Next: , Previous: GSSAPI, Up: Mechanisms

5.11 The GS2-KRB5 mechanism

GS2 is a protocol bridge between GSS-API and SASL, and allows every GSS-API mechanism that supports mutual authentication and channel bindings to be used as a SASL mechanism. Currently we support the GS2-KRB5 mechanism, for Kerberos V5 authentication, however our GS2 implementation is flexible enough to easily support other GSS-API mechanism if any gains popularity.

In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the GSASL_AUTHID, GSASL_SERVICE, and GSASL_HOSTNAME properties.

In the server, the mechanism requires the GSASL_SERVICE and GSASL_HOSTNAME properties, and it will invoke the GSASL_VALIDATE_GSSAPI callback property in order to validate the user. The callback may inspect the GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to authorize the user. Note that authentication is performed by the GSS-API library.

The GS2 framework supports a variant of each mechanism, called the PLUS variant, which can also bind the authentication to a secure channel through channel bindings. Currently this is not supported by GNU SASL.