.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
|
|
.\" (Royal Institute of Technology, Stockholm, Sweden).
|
|
.\" All rights reserved.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\"
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\"
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\"
|
|
.\" 3. Neither the name of the Institute nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" $Id: gss_acquire_cred.3 20235 2007-02-16 11:19:03Z lha $
|
|
.\"
|
|
.Dd October 26, 2005
|
|
.Dt GSS_ACQUIRE_CRED 3
|
|
.Os HEIMDAL
|
|
.Sh NAME
|
|
.Nm gss_accept_sec_context ,
|
|
.Nm gss_acquire_cred ,
|
|
.Nm gss_add_cred ,
|
|
.Nm gss_add_oid_set_member ,
|
|
.Nm gss_canonicalize_name ,
|
|
.Nm gss_compare_name ,
|
|
.Nm gss_context_time ,
|
|
.Nm gss_create_empty_oid_set ,
|
|
.Nm gss_delete_sec_context ,
|
|
.Nm gss_display_name ,
|
|
.Nm gss_display_status ,
|
|
.Nm gss_duplicate_name ,
|
|
.Nm gss_export_name ,
|
|
.Nm gss_export_sec_context ,
|
|
.Nm gss_get_mic ,
|
|
.Nm gss_import_name ,
|
|
.Nm gss_import_sec_context ,
|
|
.Nm gss_indicate_mechs ,
|
|
.Nm gss_init_sec_context ,
|
|
.Nm gss_inquire_context ,
|
|
.Nm gss_inquire_cred ,
|
|
.Nm gss_inquire_cred_by_mech ,
|
|
.Nm gss_inquire_mechs_for_name ,
|
|
.Nm gss_inquire_names_for_mech ,
|
|
.Nm gss_krb5_ccache_name ,
|
|
.Nm gss_krb5_compat_des3_mic ,
|
|
.Nm gss_krb5_copy_ccache ,
|
|
.Nm gss_krb5_import_cred ,
|
|
.Nm gsskrb5_extract_authz_data_from_sec_context ,
|
|
.Nm gsskrb5_register_acceptor_identity ,
|
|
.Nm gss_krb5_import_ccache ,
|
|
.Nm gss_krb5_get_tkt_flags ,
|
|
.Nm gss_process_context_token ,
|
|
.Nm gss_release_buffer ,
|
|
.Nm gss_release_cred ,
|
|
.Nm gss_release_name ,
|
|
.Nm gss_release_oid_set ,
|
|
.Nm gss_seal ,
|
|
.Nm gss_sign ,
|
|
.Nm gss_test_oid_set_member ,
|
|
.Nm gss_unseal ,
|
|
.Nm gss_unwrap ,
|
|
.Nm gss_verify ,
|
|
.Nm gss_verify_mic ,
|
|
.Nm gss_wrap ,
|
|
.Nm gss_wrap_size_limit
|
|
.Nd Generic Security Service Application Program Interface library
|
|
.Sh LIBRARY
|
|
GSS-API library (libgssapi, -lgssapi)
|
|
.Sh SYNOPSIS
|
|
.In gssapi.h
|
|
.Pp
|
|
.Ft OM_uint32
|
|
.Fo gss_accept_sec_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t * context_handle"
|
|
.Fa "const gss_cred_id_t acceptor_cred_handle"
|
|
.Fa "const gss_buffer_t input_token_buffer"
|
|
.Fa "const gss_channel_bindings_t input_chan_bindings"
|
|
.Fa "gss_name_t * src_name"
|
|
.Fa "gss_OID * mech_type"
|
|
.Fa "gss_buffer_t output_token"
|
|
.Fa "OM_uint32 * ret_flags"
|
|
.Fa "OM_uint32 * time_rec"
|
|
.Fa "gss_cred_id_t * delegated_cred_handle"
|
|
.Fc
|
|
.Pp
|
|
.Ft OM_uint32
|
|
.Fo gss_acquire_cred
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t desired_name"
|
|
.Fa "OM_uint32 time_req"
|
|
.Fa "const gss_OID_set desired_mechs"
|
|
.Fa "gss_cred_usage_t cred_usage"
|
|
.Fa "gss_cred_id_t * output_cred_handle"
|
|
.Fa "gss_OID_set * actual_mechs"
|
|
.Fa "OM_uint32 * time_rec"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_add_cred
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "const gss_cred_id_t input_cred_handle"
|
|
.Fa "const gss_name_t desired_name"
|
|
.Fa "const gss_OID desired_mech"
|
|
.Fa "gss_cred_usage_t cred_usage"
|
|
.Fa "OM_uint32 initiator_time_req"
|
|
.Fa "OM_uint32 acceptor_time_req"
|
|
.Fa "gss_cred_id_t *output_cred_handle"
|
|
.Fa "gss_OID_set *actual_mechs"
|
|
.Fa "OM_uint32 *initiator_time_rec"
|
|
.Fa "OM_uint32 *acceptor_time_rec"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_add_oid_set_member
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_OID member_oid"
|
|
.Fa "gss_OID_set * oid_set"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_canonicalize_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t input_name"
|
|
.Fa "const gss_OID mech_type"
|
|
.Fa "gss_name_t * output_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_compare_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t name1"
|
|
.Fa "const gss_name_t name2"
|
|
.Fa "int * name_equal"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_context_time
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "OM_uint32 * time_rec"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_create_empty_oid_set
