Introduction to the Kerberos Products and GSS-API

Generic Security Service Application Programming Interface (GSS-API)

“Context Level Services” on page 71

“Authentication Services” on page 72

“Confidentiality Service” on page 72

“Support Services” on page 72

Credential Management Services

Credential management function calls acquire and release the credentials held by principals.

Applications are responsible for establishing a security mechanism based on the initial credentials. GSS-API mechanisms are responsible for management of credentials on the local machine.

The GSS-API function calls for credential management are:

gss_acquire_cred: Obtain credentials for use

gss_release_cred: Release credentials after use

gss_add_cred: Add credential elements incrementally

gss_inquire_cred: Display information about credentials

Context Level Services

Context level function calls manage a security context between peers. The context's initiator calls gss_init_sec_context(), which generates a token that the caller passes to the target. The target then passes that token to gss_accept_sec_context(). Depending on the options used, establishing the security context can take several exchanges of tokens.

The GSS-API context level function calls are:

gss_init_sec_context: Initiate outbound security context

gss_accept_sec_context: Accept inbound security context

gss_delete_sec_context: Remove context that is no longer needed

gss_export_sec_context: Transfer context to other process

gss_import_sec_context: Import context from other process

gss_inquire_context: Display information about context
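The token exchange described above, written out as an added example in Java's JGSS binding (this is not code from this document or from the products it describes): both sides of the establishment loop, assuming Kerberos credentials were already acquired through a JAAS login and that the caller supplies the connected socket and the host-based service name.

```java
import org.ietf.jgss.*;
import java.io.*;
import java.net.Socket;
// Added example, not the page's code. JGSS mirrors the C calls listed above:
// initSecContext() = gss_init_sec_context(), acceptSecContext() = gss_accept_sec_context().
// Assumes Kerberos credentials were already acquired (e.g. via JAAS Krb5LoginModule).
public class GssContextExchange {
    // Framing chosen by this example: 4-byte length, then the token bytes.
    static void sendToken(DataOutputStream out, byte[] tok) throws IOException {
        out.writeInt(tok.length); out.write(tok); out.flush();
    }
    static byte[] recvToken(DataInputStream in) throws IOException {
        byte[] tok = new byte[in.readInt()]; in.readFully(tok); return tok;
    }
    // Initiator: call initSecContext() until established, sending each output
    // token to the target and reading a reply whenever another leg is needed.
    static GSSContext initiate(GSSManager mgr, String service, Socket s)
            throws GSSException, IOException {
        DataInputStream in = new DataInputStream(s.getInputStream());
        DataOutputStream out = new DataOutputStream(s.getOutputStream());
        Oid krb5 = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        GSSName target = mgr.createName(service, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = mgr.createContext(target, krb5, null, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true); // adds a leg in which the target proves itself
        ctx.requestInteg(true); ctx.requestConf(true);
        byte[] tok = new byte[0];
        while (!ctx.isEstablished()) {
            tok = ctx.initSecContext(tok, 0, tok.length);
            if (tok != null) sendToken(out, tok);
            if (!ctx.isEstablished()) tok = recvToken(in);
        }
        // Check that the mechanism granted what was requested before using the context.
        if (!ctx.getMutualAuthState() || !ctx.getIntegState())
            throw new GSSException(GSSException.UNAVAILABLE);
        return ctx;
    }
    // Acceptor: feed each inbound token to acceptSecContext() and relay any
    // output token until established; then getSrcName() identifies the peer.
    static GSSContext accept(GSSManager mgr, Socket s) throws GSSException, IOException {
        DataInputStream in = new DataInputStream(s.getInputStream());
        DataOutputStream out = new DataOutputStream(s.getOutputStream());
        GSSContext ctx = mgr.createContext((GSSCredential) null); // default acceptor cred
        while (!ctx.isEstablished()) {
            byte[] tok = recvToken(in);
            byte[] reply = ctx.acceptSecContext(tok, 0, tok.length);
            if (reply != null) sendToken(out, reply);
        }
        return ctx; // release with ctx.dispose() when no longer needed
    }
}
```

Because a mechanism may silently downgrade requested flags, the initiator re-reads the granted state after the loop rather than assuming the request was honoured.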

Chapter 2

71