Opened 5 years ago

Last modified 19 months ago

#10266 new Patch

Implementation of Kerberos/GSSAPI support (RFC 2228)

Reported by: Ken Hornstein
Owned by:
Priority: normal
Component: FileZilla Client
Keywords:
Cc:
Component version:
Operating system type:
Operating system version:

Description (last modified by Tim Kosse)

I've implemented Kerberos/GSSAPI support (RFC 2228) for the FileZilla client. I've made sure my changes work against the most recent source code of FileZilla. I've tested this on MacOS X and Windows, and I believe there should be no problems having it work on Linux.

I'd like to get this into the FileZilla source code. So ... what do I need to do to make this happen? Should I just post the patch here?

Attachments (1)

super-patch (72.4 KB) - added by Ken Hornstein 5 years ago.
Patch for GSSAPI/Kerberos support


Change History (10)

comment:1 Changed 5 years ago by Tim Kosse

Status: new → moreinfo

Yes, please post the patch here as unified context diff against the current trunk HEAD of the FileZilla SVN repository.

Changed 5 years ago by Ken Hornstein

Attachment: super-patch added

Patch for GSSAPI/Kerberos support

comment:2 Changed 5 years ago by Ken Hornstein

Status: moreinfo → new

Okay, it's been attached to this ticket. A few changes for building on Windows with MinGW have been included, but those should be obvious.

comment:3 Changed 3 years ago by kpedro88

Is there any possibility of getting these features included in FileZilla?

I work at a national laboratory that uses Kerberos heavily, and there is a serious lack of third-party support on Windows. Only one major SFTP GUI can use Kerberos authentication (rhymes with "ShminSCP") and it's barely functional in general.

I know that many years ago, Kerberos support was removed due to the lack of a testing environment. Perhaps the FileZilla developers can contact the kfwdev list (https://web.mit.edu/kerberos/contact.html) to establish such a test setup. There are many Windows users who would greatly appreciate being able to use FileZilla with Kerberos.

comment:4 Changed 2 years ago by Tim Kosse

Description: modified (diff)
Status: new → moreinfo

Please use FTP over TLS with password authentication. It's perfectly secure and MANY MANY MANY orders of magnitude easier to use than this GSS kludge. It's also much faster.

For this patch to be eligible I require instructions on how to properly set up GSS infrastructure within 5 minutes on a standard Debian machine.

comment:5 Changed 2 years ago by kpedro88

Is this sufficient? Installing Kerberos on Debian

(I've been pleading with the lab's IT department for years to ditch Kerberos; however, user support is not their priority.)

comment:6 in reply to:  4 Changed 2 years ago by Ken Hornstein

Status: moreinfo → new

Replying to codesquid:

> Please use FTP over TLS with password authentication. It's perfectly secure and MANY MANY MANY orders of magnitude easier to use than this GSS kludge. It's also much faster.

I'm sorry, this statement is ... not accurate.

Well, okay, let me expand on that. FTP over TLS is fine, as long as you don't have a Kerberos environment. If you do, then it is MUCH LESS SECURE. As for orders of magnitude easier to use, I cannot agree. Also, I disagree completely that it is a kludge. As for speed, I did testing here and the speed was fine.

> For this patch to be eligible I require instructions on how to properly set up GSS infrastructure within 5 minutes on a standard Debian machine.

You know, first the complaint was, "Nobody has written the code". Now the complaint is, "I can't test it". I have to say that it sure feels like you're moving the goalposts on me. And it sure would have been nice to know that the goalposts were moved on me 2 years ago.

If the issue REALLY IS "I can't test it", I'm willing to work with you guys on that. I just don't want another issue to appear later. But "setup within 5 minutes" seems kind of arbitrary and capricious. The advantage to Kerberos is it's a centrally-managed key distribution system; the disadvantage is, that requires some infrastructure, and some extra pieces. It has its place, just like TLS does.

Look, I would like this integrated. I'm willing to meet you more than halfway on this. You don't need any software that doesn't already ship with popular Linux distributions. If the issue really is getting a simple Kerberos infrastructure up, that could be easily made scriptable. I can help with that. It is not rocket science, but it's easy to get it wrong and the solution to errors you get is not obvious unless you have experience with Kerberos. I'm glad to help you get it working.

comment:7 in reply to: description Changed 20 months ago by juamp

Replying to kenh:

> I've implemented Kerberos/GSSAPI support (RFC 2228) for the FileZilla client. I've made sure my changes work against the most recent source code of FileZilla. I've tested this on MacOS X and Windows, and I believe there should be no problems having it work on Linux.

Nice! Thank you so much for that!

I'd also love to see this upstream and in the official FileZilla builds.

Do you happen to have a more recent version of the patch that applies to the most recent sources in svn or to the latest release? If so, I would really appreciate it if you could post it here.

Anyway, thank you very much kenh!

comment:8 in reply to:  7 Changed 20 months ago by Ken Hornstein

Replying to juamp:

> Nice! Thank you so much for that!
>
> I'd also love to see this upstream and in the official FileZilla builds.
>
> Do you happen to have a more recent version of the patch that applies to the most recent sources in svn or to the latest release? If so, I would really appreciate it if you could post it here.

A co-worker talked to me recently about working on that but as far as I know they are not done.

Considering the last response I received about this was a not-so-veiled "fuck you" (see the comment history), I have been kind of discouraged and haven't really been motivated in keeping this work up to date.

comment:9 Changed 19 months ago by juamp

> A co-worker talked to me recently about working on that but as far as I know they are not done.
>
> Considering the last response I received about this was a not-so-veiled "fuck you" (see the comment history), I have been kind of discouraged and haven't really been motivated in keeping this work up to date.

Yes, I understand and am sorry to hear that! I wasn't really very hopeful. I had to ask though... You never know :)

If your co-worker happens to have anything and you are willing to share it, I'd be more than happy if you could tell me.

Again, thank you very much!
