From: "Adam Sjøgren" <asjo@koldfront.dk>
To: emacs-devel@gnu.org
Cc: "Elias Mårtenson" <lokedhs@gmail.com>
Subject: Re: GSSAPI (i.e. Kerberos auth over TLS)
Date: Thu, 05 Aug 2021 21:26:56 +0200	[thread overview]
Message-ID: <87r1f7wv3z.fsf@tullinup.koldfront.dk> (raw)
In-Reply-To: CADtN0W+BVNyxiVBwVnhXFYAa08AOc2_foSiDEksUW=zPUUDU4A@mail.gmail.com

Elias writes:

>>> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>>
>> This sounds very interesting - at work I often receive HTML emails
>> containing pictures on internal websites (such as a GitLab instance),
>> which need Kerberos authentication to be fetched.
>>
>> Does it work with Gnus/shr/eww?
>
> Well, it should be easy to leverage the library to provide this. However, I
> never implemented it for eww. The protocol is simple though.

I had forgotten about this thread while I was looking into how to make
"Negotiate" authentication support in emacs/lisp/url/url-auth.el the past
couple of days (which is what is needed for both eww and shr). But I
found it again!

I got a very hacky version of Negotiate auth working, where the actual
GSSAPI stuff is done by a Perl-script I shell out to. Fake it till you
make it...

To show the minimal stuff I tried to make it work, here is what I
mangled together and added to url-auth.el:

    (defun url-negotiate-auth-build-response (url attrs)
      "Compute authorization string for SPNEGO-based Kerberos.

    base64 encoding of an InitialContextToken as defined in
    RFC2743, from SPNEGO GSSAPI.

    The NTLM part is not implemented"
      (let ((token (shell-command-to-string (concat "/home/asjo/bin/generate_initialcontexttoken " (url-host url)))))
          (concat
           "Negotiate "
           token)))

    (defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
      "Get the HTTP Negotiate response string for the specified URL.

    Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the
    Negotiate method.

    Alist ATTRS contains additional attributes for the authentication
    challenge such as nonce and opaque."
      (if attrs
          (let* ((href (if (stringp url) (url-generic-parse-url url) url))
                 (enable-recursive-minibuffers t))
            (url-negotiate-auth-build-response href attrs))))

Plus this in url.el:

    (url-register-auth-scheme "negotiate" nil 9)

This hack - to my surprise - actually works!

Of course this is a partial solution, as all the GSSAPI stuff is punted
to a Perl script cobbled together by looking at LWP::Authen::Negotiate.

So what is needed at minimum is an elisp implementation of the
script, which is quite basic:

    #!/usr/bin/perl

    use strict;
    use warnings;

    use MIME::Base64;
    use GSSAPI;

    # The target service principal is HTTP@<host>, i.e. the host-based
    # service name the web server's keytab must contain.
    my $host=$ARGV[0];
    my $target;
    my $status=GSSAPI::Name->import($target, 'HTTP@' . $host, GSSAPI::OID::gss_nt_hostbased_service);

    # Human-readable form of the target name; only useful for debugging.
    my $tname;
    $status=$target->display($tname);

    my $ctx = GSSAPI::Context->new();
    my $imech = GSSAPI::OID::gss_mech_krb5;

    my $iflags = GSS_C_REPLAY_FLAG;
    $iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
    my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
    my $creds = GSS_C_NO_CREDENTIAL;   # use the default credential cache (kinit ticket)
    my $itime = 0;

    # First round of the context setup: no input token yet, the output
    # token is the InitialContextToken sent in "Authorization: Negotiate".
    my $otoken;
    my $itoken=q{}; # prev WWW-Authenticate ...
    $status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings, $itoken, undef, $otoken, undef, undef);
    # With GSS_C_MUTUAL_FLAG the first call normally reports CONTINUE_NEEDED.
    die "GSSAPI init failed: $status\n"
        unless $status->major == GSS_S_COMPLETE || $status->major == GSS_S_CONTINUE_NEEDED;
    # Empty end-of-line argument: print the base64 token without a trailing newline.
    print encode_base64($otoken,"");

And I guess your gssapi-module would be able to be used for just that?


  Best regards,

    Adam

-- 
 "Instruments: SYNTH, CRUSH, FEAR, DEATH"                   Adam Sjøgren
                                                       asjo@koldfront.dk
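An added example, not code from the message above nor from the emacs-gssapi project: the same shell-out to the helper script, rewritten so the host name from the URL is passed to the helper as a separate argument via `call-process` instead of being spliced into a shell command string, with a plain-hostname check and an exit-status check on top. The helper path and the `my-` function names are assumptions for the illustration.

```elisp
;; Hardened variant of the shell-out in url-negotiate-auth-build-response.
;; The helper path is taken from the message; everything else is assumed.

(require 'url-parse)
(require 'subr-x)

(defvar my-negotiate-token-helper "/home/asjo/bin/generate_initialcontexttoken"
  "Program that prints a base64 SPNEGO InitialContextToken for HTTP@HOST.")

(defun my-negotiate-initial-token (host)
  "Return the base64 initial GSSAPI token for HOST, or nil on failure.
HOST is handed to the helper as its own argv element, never through a
shell, and is rejected unless it looks like a plain DNS name."
  (when (and (stringp host)
             (string-match-p "\\`[[:alnum:].-]+\\'" host))
    (with-temp-buffer
      ;; call-process: no shell, so metacharacters in HOST cannot
      ;; change which program runs or what it is given.
      (let ((status (call-process my-negotiate-token-helper nil t nil host)))
        (if (and (integerp status) (zerop status))
            (string-trim (buffer-string))
          (message "negotiate: helper exited with %S for %s" status host)
          nil)))))

(defun my-negotiate-auth-build-response (url _attrs)
  "Compute the Authorization header value for URL using Negotiate.
Returns nil when no token could be produced, so url-auth falls back to
other registered schemes instead of sending a broken header."
  (let ((token (my-negotiate-initial-token (url-host url))))
    (when (and token (not (string-empty-p token)))
      (concat "Negotiate " token))))

(defun my-negotiate-auth (url &optional _prompt _overwrite _realm attrs)
  "Return the Negotiate response string for URL, or nil without a challenge.
PROMPT, OVERWRITE and REALM are unused for this scheme; ATTRS is the
parsed WWW-Authenticate challenge, as in the message's url-negotiate-auth."
  (when attrs
    (let ((href (if (stringp url) (url-generic-parse-url url) url)))
      (my-negotiate-auth-build-response href attrs))))

;; Register under the same scheme name and rating used in the message,
;; but pointing url-auth at this function instead of url-negotiate-auth.
(url-register-auth-scheme "negotiate" #'my-negotiate-auth 9)
```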
