Security News
Oracle Drags Its Feet in the JavaScript Trademark Dispute
Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.
By Sarah Gooding - Feb 07, 2025
New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
github.com/gunnarbeutner/gssapi
- Version published
- Created
gssapi
The gssapi package is a Golang wrapper around RFC 2743, the Generic Security Services Application Programming Interface. (GSSAPI)
Uses
We use it to authenticate clients with our authentication server. Clients talk to a Kerberos or Active Directory Domain Controller to retrieve a Kerberos service ticket, which we verify with a keytab on our authentication server.
When a user logs into Kerberos using kinit, they get a Kerberos TGT. During
Kerberos authentication, that TGT is used to retrieve a Service Ticket from the
Domain Controller. GSSAPI lets us authenticate without having to know where or
in what form the TGT is stored. Because each operating system vendor might
move that, this package wraps your system GSSAPI implementation.
What do you use it for? Let us know!
Building
This library is go get compatible. However, it also requires header files
to build against the GSSAPI C library on your platform.
Golang needs to be able to find a gcc compiler (and one which is recent enough
to support gccgo). If the system compiler isn't gcc, then use CC in environ
to point the Golang build tools at your gcc. (LLVM's clang does not work and
Golang's diagnostics if it encounters clang are to spew a lot of
apparently-unrelated errors from trying to use it anyway).
On MacOS, the default headers are too old; you can use newer headers for building but still use the normal system libraries.
- FreeBSD:
export CC=gcc48; go install - MacOS:
brew install homebrew/dupes/heimdal --without-x11 - Ubuntu: see
apt-getintest/docker/client/Dockerfile
Testing
Tests in the main gssapi repository can be run using the built-in go test.
To run an integrated test against a live Heimdal Kerberos Domain Controller,
cd test and bring up Docker, (or
boot2docker). Then, run ./run-heimdal.sh. This will
run some go tests using three Docker images: a client, a service, and a domain
controller. The service will receive a generated keytab file, and the client
will point to the domain controller for authentication.
NOTE: to run Docker tests, your GOROOT environment variable MUST be set.
TODO
See our TODO doc on stuff you can do to help. We welcome contributions!
Verified platforms
We've tested that we can authenticate against:
- Heimdal Kerberos
- Active Directory
We suspect we can authenticate against:
- MIT Kerberos
We definitely cannot authenticate with:
- Windows clients (because Windows uses SSPI instead of GSSAPI as the library interface)
FAQs
Unknown package
Package last updated on 24 Sep 2019
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Linux Foundation Warns Open Source Developers: Compliance with Sanctions Is Not Optional
The Linux Foundation is warning open source developers that compliance with global sanctions is mandatory, highlighting legal risks and restrictions on contributions.
By Sarah Gooding - Feb 06, 2025
Security News
Maven Central Adds Sigstore Signature Validation
Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.
By Sarah Gooding - Feb 06, 2025