.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $
.\"
.Dd January 23, 2003
.Dt GSSAPI 3
.Os
.Sh NAME
.Nm gssapi
.Nd Generic Security Service Application Program Interface library
.Sh LIBRARY
GSS-API Library (libgssapi, -lgssapi)
.Sh DESCRIPTION
The Generic Security Service Application Program Interface (GSS-API)
provides security services to callers in a generic fashion,
supportable with a range of underlying mechanisms and technologies and
hence allowing source-level portability of applications to different
environments.
.Sh LIST OF FUNCTIONS
These functions constitute the gssapi library,
.Em libgssapi .
Declarations for these functions may be obtained from the include file
.Pa gssapi.h .
.sp 2
.nf
.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u
\fIName/Page\fP	\fIDescription\fP
.ta \w'gss_inquire_names_for_mech'u+2n +\w'Description goes here'u+6nC
.sp 5p
gss_accept_sec_context.3
gss_acquire_cred.3
gss_add_cred.3
gss_add_oid_set_member.3
gss_canonicalize_name.3
gss_compare_name.3
gss_context_time.3
gss_create_empty_oid_set.3
gss_delete_sec_context.3
gss_display_name.3
gss_display_status.3
gss_duplicate_name.3
gss_export_name.3
gss_export_sec_context.3
gss_get_mic.3
gss_import_name.3
gss_import_sec_context.3
gss_indicate_mechs.3
gss_init_sec_context.3
gss_inquire_context.3
gss_inquire_cred.3
gss_inquire_cred_by_mech.3
gss_inquire_mechs_for_name.3
gss_inquire_names_for_mech.3
gss_krb5_copy_ccache.3
gss_process_context_token.3
gss_release_buffer.3
gss_release_cred.3
gss_release_name.3
gss_release_oid_set.3
gss_seal.3
gss_sign.3
gss_test_oid_set_member.3
gss_unseal.3
gss_unwrap.3
gss_verify.3
gss_verify_mic.3
gss_wrap.3
gss_wrap_size_limit.3
.ta
.fi
.Sh COMPATIBILITY
The
.Nm Heimdal
GSS-API implementation had a bug in releases before 0.6 that made it
fail to inter-operate when using DES3 with other GSS-API
implementations when using
.Fn gss_get_mic
/
.Fn gss_verify_mic .
It is possible to modify the behavior of the generator of the MIC with
the
.Pa krb5.conf
configuration file so that old clients/servers will still
work.
.Pp
New clients/servers will try both the old and new MIC in Heimdal 0.6.
In 0.7 it will check only if configured, and the compatibility code
will be removed in 0.8.
.Pp
Heimdal 0.6 still generates the broken GSS-API DES3 MIC by default;
this will change in 0.7, which will generate the correct DES3 MIC.
.Pp
To turn on compatibility with older clients and servers, set the
.Nm [gssapi]
.Ar broken_des3_mic
option in
.Pa krb5.conf ;
it contains a list of globbing expressions that will be matched
against the server name.
To turn off generation of the old (incompatible) MIC, use
.Nm [gssapi]
.Ar correct_des3_mic .
.Pp
If a match for an entry is in both
.Nm [gssapi]
.Ar correct_des3_mic
and
.Nm [gssapi]
.Ar correct_des3_mic ,
the latter will override.
.Pp
This config option modifies behaviour for both clients and servers.
.Pp
Example:
.Bd -literal -offset indent
[gssapi]
	broken_des3_mic = cvs/*@SU.SE
	broken_des3_mic = host/*@E.KTH.SE
	correct_des3_mic = host/*@SU.SE
.Ed
.Sh BUGS
All 0.5.x versions of
.Nm heimdal
had broken token delegation on the client side; the server side was
correct.
.Sh SEE ALSO
.Xr krb5 3 ,
.Xr krb5.conf 5 ,
.Xr kerberos 8
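.Sh EXAMPLES
The krb5.conf matching described under COMPATIBILITY, as an added example that is not part of the Heimdal distribution or of the original manual page: a Python audit helper that reads the [gssapi] section and reports which server names are still listed for the old DES3 MIC.
The function names, verdict strings, sample server names and the space-separated splitting of a value are assumptions; a name found in both lists is only flagged for review, not resolved.

```python
import fnmatch

# Constructed sample: the [gssapi] example from this page, preceded by an
# unrelated section to show that only [gssapi] entries are read.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = SU.SE

[gssapi]
    broken_des3_mic = cvs/*@SU.SE
    broken_des3_mic = host/*@E.KTH.SE
    correct_des3_mic = host/*@SU.SE
"""
OPTIONS = ("broken_des3_mic", "correct_des3_mic")


def gssapi_globs(conf_text):
    """Collect the glob lists of both options from the [gssapi] section."""
    globs = {name: [] for name in OPTIONS}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # entering a new section
            continue
        if section != "gssapi" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in globs:
            # Assumption: one entry may carry several space-separated globs.
            globs[key].extend(value.split())
    return globs


def classify(server_name, globs):
    """Return (verdict, matching globs per option) for one server name."""
    hits = {name: [g for g in globs[name]
                   if fnmatch.fnmatchcase(server_name, g)]
            for name in OPTIONS}
    if hits["broken_des3_mic"] and hits["correct_des3_mic"]:
        return "listed-in-both", hits     # precedence decides; review it
    if hits["broken_des3_mic"]:
        return "broken-mic-compat", hits  # still pinned to the old MIC
    if hits["correct_des3_mic"]:
        return "correct-mic", hits
    return "default", hits                # the release default applies
```

Run over an inventory of service principals, the helper shows which entries still need the compatibility setting before the compatibility code is removed.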