Source File
ssh_gss.go
Belonging Package
golang.org/x/crypto/ssh
Copyright 2011 The Go Authors. All rights reserved. Use of this source code is governed by a BSD-style license that can be found in the LICENSE file.
GSSAPIClient provides the API to plug-in GSSAPI authentication for client logins.
InitSecContext initiates the establishment of a security context for GSS-API between the ssh client and ssh server. Initially the token parameter should be specified as nil. The routine may return a outputToken which should be transferred to the ssh server, where the ssh server will present it to AcceptSecContext. If no token need be sent, InitSecContext will indicate this by setting needContinue to false. To complete the context establishment, one or more reply tokens may be required from the ssh server;if so, InitSecContext will return a needContinue which is true. In this case, InitSecContext should be called again when the reply token is received from the ssh server, passing the reply token to InitSecContext via the token parameters. See RFC 2743 section 2.2.1 and RFC 4462 section 3.4.
GetMIC generates a cryptographic MIC for the SSH2 message, and places the MIC in a token for transfer to the ssh server. The contents of the MIC field are obtained by calling GSS_GetMIC() over the following, using the GSS-API context that was just established: string session identifier byte SSH_MSG_USERAUTH_REQUEST string user name string service string "gssapi-with-mic" See RFC 2743 section 2.3.1 and RFC 4462 3.5.
Whenever possible, it should be possible for DeleteSecContext() calls to be successfully processed even if other calls cannot succeed, thereby enabling context-related resources to be released. In addition to deleting established security contexts, gss_delete_sec_context must also be able to delete "half-built" security contexts resulting from an incomplete sequence of InitSecContext()/AcceptSecContext() calls. See RFC 2743 section 2.2.3.
DeleteSecContext() error
}
GSSAPIServer provides the API to plug in GSSAPI authentication for server logins.
AcceptSecContext allows a remotely initiated security context between the application and a remote peer to be established by the ssh client. The routine may return a outputToken which should be transferred to the ssh client, where the ssh client will present it to InitSecContext. If no token need be sent, AcceptSecContext will indicate this by setting the needContinue to false. To complete the context establishment, one or more reply tokens may be required from the ssh client. if so, AcceptSecContext will return a needContinue which is true, in which case it should be called again when the reply token is received from the ssh client, passing the token to AcceptSecContext via the token parameters. The srcName return value is the authenticated username. See RFC 2743 section 2.2.2 and RFC 4462 section 3.4.
VerifyMIC verifies that a cryptographic MIC, contained in the token parameter, fits the supplied message is received from the ssh client. See RFC 2743 section 2.3.2.
Whenever possible, it should be possible for DeleteSecContext() calls to be successfully processed even if other calls cannot succeed, thereby enabling context-related resources to be released. In addition to deleting established security contexts, gss_delete_sec_context must also be able to delete "half-built" security contexts resulting from an incomplete sequence of InitSecContext()/AcceptSecContext() calls. See RFC 2743 section 2.2.3.
DeleteSecContext() error
}
OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication, so we also support the krb5 mechanism only. See RFC 1964 section 1.
krb5Mesh = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
)
The GSS-API authentication method is initiated when the client sends an SSH_MSG_USERAUTH_REQUEST See RFC 4462 section 3.2.
type userAuthRequestGSSAPI struct {
N uint32
OIDS []asn1.ObjectIdentifier
}
func ( []byte) (*userAuthRequestGSSAPI, error) {
, , := parseUint32()
if ! {
return nil, errors.New("parse uint32 failed")
}
:= &userAuthRequestGSSAPI{
N: ,
OIDS: make([]asn1.ObjectIdentifier, ),
}
for := 0; < int(); ++ {
var (
[]byte
error
)
, , = parseString()
if ! {
return nil, errors.New("parse string failed")
}
if , = asn1.Unmarshal(, &.OIDS[]); != nil {
return nil,
}
}
return , nil
}
See RFC 4462 section 3.6.
func ( string, string, string, string) []byte {
:= make([]byte, 0, 0)
= appendString(, )
= append(, msgUserAuthRequest)
= appendString(, )
= appendString(, )
= appendString(, )
return
 |
The pages are generated with Golds v0.3.2-preview. (GOOS=darwin GOARCH=amd64) Golds is a Go 101 project developed by Tapir Liu. PR and bug reports are welcome and can be submitted to the issue list. Please follow @Go100and1 (reachable from the left QR code) to get the latest news of Golds. |