18f55a568SDoug Rabson.\" Copyright (c) 2008 Isilon Inc http://www.isilon.com/ 28f55a568SDoug Rabson.\" Authors: Doug Rabson <dfr@rabson.org> 38f55a568SDoug Rabson.\" Developed with Red Inc: Alfred Perlstein <alfred@freebsd.org> 48f55a568SDoug Rabson.\" 58f55a568SDoug Rabson.\" Redistribution and use in source and binary forms, with or without 68f55a568SDoug Rabson.\" modification, are permitted provided that the following conditions 78f55a568SDoug Rabson.\" are met: 88f55a568SDoug Rabson.\" 1. Redistributions of source code must retain the above copyright 98f55a568SDoug Rabson.\" notice, this list of conditions and the following disclaimer. 108f55a568SDoug Rabson.\" 2. Redistributions in binary form must reproduce the above copyright 118f55a568SDoug Rabson.\" notice, this list of conditions and the following disclaimer in the 128f55a568SDoug Rabson.\" documentation and/or other materials provided with the distribution. 138f55a568SDoug Rabson.\" 148f55a568SDoug Rabson.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 158f55a568SDoug Rabson.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 168f55a568SDoug Rabson.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 178f55a568SDoug Rabson.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 188f55a568SDoug Rabson.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 198f55a568SDoug Rabson.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 208f55a568SDoug Rabson.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 218f55a568SDoug Rabson.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 228f55a568SDoug Rabson.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 238f55a568SDoug Rabson.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 248f55a568SDoug Rabson.\" SUCH DAMAGE. 258f55a568SDoug Rabson.\" 268f55a568SDoug Rabson.\" $FreeBSD$ 278f55a568SDoug Rabson.Dd July 4, 2008 288f55a568SDoug Rabson.Dt RPC_GSS_SECCREATE 3 298f55a568SDoug Rabson.Os 308f55a568SDoug Rabson.Sh NAME 318f55a568SDoug Rabson.Nm RPCSEC_GSS 328f55a568SDoug Rabson.Nd "GSS-API based authentication for RPC" 338f55a568SDoug Rabson.Sh LIBRARY 348f55a568SDoug Rabson.Lb librpcsec_gss 358f55a568SDoug Rabson.Sh SYNOPSIS 368f55a568SDoug Rabson.In rpc/rpcsec_gss.h 378f55a568SDoug Rabson.Sh DESCRIPTION 388f55a568SDoug Rabson.Nm 398f55a568SDoug Rabsonis a security mechanism for the RPC protocol. 408f55a568SDoug RabsonIt uses the Generic Security Service API (GSS-API) to establish a 418f55a568SDoug Rabsonsecurity context between a client and a server and to ensure that all 428f55a568SDoug Rabsonsubsequent communication between client and server are properly 438f55a568SDoug Rabsonauthenticated. 448f55a568SDoug RabsonOptionally, extra protection can be applied to the connection. 458f55a568SDoug RabsonThe integrity service uses checksums to ensure that all data sent by 468f55a568SDoug Rabsona peer is recieved without modification. 478f55a568SDoug RabsonThe privacy service uses encryption to ensure that no third party can 488f55a568SDoug Rabsonaccess the data for a connection. 