The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an . The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.


The value should be a string of the form service or service@hostname.

linux – Server side of GSSAPI for sshd and private key authentication – Stack Overflow

If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm. As above, but the value is a decimal string representation of the uid. Yes, I believe I need to implement my own server-side component to do the authentication, so it’s a programming question. I don’t know if the Windows domain login is enabled for pkinit.

In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity, which may or may not be allowed by a particular server or Kerberos realm. Are you going to do programming? This is not clear from your question.

If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established.


After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit. These resources are normally serialized as references to their external locations, such as the filename of the credential cache. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security.

If the security implementation ever needs replacing, the application need not be rewritten. Serializing a credential does not destroy it. Note In MIT krb5 versions prior to 1.

The serialization format does not protect this information from eavesdropping or tampering. The memory pointed to by the buffers is not required to be contiguous or in any particular order.

But there are some kinit versions that support pkinit. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server. The following name types are supported by the krb5 mechanism:


Kerberos (GSSAPI) Authentication – Reflection for Secure IT for UNIX

If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab.

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab.

This is the recommended approach if the server application has no specific requirements to the contrary. Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture.

Generic Security Services Application Program Interface

The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format.


Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults]. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator.

A serialized credential may contain secret information such as ticket session keys. The value should be a principal name string. This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service.

Instead, security-service vendors provide GSSAPI implementations, usually in the form of libraries installed with their security software. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.

I’m looking at a way of authenticating users connecting to an SSH daemon. On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is used as a principal name.

Note: If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults]. Do you know if prograjming is a krb library-specific thing, or can putty somehow use this too?