summaryrefslogtreecommitdiffstats
path: root/crypto/heimdal/lib/gssapi/gssapi.3
diff options
context:
space:
mode:
Diffstat (limited to 'crypto/heimdal/lib/gssapi/gssapi.3')
-rw-r--r--crypto/heimdal/lib/gssapi/gssapi.335
1 files changed, 27 insertions, 8 deletions
diff --git a/crypto/heimdal/lib/gssapi/gssapi.3 b/crypto/heimdal/lib/gssapi/gssapi.3
index ff30042..0241ee7 100644
--- a/crypto/heimdal/lib/gssapi/gssapi.3
+++ b/crypto/heimdal/lib/gssapi/gssapi.3
@@ -1,4 +1,4 @@
-.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" Copyright (c) 2003 - 2005 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
@@ -29,9 +29,9 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.\" $Id: gssapi.3,v 1.5.2.2 2003/04/30 09:56:26 lha Exp $
+.\" $Id: gssapi.3 22071 2007-11-14 20:04:50Z lha $
.\"
-.Dd January 23, 2003
+.Dd April 20, 2005
.Dt GSSAPI 3
.Os
.Sh NAME
@@ -45,6 +45,9 @@ provides security services to callers in a generic fashion,
supportable with a range of underlying mechanisms and technologies and
hence allowing source-level portability of applications to different
environments.
+.Pp
+The GSS-API implementation in Heimdal implements the Kerberos 5 and
+the SPNEGO GSS-API security mechanisms.
.Sh LIST OF FUNCTIONS
These functions constitute the gssapi library,
.Em libgssapi .
@@ -80,7 +83,11 @@ gss_inquire_cred.3
gss_inquire_cred_by_mech.3
gss_inquire_mechs_for_name.3
gss_inquire_names_for_mech.3
+gss_krb5_ccache_name.3
+gss_krb5_compat_des3_mic.3
gss_krb5_copy_ccache.3
+gss_krb5_extract_authz_data_from_sec_context.3
+gss_krb5_import_ccache.3
gss_process_context_token.3
gss_release_buffer.3
gss_release_cred.3
@@ -106,15 +113,15 @@ implementations when using
.Fn gss_get_mic
/
.Fn gss_verify_mic .
-Its possible to modify the behavior of the generator of the MIC with
+It is possible to modify the behavior of the generator of the MIC with
the
.Pa krb5.conf
configuration file so that old clients/servers will still
work.
.Pp
New clients/servers will try both the old and new MIC in Heimdal 0.6.
-In 0.7 it will check only if configured and the compatibility code
-will be removed in 0.8.
+In 0.7 it will check only if configured - the compatibility code will
+be removed in 0.8.
.Pp
Heimdal 0.6 still generates by default the broken GSS-API DES3 mic,
this will change in 0.7 to generate correct des3 mic.
@@ -135,17 +142,29 @@ If a match for a entry is in both
.Ar correct_des3_mic
and
.Nm [gssapi]
-.Ar correct_des3_mic ,
+.Ar broken_des3_mic ,
the later will override.
.Pp
This config option modifies behaviour for both clients and servers.
.Pp
-Example:
+Microsoft implemented SPNEGO to Windows2000, however, they manage to
+get it wrong, their implementation didn't fill in the MechListMIC in
+the reply token with the right content.
+There is a work around for this problem, but not all implementation
+support it.
+.Pp
+Heimdal defaults to correct SPNEGO when the the kerberos
+implementation uses CFX, or when it is configured by the user.
+To turn on compatibility with peers, use option
+.Nm [gssapi]
+.Ar require_mechlist_mic .
+.Sh EXAMPLES
.Bd -literal -offset indent
[gssapi]
broken_des3_mic = cvs/*@SU.SE
broken_des3_mic = host/*@E.KTH.SE
correct_des3_mic = host/*@SU.SE
+ require_mechlist_mic = host/*@SU.SE
.Ed
.Sh BUGS
All of 0.5.x versions of
OpenPOWER on IntegriCloud