498f55a568SDoug Rabson.Pp 508f55a568SDoug RabsonTo use this system, an application must first use 518f55a568SDoug Rabson.Fn rpc_gss_seccreate 528f55a568SDoug Rabsonto establish a security context. 538f55a568SDoug Rabson.Sh DATA STRUCTURES 548f55a568SDoug RabsonData structures used by 558f55a568SDoug Rabson.Nm 568f55a568SDoug Rabsonappear below. 578f55a568SDoug Rabson.Bl -tag -width "MMMM" 588f55a568SDoug Rabson.It Vt rpc_gss_service_t 598f55a568SDoug RabsonThis type defines the types of security service required for 608f55a568SDoug Rabson.Fn rpc_gss_seccreate . 618f55a568SDoug Rabson.Bd -literal 628f55a568SDoug Rabsontypedef enum { 638f55a568SDoug Rabson rpc_gss_svc_default = 0, 648f55a568SDoug Rabson rpc_gss_svc_none = 1, 658f55a568SDoug Rabson rpc_gss_svc_integrity = 2, 668f55a568SDoug Rabson rpc_gss_svc_privacy = 3 678f55a568SDoug Rabson} rpc_gss_service_t; 688f55a568SDoug Rabson.Ed 698f55a568SDoug Rabson.It Vt rpc_gss_options_ret_t 708f55a568SDoug RabsonThis structure contains various optional values which are used while 718f55a568SDoug Rabsoncreating a security contect. 728f55a568SDoug Rabson.Bd -literal 738f55a568SDoug Rabsontypedef struct { 748f55a568SDoug Rabson int req_flags; /* GSS request bits */ 758f55a568SDoug Rabson int time_req; /* requested lifetime */ 768f55a568SDoug Rabson gss_cred_id_t my_cred; /* GSS credential */ 778f55a568SDoug Rabson gss_channel_bindings_t input_channel_bindings; 788f55a568SDoug Rabson} rpc_gss_options_req_t; 798f55a568SDoug Rabson.Ed 808f55a568SDoug Rabson.It Vt rpc_gss_options_ret_t 818f55a568SDoug RabsonVarious details of the created security context are returned using 828f55a568SDoug Rabsonthis structure. 838f55a568SDoug Rabson.Bd -literal 848f55a568SDoug Rabsontypedef struct { 858f55a568SDoug Rabson int major_status; 868f55a568SDoug Rabson int minor_status; 878f55a568SDoug Rabson u_int rpcsec_version; 888f55a568SDoug Rabson int ret_flags; 898f55a568SDoug Rabson int time_req; 908f55a568SDoug Rabson gss_ctx_id_t gss_context; 918f55a568SDoug Rabson char actual_mechanism[MAX_GSS_MECH]; 928f55a568SDoug Rabson} rpc_gss_options_ret_t; 938f55a568SDoug Rabson.Ed 948f55a568SDoug Rabson.It Vt rpc_gss_principal_t 958f55a568SDoug RabsonThis type is used to refer to an client principal which is represented 968f55a568SDoug Rabsonin GSS-API exported name form 978f55a568SDoug Rabson(see 988f55a568SDoug Rabson.Xr gss_export_name 3 998f55a568SDoug Rabsonfor more details). 1008f55a568SDoug RabsonNames in this format may be stored in access control lists or compared 1018f55a568SDoug Rabsonwith other names in exported name form. 1028f55a568SDoug RabsonThis structure is returned by 1038f55a568SDoug Rabson.Fn rpc_gss_get_principal_name 1048f55a568SDoug Rabsonand is also referenced by the 1058f55a568SDoug Rabson.Vt rpc_gss_rawcred_t 1068f55a568SDoug Rabsonstructure. 