18f55a568SDoug Rabson.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 28f55a568SDoug Rabson.\" Authors: Doug Rabson <dfr@rabson.org> 362486687SUlrich Spörlein.\" Developed with Red Inc: Alfred Perlstein <alfred@FreeBSD.org> 48f55a568SDoug Rabson.\" 58f55a568SDoug Rabson.\" Redistribution and use in source and binary forms, with or without 68f55a568SDoug Rabson.\" modification, are permitted provided that the following conditions 78f55a568SDoug Rabson.\" are met: 88f55a568SDoug Rabson.\" 1. Redistributions of source code must retain the above copyright 98f55a568SDoug Rabson.\" notice, this list of conditions and the following disclaimer. 108f55a568SDoug Rabson.\" 2. Redistributions in binary form must reproduce the above copyright 118f55a568SDoug Rabson.\" notice, this list of conditions and the following disclaimer in the 128f55a568SDoug Rabson.\" documentation and/or other materials provided with the distribution. 138f55a568SDoug Rabson.\" 148f55a568SDoug Rabson.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 158f55a568SDoug Rabson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 168f55a568SDoug Rabson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 178f55a568SDoug Rabson.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 188f55a568SDoug Rabson.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 198f55a568SDoug Rabson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 208f55a568SDoug Rabson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 218f55a568SDoug Rabson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 228f55a568SDoug Rabson.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 238f55a568SDoug Rabson.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 248f55a568SDoug Rabson.\" SUCH DAMAGE. 25621d0bd3SGavin Atkinson.Dd January 26, 2010 268f55a568SDoug Rabson.Dt RPC_GSS_SECCREATE 3 278f55a568SDoug Rabson.Os 288f55a568SDoug Rabson.Sh NAME 298f55a568SDoug Rabson.Nm RPCSEC_GSS 308f55a568SDoug Rabson.Nd "GSS-API based authentication for RPC" 318f55a568SDoug Rabson.Sh LIBRARY 328f55a568SDoug Rabson.Lb librpcsec_gss 338f55a568SDoug Rabson.Sh SYNOPSIS 348f55a568SDoug Rabson.In rpc/rpcsec_gss.h 358f55a568SDoug Rabson.Sh DESCRIPTION 368f55a568SDoug Rabson.Nm 378f55a568SDoug Rabsonis a security mechanism for the RPC protocol. 388f55a568SDoug RabsonIt uses the Generic Security Service API (GSS-API) to establish a 398f55a568SDoug Rabsonsecurity context between a client and a server and to ensure that all 408f55a568SDoug Rabsonsubsequent communication between client and server are properly 418f55a568SDoug Rabsonauthenticated. 428f55a568SDoug RabsonOptionally, extra protection can be applied to the connection. 438f55a568SDoug RabsonThe integrity service uses checksums to ensure that all data sent by 4412613c1aSJens Schweikhardta peer is received without modification. 458f55a568SDoug RabsonThe privacy service uses encryption to ensure that no third party can 468f55a568SDoug Rabsonaccess the data for a connection. 478f55a568SDoug Rabson.Pp 488f55a568SDoug RabsonTo use this system, an application must first use 498f55a568SDoug Rabson.Fn rpc_gss_seccreate 508f55a568SDoug Rabsonto establish a security context. 518f55a568SDoug Rabson.Sh DATA STRUCTURES 528f55a568SDoug RabsonData structures used by 538f55a568SDoug Rabson.Nm 548f55a568SDoug Rabsonappear below. 558f55a568SDoug Rabson.Bl -tag -width "MMMM" 568f55a568SDoug Rabson.It Vt rpc_gss_service_t 578f55a568SDoug RabsonThis type defines the types of security service required for 588f55a568SDoug Rabson.Fn rpc_gss_seccreate . 598f55a568SDoug Rabson.Bd -literal 608f55a568SDoug Rabsontypedef enum { 618f55a568SDoug Rabson rpc_gss_svc_default = 0, 628f55a568SDoug Rabson rpc_gss_svc_none = 1, 638f55a568SDoug Rabson rpc_gss_svc_integrity = 2, 648f55a568SDoug Rabson rpc_gss_svc_privacy = 3 658f55a568SDoug Rabson} rpc_gss_service_t; 668f55a568SDoug Rabson.Ed 678f55a568SDoug Rabson.It Vt rpc_gss_options_ret_t 688f55a568SDoug RabsonThis structure contains various optional values which are used while 69c2025a76SJoel Dahlcreating a security context. 