The Generic Security Service Application Program Interface (GSSAPI, also GSS-API) is an application program interface for programs to access security services (Sun Microsystems, "GSS-API Programming Guide"). The GSSAPI allows applications to communicate securely using Kerberos 5 or other security mechanisms. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface).

Author: Faera Kile
Published (Last): 11 October 2005

Note: If a hostname is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution, depending on the value of the rdns variable in [libdefaults].

These resources are normally serialized as references to their external locations, such as the filename of the credential cache. If the security implementation ever needs replacing, the application need not be rewritten.

After the exchange of some number of tokens, the GSSAPI implementations at both ends inform their local application that a security context has been established. As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format.

Instead, security-service vendors provide GSSAPI implementations, usually in the form of libraries installed with their security software. Once a security context is established, sensitive application messages can be wrapped (encrypted) by the GSSAPI for secure communication between client and server.

After this your machine will receive a TGT, and this transaction happens during domain login or while doing a kinit. PuTTY uses this TGT, gets a service ticket and proceeds, so a simple Kerberos-enabled PuTTY is sufficient.


A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. In MIT krb5 versions prior to 1. The value should be a string of the form service or service@hostname.

If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. This is the recommended approach if the server application has no specific requirements to the contrary.

I'm looking at a way of authenticating users connecting to an SSH daemon.

linux – Server side of GSSAPI for sshd and private key authentication – Stack Overflow

The only guides I've found so far are very low-level protocol descriptions or server configuration guides for admins.

Note: In MIT krb5 versions prior to 1. The value is treated as an unparsed principal name string, as above.


The memory pointed to by the buffers is not required to be contiguous or in any particular order.

Kerberos (GSSAPI) Authentication – Reflection for Secure IT for UNIX


In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists.

The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution, depending on the value of the rdns variable in [libdefaults].

Generic Security Services Application Program Interface

The following name types are supported by the krb5 mechanism:

A serialized credential may contain secret information such as ticket session keys. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator.

Do you know if this is a krb library-specific thing, or can PuTTY somehow use this too?

Are you going to do programming? This is not clear from your question.