The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an . The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.
|Published (Last):||19 September 2010|
The following name types are supported by the krb5 mechanism:
Generic Security Services Application Program Interface
A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. Do you know if this is a krb library-specific thing, or can putty somehow use this too?
If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm.
But there are some kinit versions that support pkinit. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].
The serialization format does not protect this information from eavesdropping or tampering. The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity which may or may not be allowed by a particular server or Kerberos realm.
Kerberos (GSSAPI) Authentication
If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab. Note: If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].
Putty uses this TGT and gets a service ticket and proceeds; a simple Kerberos-enabled putty is sufficient.
After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established.
Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential may contain secret information such as ticket session keys.
Developing with GSSAPI — MIT Kerberos Documentation
After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit. In MIT krb5 versions prior to 1.
Probably you are looking for kerberos with pkinit support.
This is the recommended approach if the server application has no specific requirements to the contrary. GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture.
The only guides I’ve found so far are very low-level protocol descriptions or server configuration for admins. The client and server sides of the application are written to convey the tokens given to them by their respective GSSAPI implementations.