gsskrb5_extract_authz_data_from_sec_context man page on OpenBSD

Man page or keyword search:  
man Server   11362 pages
apropos Keyword Search (all sections)
Output format
OpenBSD logo
[printable version]

GSS_ACQUIRE_CRED(3)	  OpenBSD Programmer's Manual	   GSS_ACQUIRE_CRED(3)

NAME
     gss_accept_sec_context, gss_acquire_cred, gss_add_cred,
     gss_add_oid_set_member, gss_canonicalize_name, gss_compare_name,
     gss_context_time, gss_create_empty_oid_set, gss_delete_sec_context,
     gss_display_name, gss_display_status, gss_duplicate_name,
     gss_export_name, gss_export_sec_context, gss_get_mic, gss_import_name,
     gss_import_sec_context, gss_indicate_mechs, gss_init_sec_context,
     gss_inquire_context, gss_inquire_cred, gss_inquire_cred_by_mech,
     gss_inquire_mechs_for_name, gss_inquire_names_for_mech,
     gss_krb5_ccache_name, gss_krb5_compat_des3_mic, gss_krb5_copy_ccache,
     gsskrb5_extract_authz_data_from_sec_context, gss_krb5_get_tkt_flags,
     gss_process_context_token, gss_release_buffer, gss_release_cred,
     gss_release_name, gss_release_oid_set, gss_seal, gss_sign,
     gss_test_oid_set_member, gss_unseal, gss_unwrap, gss_verify,
     gss_verify_mic, gss_wrap, gss_wrap_size_limit - Generic Security Service
     Application Program Interface library

LIBRARY
     GSS-API library (libgssapi, -lgssapi)

SYNOPSIS
     #include <gssapi.h>

     OM_uint32
     gss_accept_sec_context(OM_uint32 * minor_status, gss_ctx_id_t *
     context_handle, const gss_cred_id_t acceptor_cred_handle, const
     gss_buffer_t input_token_buffer, const gss_channel_bindings_t
     input_chan_bindings, gss_name_t * src_name, gss_OID * mech_type,
     gss_buffer_t output_token, OM_uint32 * ret_flags, OM_uint32 * time_rec,
     gss_cred_id_t * delegated_cred_handle);

     OM_uint32
     gss_acquire_cred(OM_uint32 * minor_status, const gss_name_t desired_name,
     OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t
     cred_usage, gss_cred_id_t * output_cred_handle, gss_OID_set *
     actual_mechs, OM_uint32 * time_rec);

     OM_uint32
     gss_add_cred(OM_uint32 *minor_status, const gss_cred_id_t
     input_cred_handle, const gss_name_t desired_name, const gss_OID
     desired_mech, gss_cred_usage_t cred_usage, OM_uint32 initiator_time_req,
     OM_uint32 acceptor_time_req, gss_cred_id_t *output_cred_handle,
     gss_OID_set *actual_mechs, OM_uint32 *initiator_time_rec, OM_uint32
     *acceptor_time_rec);

     OM_uint32
     gss_add_oid_set_member(OM_uint32 * minor_status, const gss_OID
     member_oid, gss_OID_set * oid_set);

     OM_uint32
     gss_canonicalize_name(OM_uint32 * minor_status, const gss_name_t
     input_name, const gss_OID mech_type, gss_name_t * output_name);

     OM_uint32
     gss_compare_name(OM_uint32 * minor_status, const gss_name_t name1, const
     gss_name_t name2, int * name_equal);

     OM_uint32
     gss_context_time(OM_uint32 * minor_status, const gss_ctx_id_t
     context_handle, OM_uint32 * time_rec);

     OM_uint32
     gss_create_empty_oid_set(OM_uint32 * minor_status, gss_OID_set *
     oid_set);

     OM_uint32
     gss_delete_sec_context(OM_uint32 * minor_status, gss_ctx_id_t *
     context_handle, gss_buffer_t output_token);

     OM_uint32
     gss_display_name(OM_uint32 * minor_status, const gss_name_t input_name,
     gss_buffer_t output_name_buffer, gss_OID * output_name_type);

