| @@ -1,174 +1,174 @@ | | | @@ -1,174 +1,174 @@ |
1 | .\" $NetBSD: gssapi.3,v 1.2 2011/04/14 19:19:19 elric Exp $ | | 1 | .\" $NetBSD: gssapi.3,v 1.3 2011/04/28 14:28:47 wiz Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan | | 3 | .\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan |
4 | .\" (Royal Institute of Technology, Stockholm, Sweden). | | 4 | .\" (Royal Institute of Technology, Stockholm, Sweden). |
5 | .\" All rights reserved. | | 5 | .\" All rights reserved. |
6 | .\" | | 6 | .\" |
7 | .\" Redistribution and use in source and binary forms, with or without | | 7 | .\" Redistribution and use in source and binary forms, with or without |
8 | .\" modification, are permitted provided that the following conditions | | 8 | .\" modification, are permitted provided that the following conditions |
9 | .\" are met: | | 9 | .\" are met: |
10 | .\" | | 10 | .\" |
11 | .\" 1. Redistributions of source code must retain the above copyright | | 11 | .\" 1. Redistributions of source code must retain the above copyright |
12 | .\" notice, this list of conditions and the following disclaimer. | | 12 | .\" notice, this list of conditions and the following disclaimer. |
13 | .\" | | 13 | .\" |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
15 | .\" notice, this list of conditions and the following disclaimer in the | | 15 | .\" notice, this list of conditions and the following disclaimer in the |
16 | .\" documentation and/or other materials provided with the distribution. | | 16 | .\" documentation and/or other materials provided with the distribution. |
17 | .\" | | 17 | .\" |
18 | .\" 3. Neither the name of the Institute nor the names of its contributors | | 18 | .\" 3. Neither the name of the Institute nor the names of its contributors |
19 | .\" may be used to endorse or promote products derived from this software | | 19 | .\" may be used to endorse or promote products derived from this software |
20 | .\" without specific prior written permission. | | 20 | .\" without specific prior written permission. |
21 | .\" | | 21 | .\" |
22 | .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND | | 22 | .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND |
23 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | | 23 | .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
24 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | | 24 | .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
25 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE | | 25 | .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE |
26 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | | 26 | .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
27 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | | 27 | .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
28 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | | 28 | .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
29 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | | 29 | .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
30 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | | 30 | .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
31 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | | 31 | .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
32 | .\" SUCH DAMAGE. | | 32 | .\" SUCH DAMAGE. |
33 | .\" | | 33 | .\" |
34 | .\" Id | | 34 | .\" Id |
35 | .\" | | 35 | .\" |
36 | .Dd April 20, 2005 | | 36 | .Dd April 20, 2005 |
