

5 Invoking gss

Name

GNU GSS (gss) – Command line interface to the GSS Library.

Description

gss is the main program of GNU GSS.

Mandatory or optional arguments to long options are also mandatory or optional for any corresponding short options.

Commands

gss recognizes these commands:

  -l, --list-mechanisms
                    List information about supported mechanisms
                    in a human readable format.
  -m, --major=LONG  Describe a `major status' error code value.
  -a, --accept-sec-context
                    Accept a security context as server.
  -i, --init-sec-context=MECH
                    Initialize a security context as client.
                    MECH is the SASL name of mechanism, use -l
                    to list supported mechanisms.
  -n, --server-name=SERVICE@HOSTNAME
                    For -i, set the name of the remote host.
                    For example, "imap@mail.example.com".

Other Options

These are some standard parameters.

  -h, --help        Print help and exit
  -V, --version     Print version and exit
  -q, --quiet       Silent operation  (default=off)

Examples

To list the supported mechanisms, use gss -l like this:

$ src/gss -l
Found 1 supported mechanisms.

Mechanism 0:
        Mechanism name: Kerberos V5
        Mechanism description: Kerberos V5 GSS-API mechanism
        SASL Mechanism name: GS2-KRB5
$

To initialize a Kerberos V5 security context, use the --init-sec-context parameter. Kerberos V5 needs to know the name of the remote entity, so you must also supply the --server-name parameter, which provides the name of the server. For example, use imap@mail.example.com to set up a security context with the imap service on the host mail.example.com. The Kerberos V5 client uses your ticket-granting ticket (which must already be available) to acquire a server ticket for the service; the KDC must know about the server for this to work. The tool prints the GSS-API context tokens base64 encoded on standard output.

$ gss -i GS2-KRB5 -n host@interop.josefsson.org
Context token (protection is available):
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
Input context token:

The tool is waiting for the final Kerberos V5 context token from the server. Note the status text informing you that message protection is available.

To accept a Kerberos V5 context, the process is similar. The server needs to know its name, so that it can find the host key from (typically) /etc/shishi/shishi.keys. Once started it will wait for a context token from the client. Below we’ll paste in the token printed above.

$ gss -a -n host@interop.josefsson.org
Importing name "host@interop.josefsson.org"...
Acquiring credentials...
Input context token:
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
Context has been accepted.  Final context token:
YHEGCSqGSIb3EgECAgIAb2IwYKADAgEFoQMCAQ+iVDBSoAMCARKhAwIBAKJGBESy1Zoy9DrG+DuV/6aWmAp79s9d+ofGXC/WKOzRuxAqo98vMRWbsbILW8z9aF1th4GZz0kjFz/hZAmnWyomZ9JiP3yQvg==
$

Returning to the client, you may now cut and paste the final context token as shown by the server. The client has then authenticated the server as well. The output from the client is shown below.

YHEGCSqGSIb3EgECAgIAb2IwYKADAgEFoQMCAQ+iVDBSoAMCARKhAwIBAKJGBESy1Zoy9DrG+DuV/6aWmAp79s9d+ofGXC/WKOzRuxAqo98vMRWbsbILW8z9aF1th4GZz0kjFz/hZAmnWyomZ9JiP3yQvg==
Context has been initialized.
$
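Pasting tokens between the two terminals is the whole protocol in this example, so it helps to know what the base64 blobs actually carry. The following Python script is an added example, not part of GNU GSS or of the manual: it decodes the final context token the server printed above, checks the RFC 2743 InitialContextToken framing (tag 0x60, then the mechanism OID), identifies the mechanism and the RFC 4121 token type, and for an AP-REP reads out the plaintext header fields (protocol version, message type, encryption type, key version number, ciphertext length). All function and constant names are the example's own.

```python
import base64

# The final context token printed by the server in the example above (the
# page's own sample), embedded so the parser runs offline.
FINAL_TOKEN_B64 = "YHEGCSqGSIb3EgECAgIAb2IwYKADAgEFoQMCAQ+iVDBSoAMCARKhAwIBAKJGBESy1Zoy9DrG+DuV/6aWmAp79s9d+ofGXC/WKOzRuxAqo98vMRWbsbILW8z9aF1th4GZz0kjFz/hZAmnWyomZ9JiP3yQvg=="

KRB5_MECH_OID = "1.2.840.113554.1.2.2"  # Kerberos V5 mechanism (RFC 1964 / RFC 4121)
KRB5_TOK_IDS = {0x0100: "AP-REQ", 0x0200: "AP-REP", 0x0300: "KRB-ERROR"}  # RFC 4121 s.4.1
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

def _der_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at pos; strict on bounds."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first, start = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first & 0x80:  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or start + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length, start = int.from_bytes(buf[start:start + n], "big"), start + n
    if start + length > len(buf):
        raise ValueError("DER element runs past end of data")
    return tag, buf[start:start + length], start + length

def _decode_oid(raw):
    """Base-128 OID contents to dotted notation (first two arcs share one subidentifier)."""
    arcs, value = [], 0
    for b in raw:
        value = (value << 7) | (b & 0x7F)
        if b & 0x80:
            continue
        arcs += ([2, value - 80] if value >= 80 else [value // 40, value % 40]) if not arcs else [value]
        value = 0
    if value:
        raise ValueError("truncated OID subidentifier")
    return ".".join(map(str, arcs))

def _context_fields(seq_body):
    """Map [n] context-specific tag numbers to their contents within a Kerberos SEQUENCE."""
    fields, pos = {}, 0
    while pos < len(seq_body):
        tag, val, pos = _der_tlv(seq_body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError("expected a context-specific tag")
        fields[tag & 0x1F] = val
    return fields

def _small_int(field):
    """Decode the short non-negative DER INTEGERs used for pvno, msg-type, etype and kvno."""
    tag, val, _ = _der_tlv(field, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER")
    return int.from_bytes(val, "big")

def _parse_ap_rep(ap_body):
    # AP-REP ::= SEQUENCE { pvno [0], msg-type [1], enc-part [2] EncryptedData }
    # EncryptedData ::= SEQUENCE { etype [0], kvno [1] OPTIONAL, cipher [2] OCTET STRING }
    tag, seq, _ = _der_tlv(ap_body, 0)
    if tag != 0x30:
        raise ValueError("AP-REP body is not a SEQUENCE")
    f = _context_fields(seq)
    e = _context_fields(_der_tlv(f[2], 0)[1])
    etype = _small_int(e[0])
    return {"pvno": _small_int(f[0]), "msg_type": _small_int(f[1]),
            "etype": etype, "etype_name": ETYPE_NAMES.get(etype, "unknown"),
            "kvno": _small_int(e[1]) if 1 in e else None,
            "cipher_len": len(_der_tlv(e[2], 0)[1])}

def parse_gss_token(token_b64):
    """Describe a base64 context token as printed by `gss -i` / `gss -a`; ValueError if malformed."""
    buf = base64.b64decode(token_b64)
    tag, body, end = _der_tlv(buf, 0)
    if tag != 0x60 or end != len(buf):  # RFC 2743 3.1: [APPLICATION 0] IMPLICIT SEQUENCE, nothing trailing
        raise ValueError("not a well-formed InitialContextToken")
    tag, oid_raw, pos = _der_tlv(body, 0)
    if tag != 0x06:
        raise ValueError("InitialContextToken must begin with the mechanism OID")
    info = {"total_len": len(buf), "mech_oid": _decode_oid(oid_raw), "mech": "unknown"}
    if info["mech_oid"] != KRB5_MECH_OID:
        return info
    inner = body[pos:]
    tok_id = int.from_bytes(inner[:2], "big")  # RFC 4121 TOK_ID precedes the Kerberos message
    info.update(mech="Kerberos V5", tok_type=KRB5_TOK_IDS.get(tok_id, "unknown(0x%04x)" % tok_id))
    krb_tag, krb_body, _ = _der_tlv(inner, 2)
    if info["tok_type"] == "AP-REP" and krb_tag == 0x6F:  # [APPLICATION 15] AP-REP
        info.update(_parse_ap_rep(krb_body))
    return info

def is_initial_context_token(token_b64):
    """True when the token carries valid RFC 2743 framing and a mechanism this parser knows."""
    try:
        return parse_gss_token(token_b64)["mech"] != "unknown"
    except ValueError:
        return False

if __name__ == "__main__":
    for key, value in parse_gss_token(FINAL_TOKEN_B64).items():
        print("%-10s %s" % (key, value))
```

Run it as a script to print the fields. Only the plaintext envelope is decoded; the enc-part stays opaque without the service key, which is why a token seen in a log or on the wire reveals the mechanism and encryption type in use but not the session key. A token that fails the framing checks (wrong tag, length overrun, trailing bytes) is rejected before any mechanism-specific parsing, which is the order an acceptor should also follow.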
