| 1 |
|
|---|
| 2 | GSSAPI(3) BSD Library Functions Manual GSSAPI(3)
|
|---|
| 3 |
|
|---|
| 4 | NNAAMMEE
|
|---|
| 5 | ggssssaappii -- Generic Security Service Application Program Interface library
|
|---|
| 6 |
|
|---|
| 7 | LLIIBBRRAARRYY
|
|---|
| 8 | GSS-API Library (libgssapi, -lgssapi)
|
|---|
| 9 |
|
|---|
| 10 | DDEESSCCRRIIPPTTIIOONN
|
|---|
| 11 | The Generic Security Service Application Program Interface (GSS-API) pro-
|
|---|
| 12 | vides security services to callers in a generic fashion, supportable with
|
|---|
| 13 | a range of underlying mechanisms and technologies and hence allowing
|
|---|
| 14 | source-level portability of applications to different environments.
|
|---|
| 15 |
|
|---|
| 16 | The GSS-API implementation in Heimdal implements the Kerberos 5 and the
|
|---|
| 17 | SPNEGO GSS-API security mechanisms.
|
|---|
| 18 |
|
|---|
| 19 | LLIISSTT OOFF FFUUNNCCTTIIOONNSS
|
|---|
| 20 | These functions constitute the gssapi library, _l_i_b_g_s_s_a_p_i. Declarations
|
|---|
| 21 | for these functions may be obtained from the include file _g_s_s_a_p_i_._h.
|
|---|
| 22 | NNaammee//PPaaggee
|
|---|
| 23 | gss_accept_sec_context(3)
|
|---|
| 24 | gss_acquire_cred(3)
|
|---|
| 25 | gss_add_cred(3)
|
|---|
| 26 | gss_add_oid_set_member(3)
|
|---|
| 27 | gss_canonicalize_name(3)
|
|---|
| 28 | gss_compare_name(3)
|
|---|
| 29 | gss_context_time(3)
|
|---|
| 30 | gss_create_empty_oid_set(3)
|
|---|
| 31 | gss_delete_sec_context(3)
|
|---|
| 32 | gss_display_name(3)
|
|---|
| 33 | gss_display_status(3)
|
|---|
| 34 | gss_duplicate_name(3)
|
|---|
| 35 | gss_export_name(3)
|
|---|
| 36 | gss_export_sec_context(3)
|
|---|
| 37 | gss_get_mic(3)
|
|---|
| 38 | gss_import_name(3)
|
|---|
| 39 | gss_import_sec_context(3)
|
|---|
| 40 | gss_indicate_mechs(3)
|
|---|
| 41 | gss_init_sec_context(3)
|
|---|
| 42 | gss_inquire_context(3)
|
|---|
| 43 | gss_inquire_cred(3)
|
|---|
| 44 | gss_inquire_cred_by_mech(3)
|
|---|
| 45 | gss_inquire_mechs_for_name(3)
|
|---|
| 46 | gss_inquire_names_for_mech(3)
|
|---|
| 47 | gss_krb5_ccache_name(3)
|
|---|
| 48 | gss_krb5_compat_des3_mic(3)
|
|---|
| 49 | gss_krb5_copy_ccache(3)
|
|---|
| 50 | gss_krb5_extract_authz_data_from_sec_context(3)
|
|---|
| 51 | gss_krb5_import_ccache(3)
|
|---|
| 52 | gss_process_context_token(3)
|
|---|
| 53 | gss_release_buffer(3)
|
|---|
| 54 | gss_release_cred(3)
|
|---|
| 55 | gss_release_name(3)
|
|---|
| 56 | gss_release_oid_set(3)
|
|---|
| 57 | gss_seal(3)
|
|---|
| 58 | gss_sign(3)
|
|---|
| 59 | gss_test_oid_set_member(3)
|
|---|
| 60 | gss_unseal(3)
|
|---|
| 61 | gss_unwrap(3)
|
|---|
| 62 | gss_verify(3)
|
|---|
| 63 | gss_verify_mic(3)
|
|---|
| 64 | gss_wrap(3)
|
|---|
| 65 | gss_wrap_size_limit(3)
|
|---|
| 66 |
|
|---|
| 67 | CCOOMMPPAATTIIBBIILLIITTYY
|
|---|
| 68 | The HHeeiimmddaall GSS-API implementation had a bug in releases before 0.6 that
|
|---|
| 69 | made it fail to inter-operate when using DES3 with other GSS-API imple-
|
|---|
| 70 | mentations when using ggssss__ggeett__mmiicc() / ggssss__vveerriiffyy__mmiicc(). It is possible
|
|---|
| 71 | to modify the behavior of the generator of the MIC with the _k_r_b_5_._c_o_n_f
|
|---|
| 72 | configuration file so that old clients/servers will still work.
