mongodb / winkerberos

A native Kerberos client implementation for Python on Windows
Apache License 2.0

Implement the authGSSClientWrap `protect` parameter #14

Closed behackett closed 8 years ago

behackett commented 8 years ago

Apple's original kerberos project enables this feature. WinKerberos currently defaults to signing but no confidentiality. That is, it passes SECQOP_WRAP_NO_ENCRYPT as the second parameter to EncryptMessage. We can instead pass 0 when protect is 1, following the example from MSDN's "SSPI/Kerberos Interoperability with GSSAPI" documentation.

References:
https://github.com/apple/ccs-pykerberos/blob/PyKerberos-1.2.5/pysrc/kerberos.py#L261
https://msdn.microsoft.com/en-us/library/windows/desktop/aa375385(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380496(v=vs.85).aspx

Note that the popular PyKerberos fork of Apple's project does not support this feature. https://github.com/02strich/pykerberos/blob/v1.1.9/pysrc/kerberos.py#L173

behackett commented 8 years ago

To enable confidentiality in authGSSClientWrap with the protect parameter you have to pass GSS_C_CONF_FLAG in the gssflags parameter to authGSSClientInit. Otherwise SSPI will return "The function requested is not supported".
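An added example (not code from the winkerberos project or this thread) showing the client side of a SASL GSSAPI exchange that requests confidentiality the way the comments above describe: GSS_C_CONF_FLAG is included in gssflags at authGSSClientInit, and the final authGSSClientWrap is called with protect. The winkerberos module is passed in as a parameter (an assumption made so the flow can be exercised with a stand-in off Windows), and `exchange` is a hypothetical callback that sends a token to the server and returns its reply.

```python
"""Client side of a SASL GSSAPI exchange with winkerberos.

Usage on Windows (the module is injected so it can be substituted in tests):
    import winkerberos
    negotiate(winkerberos, "mongodb@host.example", "alice@EXAMPLE.COM", exchange)
"""


def client_flags(kerberos, protect):
    """Build the gssflags for authGSSClientInit.

    GSS_C_CONF_FLAG must be requested when the context is created; otherwise
    authGSSClientWrap(..., protect=True) fails under SSPI with
    "The function requested is not supported".
    """
    flags = kerberos.GSS_C_MUTUAL_FLAG | kerberos.GSS_C_SEQUENCE_FLAG
    if protect:
        flags |= kerberos.GSS_C_CONF_FLAG
    return flags


def negotiate(kerberos, service, user, exchange, protect=True):
    """Run the token exchange and return the final wrapped token.

    exchange(token) is a hypothetical transport callback: it delivers a
    client token to the server and returns the server's reply token.
    """
    _, ctx = kerberos.authGSSClientInit(
        service, gssflags=client_flags(kerberos, protect))
    challenge = ""
    # Step until the security context is established; each client token is
    # sent even when empty, mirroring the usual SASL GSSAPI round trips.
    while True:
        result = kerberos.authGSSClientStep(ctx, challenge)
        challenge = exchange(kerberos.authGSSClientResponse(ctx) or "")
        if result == kerberos.AUTH_GSS_COMPLETE:
            break
    # The server's last message is the wrapped security-layer negotiation.
    # Unwrap it, then answer with a wrapped token carrying the authorization
    # identity; with protect=True that token is encrypted, not just signed.
    kerberos.authGSSClientUnwrap(ctx, challenge)
    kerberos.authGSSClientWrap(
        ctx, kerberos.authGSSClientResponse(ctx), user, protect)
    wrapped = kerberos.authGSSClientResponse(ctx)
    kerberos.authGSSClientClean(ctx)
    return wrapped
```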