Re: krb4 and CURLOPT_KRBLEVEL
Date: Sat, 15 Nov 2014 21:46:57 +0100
Am 2014-11-15 um 16:43 schrieb Steve Holme:
> Dear friends,
> As some of you are aware krb4 support was dropped from curl and libcurl in
> However, there have been a few references to this feature left around either
> in source code or documentation - some of which I have been cleaning out or
> marking as deprecated recently.
> There is one that I'm not sure what to do with!!
> The curl command line tool supports --krb LEVEL and in its usages sets the
> CURLOPT_KRBLEVEL option in libcurl - but only if KRB4 support has been
> detected "if(curlinfo->features & CURL_VERSION_KERBEROS4)" in
> I have prepared a patch to remove this (see attached), however, from reading
> the libcurl code (security.c) and associated comments it seems more of a
> generic "Kerberos" option. Does anyone know if it is used for Kerberos 5 at
> If so, then should we update the option so that it is enabled when KERBEROS5
> support is detected or shall I continue to remove it as planned?
It isn't, this is a FTP security extension command. See
At best disable.
> If we remove it, should we tidy up the libcurl code, removing it and marking
> CURLOPT_KRBLEVEL as deprecated?
> Please note: From what I know this option is only currently used by the FTP
> Other than removing it, the main reason I ask is... Do I need to support
> this as part of the SASL Kerberos 5 work I am doing - either in the SSPI
> code that I added in August, or the new GSS-API code that I am currently
> working on?
You don't need that for SASL because SASL use different terms for that.
If you take a closer look at the code in ftp.c/security.c it
The RFC from above is old and refers to Kerberos 4 only but in ftp.c
line 2707 to 2272 is an ifdef with HAVE_GSSAPI. How can this be if this
is used for Kerberos 5 only and there is the KRBLEVEL again.
Going further, you'll see if(Curl_sec_login(conn))
infof(data, "Logging in with password in cleartext!\n");
Since when is Kerberos a clear text auth with a password?
Having a look at the Curl_sec_login in security.c reveals that it
delegates to choose_mech which iterates over mechs which contains only
Curl_krb5_client_mech which is a struct with Kerberos 5 instructions.
If you take another close look, you'll see that gss_seal is used and
this is exactly the same as a SASL QOP which I told you about recently.
It requires Kerberos to sign and encrypt the entire FTP traffic and
making TLS obsolete here.
So that option was/is not used with Kerberos 4 but can be used with
Kerberos 5 too.
At best, we need someone who uses that stuff in the real world. In my
opinion, stuff has been contributed and never been reviewed again. :-(
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2014-11-15