|
|---|
| 73 |
|
|---|
| 74 | New clients/servers will try both the old and new MIC in Heimdal 0.6. In
|
|---|
| 75 | 0.7 it will check only if configured - the compatibility code will be
|
|---|
| 76 | removed in 0.8.
|
|---|
| 77 |
|
|---|
| 78 | Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this
|
|---|
| 79 | will change in 0.7 to generate correct des3 mic.
|
|---|
| 80 |
|
|---|
| 81 | To turn on compatibility with older clients and servers, change the
|
|---|
| 82 | [[ggssssaappii]] _b_r_o_k_e_n___d_e_s_3___m_i_c in _k_r_b_5_._c_o_n_f that contains a list of globbing
|
|---|
| 83 | expressions that will be matched against the server name. To turn off
|
|---|
| 84 | generation of the old (incompatible) mic of the MIC use [[ggssssaappii]]
|
|---|
| 85 | _c_o_r_r_e_c_t___d_e_s_3___m_i_c.
|
|---|
| 86 |
|
|---|
| 87 | If a match for a entry is in both [[ggssssaappii]] _c_o_r_r_e_c_t___d_e_s_3___m_i_c and [[ggssssaappii]]
|
|---|
| 88 | _b_r_o_k_e_n___d_e_s_3___m_i_c, the later will override.
|
|---|
| 89 |
|
|---|
| 90 | This config option modifies behaviour for both clients and servers.
|
|---|
| 91 |
|
|---|
| 92 | Microsoft implemented SPNEGO to Windows2000, however, they managed to get
|
|---|
| 93 | it wrong, their implementation didn't fill in the MechListMIC in the
|
|---|
| 94 | reply token with the right content. There is a work around for this
|
|---|
| 95 | problem, but not all implementation support it.
|
|---|
| 96 |
|
|---|
| 97 | Heimdal defaults to correct SPNEGO when the the kerberos implementation
|
|---|
| 98 | uses CFX, or when it is configured by the user. To turn on compatibility
|
|---|
| 99 | with peers, use option [[ggssssaappii]] _r_e_q_u_i_r_e___m_e_c_h_l_i_s_t___m_i_c.
|
|---|
| 100 |
|
|---|
| 101 | EEXXAAMMPPLLEESS
|
|---|
| 102 | [gssapi]
|
|---|
| 103 | broken_des3_mic = cvs/*@SU.SE
|
|---|
| 104 | broken_des3_mic = host/*@E.KTH.SE
|
|---|
| 105 | correct_des3_mic = host/*@SU.SE
|
|---|
| 106 | require_mechlist_mic = host/*@SU.SE
|
|---|
| 107 |
|
|---|
| 108 | BBUUGGSS
|
|---|
| 109 | All of 0.5.x versions of hheeiimmddaall had broken token delegations in the
|
|---|
| 110 | client side, the server side was correct.
|
|---|
| 111 |
|
|---|
| 112 | SSEEEE AALLSSOO
|
|---|
| 113 | krb5(3), krb5.conf(5), kerberos(8)
|
|---|
| 114 |
|
|---|
| 115 | BSD April 20, 2005 BSD
|
|---|
