Merge pull request #3 from JuliaWeb/gssapi

Add initial client support for GSSAPI authentication

docs/src/changelog.md

@@ -3,6 +3,12 @@
 This documents notable changes in LibSSH.jl. The format is based on [Keep a
 Changelog](https://keepachangelog.com).
 
+## Unreleased
+
+### Added
+
+- Initial client support for GSSAPI authentication ([#3]).
+
 ## [v0.2.0] - 2024-02-01
 
 ### Changed

docs/src/sessions_and_channels.md

@@ -51,6 +51,7 @@ userauth_password
 userauth_kbdint
 userauth_kbdint_getprompts
 userauth_kbdint_setanswers
+userauth_gssapi
 get_error(::Session)
 Base.isopen(::Session)
 Base.close(::Session)

docs/src/utilities.md

@@ -20,6 +20,7 @@ Depth = 10
 
 ```@docs
 get_hexa
+gssapi_available
 ```
 
 ## Messages

src/LibSSH.jl

@@ -158,6 +158,15 @@ function lib_version()
     VersionNumber(lib.LIBSSH_VERSION_MAJOR, lib.LIBSSH_VERSION_MINOR, lib.LIBSSH_VERSION_MICRO)
 end
 
+"""
+$(TYPEDSIGNATURES)
+
+Check if GSSAPI support is available (currently only Linux and FreeBSD).
+"""
+function gssapi_available()
+    Sys.islinux() || Sys.isfreebsd()
+end
+
 # Safe wrapper around poll_fd(). There's a race condition in older Julia
 # versions between the loop condition evaluation and this line, so we wrap
 # poll_fd() in a try-catch in case the bind (and thus the file descriptor) has

src/session.jl

@@ -558,6 +558,32 @@ end
 """
 $(TYPEDSIGNATURES)
 
+Authenticate with GSSAPI. This is not available on all platforms (see
+[`gssapi_available`](@ref)).
+
+# Throws
+- `ArgumentError`: If the session isn't connected.
+- `ErrorException`: If GSSAPI support isn't available.
+
+Wrapper around [`lib.ssh_userauth_gssapi()`](@ref).
+"""
+function userauth_gssapi(session::Session)
+    if !isconnected(session)
+        throw(ArgumentError("Session is disconnected, cannot authenticate until it's connected"))
+    elseif !gssapi_available()
+        error("GSSAPI support is not available")
+    end
+
+    ret = _session_trywait(session) do
+        lib.ssh_userauth_gssapi(session.ptr)
+    end
+
+    return AuthStatus(ret)
+end
+
+"""
+$(TYPEDSIGNATURES)
+
 Attempt to authenticate with the keyboard-interactive method.
 
 # Throws

test/LibSSHTests.jl

@@ -8,7 +8,7 @@ import Aqua
 import Literate
 import CURL_jll: curl
 import OpenSSH_jll
-import ReTest: @testset, @test, @test_throws, @test_nowarn, @test_logs
+import ReTest: @testset, @test, @test_throws, @test_nowarn, @test_broken, @test_logs
 
 import LibSSH
 import LibSSH as ssh
@@ -191,8 +191,6 @@ end
 end
 
 @testset "Session" begin
-    @test ssh.lib_version() isa VersionNumber
-
     session = ssh.Session("localhost"; auto_connect=false, log_verbosity=lib.SSH_LOG_NOLOG)
     @test !ssh.isconnected(session)
 
@@ -272,6 +270,20 @@ end
             close(session)
         end
     end
+
+    @testset "GSSAPI authentication" begin
+        DemoServer(2222; auth_methods=[ssh.AuthMethod_GSSAPI_MIC]) do
+            session = ssh.Session(Sockets.localhost, 2222)
+            @test ssh.isconnected(session)
+
+            # TODO: figure out how to write proper tests for this. It's a little
+            # tricky since we'd need to have Kerberos running and configured
+            # correctly. In the meantime, this has been tested manually.
+            @test_broken ssh.userauth_gssapi(session) == ssh.AuthStatus_Success
+
+            close(session)
+        end
+    end
 end
 
 # Helper function to start a DemoServer and create a session connected to it
@@ -410,6 +422,11 @@ end
     @test true
 end
 
+@testset "Utility functions" begin
+    @test ssh.lib_version() isa VersionNumber
+    @test ssh.gssapi_available() isa Bool
+end
+
 @testset "Aqua.jl" begin
     Aqua.test_all(ssh)
 end