
curl-library

Re: Does libcurl support Kerberos constrained delegation?

From: xiaoyan wei <xwei168_at_yahoo.com>
Date: Tue, 10 Jul 2018 13:05:07 +0000 (UTC)

On Mon, Jul 9, 2018, 16:38 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote: 

>> Hi, 
>> 
>> Thanks for your response. I do have a follow up question. Since the 
>> libcurl option is GSSAPI based, how will Kerberos delegation work on 
>> Windows with SSPI if we need to use libcurl? 
>> 
>> Thanks 
>> Sachin 
>> 
>> On Mon, Jul 9, 2018 at 2:49 AM Isaac Boukris <iboukris_at_gmail.com> wrote: 
>> 
>>> 
>>> 
>>> On Mon, Jul 9, 2018, 05:30 Sachin Nikumbh <sanikumbh_at_gmail.com> wrote: 
>>> 
>>>> Hi, 
>>>> 
>>>> 
>>>> 
>>>> I am looking at libcurl’s support on Kerberos delegation. 
>>>> 
>>>> The only thing I found is CURLOPT_GSSAPI_DELEGATION added in 7.22.0. 
>>>> 
>>>> https://curl.haxx.se/libcurl/c/CURLOPT_GSSAPI_DELEGATION.html
>>>> 
>>>> However, there are several issues with this option: 
>>>> 
>>>> 1. Looks like this option is for the original Kerberos v5 delegation 
>>>> (unconstrained delegation for any services), not the Microsoft Kerberos 
>>>> protocol extension for constrained delegation. 
>>>> 2. It’s using GSSAPI. So does it work natively on Windows with SSPI? 
>>>> 
>>>> 
>>>> 
>>>> The preferred way to do Kerberos delegation is to do protocol transition 
>>>> (S4U2Self) and Constrained delegation (S4U2Proxy). 
>>>> 
>>>> https://msdn.microsoft.com/en-us/library/cc246071.aspx
>>>>
>>>> https://k5wiki.kerberos.org/wiki/Projects/Services4User
>>>> 
>>>> 
>>>> 
>>>> Is this supported in libcurl? 
>>>> 
>>>> If not, is there any plan to support it? 
>>>> 
>>> 
>>> 
>>> It doesn't have much to do with libcurl, if the contains the delegated 
>>> credentials (e.g. acquired via gss_acquire_cred_impersonate_name) they will 
>>> be used by the gssapi library when invoked by libcurl. 
>>> 
>> 

> I don't know about delegation in sspi, it might be possible to achieve 
> something similar depending on the API. 

The SSPI LsaLogonUser can be used to achieve similar things as gss_acquire_cred_impersonate_name. However, that will put the delegated credential in the LSA credential cache; GSSAPI may not be able to access it.
Does anyone know how to do Kerberos delegation using libcurl on Windows?
Thanks.

Received on 2018-07-10