1078f55a568SDoug Rabson.Bd -literal 1088f55a568SDoug Rabsontypedef struct { 1098f55a568SDoug Rabson int len; 1108f55a568SDoug Rabson char name[1]; 1118f55a568SDoug Rabson} *rpc_gss_principal_t; 1128f55a568SDoug Rabson.Ed 1138f55a568SDoug Rabson.It Vt rpc_gss_rawcred_t 1148f55a568SDoug RabsonThis structure is used to access the raw credentions associated with a 1158f55a568SDoug Rabsonsecurity context. 1168f55a568SDoug Rabson.Bd -literal 1178f55a568SDoug Rabsontypedef struct { 1188f55a568SDoug Rabson u_int version; /* RPC version number */ 1198f55a568SDoug Rabson const char *mechanism; /* security mechanism */ 1208f55a568SDoug Rabson const char *qop; /* quality of protection */ 1218f55a568SDoug Rabson rpc_gss_principal_t client_principal; /* client name */ 1228f55a568SDoug Rabson const char *svc_principal; /* server name */ 1238f55a568SDoug Rabson rpc_gss_service_t service; /* service type */ 1248f55a568SDoug Rabson} rpc_gss_rawcred_t; 1258f55a568SDoug Rabson.Ed 1268f55a568SDoug Rabson.It Vt rpc_gss_ucred_t 1278f55a568SDoug RabsonUnix credentials which are derived form the raw credentials, 1288f55a568SDoug Rabsonaccessed via 1298f55a568SDoug Rabson.Fn rpc_gss_getcred . 1308f55a568SDoug Rabson.Bd -literal 1318f55a568SDoug Rabsontypedef struct { 1328f55a568SDoug Rabson uid_t uid; /* user ID */ 1338f55a568SDoug Rabson gid_t gid; /* group ID */ 1348f55a568SDoug Rabson short gidlen; 1358f55a568SDoug Rabson gid_t *gidlist; /* list of groups */ 1368f55a568SDoug Rabson} rpc_gss_ucred_t; 1378f55a568SDoug Rabson.Ed 1388f55a568SDoug Rabson.It Vt rpc_gss_lock_t 1398f55a568SDoug RabsonStructure used to enforce a particular QOP and service. 1408f55a568SDoug Rabson.Bd -literal 1418f55a568SDoug Rabsontypedef struct { 1428f55a568SDoug Rabson bool_t locked; 1438f55a568SDoug Rabson rpc_gss_rawcred_t *raw_cred; 1448f55a568SDoug Rabson} rpc_gss_lock_t; 1458f55a568SDoug Rabson.Ed 1468f55a568SDoug Rabson.It Vt rpc_gss_callback_t 1478f55a568SDoug RabsonCallback structure used by 1488f55a568SDoug Rabson.Fn rpc_gss_set_callback . 1498f55a568SDoug Rabson.Bd -literal 1508f55a568SDoug Rabsontypedef struct { 1518f55a568SDoug Rabson u_int program; /* RPC program number */ 1528f55a568SDoug Rabson u_int version; /* RPC version number */ 1538f55a568SDoug Rabson /* user defined callback */ 1548f55a568SDoug Rabson bool_t (*callback)(struct svc_req *req, 1558f55a568SDoug Rabson gss_cred_id_t deleg, 1568f55a568SDoug Rabson gss_ctx_id_t gss_context, 1578f55a568SDoug Rabson rpc_gss_lock_t *lock, 1588f55a568SDoug Rabson void **cookie); 1598f55a568SDoug Rabson} rpc_gss_callback_t; 1608f55a568SDoug Rabson.Ed 1618f55a568SDoug Rabson.It Vt rpc_gss_error_t 1628f55a568SDoug RabsonStructure used to return error information by 1638f55a568SDoug Rabson.Fn rpc_gss_get_error . 1648f55a568SDoug Rabson.Bd -literal 1658f55a568SDoug Rabsontypedef struct { 1668f55a568SDoug Rabson int rpc_gss_error; 1678f55a568SDoug Rabson int system_error; /* same as errno */ 1688f55a568SDoug Rabson} rpc_gss_error_t; 1698f55a568SDoug Rabson 1708f55a568SDoug Rabson/* 1718f55a568SDoug Rabson * Values for rpc_gss_error 1728f55a568SDoug Rabson */ 1738f55a568SDoug Rabson#define RPC_GSS_ER_SUCCESS 0 /* no error */ 1748f55a568SDoug Rabson#define RPC_GSS_ER_SYSTEMERROR 1 /* system error */ 1758f55a568SDoug Rabson.Ed 1768f55a568SDoug Rabson.Sh INDEX 1778f55a568SDoug Rabson.Bl -tag -width "MMMM" 1788f55a568SDoug Rabson.It Xr rpc_gss_seccreate 3 1798f55a568SDoug RabsonCreate a new security context 1808f55a568SDoug Rabson.It Xr rpc_gss_set_defaults 3 1818f55a568SDoug RabsonSet service and quality of protection for a context 1828f55a568SDoug Rabson.It Xr rpc_gss_max_data_length 3 1838f55a568SDoug RabsonCalculate maximum client message sizes. 1848f55a568SDoug Rabson.It Xr rpc_gss_get_error 3 1858f55a568SDoug RabsonGet details of the last error 1868f55a568SDoug Rabson.It Xr rpc_gss_mech_to_oid 3 1878f55a568SDoug RabsonConvert a mechanism name to the corresponding GSS-API oid. 1888f55a568SDoug Rabson.It Xr rpc_gss_oid_to_mech 3 1898f55a568SDoug RabsonConvert a GSS-API oid to a mechanism name 1908f55a568SDoug Rabson.It Xr rpc_gss_qop_to_num 3 1918f55a568SDoug RabsonConvert a quality of protection name to the corresponding number 1928f55a568SDoug Rabson.It Xr rpc_gss_get_mechanisms 3 1938f55a568SDoug RabsonGet a list of security mechanisms. 1948f55a568SDoug Rabson.It Xr rpc_gss_get_mech_info 3 1958f55a568SDoug RabsonReturn extra information about a security mechanism 1968f55a568SDoug Rabson.It Xr rpc_gss_get_versions 3 1978f55a568SDoug RabsonReturn the maximum and minimum supported versions of the 1988f55a568SDoug Rabson.Nm 1998f55a568SDoug Rabsonprotocol 2008f55a568SDoug Rabson.It Xr rpc_gss_is_installed 3 2018f55a568SDoug RabsonQuery for the presence of a particular security mechanism 2028f55a568SDoug Rabson.It Xr rpc_gss_set_svc_name 3 2038f55a568SDoug RabsonSet the name of a service principal which matches a given RPC program 2048f55a568SDoug Rabsonplus version pair 2058f55a568SDoug Rabson.It Xr rpc_gss_getcred 3 2068f55a568SDoug RabsonGet credential details for the security context of an RPC request 2078f55a568SDoug Rabson.It Xr rpc_gss_set_callback 3 2088f55a568SDoug RabsonInstall a callback routine which is called on the server when new 2098f55a568SDoug Rabsonsecurity contexts are created 2108f55a568SDoug Rabson.It Xr rpc_gss_get_principal_name 3 2118f55a568SDoug RabsonCreate a client principal name from various strings 2128f55a568SDoug Rabson.It Xr rpc_gss_svc_max_data_length 3 2138f55a568SDoug RabsonCalculate maximum server message sizes. 2148f55a568SDoug Rabson.El 2158f55a568SDoug Rabson.Sh SEE ALSO 2168f55a568SDoug Rabson.Xr rpc 3 , 2178f55a568SDoug Rabson.Xr gssapi 3 , 2188f55a568SDoug Rabson.Xr gss_export_name 3 , 2198f55a568SDoug Rabson.Xr mech 5 , 2208f55a568SDoug Rabson.Xr qop 5 , 2218f55a568SDoug Rabson.Xr rpcset_gss 3 2228f55a568SDoug Rabson.Sh HISTORY 2238f55a568SDoug RabsonThe 2248f55a568SDoug Rabson.Nm 225ffae047bSGavin Atkinsonlibrary first appeared in 2268f55a568SDoug Rabson.Fx 8.0 . 2278f55a568SDoug Rabson.Sh AUTHORS 2288f55a568SDoug RabsonThis 2298f55a568SDoug Rabsonmanual page was written by 2308f55a568SDoug Rabson.An Doug Rabson Aq dfr@FreeBSD.org . 231