* GSSAPI (i.e. Kerberos auth over TLS)
From: Stefan Monnier @ 2019-03-17 15:59 UTC (permalink / raw)
To: emacs-devel
I seem to remember someone was working on adding support for GSSAPI
authentication, but AFAICT it hasn't made it to `master` yet.
Does anyone remember who was working on this, or knows what happened?
Any hope to see it in `master` soon?
Stefan
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Elias Mårtenson @ 2019-03-17 17:09 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
That was me. I implemented support for it using the module API.
I was getting the copyright transfer done, but it got stuck in the process
somewhere and I didn't follow up. I'll check with legal at my place of work
tomorrow.
Regards,
Elias
On Mon, 18 Mar 2019, 00:00 Stefan Monnier, <monnier@iro.umontreal.ca> wrote:
> I seem to remember someone was working on adding support for GSSAPI
> authentication, but AFAICT it hasn't made it to `master` yet.
> Does anyone remember who was working on this, or knows what happened?
> Any hope to see it in `master` soon?
>
>
> Stefan
>
>
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Stefan Monnier @ 2019-03-17 17:47 UTC (permalink / raw)
To: emacs-devel
> I was getting the copyright transfer done, but it got stuck in the process
> somewhere and I didn't follow up. I'll check with legal at my place of work
> tomorrow.
Is it available somewhere for testing?
Stefan
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Elias Mårtenson @ 2019-03-19 4:08 UTC (permalink / raw)
To: Stefan Monnier; +Cc: emacs-devel
Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca> wrote:
> > I was getting the copyright transfer done, but it got stuck in the process
> > somewhere and I didn't follow up. I'll check with legal at my place of work
> > tomorrow.
>
> Is it available somewhere for testing?
>
> Stefan
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Adam Sjøgren @ 2019-07-20 0:27 UTC (permalink / raw)
To: emacs-devel
> On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca>
> wrote:
>
>>> I was getting the copyright transfer done, but it got stuck in the
>>> process somewhere and I didn't follow up. I'll check with legal at
>>> my place of work tomorrow.
>>
>> Is it available somewhere for testing?
Elias writes:
> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
This sounds very interesting - at work I often receive HTML emails
containing pictures on internal websites (such as a GitLab instance),
which need Kerberos authentication to be fetched.
Does it work with Gnus/shr/eww?
Best regards,
Adam
--
"You do not know what geometry means, do you?" Adam Sjøgren
"Of course I do, it is a type of camel." asjo@koldfront.dk
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Elias Mårtenson @ 2019-07-24 12:56 UTC (permalink / raw)
To: Adam Sjøgren; +Cc: emacs-devel
On Sat, 20 Jul 2019, 08:28 Adam Sjøgren, <asjo@koldfront.dk> wrote:
> > On Mon, 18 Mar 2019 at 01:59, Stefan Monnier <monnier@iro.umontreal.ca>
> > wrote:
> >
> >>> I was getting the copyright transfer done, but it got stuck in the
> >>> process somewhere and I didn't follow up. I'll check with legal at
> >>> my place of work tomorrow.
> >>
> >> Is it available somewhere for testing?
>
> Elias writes:
>
> > Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>
> This sounds very interesting - at work I often receive HTML emails
> containing pictures on internal websites (such as a GitLab instance),
> which need Kerberos authentication to be fetched.
>
> Does it work with Gnus/shr/eww?
>
Well, it should be easy to leverage the library to provide this. However, I
never implemented it for eww. The protocol is simple though.
Regards,
Elias
* Re: GSSAPI (i.e. Kerberos auth over TLS)
From: Adam Sjøgren @ 2021-08-05 19:26 UTC (permalink / raw)
To: emacs-devel; +Cc: Elias Mårtenson
Elias writes:
>>> Yes, the code is here: https://github.com/lokedhs/emacs-gssapi
>>
>> This sounds very interesting - at work I often receive HTML emails
>> containing pictures on internal websites (such as a GitLab instance),
>> which need Kerberos authentication to be fetched.
>>
>> Does it work with Gnus/shr/eww?
>
> Well, it should be easy to leverage the library to provide this. However, I
> never implemented it for eww. The protocol is simple though.
I had forgotten about this thread while I was looking into how to make
"Negotiate" authentication support in emacs/lisp/url/url-auth.el the past
couple of days (which is what is needed for both eww and shr). But I
found it again!
I got a very hacky version of Negotiate auth working, where the actual
GSSAPI stuff is done by a Perl-script I shell out to. Fake it till you
make it...
To show the minimal stuff I tried to make it work, here is what I
mangled together and added to url-auth.el:
(defun url-negotiate-auth-build-response (url attrs)
  "Compute authorization string for SPNEGO-based Kerberos.
base64 encoding of an InitialContextToken as defined in
RFC2743, from SPNEGO GSSAPI.
The NTLM part is not implemented."
  ;; The host name comes from the URL being fetched, so quote it before
  ;; it is interpolated into a shell command line.
  (let ((token (shell-command-to-string
                (concat "/home/asjo/bin/generate_initialcontexttoken "
                        (shell-quote-argument (url-host url))))))
    (concat "Negotiate " token)))

(defun url-negotiate-auth (url &optional prompt overwrite realm attrs)
  "Get the HTTP Negotiate response string for the specified URL.
Optional arguments PROMPT, OVERWRITE, and REALM are not relevant for the
Negotiate method.
Alist ATTRS contains additional attributes for the authentication
challenge such as nonce and opaque."
  ;; Only answer when the server actually sent a challenge.
  (if attrs
      (let* ((href (if (stringp url) (url-generic-parse-url url) url))
             (enable-recursive-minibuffers t))
        (url-negotiate-auth-build-response href attrs))))
Plus this in url.el:
(url-register-auth-scheme "negotiate" nil 9)
This hack - to my surprise - actually works!
Of course this is a partial solution, as all the GSSAPI stuff is punted
to a Perl script cobbled together by looking at LWP::Authen::Negotiate.
So what is at minimum needed is an elisp implementation of the
script, which is quite basic:
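#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64;
use GSSAPI;

# Host name of the web server, passed as the only argument.
my $host=$ARGV[0];

# Build the host-based service name HTTP@<host>.
my $target;
my $status=GSSAPI::Name->import($target, 'HTTP@' . $host, GSSAPI::OID::gss_nt_hostbased_service);
my $tname;
$status=$target->display($tname);

my $ctx = GSSAPI::Context->new();
my $imech = GSSAPI::OID::gss_mech_krb5;
my $iflags = GSS_C_REPLAY_FLAG;
# Credential delegation is requested unconditionally here; the condition
# in the trailing comment would make it opt-in.
$iflags = $iflags | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG; # if ( $ENV{LWP_AUTHEN_NEGOTIATE_DELEGATE} )
my $bindings = GSS_C_NO_CHANNEL_BINDINGS;
my $creds = GSS_C_NO_CREDENTIAL;
my $itime = 0;
my $otoken;
my $itoken=q{}; # prev WWW-Authenticate ...

# Ask the Kerberos mechanism for the initial context token.
$status = $ctx->init($creds, $target, $imech, $iflags, $itime, $bindings, $itoken, undef, $otoken, undef, undef);
# Stop instead of printing an undefined token when initiation fails.
die "gss_init_sec_context failed\n"
    unless $status->major == GSS_S_COMPLETE || $status->major == GSS_S_CONTINUE_NEEDED;
print encode_base64($otoken,"");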
And I guess your gssapi-module would be able to be used for just that?
Best regards,
Adam
--
"Instruments: SYNTH, CRUSH, FEAR, DEATH" Adam Sjøgren
asjo@koldfront.dk
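
The shell-out in the message above puts whatever the helper prints into the Authorization header. The following is an added example, not code from the original post or from url-auth.el: it runs a token helper without a shell and accepts its output only if it is base64 for an RFC 2743 InitialContextToken carrying the Kerberos or SPNEGO mechanism OID. All `my/` names and the HELPER argument are hypothetical, and host names are assumed to be plain DNS names (no IPv6 literals).

```elisp
;; Added example; every `my/' name is hypothetical, not part of url-auth.el.
(require 'subr-x)                       ; string-trim on older Emacs
(defconst my/gss-mech-oids
  `((,(unibyte-string #x2a #x86 #x48 #x86 #xf7 #x12 #x01 #x02 #x02) . krb5)
    (,(unibyte-string #x2b #x06 #x01 #x05 #x05 #x02) . spnego))
  "DER contents of mechanism OIDs 1.2.840.113554.1.2.2 and 1.3.6.1.5.5.2.")

(defun my/der-length (tok pos)
  "Read the DER length at POS in TOK; return (LENGTH . NEXT-POS)."
  (let ((b (aref tok pos)))
    (if (< b #x80) (cons b (1+ pos))
      (let ((n (logand b #x7f)) (val 0))
        (unless (<= 1 n 4) (error "Unsupported length form"))
        (dotimes (i n)
          (setq val (+ (* val 256) (aref tok (+ pos 1 i)))))
        (cons val (+ pos 1 n))))))

(defun my/gss-token-mech (b64)
  "Return `krb5' or `spnego' if B64 is an RFC 2743 initial token, else signal."
  (condition-case nil
      (let* ((tok (and (string-match-p "\\`[A-Za-z0-9+/]+=*\\'" b64)
                       (base64-decode-string b64)))
             (outer (and (= (aref tok 0) #x60) (my/der-length tok 1)))
             (pos (cdr outer)))
        (or (and outer
                 (= (+ pos (car outer)) (length tok))   ; length covers token
                 (= (aref tok pos) #x06)                ; OID tag
                 (cdr (assoc (substring tok (+ pos 2)
                                        (+ pos 2 (aref tok (1+ pos))))
                             my/gss-mech-oids)))
            (error "Rejected")))
    (error (error "Helper output is not a known GSSAPI initial token"))))

(defun my/negotiate-header (helper host)
  "Run program HELPER with HOST as its argument; return the header value."
  (unless (string-match-p "\\`[[:alnum:]][[:alnum:].-]*\\'" host)
    (error "Refusing host name %S" host))
  (with-temp-buffer
    ;; No shell is involved; (t nil) keeps stdout and discards stderr.
    (unless (eq 0 (call-process helper nil '(t nil) nil host))
      (error "Token helper failed for %s" host))
    (let ((b64 (string-trim (buffer-string))))
      (my/gss-token-mech b64)           ; signals unless it is a real token
      (concat "Negotiate " b64))))

;; Constructed sample: krb5 OID framing around two placeholder bytes.
(my/gss-token-mech
 (base64-encode-string (unibyte-string #x60 #x0d #x06 #x09 #x2a #x86 #x48 #x86
                                       #xf7 #x12 #x01 #x02 #x02 #x01 #x00) t))
```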