PyKerberos - allow more generic use of authClientGSSWrap
Hi! I'm using the pykerberos bindings that are developed as part of calendarserver to implement support for authenticating GSSAPI using FTP connections (RFC2228). However, at the moment, pykerberos appears to be making assumptions about the way Kerberos is used and forces some changes to the buffer passed into gss_wrap(). I need the attached patch to get it to work. How should I go about allowing more generic use? Would it be ok to break the existing API? Should I add a new call? Cheers, Jelmer --
Hi Jelmer, On Wed, Jun 11, 2008 at 11:14:52PM +0200, Jelmer Vernooij wrote:
> How should I go about allowing more generic use? Would it be ok to break the existing API? Should I add a new call?
I think the API can be extended without breaking it. The current call sets GSS_AUTH_P_NONE. If you want to set up real message integrity checking/encryption we can add these as parameters. We can also skip the part you ripped out by just jumping over it in case we pass in a NULL/NONE username. I'd be interested to know what kind of response buffer you pass in in that case. Cheers, -- Guido
Hi Guido, On Thursday, 12.06.2008, 09:51 +0200, Guido Günther wrote:
> On Wed, Jun 11, 2008 at 11:14:52PM +0200, Jelmer Vernooij wrote:
> > How should I go about allowing more generic use? Would it be ok to break the existing API? Should I add a new call?
> I think the API can be extended without breaking it. The current call sets GSS_AUTH_P_NONE. If you want to set up real message integrity checking/encryption we can add these as parameters. We can also skip the part you ripped out by just jumping over it in case we pass in a NULL/NONE username.
Thanks, I'll have a look at doing that.
> I'd be interested to know what kind of response buffer you pass in in that case.
I'm implementing RFC2228 (GSSAPI Authentication + Encryption for FTP). The attached script extends ftplib.FTP to support GSSAPI logins and provides a very simple command-line FTP client that supports GSSAPI logins. It needs the patch I attached earlier. Feel free to include it in pykerberos as an example; I can provide it under a different license if necessary.
Cheers, Jelmer -- Jelmer Vernooij <jelmer@samba.org> - http://samba.org/~jelmer/ Jabber: jelmer@jabber.fsfe.org
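As an added illustration (not Jelmer's attached script and not pykerberos code), the RFC 2228 control-channel framing such an ftplib.FTP extension needs: the AUTH/ADAT handshake, MIC/ENC wrapping of commands and unwrapping of 63x replies. It assumes a `gss` object with step(token), wrap(data, confidential) and unwrap(data) on raw bytes; a thin adapter around authGSSClientStep/authGSSClientWrap called without a username (as proposed in this thread) and authGSSClientUnwrap, converting to and from base64, would provide it. Class and function names are mine.

```python
import base64
import re
from ftplib import FTP, error_reply

# reply code plus optional "ADAT=<base64 token>" (assumed gss interface: see lead-in)
_ADAT_RE = re.compile(r"^(\d{3})[ -](?:ADAT=(\S+))?")

def adat_command(token):
    # RFC 2228: the client ships each GSSAPI token base64-encoded in an ADAT command
    return "ADAT " + base64.b64encode(token).decode("ascii")

def parse_adat_reply(reply):
    # 235 = security context established, 335 = server expects another ADAT;
    # either may carry ADAT=<b64> with a token for the next gss step
    m = _ADAT_RE.match(reply)
    if not m or m.group(1) not in ("235", "335"):
        raise error_reply(reply)
    return m.group(1) == "235", base64.b64decode(m.group(2)) if m.group(2) else b""

def protect_command(gss, cmd, confidential):
    # ENC = wrapped with confidentiality, MIC = integrity protection only
    blob = gss.wrap(cmd.encode("ascii"), confidential)
    return ("ENC " if confidential else "MIC ") + base64.b64encode(blob).decode("ascii")

def unprotect_reply(gss, reply):
    # the server wraps its reply and returns it as 631 (MIC) / 632 (ENC) / 633 (CONF) <b64>
    code, _, payload = reply.partition(" ")
    if code not in ("631", "632", "633"):
        raise error_reply(reply)
    return gss.unwrap(base64.b64decode(payload)).decode("ascii").rstrip("\r\n")

class GSSAPIFTP(FTP):
    def getresp(self):
        # stock ftplib treats 6xx codes as protocol errors; RFC 2228 protected replies need them
        resp = self.getmultiline()
        if resp[:1] in ("1", "2", "3", "6"):
            return resp
        raise error_reply(resp)

    def gss_login(self, gss):
        resp = self.sendcmd("AUTH GSSAPI")
        if not resp.startswith("334"):
            raise error_reply(resp)
        token = gss.step(b"")
        while True:
            done, server_token = parse_adat_reply(self.sendcmd(adat_command(token)))
            if server_token:
                token = gss.step(server_token)  # on 235 this only verifies the mutual-auth token
            if done:
                break
        self._gss = gss
        self.protected_cmd("PBSZ 0")          # must precede PROT
        return self.protected_cmd("PROT P")   # ask for a private data channel

    def protected_cmd(self, cmd, confidential=True):
        # every further control-channel command travels wrapped, and the reply comes back wrapped
        return unprotect_reply(self._gss, self.sendcmd(protect_command(self._gss, cmd, confidential)))
```

Servers differ in whether they accept an unprotected PBSZ after ADAT, so this version sends it protected; swap in the real adapter for `gss` before connecting to a Kerberos-enabled FTP server.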
Hi Jelmer, On Thu, Jun 12, 2008 at 04:01:06PM +0200, Jelmer Vernooij wrote:
> Hi Guido,
> On Thursday, 12.06.2008, 09:51 +0200, Guido Günther wrote:
> > On Wed, Jun 11, 2008 at 11:14:52PM +0200, Jelmer Vernooij wrote:
> > > How should I go about allowing more generic use? Would it be ok to break the existing API? Should I add a new call?
> > I think the API can be extended without breaking it. The current call sets GSS_AUTH_P_NONE. If you want to set up real message integrity checking/encryption we can add these as parameters. We can also skip the part you ripped out by just jumping over it in case we pass in a NULL/NONE username.
> Thanks, I'll have a look at doing that.
Looking at your code this should indeed work out. We can simply skip the code you ripped out in case user == NULL in authenticate_gss_client_wrap. I should have moved this part into a different function in the first place.
[..snip..]
> > I'd be interested to know what kind of response buffer you pass in in that case.
> I'm implementing RFC2228 (GSSAPI Authentication + Encryption for FTP). The attached script extends ftplib.FTP to support GSSAPI logins and provides a very simple command-line FTP client that supports GSSAPI logins. It needs the patch I attached earlier. Feel free to include it in pykerberos as an example; I can provide it under a different license if necessary.
This would make a great example indeed! -- Guido
Hi Guido, On Thu, Jun 12, 2008 at 05:39:57PM +0200, Guido Günther wrote:
> On Thu, Jun 12, 2008 at 04:01:06PM +0200, Jelmer Vernooij wrote:
> > Hi Guido, On Thursday, 12.06.2008, 09:51 +0200, Guido Günther wrote:
> > > On Wed, Jun 11, 2008 at 11:14:52PM +0200, Jelmer Vernooij wrote:
> > > > How should I go about allowing more generic use? Would it be ok to break the existing API? Should I add a new call?
> > > I think the API can be extended without breaking it. The current call sets GSS_AUTH_P_NONE. If you want to set up real message integrity checking/encryption we can add these as parameters. We can also skip the part you ripped out by just jumping over it in case we pass in a NULL/NONE username.
> > Thanks, I'll have a look at doing that.
> Looking at your code this should indeed work out. We can simply skip the code you ripped out in case user == NULL in authenticate_gss_client_wrap. I should have moved this part into a different function in the first place.
Makes sense; I've attached a patch that does this. Does this look ok?
[..snip..]
> > > I'd be interested to know what kind of response buffer you pass in in that case.
> > I'm implementing RFC2228 (GSSAPI Authentication + Encryption for FTP). The attached script extends ftplib.FTP to support GSSAPI logins and provides a very simple command-line FTP client that supports GSSAPI logins. It needs the patch I attached earlier. Feel free to include it in pykerberos as an example; I can provide it under a different license if necessary.
> This would make a great example indeed!
Updated version attached as well, with license changed to Apache license.
Cheers, Jelmer
Hi Jelmer, On Thu, Jun 12, 2008 at 11:04:46PM +0200, Jelmer Vernooij wrote:
> Makes sense; I've attached a patch that does this. Does this look ok?
I'd rather avoid introducing another function. Does the attached patch work for you too? This way we avoid duplicating the rest of the function by simply checking if user != NULL. Once we have a nicer API to set the encryption/integrity flags we can then simply deprecate the 3rd parameter.
[..snip..]
> > > > I'd be interested to know what kind of response buffer you pass in in that case.
> > > I'm implementing RFC2228 (GSSAPI Authentication + Encryption for FTP). The attached script extends ftplib.FTP to support GSSAPI logins and provides a very simple command-line FTP client that supports GSSAPI logins. It needs the patch I attached earlier. Feel free to include it in pykerberos as an example; I can provide it under a different license if necessary.
> > This would make a great example indeed!
> Updated version attached as well, with license changed to Apache license.
Thanks! I've attached the script to trac so hopefully somebody with SVN commit access will add it soon. Cheers, -- Guido
Hi Guido, On Friday, 13.06.2008, 09:46 +0200, Guido Günther wrote:
> Hi Jelmer, On Thu, Jun 12, 2008 at 11:04:46PM +0200, Jelmer Vernooij wrote:
> > Makes sense; I've attached a patch that does this. Does this look ok?
> I'd rather avoid introducing another function. Does the attached patch work for you too? This way we avoid duplicating the rest of the function by simply checking if user != NULL. Once we have a nicer API to set the encryption/integrity flags we can then simply deprecate the 3rd parameter.
Yep, I can confirm this patch works as well.
[..snip..]
> > > > > I'd be interested to know what kind of response buffer you pass in in that case.
> > > > I'm implementing RFC2228 (GSSAPI Authentication + Encryption for FTP). The attached script extends ftplib.FTP to support GSSAPI logins and provides a very simple command-line FTP client that supports GSSAPI logins. It needs the patch I attached earlier. Feel free to include it in pykerberos as an example; I can provide it under a different license if necessary.
> > > This would make a great example indeed!
> > Updated version attached as well, with license changed to Apache license.
> Thanks! I've attached the script to trac so hopefully somebody with SVN commit access will add it soon.
Cool, thanks.
Cheers, Jelmer -- Jelmer Vernooij <jelmer@samba.org> - http://samba.org/~jelmer/ Jabber: jelmer@jabber.fsfe.org
On Fri, Jun 13, 2008 at 04:07:48PM +0200, Jelmer Vernooij wrote:
> Yep, I can confirm this patch works as well.
Thanks for testing. I attached it to trac as #283. I think with this fixed and your testcase it would make sense to do a 1.1 release. 1.0 is missing the whole wrap/unwrap support as well as the password changing code. Cheers, -- Guido
participants (2)
- Guido Günther
- Jelmer Vernooij