curl-library

RE: Option to specify Kerberos credential-cache when used via GSSAPI

From: Steve Holme <steve_holme_at_hotmail.com>
Date: Wed, 23 Mar 2016 19:30:23 +0000

On Wed, 23 Mar 2016, Isaac Boukris wrote:

> When libcurl is used in server-side application which runs transfers
> on behalf of different users, it would be useful to be able to specify
> different Kerberos credential-cache for each transfer.

Okay. Although I wrote the SASL Kerberos integration for curl, there are still parts of the GSS-API that I'm not totally familiar with, and I'm still relatively new to Linux :( but I would be interested to know your thoughts and proposals for doing this.

It has been on my TODO list for a while but I would like to see specific user support as well (for -u user) like SSPI can do - is that something that the credentials-cache can help with or are the two totally separate?

> I'd like to suggest adding a new option to libcurl - CURLOPT_KRB_CCACHE.
> The string parameter passed will be used when authenticating with
> Kerberos via GSSAPI to indicate the credential cache to use (file or
> other types, see
> http://web.mit.edu/kerberos/krb5-1.14/doc/basic/ccache_def.html).
>
> I've started to implement this via MIT's credential-store extension
> (gss_acquire_cred_from), see:
> https://github.com/curl/curl/pull/723
>
> (it is currently failing travis due to missing doc - symbols-in-versions)

Yes, the new option needs to be added to libcurl/symbols-in-versions.

> Initially, I wanted to expose the credential-store API directly so it
> could be used not only for credential-cache but for other options
> (like client_keytab or for other GSSAPI mechanisms).
> But it complicates the usage as the app would have to provide a list
> of key-value pairs instead of a simple credential-cache string (which
> I think is the most needed).
> However I'm open for ideas.

I would recommend specific options for specific roles rather than trying to introduce a generic key-value pair mechanism, which might be complicated to use from one or both of curl and libcurl.

Additionally, would this proposed functionality:

* Include HTTP SPNEGO (Negotiate) via GSS-API as well, or just Kerberos 5?
* Be for krb5.c, as used in FTP?
* Be for the SASL Kerberos 5 implementation, currently curl_sasl_gsspi.c (although shortly about to change)?
* Include Kerberos 5 SOCKS5 proxy authentication, in socks_gssapi.c?

I look forward to seeing your work here.

Kind Regards

Steve

-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2016-03-23