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_OID_set * oid_set"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_delete_sec_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t * context_handle"
|
|
.Fa "gss_buffer_t output_token"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_display_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t input_name"
|
|
.Fa "gss_buffer_t output_name_buffer"
|
|
.Fa "gss_OID * output_name_type"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_display_status
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "OM_uint32 status_value"
|
|
.Fa "int status_type"
|
|
.Fa "const gss_OID mech_type"
|
|
.Fa "OM_uint32 *message_context"
|
|
.Fa "gss_buffer_t status_string"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_duplicate_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t src_name"
|
|
.Fa "gss_name_t * dest_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_export_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t input_name"
|
|
.Fa "gss_buffer_t exported_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_export_sec_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t * context_handle"
|
|
.Fa "gss_buffer_t interprocess_token"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_get_mic
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "gss_qop_t qop_req"
|
|
.Fa "const gss_buffer_t message_buffer"
|
|
.Fa "gss_buffer_t message_token"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_import_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_buffer_t input_name_buffer"
|
|
.Fa "const gss_OID input_name_type"
|
|
.Fa "gss_name_t * output_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_import_sec_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_buffer_t interprocess_token"
|
|
.Fa "gss_ctx_id_t * context_handle"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_indicate_mechs
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_OID_set * mech_set"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_init_sec_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_cred_id_t initiator_cred_handle"
|
|
.Fa "gss_ctx_id_t * context_handle"
|
|
.Fa "const gss_name_t target_name"
|
|
.Fa "const gss_OID mech_type"
|
|
.Fa "OM_uint32 req_flags"
|
|
.Fa "OM_uint32 time_req"
|
|
.Fa "const gss_channel_bindings_t input_chan_bindings"
|
|
.Fa "const gss_buffer_t input_token"
|
|
.Fa "gss_OID * actual_mech_type"
|
|
.Fa "gss_buffer_t output_token"
|
|
.Fa "OM_uint32 * ret_flags"
|
|
.Fa "OM_uint32 * time_rec"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_inquire_context
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "gss_name_t * src_name"
|
|
.Fa "gss_name_t * targ_name"
|
|
.Fa "OM_uint32 * lifetime_rec"
|
|
.Fa "gss_OID * mech_type"
|
|
.Fa "OM_uint32 * ctx_flags"
|
|
.Fa "int * locally_initiated"
|
|
.Fa "int * open_context"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_inquire_cred
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_cred_id_t cred_handle"
|
|
.Fa "gss_name_t * name"
|
|
.Fa "OM_uint32 * lifetime"
|
|
.Fa "gss_cred_usage_t * cred_usage"
|
|
.Fa "gss_OID_set * mechanisms"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_inquire_cred_by_mech
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_cred_id_t cred_handle"
|
|
.Fa "const gss_OID mech_type"
|
|
.Fa "gss_name_t * name"
|
|
.Fa "OM_uint32 * initiator_lifetime"
|
|
.Fa "OM_uint32 * acceptor_lifetime"
|
|
.Fa "gss_cred_usage_t * cred_usage"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_inquire_mechs_for_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_name_t input_name"
|
|
.Fa "gss_OID_set * mech_types"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_inquire_names_for_mech
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_OID mechanism"
|
|
.Fa "gss_OID_set * name_types"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_ccache_name
|
|
.Fa "OM_uint32 *minor"
|
|
.Fa "const char *name"
|
|
.Fa "const char **old_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_copy_ccache
|
|
.Fa "OM_uint32 *minor"
|
|
.Fa "gss_cred_id_t cred"
|
|