37 | .Dt GSSAPI 3 | | 37 | .Dt GSSAPI 3 |
38 | .Os | | 38 | .Os |
39 | .Sh NAME | | 39 | .Sh NAME |
40 | .Nm gssapi | | 40 | .Nm gssapi |
41 | .Nd Generic Security Service Application Program Interface library | | 41 | .Nd Generic Security Service Application Program Interface library |
42 | .Sh LIBRARY | | 42 | .Sh LIBRARY |
43 | GSS-API Library (libgssapi, -lgssapi) | | 43 | GSS-API Library (libgssapi, -lgssapi) |
44 | .Sh DESCRIPTION | | 44 | .Sh DESCRIPTION |
45 | The Generic Security Service Application Program Interface (GSS-API) | | 45 | The Generic Security Service Application Program Interface (GSS-API) |
46 | provides security services to callers in a generic fashion, | | 46 | provides security services to callers in a generic fashion, |
47 | supportable with a range of underlying mechanisms and technologies and | | 47 | supportable with a range of underlying mechanisms and technologies and |
48 | hence allowing source-level portability of applications to different | | 48 | hence allowing source-level portability of applications to different |
49 | environments. | | 49 | environments. |
50 | .Pp | | 50 | .Pp |
51 | The GSS-API implementation in Heimdal implements the Kerberos 5 and | | 51 | The GSS-API implementation in Heimdal implements the Kerberos 5 and |
52 | the SPNEGO GSS-API security mechanisms. | | 52 | the SPNEGO GSS-API security mechanisms. |
53 | .Sh LIST OF FUNCTIONS | | 53 | .Sh LIST OF FUNCTIONS |
54 | These functions constitute the gssapi library, | | 54 | These functions constitute the gssapi library, |
55 | .Em libgssapi . | | 55 | .Em libgssapi . |
56 | Declarations for these functions may be obtained from the include file | | 56 | Declarations for these functions may be obtained from the include file |
57 | .Pa gssapi/gssapi.h . | | 57 | .Pa gssapi/gssapi.h . |
58 | .Bl -column -compact | | 58 | .Bl -column -compact |
59 | .It Sy Name/Page | | 59 | .It Sy Name/Page |
60 | .It Xr gss_accept_sec_context 3 | | 60 | .It Xr gss_accept_sec_context 3 |
61 | .It Xr gss_acquire_cred 3 | | 61 | .It Xr gss_acquire_cred 3 |
62 | .It Xr gss_add_cred 3 | | 62 | .It Xr gss_add_cred 3 |
63 | .It Xr gss_add_oid_set_member 3 | | 63 | .It Xr gss_add_oid_set_member 3 |
64 | .It Xr gss_canonicalize_name 3 | | 64 | .It Xr gss_canonicalize_name 3 |
65 | .It Xr gss_compare_name 3 | | 65 | .It Xr gss_compare_name 3 |
66 | .It Xr gss_context_time 3 | | 66 | .It Xr gss_context_time 3 |
67 | .It Xr gss_create_empty_oid_set 3 | | 67 | .It Xr gss_create_empty_oid_set 3 |
68 | .It Xr gss_delete_sec_context 3 | | 68 | .It Xr gss_delete_sec_context 3 |
69 | .It Xr gss_display_name 3 | | 69 | .It Xr gss_display_name 3 |
70 | .It Xr gss_display_status 3 | | 70 | .It Xr gss_display_status 3 |
71 | .It Xr gss_duplicate_name 3 | | 71 | .It Xr gss_duplicate_name 3 |
72 | .It Xr gss_export_name 3 | | 72 | .It Xr gss_export_name 3 |
73 | .It Xr gss_export_sec_context 3 | | 73 | .It Xr gss_export_sec_context 3 |
74 | .It Xr gss_get_mic 3 | | 74 | .It Xr gss_get_mic 3 |
75 | .It Xr gss_import_name 3 | | 75 | .It Xr gss_import_name 3 |
76 | .It Xr gss_import_sec_context 3 | | 76 | .It Xr gss_import_sec_context 3 |
77 | .It Xr gss_indicate_mechs 3 | | 77 | .It Xr gss_indicate_mechs 3 |
78 | .It Xr gss_init_sec_context 3 | | 78 | .It Xr gss_init_sec_context 3 |
79 | .It Xr gss_inquire_context 3 | | 79 | .It Xr gss_inquire_context 3 |
80 | .It Xr gss_inquire_cred 3 | | 80 | .It Xr gss_inquire_cred 3 |
