krb5-rs
Pure Rust Kerberos V5 implementation. GSSAPI, SPNEGO, PKINIT.
No C FFI. No system krb5. No libgssapi. Just cargo add krb5-rs.
Features
- Kerberos V5 Client — TGT acquisition, service ticket requests
- GSSAPI/SPNEGO — HTTP Negotiate authentication
- PKINIT — X.509 certificate-based authentication
- FAST — Flexible Authentication via Secure Tunneling
- Credential Cache — Read/write ccache and keytab formats
Why?
MIT Kerberos and Heimdal are massive C codebases (~450K and ~620K SLOC respectively) with decades of CVEs. Every Rust project needing Kerberos auth depends on FFI bindings to these C libraries, inheriting their build complexity and security risks.
krb5-rs is a ground-up Rust implementation using rasn (ASN.1) + RustCrypto. Pure Rust, single binary, cross-compiles to musl.
Status
Pre-release. API is unstable. Not ready for production use.
RFCs
| RFC | Description | Status |
|---|---|---|
| RFC 4120 | Kerberos V5 core | Planned |
| RFC 4121 | GSSAPI mechanism | Planned |
| RFC 3961 | Encryption specs | Planned |
| RFC 4556 | PKINIT | Planned |
| RFC 6113 | FAST | Planned |
License
Apache-2.0