The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an . Sun Microsystems (). “GSS-API Programming Guide”. The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms. We recommend. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface). Advantages of using.


Instead, security-service vendors provide GSSAPI implementations – usually in the form of libraries installed with their security software.

This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service.

If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults]. The following name types are supported by the krb5 mechanism:

The value is treated as an unparsed principal name string, as above. Is there any way of providing the user’s public key that way? As above, but the value is a decimal string representation of the uid.


Kerberos (GSSAPI) Authentication

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. If the security implementation ever needs replacing, the application need not be rewritten. The value is ignored. Are you going to do programming? This is not clear from your question. The serialization format does not protect this information from eavesdropping or tampering.

If the input name contains both a service and a hostname, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm.



The application must pad the DATA buffer to a multiple of 16 bytes, as no padding or trailer buffer is used. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the rdns variable in [libdefaults].

Limitations of the GSSAPI include that it standardizes only authentication, and not authorization, and that it assumes a client-server architecture. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. The anonymous principal is used, allowing a client to authenticate to a service without asserting a particular identity, which may or may not be allowed by a particular server or Kerberos realm.


If no existing tickets are available for the desired name, but the name has an entry in the default client keytab, the krb5 mechanism will acquire initial tickets for the name using the default client keytab.

GSSAPI tokens can usually travel over an insecure network as the mechanisms provide inherent message security. A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache.

Kerberos (GSSAPI) Authentication – Reflection for Secure IT for UNIX

Do you know if this is a krb library-specific thing, or can PuTTY somehow use this too? I’m looking at a way of authenticating users connecting to an SSH daemon. Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter.

This is the recommended approach if the server application has no specific requirements to the contrary.

These resources are normally serialized as references to their external locations, such as the filename of the credential cache. Probably you are looking for Kerberos with PKINIT support. The definitive feature of GSSAPI applications is the exchange of opaque messages (tokens) which hide the implementation detail from the higher-level application.