1# Copyright 1993 by OpenVision Technologies, Inc. 2# 3# Permission to use, copy, modify, distribute, and sell this software 4# and its documentation for any purpose is hereby granted without fee, 5# provided that the above copyright notice appears in all copies and 6# that both that copyright notice and this permission notice appear in 7# supporting documentation, and that the name of OpenVision not be used 8# in advertising or publicity pertaining to distribution of the software 9# without specific, written prior permission. OpenVision makes no 10# representations about the suitability of this software for any 11# purpose. It is provided "as is" without express or implied warranty. 12# 13# OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, 14# INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO 15# EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR 16# CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF 17# USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR 18# OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 19# PERFORMANCE OF THIS SOFTWARE. 20 21This directory contains a sample GSS-API client and server 22application. In addition to serving as an example of GSS-API 23programming, this application is also intended to be a tool for 24testing the performance of GSS-API implementations. 25 26Each time the client is invoked, it performs one or more exchanges 27with the server. Each exchange with the server consists primarily of 28the following steps: 29 30 1. A TCP/IP connection is established. 31 32 2. (optional, on by default) The client and server establish a 33 GSS-API context, and the server prints the identify of the 34 client. 35 36 / 3. The client sends a message to the server. The message may 37 / be plaintext, cryptographically "signed" but not encrypted, 38 | or encrypted (default). 39 | 400 or | 4. The server decrypts the message (if necessary), verifies 41more | its signature (if there is one) and prints it. 42times| 43 | 5. The server sends either a signature block (the default) or an 44 | empty token back to the client to acknowledge the message. 45 \ 46 \ 6. If the server sent a signature block, the client verifies 47 it and prints a message indicating that it was verified. 48 49 7. The client sends an empty block to the server to tell it 50 that the exchange is finished. 51 52 8. The client and server close the TCP/IP connection and 53 destroy the GSS-API context. 54 55The client also supports the -v1 flag which uses an older exchange 56format compatible with previous releases of Kerberos and with samples 57shipped in the Microsoft SDK. 58 59The server's command line usage is 60 61 gss-server [-port port] [-verbose] [-once] [-inetd] [-export] 62 [-logfile file] service_name 63 64where service_name is a GSS-API service name of the form 65"service@host" (or just "service", in which case the local host name 66is used). The command-line options have the following meanings: 67 68-port The TCP port on which to accept connections. Default is 4444. 69 70-once Tells the server to exit after a single exchange, rather than 71 persisting. 72 73-inetd Tells the server that it is running out of inetd, so it should 74 interact with the client on stdin rather than binding to a 75 network port. Implies "-once". 76 77-export Tells the server to test the gss_export_sec_context function 78 after establishing a context with a client. 79 80-logfile 81 The file to which the server should append its output, rather 82 than sending it to stdout. 83 84The client's command line usage is 85 86 gss-client [-port port] [-mech mechanism] [-d] [-f] [-q] 87 [-seq] [-noreplay] [-nomutual] [-dce] 88 [-ccount count] [-mcount count] [-na] [-nw] [-nx] [-nm] 89 host service_name msg 90 91where host is the host running the server, service_name is the service 92name that the server will establish connections as (if you don't 93specify the host name in the service name when running gss-server, and 94it's running on a different machine from gss-client, make sure to 95specify the server's host name in the service name you specify to 96gss-client!) and msg is the message. The command-line options have 97the following meanings: 98 99-port The TCP port to which to connect. Default is 4444. 100 101-mech The OID of the GSS-API mechanism to use. 102 103-d Tells the client to delegate credentials to the server. For 104 the Kerberos GSS-API mechanism, this means that a forwardable 105 TGT will be sent to the server, which will put it in its 106 credential cache (you must have acquired your tickets with 107 "kinit -f" for this to work). 108 109-seq Tells the client to enforce ordered message delivery via 110 sequencing. 111 112-noreplay Tells the client to disable the use of replay 113 detection. 114 115-dce Tells the client to request DCE-style authentication. 116 117-nomutual Tells the client to disable the use of mutual authentication. 118 119-f Tells the client that the "msg" argument is actually the name 120 of a file whose contents should be used as the message. 121 122-q Tells the client to be quiet, i.e., to only print error 123 messages. 124 125-ccount Specifies how many sessions the client should initiate with 126 the server (the "connection count"). 127 128-mcount Specifies how many times the message should be sent to the 129 server in each session (the "message count"). 130 131-na Tells the client not to do any authentication with the 132 server. Implies "-nw", "-nx" and "-nm". 133 134-nw Tells the client not to "wrap" messages. Implies "-nx". 135 136-nx Tells the client not to encrypt messages. 137 138-nm Tells the client not to ask the server to send back a 139 cryptographic checksum ("MIC"). 140 141To run the server on a host, you need to make sure that the principal 142corresponding to service_name is in the default keytab on the server 143host, and that the gss-server process can read the keytab. For 144example, the service name "host@server" corresponds to the Kerberos 145principal "host/server.domain.com@REALM". 146 147This sample application uses the following GSS-API functions: 148 149 gss_accept_sec_context gss_inquire_names_for_mech 150 gss_acquire_cred gss_oid_to_str 151 gss_delete_sec_context gss_release_buffer 152 gss_display_name gss_release_cred 153 gss_display_status gss_release_name 154 gss_export_sec_context gss_release_oid 155 gss_get_mic gss_release_oid_set 156 gss_import_name gss_str_to_oid 157 gss_import_sec_context gss_unwrap 158 gss_init_sec_context gss_verify_mic 159 gss_inquire_context gss_wrap 160 161This application was originally written by Barry Jaspan of OpenVision 162Technologies, Inc. It was updated significantly by Jonathan Kamens of 163OpenVision Technologies, Inc. 164 165$Id$ 166