xref: /freebsd/crypto/heimdal/lib/gssapi/gssapi.3 (revision 02e9120893770924227138ba49df1edb3896112a)
1.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $Id$
33.\"
34.Dd April 20, 2005
35.Dt GSSAPI 3
36.Os
37.Sh NAME
38.Nm gssapi
39.Nd Generic Security Service Application Program Interface library
40.Sh LIBRARY
41GSS-API Library (libgssapi, -lgssapi)
42.Sh DESCRIPTION
43The Generic Security Service Application Program Interface (GSS-API)
44provides security services to callers in a generic fashion,
45supportable with a range of underlying mechanisms and technologies and
46hence allowing source-level portability of applications to different
47environments.
48.Pp
49The GSS-API implementation in Heimdal implements the Kerberos 5 and
50the SPNEGO GSS-API security mechanisms.
51.Sh LIST OF FUNCTIONS
52These functions constitute the gssapi library,
53.Em libgssapi .
54Declarations for these functions may be obtained from the include file
55.Pa gssapi.h .
56.Bl -column -compact
57.It Sy Name/Page
58.It Xr gss_accept_sec_context 3
59.It Xr gss_acquire_cred 3
60.It Xr gss_add_cred 3
61.It Xr gss_add_oid_set_member 3
62.It Xr gss_canonicalize_name 3
63.It Xr gss_compare_name 3
64.It Xr gss_context_time 3
65.It Xr gss_create_empty_oid_set 3
66.It Xr gss_delete_sec_context 3
67.It Xr gss_display_name 3
68.It Xr gss_display_status 3
69.It Xr gss_duplicate_name 3
70.It Xr gss_export_name 3
71.It Xr gss_export_sec_context 3
72.It Xr gss_get_mic 3
73.It Xr gss_import_name 3
74.It Xr gss_import_sec_context 3
75.It Xr gss_indicate_mechs 3
76.It Xr gss_init_sec_context 3
77.It Xr gss_inquire_context 3
78.It Xr gss_inquire_cred 3
79.It Xr gss_inquire_cred_by_mech 3
80.It Xr gss_inquire_mechs_for_name 3
81.It Xr gss_inquire_names_for_mech 3
82.It Xr gss_krb5_ccache_name 3
83.It Xr gss_krb5_compat_des3_mic 3
84.It Xr gss_krb5_copy_ccache 3
85.It Xr gss_krb5_extract_authz_data_from_sec_context 3
86.It Xr gss_krb5_import_ccache 3
87.It Xr gss_process_context_token 3
88.It Xr gss_release_buffer 3
89.It Xr gss_release_cred 3
90.It Xr gss_release_name 3
91.It Xr gss_release_oid_set 3
92.It Xr gss_seal 3
93.It Xr gss_sign 3
94.It Xr gss_test_oid_set_member 3
95.It Xr gss_unseal 3
96.It Xr gss_unwrap 3
97.It Xr gss_verify 3
98.It Xr gss_verify_mic 3
99.It Xr gss_wrap 3
100.It Xr gss_wrap_size_limit 3
101.El
102.Sh COMPATIBILITY
103The
104.Nm Heimdal
105GSS-API implementation had a bug in releases before 0.6 that made it
106fail to inter-operate when using DES3 with other GSS-API
107implementations when using
108.Fn gss_get_mic
109/
110.Fn gss_verify_mic .
111It is possible to modify the behavior of the generator of the MIC with
112the
113.Pa krb5.conf
114configuration file so that old clients/servers will still
115work.
116.Pp
117New clients/servers will try both the old and new MIC in Heimdal 0.6.
118In 0.7 it will check only if configured - the compatibility code will
119be removed in 0.8.
120.Pp
121Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
122this will change in 0.7 to generate correct des3 mic.
123.Pp
124To turn on compatibility with older clients and servers, change the
125.Nm [gssapi]
126.Ar broken_des3_mic
127in
128.Pa krb5.conf
129that contains a list of globbing expressions that will be matched
130against the server name.
131To turn off generation of the old (incompatible) mic of the MIC use
132.Nm [gssapi]
133.Ar correct_des3_mic .
134.Pp
135If a match for a entry is in both
136.Nm [gssapi]
137.Ar correct_des3_mic
138and
139.Nm [gssapi]
140.Ar broken_des3_mic ,
141the later will override.
142.Pp
143This config option modifies behaviour for both clients and servers.
144.Pp
145Microsoft implemented SPNEGO to Windows2000, however, they managed to
146get it wrong, their implementation didn't fill in the MechListMIC in
147the reply token with the right content.
148There is a work around for this problem, but not all implementation
149support it.
150.Pp
151Heimdal defaults to correct SPNEGO when the the kerberos
152implementation uses CFX, or when it is configured by the user.
153To turn on compatibility with peers, use option
154.Nm [gssapi]
155.Ar require_mechlist_mic .
156.Sh EXAMPLES
157.Bd -literal -offset indent
158[gssapi]
159	broken_des3_mic = cvs/*@SU.SE
160	broken_des3_mic = host/*@E.KTH.SE
161	correct_des3_mic = host/*@SU.SE
162	require_mechlist_mic = host/*@SU.SE
163.Ed
164.Sh BUGS
165All of 0.5.x versions of
166.Nm heimdal
167had broken token delegations in the client side, the server side was
168correct.
169.Sh SEE ALSO
170.Xr krb5 3 ,
171.Xr krb5.conf 5 ,
172.Xr kerberos 8
173