RE: krb4 and CURLOPT_KRBLEVEL
Date: Sat, 15 Nov 2014 23:23:05 +0000
On Sat, 15 Nov 2014, Michael Osipov wrote:
> > I have prepared a patch to remove this (see attached), however, from
> > reading the libcurl code (security.c) and associated comments it seems
> > more of a generic "Kerberos" option. Does anyone know if it is used
> > for Kerberos 5 at all?
> It isn't, this is a FTP security extension command. See
Cheers Michael - that helps quite a bit.
> > If so, then should we update the option so that it is enabled when
> > KERBEROS5 support is detected or shall I continue to remove it as
> > planned?
> At best disable.
> > If we remove it, should we tidy up the libcurl code, removing it and
> > marking CURLOPT_KRBLEVEL as deprecated?
Sounds like a plan - I'll add it to my December TODO list and in the meantime see what other feedback comes in ;-)
> > Other than removing it, the main reason I ask is... Do I need to
> > support this as part of the SASL Kerberos 5 work I am doing - either
> > in the SSPI code that I added in August, or the new GSS-API code that
> > I am currently working on?
> You don't need that for SASL because SASL use different terms for that.
> If you take another close look, you'll see that gss_seal is used and this is exactly
> the same as a SASL QOP which I told you about recently.
Reading the above RFC it did seem like there was a bit of overlap between what the PROT command is trying to do and auth-int and auth-conf from SASL's QOP values.
> So that option was/is not used with Kerberos 4 but can be used with
> Kerberos 5 too.
Would you ever want to use it with Kerberos 5 or would you only use the encryption part of Kerberos 5 rather than the authentication part here? Am I right in thinking that you could authenticate FTP with clear text, but then use a protocol protection of PRIVATE and let Kerberos 5 do that encryption for you?
> At best, we need someone who uses that stuff in the real world. In my
> opinion, stuff has been contributed and never been reviewed again. :-(
Yep. I wouldn't mind learning more about FTP and updating its authentication. For example I added Kerberos 5 support via SSPI to the TODO list, add other mechanisms if FTP supports them, and try and remove some of the "Blocking" code in the process - but at the moment, as you know, I'm busy with other things in curl at the moment.
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2014-11-16