.Fa "krb5_ccache out"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_import_cred
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "krb5_ccache id"
|
|
.Fa "krb5_principal keytab_principal"
|
|
.Fa "krb5_keytab keytab"
|
|
.Fa "gss_cred_id_t *cred"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_compat_des3_mic
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "int onoff"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gsskrb5_extract_authz_data_from_sec_context
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "int ad_type"
|
|
.Fa "gss_buffer_t ad_data"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gsskrb5_register_acceptor_identity
|
|
.Fa "const char *identity"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_import_ccache
|
|
.Fa "OM_uint32 *minor"
|
|
.Fa "krb5_ccache id"
|
|
.Fa "krb5_keytab keytab"
|
|
.Fa "gss_cred_id_t *cred"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_krb5_get_tkt_flags
|
|
.Fa "OM_uint32 *minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "OM_uint32 *tkt_flags"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_process_context_token
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "const gss_buffer_t token_buffer"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_release_buffer
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_buffer_t buffer"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_release_cred
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_cred_id_t * cred_handle"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_release_name
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_name_t * input_name"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_release_oid_set
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_OID_set * set"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_seal
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "int conf_req_flag"
|
|
.Fa "int qop_req"
|
|
.Fa "gss_buffer_t input_message_buffer"
|
|
.Fa "int * conf_state"
|
|
.Fa "gss_buffer_t output_message_buffer"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_sign
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "int qop_req"
|
|
.Fa "gss_buffer_t message_buffer"
|
|
.Fa "gss_buffer_t message_token"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_test_oid_set_member
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_OID member"
|
|
.Fa "const gss_OID_set set"
|
|
.Fa "int * present"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_unseal
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "gss_buffer_t input_message_buffer"
|
|
.Fa "gss_buffer_t output_message_buffer"
|
|
.Fa "int * conf_state"
|
|
.Fa "int * qop_state"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_unwrap
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "const gss_buffer_t input_message_buffer"
|
|
.Fa "gss_buffer_t output_message_buffer"
|
|
.Fa "int * conf_state"
|
|
.Fa "gss_qop_t * qop_state"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_verify
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "gss_ctx_id_t context_handle"
|
|
.Fa "gss_buffer_t message_buffer"
|
|
.Fa "gss_buffer_t token_buffer"
|
|
.Fa "int * qop_state"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_verify_mic
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "const gss_buffer_t message_buffer"
|
|
.Fa "const gss_buffer_t token_buffer"
|
|
.Fa "gss_qop_t * qop_state"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_wrap
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "int conf_req_flag"
|
|
.Fa "gss_qop_t qop_req"
|
|
.Fa "const gss_buffer_t input_message_buffer"
|
|
.Fa "int * conf_state"
|
|
.Fa "gss_buffer_t output_message_buffer"
|
|
.Fc
|
|
.Ft OM_uint32
|
|
.Fo gss_wrap_size_limit
|
|
.Fa "OM_uint32 * minor_status"
|
|
.Fa "const gss_ctx_id_t context_handle"
|
|
.Fa "int conf_req_flag"
|
|
.Fa "gss_qop_t qop_req"
|
|
.Fa "OM_uint32 req_output_size"
|
|
.Fa "OM_uint32 * max_input_size"
|
|
.Fc
|
|
.Sh DESCRIPTION
|
|
Generic Security Service API (GSS-API) version 2, and its C binding,
|
|
is described in
|
|
.Li RFC2743
|
|
and
|
|
.Li RFC2744 .
|
|
Version 1 (deprecated) of the C binding is described in
|
|
.Li RFC1509 .
|
|
.Pp
|
|
Heimdal's GSS-API implementation supports the following mechanisms:
|
|
.Bl -bullet
|
|
.It
|
|
.Li GSS_KRB5_MECHANISM
|
|
.It
|
|
.Li GSS_SPNEGO_MECHANISM
|
|
.El
|
|
.Pp
|
|
GSS-API has generic name types that all mechanisms are supposed to
|
|
implement (if possible):
|
|
.Bl -bullet
|
|
.It
|
|
.Li GSS_C_NT_USER_NAME
|
|
.It
|
|
.Li GSS_C_NT_MACHINE_UID_NAME
|
|
.It
|
|
.Li GSS_C_NT_STRING_UID_NAME
|
|
.It
|
|
.Li GSS_C_NT_HOSTBASED_SERVICE
|
|
.It
|
|
.Li GSS_C_NT_ANONYMOUS
|
|
.It
|
|
.Li GSS_C_NT_EXPORT_NAME
|
|
.El
|
|
.Pp
|
|
GSS-API implementations that support Kerberos 5 have some additional
|
|
name types:
|
|
.Bl -bullet
|
|
.It
|
|
.Li GSS_KRB5_NT_PRINCIPAL_NAME
|
|
.It
|
|
.Li GSS_KRB5_NT_USER_NAME
|
|
.It
|
|
.Li GSS_KRB5_NT_MACHINE_UID_NAME
|
|
.It
|
|
.Li GSS_KRB5_NT_STRING_UID_NAME
|
|
.El
|
|
.Pp
|
|
In GSS-API, names have two forms, internal names and contiguous string
|
|
names.
|
|
.Bl -bullet
|
|
.It
|
|
.Li Internal name and mechanism name
|
|
.Pp
|
|
Internal names are an implementation-specific representation of
|
|
a GSS-API name.
|
|
.Li Mechanism names
|
|
are a special form of internal name that corresponds to one and only one mechanism.
|
|
.Pp
|
|
In GSS-API an internal name is stored in a
|
|
.Dv gss_name_t .
|
|
.It
|
|
.Li Contiguous string name and exported name
|
|
.Pp
|
|
Contiguous string names are GSS-API names stored in an
|
|
.Dv OCTET STRING
|
|
that together with a name type identifier (OID) uniquely specifies a
|
|
GSS-API name.
|
|
A special form of the contiguous string name is the exported name that
|
|
has an OID embedded in the string to make it unique.
|
|
Exported names have the name type
|
|
.Dv GSS_C_NT_EXPORT_NAME .
|
|
.Pp
|
|
In GSS-API a contiguous string name is stored in a
|
|
.Dv gss_buffer_t .
|
|
.Pp
|
|
Exported names also have the property that they are specified by the
|
|
mechanism itself and are compatible between different GSS-API
|
|
implementations.
|
|
.El
|
|
.Sh ACCESS CONTROL
|
|
There are two ways of comparing GSS-API names, either comparing two
|
|
internal names with each other or two contiguous string names with
|
|
each other.
|
|
.Pp
|
|
To compare two internal names with each other, import (if needed) the
|
|
names with
|
|
.Fn gss_import_name
|
|
into the GSS-API implementation and then compare the imported names with
|
|
.Fn gss_compare_name .
|
|
.Pp
|
|
Importing names can be slow, so when it is possible to store exported
|
|
names in the access control list, comparing contiguous string name
|
|
might be better.
|
|
.Pp
|
|
When comparing contiguous string names, first export them into a
|
|
.Dv GSS_C_NT_EXPORT_NAME
|
|
name with
|
|
.Fn gss_export_name
|
|
and then compare the resulting buffers (both length and contents) with
|
|
.Xr memcmp 3 .
|
|
.Pp
|
|
Note that there might be a difference between the two methods of
|
|
comparing names.
|
|
The first (using
|
|
.Fn gss_compare_name )
|
|
will compare whether two (unauthenticated) names are the same.
|
|
The second will compare if a mechanism will authenticate them as the
|
|
same principal.
|
|
.Pp
|
|
For example, if
|
|
.Fn gss_import_name
|
|
name was used with
|
|
.Dv GSS_C_NO_OID
|
|
the default syntax is used for all mechanisms the GSS-API
|
|
implementation supports.
|
|
When comparing the imported name of
|
|
.Dv GSS_C_NO_OID
|
|
it may match several mechanism names (MN).
|
|
.Pp
|
|
The resulting name from
|
|
.Fn gss_display_name
|
|
must not be used for access control.
|
|
.Sh FUNCTIONS
|
|
.Fn gss_display_name
|
|
takes the gss name in
|
|
.Fa input_name
|
|
and puts a printable form in
|
|
.Fa output_name_buffer .
|
|
.Fa output_name_buffer
|
|
should be freed when done using
|
|
.Fn gss_release_buffer .
|
|
.Fa output_name_type
|
|
can either be
|
|
.Dv NULL
|
|
or a pointer to a
|
|
.Li gss_OID
|
|
and will in the latter case contain the OID type of the name.
|
|
The name must only be used for printing.
|
|
If access control is needed, see section
|
|
.Sx ACCESS CONTROL .
