The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application programming interface through which programs obtain security services without binding themselves to one particular security technology. The GSSAPI allows applications to communicate securely using Kerberos 5 or other security mechanisms. The Secure Shell protocol supports Kerberos authentication via GSSAPI.
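The following sshd_config and ssh_config settings are an added illustration of that SSH support and are not part of the original page or of OpenSSH's own documentation; example.com, EXAMPLE.COM and the file paths are placeholders, and comments sit on their own lines because OpenSSH does not accept trailing comments after a value.

```text
# /etc/ssh/sshd_config (server side)

# Enable the gssapi-with-mic userauth method; the default is "no".
GSSAPIAuthentication yes
# Destroy any delegated Kerberos credentials when the session ends (default yes).
GSSAPICleanupCredentials yes
# Only accept a context whose target is host/<this host's canonical name>;
# with "no", any service key in the keytab would be accepted (default yes).
GSSAPIStrictAcceptorCheck yes

# ~/.ssh/config or /etc/ssh/ssh_config (client side)

Host *.example.com
    GSSAPIAuthentication yes
    # Do not forward the user's TGT to the server unless the server needs it.
    GSSAPIDelegateCredentials no
```

Two checks are worth making before debugging anything else: the server's keytab must hold the host service principal for its canonical name (for a host called login.example.com, `klist -k /etc/krb5.keytab` should list `host/login.example.com@EXAMPLE.COM`), and the client must already hold a TGT (`klist`), since sshd's GSSAPI support only accepts a Kerberos context and does not obtain tickets for the user. Running `ssh -vv user@login.example.com` shows whether the gssapi-with-mic method was offered and why it was refused.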


Generic Security Services Application Program Interface

From Wikipedia, the free encyclopedia

GSSAPI tokens can usually travel over an insecure network, as the mechanisms provide inherent message security. After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.

The GSSAPI itself provides no security; instead, security-service vendors provide GSSAPI implementations, usually in the form of libraries installed with their security software. If the security implementation ever needs replacing, the application need not be rewritten.

Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture.

The krb5 mechanism: name types, credentials and IOV wrapping

The following name types are supported by the krb5 mechanism (only the entries preserved on this page are given):

GSS_C_NT_HOSTBASED_SERVICE: the value should be a string of the form service or service@hostname. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms. If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults]; with reverse resolution enabled, the acceptor name the initiator ends up targeting depends on PTR records that the initiator does not control. Note: In MIT krb5 versions prior to 1.

GSS_C_NT_ANONYMOUS: the value is ignored.

Further name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms.

On the acceptor side, accepting with the default acceptor credential is the recommended approach if the server application has no specific requirements to the contrary.

When initiating, if no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. The same applies when no initiator name is given: if there are no existing tickets for the principal the mechanism chooses, but that principal is present in the default client keytab, it will acquire initial tickets from the keytab.

Credential export and import: when the exported credential refers to a memory credential cache, the contents of the cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. A serialized credential may contain secret information such as ticket session keys, and the serialization format does not protect this information from eavesdropping or tampering, so the token must only travel over a channel that does. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter.

IOV wrapping: when computing output sizes with gss_wrap_iov_length, DATA buffers must be provided in the iov list so that the padding length can be computed correctly, but the output buffers need not be initialized. The memory pointed to by the buffers is not required to be contiguous or in any particular order.

linux – Server side of GSSAPI for sshd and private key authentication – Stack Overflow

From the question and its comments:

"Is there any way of providing user's public key that way? I don't know if the Windows domain login is enabled for PKINIT."

"Yes, I believe I need to implement my own server-side component to do the authentication, so it's a programming question."

"After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit."
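The credential export and import caveats above boil down to one rule for the importer: do not call the import function on a token whose sender may be less privileged than you. The following added example, which is not code from the krb5 project or from the original page, enforces that rule for a token handed over a local Unix-domain socket, where the kernel vouches for the sender's uid and gid through SO_PEERCRED (Linux). The token contents are a constructed placeholder, the import step is a caller-supplied callback standing in for gss_import_cred, and MAX_TOKEN_LEN is an assumed limit; everything else is standard-library Python.

```python
"""Added example: privilege check before importing a serialized GSSAPI credential.

Not part of the krb5 documentation or the original page.  The serialized
token is opaque here; import_cred() is a stand-in for gss_import_cred().
"""
import os
import socket
import struct
from dataclasses import dataclass
from typing import Callable, Optional

# Linux struct ucred as returned by SO_PEERCRED: pid_t, uid_t, gid_t.
_UCRED_FMT = "iII"
# Assumed upper bound on a token; a serialized memory ccache is far smaller.
MAX_TOKEN_LEN = 1 << 20


@dataclass(frozen=True)
class PeerIdentity:
    pid: int
    uid: int
    gid: int


def exporter_is_trusted(peer: PeerIdentity, importer_uid: int, importer_gid: int) -> bool:
    """The 'similar privileges' rule from the krb5 documentation.

    The token may reference credential-cache, keytab or replay-cache paths
    the exporter could not open itself; importing it would make *our*
    process open them.  Policy: accept only from root or from exactly our
    own uid and gid.
    """
    if peer.uid == 0:
        return True
    return peer.uid == importer_uid and peer.gid == importer_gid


def peer_identity(sock: socket.socket) -> PeerIdentity:
    """Kernel-asserted identity of the peer on a connected AF_UNIX socket."""
    opt = getattr(socket, "SO_PEERCRED", None)
    if opt is None:
        raise OSError("SO_PEERCRED is not available on this platform")
    raw = sock.getsockopt(socket.SOL_SOCKET, opt, struct.calcsize(_UCRED_FMT))
    pid, uid, gid = struct.unpack(_UCRED_FMT, raw)
    return PeerIdentity(pid, uid, gid)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before the full token arrived")
        buf += chunk
    return bytes(buf)


def send_credential_token(sock: socket.socket, token: bytes) -> None:
    """Exporter side: 4-byte big-endian length prefix, then the opaque token."""
    sock.sendall(struct.pack("!I", len(token)) + token)


def receive_credential_token(sock: socket.socket,
                             import_cred: Callable[[bytes], object]) -> Optional[object]:
    """Importer side: returns import_cred(token), or None if the sender is refused.

    The serialized format gives no protection against eavesdropping or
    tampering, so this is only safe on a channel that does (a local AF_UNIX
    socket here), never over plain TCP.
    """
    peer = peer_identity(sock)
    if not exporter_is_trusted(peer, os.geteuid(), os.getegid()):
        return None  # refuse: the token could smuggle references we must not follow
    (length,) = struct.unpack("!I", _recv_exact(sock, 4))
    if length > MAX_TOKEN_LEN:
        raise ValueError(f"token length {length} exceeds MAX_TOKEN_LEN")
    token = _recv_exact(sock, length)
    return import_cred(token)


def demo() -> bool:
    """Constructed round trip over a socketpair: both ends are this process,
    so the peer check passes and the placeholder importer sees the token."""
    constructed_token = b"\x00\x01krb5-exported-cred-placeholder"  # not a real token
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        send_credential_token(a, constructed_token)
        got = receive_credential_token(b, import_cred=lambda t: t)
    finally:
        a.close()
        b.close()
    return got == constructed_token


if __name__ == "__main__":
    print("round trip accepted:", demo())
```

The check runs before any token bytes are consumed, so a refused sender cannot even get the importer to parse its framing. Requiring an exact uid and gid match (or root) is deliberately stricter than "similar privileges": a same-uid process in a different group could still be unable to read a group-protected keytab that the importer can, which is precisely the reference the documentation warns about.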