jcmturner / gokrb5

Pure Go Kerberos library for clients and services
Apache License 2.0

Support OSX ticket cache #412

Open eest opened 3 years ago

eest commented 3 years ago

Hello,

I was interested in being able to read a ticket cache on OSX and found issue https://github.com/jcmturner/gokrb5/issues/328 which is closed at this point. Being unable to reopen it I decided to create a new issue.

The best overview I have found on the subject of the non-FILE cache used on OSX is this page: https://k5wiki.kerberos.org/wiki/Projects/KCM_client

From the page:

Heimdal implements a credential cache type named "KCM" where operations are transmitted to a daemon process which manages the actual cache contents. The KCM daemon can be contacted via a Unix domain socket or, on OS X only, via Mach RPC. (There is also incomplete support in the source code for using Doors on Solaris.)

On OS X 10.7 and later, the native default credential cache type uses the KCM protocol via Mach RPC. It is typically referred to via the "API" cache type for continuity with Kerberos for Macintosh; the API and KCM cache types have the same namespace in the native OS X Kerberos.

Kerberos for Windows and Kerberos for Macintosh also implement a daemon-based cache type named "API". It uses a different protocol and transports.

So, a bit confusingly, even if klist on a modern OSX machine returns Credentials cache: API:XXXXXXX it is actually backed by the Heimdal KCM protocol, reinforced in this mailing list thread: http://kerberos.996246.n3.nabble.com/API-cache-on-Mac-OSX-td44391.html

Apple's API: cache is Heimdal's kcm daemon, which recent (1.13+) MIT supports as the KCM: ccache type.

As stated there is an added quirk on OSX: while KCM is using UNIX domain sockets on other systems, on OSX it appears to be reached via Mach RPC calls, something I was not at all familiar with prior to investigating this.

The MIT kerberos code supports both, with the implementation found here: https://github.com/krb5/krb5/blob/master/src/lib/krb5/ccache/cc_kcm.c

/*
 * This cache type contacts a daemon for each cache operation, using Heimdal's
 * KCM protocol.  On macOS, the preferred transport is Mach RPC; on other
 * Unix-like platforms or if the daemon is not available via RPC, Unix domain
 * sockets are used instead.
 */

Looking around the heimdal codebase I believe the equivalent code is found here: https://github.com/heimdal/heimdal/blob/master/lib/ipc/client.c

What I feel most unsure about is how you would interact with the Mach RPC calls from this library. I have not been able to find any obvious native golang way of doing so.

sunxunkang commented 3 years ago

I have the same problem.

sunxunkang commented 3 years ago

ping~

sunxunkang commented 3 years ago

anybody?

sunxunkang commented 3 years ago

I finally got the credential file via the 'kgetcred' command on macOS.

jake-scott commented 3 years ago

Hi - see #426 for a proposal on how to support this. I also need KCM support for an enterprise use case and would be happy to implement it if we can agree how.