bluesky

Reputation: 31

SPNEGO/GSS-API Golang packages for Kerberos authentication on MacOS

It's my follow-on query to my post "How does a browser get Kerberos TGT and Service ticket". Thanks to user1686 for a detailed explanation on that post.

For my application on the Windows platform I used the github.com/alexbrainman/sspi package, which provides APIs to get user credentials and the necessary Kerberos tokens for authentication.

I now need to do the same on the MacOS platform but can't use alexbrainman/sspi as it is Windows-only. So far, based on my research, I think https://pkg.go.dev/gopkg.in/jcmturner/gokrb5.v8 is the package suitable for use on MacOS. But the only issue there is that every user on MacOS will have to provide a keytab file, as the gokrb5 package doesn't provide any APIs to directly get the user's credentials (correct me if I am wrong). Any suggestions for other Golang packages that I can explore for Kerberos authentication on MacOS?

Upvotes: 0

Views: 641

Answers (1)

grawity_u1686

Reputation: 16562

Most Unix systems offer the GSS API interface, which is the "standard" equivalent to Windows' SSPI. (The function names and constants are different but all of the fundamentals are the same.)

As far as I know, the Kerberos interface in macOS is Kerberos.framework, which is just a vendor fork of Heimdal Kerberos and still supports the same GSSAPI interface as you would find on Linux.

So you should be looking for a package that provides C GSSAPI bindings. At first glance, openshift/gssapi should work – it's unmaintained, but it specifically mentions macOS as compatible. Either way, GSSAPI really hasn't changed all that much since 8 years ago, so I'd still start there.

Pure Go implementations may be possible, as credentials on Unix systems are stored "in the open" – there is no real equivalent to LSASS (except for the recent gss-proxy on Linux, but I don't think macOS has an equivalent); instead the Kerberos library directly reads tickets and session keys out of the credential cache. The issue is that macOS uses a different method of accessing the cache (instead of ordinary files it uses either a Unix socket or Mach IPC), and I doubt any "pure Go" module would bother doing that.

Upvotes: 0
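As an added example (not code from the question, the answer, gokrb5 or openshift/gssapi), the functions below show what the answer's last paragraph means by a pure Go module reading the credential cache directly: a parser that pulls the default principal out of a version 4 FILE ccache, plus a check of the KRB5CCNAME cache type, because a macOS API:/KCM: cache is not a file and can only be reached through the C GSSAPI library. The ccache bytes and all function names are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"io"
	"strings"
)

// CcacheType is the "TYPE:" prefix of a KRB5CCNAME value; a bare path is a FILE cache.
func CcacheType(name string) string {
	if i := strings.IndexByte(name, ':'); i > 0 {
		return strings.ToUpper(name[:i])
	}
	return "FILE"
}

// SampleCcache is a constructed v4 cache: magic, 12-byte DeltaTime header, principal alice@EXAMPLE.COM.
var SampleCcache = []byte("\x05\x04\x00\x0c\x00\x01\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00" +
	"\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x0bEXAMPLE.COM\x00\x00\x00\x05alice")
// DefaultPrincipal parses the default principal of a v4 FILE ccache (big-endian ints, uint32 length-prefixed data).
func DefaultPrincipal(cc []byte) (string, error) {
	if len(cc) < 4 || binary.BigEndian.Uint16(cc) != 0x0504 {
		return "", fmt.Errorf("ccache: not a version 4 file cache")
	}
	r := bytes.NewReader(cc[4:])
	u32 := func() (n uint32, err error) { err = binary.Read(r, binary.BigEndian, &n); return }
	field := func() (string, error) { // length-prefixed bytes, length capped against garbage input
		n, err := u32()
		if err != nil || n > 1<<16 {
			return "", fmt.Errorf("ccache: bad field length %d (%v)", n, err)
		}
		b := make([]byte, n)
		_, err = io.ReadFull(r, b)
		return string(b), err
	}
	r.Seek(int64(binary.BigEndian.Uint16(cc[2:]))+4, io.SeekCurrent) // skip header tags and uint32 name_type
	nComp, _ := u32() // component count; a short read yields 0 and is rejected below
	realm, err := field()
	var comps []string
	for i := uint32(0); i < nComp && err == nil; i++ {
		c, e := field()
		comps, err = append(comps, c), e
	}
	if err != nil || nComp == 0 {
		return "", fmt.Errorf("ccache: truncated or empty principal (%v)", err)
	}
	return strings.Join(comps, "/") + "@" + realm, nil
}
```

Only a FILE cache can be fed to DefaultPrincipal; when CcacheType reports API or KCM, the answer's advice applies and the cache has to be accessed through C GSSAPI bindings.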
