1GSSAPI(3) BSD Library Functions Manual GSSAPI(3)
2
4 gssapi — Generic Security Service Application Program Interface library
5
7 GSS-API Library (libgssapi, -lgssapi)
8
10 The Generic Security Service Application Program Interface (GSS-API) pro‐
11 vides security services to callers in a generic fashion, supportable with
12 a range of underlying mechanisms and technologies and hence allowing
13 source-level portability of applications to different environments.
14 The GSS-API implementation in Heimdal implements the Kerberos 5 and the
16 SPNEGO GSS-API security mechanisms.
17
19 These functions constitute the gssapi library, libgssapi. Declarations
20 for these functions may be obtained from the include file gssapi.h.
21 Name/Page
22 gss_accept_sec_context(3)
23 gss_acquire_cred(3)
24 gss_add_cred(3)
25 gss_add_oid_set_member(3)
26 gss_canonicalize_name(3)
27 gss_compare_name(3)
28 gss_context_time(3)
29 gss_create_empty_oid_set(3)
30 gss_delete_sec_context(3)
31 gss_display_name(3)
32 gss_display_status(3)
33 gss_duplicate_name(3)
34 gss_export_name(3)
35 gss_export_sec_context(3)
36 gss_get_mic(3)
37 gss_import_name(3)
38 gss_import_sec_context(3)
39 gss_indicate_mechs(3)
40 gss_init_sec_context(3)
41 gss_inquire_context(3)
42 gss_inquire_cred(3)
43 gss_inquire_cred_by_mech(3)
44 gss_inquire_mechs_for_name(3)
45 gss_inquire_names_for_mech(3)
46 gss_krb5_ccache_name(3)
47 gss_krb5_compat_des3_mic(3)
48 gss_krb5_copy_ccache(3)
49 gss_krb5_extract_authz_data_from_sec_context(3)
50 gss_krb5_import_ccache(3)
51 gss_process_context_token(3)
52 gss_release_buffer(3)
53 gss_release_cred(3)
54 gss_release_name(3)
55 gss_release_oid_set(3)
56 gss_seal(3)
57 gss_sign(3)
58 gss_test_oid_set_member(3)
59 gss_unseal(3)
60 gss_unwrap(3)
61 gss_verify(3)
62 gss_verify_mic(3)
63 gss_wrap(3)
64 gss_wrap_size_limit(3)
65
67 The Heimdal GSS-API implementation had a bug in releases before 0.6 that
68 made it fail to inter-operate when using DES3 with other GSS-API imple‐
69 mentations when using gss_get_mic() / gss_verify_mic(). It is possible
70 to modify the behavior of the generator of the MIC with the krb5.conf
71 configuration file so that old clients/servers will still work.
72 New clients/servers will try both the old and new MIC in Heimdal 0.6. In
74 0.7 it will check only if configured - the compatibility code will be
75 removed in 0.8.
76 Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this
78 will change in 0.7 to generate correct des3 mic.
79 To turn on compatibility with older clients and servers, change the
81 [gssapi] broken_des3_mic in krb5.conf that contains a list of globbing
82 expressions that will be matched against the server name. To turn off
83 generation of the old (incompatible) mic of the MIC use [gssapi]
84 correct_des3_mic.
85 If a match for a entry is in both [gssapi] correct_des3_mic and [gssapi]
87 broken_des3_mic, the later will override.
88 This config option modifies behaviour for both clients and servers.
90 Microsoft implemented SPNEGO to Windows2000, however, they managed to get
92 it wrong, their implementation didn't fill in the MechListMIC in the
93 reply token with the right content. There is a work around for this
94 problem, but not all implementation support it.
95 Heimdal defaults to correct SPNEGO when the the kerberos implementation
97 uses CFX, or when it is configured by the user. To turn on compatibility
98 with peers, use option [gssapi] require_mechlist_mic.
99
101 [gssapi]
102 broken_des3_mic = cvs/*@SU.SE
103 broken_des3_mic = host/*@E.KTH.SE
104 correct_des3_mic = host/*@SU.SE
105 require_mechlist_mic = host/*@SU.SE
106
108 All of 0.5.x versions of heimdal had broken token delegations in the
109 client side, the server side was correct.
110
112 krb5(3), krb5.conf(5), kerberos(8)
113BSD April 20, 2005 BSD