From d9cbcb50b52b6c033a00eac46c9285955eed228c Mon Sep 17 00:00:00 2001 From: dfr Date: Thu, 29 Dec 2005 14:40:22 +0000 Subject: Add a new extensible GSS-API layer which can support GSS-API plugins, similar the the Solaris implementation. Repackage the krb5 GSS mechanism as a plugin library for the new implementation. This also includes a comprehensive set of manpages for the GSS-API functions with text mostly taken from the RFC. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed by: Love Hörnquist Åstrand , ru (build system), des (openssh parts)
---
 lib/libgssapi/gss_acquire_cred.3 | 238 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 238 insertions(+)
 create mode 100644 lib/libgssapi/gss_acquire_cred.3
(limited to 'lib/libgssapi/gss_acquire_cred.3')
diff --git a/lib/libgssapi/gss_acquire_cred.3 b/lib/libgssapi/gss_acquire_cred.3
new file mode 100644
index 0000000..d108875
--- /dev/null
+++ b/lib/libgssapi/gss_acquire_cred.3
@@ -0,0 +1,238 @@
+.\" -*- nroff -*-
+.\"
+.\" Copyright (c) 2005 Doug Rabson
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $FreeBSD$
+.\"
+.\" Copyright (C) The Internet Society (2000). All Rights Reserved.
+.\"
+.\" This document and translations of it may be copied and furnished to
+.\" others, and derivative works that comment on or otherwise explain it
+.\" or assist in its implementation may be prepared, copied, published
+.\" and distributed, in whole or in part, without restriction of any
+.\" kind, provided that the above copyright notice and this paragraph are
+.\" included on all such copies and derivative works. However, this
+.\" document itself may not be modified in any way, such as by removing
+.\" the copyright notice or references to the Internet Society or other
+.\" Internet organizations, except as needed for the purpose of
+.\" developing Internet standards in which case the procedures for
+.\" copyrights defined in the Internet Standards process must be
+.\" followed, or as required to translate it into languages other than
+.\" English.
+.\"
+.\" The limited permissions granted above are perpetual and will not be
+.\" revoked by the Internet Society or its successors or assigns.
+.\"
+.\" This document and the information contained herein is provided on an
+.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+.\"
+.\" The following commands are required for all man pages.
+.Dd November 12, 2005
+.Os
+.Dt GSS_ACQUIRE_CRED 3 PRM
+.Sh NAME
+.Nm gss_acquire_cred
+.Nd Obtain a GSS-API credential handle for pre-existing credentials
+.\" This next command is for sections 2 and 3 only.
+.\" .Sh LIBRARY
+.Sh SYNOPSIS
+.In "gssapi/gssapi.h"
+.Ft OM_uint32
+.Fo gss_acquire_cred
+.Fa "OM_uint32 *minor_status"
+.Fa "const gss_name_t desired_name"
+.Fa "OM_uint32 time_req"
+.Fa "const gss_OID_set desired_mechs"
+.Fa "gss_cred_usage_t cred_usage"
+.Fa "gss_cred_id_t *output_cred_handle"
+.Fa "gss_OID_set *actual_mechs"
+.Fa "OM_uint32 *time_rec"
+.Fc
+.Sh DESCRIPTION
+Allows an application to acquire a handle for a pre-existing
+credential by name.
+GSS-API implementations must impose a local
+access-control policy on callers of this routine to prevent
+unauthorized callers from acquiring credentials to which they are not
+entitled.
+This routine is not intended to provide a "login to the
+network" function, as such a function would involve the creation of
+new credentials rather than merely acquiring a handle to existing
+credentials.
+Such functions, if required, should be defined in
+implementation-specific extensions to the API.
+.Pp
+If desired_name is
+.Dv GSS_C_NO_NAME ,
+the call is interpreted as a
+request for a credential handle that will invoke default behavior
+when passed to
+.Fn gss_init_sec_context
+(if cred_usage is
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH )
+or
+.Fn gss_accept_sec_context
+(if cred_usage is
+.Dv GSS_C_ACCEPT
+or
+.Dv GSS_C_BOTH ).
+.Pp
+Mechanisms should honor the
+.Fa desired_mechs
+parameter,
+and return a credential that is suitable to use only with the
+requested mechanisms.
