curl / Mailing Lists / curl-library / Single Mail

curl-library

Re: Does libcurl support Kerberos constrained delegation?

From: Isaac Boukris <iboukris_at_gmail.com>
Date: Mon, 9 Jul 2018 17:49:31 +0300

On Mon, Jul 9, 2018, 16:38 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote:

> Hi,
>
> Thanks for your response. I do have a follow up question. Since the
> libcurl option is GSSAPI based, how will Kerberos delegation work on
> Windows with SSPI if we need to use libcurl?
>
> Thanks
> Sachin
>
> On Mon, Jul 9, 2018 at 2:49 AM Isaac Boukris <iboukris_at_gmail.com> wrote:
>
>>
>>
>> On Mon, Jul 9, 2018, 05:30 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> I am looking at libcurl’s support on Kerberos delegation.
>>>
>>> The only thing I found is CURLOPT_GSSAPI_DELEGATION added in 7.22.0.
>>>
>>> https://curl.haxx.se/libcurl/c/CURLOPT_GSSAPI_DELEGATION.html
>>>
>>> However, there are several issues with this option:
>>>
>>> 1. Looks like this option is for the original Kerberos v5 delegation
>>> (unconstrained delegation for any services), not the Microsoft Kerberos
>>> protocol extension for constrained delegation.
>>> 2. It’s using GSSAPI. So does it work natively on Windows with SSPI?
>>>
>>>
>>>
>>> The preferred way to do Kerberos delegation is to do protocol transition
>>> (S4U2Self) and Constrained delegation (S4U2Proxy).
>>>
>>> https://msdn.microsoft.com/en-us/library/cc246071.aspx
>>>
>>> https://k5wiki.kerberos.org/wiki/Projects/Services4User
>>>
>>>
>>>
>>> Is this supported in libcurl?
>>>
>>> If not, is there any plan to support it?
>>>
>>
>>
>> It doesn't have much to do with libcurl, if the contains the delegated
>> credentials (e.g. acquired via gss_acquire_cred_impersonate_name) they will
>> be used by the gssapi library when invoked by libcurl.
>>
>

I don't know about delegation in sspi, it might be possible to achieve
something similar depending on the API.

>

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
Received on 2018-07-09