xref: /freebsd/crypto/krb5/src/appl/gss-sample/README (revision 7f2fe78b9dd5f51c821d771b63d2e096f6fd49e9) 
1# Copyright 1993 by OpenVision Technologies, Inc.
2#
3# Permission to use, copy, modify, distribute, and sell this software
4# and its documentation for any purpose is hereby granted without fee,
5# provided that the above copyright notice appears in all copies and
6# that both that copyright notice and this permission notice appear in
7# supporting documentation, and that the name of OpenVision not be used
8# in advertising or publicity pertaining to distribution of the software
9# without specific, written prior permission. OpenVision makes no
10# representations about the suitability of this software for any
11# purpose.  It is provided "as is" without express or implied warranty.
12#
13# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
14# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
15# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
16# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF
17# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR
18# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
19# PERFORMANCE OF THIS SOFTWARE.
20
21This directory contains a sample GSS-API client and server
22application.  In addition to serving as an example of GSS-API
23programming, this application is also intended to be a tool for
24testing the performance of GSS-API implementations.
25
26Each time the client is invoked, it performs one or more exchanges
27with the server.  Each exchange with the server consists primarily of
28the following steps:
29
30	1. A TCP/IP connection is established.
31
32	2. (optional, on by default) The client and server establish a
33	   GSS-API context, and the server prints the identify of the
34	   client.
35
36      /	3. The client sends a message to the server.  The message may
37     /     be plaintext, cryptographically "signed" but not encrypted,
38     |     or encrypted (default).
39     |
400 or |  4. The server decrypts the message (if necessary), verifies
41more |     its signature (if there is one) and prints it.
42times|
43     |  5. The server sends either a signature block (the default) or an
44     |     empty token back to the client to acknowledge the message.
45     \
46      \ 6. If the server sent a signature block, the client verifies
47           it and prints a message indicating that it was verified.
48
49	7. The client sends an empty block to the server to tell it
50	   that the exchange is finished.
51
52	8. The client and server close the TCP/IP connection and
53	   destroy the GSS-API context.
54
55The client also supports the -v1 flag which uses an older exchange
56format compatible with previous releases of Kerberos and with samples
57shipped in the Microsoft SDK.
58
59The server's command line usage is
60
61	gss-server [-port port] [-verbose] [-once] [-inetd] [-export]
62		[-logfile file] service_name
63
64where service_name is a GSS-API service name of the form
65"service@host" (or just "service", in which case the local host name
66is used).  The command-line options have the following meanings:
67
68-port	The TCP port on which to accept connections.  Default is 4444.
69
70-once	Tells the server to exit after a single exchange, rather than
71	persisting.
72
73-inetd	Tells the server that it is running out of inetd, so it should
74	interact with the client on stdin rather than binding to a
75	network port.  Implies "-once".
76
77-export	Tells the server to test the gss_export_sec_context function
78	after establishing a context with a client.
79
80-logfile
81	The file to which the server should append its output, rather
82	than sending it to stdout.
83
84The client's command line usage is
85
86	gss-client [-port port] [-mech mechanism] [-d] [-f] [-q]
87        [-seq] [-noreplay] [-nomutual] [-dce]
88        [-ccount count] [-mcount count] [-na] [-nw] [-nx] [-nm]
89		host service_name msg
90
91where host is the host running the server, service_name is the service
92name that the server will establish connections as (if you don't
93specify the host name in the service name when running gss-server, and
94it's running on a different machine from gss-client, make sure to
95specify the server's host name in the service name you specify to
96gss-client!) and msg is the message.  The command-line options have
97the following meanings:
98
99-port	The TCP port to which to connect.  Default is 4444.
100
101-mech	The OID of the GSS-API mechanism to use.
102
103-d	Tells the client to delegate credentials to the server.  For
104	the Kerberos GSS-API mechanism, this means that a forwardable
105	TGT will be sent to the server, which will put it in its
106	credential cache (you must have acquired your tickets with
107	"kinit -f" for this to work).
108
109-seq Tells the client to enforce ordered message delivery via
110    sequencing.
111
112-noreplay Tells the client to disable the use of replay
113    detection.
114
115-dce	Tells the client to request DCE-style authentication.
116
117-nomutual Tells the client to disable the use of mutual authentication.
118
119-f	Tells the client that the "msg" argument is actually the name
120	of a file whose contents should be used as the message.
121
122-q	Tells the client to be quiet, i.e., to only print error
123	messages.
124
125-ccount	Specifies how many sessions the client should initiate with
126	the server (the "connection count").
127
128-mcount	Specifies how many times the message should be sent to the
129	server in each session (the "message count").
130
131-na	Tells the client not to do any authentication with the
132	server.  Implies "-nw", "-nx" and "-nm".
133
134-nw	Tells the client not to "wrap" messages.  Implies "-nx".
135
136-nx	Tells the client not to encrypt messages.
137
138-nm	Tells the client not to ask the server to send back a
139	cryptographic checksum ("MIC").
140
141To run the server on a host, you need to make sure that the principal
142corresponding to service_name is in the default keytab on the server
143host, and that the gss-server process can read the keytab.  For
144example, the service name "host@server" corresponds to the Kerberos
145principal "host/server.domain.com@REALM".
146
147This sample application uses the following GSS-API functions:
148
149	gss_accept_sec_context		gss_inquire_names_for_mech
150	gss_acquire_cred		gss_oid_to_str
151	gss_delete_sec_context		gss_release_buffer
152	gss_display_name		gss_release_cred
153	gss_display_status		gss_release_name
154	gss_export_sec_context		gss_release_oid
155	gss_get_mic			gss_release_oid_set
156	gss_import_name			gss_str_to_oid
157	gss_import_sec_context		gss_unwrap
158	gss_init_sec_context		gss_verify_mic
159	gss_inquire_context		gss_wrap
160
161This application was originally written by Barry Jaspan of OpenVision
162Technologies, Inc.  It was updated significantly by Jonathan Kamens of
163OpenVision Technologies, Inc.
164
165$Id$
166