The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an . Sun Microsystems (). “GSS-API Programming Guide”. The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.


The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application. Serializing a credential does not destroy it. Limitations of the GSSAPI include that it standardizes only authentication and not authorization, and that it assumes a client–server architecture. The serialization format does not protect this information from eavesdropping or tampering.

The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party.

DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.

On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name. In MIT krb5 versions prior to 1. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm).

Do you know if this is a krb library-specific thing, or can putty somehow use this too? The memory pointed to by the buffers is not required to be contiguous or in any particular order. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established.


The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used.

linux – Server side of GSSAPI for sshd and private key authentication – Stack Overflow

These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms. This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service.

I’m looking at a way of authenticating users connecting to an SSH daemon. If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab.

The value is ignored. After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit. Are you going to do programming? This is not clear from your question. A serialized credential may contain secret information such as ticket session keys.

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. Note: If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

These resources are normally serialized as references to their external locations such as the filename of the credential cache.

Is there any way of providing user’s public key that way?

Generic Security Services Application Program Interface

The following name types are supported by the krb5 mechanism: As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format.


If the security implementation ever needs replacing, the application need not be rewritten. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator.

The only guides I’ve found so far are very low-level protocol descriptions or server configuration guides for admins.


Yes, I believe I need to implement my own server-side component to do the authentication, so it’s a programming question. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

The value should be a string of the form service or service@hostname. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists.

If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab.