
Re: Golang GSSAPI spec

From Jake Scott <jake@poptart.org>
Newsgroups comp.protocols.kerberos
Subject Re: Golang GSSAPI spec
Date Fri, 24 Oct 2025 17:13:53 -0600
Organization TNet Consulting
Lines 100
Message-ID <mailman.29.1761372898.2340612.kerberos@mit.edu> (permalink)
References <CAExmWcgo0ZHmJB4or0isZtwy=an7tD+SpzQ=_ymYd6RfZBEtSA@mail.gmail.com> <CAExmWciw4N_6b_jafnbM-1x+FLhMZ8beftFP5Fnx+OFZZcRyOw@mail.gmail.com>
To kerberos@mit.edu, michael.osipov@innomotics.com
In-Reply-To <CAExmWcgo0ZHmJB4or0isZtwy=an7tD+SpzQ=_ymYd6RfZBEtSA@mail.gmail.com>
List-Id The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive <http://mailman.mit.edu/pipermail/kerberos/>



Hi Michael, thanks for your reply. Didn't receive it in email for some reason; found it on the mailing list archive.

On Thu, Oct 23, 2025 at 6:53 PM Osipov, Michael (IN IT IN) <
michael.osipov@innomotics.com> wrote:

> * Have you looked into py-gssapi? It is a very clean, yet convenient wrapper around your C GSS-API. I have been using it at low-level and high-level with pleasure without the need to resort to C.
>

I did - it's a very nice API to use that I have made use of myself, and it influenced some of the Go API design. I'm not sure of the reason for the low-level part though - certainly in Go there are idiomatic ways to do things and I don't know that exposing the GSS calls directly fits that bill. I am no Python developer though - I assumed the same would be true there, so I'm certainly interested in why someone might want to use the lower-level APIs from a high-level language like that.

> * The JGSS RFC is very dated and lacks a lot of features which have been introduced in the C API in the past decade. There is now also an ExtendedJGSSContext you might want to check.
> * You should write to the security-dev at openjdk mailing list and ask Max (Weijun Wang). He is the lead guy for the JGSS impl at Oracle. Feel free to mention my name.


Thanks, that's useful info - I didn't know about the extended context and will certainly chat to the Java guys.

> * Since you support Apple Kerberos, see https://github.com/curl/curl/issues/19109. This might be interesting for you.


That is interesting - why would you enable channel bindings by default? I will do some more macOS testing.

> * FreeBSD base Kerberos: The ancient Heimdal has been replaced with MIT Kerberos 1.22.1 in the base system for 15. You might want to check that.


Great news, and I'm about to install a FBSD 15 system to test with, thanks!

> Does it easily plug into Go's URL transport library, e.g., py-requests-gssapi to authenticate via SPNEGO?


Yes, I've already used it for that purpose. But I think it's not a bad idea to ship something that makes this simple for developers - I would guess that Negotiate is probably the primary use case. Thanks for the suggestion.

> * Python uses OpenLDAP libs with Cyrus SASL where the SASL GSSAPI mech comes for free. I have seen that you provide LDAP examples as well; how trivial is it to make this happen in the Go impl too? This might get interesting for us as well (LDAP calls to Active Directory).


So I wrote a very bare-bones SASL library for Go a number of years ago that I am not very proud of (https://github.com/golang-auth/go-sasl if you're brave enough). I intend on moving on to actually making this something I'm happy to use 'next' and talking to folks that have Go libraries that fudge SASL to integrate that instead (including the nice people at https://github.com/go-ldap/ldap).


> Java's ticket cache is pure memory which means pure crap. I need to change and fiddle with the Subject between threads in a thread pool executor while MIT Kerberos does this nicely either with a file-based or KCM-based cache. The Java approach leads to more code or a cache per-thread which is slow to populate.


That is also the approach of the old pure-Go Kerberos implementation. I did write a patch that used a file ccache in a way that was compatible with MIT but just abandoned it in favour of this project eventually.

You might be pleasantly surprised to hear that a colleague of mine is close to submitting a PR that will introduce KCM support for Java. We use KCM at my place of work with a custom KCM daemon (which I'm told we're also going to open source, just don't hold me to that).


Many thanks,

Jake