708f55a568SDoug Rabson.Bd -literal 718f55a568SDoug Rabsontypedef struct { 728f55a568SDoug Rabson int req_flags; /* GSS request bits */ 738f55a568SDoug Rabson int time_req; /* requested lifetime */ 748f55a568SDoug Rabson gss_cred_id_t my_cred; /* GSS credential */ 758f55a568SDoug Rabson gss_channel_bindings_t input_channel_bindings; 768f55a568SDoug Rabson} rpc_gss_options_req_t; 778f55a568SDoug Rabson.Ed 788f55a568SDoug Rabson.It Vt rpc_gss_options_ret_t 798f55a568SDoug RabsonVarious details of the created security context are returned using 808f55a568SDoug Rabsonthis structure. 818f55a568SDoug Rabson.Bd -literal 828f55a568SDoug Rabsontypedef struct { 838f55a568SDoug Rabson int major_status; 848f55a568SDoug Rabson int minor_status; 858f55a568SDoug Rabson u_int rpcsec_version; 868f55a568SDoug Rabson int ret_flags; 878f55a568SDoug Rabson int time_req; 888f55a568SDoug Rabson gss_ctx_id_t gss_context; 898f55a568SDoug Rabson char actual_mechanism[MAX_GSS_MECH]; 908f55a568SDoug Rabson} rpc_gss_options_ret_t; 918f55a568SDoug Rabson.Ed 928f55a568SDoug Rabson.It Vt rpc_gss_principal_t 938f55a568SDoug RabsonThis type is used to refer to an client principal which is represented 948f55a568SDoug Rabsonin GSS-API exported name form 958f55a568SDoug Rabson(see 968f55a568SDoug Rabson.Xr gss_export_name 3 978f55a568SDoug Rabsonfor more details). 988f55a568SDoug RabsonNames in this format may be stored in access control lists or compared 998f55a568SDoug Rabsonwith other names in exported name form. 1008f55a568SDoug RabsonThis structure is returned by 1018f55a568SDoug Rabson.Fn rpc_gss_get_principal_name 1028f55a568SDoug Rabsonand is also referenced by the 1038f55a568SDoug Rabson.Vt rpc_gss_rawcred_t 1048f55a568SDoug Rabsonstructure. 1058f55a568SDoug Rabson.Bd -literal 1068f55a568SDoug Rabsontypedef struct { 1078f55a568SDoug Rabson int len; 1088f55a568SDoug Rabson char name[1]; 1098f55a568SDoug Rabson} *rpc_gss_principal_t; 1108f55a568SDoug Rabson.Ed 1118f55a568SDoug Rabson.It Vt rpc_gss_rawcred_t 11212613c1aSJens SchweikhardtThis structure is used to access the raw credentials associated with a 1138f55a568SDoug Rabsonsecurity context. 1148f55a568SDoug Rabson.Bd -literal 1158f55a568SDoug Rabsontypedef struct { 1168f55a568SDoug Rabson u_int version; /* RPC version number */ 1178f55a568SDoug Rabson const char *mechanism; /* security mechanism */ 1188f55a568SDoug Rabson const char *qop; /* quality of protection */ 1198f55a568SDoug Rabson rpc_gss_principal_t client_principal; /* client name */ 1208f55a568SDoug Rabson const char *svc_principal; /* server name */ 1218f55a568SDoug Rabson rpc_gss_service_t service; /* service type */ 1228f55a568SDoug Rabson} rpc_gss_rawcred_t; 1238f55a568SDoug Rabson.Ed 1248f55a568SDoug Rabson.It Vt rpc_gss_ucred_t 1258f55a568SDoug RabsonUnix credentials which are derived form the raw credentials, 1268f55a568SDoug Rabsonaccessed via 1278f55a568SDoug Rabson.Fn rpc_gss_getcred . 1288f55a568SDoug Rabson.Bd -literal 1298f55a568SDoug Rabsontypedef struct { 1308f55a568SDoug Rabson uid_t uid; /* user ID */ 1318f55a568SDoug Rabson gid_t gid; /* group ID */ 1328f55a568SDoug Rabson short gidlen; 1338f55a568SDoug Rabson gid_t *gidlist; /* list of groups */ 1348f55a568SDoug Rabson} rpc_gss_ucred_t; 1358f55a568SDoug Rabson.Ed 1368f55a568SDoug Rabson.It Vt rpc_gss_lock_t 1378f55a568SDoug RabsonStructure used to enforce a particular QOP and service. 1388f55a568SDoug Rabson.Bd -literal 1398f55a568SDoug Rabsontypedef struct { 1408f55a568SDoug Rabson bool_t locked; 1418f55a568SDoug Rabson rpc_gss_rawcred_t *raw_cred; 1428f55a568SDoug Rabson} rpc_gss_lock_t; 1438f55a568SDoug Rabson.Ed 1448f55a568SDoug Rabson.It Vt rpc_gss_callback_t 1458f55a568SDoug RabsonCallback structure used by 1468f55a568SDoug Rabson.Fn rpc_gss_set_callback . 