81 | .It Xr gss_inquire_cred_by_mech 3 | | 81 | .It Xr gss_inquire_cred_by_mech 3 |
82 | .It Xr gss_inquire_mechs_for_name 3 | | 82 | .It Xr gss_inquire_mechs_for_name 3 |
83 | .It Xr gss_inquire_names_for_mech 3 | | 83 | .It Xr gss_inquire_names_for_mech 3 |
84 | .It Xr gss_krb5_ccache_name 3 | | 84 | .It Xr gss_krb5_ccache_name 3 |
85 | .It Xr gss_krb5_compat_des3_mic 3 | | 85 | .It Xr gss_krb5_compat_des3_mic 3 |
86 | .It Xr gss_krb5_copy_ccache 3 | | 86 | .It Xr gss_krb5_copy_ccache 3 |
87 | .It Xr gss_krb5_extract_authz_data_from_sec_context 3 | | 87 | .It Xr gss_krb5_extract_authz_data_from_sec_context 3 |
88 | .It Xr gss_krb5_import_ccache 3 | | 88 | .It Xr gss_krb5_import_ccache 3 |
89 | .It Xr gss_process_context_token 3 | | 89 | .It Xr gss_process_context_token 3 |
90 | .It Xr gss_release_buffer 3 | | 90 | .It Xr gss_release_buffer 3 |
91 | .It Xr gss_release_cred 3 | | 91 | .It Xr gss_release_cred 3 |
92 | .It Xr gss_release_name 3 | | 92 | .It Xr gss_release_name 3 |
93 | .It Xr gss_release_oid_set 3 | | 93 | .It Xr gss_release_oid_set 3 |
94 | .It Xr gss_seal 3 | | 94 | .It Xr gss_seal 3 |
95 | .It Xr gss_sign 3 | | 95 | .It Xr gss_sign 3 |
96 | .It Xr gss_test_oid_set_member 3 | | 96 | .It Xr gss_test_oid_set_member 3 |
97 | .It Xr gss_unseal 3 | | 97 | .It Xr gss_unseal 3 |
98 | .It Xr gss_unwrap 3 | | 98 | .It Xr gss_unwrap 3 |
99 | .It Xr gss_verify 3 | | 99 | .It Xr gss_verify 3 |
100 | .It Xr gss_verify_mic 3 | | 100 | .It Xr gss_verify_mic 3 |
101 | .It Xr gss_wrap 3 | | 101 | .It Xr gss_wrap 3 |
102 | .It Xr gss_wrap_size_limit 3 | | 102 | .It Xr gss_wrap_size_limit 3 |
103 | .El | | 103 | .El |
104 | .Sh COMPATIBILITY | | 104 | .Sh COMPATIBILITY |
105 | The | | 105 | The |
106 | .Nm Heimdal | | 106 | .Nm Heimdal |
107 | GSS-API implementation had a bug in releases before 0.6 that made it | | 107 | GSS-API implementation had a bug in releases before 0.6 that made it |
108 | fail to inter-operate when using DES3 with other GSS-API | | 108 | fail to inter-operate when using DES3 with other GSS-API |
109 | implementations when using | | 109 | implementations when using |
110 | .Fn gss_get_mic | | 110 | .Fn gss_get_mic |
111 | / | | 111 | / |
112 | .Fn gss_verify_mic . | | 112 | .Fn gss_verify_mic . |
113 | It is possible to modify the behavior of the generator of the MIC with | | 113 | It is possible to modify the behavior of the generator of the MIC with |
114 | the | | 114 | the |
115 | .Pa krb5.conf | | 115 | .Pa krb5.conf |
116 | configuration file so that old clients/servers will still | | 116 | configuration file so that old clients/servers will still |
117 | work. | | 117 | work. |
118 | .Pp | | 118 | .Pp |
119 | New clients/servers will try both the old and new MIC in Heimdal 0.6. | | 119 | New clients/servers will try both the old and new MIC in Heimdal 0.6. |
120 | In 0.7 it will check only if configured - the compatibility code will | | 120 | In 0.7 it will check only if configured - the compatibility code will |
121 | be removed in 0.8. | | 121 | be removed in 0.8. |
122 | .Pp | | 122 | .Pp |
123 | Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, | | 123 | Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, |
124 | this will change in 0.7 to generate correct des3 mic. | | 124 | this will change in 0.7 to generate correct des3 mic. |
125 | .Pp | | 125 | .Pp |
126 | To turn on compatibility with older clients and servers, change the | | 126 | To turn on compatibility with older clients and servers, change the |
