curl-library
Re: krb4 and CURLOPT_KRBLEVEL
Date: Sat, 15 Nov 2014 21:46:57 +0100
On 2014-11-15 at 16:43, Steve Holme wrote:
> Dear friends,
>
> As some of you are aware krb4 support was dropped from curl and libcurl in
> 7.33.
>
> However, there have been a few references to this feature left around either
> in source code or documentation - some of which I have been cleaning out or
> marking as deprecated recently.
>
> There is one that I'm not sure what to do with!!
>
> The curl command line tool supports --krb LEVEL and in its usages sets the
> CURLOPT_KRBLEVEL option in libcurl - but only if KRB4 support has been
> detected "if(curlinfo->features & CURL_VERSION_KERBEROS4)" in
> tool_getparam.c:696.
>
> I have prepared a patch to remove this (see attached), however, from reading
> the libcurl code (security.c) and associated comments it seems more of a
> generic "Kerberos" option. Does anyone know if it is used for Kerberos 5 at
> all?
>
> If so, then should we update the option so that it is enabled when KERBEROS5
> support is detected or shall I continue to remove it as planned?
It isn't; this is an FTP security extension command. See
http://tools.ietf.org/html/rfc2228
At best disable.
> If we remove it, should we tidy up the libcurl code, removing it and marking
> CURLOPT_KRBLEVEL as deprecated?
Yes.
> Please note: From what I know this option is only currently used by the FTP
> protocol.
>
> Other than removing it, the main reason I ask is... Do I need to support
> this as part of the SASL Kerberos 5 work I am doing - either in the SSPI
> code that I added in August, or the new GSS-API code that I am currently
> working on?
You don't need that for SASL because SASL uses different terms for that.
If you take a closer look at the code in ftp.c/security.c it
contradicts itself:
The RFC from above is old and refers to Kerberos 4 only but in ftp.c
line 2707 to 2272 is an ifdef with HAVE_GSSAPI. How can this be if this
is used for Kerberos 5 only and there is the KRBLEVEL again.
Going further, you'll see if(Curl_sec_login(conn))
infof(data, "Logging in with password in cleartext!\n");
Since when is Kerberos a clear text auth with a password?
Having a look at the Curl_sec_login in security.c reveals that it
delegates to choose_mech which iterates over mechs which contains only
Curl_krb5_client_mech which is a struct with Kerberos 5 instructions.
If you take another close look, you'll see that gss_seal is used and
this is exactly the same as a SASL QOP which I told you about recently.
It requires Kerberos to sign and encrypt the entire FTP traffic,
making TLS obsolete here.
So that option was/is not used with Kerberos 4 but can be used with
Kerberos 5 too.
At best, we need someone who uses that stuff in the real world. In my
opinion, stuff has been contributed and never been reviewed again. :-(
Michael
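As an added illustration (not code from curl or from this thread), the following Python stand-in models the RFC 2228 exchange Michael describes: the client maps one of curl's --krb levels (clear, safe, confidential, private) to a PROT code, sends AUTH GSSAPI, ADAT, PBSZ and PROT, and refuses to continue if the server rejects the requested protection level instead of silently falling back to clear. The server class, its reply texts and the ADAT token are constructed for this example; the GSS-API token contents are not checked.

```python
import base64

# curl's --krb LEVEL names mapped to RFC 2228 PROT codes (C, S, E, P).
KRB_LEVELS = {"clear": "C", "safe": "S", "confidential": "E", "private": "P"}
PROT_NAMES = {v: k for k, v in KRB_LEVELS.items()}


class FtpSecServer:
    """Constructed RFC 2228-style server: accepts AUTH GSSAPI, one ADAT
    round, PBSZ and PROT, but only honours PROT levels in `supported`."""

    def __init__(self, supported=("C", "S", "P")):
        self.supported = supported
        self.authed = False
        self.prot = "C"  # RFC 2228 default: data channel in the clear

    def handle(self, line):
        cmd, _, arg = line.partition(" ")
        if cmd == "AUTH":
            return "334 Using GSSAPI" if arg == "GSSAPI" else "504 Unknown mechanism"
        if cmd == "ADAT":
            base64.b64decode(arg)  # token must be base64; content not verified here
            self.authed = True
            return "235 Security data exchange complete"
        if not self.authed:
            return "530 Authenticate first"
        if cmd == "PBSZ":
            return "200 PBSZ=0"
        if cmd == "PROT":
            if arg in self.supported:
                self.prot = arg
                return f"200 Protection level set to {arg}"
            return "536 Requested PROT level not supported by mechanism"
        return "502 Command not implemented"


def negotiate(server, level, token=b"constructed-gss-token"):
    """Drive the command sequence for --krb LEVEL and return the transcript
    and the level actually in force. Any non-2xx/3xx reply aborts, so a
    server that refuses the requested level cannot downgrade the client."""
    want = KRB_LEVELS[level]
    transcript = []
    for line in ("AUTH GSSAPI", "ADAT " + base64.b64encode(token).decode(),
                 "PBSZ 0", f"PROT {want}"):
        reply = server.handle(line)
        transcript.append((line, reply))
        if not reply.startswith(("2", "3")):
            raise RuntimeError(f"{line!r} rejected: {reply}")
    return transcript, PROT_NAMES[server.prot]
```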
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-11-15