rpcsec_gss(3N)
NAME
rpcsec_gss - security flavor incorporating GSS-API protections
SYNOPSIS
[flag]... file... [library]...
DESCRIPTION
RPCSEC_GSS is a security flavor which sits "on top" of the GSS-API
(Generic Security Service Application Programming Interface) for
network transmissions. Applications using RPCSEC_GSS can take
advantage of GSS-API security features; moreover, they can use any
security mechanism (such as RSA public key or Kerberos) that works
with the GSS-API.
The GSS-API offers two security services beyond the traditional
authentication services: integrity and privacy. With integrity, the
system uses cryptographic checksumming to ensure the authenticity of a
message (authenticity of originator, recipient, and data); privacy
provides additional security by encrypting data. Applications using
RPCSEC_GSS specify which service they wish to use. The type of
security service is mechanism-independent.
Before exchanging data with a peer, an application must establish a
context for the exchange. RPCSEC_GSS provides a single function for
this purpose, which allows the application to specify the security
mechanism, Quality of Protection (QOP), and type of service at context
creation. (The QOP parameter sets the cryptographic algorithms to be
used with integrity or privacy, and is mechanism-dependent.) Once a
context is established, applications can reset the QOP and type of
service for each data unit exchanged, if desired. Valid mechanisms
and QOPs may be obtained from configuration files or from the name
service. Each mechanism has a default QOP.
Contexts are destroyed with the usual RPC call.
Data Structures
Some of the data structures used by the RPCSEC_GSS package are shown
below.
rpc_gss_service_t
This enum defines the types of security services the context may have.
takes this as one argument when setting the service type for a session.
rpc_gss_options_req_t
Structure containing options passed directly through to the GSS-API.
takes this as an argument when creating a context.
rpc_gss_OID
This data type is used by in-kernel RPC routines, and thus is mentioned
here for informational purposes only.
rpc_gss_options_ret_t
Structure containing GSS-API options returned to the calling function,
is defined as 128.
rpc_gss_principal_t
The (mechanism-dependent, opaque) client principal type is used as an
argument to the function, and in the table. Also referenced by the
structure for raw credentials (see below).
rpc_gss_rawcred_t
Structure for raw credentials used by and
rpc_gss_ucred_t
Structure for UNIX credentials used by as an alternative to
rpc_gss_callback_t
Callback structure used by
rpc_gss_lock_t
Structure used by a callback routine to enforce a particular QOP and
service for a session. The field is normally set to the server sets it
to in order to lock the session. (A locked context will reject all
requests having different QOP and service values than those found in
the structure.) For more information, see rpc_gss_set_callback(3N).
rpc_gss_error_t
Structure used by to fetch an error code when a routine fails.
Index to Routines
The following lists routines and the manual reference pages on which
they are described. An (S) indicates it is a server-side function.
rpc_gss_seccreate(3N)
Create a secure context.
rpc_gss_set_defaults(3N)
Switch service and QOP for a session.
rpc_gss_max_data_length(3N)
Get maximum data length allowed by transport.
rpc_gss_set_svc_name(3N)
Set server's principal name. (S)
rpc_gss_getcred(3N)
Get credentials of caller. (S)
rpc_gss_set_callback(3N)
Specify callback to see context use. (S)
rpc_gss_get_principal_name(3N)
Get client principal name. (S)
rpc_gss_svc_max_data_length(3N)
Get maximum data length allowed by transport. (S)
rpc_gss_get_error(3N)
Get error number.
rpc_gss_get_mechanisms(3N)
Get valid mechanism strings.
rpc_gss_get_mech_info(3N)
Get valid QOP strings for current service.
rpc_gss_get_versions(3N)
Get supported versions.
rpc_gss_is_installed(3N)
Checks if a mechanism is installed.
rpc_gss_mech_to_oid(3N)
Maps ASCII mechanism to OID representation.
rpc_gss_qop_to_num(3N)
Maps ASCII QOP, mechanism to number.
Utilities
The gsscred utility manages the table which contains mappings of
principal names between network and local credentials. See the
gsscred(1M) man page.
MULTITHREAD USAGE
Thread Safe: Yes
Cancel Safe: Yes
Fork Safe: No
Async-cancel Safe: No
Async-signal Safe: No
These functions can be called safely in a multithreaded environment.
They may be cancellation points in that they call functions that are
cancel points.
In a multithreaded environment, these functions are not safe to be
called by a child process after and before . These functions should
not be called by a multithreaded application that supports
asynchronous cancellation or asynchronous signals.
FILES
List of installed mechanisms.
List of valid QOPs.
SEE ALSO
gsscred(1M), rpc(3N), rpc_clnt_auth(3N), xdr(3N), environ(5).