
gssapi's Introduction

gssapi


The gssapi package is a Go wrapper around RFC 2743, the Generic Security Services Application Programming Interface (GSSAPI). It binds, via cgo, to the GSSAPI C library already installed on your system (the C bindings are specified in RFC 2744) rather than reimplementing Kerberos in Go.

Uses

We use it to authenticate clients to our authentication server. Clients talk to a Kerberos KDC or an Active Directory Domain Controller to obtain a Kerberos service ticket for that server, and the server verifies the ticket with its keytab.

When a user logs into Kerberos with kinit, they get a Kerberos ticket-granting ticket (TGT). During authentication, the TGT is used to obtain a service ticket for our server from the KDC (the Domain Controller, in Active Directory terms). GSSAPI lets us do this without knowing where or in what form the TGT is stored: each operating system vendor keeps its credential cache somewhere different, so this package wraps the system's GSSAPI implementation instead of reading the cache itself.
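The exchange described above ends with the client presenting a GSS-API initial context token, which the server hands to the system library's gss_accept_sec_context. Before doing that, a server can cheaply check the RFC 2743 section 3.1 framing: the token must be a DER [APPLICATION 0] value (tag 0x60) whose content begins with the mechanism OID, followed by the mechanism's own inner token; for Kerberos, RFC 4121 puts a two-byte TOK_ID first. The code below is an added example in Go, not code from the gssapi package, built on the standard library's encoding/asn1 (which already enforces minimal DER lengths); the sample token is constructed for illustration and contains no real ticket.

```go
package main

import (
	"encoding/asn1"
	"fmt"
)

// Kerberos 5 mechanism OID from RFC 1964 / RFC 4121 (an RFC value, not a
// constant taken from the gssapi package described on this page).
var OIDKerberos5 = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}

// ParseInitialContextToken validates the RFC 2743 section 3.1 framing of the
// first token a client sends: the [APPLICATION 0] constructed tag (0x60), a
// minimal DER length covering exactly the rest of the token, and the mechanism
// OID. It returns the mechanism and the mechanism-specific inner token, which
// is what the system GSSAPI library actually interprets.
func ParseInitialContextToken(tok []byte) (mech asn1.ObjectIdentifier, inner []byte, err error) {
	var outer asn1.RawValue
	rest, err := asn1.Unmarshal(tok, &outer) // rejects truncated or non-minimal DER
	if err != nil {
		return nil, nil, fmt.Errorf("bad InitialContextToken framing: %w", err)
	}
	if len(rest) != 0 {
		return nil, nil, fmt.Errorf("%d trailing bytes after InitialContextToken", len(rest))
	}
	if outer.Class != asn1.ClassApplication || outer.Tag != 0 || !outer.IsCompound {
		return nil, nil, fmt.Errorf("expected [APPLICATION 0] tag 0x60, got class %d tag %d", outer.Class, outer.Tag)
	}
	inner, err = asn1.Unmarshal(outer.Bytes, &mech) // thisMech comes first
	if err != nil {
		return nil, nil, fmt.Errorf("bad mechanism OID: %w", err)
	}
	return mech, inner, nil
}

// Krb5TokID returns the RFC 4121 section 4.1 TOK_ID that opens a Kerberos 5
// inner token: 0x0100 KRB_AP_REQ, 0x0200 KRB_AP_REP, 0x0300 KRB_ERROR.
func Krb5TokID(mech asn1.ObjectIdentifier, inner []byte) (uint16, error) {
	if !mech.Equal(OIDKerberos5) {
		return 0, fmt.Errorf("mechanism %s is not Kerberos 5", mech)
	}
	if len(inner) < 2 {
		return 0, fmt.Errorf("inner token too short for TOK_ID")
	}
	return uint16(inner[0])<<8 | uint16(inner[1]), nil
}

// SampleKrb5Token is a constructed token, not a real ticket: 0x60 framing, the
// Kerberos 5 OID, TOK_ID 01 00 and a placeholder where the AP-REQ would follow.
func SampleKrb5Token() []byte {
	body := []byte{0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02, 0x01, 0x00}
	body = append(body, "<AP-REQ DER would go here>"...)
	return append([]byte{0x60, byte(len(body))}, body...)
}

func main() {
	mech, inner, err := ParseInitialContextToken(SampleKrb5Token())
	if err != nil {
		panic(err)
	}
	id, err := Krb5TokID(mech, inner)
	if err != nil {
		panic(err)
	}
	fmt.Printf("mech=%s tok_id=0x%04x inner=%d bytes\n", mech, id, len(inner))
}
```

Rejecting a malformed token or an unexpected mechanism here keeps it out of the C library entirely and gives a readable error instead of a GSS major-status code. It is not a substitute for the library's own processing of the AP-REQ, which is where the keytab is used; a token that passes these checks still has to be accepted by gss_accept_sec_context.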

What do you use it for? Let us know!

Building

This library is go get compatible. However, because it uses cgo, it also requires the header files for the GSSAPI C library on your platform in order to build.

Go needs to be able to find a gcc compiler, and one recent enough to support gccgo. If the system compiler isn't gcc, set CC in the environment to point the Go build tools at your gcc. LLVM's clang does not work with this package; if Go encounters clang it tries to use it anyway and spews a lot of apparently unrelated errors.

On MacOS, the default headers are too old; you can build against newer headers while still linking the normal system libraries.

  • FreeBSD: export CC=gcc48; go install
  • MacOS: brew install homebrew/dupes/heimdal --without-x11
  • Ubuntu: see apt-get in test/docker/client/Dockerfile

Testing

Tests in the main gssapi repository can be run using the built-in go test.

To run an integrated test against a live Heimdal Kerberos Domain Controller, cd test and bring up Docker (or boot2docker), then run ./run-heimdal.sh. This runs some Go tests using three Docker images: a client, a service, and a domain controller. The service receives a generated keytab file, and the client is pointed at the domain controller for authentication.

NOTE: to run Docker tests, your GOROOT environment variable MUST be set.

TODO

See our TODO doc on stuff you can do to help. We welcome contributions!

Verified platforms

We've tested that we can authenticate against:

  • Heimdal Kerberos
  • Active Directory

We suspect we can authenticate against:

  • MIT Kerberos

We definitely cannot authenticate with:

  • Windows clients (because Windows uses SSPI instead of GSSAPI as the library interface)

gssapi's People

Contributors

alekstkach, alextoombs, kgraney, levb, liggitt


gssapi's Issues

fatal error: unexpected signal during runtime execution

Hi!

At GitLab, we have a project called GitLab Shell that handles incoming git-based SSH requests for GitLab instances. The project is written in Go and we use this module 🙂 A community contributor added support for the gssapi-with-mic auth method (which was so cool to see) but we're seeing a panic inside the gssapi logic. https://gitlab.com/gitlab-org/gitlab/-/issues/429161 is the Issue tracking the problem and contains the following trace:

corrupted size vs. prev_size in fastbins
fatal error: unexpected signal during runtime execution
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0x7f639371e96f]

runtime stack:
runtime.throw({0xeae4c5?, 0xfffffffffffffff0?})
	/usr/local/go/src/runtime/panic.go:1047 +0x5d fp=0x7f6392ddfd40 sp=0x7f6392ddfd10 pc=0x43d2fd
runtime.sigpanic()
	/usr/local/go/src/runtime/signal_unix.go:825 +0x3e9 fp=0x7f6392ddfda0 sp=0x7f6392ddfd40 pc=0x454789

goroutine 887243 [syscall, locked to thread]:
runtime.cgocall(0xc39270, 0xc0007e4d38)
	/usr/local/go/src/runtime/cgocall.go:157 +0x5c fp=0xc0007e4d10 sp=0xc0007e4cd8 pc=0x40865c
github.com/openshift/gssapi._Cfunc_wrap_gss_delete_sec_context(0x7f63936ff130, 0xc0001242d8, 0xc0007260c8, 0x0)
	_cgo_gotypes.go:538 +0x4c fp=0xc0007e4d38 sp=0xc0007e4d10 pc=0xab41ac
github.com/openshift/gssapi.(*CtxId).DeleteSecContext.func1(0xc0007260c0, 0xc0007e4db8?)
	/root/go/pkg/mod/github.com/openshift/[email protected]/context.go:320 +0x98 fp=0xc0007e4d88 sp=0xc0007e4d38 pc=0xab80b8
github.com/openshift/gssapi.(*CtxId).DeleteSecContext(0xc0007260c0)
	/root/go/pkg/mod/github.com/openshift/[email protected]/context.go:320 +0x7f fp=0xc0007e4de0 sp=0xc0007e4d88 pc=0xab7f1f
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*OSGSSAPIServer).DeleteSecContext(0xc0005ee480)
	/source/internal/sshd/gssapi.go:139 +0x2a fp=0xc0007e4df8 sp=0xc0007e4de0 pc=0xaef14a
golang.org/x/crypto/ssh.gssExchangeToken.func1()
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:327 +0x2b fp=0xc0007e4e10 sp=0xc0007e4df8 pc=0xaa770b
golang.org/x/crypto/ssh.gssExchangeToken(0xc0002aa060, {0xc000386005, 0x1c4b, 0x1c4b}, 0xc00011c700, {0xc00028c7e0, 0x20, 0xc0007e5010?}, {{0xc0001241b0, 0x3}, ...})
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:370 +0x662 fp=0xc0007e4f70 sp=0xc0007e4e10 pc=0xaa7442
golang.org/x/crypto/ssh.(*connection).serverAuthenticate(0xc00011c700, 0xc0006164e0)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:645 +0x178b fp=0xc0007e5350 sp=0xc0007e4f70 pc=0xaa93cb
golang.org/x/crypto/ssh.(*connection).serverHandshake(0xc00011c700, 0xc0006164e0)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:286 +0x53e fp=0xc0007e5420 sp=0xc0007e5350 pc=0xaa68fe
golang.org/x/crypto/ssh.NewServerConn({0xfc57b8, 0xc000120008}, 0xc000616340)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:214 +0x1d4 fp=0xc0007e54b8 sp=0xc0007e5420 pc=0xaa6154
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*connection).initServerConn(0xc000450940, {0xfc09f0, 0xc00092a230}, 0x70?)
	/source/internal/sshd/connection.go:79 +0x154 fp=0xc0007e5858 sp=0xc0007e54b8 pc=0xaec874
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*connection).handle(0xc000450940, {0xfc09f0?, 0xc00092a230}, 0xb?, 0x407cef?)
	/source/internal/sshd/connection.go:56 +0x14c fp=0xc0007e5ba8 sp=0xc0007e5858 pc=0xaec32c
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).handleConn(0xc000136280, {0xfc09f0, 0xc0001362d0}, {0xfc57b8?, 0xc000120008})
	/source/internal/sshd/sshd.go:199 +0x445 fp=0xc0007e5fa8 sp=0xc0007e5ba8 pc=0xaf4785
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).serve.func1()
	/source/internal/sshd/sshd.go:135 +0x36 fp=0xc0007e5fe0 sp=0xc0007e5fa8 pc=0xaf4016
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0007e5fe8 sp=0xc0007e5fe0 pc=0x4747a1
created by gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).serve
	/source/internal/sshd/sshd.go:135 +0x135

The trace above was captured from v14.28.0 of GitLab Shell but was subsequently patched in v14.30.0. v14.13.0 aimed to fix the issue, as it was thought to be a race condition, but it still causes a panic in the same area of the code, with a different error message:

free(): invalid pointer
SIGABRT: abort
PC=0x7f9f21b90ce1 m=11 sigcode=18446744073709551610
signal arrived during cgo execution

goroutine 138874 [syscall, locked to thread]:
runtime.cgocall(0xc2ca90, 0xc0002dac78)
	/usr/local/go/src/runtime/cgocall.go:157 +0x5c fp=0xc0002dac50 sp=0xc0002dac18 pc=0x40865c
github.com/openshift/gssapi._Cfunc_wrap_gss_delete_sec_context(0x7f9ef840d130, 0xc0009eb5c8, 0xc00072f098, 0x0)
	_cgo_gotypes.go:538 +0x4c fp=0xc0002dac78 sp=0xc0002dac50 pc=0xab990c
github.com/openshift/gssapi.(*CtxId).DeleteSecContext.func1(0xc00072f090, 0x110?)
	/root/go/pkg/mod/github.com/openshift/[email protected]/context.go:320 +0x98 fp=0xc0002dacc8 sp=0xc0002dac78 pc=0xabd818
github.com/openshift/gssapi.(*CtxId).DeleteSecContext(0xc00072f090)
	/root/go/pkg/mod/github.com/openshift/[email protected]/context.go:320 +0x7f fp=0xc0002dad20 sp=0xc0002dacc8 pc=0xabd67f
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*OSGSSAPIServer).DeleteSecContext(0xc000771c80)
	/source/internal/sshd/gssapi.go:150 +0x8a fp=0xc0002dad70 sp=0xc0002dad20 pc=0xaf4cca
golang.org/x/crypto/ssh.gssExchangeToken.func1()
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:327 +0x2b fp=0xc0002dad88 sp=0xc0002dad70 pc=0xaac84b
golang.org/x/crypto/ssh.gssExchangeToken(0xc00083ef48, {0xc0008afb05, 0x1a97, 0x1a97}, 0xc0005a0900, {0xc0002a0b20, 0x20, 0x48b147?}, {{0xc0009eb4b0, 0x3}, ...})
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:370 +0x662 fp=0xc0002daee8 sp=0xc0002dad88 pc=0xaac582
golang.org/x/crypto/ssh.(*connection).serverAuthenticate(0xc0005a0900, 0xc000452b60)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:654 +0x178b fp=0xc0002db350 sp=0xc0002daee8 pc=0xaae50b
golang.org/x/crypto/ssh.(*connection).serverHandshake(0xc0005a0900, 0xc000452b60)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:286 +0x53e fp=0xc0002db420 sp=0xc0002db350 pc=0xaaba3e
golang.org/x/crypto/ssh.NewServerConn({0xfb6f38, 0xc00065a008}, 0xc000452a90)
	/root/go/pkg/mod/golang.org/x/[email protected]/ssh/server.go:214 +0x1d4 fp=0xc0002db4b8 sp=0xc0002db420 pc=0xaab294
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*connection).initServerConn(0xc000771c40, {0xfb20f0, 0xc000cd1a40}, 0x70?)
	/source/internal/sshd/connection.go:79 +0x154 fp=0xc0002db858 sp=0xc0002db4b8 pc=0xaf20d4
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*connection).handle(0xc000771c40, {0xfb20f0?, 0xc000cd1a40}, 0xb?, 0xcc0f60?)
	/source/internal/sshd/connection.go:56 +0x14c fp=0xc0002dbba8 sp=0xc0002db858 pc=0xaf1b8c
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).handleConn(0xc0000aa280, {0xfb20f0, 0xc0000aa320}, {0xfb6f38?, 0xc00065a008})
	/source/internal/sshd/sshd.go:199 +0x445 fp=0xc0002dbfa8 sp=0xc0002dbba8 pc=0xafa4e5
gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).serve.func1()
	/source/internal/sshd/sshd.go:135 +0x36 fp=0xc0002dbfe0 sp=0xc0002dbfa8 pc=0xaf9d76
runtime.goexit()
	/usr/local/go/src/runtime/asm_amd64.s:1598 +0x1 fp=0xc0002dbfe8 sp=0xc0002dbfe0 pc=0x4747a1
created by gitlab.com/gitlab-org/gitlab-shell/v14/internal/sshd.(*Server).serve
	/source/internal/sshd/sshd.go:135 +0x135

While we continue to investigate the GitLab Shell code, I thought it prudent to create an Issue here on the off chance there might be something that needs updating here in this repository.

https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/682 (along with https://gitlab.com/gitlab-org/gitlab-shell/-/merge_requests/875) contains the bulk of the changes to the codebase with https://gitlab.com/gitlab-org/gitlab-shell/-/blob/main/internal/sshd/gssapi.go containing most of the logic.

@alextoombs, as the most recent and prolific contributor to this project, may I please have your input here when you have time, thank you very much 🙇
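The two allocator messages in the traces above, "corrupted size vs. prev_size in fastbins" and "free(): invalid pointer", are printed by glibc's malloc, not by the Go runtime: they mean the C heap has been corrupted, and the classic ways a cgo wrapper does that are freeing the same C handle twice or touching a handle after it was freed. The frames show the deferred cleanup in x/crypto/ssh's gssExchangeToken (func1 at server.go:327) calling GitLab Shell's OSGSSAPIServer.DeleteSecContext, which calls the wrapper's (*CtxId).DeleteSecContext and then wrap_gss_delete_sec_context in C. Whether a repeated delete is the cause in GitLab Shell is not settled by the trace. The example below is added here, and is not code from openshift/gssapi or GitLab Shell: it shows the guard a Go wrapper around a C context handle wants so that every cleanup path can call Delete safely. The C library is replaced by a small stand-in (fakeGSS, a name chosen for this example) that counts double frees instead of corrupting memory.

```go
package main

import (
	"errors"
	"sync"
)

// fakeGSS stands in for the C GSS-API library. The real gss_delete_sec_context
// frees the context on the C heap, so deleting a handle twice is a double free
// that glibc reports as heap corruption, not as a Go panic. This counts instead.
type fakeGSS struct {
	mu          sync.Mutex
	live        map[uintptr]bool
	next        uintptr
	DoubleFrees int
}

func newFakeGSS() *fakeGSS { return &fakeGSS{live: map[uintptr]bool{}, next: 0x1000} }

// acceptSecContext hands out a fresh opaque context handle, as the C library does.
func (g *fakeGSS) acceptSecContext() uintptr {
	g.mu.Lock()
	defer g.mu.Unlock()
	h := g.next
	g.next += 0x10
	g.live[h] = true
	return h
}

func (g *fakeGSS) deleteSecContext(h uintptr) error {
	g.mu.Lock()
	defer g.mu.Unlock()
	if !g.live[h] {
		g.DoubleFrees++
		return errors.New("gss_delete_sec_context on a freed or unknown handle")
	}
	delete(g.live, h)
	return nil
}

// naiveContext forwards every Delete straight to the library, so when both the
// acceptor's error handling and the transport's deferred cleanup call it, the
// second call is a double free.
type naiveContext struct {
	lib *fakeGSS
	h   uintptr
}

func (c *naiveContext) Delete() error { return c.lib.deleteSecContext(c.h) }

// guardedContext owns exactly one handle and releases it at most once, under a
// lock, so repeated or concurrent Delete calls are safe.
type guardedContext struct {
	lib  *fakeGSS
	mu   sync.Mutex
	h    uintptr
	done bool
}

func (c *guardedContext) Delete() error {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.done {
		return nil // already handed back to the library; nothing left to free
	}
	c.done = true
	h := c.h
	c.h = 0 // never keep a stale handle around
	return c.lib.deleteSecContext(h)
}

// Scenario replays the cleanup paths seen in the trace (the acceptor's own
// DeleteSecContext plus the deferred call in the SSH server's token exchange)
// and a few concurrent callers, returning how many deletes hit an already-freed
// handle: 9 for the naive wrapper, 0 for the guarded one.
func Scenario(guarded bool) int {
	lib := newFakeGSS()
	h := lib.acceptSecContext()
	var ctx interface{ Delete() error } = &naiveContext{lib: lib, h: h}
	if guarded {
		ctx = &guardedContext{lib: lib, h: h}
	}
	func() {
		defer ctx.Delete() // transport-layer cleanup
		_ = ctx.Delete()   // acceptor cleaning up on its own error path
	}()
	var wg sync.WaitGroup
	for i := 0; i < 8; i++ {
		wg.Add(1)
		go func() { defer wg.Done(); _ = ctx.Delete() }()
	}
	wg.Wait()
	return lib.DoubleFrees
}
```

Scenario(false) returns 9 and Scenario(true) returns 0. With a real C library the naive wrapper's extra deletes would not return an error; they would corrupt the heap and surface later, under an unrelated frame, exactly as a SIGSEGV or SIGABRT during cgo execution. The same once-only discipline applies to any other C object the wrapper owns, such as buffers released with gss_release_buffer.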

question on repo maintenance and contributions

I have been using this library and I would like to know if the maintainers of this repo are interested in accepting contributions.

I made fixes for docker integration setup and implemented some of the TODO list items. Let me know.
