Difference between revisions of "Projects/GS2"

From K5Wiki
A test program is in src/tests/gssapi/t_saslname.c.
<pre>
[rand:src/tests/gssapi] lukeh% ./t_saslname
------------------------------------------------------------------------------
OID : { 1 2 840 113554 1 2 2 }
SASL mech: GS2-KRB5
Mech name: krb5
Mech desc: Kerberos 5 GSS-API Mechanism
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 5 1 5 2 }
SASL mech: GS2-KRB5
Mech name: krb5
Mech desc: Kerberos 5 GSS-API Mechanism
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 2 840 48018 1 2 2 }
SASL mech: GS2-KRB5
Mech name: krb5
Mech desc: Kerberos 5 GSS-API Mechanism
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 5 2 5 }
SASL mech: GS2-KRB5
Mech name: krb5
Mech desc: Kerberos 5 GSS-API Mechanism
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 5 5 2 }
SASL mech: SPNEGO
Mech name: spnego
Mech desc: Simple and Protected GSS-API Negotiation Mechanism
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 }
SASL mech: GS2-EAP
Mech name: eap
Mech desc: A GSS-API Mechanism for the Extensible Authentication Protocol
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 16 }
SASL mech: GS2-ZGMBGB5SLBQ
Mech name: eap-des3-cbc-sha1
Mech desc: A GSS-API Mechanism for the Extensible Authentication Protocol
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 17 }
SASL mech: GS2-EAP-AES128
Mech name: eap-aes128-cts-hmac-sha1-96
Mech desc: A GSS-API Mechanism for the Extensible Authentication Protocol
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 18 }
SASL mech: GS2-EAP-AES256
Mech name: eap-aes256-cts-hmac-sha1-96
Mech desc: A GSS-API Mechanism for the Extensible Authentication Protocol
------------------------------------------------------------------------------
------------------------------------------------------------------------------
OID : { 1 3 6 1 4 1 5322 21 1 23 }
SASL mech: GS2-6PUERUGDUSC
Mech name: eap-arcfour-hmac
Mech desc: A GSS-API Mechanism for the Extensible Authentication Protocol
------------------------------------------------------------------------------
</pre>
 

Revision as of 09:47, 25 September 2010

This is an early stage project for MIT Kerberos. It is being fleshed out by its proponents. Feel free to help flesh out the details of this project. After the project is ready, it will be presented for review and approval.


This project is targeted at release 1.9.


==Background==

Implement GSS_Inquire_SASLname_for_mech and GSS_Inquire_mech_for_SASLname as defined in [http://tools.ietf.org/html/draft-ietf-sasl-gs2-20 draft-ietf-sasl-gs2-20].

==Architecture==

These APIs provide a bidirectional mapping between GSS mechanism OIDs and SASL mechanism names. When a mechanism has no registered SASL name, the mechanism glue synthesises one from a base-32 encoding of the SHA-1 hash of the OID.

==Implementation==

The implementations live in src/lib/gssapi/mechglue/g_saslname.c.

<pre>
/* Map a mechanism OID to its SASL name, short name and description. */
OM_uint32 KRB5_CALLCONV gss_inquire_saslname_for_mech(
    OM_uint32     *minor_status,
    const gss_OID  desired_mech,      /* in: mechanism OID to look up */
    gss_buffer_t   sasl_mech_name,    /* out: SASL name, e.g. "GS2-KRB5" */
    gss_buffer_t   mech_name,         /* out: short mechanism name, e.g. "krb5" */
    gss_buffer_t   mech_description); /* out: human-readable description */

/* Map a SASL mechanism name back to a mechanism OID. */
OM_uint32 KRB5_CALLCONV gss_inquire_mech_for_saslname(
    OM_uint32           *minor_status,
    const gss_buffer_t   sasl_mech_name, /* in: SASL name to look up */
    gss_OID             *mech_type);     /* out: matching mechanism OID */
</pre>

If a mechanism does not provide the entry point, or returns GSS_S_BAD_MECH from it, the glue synthesises the SASL name as described under Architecture.

The Kerberos and SPNEGO mechanisms have been updated to return GS2-KRB5 and SPNEGO, respectively, as their SASL names.
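The mapping in both directions, as an added Python example (not the C code in g_saslname.c): the mechanism table is constructed from the t_saslname output above, and the synthesised-name rule (base32 of the first 55 bits of SHA-1 over the DER-encoded OID) is taken from draft-ietf-sasl-gs2 rather than from this page.

```python
import base64
import hashlib

def der_encode_oid(arcs):
    """DER-encode an OID given as a tuple of integer arcs: tag 0x06, length, body."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("malformed OID")
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])          # base-128, big-endian; high bit
        arc >>= 7                                # set on every byte but the last
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    if len(body) > 127:
        raise ValueError("OID too long for short-form DER length")
    return bytes([0x06, len(body)]) + bytes(body)

def synthesize_sasl_name(arcs):
    """GS2 fallback: 'GS2-' + base32 of the first 55 bits of SHA-1(DER(OID)).
    55 bits is exactly 11 base32 characters, so encode 7 digest bytes, keep 11."""
    digest = hashlib.sha1(der_encode_oid(arcs)).digest()
    return "GS2-" + base64.b32encode(digest[:7]).decode("ascii")[:11]

# Constructed mechanism table standing in for the loaded mechanisms: OID arcs ->
# the SASL name the mechanism reports itself, or None when it has no entry point
# (or returns GSS_S_BAD_MECH), in which case the glue synthesises the name.
MECHS = {
    (1, 2, 840, 113554, 1, 2, 2): "GS2-KRB5",          # krb5
    (1, 3, 6, 1, 5, 5, 2): "SPNEGO",                   # spnego
    (1, 3, 6, 1, 4, 1, 5322, 21, 1, 16): None,         # eap-des3-cbc-sha1
}

def saslname_for_mech(arcs):
    """Mirror of gss_inquire_saslname_for_mech: own name if registered, else synthesised."""
    if arcs not in MECHS:
        raise KeyError("unknown mechanism (GSS_S_BAD_MECH)")
    return MECHS[arcs] or synthesize_sasl_name(arcs)

def mech_for_saslname(sasl_name):
    """Mirror of gss_inquire_mech_for_saslname: first mechanism whose registered
    or synthesised SASL name matches, or None when nothing matches."""
    for arcs in MECHS:
        if saslname_for_mech(arcs) == sasl_name:
            return arcs
    return None

if __name__ == "__main__":
    for arcs in MECHS:
        print(".".join(map(str, arcs)), "->", saslname_for_mech(arcs))
```

The synthesised value for the eap-des3-cbc-sha1 OID can be compared with the GS2-ZGMBGB5SLBQ line in the t_saslname output above.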

==Status==

Implemented and tested with a prototype GS2 implementation, as well as a mechanism plugin.

A test program is in src/tests/gssapi/t_saslname.c.

==Examples==

A list of GS2 mechanisms.