127 | .Nm [gssapi] | | 127 | .Nm [gssapi] |
128 | .Ar broken_des3_mic | | 128 | .Ar broken_des3_mic |
129 | in | | 129 | in |
130 | .Pa krb5.conf | | 130 | .Pa krb5.conf |
131 | that contains a list of globbing expressions that will be matched | | 131 | that contains a list of globbing expressions that will be matched |
132 | against the server name. | | 132 | against the server name. |
133 | To turn off generation of the old (incompatible) mic of the MIC use | | 133 | To turn off generation of the old (incompatible) mic of the MIC use |
134 | .Nm [gssapi] | | 134 | .Nm [gssapi] |
135 | .Ar correct_des3_mic . | | 135 | .Ar correct_des3_mic . |
136 | .Pp | | 136 | .Pp |
137 | If a match for a entry is in both | | 137 | If a match for a entry is in both |
138 | .Nm [gssapi] | | 138 | .Nm [gssapi] |
139 | .Ar correct_des3_mic | | 139 | .Ar correct_des3_mic |
140 | and | | 140 | and |
141 | .Nm [gssapi] | | 141 | .Nm [gssapi] |
142 | .Ar broken_des3_mic , | | 142 | .Ar broken_des3_mic , |
143 | the later will override. | | 143 | the later will override. |
144 | .Pp | | 144 | .Pp |
145 | This config option modifies behaviour for both clients and servers. | | 145 | This config option modifies behaviour for both clients and servers. |
146 | .Pp | | 146 | .Pp |
147 | Microsoft implemented SPNEGO to Windows2000, however, they manage to | | 147 | Microsoft implemented SPNEGO to Windows2000, however, they managed to |
148 | get it wrong, their implementation didn't fill in the MechListMIC in | | 148 | get it wrong, their implementation didn't fill in the MechListMIC in |
149 | the reply token with the right content. | | 149 | the reply token with the right content. |
150 | There is a work around for this problem, but not all implementation | | 150 | There is a work around for this problem, but not all implementation |
151 | support it. | | 151 | support it. |
152 | .Pp | | 152 | .Pp |
153 | Heimdal defaults to correct SPNEGO when the the kerberos | | 153 | Heimdal defaults to correct SPNEGO when the the kerberos |
154 | implementation uses CFX, or when it is configured by the user. | | 154 | implementation uses CFX, or when it is configured by the user. |
155 | To turn on compatibility with peers, use option | | 155 | To turn on compatibility with peers, use option |
156 | .Nm [gssapi] | | 156 | .Nm [gssapi] |
157 | .Ar require_mechlist_mic . | | 157 | .Ar require_mechlist_mic . |
158 | .Sh EXAMPLES | | 158 | .Sh EXAMPLES |
159 | .Bd -literal -offset indent | | 159 | .Bd -literal -offset indent |
160 | [gssapi] | | 160 | [gssapi] |
161 | broken_des3_mic = cvs/*@SU.SE | | 161 | broken_des3_mic = cvs/*@SU.SE |
162 | broken_des3_mic = host/*@E.KTH.SE | | 162 | broken_des3_mic = host/*@E.KTH.SE |
163 | correct_des3_mic = host/*@SU.SE | | 163 | correct_des3_mic = host/*@SU.SE |
164 | require_mechlist_mic = host/*@SU.SE | | 164 | require_mechlist_mic = host/*@SU.SE |
165 | .Ed | | 165 | .Ed |
166 | .Sh BUGS | | 166 | .Sh BUGS |
167 | All of 0.5.x versions of | | 167 | All of 0.5.x versions of |
168 | .Nm heimdal | | 168 | .Nm heimdal |
169 | had broken token delegations in the client side, the server side was | | 169 | had broken token delegations in the client side, the server side was |
170 | correct. | | 170 | correct. |
171 | .Sh SEE ALSO | | 171 | .Sh SEE ALSO |
172 | .Xr krb5 3 , | | 172 | .Xr krb5 3 , |
173 | .Xr krb5.conf 5 , | | 173 | .Xr krb5.conf 5 , |
174 | .Xr kerberos 8 | | 174 | .Xr kerberos 8 |