-
-
Notifications
You must be signed in to change notification settings - Fork 828
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for the GSSAPI SASL mechanism #1249
Comments
I actually came across that the other day as I was searching to see if anyone had implemented a managed NTLM library for .NET and thought about possibly adding Kerberos support. |
Would be great to see Kerberos support, NTLM would be convenient. |
Just to make sure I know which SASL mechanism you guys want, what are the AUTH mechanism names that your SMTP/POP3/IMAP servers are reporting? I'm assuming GSSAPI? Back in the day (20 years ago), KERBEROS_V4 and GSSAPI were the 2 I had implemented in C, but these days it looks like there might be more variants than that: https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml |
In my specific case it's a SMTP server that reports GSSAPI yes. |
This doesn't look like it will be as easy as I had hoped. Kerberos.NET doesn't implement any of the GSS API's. Kerberos is only a small part of GSS afaict. |
GSSAPI SASL mechanism: https://datatracker.ietf.org/doc/html/rfc4752 |
That's some big specifications.... 😅 Maybe a somewhat naive question: Of course, if that just adds lots of extra work that you cannot really re-use for cross-platform. Then I guess I'll just sit tight til you hopefully find time to implement this in a proper way. MailKit is a great library regardless, keep up the good work. 😄 |
Erhm, I had success with GSSAPI authentication (via SPNEGO) on Ldap (https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard) with Kerberos.NET, aka fully managed. What is not supported in Kerberos.NET that you need? It have an EncodeGssApi function which should be enough. Or is there smth else? |
Need a bit more than an encoder. Btw, your ldap link does not implement GSS-API either 😁 |
Yeah, because I extended it for the said implementation. Work-related code. There was nothing special though. Basically after reading https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SSEAN/%5bMS-SSEAN%5d.pdf and https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf, and seeing that all theese token implementations are present in Kerberos.NET, shouldn't be too complex to implement. |
Good, then I'll expect that patch from you by tomorrow ;-) |
xD If only I had more time that could very well happen xD |
I'm thinking that this should probably be a separate MailKit.Security.Gssapi nuget package if/when I (or someone else) ever get around to implementing it. I'd love to see this supported in MailKit, but I'm just not seeing the demand so it's been a very low priority for me (especially now that I have had so little free time to work on this and other side projects). |
Ref. issue #890, there is a Kerberos .net library here: https://github.com/dotnet/Kerberos.NET.
Would i be possible to get support for kerberos authentication in MailKit with that at some point?
The text was updated successfully, but these errors were encountered: