The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface through which programs obtain security services (authentication, integrity and confidentiality protection for messages) without being tied to one particular mechanism. Sun Microsystems. "GSS-API Programming Guide". The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.
Kerberos (GSSAPI) Authentication
If a desired client name is specified when acquiring initiator credentials, the krb5 mechanism first looks for existing tickets for that principal in the default credential cache or collection. If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab.

If no desired name is specified, the krb5 mechanism selects a client principal from the default credential cache or collection. This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service. If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab.

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab.
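The three rules above form one decision procedure. The following is an added example, a plain-Python model of that procedure rather than MIT krb5 code: it calls nothing in libgssapi, and the credential cache, client keytab and principal names it works on are constructed for the example. The "same realm as the target" preference is implemented as the text describes it; treating an empty cache like a missing one is this model's own choice, since the text does not cover that case.

```python
"""Model of how the krb5 GSSAPI mechanism selects an initiator principal.

Added example: a plain-Python model of the selection rules described above.
It is not MIT krb5 code and makes no libgssapi calls; the credential cache,
client keytab and principal names are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CredCache:
    """Default credential cache or collection: principal -> has usable tickets."""
    entries: Dict[str, bool]


@dataclass
class ClientKeytab:
    """Default client keytab, in file order (the first entry matters)."""
    principals: List[str]


def realm_of(principal: str) -> str:
    """Realm part of 'primary/instance@REALM' (assumes an unescaped '@')."""
    return principal.rsplit("@", 1)[1]


def select_initiator(desired: Optional[str],
                     ccache: Optional[CredCache],
                     keytab: Optional[ClientKeytab],
                     target: Optional[str] = None) -> Tuple[str, str]:
    """Return (principal, source): 'ccache' when existing tickets are used,
    'keytab' when initial tickets would be acquired from the client keytab.
    Raises LookupError when neither is possible."""
    def has_tickets(p: str) -> bool:
        return bool(ccache) and ccache.entries.get(p, False)

    def in_keytab(p: str) -> bool:
        return bool(keytab) and p in keytab.principals

    def resolve(p: str) -> Tuple[str, str]:
        # Existing tickets win; otherwise acquire initial tickets from the keytab.
        if has_tickets(p):
            return p, "ccache"
        if in_keytab(p):
            return p, "keytab"
        raise LookupError("no tickets or client keytab entry for %s" % p)

    if desired is not None:
        # Desired name given: look only for that principal.
        return resolve(desired)

    if ccache is None or not ccache.entries:
        # No default cache (this model treats an empty one the same way):
        # first principal in the client keytab.
        if keytab and keytab.principals:
            return keytab.principals[0], "keytab"
        raise LookupError("no default credential cache and no client keytab")

    # No desired name: pick from the cache collection, preferring a principal
    # in the target service's realm when a target is known.
    candidates = list(ccache.entries)
    if target is not None:
        same_realm = [p for p in candidates if realm_of(p) == realm_of(target)]
        candidates = same_realm + [p for p in candidates if p not in same_realm]
    return resolve(candidates[0])


if __name__ == "__main__":
    cc = CredCache({"alice@EXAMPLE.COM": True, "svc@EXAMPLE.COM": False})
    kt = ClientKeytab(["svc@EXAMPLE.COM"])
    print(select_initiator(None, cc, kt, target="host/db.example.com@EXAMPLE.COM"))
    print(select_initiator("svc@EXAMPLE.COM", cc, kt))
```

The `has_tickets` check is the only place where "existing tickets" is decided; a cache entry whose tickets have expired is modelled as `False`, which is exactly the case where the keytab fallback kicks in.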
Accepting any principal present in the acceptor keytab, by passing GSS_C_NO_NAME as the acceptor name, is the recommended approach if the server application has no specific requirements to the contrary. If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm.
If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].
In MIT krb5 versions prior to 1.
The krb5 mechanism provides the gss_export_cred and gss_import_cred extensions (declared in <gssapi/gssapi_ext.h>) to serialize a credential handle into a buffer and to restore it from one. Serializing a credential does not destroy it. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. A serialized credential may contain secret information such as ticket session keys.
The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party.
A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations, such as the filename of the credential cache. Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter.
A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. An exception applies when the credential refers to a memory credential cache: in this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists.

The IOV (I/O vector) message-wrapping functions gss_wrap_iov and gss_unwrap_iov operate on a list of typed buffers rather than on a single contiguous message. The memory pointed to by the buffers is not required to be contiguous or in any particular order. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. When no padding or trailer buffer is used, the application must itself pad the DATA buffer to a multiple of 16 bytes.
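To make the buffer-list rules concrete, here is an added example of IOV-style wrapping written for this page; it is not MIT krb5 code, it does not call gss_wrap_iov, and it does not produce krb5 tokens. It replaces the real cipher with a hypothetical HMAC-SHA256 keystream from the Python standard library so it runs offline, and it simplifies the layout: the nonce and tag go into the HEADER buffer, there is no TRAILER buffer kind, and the 16-byte alignment rule applies whenever the caller supplies no PADDING buffer. What it does keep is the part the text is about: DATA buffers are encrypted in place and need not be contiguous, padding is computed from the DATA buffers, SIGN_ONLY buffers are authenticated but left in the clear, and output buffers are filled by the wrap call.

```python
"""Toy model of IOV (I/O-vector) message wrapping.

Added example: not MIT krb5 code, does not call gss_wrap_iov, produces no krb5
tokens. The HMAC-SHA256 keystream cipher, the HEADER layout (nonce + tag) and
the absence of a TRAILER kind are this example's simplifications.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

HEADER, DATA, SIGN_ONLY, PADDING = "HEADER", "DATA", "SIGN_ONLY", "PADDING"
BLOCK = 16       # alignment required of DATA when no PADDING buffer is supplied
NONCE_LEN = 16
TAG_LEN = 32     # HMAC-SHA256 output


@dataclass
class Buf:
    kind: str
    value: bytes = b""   # output buffers (HEADER, PADDING) need not be initialised


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy counter-mode keystream; NOT krb5's AES-CTS."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor_data(key: bytes, nonce: bytes, iov: List[Buf]) -> None:
    """Encrypt/decrypt every DATA buffer in place, in iov order. The buffers
    need not be contiguous: one keystream simply continues across them."""
    total = sum(len(b.value) for b in iov if b.kind == DATA)
    ks, pos = _keystream(key, nonce, total), 0
    for b in iov:
        if b.kind == DATA:
            b.value = bytes(x ^ y for x, y in zip(b.value, ks[pos:pos + len(b.value)]))
            pos += len(b.value)


def _tag(key: bytes, nonce: bytes, iov: List[Buf]) -> bytes:
    """MAC over DATA (as on the wire), PADDING and SIGN_ONLY buffers in order.
    Kind and length are mixed in so buffer boundaries cannot be shifted."""
    h = hmac.new(key, nonce, hashlib.sha256)
    for b in iov:
        if b.kind in (DATA, PADDING, SIGN_ONLY):
            h.update(b.kind.encode() + len(b.value).to_bytes(4, "big") + b.value)
    return h.digest()


def _one(iov: List[Buf], kind: str) -> Optional[Buf]:
    found = [b for b in iov if b.kind == kind]
    if len(found) > 1:
        raise ValueError("at most one %s buffer allowed" % kind)
    return found[0] if found else None


def wrap_iov(key: bytes, iov: List[Buf], nonce: Optional[bytes] = None) -> List[Buf]:
    """Confidentiality + integrity wrap: fills HEADER and (if present) PADDING,
    encrypts DATA in place, authenticates SIGN_ONLY without changing it."""
    header = _one(iov, HEADER)
    if header is None:
        raise ValueError("iov needs a HEADER buffer")
    padding = _one(iov, PADDING)
    data_len = sum(len(b.value) for b in iov if b.kind == DATA)
    pad_len = (BLOCK - data_len % BLOCK) % BLOCK       # computed from the DATA buffers
    if padding is not None:
        padding.value = bytes([pad_len]) * pad_len
    elif pad_len:
        # No PADDING buffer: the caller must have aligned DATA to BLOCK already.
        raise ValueError("DATA must be a multiple of %d bytes when no PADDING buffer is supplied" % BLOCK)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("bad nonce length")
    _xor_data(key, nonce, iov)                         # encrypt DATA in place
    header.value = nonce + _tag(key, nonce, iov)        # tag covers the ciphertext
    return iov


def unwrap_iov(key: bytes, iov: List[Buf]) -> bool:
    """Verify the tag, then decrypt DATA in place. On failure nothing is
    decrypted and False is returned, so callers never see unauthenticated data."""
    header = _one(iov, HEADER)
    if header is None or len(header.value) != NONCE_LEN + TAG_LEN:
        return False
    nonce, tag = header.value[:NONCE_LEN], header.value[NONCE_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, iov)):
        return False
    _xor_data(key, nonce, iov)
    return True


if __name__ == "__main__":
    k = hashlib.sha256(b"constructed demo key").digest()
    msg = [Buf(HEADER), Buf(SIGN_ONLY, b"\x01\x00"), Buf(DATA, b"hello "), Buf(DATA, b"world"), Buf(PADDING)]
    wrap_iov(k, msg)
    print("padding bytes:", len(msg[4].value), "unwrap ok:", unwrap_iov(k, msg), msg[2].value + msg[3].value)
```

The important behaviour for a practitioner is in `unwrap_iov`: the tag is checked over the ciphertext before anything is decrypted, and a failed check leaves the DATA buffers untouched, so a caller that ignores the return value still cannot act on tampered plaintext.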
The following name types are supported by the krb5 mechanism:

GSS_C_NT_HOSTBASED_SERVICE: The value should be a string of the form service or service@hostname. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.

GSS_KRB5_NT_PRINCIPAL_NAME: The value should be a principal name string.

GSS_C_NT_USER_NAME or GSS_C_NULL_OID: The value is treated as an unparsed principal name string, as above. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms.
GSS_C_NT_ANONYMOUS: The value is ignored. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity, which may or may not be allowed by a particular server or Kerberos realm.

GSS_C_NT_MACHINE_UID_NAME: On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name.

GSS_C_NT_STRING_UID_NAME: As above, but the value is a decimal string representation of the uid.
Note: If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].
Note: In MIT krb5 versions prior to 1.
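The name-type list above and the acceptor-name rules earlier on the page (any host-based principal for the named service and hostname, regardless of realm; GSS_C_NO_NAME accepting any keytab principal) both reduce to parsing names into components and a realm and then comparing them. The following is an added example modelling that, written for this page rather than taken from MIT krb5: it calls neither gss_import_name nor DNS. Its assumptions: principal parsing handles only the `\/`, `\@` and `\\` escapes; hostname canonicalization is a constructed alias table standing in for forward name resolution (reverse resolution is not modelled); the uid-to-username table stands in for the system user database; a host-based name is stored with realm `None` to mean "not asserted"; and the service-only acceptor case (any hostname) is this example's extrapolation of the service-and-hostname rule. The name-type constants are the standard ones from <gssapi/gssapi.h> and <gssapi/gssapi_krb5.h>, represented here as strings.

```python
"""Model of krb5 name import and acceptor-name matching.

Added example: not MIT krb5 code; no gss_import_name, no DNS. The alias table
and uid table are constructed stand-ins for name resolution and the user
database. Escapes handled: \\/ \\@ \\\\ only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

HOSTBASED_SERVICE = "GSS_C_NT_HOSTBASED_SERVICE"
PRINCIPAL_NAME = "GSS_KRB5_NT_PRINCIPAL_NAME"
USER_NAME = "GSS_C_NT_USER_NAME"
ANONYMOUS = "GSS_C_NT_ANONYMOUS"
STRING_UID_NAME = "GSS_C_NT_STRING_UID_NAME"


@dataclass
class Name:
    components: List[str]
    realm: Optional[str]       # None for host-based names: realm not asserted


def parse_principal(text: str, default_realm: str) -> Name:
    """Parse 'primary/instance@REALM'; '/' and '@' may be escaped with '\\'.
    A name without '@' gets the default realm."""
    comps, cur, in_realm, i = [], "", False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):          # escaped character, taken literally
            cur += text[i + 1]
            i += 2
            continue
        if c == "@" and not in_realm:                # first unescaped '@' starts the realm
            comps.append(cur)
            cur, in_realm = "", True
        elif c in "/@" and in_realm:
            raise ValueError("unescaped %r in realm of %r" % (c, text))
        elif c == "/":                               # component separator
            comps.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    if in_realm:
        realm = cur
    else:
        comps.append(cur)
        realm = default_realm
    if any(comp == "" for comp in comps):
        raise ValueError("empty component in %r" % text)
    return Name(comps, realm)


def canonicalize_host(hostname: str, resolve: Dict[str, str]) -> str:
    """Stand-in for forward name resolution: lowercase, drop a trailing dot,
    then map an alias to its canonical name via the constructed table."""
    h = hostname.lower().rstrip(".")
    return resolve.get(h, h)


def import_name(name_type: str, value: str, default_realm: str,
                resolve: Optional[Dict[str, str]] = None,
                passwd: Optional[Dict[int, str]] = None) -> Name:
    """Model of gss_import_name for the name types listed on the page."""
    resolve, passwd = resolve or {}, passwd or {}
    if name_type == HOSTBASED_SERVICE:
        service, _, host = value.partition("@")
        if not service:
            raise ValueError("host-based name needs a service")
        comps = [service] + ([canonicalize_host(host, resolve)] if host else [])
        return Name(comps, None)                      # "regardless of realm"
    if name_type in (PRINCIPAL_NAME, USER_NAME):
        return parse_principal(value, default_realm)
    if name_type == ANONYMOUS:                        # value ignored (RFC 6112 principal)
        return Name(["WELLKNOWN", "ANONYMOUS"], "WELLKNOWN:ANONYMOUS")
    if name_type == STRING_UID_NAME:
        uid = int(value)
        if uid not in passwd:
            raise LookupError("uid %d not in user database" % uid)
        return parse_principal(passwd[uid], default_realm)
    raise ValueError("unsupported name type %s" % name_type)


def acceptor_accepts(acceptor: Optional[Name], keytab_principal: Name) -> bool:
    """GSS_C_NO_NAME (None) accepts any keytab principal. A host-based acceptor
    name accepts any two-component principal with the same service and, if the
    acceptor name carries one, the same canonical hostname, in any realm."""
    if acceptor is None:
        return True
    if acceptor.realm is None:
        kc = keytab_principal.components
        if len(kc) != 2 or kc[0] != acceptor.components[0]:
            return False
        return len(acceptor.components) == 1 or kc[1] == acceptor.components[1]
    return keytab_principal == acceptor               # otherwise an exact principal


if __name__ == "__main__":
    aliases = {"www.example.com": "web1.example.com"}
    target = import_name(HOSTBASED_SERVICE, "HTTP@WWW.Example.COM.", "EXAMPLE.COM", resolve=aliases)
    print(target, acceptor_accepts(target, parse_principal("HTTP/web1.example.com@OTHER.REALM", "EXAMPLE.COM")))
```

Two points worth noticing when running it: the hostname "WWW.Example.COM." and the keytab entry "web1.example.com" only match because canonicalization happens at import time, which is why the rdns setting matters in practice; and an escaped "\/" survives parsing as a literal slash inside one component instead of splitting it.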