Implement Kerberos V5 (GSSAPI)

[emersion]

See https://tools.ietf.org/html/rfc4752

[simo5]

If you ever want to implement this I suggest you do it via bindings to libgssapi.so (dynamically load if present, if not present your user is definitely not using kerberos on their machine anyway).

[emersion]

I'd rather not. I'd prefer to just provide the wire marshalling, define an interface, and letting users implement it with whatever kerberos lib they want.

[simo5]

Well on the wire there isn't much going, the meat of the SASL/GSSAPI mechanism is in calling gss_init_sec_context() repeatedly and shuffling along the binary blobs you get back. But as long as there is no intention of implementing kerberos or gssapi here all is good :-)

Just note that there are basically there "gssapi" SASL protocols that are used:
GSSAPI (traditionally on unix like systems)
GSS-SPNEGO (very similar to GSSAPI but used for compatibility with Microsoft systems)
and the new GS2 mechanism that doesn't have wide usage as far as I know.

GSSAPI and GSS-SPNEGO are very close and can share most of the machinery, they are implemented in the same plugin in cyrus-sasl for example.

HTH.