gssapi.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

gssapi(5) gssapi(5)

NAME

gssapi - Generic Security Service Application Programming Interface

DESCRIPTION

This introduction includes general information about the Generic Security Service Application Program-

ming Interface (GSSAPI) deﬁned in RFC 2743, "Generic Security Service Application Programming Inter-

face," and RFC 2744, "Generic Security Service API: C-bindings." It also includes an overview of error

handling, data types, and calling conventions, including the following:

Integer types

String and other similar data types

Object identiﬁers (OIDs)

Object identiﬁer sets (OID sets)

Credentials

Contexts

Authentication tokens

Major status values

Minor status values

Names

Channel bindings

Optional parameters

General Information

The Generic Security Service Application Programming Interface (GSSAPI) provides security services to

applications using peer-to-peer communications. Using GSSAPI routines, applications can perform the

following operations:

Enable an application to authenticate another application’s user.

Enable an application to delegate access rights to another application.

Apply security services, such as conﬁdentiality and integrity, on a per-message basis.

GSSAPI supports a secure connection between two communicating applications. The application that

establishes the secure connection is called the context initiator . The application that accepts the secure

connection is the context acceptor

There are four stages involved in using the GSSAPI:

The context initiator acquires a credential with which it can prove its identity to other processes.

Similarly, the context acceptor acquires a credential to enable it to accept a security context. Either

application may omit this credential acquisition and use their default credentials in subsequent

stages. See the "Credentials" section in this manual page for more information.

The applications use credentials to establish their global identity. The global identity can be, but is not

necessarily, related to the local user name under which the application is running. Credentials can con-

tain either of the following:

account information.

Security Context The communicating applications establish a joint security context by exchanging

authentication tokens.

The security context is a pair of GSSAPI data structures that contain information that is shared between

the communicating applications. The information describes the state of each application. This security

context is required for per-message security services.

To establish a security context, the context initiator calls the

gss_init_sec_context() routine to

get a token . The token is cryptographically protected, opaque data. The context initiator transfers the

token to the context acceptor, which in turn passes the token to the

gss_accept_sec_context()

routine to decode and extract the shared information.

As part of establishing the security context, the context initiator is authenticated to the context acceptor.

The context initiator can require the context acceptor to authenticate itself in return.

The context initiator can delegate rights to allow the context acceptor to act as its agent. Delegation

means the context initiator gives the context acceptor the ability to initiate additional security contexts

as an agent of the context initiator. To delegate, the context initiator sets a ﬂag on the

gss_init_sec_context() routine indicating that it wants to delegate and sends the returned token

HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1

Summary of content (8 pages)

PAGE 1
gssapi(5) gssapi(5) NAME gssapi - Generic Security Service Application Programming Interface DESCRIPTION This introduction includes general information about the Generic Security Service Application Programming Interface (GSSAPI) defined in RFC 2743, "Generic Security Service Application Programming Interface," and RFC 2744, "Generic Security Service API: C-bindings.
PAGE 2
gssapi(5) in the gssapi(5) normal way to the context acceptor. The acceptor passes this token to the gss_accept_sec_context() routine, which generates a delegated credential. The context acceptor can use the credential to initiate additional security contexts. The applications can exchange protected messages and data using this context. The applications can call GSSAPI routines to protect data exchanged in messages.
PAGE 3
gssapi(5) gssapi(5) } gss_buffer_desc, *gss_buffer_t; The length field contains the total number of bytes in the data and the value field contains a pointer to the actual data. When using the gss_buffer_t data type, the GSSAPI routine allocates storage for any data it passes to the application. The calling application must allocate the gss_buffer_desc object. It can initialize unused gss_buffer_desc objects with the value GSS_C_EMPTY_BUFFER.
PAGE 4
gssapi(5) gssapi(5) The gss_ctx_id_t data type contains an atomic value that identifies one end of a GSSAPI security context. The data type is opaque to the caller. Authentication Tokens GSSAPI uses tokens to maintain the synchronization between the applications sharing a security context. The token is a cryptographically protected bit string generated by the security mechanism at one end of the GSSAPI security context for use by the peer application at the other end of the security context.
PAGE 5
gssapi(5) gssapi(5) GSS_S_UNAUTHORIZED 15 The operation is forbidded by local security policy. The following table lists the calling error values and their meanings: Calling Errors Name GSS_S_CALL_INACCESSIBLE_READ Field Value 1 GSS_S_CALL_INACCESSIBLE_WRITE 2 GSS_S_BAD_STRUCTURE 3 Meaning Could not read a required input parameter. Could not write a required output parameter. A parameter was incorrectly structured. The following table lists the supplementary bits and their meanings.
PAGE 6
gssapi(5) gssapi(5) Names are represented in two forms: A printable form, for presentation to an application. An internal, canonical form that is used by the APIs and is opaque to applications. The gss_import_name() and gss_display_name() routines convert names between their printable form and their gss_name_tdata type. The gss_compare_name() routine compares internal form names.
PAGE 7
gssapi(5) gssapi(5) system. Therefore portable applications should use either the correct address type and value or the GSS_C_AF_NULLADDR for the initiator_addrtype address field. Some security mechanisms include the channel binding data in the token instead of a signature, so portable applications should not use confidential data as channel-binding components. The GSSAPI does not verify the address or include the plain text bindings information in the token.
PAGE 8
(Notes) A (Notes) gA 8 Hewlett-Packard Company −1− HP-UX 11i Version 3: September 2010