Introduction to the Kerberos Products and GSS-API
Generic Security Service Application Programming Interface (GSS-API)
GSS-API is built on an open-systems architecture and therefore provides portability across a heterogeneous environment. This implementation supports all of the GSS-API calls specified in RFC 2743 and is delivered as a package of C-language interfaces as defined in RFC 2744, Generic Security Service API: C-bindings. The Kerberos Version 5 GSS-API mechanism is specified in RFC 1964.
GSS-API provides secure communication between two peers with a security context established by an exchange of tokens. As shown in Figure 2-5, GSS-API is independent of communication protocols. The GSS-API libraries on the two hosts are responsible for creating and processing the tokens, but the application is responsible for transporting the tokens between the client and the server.
Figure 2-5 GSS-API Operation (figure: on each host the application calls the GSS-API library, which sits above the available mechanisms, Mech-1 and Mech-2; the two hosts are joined by the application's own Transport layer, which carries the tokens)
It is the GSS-API caller's responsibility to transfer the GSS-API-provided data elements to the peer, to parse the messages it receives, and to separate GSS-API-related data elements from caller-provided data.
GSS-API produces two kinds of tokens for the caller to transport: context-level tokens and per-message tokens. The peer passes each received token to its own GSS-API library to obtain the result.
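The transport duty described above, as an added example that is not part of this manual: GSS-API hands the caller opaque tokens, so the caller must frame them for the wire and separate them from its own data on receipt. The frame layout (1-byte kind, 4-byte length, payload) and the 64 KiB size limit are assumptions for this example, not part of any RFC.

```python
# Added example: application-level framing for GSS-API tokens.
# Frame layout is an assumption: kind (1 byte), big-endian length (4 bytes), payload.
import struct

KIND_CONTEXT = 1   # context-level token (from gss_init_sec_context / gss_accept_sec_context)
KIND_MESSAGE = 2   # per-message token (from gss_wrap / gss_get_mic)
KIND_APPDATA = 3   # caller-provided data that GSS-API never sees
_KINDS = (KIND_CONTEXT, KIND_MESSAGE, KIND_APPDATA)

_HDR = struct.Struct("!BI")      # network byte order, no padding: 5 bytes
MAX_FRAME = 64 * 1024            # assumed upper bound; stops a corrupt header from
                                 # making the receiver wait for gigabytes

def frame(kind, payload):
    """Prefix a token or application payload so the peer can tell them apart."""
    if kind not in _KINDS:
        raise ValueError("unknown frame kind")
    if len(payload) > MAX_FRAME:
        raise ValueError("payload exceeds MAX_FRAME")
    return _HDR.pack(kind, len(payload)) + payload

def parse_frames(buf):
    """Split a received byte stream into complete (kind, payload) frames.

    Returns the frames and the unconsumed tail: a stream transport such as TCP
    may deliver one token across several reads, or several tokens in one read,
    so the caller keeps the tail and prepends it to the next read."""
    frames, pos = [], 0
    while len(buf) - pos >= _HDR.size:
        kind, length = _HDR.unpack_from(buf, pos)
        if kind not in _KINDS or length > MAX_FRAME:
            raise ValueError("corrupt frame header")
        if len(buf) - pos - _HDR.size < length:
            break                          # partial frame: wait for more bytes
        start = pos + _HDR.size
        frames.append((kind, bytes(buf[start:start + length])))
        pos = start + length
    return frames, bytes(buf[pos:])

def split_by_kind(frames):
    """Separate GSS-API data elements (to be passed to the local GSS-API
    library) from caller-provided data (handled by the application itself)."""
    gss = [p for k, p in frames if k != KIND_APPDATA]
    app = [p for k, p in frames if k == KIND_APPDATA]
    return gss, app
```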