Open Bug 133939 Opened 23 years ago Updated 3 months ago

[RFE] SOCKS: cannot use kerberos v5 (GSS-API) authentication with

(Core :: Networking: Proxy, enhancement, P5)

(Reporter: peter.lees, Unassigned)

(Keywords: helpwanted, Whiteboard: [necko-would-take][proxy])

the SOCKS5 proxy support in mozilla does not, currently, support
Kerberos v5 (GSS-API) authentication/authorisation.

the work-around usable in netscape 4.x and other browsers (eg opera, lynx)
is to interpose the GSS-API-enabled libsocks5_sh shared object using
(on solaris) LD_PRELOAD.  this work-around *does not work* with mozilla,
hence i am submitting this as a bug, rather than an enhancement request.

the impact is that mozilla cannot participate in single-sign-on environments
which use Kerberos v5 as the authentication/authorisation mechanism. 

considering MS Active Directory uses what is essentially Kerberos v5, this
kind of authentication mechanism will inevitably become more widespread.
completing the SOCKS5 proxy implementation to include GSS-API support will
help mozilla keep pace, as well as restoring functionality to existing users
of netscape 4.x.

RFC1928 describes SOCKS5
RFC1961 describes GSS-API for SOCKS 5

nb - according to RFC1928:

    Compliant implementations MUST support GSSAPI and SHOULD support
    USERNAME/PASSWORD authentication methods.

(mozilla reverses this - user/pass is implemented, gssapi is not...)
Keywords: 4xp
OS: Solaris → All
Hardware: Sun → All
Temporarily "futuring" all PAC&SOCKS bugs to clear new-networking queue.

I will review later. (I promise)

If you object, and can make a case for a mozilla 1.0 fix, please reset milestone
to "--" or email me.
Target Milestone: --- → Future
QA Contact: benc → socksqa
I'm almost certain this isn't implemented, so RFE.
Severity: minor → enhancement
Ever confirmed: true
Keywords: helpwanted
Summary: cannot use kerberos v5 (GSS-API) authentication with SOCKS5 proxy → [RFE] SOCKS: cannot use kerberos v5 (GSS-API) authentication with
turns out i was mistaken with my original comment: the only auth mechanism
implemented is "NOAUTH" - ie, not even user/pass.

*however* i'd like to re-iterate that RFC1928 specifies that

 "Compliant implementations MUST support GSSAPI and SHOULD support
  USERNAME/PASSWORD authentication methods."

i guess it's a matter of opinion then whether the non-implementation
is a bug or a feature/enhancement problem.

i wish i knew myself where to start with this, but i don't 8(

it appears this bug is becoming a wider issue: bug 122752 and
bug 200882 (at least) seem to be related
Assignee: general → nobody
QA Contact: socksqa → networking
Whiteboard: [necko-would-take]
Whiteboard: [necko-would-take] → [necko-would-take][proxy]
Bulk change to priority:
Priority: -- → P5
Severity: normal → S3

Moving bug to Core/Networking: Proxy.

Component: Networking → Networking: Proxy
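
The RFC 1928 method negotiation the comments above refer to, as an added example (not Mozilla's code and not part of the bug thread): it shows why a client that offers only NOAUTH is refused by a proxy that accepts only GSSAPI. The function names and both policy lists are assumptions made for illustration; the method codes and message layouts are those of RFC 1928.

```python
# Added example: SOCKS5 method negotiation (RFC 1928, section 3).
VER = 0x05
NO_AUTH, GSSAPI, USERNAME_PASSWORD, NO_ACCEPTABLE = 0x00, 0x01, 0x02, 0xFF


def build_greeting(methods):
    """Client -> proxy: VER | NMETHODS | METHODS."""
    if not 1 <= len(methods) <= 255:
        raise ValueError("NMETHODS must be 1..255")
    return bytes([VER, len(methods), *methods])


def parse_greeting(data):
    """Proxy side: return the methods the client offered."""
    if len(data) < 3 or data[0] != VER or len(data) != 2 + data[1]:
        raise ValueError("malformed SOCKS5 greeting")
    return list(data[2:])


def select_method(greeting, proxy_accepts):
    """Proxy -> client: VER | METHOD, or 0xFF when nothing matches."""
    offered = parse_greeting(greeting)
    for method in proxy_accepts:          # proxy's own preference order
        if method in offered:
            return bytes([VER, method])
    return bytes([VER, NO_ACCEPTABLE])


def parse_selection(reply, offered):
    """Client side: None means the proxy refused every offered method."""
    if len(reply) != 2 or reply[0] != VER:
        raise ValueError("malformed method selection")
    if reply[1] == NO_ACCEPTABLE:
        return None                       # client must close the connection
    if reply[1] not in offered:           # never accept an unoffered method
        raise ValueError("proxy selected a method that was not offered")
    return reply[1]


def negotiate(client_offers, proxy_accepts):
    """Run both sides in memory; both policy lists are constructed inputs."""
    reply = select_method(build_greeting(client_offers), proxy_accepts)
    return parse_selection(reply, client_offers)


if __name__ == "__main__":
    print(negotiate([NO_AUTH], [GSSAPI]))          # NOAUTH-only client
    print(negotiate([NO_AUTH, GSSAPI], [GSSAPI]))  # client that offers GSSAPI
```

Selecting GSSAPI only ends this first phase; the token exchange that follows is specified in RFC 1961 and is not modelled here.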