c0b9f4fe65
similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. Reviewed by: Love Hörnquist Åstrand <lha@it.su.se>, ru (build system), des (openssh parts)
239 lines
8.1 KiB
Groff
239 lines
8.1 KiB
Groff
.\" -*- nroff -*-
|
|
.\"
|
|
.\" Copyright (c) 2005 Doug Rabson
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
|
|
.\"
|
|
.\" This document and translations of it may be copied and furnished to
|
|
.\" others, and derivative works that comment on or otherwise explain it
|
|
.\" or assist in its implementation may be prepared, copied, published
|
|
.\" and distributed, in whole or in part, without restriction of any
|
|
.\" kind, provided that the above copyright notice and this paragraph are
|
|
.\" included on all such copies and derivative works. However, this
|
|
.\" document itself may not be modified in any way, such as by removing
|
|
.\" the copyright notice or references to the Internet Society or other
|
|
.\" Internet organizations, except as needed for the purpose of
|
|
.\" developing Internet standards in which case the procedures for
|
|
.\" copyrights defined in the Internet Standards process must be
|
|
.\" followed, or as required to translate it into languages other than
|
|
.\" English.
|
|
.\"
|
|
.\" The limited permissions granted above are perpetual and will not be
|
|
.\" revoked by the Internet Society or its successors or assigns.
|
|
.\"
|
|
.\" This document and the information contained herein is provided on an
|
|
.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
|
|
.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
|
|
.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
|
|
.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
|
|
.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
|
|
.\"
|
|
.\" The following commands are required for all man pages.
|
|
.Dd November 12, 2005
|
|
.Os
|
|
.Dt GSS_ACQUIRE_CRED 3 PRM
|
|
.Sh NAME
|
|
.Nm gss_acquire_cred
|
|
.Nd Obtain a GSS-API credential handle for pre-existing credentials
|
|
.\" This next command is for sections 2 and 3 only.
|
|
.\" .Sh LIBRARY
|
|
.Sh SYNOPSIS
|
|
.In "gssapi/gssapi.h"
|
|
.Ft OM_uint32
|
|
.Fo gss_acquire_cred
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "const gss_name_t desired_name"
|
|
.Fa "OM_uint32 time_req"
|
|
.Fa "const gss_OID_set desired_mechs"
|
|
.Fa "gss_cred_usage_t cred_usage"
|
|
.Fa "gss_cred_id_t *output_cred_handle"
|
|
.Fa "gss_OID_set *actual_mechs"
|
|
.Fa "OM_uint32 *time_rec"
|
|
.Fc
|
|
.Sh DESCRIPTION
|
|
Allows an application to acquire a handle for a pre-existing
|
|
credential by name.
|
|
GSS-API implementations must impose a local
|
|
access-control policy on callers of this routine to prevent
|
|
unauthorized callers from acquiring credentials to which they are not
|
|
entitled.
|
|
This routine is not intended to provide a "login to the
|
|
network" function, as such a function would involve the creation of
|
|
new credentials rather than merely acquiring a handle to existing
|
|
credentials.
|
|
Such functions, if required, should be defined in
|
|
implementation-specific extensions to the API.
|
|
.Pp
|
|
If desired_name is
|
|
.Dv GSS_C_NO_NAME ,
|
|
the call is interpreted as a
|
|
request for a credential handle that will invoke default behavior
|
|
when passed to
|
|
.Fn gss_init_sec_context
|
|
(if cred_usage is
|
|
.Dv GSS_C_INITIATE
|
|
or
|
|
.Dv GSS_C_BOTH )
|
|
or
|
|
.Fn gss_accept_sec_context
|
|
(if cred_usage is
|
|
.Dv GSS_C_ACCEPT
|
|
or
|
|
.Dv GSS_C_BOTH ).
|
|
.Pp
|
|
Mechanisms should honor the
|
|
.Fa desired_mechs
|
|
parameter,
|
|
and return a credential that is suitable to use only with the
|
|
requested mechanisms.
|
|
An exception to this is the case where one underlying credential
|
|
element can be shared by multiple mechanisms;
|
|
in this case it is permissible for an implementation to indicate all
|
|
mechanisms with which the credential element may be used.
|
|
If
|
|
.Fa desired_mechs
|
|
is an empty set, behavior is undefined.
|
|
.Pp
|
|
This routine is expected to be used primarily by context acceptors,
|
|
since implementations are likely to provide mechanism-specific ways
|
|
of obtaining GSS-API initiator credentials from the system login
|
|
process.
