Add support for the GSSAPI SASL mechanism

[JMyklebust]

Ref. issue #890, there is a Kerberos .net library here: https://github.com/dotnet/Kerberos.NET.

Would i be possible to get support for kerberos authentication in MailKit with that at some point?

[jstedfast]

I actually came across that the other day as I was searching to see if anyone had implemented a managed NTLM library for .NET and thought about possibly adding Kerberos support.

[SuperFlue]

Would be great to see Kerberos support, NTLM would be convenient.
But security wise it would better to have support for Kerberos.

[jstedfast]

Just to make sure I know which SASL mechanism you guys want, what are the AUTH mechanism names that your SMTP/POP3/IMAP servers are reporting?

I'm assuming GSSAPI?

Back in the day (20 years ago), KERBEROS_V4 and GSSAPI were the 2 I had implemented in C, but these days it looks like there might be more variants than that:

https://www.iana.org/assignments/sasl-mechanisms/sasl-mechanisms.xhtml

[JMyklebust]

In my specific case it's a SMTP server that reports GSSAPI yes.

[jstedfast]

This doesn't look like it will be as easy as I had hoped. Kerberos.NET doesn't implement any of the GSS API's. Kerberos is only a small part of GSS afaict.

[jstedfast]

GSSAPI SASL mechanism: https://datatracker.ietf.org/doc/html/rfc4752
GSSAPI: https://datatracker.ietf.org/doc/html/rfc2743
GSSAPI C-bindings: https://datatracker.ietf.org/doc/html/rfc2744

[JMyklebust]

That's some big specifications.... 😅

Maybe a somewhat naive question:
Could you leverage the Windows APIs for this?
Example: https://docs.microsoft.com/en-us/windows/win32/secauthn/sspi-kerberos-interoperability-with-gssapi
Obviously that wont be a solid cross-platform solution, but as a stopgap?

Of course, if that just adds lots of extra work that you cannot really re-use for cross-platform. Then I guess I'll just sit tight til you hopefully find time to implement this in a proper way.

MailKit is a great library regardless, keep up the good work. 😄

[Evengard]

Erhm, I had success with GSSAPI authentication (via SPNEGO) on Ldap (https://github.com/dsbenghe/Novell.Directory.Ldap.NETStandard) with Kerberos.NET, aka fully managed. What is not supported in Kerberos.NET that you need? It have an EncodeGssApi function which should be enough. Or is there smth else?

[jstedfast]

Need a bit more than an encoder.

Btw, your ldap link does not implement GSS-API either 😁

[Evengard]

Yeah, because I extended it for the said implementation. Work-related code. There was nothing special though. Basically after reading https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SSEAN/%5bMS-SSEAN%5d.pdf and https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SPNG/%5bMS-SPNG%5d.pdf, and seeing that all theese token implementations are present in Kerberos.NET, shouldn't be too complex to implement.

[jstedfast]

shouldn't be too complex to implement

Good, then I'll expect that patch from you by tomorrow ;-)

[Evengard]

xD If only I had more time that could very well happen xD

[jstedfast]

I'm thinking that this should probably be a separate MailKit.Security.Gssapi nuget package if/when I (or someone else) ever get around to implementing it.

I'd love to see this supported in MailKit, but I'm just not seeing the demand so it's been a very low priority for me (especially now that I have had so little free time to work on this and other side projects).