GSSAPI (i.e. Kerberos auth over TLS)

GSSAPI (i.e. Kerberos auth over TLS)

[Stefan Monnier]

I seem to remember someone was working on adding support for GSSAPI
authentication, but AFAICT it hasn't made it to `master` yet.
Does anyone remember who was working on this, or knows what happened?
Any hope to see it in `master` soon?


        Stefan

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Elias Mårtenson]

[-- Attachment #1: Type: text/plain, Size: 591 bytes --]

That was me. I implemented support for it using the module API.

I was getting the copyright transfer done, but it got stuck in the process
somewhere and I didn't follow up. I'll check with legal at my place of work
tomorrow.

Regards,
Elias

On Mon, 18 Mar 2019, 00:00 Stefan Monnier, <monnier@iro.umontreal.ca> wrote:

> I seem to remember someone was working on adding support for GSSAPI
> authentication, but AFAICT it hasn't made it to `master` yet.
> Does anyone remember who was working on this, or knows what happened?
> Any hope to see it in `master` soon?
>
>
>         Stefan
>
>

[-- Attachment #2: Type: text/html, Size: 1015 bytes --]

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Stefan Monnier]

> I was getting the copyright transfer done, but it got stuck in the process
> somewhere and I didn't follow up.  I'll check with legal at my place of work
> tomorrow.

Is it available somewhere for testing?


        Stefan

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Elias Mårtenson]

[-- Attachment #1: Type: text/plain, Size: 392 bytes --]

Yes, the code is here: https://github.com/lokedhs/emacs-gssapi

On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca>
wrote:

> > I was getting the copyright transfer done, but it got stuck in the
> process
> > somewhere and I didn't follow up.  I'll check with legal at my place of
> work
> > tomorrow.
>
> Is it available somewhere for testing?
>
>
>         Stefan
>
>
>

[-- Attachment #2: Type: text/html, Size: 806 bytes --]

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Adam Sjøgren]

> On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca>
> wrote:
>
>>> I was getting the copyright transfer done, but it got stuck in the
>>> process somewhere and I didn't follow up. I'll check with legal at
>>> my place of work tomorrow.
>>
>> Is it available somewhere for testing?

Elias writes:

> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi

This sounds very interesting - at work I often receive HTML emails
containing pictures on internal websites (such as a GitLab instance),
which need Kerberos authentication to be fetched.

Does it work with Gnus/shr/eww?


  Best regards,

    Adam

-- 
 "You do not know what geometry means, do you?"               Adam Sjøgren
 "Of course I do, it is a type of camel."                asjo@koldfront.dk

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Elias Mårtenson]

[-- Attachment #1: Type: text/plain, Size: 895 bytes --]

On Sat, 20 Jul 2019, 08:28 Adam Sjøgren, <asjo@koldfront.dk> wrote:

> > On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca>
> > wrote:
> >
> >>> I was getting the copyright transfer done, but it got stuck in the
> >>> process somewhere and I didn't follow up. I'll check with legal at
> >>> my place of work tomorrow.
> >>
> >> Is it available somewhere for testing?
>
> Elias writes:
>
> > Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>
> This sounds very interesting - at work I often receive HTML emails
> containing pictures on internal websites (such as a GitLab instance),
> which need Kerberos authentication to be fetched.
>
> Does it work with Gnus/shr/eww?
>

Well, it should be easy to leverage the library to provide this. However, I
never implemented it for eww. The protocol is simple though.

Regards,
Elias

>

[-- Attachment #2: Type: text/html, Size: 1716 bytes --]

Re: GSSAPI (i.e. Kerberos auth over TLS)

[Adam Sjøgren]

Elias writes:

>>> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>>
>> This sounds very interesting - at work I often receive HTML emails
>> containing pictures on internal websites (such as a GitLab instance),
>> which need Kerberos authentication to be fetched.
>>
>> Does it work with Gnus/shr/eww?
>
> Well, it should be easy to leverage the library to provide this. However, I
> never implemented it for eww. The protocol is simple though.

I had forgotten about this thread while I was looking into how to make
"Negotiate" authencation support in emacs/lisp/url/url-auth.el the past
couple of days (which is what is needed for both eww and shr). But I
found it again!

I got a very hacky version of Negotiate auth working, where the actual
GSSAPI stuff is done by a Perl-script I shell out to. Fake it till you
make it...

To show the minimal stuff I tried to make it work, here is what I
mangled together and added to url-auth.el:

    (defun url-negotiate-auth-build-response (url attrs)
      "Compute authorization string for SPNEGO-based Kerberos.

    base64 encoding of an InitialContextToken as defined in
    RFC2743, from SPNEGO GSSAPI.

    The NTLM part is not implemented"
      (let ((token (shell-command-to-string (concat "/home/asjo/bin/generate_initialcontexttoken " (url-host url)))))
          (concat
           "Negotiate "
           token)))

    (defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
      "Get the HTTP Negotiate response string for the specified URL.

    Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the
    Negotiate method.

    Alist ATTRS contains additional attributes for the authentication
    challenge such as nonce and opaque."
      (if attrs
          (let* ((href (if (stringp url) (url-generic-parse-url url) url))
                 (enable-recursive-minibuffers t))
            (url-negotiate-auth-build-response href attrs))))

Plus this in url.el:

    (url-register-auth-scheme "negotiate" nil 9)

This hack - to my surprise - actually works!

Of course this is a partial solution, as all the GSSAPI stuff is punted
to a Perl script cobbled together by looking at LWP::Authen::Negotiate.

So what is at minimum is needed is an elisp implementation of the
script, which is quite basic:

    #!/usr/bin/perl

    use strict;
    use warnings;

    use MIME::Base64;
    use GSSAPI;

    my $host=$ARGV[0];
    my $target;
    my $status=GSSAPI::Name->import($target, 'HTTP@' . $host, GSSAPI::OID::gss_nt_hostbased_service);

    my $tname;
    $status=$target->display($tname);

    my $ctx = GSSAPI::Context->new();
    my $imech = GSSAPI::OID::gss_mech_krb5;

    my $iflags = GSS_C_REPLAY_FLAG;
    $iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
    my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
    my $creds = GSS_C_NO_CREDENTIAL;
    my $itime = 0;

    my $otoken;
    my $itoken=q{}; # prev WWW-Authenticate ...
    $status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings, $itoken, undef, $otoken, undef, undef);
    print encode_base64($otoken,"");

And I guess your gssapi-module would be able to be used for just that?


  Best regards,

    Adam

-- 
 "Instruments: SYNTH, CRUSH, FEAR, DEATH"                   Adam Sjøgren
                                                       asjo@koldfront.dk