Bug 126477

Summary: GSSAPI authentication support for wget
Product: [Fedora] Fedora Reporter: Felipe Alfaro Solana <felipe_alfaro>
Component: wgetAssignee: Karsten Hopp <karsten>
Status: CLOSED UPSTREAM QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideKeywords: FutureFeature, Patch
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-08 13:20:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
GSSAPI authentication support for wget none

Description Felipe Alfaro Solana 2004-06-22 09:05:20 UTC 
This report includes a patch to extend wget functionality so GSSAPI
authentication can be negotiated between the wget FTP client and the
remote FTP server, allowing for non-anonymous, password-less,
authenticated sessions by virtue of a Kerberos V KDC.

The reason for the creation of this patch is that I have always missed
the GSSAPI authenticaion mechanism found in /usr/kerberos/bin/ftp
command line client, included in krb5-workstation, so I decided to
implement it for wget.

This patch can be further enhanced to support private (i.e. encrypted)
sessions using GSSAPI supplied functionality. The FTP command-line
tool from krb5-workstation already allows this by using the "-x"
switch. This should be easy to implement as the major infraestructure
is already in place with this patch (only minor additions are
required, which I'm currently working on).

The only change in behavior is that, before performing an anonymous
plain-text login, the AUTH GSSAPI command is sent to the remote FTP
server in first place. If the remote FTP server supports GSSAPI
authentication, via the ADAT command, GSSAPI authentication will be
negotiated between the wget client and the remote FTP server.

I'm currently using a modified wget 1.9.1 plus this patch and I'm
enjoying ticket-based GSSAPI authentication against my FTP server, so
I can download files from my remote home directory (accessible via the
FTP server supplied with krb5-server) without using plain-text based
logins.

Please, feel free to use and review this patch, or even including it
into future releases of wget. I have used code from
krb5-workstation to implement the GSSAPI authentication for wget.
There will be probably many bugs. I have tested it against the FTP
server available in Fedora Core 2 krb5-server package, and two remote
servers: HEANET.ie and Rediris.es (neither of them do support GSSAPI
authentication, by the way).

NOTE: I also sent this patch upstream to the mantainer, at
wget-patches, but since I haven't heard from them, I though
this patch could be considered for inclusion in Fedora Core 3.
Comment 1 Felipe Alfaro Solana 2004-06-22 09:07:10 UTC 
Created attachment 101323 [details]
GSSAPI authentication support for wget
Comment 2 Karsten Hopp 2005-09-08 13:20:26 UTC 
This really needs to be included upstream. I won't maintain a gssapi patch for
all upcoming wget versions. Please contact wget for inclusion.