This report includes a patch to extend wget functionality so GSSAPI
authentication can be negotiated between the wget FTP client and the
remote FTP server, allowing for non-anonymous, password-less,
authenticated sessions by virtue of a Kerberos V KDC.
The reason for the creation of this patch is that I have always missed
the GSSAPI authenticaion mechanism found in /usr/kerberos/bin/ftp
command line client, included in krb5-workstation, so I decided to
implement it for wget.
This patch can be further enhanced to support private (i.e. encrypted)
sessions using GSSAPI supplied functionality. The FTP command-line
tool from krb5-workstation already allows this by using the "-x"
switch. This should be easy to implement as the major infraestructure
is already in place with this patch (only minor additions are
required, which I'm currently working on).
The only change in behavior is that, before performing an anonymous
plain-text login, the AUTH GSSAPI command is sent to the remote FTP
server in first place. If the remote FTP server supports GSSAPI
authentication, via the ADAT command, GSSAPI authentication will be
negotiated between the wget client and the remote FTP server.
I'm currently using a modified wget 1.9.1 plus this patch and I'm
enjoying ticket-based GSSAPI authentication against my FTP server, so
I can download files from my remote home directory (accessible via the
FTP server supplied with krb5-server) without using plain-text based
Please, feel free to use and review this patch, or even including it
into future releases of wget. I have used code from
krb5-workstation to implement the GSSAPI authentication for wget.
There will be probably many bugs. I have tested it against the FTP
server available in Fedora Core 2 krb5-server package, and two remote
servers: HEANET.ie and Rediris.es (neither of them do support GSSAPI
authentication, by the way).
NOTE: I also sent this patch upstream to the mantainer, at
firstname.lastname@example.org, but since I haven't heard from them, I though
this patch could be considered for inclusion in Fedora Core 3.
Created attachment 101323 [details]
GSSAPI authentication support for wget
This really needs to be included upstream. I won't maintain a gssapi patch for
all upcoming wget versions. Please contact email@example.com for inclusion.