From: Adam Sjøgren
Newsgroups: gmane.emacs.devel
Subject: Re: GSSAPI (i.e. Kerberos auth over TLS)
Date: Thu, 05 Aug 2021 21:26:56 +0200
Organization: koldfront - analysis & revolution, Copenhagen, Denmark
Message-ID: <87r1f7wv3z.fsf@tullinup.koldfront.dk>
References: <87lfwta6te.fsf@tullinup.koldfront.dk>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.0.50 (gnu/linux)
Cc: Elias Mårtenson
To: emacs-devel@gnu.org
Xref: news.gmane.io gmane.emacs.devel:272112

Elias writes:

>>> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>>
>> This sounds very interesting - at work I often receive HTML emails
>> containing pictures on internal websites (such as a GitLab instance),
>> which need Kerberos authentication to be fetched.
>>
>> Does it work with Gnus/shr/eww?
>
> Well, it should be easy to leverage the library to provide this. However, I
> never implemented it for eww. The protocol is simple though.

I had forgotten about this thread while I was looking into how to make
"Negotiate" authentication support in emacs/lisp/url/url-auth.el the
past couple of days (which is what is needed for both eww and shr).
But I found it again!

I got a very hacky version of Negotiate auth working, where the actual
GSSAPI stuff is done by a Perl-script I shell out to. Fake it till you
make it...

To show the minimal stuff I tried to make it work, here is what I
mangled together and added to url-auth.el:

(defun url-negotiate-auth-build-response (url attrs)
  "Compute authorization string for SPNEGO-based Kerberos.
base64 encoding of an InitialContextToken as defined in RFC2743,
from SPNEGO GSSAPI.  The NTLM part is not implemented"
  ;; The external script prints the base64 token without a trailing
  ;; newline, so its output can be used directly.  The host name comes
  ;; from the URL, so it is quoted before being handed to the shell.
  (let ((token (shell-command-to-string
                (concat "/home/asjo/bin/generate_initialcontexttoken "
                        (shell-quote-argument (url-host url))))))
    (concat "Negotiate " token)))

(defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
  "Get the HTTP Negotiate response string for the specified URL.
Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for
the Negotiate method.  Alist ATTRS contains additional attributes for
the authentication challenge such as nonce and opaque."
  ;; ATTRS is non-nil when a WWW-Authenticate challenge is being
  ;; answered; accept either a URL string or a parsed URL struct.
  (if attrs
      (let* ((href (if (stringp url)
                       (url-generic-parse-url url)
                     url))
             (enable-recursive-minibuffers t))
        (url-negotiate-auth-build-response href attrs))))

Plus this in url.el:

(url-register-auth-scheme "negotiate" nil 9)

This hack - to my surprise - actually works!

Of course this is a partial solution, as all the GSSAPI stuff is punted
to a Perl script cobbled together by looking at LWP::Authen::Negotiate.

So what is needed at minimum is an elisp implementation of the script,
which is quite basic:

#!/usr/bin/perl
# Print a base64-encoded GSSAPI initial context token for HTTP@<host>.
use strict;
use warnings;
use MIME::Base64;
use GSSAPI;

my $host = $ARGV[0];
die "usage: $0 host\n" unless defined $host;

# Import the target as a host-based service name (HTTP/<host>).
my $target;
my $status = GSSAPI::Name->import($target, 'HTTP@' . $host,
                                  GSSAPI::OID::gss_nt_hostbased_service);
die "name import failed: " . $status->generic_message . "\n"
    unless $status;
my $tname;
$status = $target->display($tname);

my $ctx = GSSAPI::Context->new();
my $imech = GSSAPI::OID::gss_mech_krb5;
# Ask for replay detection and mutual authentication; only delegate the
# credential when explicitly requested, as LWP::Authen::Negotiate does.
my $iflags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG;
$iflags |= GSS_C_DELEG_FLAG if $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE};
my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
my $creds = GSS_C_NO_CREDENTIAL;
my $itime = 0;
my $otoken;
my $itoken = q{}; # prev WWW-Authenticate ... (empty on the first round)
$status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings,
                     $itoken, undef, $otoken, undef, undef);
die "init_sec_context failed: " . $status->generic_message . "\n"
    unless $status;
print encode_base64($otoken, "");

And I guess your gssapi-module would be able to be used for just that?

Best regards,

Adam

-- 
"Instruments: SYNTH, CRUSH, FEAR, DEATH"

Adam Sjøgren
asjo@koldfront.dk
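An example added here, not part of Adam's message or of the emacs-gssapi project: before the "Negotiate " header is assembled from whatever the external token generator printed, the caller can check that the output really is an RFC 2743 InitialContextToken ([APPLICATION 0] tag, DER length, mechanism OID) and that the mechanism is SPNEGO or Kerberos V5. The function names, the DER helper and the sample token (a constructed SPNEGO frame around placeholder inner bytes, not a real NegTokenInit) are assumptions made for this example; the OID byte values are the standard DER encodings.

```python
import base64

# DER contents of the mechanism OIDs that may lead an RFC 2743
# InitialContextToken (the bytes after the 0x06 tag and the length).
MECH_OIDS = {
    bytes.fromhex("2b0601050502"): "SPNEGO (1.3.6.1.5.5.2)",
    bytes.fromhex("2a864886f712010202"): "Kerberos V5 (1.2.840.113554.1.2.2)",
}


def _der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    if pos >= len(buf):
        raise ValueError("truncated token")
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def parse_initial_context_token(token_b64):
    """Check RFC 2743 framing: [APPLICATION 0] { mech OID, inner token }.

    Returns (mechanism name, inner token bytes); raises ValueError for
    anything that is not a well-framed InitialContextToken."""
    raw = base64.b64decode(token_b64.strip(), validate=True)
    if not raw or raw[0] != 0x60:
        raise ValueError("expected [APPLICATION 0] tag 0x60")
    total, pos = _der_len(raw, 1)
    if total == 0 or pos + total != len(raw):
        raise ValueError("outer length does not match token size")
    if raw[pos] != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER after outer tag")
    oid_len, pos = _der_len(raw, pos + 1)
    oid = raw[pos:pos + oid_len]
    mech = MECH_OIDS.get(oid)
    if mech is None:
        raise ValueError("unknown mechanism OID " + oid.hex())
    return mech, raw[pos + oid_len:]


def build_negotiate_header(token_b64):
    """Authorization header value, built only from a well-framed token."""
    parse_initial_context_token(token_b64)
    return "Negotiate " + token_b64.strip()


def _sample_token(mech_oid, inner):
    """Constructed sample (short-form lengths only); not a real token."""
    body = b"\x06" + bytes([len(mech_oid)]) + mech_oid + inner
    return base64.b64encode(b"\x60" + bytes([len(body)]) + body).decode()


# Constructed SPNEGO-framed sample; the inner bytes are a placeholder.
SAMPLE_SPNEGO_TOKEN = _sample_token(bytes.fromhex("2b0601050502"), b"\xa0\x03\x30\x01\x00")
```

The parser only validates the outer framing the url-auth docstring refers to; the inner NegTokenInit is returned unparsed for the GSSAPI library to handle.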