HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)

gssapi(5)
NAME
gssapi - Generic Security Service Application Programming Interface
DESCRIPTION
This introduction includes general information about the Generic Security Service Application Programming Interface (GSSAPI) defined in RFC 2743, "Generic Security Service Application Programming Interface," and RFC 2744, "Generic Security Service API: C-bindings." It also includes an overview of error handling, data types, and calling conventions, including the following:
Integer types
String and other similar data types
Object identifiers (OIDs)
Object identifier sets (OID sets)
Credentials
Contexts
Authentication tokens
Major status values
Minor status values
Names
Channel bindings
Optional parameters
General Information
The Generic Security Service Application Programming Interface (GSSAPI) provides security services to applications using peer-to-peer communications. Using GSSAPI routines, applications can perform the following operations:
Enable an application to authenticate another application’s user.
Enable an application to delegate access rights to another application.
Apply security services, such as confidentiality and integrity, on a per-message basis.
GSSAPI supports a secure connection between two communicating applications. The application that establishes the secure connection is called the context initiator. The application that accepts the secure connection is called the context acceptor.
There are four stages involved in using the GSSAPI:
The context initiator acquires a credential with which it can prove its identity to other processes. Similarly, the context acceptor acquires a credential to enable it to accept a security context. Either application may omit this credential acquisition and use its default credential in subsequent stages. See the "Credentials" section in this manual page for more information.
The applications use credentials to establish their global identity. The global identity can be, but is not
necessarily, related to the local user name under which the application is running. Credentials can contain
either of the following:
Login Context The login context includes a principal’s network credentials, as well as other account
information.
Security Context The communicating applications establish a joint security context by exchanging
authentication tokens.
The security context is a pair of GSSAPI data structures that contain information that is shared between the communicating applications. The information describes the state of each application. This security context is required for per-message security services.
To establish a security context, the context initiator calls the gss_init_sec_context() routine to get a token. The token is cryptographically protected, opaque data. The context initiator transfers the token to the context acceptor, which in turn passes the token to the gss_accept_sec_context() routine to decode and extract the shared information. Either routine can return GSS_S_CONTINUE_NEEDED together with an output token that must be sent to the peer; the applications keep exchanging tokens until both routines return GSS_S_COMPLETE.
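The token is opaque to the application, but RFC 2743 section 3.1 fixes a mechanism-independent framing on the initial context token: a DER [APPLICATION 0] tag, a length, and the mechanism's OBJECT IDENTIFIER, followed by mechanism-specific data. An acceptor that serves several mechanisms peeks at that OID to decide which credential or mechanism to use before calling gss_accept_sec_context(). The parser below is an added example, not code from the HP-UX manual or its GSSAPI implementation; the sample tokens are constructed here, the inner bytes after the OID are placeholders, and the function names are this example's own. It rejects indefinite, non-minimal and truncated DER lengths, which is where hand-written token parsers usually go wrong.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of the RFC 2743 section 3.1 framing. Pointers alias the input
 * buffer; nothing is copied. */
struct gss_token_hdr {
    const uint8_t *mech_oid;  /* DER-encoded OID contents, without tag/length */
    size_t         mech_len;
    const uint8_t *inner;     /* mechanism-specific inner token */
    size_t         inner_len;
};

/* Decode one DER length at buf[*pos]. Returns 0 and advances *pos, or -1 for
 * indefinite, non-minimal or truncated encodings (all of which an acceptor
 * should treat as hostile input). */
static int der_length(const uint8_t *buf, size_t len, size_t *pos, size_t *out)
{
    if (*pos >= len) return -1;
    uint8_t first = buf[(*pos)++];
    if (first < 0x80) { *out = first; return 0; }           /* short form */
    size_t n = first & 0x7f;
    if (n == 0 || n > sizeof(size_t) || n > len - *pos) return -1;
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | buf[(*pos)++];
    /* DER requires the shortest encoding: n bytes only if v needs them */
    if (v < (n == 1 ? (size_t)0x80 : ((size_t)1 << (8 * (n - 1))))) return -1;
    *out = v;
    return 0;
}

/* Parse the outer framing: 0x60 <len> 0x06 <oidlen> <oid> <inner token>.
 * Returns 0 on success, -1 if the token is malformed. */
int parse_gss_token(const uint8_t *buf, size_t len, struct gss_token_hdr *h)
{
    size_t pos = 0, body_len, oid_len;
    if (len == 0 || buf[pos++] != 0x60) return -1;          /* [APPLICATION 0] */
    if (der_length(buf, len, &pos, &body_len) < 0) return -1;
    if (body_len != len - pos) return -1;                   /* must cover exactly the rest */
    if (pos >= len || buf[pos++] != 0x06) return -1;        /* OBJECT IDENTIFIER tag */
    if (der_length(buf, len, &pos, &oid_len) < 0) return -1;
    if (oid_len == 0 || oid_len > len - pos) return -1;
    h->mech_oid  = buf + pos;
    h->mech_len  = oid_len;
    pos += oid_len;
    h->inner     = buf + pos;
    h->inner_len = len - pos;
    return 0;
}

/* Well-known mechanism OIDs in DER contents form. */
static const uint8_t OID_KRB5[]   = { 0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02 }; /* 1.2.840.113554.1.2.2 */
static const uint8_t OID_SPNEGO[] = { 0x2b,0x06,0x01,0x05,0x05,0x02 };                /* 1.3.6.1.5.5.2 */

/* Classify a token by mechanism: "krb5", "spnego", "unknown" or "malformed". */
const char *gss_token_mech(const uint8_t *buf, size_t len)
{
    struct gss_token_hdr h;
    if (parse_gss_token(buf, len, &h) < 0) return "malformed";
    if (h.mech_len == sizeof OID_KRB5 && memcmp(h.mech_oid, OID_KRB5, sizeof OID_KRB5) == 0) return "krb5";
    if (h.mech_len == sizeof OID_SPNEGO && memcmp(h.mech_oid, OID_SPNEGO, sizeof OID_SPNEGO) == 0) return "spnego";
    return "unknown";
}

/* Inner token length for a parsed token, or (size_t)-1 if malformed. */
size_t gss_token_inner_len(const uint8_t *buf, size_t len)
{
    struct gss_token_hdr h;
    return parse_gss_token(buf, len, &h) < 0 ? (size_t)-1 : h.inner_len;
}

/* Constructed sample: Kerberos V5 framing whose inner token starts with the
 * RFC 4121 AP-REQ TOK_ID 01 00 followed by two placeholder bytes. */
const uint8_t SAMPLE_KRB5_TOKEN[] = {
    0x60, 0x0f, 0x06, 0x09,
    0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0x01,0x00,0xde,0xad
};
const size_t SAMPLE_KRB5_TOKEN_LEN = sizeof SAMPLE_KRB5_TOKEN;

/* Same token with a long-form length that DER forbids for values below 0x80. */
const uint8_t BAD_LENGTH_TOKEN[] = {
    0x60, 0x81, 0x0f, 0x06, 0x09,
    0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0x01,0x00,0xde,0xad
};
const size_t BAD_LENGTH_TOKEN_LEN = sizeof BAD_LENGTH_TOKEN;

int main(void)
{
    printf("sample: %s, inner %zu bytes\n", gss_token_mech(SAMPLE_KRB5_TOKEN, SAMPLE_KRB5_TOKEN_LEN),
           gss_token_inner_len(SAMPLE_KRB5_TOKEN, SAMPLE_KRB5_TOKEN_LEN));
    printf("bad length: %s\n", gss_token_mech(BAD_LENGTH_TOKEN, BAD_LENGTH_TOKEN_LEN));
    return 0;
}
```

Only the outer framing is mechanism-independent; everything from the inner token onward belongs to the mechanism and still has to go through gss_accept_sec_context(), which is the only place the token's cryptographic protection is actually verified.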
As part of establishing the security context, the context initiator is authenticated to the context acceptor. The context initiator can require the context acceptor to authenticate itself in return (mutual authentication) by requesting it in req_flags; because a mechanism may grant only some of the requested services, the initiator must confirm from ret_flags that mutual authentication was actually performed before it trusts the acceptor's identity.
The context initiator can delegate rights to allow the context acceptor to act as its agent. Delegation means
the context initiator gives the context acceptor the ability to initiate additional security contexts as an
agent of the context initiator. To delegate, the context initiator sets a flag on the
182 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007