+An exception to this is the case where one underlying credential
+element can be shared by multiple mechanisms;
+in this case it is permissible for an implementation to indicate all
+mechanisms with which the credential element may be used.
+If
+.Fa desired_mechs
+is an empty set, behavior is undefined.
+.Pp
+This routine is expected to be used primarily by context acceptors,
+since implementations are likely to provide mechanism-specific ways
+of obtaining GSS-API initiator credentials from the system login
+process.
+Some implementations may therefore not support the acquisition of
+.Dv GSS_C_INITIATE
+or
+.Dv GSS_C_BOTH
+credentials via
+.Fn gss_acquire_cred
+for any name other than
+.Dv GSS_C_NO_NAME ,
+or a name produced by applying either
+.Fn gss_inquire_cred
+to a valid credential, or
+.Fn gss_inquire_context
+to an active context.
+.Pp
+If credential acquisition is time-consuming for a mechanism,
+the mechanism may choose to delay the actual acquisition until the
+credential is required
+(e.g. by
+.Fn gss_init_sec_context
+or
+.Fn gss_accept_sec_context ).
+Such mechanism-specific implementation
+decisions should be invisible to the calling application;
+thus a call of
+.Fn gss_inquire_cred
+immediately following the call of
+.Fn gss_acquire_cred
+must return valid credential data,
+and may therefore incur the overhead of a deferred credential acquisition.
+.Sh PARAMETERS
+.Bl -tag
+.It desired_name
+Name of principal whose credential should be acquired.
+.It time_req
+Number of seconds that credentials should remain valid.
+Specify
+.Dv GSS_C_INDEFINITE
+to request that the credentials have the maximum
+permitted lifetime.
+.It desired_mechs
+Set of underlying security mechanisms that may be used.
+.Dv GSS_C_NO_OID_SET
+may be used to obtain an implementation-specific default.
+.It cred_usage
+.Bl -tag -width "GSS_C_INITIATE"
+.It GSS_C_BOTH
+Credentials may be used either to initiate or accept security
+contexts.
+.It GSS_C_INITIATE
+Credentials will only be used to initiate security contexts.
+.It GSS_C_ACCEPT
+Credentials will only be used to accept security contexts.
+.El
+.It output_cred_handle
+The returned credential handle.
+Resources
+associated with this credential handle must be released by
+the application after use with a call to
+.Fn gss_release_cred .
+.It actual_mechs
+The set of mechanisms for which the credential is valid.
+Storage associated with the returned OID-set must be released by the
+application after use with a call to
+.Fn gss_release_oid_set .
+Specify
+.Dv NULL if not required.
+.It time_rec
+Actual number of seconds for which the returned credentials will
+remain valid.
+If the implementation does not support expiration of credentials,
+the value
+.Dv GSS_C_INDEFINITE
+will be returned.
+Specify NULL if not required.
+.It minor_status
+Mechanism specific status code.
+.El
+.Sh RETURN VALUES
+.Bl -tag
+.It GSS_S_COMPLETE
+Successful completion.
+.It GSS_S_BAD_MECH
+Unavailable mechanism requested.
+.It GSS_S_BAD_NAMETYPE
+Type contained within desired_name parameter is not supported.
+.It GSS_S_BAD_NAME
+Value supplied for desired_name parameter is ill formed.
+.It GSS_S_CREDENTIALS_EXPIRED
+The credentials could not be acquired Because they have expired.
+.It GSS_S_NO_CRED
+No credentials were found for the specified name.
+.El
+.Sh SEE ALSO
+.Xr gss_init_sec_context 3 ,
+.Xr gss_accept_sec_context 3 ,
+.Xr gss_inquire_cred 3 ,
+.Xr gss_inquire_context 3 ,
+.Xr gss_release_cred 3 ,
+.Xr gss_release_oid_set 3
+.Sh STANDARDS
+.Bl -tag
+.It RFC 2743
+Generic Security Service Application Program Interface Version 2, Update 1
+.It RFC 2744
+Generic Security Service API Version 2 : C-bindings
+.\" .Sh HISTORY
+.El
+.Sh HISTORY
+The
+.Nm
+manual page example first appeared in
+.Fx 7.0 .
+.Sh AUTHORS
+John Wray, Iris Associates
-- cgit v1.1