NAME¶
gssapi —
Generic Security Service
Application Program Interface library
LIBRARY¶
GSS-API Library (libgssapi, -lgssapi)
DESCRIPTION¶
The Generic Security Service Application Program Interface (GSS-API) provides
security services to callers in a generic fashion, supportable with a range of
underlying mechanisms and technologies and hence allowing source-level
portability of applications to different environments.
The GSS-API implementation in Heimdal implements the Kerberos 5 and the SPNEGO
GSS-API security mechanisms.
LIST OF FUNCTIONS¶
These functions constitute the gssapi library,
libgssapi.
Declarations for these functions may be obtained from the include file
gssapi.h.
COMPATIBILITY¶
The
Heimdal GSS-API implementation had a bug in releases
before 0.6 that made it fail to inter-operate when using DES3 with other
GSS-API implementations when using
gss_get_mic() /
gss_verify_mic(). It is possible to modify the behavior of
the generator of the MIC with the
krb5.conf configuration
file so that old clients/servers will still work.
New clients/servers will try both the old and new MIC in Heimdal 0.6. In 0.7 it
will check only if configured - the compatibility code will be removed in 0.8.
Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this will
change in 0.7 to generate correct des3 mic.
To turn on compatibility with older clients and servers, change the
[gssapi] broken_des3_mic in
krb5.conf that contains a list of globbing expressions that
will be matched against the server name. To turn off generation of the old
(incompatible) mic of the MIC use
[gssapi]
correct_des3_mic.
If a match for a entry is in both
[gssapi]
correct_des3_mic and
[gssapi]
broken_des3_mic, the later will override.
This config option modifies behaviour for both clients and servers.
Microsoft implemented SPNEGO to Windows2000, however, they managed to get it
wrong, their implementation didn't fill in the MechListMIC in the reply token
with the right content. There is a work around for this problem, but not all
implementation support it.
Heimdal defaults to correct SPNEGO when the the kerberos implementation uses
CFX, or when it is configured by the user. To turn on compatibility with
peers, use option
[gssapi]
require_mechlist_mic.
EXAMPLES¶
[gssapi]
broken_des3_mic = cvs/*@SU.SE
broken_des3_mic = host/*@E.KTH.SE
correct_des3_mic = host/*@SU.SE
require_mechlist_mic = host/*@SU.SE
BUGS¶
All of 0.5.x versions of
heimdal had broken token delegations
in the client side, the server side was correct.
SEE ALSO¶
krb5(3),
krb5.conf(5),
kerberos(8)