On 2025-10-24 02:53, Jake Scott wrote:
Hi there..

I've been working on a spec for GSSAPI on Go similar to RFC2744 and RFC2853
for C and Java.  I have a working implementation of the described interface
and a provider that wraps the MIT & Heimdal C libraries.  The idea is to
provide an idiomatic interface for Go developers that supports multiple
providers (like the C provider or a pure Go provider at some point).

I would love some feedback before launching this on the world!  It is
currently in beta, and the docs/code are at:

...
I know the C folks probably won't be keen on the more OO approach - would
be interested to know how people think this compares with the Java
interface though and whether there have been any issues to be aware of with
this approach.

Hi Jake,

this is a pleasant surprise to see this for Go as well. We've been using Go for some smaller projects at $work and it might get interesting/required, though my personal knowledge/understanding in/of Go is very limited. I have strong knowledge especially in Java (JGSS) and py-gssapi. I have a few questions/pointers for you:

* Have you looked into py-gssapi? It is a very clean, yet convenient wrapper for your C GSS-API. I have been using it at low-level and high-level with pleasure without the need to resort to C.
* The JGSS RFC is very dated and lacks a lot of features which have been introduced in the C API in the past decade. There is now also an ExtendedJGSSContext you might want to check.
* You should write to security-dev@openjdk mailing list and ask Max (Weijun Wang). He is the lead guy for JGSS impl at Oracle. Feel free to mention my name.
* You should not make the API public too soon, stuff like this takes time and will then be set in stone. Every change can break people's stuff.
* Since you support Apple Kerberos, see https://github.com/curl/curl/issues/19109. This might be interesting for you.
* FreeBSD base Kerberos: The ancient Heimdal has been replaced with MIT Kerberos 1.22.1 in the base system for 15. You might want to check that.
* Being spoiled from the Python integration I want to ask you this:
** Does it easily plug into Go's URL transport library, e.g., py-requests-gssapi to authenticate via SPNEGO?
** Python uses OpenLDAP libs with Cyrus SASL where SASL GSSAPI mech comes for free, I have seen that you provide LDAP examples as well, how trivial is it to make this happen in the Go impl too? This might get interesting for us as well (LDAP calls to Active Directory)?

Thank you!


PS: I truly like https://github.com/golang-auth/go-gssapi-c?tab=readme-ov-file#go-gssapi-c-bindings-provider you really did your homework. Kudos to your professionalism!

________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos