The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface for programs to access security services. Sun Microsystems, “GSS-API Programming Guide”. The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.

Author: Arara Nikoll
Published (Last): 6 March 2008


Generic Security Services Application Program Interface

The memory pointed to by the buffers is not required to be contiguous or in any particular order. The value is treated as an unparsed principal name string, as above. Are you going to do programming? This is not clear from your question. These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms.

Limitations of the GSSAPI include that it standardizes only authentication and not authorization, and that it assumes a client-server architecture. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name. A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. This facility might, for instance, be used to choose existing tickets for a client principal in the same realm as the target service.

Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.

Do you know if this is a krb library-specific thing, or can PuTTY somehow use this too? Yes, I believe I need to implement my own server-side component to do the authentication, so it’s a programming question. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.


As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format.

GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists.

Instead, security-service vendors provide GSSAPI implementations, usually in the form of libraries installed with their security software. But there are some kinit versions that support pkinit.

Developing with GSSAPI — MIT Kerberos Documentation

The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used. If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab.

The only guides I’ve found so far are very low-level protocol descriptions or server configuration guides for admins. These resources are normally serialized as references to their external locations, such as the filename of the credential cache. If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab.


If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

This is the recommended approach if the server application has no specific requirements to the contrary.

The anonymous principal is used, allowing a client to authenticate to the server without asserting a particular identity, which may or may not be allowed by a particular server or Kerberos realm.

The serialization format does not protect this information from eavesdropping or tampering.

After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit. The value is ignored.

The following name types are supported by the krb5 mechanism: Note: In MIT krb5 versions prior to 1. The value should be a string of the form service or service@hostname. If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm.

The value should be a principal name string. I’m looking at a way of authenticating users connecting to an SSH daemon. Is there any way of providing the user’s public key that way?