|
|
Some implementations may therefore not support the acquisition of
|
|
.Dv GSS_C_INITIATE
|
|
or
|
|
.Dv GSS_C_BOTH
|
|
credentials via
|
|
.Fn gss_acquire_cred
|
|
for any name other than
|
|
.Dv GSS_C_NO_NAME ,
|
|
or a name produced by applying either
|
|
.Fn gss_inquire_cred
|
|
to a valid credential, or
|
|
.Fn gss_inquire_context
|
|
to an active context.
|
|
.Pp
|
|
If credential acquisition is time-consuming for a mechanism,
|
|
the mechanism may choose to delay the actual acquisition until the
|
|
credential is required
|
|
(e.g. by
|
|
.Fn gss_init_sec_context
|
|
or
|
|
.Fn gss_accept_sec_context ).
|
|
Such mechanism-specific implementation
|
|
decisions should be invisible to the calling application;
|
|
thus a call of
|
|
.Fn gss_inquire_cred
|
|
immediately following the call of
|
|
.Fn gss_acquire_cred
|
|
must return valid credential data,
|
|
and may therefore incur the overhead of a deferred credential acquisition.
|
|
.Sh PARAMETERS
|
|
.Bl -tag
|
|
.It desired_name
|
|
Name of principal whose credential should be acquired.
|
|
.It time_req
|
|
Number of seconds that credentials should remain valid.
|
|
Specify
|
|
.Dv GSS_C_INDEFINITE
|
|
to request that the credentials have the maximum
|
|
permitted lifetime.
|
|
.It desired_mechs
|
|
Set of underlying security mechanisms that may be used.
|
|
.Dv GSS_C_NO_OID_SET
|
|
may be used to obtain an implementation-specific default.
|
|
.It cred_usage
|
|
.Bl -tag -width "GSS_C_INITIATE"
|
|
.It GSS_C_BOTH
|
|
Credentials may be used either to initiate or accept security
|
|
contexts.
|
|
.It GSS_C_INITIATE
|
|
Credentials will only be used to initiate security contexts.
|
|
.It GSS_C_ACCEPT
|
|
Credentials will only be used to accept security contexts.
|
|
.El
|
|
.It output_cred_handle
|
|
The returned credential handle.
|
|
Resources
|
|
associated with this credential handle must be released by
|
|
the application after use with a call to
|
|
.Fn gss_release_cred .
|
|
.It actual_mechs
|
|
The set of mechanisms for which the credential is valid.
|
|
Storage associated with the returned OID-set must be released by the
|
|
application after use with a call to
|
|
.Fn gss_release_oid_set .
|
|
Specify
|
|
.Dv NULL if not required.
|
|
.It time_rec
|
|
Actual number of seconds for which the returned credentials will
|
|
remain valid.
|
|
If the implementation does not support expiration of credentials,
|
|
the value
|
|
.Dv GSS_C_INDEFINITE
|
|
will be returned.
|
|
Specify NULL if not required.
|
|
.It minor_status
|
|
Mechanism specific status code.
|
|
.El
|
|
.Sh RETURN VALUES
|
|
.Bl -tag
|
|
.It GSS_S_COMPLETE
|
|
Successful completion.
|
|
.It GSS_S_BAD_MECH
|
|
Unavailable mechanism requested.
|
|
.It GSS_S_BAD_NAMETYPE
|
|
Type contained within desired_name parameter is not supported.
|
|
.It GSS_S_BAD_NAME
|
|
Value supplied for desired_name parameter is ill formed.
|
|
.It GSS_S_CREDENTIALS_EXPIRED
|
|
The credentials could not be acquired Because they have expired.
|
|
.It GSS_S_NO_CRED
|
|
No credentials were found for the specified name.
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr gss_init_sec_context 3 ,
|
|
.Xr gss_accept_sec_context 3 ,
|
|
.Xr gss_inquire_cred 3 ,
|
|
.Xr gss_inquire_context 3 ,
|
|
.Xr gss_release_cred 3 ,
|
|
.Xr gss_release_oid_set 3
|
|
.Sh STANDARDS
|
|
.Bl -tag
|
|
.It RFC 2743
|
|
Generic Security Service Application Program Interface Version 2, Update 1
|
|
.It RFC 2744
|
|
Generic Security Service API Version 2 : C-bindings
|
|
.\" .Sh HISTORY
|
|
.El
|
|
.Sh HISTORY
|
|
The
|
|
.Nm
|
|
manual page example first appeared in
|
|
.Fx 7.0 .
|
|
.Sh AUTHORS
|
|
John Wray, Iris Associates
|