5.11 The GS2-KRB5 mechanism

GS2 is a protocol bridge between GSS-API and SASL, and allows every GSS-API mechanism that supports mutual authentication and channel bindings to be used as a SASL mechanism. Currently GS2-KRB5 is supported, for Kerberos V5 authentication; however, our GS2 implementation is flexible enough to easily support other GSS-API mechanisms if any gain popularity.

In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the GSASL_AUTHZID, GSASL_SERVICE, and GSASL_HOSTNAME properties.

In the server, the mechanism requires the GSASL_SERVICE and GSASL_HOSTNAME properties, and it will invoke the GSASL_VALIDATE_GSSAPI callback property in order to validate the user. The callback may inspect the GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to authorize the user. Note that authentication is performed by the GSS-API library and that GSASL_AUTHID is not used by the server mechanism; its role is played by GSASL_GSSAPI_DISPLAY_NAME.
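The authorization decision the server callback has to make is the part GSS-API does not do for you: Kerberos has proven who the peer is (the display name), but whether that principal may act as the requested authorization identity is policy. The following C example is added here and is not part of GNU SASL; it implements one such policy as a stand-alone function (authzid must be empty or equal to the principal's primary, and the realm must be the constructed ALLOWED_REALM), and shows, under an assumed HAVE_GSASL guard, how it would be wired into a GSASL_VALIDATE_GSSAPI callback using the libgsasl callback signature and gsasl_property_get.

```c
#include <stdio.h>
#include <string.h>

/* Realm this server trusts; a constructed value for the example, not a GNU SASL setting. */
static const char *ALLOWED_REALM = "EXAMPLE.ORG";

/* Decide whether AUTHZID may act as the authenticated principal DISPLAY_NAME.
 * DISPLAY_NAME is the GSS-API display name as exported by Kerberos V5, i.e.
 * "primary@REALM" or "primary/instance@REALM".  A NULL or empty AUTHZID means
 * "act as myself".  Returns 1 to authorize, 0 to reject. */
int authorize_gssapi(const char *display_name, const char *authzid)
{
  const char *at;
  size_t primary_len;

  if (display_name == NULL)
    return 0;
  at = strrchr(display_name, '@');
  if (at == NULL || at == display_name || at[1] == '\0')
    return 0;                        /* no realm, or empty primary */
  if (strcmp(at + 1, ALLOWED_REALM) != 0)
    return 0;                        /* principal from a foreign realm */
  primary_len = (size_t) (at - display_name);
  if (authzid == NULL || authzid[0] == '\0')
    return 1;                        /* no impersonation requested */
  /* Exact match on the primary only; "alic" or "alicex" must not pass. */
  return strlen(authzid) == primary_len
         && strncmp(authzid, display_name, primary_len) == 0;
}

#ifdef HAVE_GSASL   /* hypothetical glue: compile with -DHAVE_GSASL -lgsasl */
#include <gsasl.h>

/* libgsasl callback: only GSASL_VALIDATE_GSSAPI is handled here. */
static int server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
{
  (void) ctx;
  if (prop != GSASL_VALIDATE_GSSAPI)
    return GSASL_NO_CALLBACK;
  /* GSASL_AUTHID is not set by the GS2-KRB5 server; use the display name. */
  return authorize_gssapi(gsasl_property_get(sctx, GSASL_GSSAPI_DISPLAY_NAME),
                          gsasl_property_get(sctx, GSASL_AUTHZID))
         ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;
}
#endif

int main(void)
{
  /* Constructed sample inputs. */
  printf("alice as herself: %d\n", authorize_gssapi("alice@EXAMPLE.ORG", NULL));
  printf("alice as bob:     %d\n", authorize_gssapi("alice@EXAMPLE.ORG", "bob"));
  printf("foreign realm:    %d\n", authorize_gssapi("alice@OTHER.ORG", "alice"));
  return 0;
}
```

The comparison is deliberately exact rather than prefix-based, and the realm check runs before anything else, so a principal from an untrusted realm is rejected even when it asks for no impersonation at all.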

The GS2 framework supports a variant of each mechanism, called the PLUS variant, which can also bind the authentication to a secure channel through channel bindings. Currently this is not supported by GNU SASL.

The GS2 mechanism family was specified in RFC 5801.