path: root/doc/html/plugindev/gssapi.html
Diffstat (limited to 'doc/html/plugindev/gssapi.html')
-rw-r--r--  doc/html/plugindev/gssapi.html  236
1 files changed, 236 insertions, 0 deletions
diff --git a/doc/html/plugindev/gssapi.html b/doc/html/plugindev/gssapi.html
new file mode 100644
index 000000000000..beb9a566d0cf
--- /dev/null
+++ b/doc/html/plugindev/gssapi.html
@@ -0,0 +1,236 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+
+
+<html xmlns="http://www.w3.org/1999/xhtml">
+ <head>
+ <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+
+ <title>GSSAPI mechanism interface &mdash; MIT Kerberos Documentation</title>
+
+ <link rel="stylesheet" href="../_static/agogo.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
+ <link rel="stylesheet" href="../_static/kerb.css" type="text/css" />
+
+ <script type="text/javascript">
+ var DOCUMENTATION_OPTIONS = {
+ URL_ROOT: '../',
+ VERSION: '1.15.1',
+ COLLAPSE_INDEX: false,
+ FILE_SUFFIX: '.html',
+ HAS_SOURCE: true
+ };
+ </script>
+ <script type="text/javascript" src="../_static/jquery.js"></script>
+ <script type="text/javascript" src="../_static/underscore.js"></script>
+ <script type="text/javascript" src="../_static/doctools.js"></script>
+ <link rel="author" title="About these documents" href="../about.html" />
+ <link rel="copyright" title="Copyright" href="../copyright.html" />
+ <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />
+ <link rel="up" title="For plugin module developers" href="index.html" />
+ <link rel="next" title="Internal pluggable interfaces" href="internal.html" />
+ <link rel="prev" title="Configuration interface (profile)" href="profile.html" />
+ </head>
+ <body>
+ <div class="header-wrapper">
+ <div class="header">
+
+
+ <h1><a href="../index.html">MIT Kerberos Documentation</a></h1>
+
+ <div class="rel">
+
+ <a href="../index.html" title="Full Table of Contents"
+ accesskey="C">Contents</a> |
+ <a href="profile.html" title="Configuration interface (profile)"
+ accesskey="P">previous</a> |
+ <a href="internal.html" title="Internal pluggable interfaces"
+ accesskey="N">next</a> |
+ <a href="../genindex.html" title="General Index"
+ accesskey="I">index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ accesskey="S">Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__GSSAPI mechanism interface">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ <div class="content-wrapper">
+ <div class="content">
+ <div class="document">
+
+ <div class="documentwrapper">
+ <div class="bodywrapper">
+ <div class="body">
+
+ <div class="section" id="gssapi-mechanism-interface">
+<h1>GSSAPI mechanism interface<a class="headerlink" href="#gssapi-mechanism-interface" title="Permalink to this headline">¶</a></h1>
+<p>The GSSAPI library in MIT krb5 can load mechanism modules to augment
+the set of built-in mechanisms.</p>
+<p>A mechanism module is a Unix shared object or Windows DLL, built
+separately from the krb5 tree. Modules are loaded according to the
+<tt class="docutils literal"><span class="pre">/etc/gss/mech</span></tt> or <tt class="docutils literal"><span class="pre">/etc/gss/mech.d/*.conf</span></tt> config files, as
+described in <a class="reference internal" href="../admin/host_config.html#gssapi-plugin-config"><em>GSSAPI mechanism modules</em></a>.</p>
+<p>For the most part, a GSSAPI mechanism module exports the same
+functions as would a GSSAPI implementation itself, with the same
+function signatures. The mechanism selection layer within the GSSAPI
+library (called the &#8220;mechglue&#8221;) will dispatch calls from the
+application to the module if the module&#8217;s mechanism is requested. If
+a module does not wish to implement a GSSAPI extension, it can simply
+refrain from exporting it, and the mechglue will fail gracefully if
+the application calls that function.</p>
+<p>The mechglue does not invoke a module&#8217;s <strong>gss_add_cred</strong>,
+<strong>gss_add_cred_from</strong>, <strong>gss_add_cred_impersonate_name</strong>, or
+<strong>gss_add_cred_with_password</strong> function. A mechanism only needs to
+implement the &#8220;acquire&#8221; variants of those functions.</p>
+<p>A module does not need to coordinate its minor status codes with those
+of other mechanisms. If the mechglue detects conflicts, it will map
+the mechanism&#8217;s status codes onto unique values, and then map them
+back again when <strong>gss_display_status</strong> is called.</p>
+<div class="section" id="interposer-modules">
+<h2>Interposer modules<a class="headerlink" href="#interposer-modules" title="Permalink to this headline">¶</a></h2>
+<p>The mechglue also supports a kind of loadable module, called an
+interposer module, which intercepts calls to existing mechanisms
+rather than implementing a new mechanism.</p>
+<p>An interposer module must export the symbol <strong>gss_mech_interposer</strong>
+with the following signature:</p>
+<div class="highlight-python"><div class="highlight"><pre>gss_OID_set gss_mech_interposer(gss_OID mech_type);
+</pre></div>
+</div>
+<p>This function is invoked with the OID of the interposer mechanism as
+specified in <tt class="docutils literal"><span class="pre">/etc/gss/mech</span></tt> or in a <tt class="docutils literal"><span class="pre">/etc/gss/mech.d/*.conf</span></tt>
+file, and returns a set of mechanism OIDs to be interposed. The
+returned OID set must have been created using the mechglue&#8217;s
+gss_create_empty_oid_set and gss_add_oid_set_member functions.</p>
+<p>An interposer module must use the prefix <tt class="docutils literal"><span class="pre">gssi_</span></tt> for the GSSAPI
+functions it exports, instead of the prefix <tt class="docutils literal"><span class="pre">gss_</span></tt>.</p>
+<p>An interposer module can link against the GSSAPI library in order to
+make calls to the original mechanism. To do so, it must specify a
+special mechanism OID which is the concatention of the interposer&#8217;s
+own OID byte string and the original mechanism&#8217;s OID byte string.</p>
+<p>Since <strong>gss_accept_sec_context</strong> does not accept a mechanism argument,
+an interposer mechanism must, in order to invoke the original
+mechanism&#8217;s function, acquire a credential for the concatenated OID
+and pass that as the <em>verifier_cred_handle</em> parameter.</p>
+<p>Since <strong>gss_import_name</strong>, <strong>gss_import_cred</strong>, and
+<strong>gss_import_sec_context</strong> do not accept mechanism parameters, the SPI
+has been extended to include variants which do. This allows the
+interposer module to know which mechanism should be used to interpret
+the token. These functions have the following signatures:</p>
+<div class="highlight-python"><div class="highlight"><pre>OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status,
+ gss_OID desired_mech, gss_buffer_t interprocess_token,
+ gss_ctx_id_t *context_handle);
+
+OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status,
+ gss_OID mech_type, gss_buffer_t input_name_buffer,
+ gss_OID input_name_type, gss_name_t output_name);
+
+OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status,
+ gss_OID mech_type, gss_buffer_t token,
+ gss_cred_id_t *cred_handle);
+</pre></div>
+</div>
+<p>To re-enter the original mechanism when importing tokens for the above
+functions, the interposer module must wrap the mechanism token in the
+mechglue&#8217;s format, using the concatenated OID. The mechglue token
+formats are:</p>
+<ul class="simple">
+<li>For <strong>gss_import_sec_context</strong>, a four-byte OID length in big-endian
+order, followed by the mechanism OID, followed by the mechanism
+token.</li>
+<li>For <strong>gss_import_name</strong>, the bytes 04 01, followed by a two-byte OID
+length in big-endian order, followed by the mechanism OID, followed
+by the bytes 06, followed by the OID length as a single byte,
+followed by the mechanism OID, followed by the mechanism token.</li>
+<li>For <strong>gss_import_cred</strong>, a four-byte OID length in big-endian order,
+followed by the mechanism OID, followed by a four-byte token length
+in big-endian order, followed by the mechanism token. This sequence
+may be repeated multiple times.</li>
+</ul>
+</div>
+</div>
+
+
+ </div>
+ </div>
+ </div>
+ </div>
+ <div class="sidebar">
+ <h2>On this page</h2>
+ <ul>
+<li><a class="reference internal" href="#">GSSAPI mechanism interface</a><ul>
+<li><a class="reference internal" href="#interposer-modules">Interposer modules</a></li>
+</ul>
+</li>
+</ul>
+
+ <br/>
+ <h2>Table of contents</h2>
+ <ul class="current">
+<li class="toctree-l1"><a class="reference internal" href="../user/index.html">For users</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../admin/index.html">For administrators</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../appdev/index.html">For application developers</a></li>
+<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">
+<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>
+<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kdcpreauth.html">KDC preauthentication interface (kdcpreauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="hostrealm.html">Host-to-realm interface (hostrealm)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="localauth.html">Local authorization interface (localauth)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="locate.html">Server location interface (locate)</a></li>
+<li class="toctree-l2"><a class="reference internal" href="profile.html">Configuration interface (profile)</a></li>
+<li class="toctree-l2 current"><a class="current reference internal" href="">GSSAPI mechanism interface</a><ul class="simple">
+</ul>
+</li>
+<li class="toctree-l2"><a class="reference internal" href="internal.html">Internal pluggable interfaces</a></li>
+</ul>
+</li>
+<li class="toctree-l1"><a class="reference internal" href="../build/index.html">Building Kerberos V5</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../basic/index.html">Kerberos V5 concepts</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../formats/index.html">Protocols and file formats</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../mitK5features.html">MIT Kerberos features</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../build_this.html">How to build this documentation from the source</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../about.html">Contributing to the MIT Kerberos Documentation</a></li>
+<li class="toctree-l1"><a class="reference internal" href="../resources.html">Resources</a></li>
+</ul>
+
+ <br/>
+ <h4><a href="../index.html">Full Table of Contents</a></h4>
+ <h4>Search</h4>
+ <form class="search" action="../search.html" method="get">
+ <input type="text" name="q" size="18" />
+ <input type="submit" value="Go" />
+ <input type="hidden" name="check_keywords" value="yes" />
+ <input type="hidden" name="area" value="default" />
+ </form>
+ </div>
+ <div class="clearer"></div>
+ </div>
+ </div>
+
+ <div class="footer-wrapper">
+ <div class="footer" >
+ <div class="right" ><i>Release: 1.15.1</i><br />
+ &copy; <a href="../copyright.html">Copyright</a> 1985-2017, MIT.
+ </div>
+ <div class="left">
+
+ <a href="../index.html" title="Full Table of Contents"
+ >Contents</a> |
+ <a href="profile.html" title="Configuration interface (profile)"
+ >previous</a> |
+ <a href="internal.html" title="Internal pluggable interfaces"
+ >next</a> |
+ <a href="../genindex.html" title="General Index"
+ >index</a> |
+ <a href="../search.html" title="Enter search criteria"
+ >Search</a> |
+ <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__GSSAPI mechanism interface">feedback</a>
+ </div>
+ </div>
+ </div>
+
+ </body>
+</html> \ No newline at end of file
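Review bot: the `gssi_import_name_by_mech` prototype in the second signature block declares its result as `gss_name_t output_name`, whereas the neighbouring `gssi_import_sec_context_by_mech` and `gssi_import_cred_by_mech` prototypes return their results through `gss_ctx_id_t *context_handle` and `gss_cred_id_t *cred_handle`; an imported name is an output parameter, so this should read `gss_name_t *output_name` unless the SPI genuinely differs, in which case the text should say so. Two smaller points in the same section: "concatention" in the paragraph on linking against the GSSAPI library should be "concatenation", and the C prototypes are emitted inside `highlight-python` divs, which is the Sphinx default that a `.. code-block:: c` directive in the reStructuredText source would correct. The list of mechglue token formats gives the byte layout (four-byte big-endian OID length, a two-byte length after `04 01`, a one-byte length after `06`) but does not say what happens when a length field disagrees with the size of the surrounding buffer; one sentence stating which side validates the length fields, the mechglue before dispatch or the module itself, would keep interposer authors from trusting an unchecked length when they re-wrap tokens. Minor: the file lacks a trailing newline.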