes - using https://github.com/jcmturner/gofork/tree/master/x/crypto/pbkdf2 | https://go-review.googlesource.com/c/crypto/+/85535 |