https://github.com/structured-world/krb5-rs
Pure Rust Kerberos V5: GSSAPI, SPNEGO, PKINIT. No C FFI, no system krb5 dependency.
- Host: GitHub
- URL: https://github.com/structured-world/krb5-rs
- Owner: structured-world
- License: apache-2.0
- Created: 2026-03-15T16:45:05.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-05-11T13:02:44.000Z (23 days ago)
- Last Synced: 2026-05-11T15:06:50.003Z (23 days ago)
- Topics: active-directory, authentication, gssapi, kerberos, pkinit, pure-rust, rust, single-sign-on, spnego
- Language: Rust
- Size: 257 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 11
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# krb5-rs
Pure Rust Kerberos V5 implementation. GSSAPI, SPNEGO, PKINIT.
**No C FFI. No system krb5. No libgssapi. Just `cargo add krb5-rs`.**
## Features
- **Kerberos V5 Client** — TGT acquisition, service ticket requests
- **GSSAPI/SPNEGO** — HTTP Negotiate authentication
- **PKINIT** — X.509 certificate-based authentication
- **FAST** — Flexible Authentication via Secure Tunneling
- **Credential Cache** — Read/write ccache and keytab formats
## Why?
MIT Kerberos and Heimdal are massive C codebases (~450K and ~620K SLOC respectively) with decades of CVEs. Every Rust project needing Kerberos auth depends on FFI bindings to these C libraries, inheriting their build complexity and security risks.
`krb5-rs` is a ground-up Rust implementation using `rasn` (ASN.1) + RustCrypto. Pure Rust, single binary, cross-compiles to musl.
## Status
**Pre-release.** API is unstable. Not ready for production use.
## RFCs
| RFC | Description | Status |
|-----|-------------|--------|
| [RFC 4120](https://www.rfc-editor.org/rfc/rfc4120) | Kerberos V5 core | Planned |
| [RFC 4121](https://www.rfc-editor.org/rfc/rfc4121) | GSSAPI mechanism | Planned |
| [RFC 3961](https://www.rfc-editor.org/rfc/rfc3961) | Encryption specs | Planned |
| [RFC 4556](https://www.rfc-editor.org/rfc/rfc4556) | PKINIT | Planned |
| [RFC 6113](https://www.rfc-editor.org/rfc/rfc6113) | FAST | Planned |
## License
Apache-2.0