{"id":13721164,"url":"https://github.com/jcmturner/gokrb5","last_synced_at":"2025-09-23T12:05:57.092Z","repository":{"id":15177008,"uuid":"77703394","full_name":"jcmturner/gokrb5","owner":"jcmturner","description":"Pure Go Kerberos library for clients and services","archived":false,"fork":false,"pushed_at":"2024-07-29T13:34:56.000Z","size":57827,"stargazers_count":766,"open_issues_count":93,"forks_count":270,"subscribers_count":30,"default_branch":"master","last_synced_at":"2025-09-13T05:34:12.611Z","etag":null,"topics":["go","golang","gssapi","kerberos","kerberos-authentication","kerberos-client","kerberos-spnego","keytab","spnego"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jcmturner.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2016-12-30T18:29:30.000Z","updated_at":"2025-09-12T03:06:58.000Z","dependencies_parsed_at":"2024-02-14T03:41:20.693Z","dependency_job_id":null,"html_url":"https://github.com/jcmturner/gokrb5","commit_stats":{"total_commits":659,"total_committers":38,"mean_commits":"17.342105263157894","dds":"0.11532625189681334","last_synced_commit":"47cd2e7744531465a983bf457bac38e6ad8f4684"},"previous_names":[],"tags_count":60,"template":false,"template_full_name":null,"purl":"pkg:github/jcmturner/gokrb5","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fgokrb5","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fgokrb5/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fgokrb5/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fgokrb5/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jcmturner","download_url":"https://codeload.github.com/jcmturner/gokrb5/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jcmturner%2Fgokrb5/sbom","scorecard":{"id":511585,"data":{"date":"2025-08-11","repo":{"name":"github.com/jcmturner/gokrb5","commit":"855dbc707a37a21467aef6c0245fcf3328dc39ed"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":3.3,"checks":[{"name":"Code-Review","score":4,"reason":"Found 11/23 approved changesets -- score normalized to 4","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/testing.yml:1","Warn: no topLevel permission defined: .github/workflows/testingv8.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Maintained","score":0,"reason":"0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":2,"reason":"dependency not pinned by hash detected -- score normalized to 2","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testing.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/jcmturner/gokrb5/testing.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testing.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/jcmturner/gokrb5/testing.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testingv8.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/jcmturner/gokrb5/testingv8.yml/master?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/testingv8.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/jcmturner/gokrb5/testingv8.yml/master?enable=pin","Info:   0 out of   4 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   1 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":0,"reason":"10 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2023-2402 / GHSA-45x7-px36-x8w8","Warn: Project is vulnerable to: GO-2024-3321 / GHSA-v778-237x-gjrc","Warn: Project is vulnerable to: GO-2025-3487 / GHSA-hcg3-q754-cr77","Warn: Project is vulnerable to: GO-2023-1988 / GHSA-2wrh-6pvc-2jm9","Warn: Project is vulnerable to: GO-2023-2102 / GHSA-4374-p667-p6c8","Warn: Project is vulnerable to: GHSA-qppj-fm5r-hxr3","Warn: Project is vulnerable to: GO-2024-2687 / GHSA-4v7x-pqxf-cx7m","Warn: Project is vulnerable to: GO-2024-3333","Warn: Project is vulnerable to: GO-2025-3503 / GHSA-qxp5-gwg8-xv66","Warn: Project is vulnerable to: GO-2025-3595 / GHSA-vvgc-356p-c3xw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-20T00:40:28.922Z","repository_id":15177008,"created_at":"2025-08-20T00:40:28.922Z","updated_at":"2025-08-20T00:40:28.922Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":274979001,"owners_count":25384778,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-09-13T02:00:10.085Z","response_time":70,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["go","golang","gssapi","kerberos","kerberos-authentication","kerberos-client","kerberos-spnego","keytab","spnego"],"created_at":"2024-08-03T01:01:13.136Z","updated_at":"2025-09-23T12:05:57.027Z","avatar_url":"https://github.com/jcmturner.png","language":"Go","funding_links":[],"categories":["Encryption"],"sub_categories":[],"readme":"# gokrb5\n\nIt is recommended to use the latest version: [![Version](https://img.shields.io/github/release/jcmturner/gokrb5.svg)](https://github.com/jcmturner/gokrb5/releases)\n\nDevelopment will be focused on the latest major version. New features will only be targeted at this version.\n\n| Versions | Dependency Management | Import Path | Usage | Godoc | Go Report Card |\n|----------|-----------------------|-------------|-------|-------|----------------|\n| [![v8](https://github.com/jcmturner/gokrb5/workflows/v8/badge.svg)](https://github.com/jcmturner/gokrb5/actions?query=workflow%3Av8) | Go modules | import \"github.com/jcmturner/gokrb5/v8/{sub-package}\" | [![Usage](https://img.shields.io/badge/v8-usage-blue)](https://github.com/jcmturner/gokrb5/blob/master/v8/USAGE.md) | [![GoDoc](https://img.shields.io/badge/godoc-reference-blue)](https://pkg.go.dev/github.com/jcmturner/gokrb5/v8) | [![Go Report Card](https://goreportcard.com/badge/github.com/jcmturner/gokrb5/v8)](https://goreportcard.com/report/github.com/jcmturner/gokrb5/v8) |\n| [![v7](https://github.com/jcmturner/gokrb5/workflows/v7/badge.svg)](https://github.com/jcmturner/gokrb5/actions?query=workflow%3Av7) | gopkg.in | import \"gopkg.in/jcmturner/gokrb5.v7/{sub-package}\" | [![Usage](https://img.shields.io/badge/v7-usage-blue)](https://github.com/jcmturner/gokrb5/blob/master/USAGE.md) | [![GoDoc](https://img.shields.io/badge/godoc-reference-blue)](https://pkg.go.dev/github.com/jcmturner/gokrb5@v7.5.0+incompatible) | [![Go Report Card](https://goreportcard.com/badge/gopkg.in/jcmturner/gokrb5.v7)](https://goreportcard.com/report/gopkg.in/jcmturner/gokrb5.v7) |\n\n\n#### Go Version Support\n![Go version](https://img.shields.io/badge/Go-1.18-brightgreen.svg)\n![Go version](https://img.shields.io/badge/Go-1.17-brightgreen.svg)\n![Go version](https://img.shields.io/badge/Go-1.16-brightgreen.svg)\n\ngokrb5 may work with other versions of Go but they are not formally tested.\nIt has been reported that gokrb5 also works with the [gollvm](https://go.googlesource.com/gollvm/) compiler but this is not formally tested.\n\n## Features\n* **Pure Go** - no dependency on external libraries \n* No platform specific code\n* Server Side\n  * HTTP handler wrapper implements SPNEGO Kerberos authentication\n  * HTTP handler wrapper decodes Microsoft AD PAC authorization data\n* Client Side\n  * Client that can authenticate to an SPNEGO Kerberos authenticated web service\n  * Ability to change client's password\n* General\n  * Kerberos libraries for custom integration\n  * Parsing Keytab files\n  * Parsing krb5.conf files\n  * Parsing client credentials cache files such as `/tmp/krb5cc_$(id -u $(whoami))`\n\n#### Implemented Encryption \u0026 Checksum Types\n\n| Implementation | Encryption ID | Checksum ID | RFC |\n|-------|-------------|------------|------|\n| des3-cbc-sha1-kd | 16 | 12 | 3961 |\n| aes128-cts-hmac-sha1-96 | 17 | 15 | 3962 |\n| aes256-cts-hmac-sha1-96 | 18 | 16 | 3962 |\n| aes128-cts-hmac-sha256-128 | 19 | 19 | 8009 |\n| aes256-cts-hmac-sha384-192 | 20 | 20 | 8009 |\n| rc4-hmac | 23 | -138 | 4757 |\n\n\nThe following is working/tested:\n* Tested against MIT KDC (1.6.3 is the oldest version tested against) and Microsoft Active Directory (Windows 2008 R2)\n* Tested against a KDC that supports PA-FX-FAST.\n* Tested against users that have pre-authentication required using PA-ENC-TIMESTAMP.