I believe you would want to use the GSSAPI for this. If your header
looks like:

Proxy-Authorization: Negotiate <base64 encoded data>

Then definitely you want to use that. You could use libcurl as example
code if you wanted to see what this would look like.

--Ken

Thanks Ken,I understand I need to use GSSAPI for Linux/MacOS platforms. I was wondering if I can use MIT Kerberos GSSAPI for the same. Does libcurl use MIT Kerberos gssapi ?
Yes my proxy header would look exactly like you mentioned.
Thank-you.

Yahoo Mail: Search, organise, conquer
I believe you would want to use the GSSAPI for this.  If your header
looks like:

Proxy-Authorization: Negotiate <base64 encoded data>

Then definitely you want to use that.  You could use libcurl as example
code if you wanted to see what this would look like.

--Ken

You should be able to use the MIT Kerberos GSSAPI implementation fine
for this (but I think either MIT Kerberos or Heimdal would work; on
MacOS X it might be easier to use the native GSSAPI implementation which
would be Heimdal). My understanding is that libcurl can link against
either Heimdal or MIT Kerberos, but you should probably investigate that
yourself.

--Ken

Thanks again Ken.
My application is written in Go. So I'm looking for Kerberos implementation that can be easily integrated with my application. Hence I  was considering MIT Kerberos and using C bindings to call those APIs from my Go code.
"MacOS X it might be easier to use the native GSSAPI implementation which would be Heimdal"

Here did you mean developer.apple.com/documentation/gss ? Isn't that in Swift ?
I will explore libcurl code thank-you.

Yahoo Mail: Search, organise, conquer
You should be able to use the MIT Kerberos GSSAPI implementation fine
for this (but I think either MIT Kerberos or Heimdal would work; on
MacOS X it might be easier to use the native GSSAPI implementation which
would be Heimdal).  My understanding is that libcurl can link against
either Heimdal or MIT Kerberos, but you should probably investigate that
yourself.

--Ken

I can't speak for the Swift API, but Heimdal on MacOS X also provides a
standard C API for the GSSAPI functions. I don't have much experience
with Go but if you can call C functions from within it (and I have to
believe that is possible) then doing so for Heimdal should be fine.
There might be a few differences in term of what GSSAPI extension
functions are available but from what you describe you should only need
the standard GSSAPI functions.

--Ken

Are you familiar with https://github.com/jcmturner/gokrb5? I've used it
in the past with some experiments in some Go code I was working on, I
wasn't touching GSSAPI but there's at least some GSSAPI code in there.
Might be worth checking out as it's native Go code, no cgo wrapping.

I would caution you that if you are targeting MacOS X as a platform, one
of the most important things is integration with the native credential
cache format (especially if you are assuming your credentials are being
acquired as part of the single signon process). On MacOS X the default
credential cache uses a RPC mechanism to talk to a daemon process (and
that has actually changed to a DIFFERENT RPC service in more recent
versions of MacOS X). My brief look at gokrb5 suggests that it only
supports the FILE credential cache type.

--Ken

Last time I checked that code was kept together with spit and tape, and
was far from what I would consider usable in production for general
use.
It implements the minimum set of code needed for the specific use case
and specific file credential of the person that built it, and will fall
apart as soon as you do anything funny.

There is also no guarantee it is secure.

As much as I understand the desire of new languages to have "native
code" I strongly suggest to avoid the urge in this case. Both Heimdal
and MIT Kerberos have decades of development behind them, not something
you reproduce in a "summer of coding".

HTH,
Simo.

Thank you. Yes, as suggested here, I am looking into using ether MIT or Heimdal Kerberos implementation.
Last time I checked that code was kept together with spit and tape, and
was far from what I would consider usable in production for general
use.
It implements the minimum set of code needed for the specific use case
and specific file credential of the person that built it, and will fall
apart as soon as you do anything funny.

There is also no guarantee it is secure.

As much as I understand the desire of new languages to have "native
code" I strongly suggest to avoid the urge in this case. Both Heimdal
and MIT Kerberos have decades of development behind them, not something
you reproduce in a "summer of coding".

HTH,
Simo.
--
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc









________________________________________________
Kerberos mailing list          ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

I think you're comparing apples and oranges a bit there; those two calls
you mention (which from my look at that Golang library really only end
up as one SSPI call) are only a small part of the overall authentication
flow. The code in that RFC you reference is a mostly-complete GSSAPI
application which includes a full loop and interprocess communication.

I'm going to repeat what I said last time: look at the libcurl source
code which already does this.

--Ken

You are comparing a full loop with just setting up the initial context.

The two calls you have on those two lines are indeed equivalent to:

maj = gss_acquire_cred(&min, acceptor_name, GSS_C_INDEFINITE,
desired_mechs, cred_usage, creds,
actual_mechs, NULL);

and

maj = gss_init_sec_context(min, init_cred, &init_ctx,
accept_name, mech_type, GSS_C_DELEG_FLAG,
req_lifetime, GSS_C_NO_CHANNEL_BINDINGS,
&accept_token, NULL, &init_token, NULL,
NULL);


Where all those variables are set to default values.
Of course this is missing all error handling, and, if you use defaults
it will miss many nuances.

As Ken suggested you should look at real examples, libcurl may be a
way, I can also suggest this library of mine:
ttps://github.com/gssapi/mod_auth_gssapi/blob/master/src/mod_auth_gssap
i.c