1*ae771770SStanislav Sedov.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan 2bbd80c28SJacques Vidrine.\" (Royal Institute of Technology, Stockholm, Sweden). 3bbd80c28SJacques Vidrine.\" All rights reserved. 4bbd80c28SJacques Vidrine.\" 5bbd80c28SJacques Vidrine.\" Redistribution and use in source and binary forms, with or without 6bbd80c28SJacques Vidrine.\" modification, are permitted provided that the following conditions 7bbd80c28SJacques Vidrine.\" are met: 8bbd80c28SJacques Vidrine.\" 9bbd80c28SJacques Vidrine.\" 1. Redistributions of source code must retain the above copyright 10bbd80c28SJacques Vidrine.\" notice, this list of conditions and the following disclaimer. 11bbd80c28SJacques Vidrine.\" 12bbd80c28SJacques Vidrine.\" 2. Redistributions in binary form must reproduce the above copyright 13bbd80c28SJacques Vidrine.\" notice, this list of conditions and the following disclaimer in the 14bbd80c28SJacques Vidrine.\" documentation and/or other materials provided with the distribution. 15bbd80c28SJacques Vidrine.\" 16bbd80c28SJacques Vidrine.\" 3. Neither the name of the Institute nor the names of its contributors 17bbd80c28SJacques Vidrine.\" may be used to endorse or promote products derived from this software 18bbd80c28SJacques Vidrine.\" without specific prior written permission. 19bbd80c28SJacques Vidrine.\" 20bbd80c28SJacques Vidrine.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 21bbd80c28SJacques Vidrine.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22bbd80c28SJacques Vidrine.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23bbd80c28SJacques Vidrine.\" ARE DISCLAIMED. 
IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 24bbd80c28SJacques Vidrine.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25bbd80c28SJacques Vidrine.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26bbd80c28SJacques Vidrine.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27bbd80c28SJacques Vidrine.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28bbd80c28SJacques Vidrine.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29bbd80c28SJacques Vidrine.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30bbd80c28SJacques Vidrine.\" SUCH DAMAGE. 31bbd80c28SJacques Vidrine.\" 32*ae771770SStanislav Sedov.\" $Id$ 33bbd80c28SJacques Vidrine.\" 34c19800e8SDoug Rabson.Dd April 20, 2005 35bbd80c28SJacques Vidrine.Dt GSSAPI 3 36bbd80c28SJacques Vidrine.Os 37bbd80c28SJacques Vidrine.Sh NAME 38bbd80c28SJacques Vidrine.Nm gssapi 39bbd80c28SJacques Vidrine.Nd Generic Security Service Application Program Interface library 40bbd80c28SJacques Vidrine.Sh LIBRARY 41bbd80c28SJacques VidrineGSS-API Library (libgssapi, -lgssapi) 42bbd80c28SJacques Vidrine.Sh DESCRIPTION 43bbd80c28SJacques VidrineThe Generic Security Service Application Program Interface (GSS-API) 44bbd80c28SJacques Vidrineprovides security services to callers in a generic fashion, 45bbd80c28SJacques Vidrinesupportable with a range of underlying mechanisms and technologies and 46bbd80c28SJacques Vidrinehence allowing source-level portability of applications to different 47bbd80c28SJacques Vidrineenvironments. 48c19800e8SDoug Rabson.Pp 49c19800e8SDoug RabsonThe GSS-API implementation in Heimdal implements the Kerberos 5 and 50c19800e8SDoug Rabsonthe SPNEGO GSS-API security mechanisms. 51bbd80c28SJacques Vidrine.Sh LIST OF FUNCTIONS 52bbd80c28SJacques VidrineThese functions constitute the gssapi library, 53bbd80c28SJacques Vidrine.Em libgssapi . 
54bbd80c28SJacques VidrineDeclarations for these functions may be obtained from the include file 55bbd80c28SJacques Vidrine.Pa gssapi.h . 56*ae771770SStanislav Sedov.Bl -column -compact 57*ae771770SStanislav Sedov.It Sy Name/Page 58*ae771770SStanislav Sedov.It Xr gss_accept_sec_context 3 59*ae771770SStanislav Sedov.It Xr gss_acquire_cred 3 60*ae771770SStanislav Sedov.It Xr gss_add_cred 3 61*ae771770SStanislav Sedov.It Xr gss_add_oid_set_member 3 62*ae771770SStanislav Sedov.It Xr gss_canonicalize_name 3 63*ae771770SStanislav Sedov.It Xr gss_compare_name 3 64*ae771770SStanislav Sedov.It Xr gss_context_time 3 65*ae771770SStanislav Sedov.It Xr gss_create_empty_oid_set 3 66*ae771770SStanislav Sedov.It Xr gss_delete_sec_context 3 67*ae771770SStanislav Sedov.It Xr gss_display_name 3 68*ae771770SStanislav Sedov.It Xr gss_display_status 3 69*ae771770SStanislav Sedov.It Xr gss_duplicate_name 3 70*ae771770SStanislav Sedov.It Xr gss_export_name 3 71*ae771770SStanislav Sedov.It Xr gss_export_sec_context 3 72*ae771770SStanislav Sedov.It Xr gss_get_mic 3 73*ae771770SStanislav Sedov.It Xr gss_import_name 3 74*ae771770SStanislav Sedov.It Xr gss_import_sec_context 3 75*ae771770SStanislav Sedov.It Xr gss_indicate_mechs 3 76*ae771770SStanislav Sedov.It Xr gss_init_sec_context 3 77*ae771770SStanislav Sedov.It Xr gss_inquire_context 3 78*ae771770SStanislav Sedov.It Xr gss_inquire_cred 3 79*ae771770SStanislav Sedov.It Xr gss_inquire_cred_by_mech 3 80*ae771770SStanislav Sedov.It Xr gss_inquire_mechs_for_name 3 81*ae771770SStanislav Sedov.It Xr gss_inquire_names_for_mech 3 82*ae771770SStanislav Sedov.It Xr gss_krb5_ccache_name 3 83*ae771770SStanislav Sedov.It Xr gss_krb5_compat_des3_mic 3 84*ae771770SStanislav Sedov.It Xr gss_krb5_copy_ccache 3 85*ae771770SStanislav Sedov.It Xr gss_krb5_extract_authz_data_from_sec_context 3 86*ae771770SStanislav Sedov.It Xr gss_krb5_import_ccache 3 87*ae771770SStanislav Sedov.It Xr gss_process_context_token 3 88*ae771770SStanislav Sedov.It Xr 
gss_release_buffer 3 89*ae771770SStanislav Sedov.It Xr gss_release_cred 3 90*ae771770SStanislav Sedov.It Xr gss_release_name 3 91*ae771770SStanislav Sedov.It Xr gss_release_oid_set 3 92*ae771770SStanislav Sedov.It Xr gss_seal 3 93*ae771770SStanislav Sedov.It Xr gss_sign 3 94*ae771770SStanislav Sedov.It Xr gss_test_oid_set_member 3 95*ae771770SStanislav Sedov.It Xr gss_unseal 3 96*ae771770SStanislav Sedov.It Xr gss_unwrap 3 97*ae771770SStanislav Sedov.It Xr gss_verify 3 98*ae771770SStanislav Sedov.It Xr gss_verify_mic 3 99*ae771770SStanislav Sedov.It Xr gss_wrap 3 100*ae771770SStanislav Sedov.It Xr gss_wrap_size_limit 3 101*ae771770SStanislav Sedov.El 102bbd80c28SJacques Vidrine.Sh COMPATIBILITY 103bbd80c28SJacques VidrineThe 104bbd80c28SJacques Vidrine.Nm Heimdal 105bbd80c28SJacques VidrineGSS-API implementation had a bug in releases before 0.6 that made it 106bbd80c28SJacques Vidrinefail to inter-operate when using DES3 with other GSS-API 107bbd80c28SJacques Vidrineimplementations when using 108bbd80c28SJacques Vidrine.Fn gss_get_mic 109bbd80c28SJacques Vidrine/ 110bbd80c28SJacques Vidrine.Fn gss_verify_mic . 111c19800e8SDoug RabsonIt is possible to modify the behavior of the generator of the MIC with 112bbd80c28SJacques Vidrinethe 113bbd80c28SJacques Vidrine.Pa krb5.conf 114bbd80c28SJacques Vidrineconfiguration file so that old clients/servers will still 115bbd80c28SJacques Vidrinework. 116bbd80c28SJacques Vidrine.Pp 117bbd80c28SJacques VidrineNew clients/servers will try both the old and new MIC in Heimdal 0.6. 118c19800e8SDoug RabsonIn 0.7 it will check only if configured - the compatibility code will 119c19800e8SDoug Rabsonbe removed in 0.8. 120bbd80c28SJacques Vidrine.Pp 121bbd80c28SJacques VidrineHeimdal 0.6 still generates by default the broken GSS-API DES3 mic, 122bbd80c28SJacques Vidrinethis will change in 0.7 to generate correct des3 mic. 
123bbd80c28SJacques Vidrine.Pp 124bbd80c28SJacques VidrineTo turn on compatibility with older clients and servers, change the 125bbd80c28SJacques Vidrine.Nm [gssapi] 126bbd80c28SJacques Vidrine.Ar broken_des3_mic 127bbd80c28SJacques Vidrinein 128bbd80c28SJacques Vidrine.Pa krb5.conf 129bbd80c28SJacques Vidrinethat contains a list of globbing expressions that will be matched 130bbd80c28SJacques Vidrineagainst the server name. 131bbd80c28SJacques VidrineTo turn off generation of the old (incompatible) mic of the MIC use 132bbd80c28SJacques Vidrine.Nm [gssapi] 133bbd80c28SJacques Vidrine.Ar correct_des3_mic . 134bbd80c28SJacques Vidrine.Pp 135bbd80c28SJacques VidrineIf a match for a entry is in both 136bbd80c28SJacques Vidrine.Nm [gssapi] 137bbd80c28SJacques Vidrine.Ar correct_des3_mic 138bbd80c28SJacques Vidrineand 139bbd80c28SJacques Vidrine.Nm [gssapi] 140c19800e8SDoug Rabson.Ar broken_des3_mic , 141bbd80c28SJacques Vidrinethe later will override. 142bbd80c28SJacques Vidrine.Pp 143bbd80c28SJacques VidrineThis config option modifies behaviour for both clients and servers. 144bbd80c28SJacques Vidrine.Pp 145*ae771770SStanislav SedovMicrosoft implemented SPNEGO to Windows2000, however, they managed to 146c19800e8SDoug Rabsonget it wrong, their implementation didn't fill in the MechListMIC in 147c19800e8SDoug Rabsonthe reply token with the right content. 148c19800e8SDoug RabsonThere is a work around for this problem, but not all implementation 149c19800e8SDoug Rabsonsupport it. 150c19800e8SDoug Rabson.Pp 151c19800e8SDoug RabsonHeimdal defaults to correct SPNEGO when the the kerberos 152c19800e8SDoug Rabsonimplementation uses CFX, or when it is configured by the user. 153c19800e8SDoug RabsonTo turn on compatibility with peers, use option 154c19800e8SDoug Rabson.Nm [gssapi] 155c19800e8SDoug Rabson.Ar require_mechlist_mic . 
156c19800e8SDoug Rabson.Sh EXAMPLES 157bbd80c28SJacques Vidrine.Bd -literal -offset indent 158bbd80c28SJacques Vidrine[gssapi] 159bbd80c28SJacques Vidrine broken_des3_mic = cvs/*@SU.SE 160bbd80c28SJacques Vidrine broken_des3_mic = host/*@E.KTH.SE 161bbd80c28SJacques Vidrine correct_des3_mic = host/*@SU.SE 162c19800e8SDoug Rabson require_mechlist_mic = host/*@SU.SE 163bbd80c28SJacques Vidrine.Ed 164bbd80c28SJacques Vidrine.Sh BUGS 165bbd80c28SJacques VidrineAll of 0.5.x versions of 166bbd80c28SJacques Vidrine.Nm heimdal 167bbd80c28SJacques Vidrinehad broken token delegations in the client side, the server side was 168bbd80c28SJacques Vidrinecorrect. 169bbd80c28SJacques Vidrine.Sh SEE ALSO 170bbd80c28SJacques Vidrine.Xr krb5 3 , 171bbd80c28SJacques Vidrine.Xr krb5.conf 5 , 172bbd80c28SJacques Vidrine.Xr kerberos 8 173
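The COMPATIBILITY section describes how the broken_des3_mic and correct_des3_mic globbing lists in krb5.conf select which DES3 MIC a peer gets, and that a broken_des3_mic match overrides a correct_des3_mic match. The following C program is an added illustration of that selection rule, written for this page; it is not Heimdal code and not part of the manual. It assumes the globs are matched fnmatch(3)-style with no flags, embeds the [gssapi] section from EXAMPLES as a constructed table instead of parsing a real krb5.conf, and the names des3_mic_mode_for, sample_mode and overlap_demo are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Which DES3 MIC flavour the library should generate for a peer. */
enum des3_mic_mode {
    DES3_MIC_DEFAULT = 0,   /* no entry matched: the release default applies */
    DES3_MIC_CORRECT = 1,   /* only correct_des3_mic matched */
    DES3_MIC_BROKEN  = 2    /* broken_des3_mic matched; it wins over correct */
};

/* One "key = pattern" line from the [gssapi] section of krb5.conf. */
struct gssapi_entry {
    const char *key;        /* "broken_des3_mic" or "correct_des3_mic" */
    const char *pattern;    /* glob matched against the server name */
};

/* Constructed sample: the [gssapi] section shown under EXAMPLES. */
static const struct gssapi_entry sample_conf[] = {
    { "broken_des3_mic",  "cvs/*@SU.SE" },
    { "broken_des3_mic",  "host/*@E.KTH.SE" },
    { "correct_des3_mic", "host/*@SU.SE" },
};
#define SAMPLE_CONF_LEN (sizeof(sample_conf) / sizeof(sample_conf[0]))

/*
 * Scan every entry and pick the mode for `server`.  A broken_des3_mic
 * match returns immediately because the manual says it overrides a
 * correct_des3_mic match; a correct_des3_mic match is remembered but the
 * scan continues in case a broken entry follows.  Glob matching is
 * assumed to be fnmatch(3)-style with no flags, so '*' also spans '/'.
 */
enum des3_mic_mode
des3_mic_mode_for(const struct gssapi_entry *conf, size_t n, const char *server)
{
    enum des3_mic_mode mode = DES3_MIC_DEFAULT;
    size_t i;

    for (i = 0; i < n; i++) {
        if (fnmatch(conf[i].pattern, server, 0) != 0)
            continue;
        if (strcmp(conf[i].key, "broken_des3_mic") == 0)
            return DES3_MIC_BROKEN;
        if (strcmp(conf[i].key, "correct_des3_mic") == 0)
            mode = DES3_MIC_CORRECT;
    }
    return mode;
}

/* Convenience wrapper over the constructed sample configuration. */
enum des3_mic_mode
sample_mode(const char *server)
{
    return des3_mic_mode_for(sample_conf, SAMPLE_CONF_LEN, server);
}

/*
 * Overlap case: both keys match the same server name, with the
 * correct_des3_mic entry listed last.  Order does not matter; the
 * broken entry still wins, as the manual states.
 */
enum des3_mic_mode
overlap_demo(void)
{
    static const struct gssapi_entry both[] = {
        { "broken_des3_mic",  "host/*@SU.SE" },
        { "correct_des3_mic", "host/*@SU.SE" },
    };
    return des3_mic_mode_for(both, 2, "host/kerberos.su.se@SU.SE");
}

static const char *
mode_name(enum des3_mic_mode m)
{
    switch (m) {
    case DES3_MIC_BROKEN:  return "broken (old) DES3 MIC";
    case DES3_MIC_CORRECT: return "correct DES3 MIC";
    default:               return "release default";
    }
}

int
main(void)
{
    /* Constructed server principal names to classify. */
    const char *servers[] = {
        "cvs/cvs.su.se@SU.SE",
        "host/mail.e.kth.se@E.KTH.SE",
        "host/www.su.se@SU.SE",
        "host/other.example.org@EXAMPLE.ORG",
    };
    size_t i;

    for (i = 0; i < sizeof(servers) / sizeof(servers[0]); i++)
        printf("%-40s -> %s\n", servers[i], mode_name(sample_mode(servers[i])));
    printf("%-40s -> %s\n", "overlap (both keys match)", mode_name(overlap_demo()));
    return 0;
}
```

The point a practitioner should take from the overlap case is that listing a correct_des3_mic entry after a broken_des3_mic entry does not re-enable the correct MIC for that server: the broken list must be narrowed instead, since the manual gives it precedence.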