\n* Microsoft PAC Authorization Data is processed and exposed in the HTTP request context. Available if Microsoft Active Directory is used as the KDC.\n\n## Contributing\nIf you are interested in contributing to gokrb5, great! Please read the [contribution guidelines](https://github.com/jcmturner/gokrb5/blob/master/CONTRIBUTING.md).\n\n---\n\n## References\n* [RFC 3244 Microsoft Windows 2000 Kerberos Change Password and Set Password Protocols](https://tools.ietf.org/html/rfc3244)\n* [RFC 4120 The Kerberos Network Authentication Service (V5)](https://tools.ietf.org/html/rfc4120)\n* [RFC 3961 Encryption and Checksum Specifications for Kerberos 5](https://tools.ietf.org/html/rfc3961)\n* [RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5](https://tools.ietf.org/html/rfc3962)\n* [RFC 4121 The Kerberos Version 5 GSS-API Mechanism](https://tools.ietf.org/html/rfc4121)\n* [RFC 4178 The Simple and Protected Generic Security Service Application Program Interface (GSS-API) Negotiation Mechanism](https://tools.ietf.org/html/rfc4178.html)\n* [RFC 4559 SPNEGO-based Kerberos and NTLM HTTP Authentication in Microsoft Windows](https://tools.ietf.org/html/rfc4559.html)\n* [RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows](https://tools.ietf.org/html/rfc4757)\n* [RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals](https://tools.ietf.org/html/rfc6806.html)\n* [RFC 6113 A Generalized Framework for Kerberos Pre-Authentication](https://tools.ietf.org/html/rfc6113.html)\n* [RFC 8009 AES Encryption with HMAC-SHA2 for Kerberos 5](https://tools.ietf.org/html/rfc8009)\n* [IANA Assigned Kerberos Numbers](http://www.iana.org/assignments/kerberos-parameters/kerberos-parameters.xhtml)\n* [HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 1](https://msdn.microsoft.com/en-us/library/ms995329.aspx)\n* [HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol - Part 2](https://msdn.microsoft.com/en-us/library/ms995330.aspx)\n* [Microsoft PAC Validation](https://blogs.msdn.microsoft.com/openspecification/2009/04/24/understanding-microsoft-kerberos-pac-validation/)\n* [Microsoft Kerberos Protocol Extensions](https://msdn.microsoft.com/en-us/library/cc233855.aspx)\n* [Windows Data Types](https://msdn.microsoft.com/en-us/library/cc230273.aspx)\n\n### Useful Links\n* https://en.wikipedia.org/wiki/Ciphertext_stealing#CBC_ciphertext_stealing\n\n## Thanks\n* Greg Hudson from the MIT Consortium for Kerberos and Internet Trust for providing useful advice.\n\n## Contributing\nThank you for your interest in contributing to gokrb5 please read the \n[contribution guide](https://github.com/jcmturner/gokrb5/blob/master/CONTRIBUTING.md) as it should help you get started.\n\n## Known Issues\n| Issue | Worked around? | References |\n|-------|-------------|------------|\n| The Go standard library's encoding/asn1 package cannot unmarshal into slice of asn1.RawValue | Yes | https://github.com/golang/go/issues/17321 |\n| The Go standard library's encoding/asn1 package cannot marshal into a GeneralString | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18832 |\n| The Go standard library's encoding/asn1 package cannot marshal into slice of strings and pass stringtype parameter tags to members | Yes - using https://github.com/jcmturner/gofork/tree/master/encoding/asn1 | https://github.com/golang/go/issues/18834 |\n| The Go standard library's encoding/asn1 package cannot marshal with application tags | Yes | |\n| The Go standard library's x/crypto/pbkdf2.Key function uses the int type for iteraction count limiting meaning the 4294967296 count specified in https://tools.ietf.org/html/rfc3962 section 4 cannot be met on 32bit systems | Yes - using https://github.com/jcmturner/gofork/tree/master/x/crypto/pbkdf2 | https://go-review.googlesource.com/c/crypto/+/85535 |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcmturner%2Fgokrb5","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjcmturner%2Fgokrb5","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjcmturner%2Fgokrb5/lists"}