curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Does libcurl support Kerberos constrained delegation?

From: Sachin Nikumbh <sanikumbh_at_gmail.com>
Date: Mon, 9 Jul 2018 09:33:53 -0400

Hi,

Thanks for your response. I do have a follow up question. Since the
libcurl option is GSSAPI based, how will Kerberos delegation work on
Windows with SSPI if we need to use libcurl?

Thanks
Sachin

On Mon, Jul 9, 2018 at 2:49 AM Isaac Boukris <iboukris_at_gmail.com> wrote:

>
>
> On Mon, Jul 9, 2018, 05:30 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote:
>
>> Hi,
>>
>>
>>
>> I am looking at libcurl’s support on Kerberos delegation.
>>
>> The only thing I found is CURLOPT_GSSAPI_DELEGATION added in 7.22.0.
>>
>> https://curl.haxx.se/libcurl/c/CURLOPT_GSSAPI_DELEGATION.html
>>
>> However, there are several issues with this option:
>>
>> 1. Looks like this option is for the original Kerberos v5 delegation
>> (unconstrained delegation for any services), not the Microsoft Kerberos
>> protocol extension for constrained delegation.
>> 2. It’s using GSSAPI. So does it work natively on Windows with SSPI?
>>
>>
>>
>> The preferred way to do Kerberos delegation is to do protocol transition
>> (S4U2Self) and Constrained delegation (S4U2Proxy).
>>
>> https://msdn.microsoft.com/en-us/library/cc246071.aspx
>>
>> https://k5wiki.kerberos.org/wiki/Projects/Services4User
>>
>>
>>
>> Is this supported in libcurl?
>>
>> If not, is there any plan to support it?
>>
>
>
> It doesn't have much to do with libcurl, if the contains the delegated
> credentials (e.g. acquired via gss_acquire_cred_impersonate_name) they will
> be used by the gssapi library when invoked by libcurl.
>
>
> -------------------------------------------------------------------
> Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-07-09