     OM_uint32
     gss_display_status(OM_uint32 *minor_status, OM_uint32 status_value, int
     status_type, const gss_OID mech_type, OM_uint32 *message_context,
     gss_buffer_t status_string);

     OM_uint32
     gss_duplicate_name(OM_uint32 * minor_status, const gss_name_t src_name,
     gss_name_t * dest_name);

     OM_uint32
     gss_export_name(OM_uint32 * minor_status, const gss_name_t input_name,
     gss_buffer_t exported_name);

     OM_uint32
     gss_export_sec_context(OM_uint32 * minor_status, gss_ctx_id_t *
     context_handle, gss_buffer_t interprocess_token);

     OM_uint32
     gss_get_mic(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
     gss_qop_t qop_req, const gss_buffer_t message_buffer, gss_buffer_t
     message_token);

     OM_uint32
     gss_import_name(OM_uint32 * minor_status, const gss_buffer_t
     input_name_buffer, const gss_OID input_name_type, gss_name_t *
     output_name);

     OM_uint32
     gss_import_sec_context(OM_uint32 * minor_status, const gss_buffer_t
     interprocess_token, gss_ctx_id_t * context_handle);

     OM_uint32
     gss_indicate_mechs(OM_uint32 * minor_status, gss_OID_set * mech_set);

     OM_uint32
     gss_init_sec_context(OM_uint32 * minor_status, const gss_cred_id_t
     initiator_cred_handle, gss_ctx_id_t * context_handle, const gss_name_t
     target_name, const gss_OID mech_type, OM_uint32 req_flags, OM_uint32
     time_req, const gss_channel_bindings_t input_chan_bindings, const
     gss_buffer_t input_token, gss_OID * actual_mech_type, gss_buffer_t
     output_token, OM_uint32 * ret_flags, OM_uint32 * time_rec);

     OM_uint32
     gss_inquire_context(OM_uint32 * minor_status, const gss_ctx_id_t
     context_handle, gss_name_t * src_name, gss_name_t * targ_name, OM_uint32
     * lifetime_rec, gss_OID * mech_type, OM_uint32 * ctx_flags, int *
     locally_initiated, int * open_context);

     OM_uint32
     gss_inquire_cred(OM_uint32 * minor_status, const gss_cred_id_t
     cred_handle, gss_name_t * name, OM_uint32 * lifetime, gss_cred_usage_t *
     cred_usage, gss_OID_set * mechanisms);

     OM_uint32
     gss_inquire_cred_by_mech(OM_uint32 * minor_status, const gss_cred_id_t
     cred_handle, const gss_OID mech_type, gss_name_t * name, OM_uint32 *
     initiator_lifetime, OM_uint32 * acceptor_lifetime, gss_cred_usage_t *
     cred_usage);

     OM_uint32
     gss_inquire_mechs_for_name(OM_uint32 * minor_status, const gss_name_t
     input_name, gss_OID_set * mech_types);

     OM_uint32
     gss_inquire_names_for_mech(OM_uint32 * minor_status, const gss_OID
     mechanism, gss_OID_set * name_types);

     OM_uint32
     gss_krb5_ccache_name(OM_uint32 *minor, const char *name, const char
     **old_name);

     OM_uint32
     gss_krb5_copy_ccache(OM_uint32 *minor, gss_cred_id_t cred, krb5_ccache
     out);

     OM_uint32
     gss_krb5_compat_des3_mic(OM_uint32 * minor_status, gss_ctx_id_t
     context_handle, int onoff);

     OM_uint32
     gsskrb5_extract_authz_data_from_sec_context(OM_uint32 *minor_status,
     gss_ctx_id_t context_handle, int ad_type, gss_buffer_t ad_data);

     OM_uint32
     gss_krb5_get_tkt_flags(OM_uint32 *minor_status, gss_ctx_id_t
     context_handle, OM_uint32 *tkt_flags);

     OM_uint32
     gss_process_context_token(OM_uint32 * minor_status, const gss_ctx_id_t
     context_handle, const gss_buffer_t token_buffer);

     OM_uint32
     gss_release_buffer(OM_uint32 * minor_status, gss_buffer_t buffer);

     OM_uint32
     gss_release_cred(OM_uint32 * minor_status, gss_cred_id_t * cred_handle);