|
|
.Pp
|
|
.Fn gss_inquire_context
|
|
returns information about the context.
|
|
Information is available even after the context has expired.
|
|
.Fa lifetime_rec
|
|
argument is set to
|
|
.Dv GSS_C_INDEFINITE
|
|
(does not expire) or the number of seconds that the context is still valid.
|
|
A value of 0 means that the context is expired.
|
|
.Fa mech_type
|
|
argument should be considered readonly and must not be released.
|
|
.Fa src_name
|
|
and
|
|
.Fa targ_name
|
|
are both mechanism names and must be released with
|
|
.Fn gss_release_name
|
|
when no longer used.
|
|
.Pp
|
|
.Fn gss_context_time
|
|
will return the amount of time (in seconds) that the context is still
|
|
valid.
|
|
If it has expired,
|
|
.Fa time_rec
|
|
will be set to 0 and
|
|
.Dv GSS_S_CONTEXT_EXPIRED
|
|
returned.
|
|
.Pp
|
|
.Fn gss_sign ,
|
|
.Fn gss_verify ,
|
|
.Fn gss_seal ,
|
|
and
|
|
.Fn gss_unseal
|
|
are part of the GSS-API V1 interface and are obsolete.
|
|
The functions should not be used for new applications.
|
|
They are provided so that version 1 applications can link against the
|
|
library.
|
|
.Sh EXTENSIONS
|
|
.Fn gss_krb5_ccache_name
|
|
sets the internal Kerberos 5 credential cache name to
|
|
.Fa name .
|
|
The old name is returned in
|
|
.Fa old_name ,
|
|
and must not be freed.
|
|
The data allocated for
|
|
.Fa old_name
|
|
is freed upon the next call to
|
|
.Fn gss_krb5_ccache_name .
|
|
This function is not thread-safe if the
|
|
.Fa old_name
|
|
argument is used.
|
|
.Pp
|
|
.Fn gss_krb5_copy_ccache
|
|
will extract the krb5 credentials that are transferred from the
|
|
initiator to the acceptor when using token delegation in the Kerberos
|
|
mechanism.
|
|
The acceptor receives the delegated token in the last argument to
|
|
.Fn gss_accept_sec_context .
|
|
.Pp
|
|
.Fn gss_krb5_import_cred
|
|
will import the krb5 credentials (keytab and/or credential cache)
|
|
into a GSS credential so it can be used within GSS-API.
|
|
The
|
|
.Fa ccache
|
|
is copied by reference and thus shared, so if the credential is destroyed
|
|
with
|
|
.Fn krb5_cc_destroy ,
|
|
all users of the
|
|
.Vt gss_cred_id_t
|
|
returned by
|
|
.Fn gss_krb5_import_ccache
|
|
will fail.
|
|
.Pp
|
|
.Fn gsskrb5_register_acceptor_identity
|
|
sets the Kerberos 5 file-based keytab that the acceptor will use. The
|
|
.Fa identity
|
|
is the file name.
|
|
.Pp
|
|
.Fn gsskrb5_extract_authz_data_from_sec_context
|
|
extracts the Kerberos authorization data that may be stored within the
|
|
context.
|
|
The caller must free the returned buffer
|
|
.Fa ad_data
|
|
with
|
|
.Fn gss_release_buffer
|
|
upon success.
|
|
.Pp
|
|
.Fn gss_krb5_get_tkt_flags
|
|
returns the ticket flags for the Kerberos ticket received when
|
|
authenticating the initiator.
|
|
Only valid on the acceptor context.
|
|
.Pp
|
|
.Fn gss_krb5_compat_des3_mic
|
|
turns on or off compatibility with older versions of Heimdal when using
|
|
DES3 get and verify MIC; this is a way to programmatically set the
|
|
[gssapi]broken_des3_mic and [gssapi]correct_des3_mic flags (see
|
|
COMPATIBILITY section in
|
|
.Xr gssapi 3 ) .
|
|
If the CPP symbol
|
|
.Dv GSS_C_KRB5_COMPAT_DES3_MIC
|
|
is present,
|
|
.Fn gss_krb5_compat_des3_mic
|
|
exists.
|
|
.Fn gss_krb5_compat_des3_mic
|
|
will be removed in a later version of the GSS-API library.
|
|
.Sh SEE ALSO
|
|
.Xr gssapi 3 ,
|
|
.Xr krb5 3 ,
|
|
.Xr krb5_ccache 3 ,
|
|
.Xr kerberos 8
|