Extracted from Pike v7.8 release 866 at 2016-11-06.
pike.ida.liu.se

Module GSSAPI

Description

This is Pike glue for GSS-API version 2 as specified in RFC 2743.

GSS-API is used to authenticate users and servers, and optionally also to encrypt communication between them. The API is generic and can be used without any knowledge of the actual implementation of these security services, which is typically provided by the operating system.

The most common implementation at the time of writing is Kerberos, which means that the main benefit of this API is to allow clients and servers to authenticate each other using Kerberos, thereby making single sign-on possible in a Kerberized environment.

All functions in this module that wrap GSS-API routines may throw GSSAPI.Error, and by default they do so for every such error. Only in a few special cases do they return normally after a GSS-API error has occurred, and those cases are noted in the documentation.


Constant ERROR_MASK

constant GSSAPI.ERROR_MASK

Description

Bitfield mask for the routine error part of major status codes such as GSSAPI.Error.major_status. After applying this mask, the status value may be compared to any of the routine error constants.


constant GSSAPI.BAD_MECH
constant GSSAPI.BAD_NAME
constant GSSAPI.BAD_NAMETYPE
constant GSSAPI.BAD_BINDINGS
constant GSSAPI.BAD_STATUS
constant GSSAPI.BAD_SIG
constant GSSAPI.NO_CRED
constant GSSAPI.NO_CONTEXT
constant GSSAPI.DEFECTIVE_TOKEN
constant GSSAPI.DEFECTIVE_CREDENTIAL
constant GSSAPI.CREDENTIALS_EXPIRED
constant GSSAPI.CONTEXT_EXPIRED
constant GSSAPI.FAILURE
constant GSSAPI.BAD_QOP
constant GSSAPI.UNAUTHORIZED
constant GSSAPI.UNAVAILABLE
constant GSSAPI.DUPLICATE_ELEMENT
constant GSSAPI.NAME_NOT_MN

Description

Constants for routine errors in major status codes such as GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Note that a major status code has to be masked with GSSAPI.ERROR_MASK before it is compared with these.

Brief descriptions of the flags:

GSSAPI.BAD_BINDINGS

Channel binding mismatch.

GSSAPI.BAD_MECH

Unsupported mechanism requested.

GSSAPI.BAD_NAME

Invalid name provided.

GSSAPI.BAD_NAMETYPE

Name of unsupported type provided.

GSSAPI.BAD_STATUS

Invalid input status selector.

GSSAPI.BAD_MIC

Token had invalid integrity check. RFC 2743 defines GSS_S_BAD_MIC as the same value as GSS_S_BAD_SIG, the name used in the constant list above.

GSSAPI.CONTEXT_EXPIRED

Specified security context expired.

GSSAPI.CREDENTIALS_EXPIRED

Expired credentials detected.

GSSAPI.DEFECTIVE_CREDENTIAL

Defective credential detected.

GSSAPI.DEFECTIVE_TOKEN

Defective token detected.

GSSAPI.FAILURE

Failure, unspecified at GSS-API level. GSSAPI.Error.minor_status should provide further, mechanism-specific details.

GSSAPI.NO_CONTEXT

No valid security context specified.

GSSAPI.NO_CRED

No valid credentials provided.

GSSAPI.BAD_QOP

Unsupported QOP value.

GSSAPI.UNAUTHORIZED

Operation unauthorized.

GSSAPI.UNAVAILABLE

Operation unavailable.

GSSAPI.DUPLICATE_ELEMENT

Duplicate credential element requested.

GSSAPI.NAME_NOT_MN

Name contains multi-mechanism elements.


Constant INFO_MASK

constant GSSAPI.INFO_MASK

Description

Bitfield mask for the informatory part of major status codes such as GSSAPI.Error.major_status.


constant GSSAPI.CONTINUE_NEEDED
constant GSSAPI.DUPLICATE_TOKEN
constant GSSAPI.OLD_TOKEN
constant GSSAPI.UNSEQ_TOKEN
constant GSSAPI.GAP_TOKEN

Description

Bitfield flags for the informatory part of major status codes such as GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Any combination of these may be combined with one routine error constant to form a major status code.

Brief descriptions of the flags:

GSSAPI.CONTINUE_NEEDED

Continuation call to routine required.

GSSAPI.DUPLICATE_TOKEN

Duplicate per-message token detected.

GSSAPI.OLD_TOKEN

Timed-out per-message token detected.

GSSAPI.UNSEQ_TOKEN

Reordered (early) per-message token detected.

GSSAPI.GAP_TOKEN

Skipped predecessor token(s) detected.
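The two masks above are the only documented way to take a major status code apart: the routine error part is compared for equality after masking with ERROR_MASK, while the informatory part is a set of independent bits under INFO_MASK. The following is an added example, not code from the Pike distribution; it assumes a Pike built with the GSSAPI module, and the name tables in it are constructed here purely for readable output. Note that RFC 2743 also reserves a calling-error field in the major status for which this module documents no mask, so this decoder silently ignores bits that fall outside both masks.

```pike
// Added example: decode a GSS-API major status code (e.g. the value of
// GSSAPI.Error.major_status on a caught error) into its routine error
// and its informatory flags, using GSSAPI.ERROR_MASK and GSSAPI.INFO_MASK.

// Routine error constants keyed by value. Constructed for display only.
mapping(int:string) routine_errors = ([
  GSSAPI.BAD_MECH: "BAD_MECH",
  GSSAPI.BAD_NAME: "BAD_NAME",
  GSSAPI.BAD_NAMETYPE: "BAD_NAMETYPE",
  GSSAPI.BAD_BINDINGS: "BAD_BINDINGS",
  GSSAPI.BAD_STATUS: "BAD_STATUS",
  GSSAPI.BAD_SIG: "BAD_SIG",
  GSSAPI.NO_CRED: "NO_CRED",
  GSSAPI.NO_CONTEXT: "NO_CONTEXT",
  GSSAPI.DEFECTIVE_TOKEN: "DEFECTIVE_TOKEN",
  GSSAPI.DEFECTIVE_CREDENTIAL: "DEFECTIVE_CREDENTIAL",
  GSSAPI.CREDENTIALS_EXPIRED: "CREDENTIALS_EXPIRED",
  GSSAPI.CONTEXT_EXPIRED: "CONTEXT_EXPIRED",
  GSSAPI.FAILURE: "FAILURE",
  GSSAPI.BAD_QOP: "BAD_QOP",
  GSSAPI.UNAUTHORIZED: "UNAUTHORIZED",
  GSSAPI.UNAVAILABLE: "UNAVAILABLE",
  GSSAPI.DUPLICATE_ELEMENT: "DUPLICATE_ELEMENT",
  GSSAPI.NAME_NOT_MN: "NAME_NOT_MN"
]);

// Informatory flag constants keyed by value. Constructed for display only.
mapping(int:string) info_flags = ([
  GSSAPI.CONTINUE_NEEDED: "CONTINUE_NEEDED",
  GSSAPI.DUPLICATE_TOKEN: "DUPLICATE_TOKEN",
  GSSAPI.OLD_TOKEN: "OLD_TOKEN",
  GSSAPI.UNSEQ_TOKEN: "UNSEQ_TOKEN",
  GSSAPI.GAP_TOKEN: "GAP_TOKEN"
]);

// Returns ([ "routine": name of the routine error, or 0 when that part
//            is clear (GSS_S_COMPLETE),
//            "info": names of all informatory flags that are set ]).
mapping(string:mixed) decode_major_status(int major)
{
  // The routine error is a single value, so mask and compare for equality.
  int routine = major & GSSAPI.ERROR_MASK;
  // The informatory part is a bitfield, so test each flag separately.
  int info = major & GSSAPI.INFO_MASK;
  array(string) set_flags = ({});
  foreach (info_flags; int flag; string name)
    if (info & flag) set_flags += ({ name });
  return ([
    "routine": routine ? (routine_errors[routine] ||
                          sprintf("unknown(%d)", routine)) : 0,
    "info": set_flags
  ]);
}

int main()
{
  // Constructed status for demonstration: an expired context that also
  // reports a replayed per-message token.
  int demo = GSSAPI.CONTEXT_EXPIRED | GSSAPI.DUPLICATE_TOKEN;
  mapping(string:mixed) m = decode_major_status(demo);
  write("routine=%O info=%O\n", m->routine, m->info);
  return 0;
}
```

In a real handler the value passed to decode_major_status would come from the major_status field of a caught GSSAPI.Error. The informatory flags matter for detection as much as the routine error does: DUPLICATE_TOKEN, OLD_TOKEN, UNSEQ_TOKEN and GAP_TOKEN are exactly the conditions the REPLAY_FLAG and SEQUENCE_FLAG services exist to report, so they belong in the application's logs rather than being collapsed into a generic failure.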


constant GSSAPI.NT_HOSTBASED_SERVICE
constant GSSAPI.NT_USER_NAME
constant GSSAPI.NT_MACHINE_UID_NAME
constant GSSAPI.NT_STRING_UID_NAME
constant GSSAPI.NT_ANONYMOUS
constant GSSAPI.NT_EXPORT_NAME
constant GSSAPI.KRB5_NT_PRINCIPAL_NAME

Description

String OIDs in dotted-decimal form for the GSS-API mechanism-independent name types, and some selected mechanism-specific ones:

NT_HOSTBASED_SERVICE

Name type for a service associated with a host computer. The syntax is service@hostname where the @hostname part may be omitted for the local host. See RFC 2743 section 4.1.

NT_USER_NAME

Name type for a named user on a local system. The syntax is username. See RFC 2743 section 4.2.

NT_MACHINE_UID_NAME

Name type for a numeric user identifier corresponding to a user on a local system. The string representing a name of this type should contain a locally-significant user ID, represented in host byte order. See RFC 2743 section 4.3.

NT_STRING_UID_NAME

Name type for a string of digits representing the numeric user identifier of a user on a local system. This name type is similar to the Machine UID Form, except that the buffer contains a string representing the user ID. See RFC 2743 section 4.4.

NT_ANONYMOUS

Name type to identify anonymous names. See RFC 2743 section 4.5.

NT_EXPORT_NAME

Name type for the Mechanism-Independent Exported Name Object type, which is the type of the names returned by GSSAPI.Name.export. See RFC 2743 section 4.7.

KRB5_NT_PRINCIPAL_NAME

Name type for a Kerberos principal. See RFC 1964 section 2.1.1.


constant GSSAPI.INITIATE
constant GSSAPI.ACCEPT
constant GSSAPI.BOTH

Description

Flags for indicating how a GSSAPI.Cred object may be used:

INITIATE

The credential can only be used to initiate security contexts (i.e. with GSSAPI.InitContext).

ACCEPT

The credential can only be used to accept security contexts (i.e. with GSSAPI.AcceptContext).

BOTH

The credential may be used both to initiate and to accept security contexts.


constant GSSAPI.DELEG_FLAG
constant GSSAPI.MUTUAL_FLAG
constant GSSAPI.REPLAY_FLAG
constant GSSAPI.SEQUENCE_FLAG
constant GSSAPI.CONF_FLAG
constant GSSAPI.INTEG_FLAG
constant GSSAPI.ANON_FLAG
constant GSSAPI.PROT_READY_FLAG
constant GSSAPI.TRANS_FLAG

Description

Bitfield flags returned by e.g. GSSAPI.Context.services to denote the various services that are available in the context.

Brief descriptions of the flags:

GSSAPI.DELEG_FLAG

Delegation. See RFC 2743 section 1.2.9.

GSSAPI.MUTUAL_FLAG

Mutual authentication (actually, acceptor authentication). See RFC 2743 sections 1.1.1.3 and 1.2.5.

GSSAPI.REPLAY_FLAG

Per-message replay detection. See RFC 2743 section 1.2.3.

GSSAPI.SEQUENCE_FLAG

Per-message sequencing. See RFC 2743 section 1.2.3.

GSSAPI.CONF_FLAG

Per-message confidentiality. See RFC 2743 section 1.2.2.

GSSAPI.INTEG_FLAG

Per-message integrity. See RFC 2743 section 1.2.2.

GSSAPI.ANON_FLAG

Anonymous authentication. See RFC 2743 section 1.2.5.

GSSAPI.PROT_READY_FLAG

May be set before context establishment has finished, to denote that per-message protection is already available. See RFC 2743 section 1.2.7. It is always set in GSSAPI.Context and derived classes once the context is established.

GSSAPI.TRANS_FLAG

The context can be transferred between processes using GSSAPI.Context.export and GSSAPI.Context.import. See RFC 2743 section 1.2.10.
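The service flags describe what a context actually negotiated, not what the application asked for, so code that relies on confidentiality or integrity has to check the returned bitfield before trusting the channel. The following is an added example, not code from the Pike distribution; it assumes a Pike built with the GSSAPI module, takes the bitfield as returned by GSSAPI.Context.services as an integer argument, and uses a constructed value in main in place of a live context.

```pike
// Added example: refuse to use a security context that did not negotiate
// the services the application depends on. `services` is the bitfield as
// returned by GSSAPI.Context.services; `required` is chosen by the caller.

// Service flag constants keyed by value. Constructed for display only.
mapping(int:string) service_names = ([
  GSSAPI.DELEG_FLAG: "DELEG_FLAG",
  GSSAPI.MUTUAL_FLAG: "MUTUAL_FLAG",
  GSSAPI.REPLAY_FLAG: "REPLAY_FLAG",
  GSSAPI.SEQUENCE_FLAG: "SEQUENCE_FLAG",
  GSSAPI.CONF_FLAG: "CONF_FLAG",
  GSSAPI.INTEG_FLAG: "INTEG_FLAG",
  GSSAPI.ANON_FLAG: "ANON_FLAG",
  GSSAPI.PROT_READY_FLAG: "PROT_READY_FLAG",
  GSSAPI.TRANS_FLAG: "TRANS_FLAG"
]);

// Returns the names of the flags in `required` that are not set in
// `services`, sorted so the output is stable for logging.
array(string) missing_services(int services, int required)
{
  array(string) missing = ({});
  foreach (service_names; int flag; string name)
    if ((required & flag) && !(services & flag))
      missing += ({ name });
  return sort(missing);
}

int main()
{
  // A peer that will exchange sensitive data should insist on acceptor
  // authentication, confidentiality, integrity and replay detection.
  int required = GSSAPI.MUTUAL_FLAG | GSSAPI.CONF_FLAG |
                 GSSAPI.INTEG_FLAG | GSSAPI.REPLAY_FLAG;

  // Constructed stand-in for a live GSSAPI.Context.services value: the
  // mechanism delivered everything except confidentiality.
  int negotiated = GSSAPI.MUTUAL_FLAG | GSSAPI.INTEG_FLAG |
                   GSSAPI.REPLAY_FLAG | GSSAPI.PROT_READY_FLAG;

  array(string) missing = missing_services(negotiated, required);
  if (sizeof(missing)) {
    write("refusing to use context; missing services: %s\n", missing * ", ");
    return 1;
  }
  write("context provides all required services\n");
  return 0;
}
```

The check is deliberately made after establishment: PROT_READY_FLAG may appear before the handshake completes, but the other flags are only reliable once the context is established, which is also when the documentation above guarantees PROT_READY_FLAG is set.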