     OM_uint32
     gss_release_name(OM_uint32 * minor_status, gss_name_t * input_name);

     OM_uint32
     gss_release_oid_set(OM_uint32 * minor_status, gss_OID_set * set);

     OM_uint32
     gss_seal(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int
     conf_req_flag, int qop_req, gss_buffer_t input_message_buffer, int *
     conf_state, gss_buffer_t output_message_buffer);

     OM_uint32
     gss_sign(OM_uint32 * minor_status, gss_ctx_id_t context_handle, int
     qop_req, gss_buffer_t message_buffer, gss_buffer_t message_token);

     OM_uint32
     gss_test_oid_set_member(OM_uint32 * minor_status, const gss_OID member,
     const gss_OID_set set, int * present);

     OM_uint32
     gss_unseal(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
     gss_buffer_t input_message_buffer, gss_buffer_t output_message_buffer,
     int * conf_state, int * qop_state);

     OM_uint32
     gss_unwrap(OM_uint32 * minor_status, const gss_ctx_id_t context_handle,
     const gss_buffer_t input_message_buffer, gss_buffer_t
     output_message_buffer, int * conf_state, gss_qop_t * qop_state);

     OM_uint32
     gss_verify(OM_uint32 * minor_status, gss_ctx_id_t context_handle,
     gss_buffer_t message_buffer, gss_buffer_t token_buffer, int * qop_state);

     OM_uint32
     gss_verify_mic(OM_uint32 * minor_status, const gss_ctx_id_t
     context_handle, const gss_buffer_t message_buffer, const gss_buffer_t
     token_buffer, gss_qop_t * qop_state);

     OM_uint32
     gss_wrap(OM_uint32 * minor_status, const gss_ctx_id_t context_handle, int
     conf_req_flag, gss_qop_t qop_req, const gss_buffer_t
     input_message_buffer, int * conf_state, gss_buffer_t
     output_message_buffer);

     OM_uint32
     gss_wrap_size_limit(OM_uint32 * minor_status, const gss_ctx_id_t
     context_handle, int conf_req_flag, gss_qop_t qop_req, OM_uint32
     req_output_size, OM_uint32 * max_input_size);

DESCRIPTION
     Generic Security Service API (GSS-API) version 2, and its C binding, are
     described in RFC 2743 and RFC 2744.  Version 1 (deprecated) of the C
     binding is described in RFC 1509.

     Heimdals GSS-API implementation supports the following mechanisms

	   o   GSS_KRB5_MECHANISM
	   o   GSS_SPNEGO_MECHANISM

     GSS-API have generic name types that all mechanism are supposed to
     implement (if possible):

	   o   GSS_C_NT_USER_NAME
	   o   GSS_C_NT_MACHINE_UID_NAME
	   o   GSS_C_NT_STRING_UID_NAME
	   o   GSS_C_NT_HOSTBASED_SERVICE
	   o   GSS_C_NT_ANONYMOUS
	   o   GSS_C_NT_EXPORT_NAME

     GSS-API implementations that supports Kerberos 5 have some additional
     name types:

	   o   GSS_KRB5_NT_PRINCIPAL_NAME
	   o   GSS_KRB5_NT_USER_NAME
	   o   GSS_KRB5_NT_MACHINE_UID_NAME
	   o   GSS_KRB5_NT_STRING_UID_NAME

     In GSS-API, names have two forms, internal names and contiguous string
     names.

     o	 Internal name and mechanism name

	 Internal names are implementation specific representation of a GSS-
	 API name.  Mechanism names special form of internal names corresponds
	 to one and only one mechanism.

	 In GSS-API an internal name is stored in a gss_name_t.

     o	 Contiguous string name and exported name

	 Contiguous string names are gssapi names stored in a OCTET STRING
	 that together with a name type identifier (OID) uniquely specifies a
	 gss-name.  A special form of the contiguous string name is the
	 exported name that have a OID embedded in the string to make it
	 unique.  Exported name have the nametype GSS_C_NT_EXPORT_NAME.

	 In GSS-API an contiguous string name is stored in a gss_buffer_t.