1478f55a568SDoug Rabson.Bd -literal 1488f55a568SDoug Rabsontypedef struct { 1498f55a568SDoug Rabson u_int program; /* RPC program number */ 1508f55a568SDoug Rabson u_int version; /* RPC version number */ 1518f55a568SDoug Rabson /* user defined callback */ 1528f55a568SDoug Rabson bool_t (*callback)(struct svc_req *req, 1538f55a568SDoug Rabson gss_cred_id_t deleg, 1548f55a568SDoug Rabson gss_ctx_id_t gss_context, 1558f55a568SDoug Rabson rpc_gss_lock_t *lock, 1568f55a568SDoug Rabson void **cookie); 1578f55a568SDoug Rabson} rpc_gss_callback_t; 1588f55a568SDoug Rabson.Ed 1598f55a568SDoug Rabson.It Vt rpc_gss_error_t 1608f55a568SDoug RabsonStructure used to return error information by 1618f55a568SDoug Rabson.Fn rpc_gss_get_error . 1628f55a568SDoug Rabson.Bd -literal 1638f55a568SDoug Rabsontypedef struct { 1648f55a568SDoug Rabson int rpc_gss_error; 1658f55a568SDoug Rabson int system_error; /* same as errno */ 1668f55a568SDoug Rabson} rpc_gss_error_t; 1678f55a568SDoug Rabson 1688f55a568SDoug Rabson/* 1698f55a568SDoug Rabson * Values for rpc_gss_error 1708f55a568SDoug Rabson */ 1718f55a568SDoug Rabson#define RPC_GSS_ER_SUCCESS 0 /* no error */ 1728f55a568SDoug Rabson#define RPC_GSS_ER_SYSTEMERROR 1 /* system error */ 1738f55a568SDoug Rabson.Ed 17463d46d1dSUlrich Spörlein.El 1758f55a568SDoug Rabson.Sh INDEX 1768f55a568SDoug Rabson.Bl -tag -width "MMMM" 1778f55a568SDoug Rabson.It Xr rpc_gss_seccreate 3 1788f55a568SDoug RabsonCreate a new security context 1798f55a568SDoug Rabson.It Xr rpc_gss_set_defaults 3 1808f55a568SDoug RabsonSet service and quality of protection for a context 1818f55a568SDoug Rabson.It Xr rpc_gss_max_data_length 3 1828f55a568SDoug RabsonCalculate maximum client message sizes. 1838f55a568SDoug Rabson.It Xr rpc_gss_get_error 3 1848f55a568SDoug RabsonGet details of the last error 1858f55a568SDoug Rabson.It Xr rpc_gss_mech_to_oid 3 1868f55a568SDoug RabsonConvert a mechanism name to the corresponding GSS-API oid. 1878f55a568SDoug Rabson.It Xr rpc_gss_oid_to_mech 3 1888f55a568SDoug RabsonConvert a GSS-API oid to a mechanism name 1898f55a568SDoug Rabson.It Xr rpc_gss_qop_to_num 3 1908f55a568SDoug RabsonConvert a quality of protection name to the corresponding number 1918f55a568SDoug Rabson.It Xr rpc_gss_get_mechanisms 3 1928f55a568SDoug RabsonGet a list of security mechanisms. 1938f55a568SDoug Rabson.It Xr rpc_gss_get_mech_info 3 1948f55a568SDoug RabsonReturn extra information about a security mechanism 1958f55a568SDoug Rabson.It Xr rpc_gss_get_versions 3 1968f55a568SDoug RabsonReturn the maximum and minimum supported versions of the 1978f55a568SDoug Rabson.Nm 1988f55a568SDoug Rabsonprotocol 1998f55a568SDoug Rabson.It Xr rpc_gss_is_installed 3 2008f55a568SDoug RabsonQuery for the presence of a particular security mechanism 2018f55a568SDoug Rabson.It Xr rpc_gss_set_svc_name 3 2028f55a568SDoug RabsonSet the name of a service principal which matches a given RPC program 2038f55a568SDoug Rabsonplus version pair 2048f55a568SDoug Rabson.It Xr rpc_gss_getcred 3 2058f55a568SDoug RabsonGet credential details for the security context of an RPC request 2068f55a568SDoug Rabson.It Xr rpc_gss_set_callback 3 2078f55a568SDoug RabsonInstall a callback routine which is called on the server when new 2088f55a568SDoug Rabsonsecurity contexts are created 2098f55a568SDoug Rabson.It Xr rpc_gss_get_principal_name 3 2108f55a568SDoug RabsonCreate a client principal name from various strings 2118f55a568SDoug Rabson.It Xr rpc_gss_svc_max_data_length 3 2128f55a568SDoug RabsonCalculate maximum server message sizes. 2138f55a568SDoug Rabson.El 2148f55a568SDoug Rabson.Sh SEE ALSO 2158f55a568SDoug Rabson.Xr gss_export_name 3 , 216*5e4517a4SJoel Dahl.Xr gssapi 3 , 217*5e4517a4SJoel Dahl.Xr rpc 3 , 2188f55a568SDoug Rabson.Xr mech 5 , 219*5e4517a4SJoel Dahl.Xr qop 5 2208f55a568SDoug Rabson.Sh HISTORY 2218f55a568SDoug RabsonThe 2228f55a568SDoug Rabson.Nm 223ffae047bSGavin Atkinsonlibrary first appeared in 2248f55a568SDoug Rabson.Fx 8.0 . 2258f55a568SDoug Rabson.Sh AUTHORS 2268f55a568SDoug RabsonThis 2278f55a568SDoug Rabsonmanual page was written by 2282b7af31cSBaptiste Daroussin.An Doug Rabson Aq Mt dfr@FreeBSD.org . 229