scott-xu
Collaborator

This PR adds support for gssapi-with-mic user authentication with Kerberos which is defined at https://datatracker.ietf.org/doc/html/rfc4462.

Close #780
Close #170
Close #114

@scott-xu
Collaborator Author

This PR is primarily based on tmds/Tmds.Ssh#188. Credits to @jborean93 and @tmds

🎏 Call for help!
This PR is still at an early stage. If someone can help implement ReflectedNegotiateContext or add an integration test, that would be great!

@Rob-Hague
Collaborator

Some high-level questions

  1. I am not excited by the prospect of reflection/UnsafeAccessor. Is it just for lower targets? If so, I would prefer to restrict it to targets where it is possible via public api (NET 9+ presumably).

  2. It seems like it would be easier to just have:

public class GssApiAuthenticationMethod(NegotiateAuthenticationClientOptions options)
{ }

as the public api?

  3. Have you thought about how to test it? Presumably something can be set up via the dockerfile

@scott-xu
Collaborator Author

> 1. I am not excited by the prospect of reflection/UnsafeAccessor. Is it just for lower targets? If so, I would prefer to restrict it to targets where it is possible via public api (NET 9+ presumably).

Reflection is to support .NET Framework.
UnsafeAccessor is to support .NET 8.0.

One reason to choose SSH.NET is that it supports lower targets.

> 2. It seems like it would be easier to just have:
>
> public class GssApiAuthenticationMethod(NegotiateAuthenticationClientOptions options)
> { }
>
> as the public api?

There are more options than needed if we use NegotiateAuthenticationClientOptions as public API.

> 3. Have you thought about how to test it? Presumably something can be set up via the dockerfile

That's the "call out for help" item 😄

Development

Successfully merging this pull request may close these issues.

GSSAPI/Kerberos Support GSSAPI support SSH NTLM Single sign on