	 Exported names also have the property that they are specified by the
	 mechanism itself and compatible between diffrent GSS-API
	 implementations.

ACCESS CONTROL
     There are two ways of comparing GSS-API names, either comparing two
     internal names with each other or two contiguous string names with either
     other.

     To compare two internal names with each other, import (if needed) the
     names with gss_import_name() into the GSS-API implementation and the
     compare the imported name with gss_compare_name().

     Importing names can be slow, so when its possible to store exported names
     in the access control list, comparing contiguous string name might be
     better.

     when comparing contiguous string name, first export them into a
     GSS_C_NT_EXPORT_NAME name with gss_export_name() and then compare with
     memcmp(3).

     Note that there are might be a difference between the two methods of
     comparing names.  The first (using gss_compare_name()) will compare to
     (unauthenticated) names are the same.  The second will compare if a
     mechanism will authenticate them as the same principal.

     For example, if gss_import_name() name was used with GSS_C_NO_OID the
     default syntax is used for all mechanism the GSS-API implementation
     supports.	When compare the imported name of GSS_C_NO_OID it may match
     serveral mechanism names (MN).

     The resulting name from gss_display_name() must not be used for acccess
     control.

FUNCTIONS
     gss_display_name() takes the gss name in input_name and puts a printable
     form in output_name_buffer.  output_name_buffer should be freed when done
     using gss_release_buffer().  output_name_type can either be NULL or a
     pointer to a gss_OID and will in the latter case contain the OID type of
     the name.	The name must only be used for printing.  If access control is
     needed, see section ACCESS CONTROL.

     gss_inquire_context() returns information about the context.  Information
     is available even after the context have expired.	lifetime_rec argument
     is set to GSS_C_INDEFINITE (dont expire) or the number of seconds that
     the context is still valid.  A value of 0 means that the context is
     expired.  mech_type argument should be considered readonly and must not
     be released.  src_name and dest_name() are both mechanims names and must
     be released with gss_release_name() when no longer used.

     gss_context_time will return the amount of time (in seconds) of the
     context is still valid.  If its expired time_rec will be set to 0 and
     GSS_S_CONTEXT_EXPIRED returned.

     gss_sign(), gss_verify(), gss_seal(), and gss_unseal() are part of the
     GSS-API V1 interface and are obsolete.  The functions should not be used
     for new applications.  They are provided so that version 1 applications
     can link against the library.

EXTENSIONS
     gss_krb5_ccache_name() sets the internal kerberos 5 credential cache name
     to name.  The old name is returned in old_name, and must not be freed.
     The data allocated for old_name is free upon next call to
     gss_krb5_ccache_name().  This function is not threadsafe if old_name
     argument is used.

     gss_krb5_copy_ccache() will extract the krb5 credentials that are
     transferred from the initiator to the acceptor when using token
     delegation in the Kerberos mechanism.  The acceptor receives the
     delegated token in the last argument to gss_accept_sec_context().

     gsskrb5_register_acceptor_identity() sets the Kerberos 5 principal that
     the acceptor will use.

     gsskrb5_extract_authz_data_from_sec_context() extracts the Kerberos
     authorizationdata that may be stored within the context.  Tha caller must
     free the returned buffer ad_data with gss_release_buffer() upon success.

     gss_krb5_get_tkt_flags() return the ticket flags for the kerberos ticket
     receive when authenticating the initiator.	 Only valid on the acceptor
     context.

     gss_krb5_compat_des3_mic() turns on or off the compatibility with older
     version of Heimdal using des3 get and verify mic, this is way to
     programmatically set the [gssapi]broken_des3_mic and
     [gssapi]correct_des3_mic flags (see COMPATIBILITY section in gssapi(3)).
     If the CPP symbol GSS_C_KRB5_COMPAT_DES3_MIC is present,
     gss_krb5_compat_des3_mic() exists.	 gss_krb5_compat_des3_mic() will be
     removed in a later version of the GSS-API library.

SEE ALSO
     gssapi(3), krb5(3), krb5_ccache(3), kerberos(8)

HEIMDAL			       September 9, 2003		       HEIMDAL
[top]

List of man pages available for OpenBSD

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net