Module GSSAPI
- Description
This is pike glue for GSS-API ver 2 as specified in RFC 2743.
GSS-API is used to authenticate users and servers, and optionally also to encrypt communication between them. The API is generic and can be used without any knowledge of the actual implementation of these security services, which is typically provided by the operating system.
The most common implementation at the time of writing is Kerberos, which means that the main benefit of this API is to allow clients and servers to authenticate each other using Kerberos, thereby making single sign-on possible in a Kerberized environment.
All functions in this module that wrap GSS-API routines may throw GSSAPI.Error, and by default they do so for all such errors. Only in some special cases do they return when a GSS-API error has happened, and this is then noted in the documentation.
- Constant
INITIATE
Constant ACCEPT
Constant BOTH
constantintGSSAPI.INITIATE
constantintGSSAPI.ACCEPT
constantintGSSAPI.BOTH- Description
Flags for indicating how a GSSAPI.Cred object may be used:
- INITIATE
The credential can only be used to initiate security contexts (i.e. using GSSAPI.InitContext).
- ACCEPT
The credential can only be used to accept security contexts (i.e. using GSSAPI.AcceptContext).
- BOTH
The credential may be used both to initiate or accept security contexts.
- Constant
DELEG_FLAG
Constant MUTUAL_FLAG
Constant REPLAY_FLAG
Constant SEQUENCE_FLAG
Constant CONF_FLAG
Constant INTEG_FLAG
Constant ANON_FLAG
Constant PROT_READY_FLAG
Constant TRANS_FLAG
constantintGSSAPI.DELEG_FLAG
constantintGSSAPI.MUTUAL_FLAG
constantintGSSAPI.REPLAY_FLAG
constantintGSSAPI.SEQUENCE_FLAG
constantintGSSAPI.CONF_FLAG
constantintGSSAPI.INTEG_FLAG
constantintGSSAPI.ANON_FLAG
constantintGSSAPI.PROT_READY_FLAG
constantintGSSAPI.TRANS_FLAG- Description
Bitfield flags returned by e.g. GSSAPI.Context.services to denote various services that are available in the context.
Brief descriptions of the flags:
- GSSAPI.DELEG_FLAG
Delegation. See RFC 2743 section 1.2.9.
- GSSAPI.MUTUAL_FLAG
Mutual authentication (actually, acceptor authentication). See RFC 2743 section 1.1.1.3 and RFC 2743 section 1.2.5.
- GSSAPI.REPLAY_FLAG
Per-message replay detection. See RFC 2743 section 1.2.3.
- GSSAPI.SEQUENCE_FLAG
Per-message sequencing. See RFC 2743 section 1.2.3.
- GSSAPI.CONF_FLAG
Per-message confidentiality. See RFC 2743 section 1.2.2.
- GSSAPI.INTEG_FLAG
Per-message integrity. See RFC 2743 section 1.2.2.
- GSSAPI.ANON_FLAG
Anonymous authentication. See RFC 2743 section 1.2.5.
- GSSAPI.PROT_READY_FLAG
Might be set before the context establishment has finished, to denote that per-message protection already is available. See RFC 2743 section 1.2.7. Is always set in GSSAPI.Context and derived classes when the context is established.
- GSSAPI.TRANS_FLAG
The context can be transferred between processes using GSSAPI.Context.export. See RFC 2743 section 1.2.10.
- Constant
BAD_MECH
Constant BAD_NAME
Constant BAD_NAMETYPE
Constant BAD_BINDINGS
Constant BAD_STATUS
Constant BAD_SIG
Constant NO_CRED
Constant NO_CONTEXT
Constant DEFECTIVE_TOKEN
Constant DEFECTIVE_CREDENTIAL
Constant CREDENTIALS_EXPIRED
Constant CONTEXT_EXPIRED
Constant FAILURE
Constant BAD_QOP
Constant UNAUTHORIZED
Constant UNAVAILABLE
Constant DUPLICATE_ELEMENT
Constant NAME_NOT_MN
constantintGSSAPI.BAD_MECH
constantintGSSAPI.BAD_NAME
constantintGSSAPI.BAD_NAMETYPE
constantintGSSAPI.BAD_BINDINGS
constantintGSSAPI.BAD_STATUS
constantintGSSAPI.BAD_SIG
constantintGSSAPI.NO_CRED
constantintGSSAPI.NO_CONTEXT
constantintGSSAPI.DEFECTIVE_TOKEN
constantintGSSAPI.DEFECTIVE_CREDENTIAL
constantintGSSAPI.CREDENTIALS_EXPIRED
constantintGSSAPI.CONTEXT_EXPIRED
constantintGSSAPI.FAILURE
constantintGSSAPI.BAD_QOP
constantintGSSAPI.UNAUTHORIZED
constantintGSSAPI.UNAVAILABLE
constantintGSSAPI.DUPLICATE_ELEMENT
constantintGSSAPI.NAME_NOT_MN- Description
Constants for routine errors in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Note that major status codes have to be masked with GSSAPI.ERROR_MASK before comparison with these.
Brief descriptions of the flags:
- GSSAPI.BAD_BINDINGS
Channel binding mismatch.
- GSSAPI.BAD_MECH
Unsupported mechanism requested.
- GSSAPI.BAD_NAME
Invalid name provided.
- GSSAPI.BAD_NAMETYPE
Name of unsupported type provided.
- GSSAPI.BAD_STATUS
Invalid input status selector.
- GSSAPI.BAD_MIC
Token had invalid integrity check.
- GSSAPI.CONTEXT_EXPIRED
Specified security context expired.
- GSSAPI.CREDENTIALS_EXPIRED
Expired credentials detected.
- GSSAPI.DEFECTIVE_CREDENTIAL
Defective credential detected.
- GSSAPI.DEFECTIVE_TOKEN
Defective token detected.
- GSSAPI.FAILURE
Failure, unspecified at GSS-API level. GSSAPI.Error.minor_status should provide further details.
- GSSAPI.NO_CONTEXT
No valid security context specified.
- GSSAPI.NO_CRED
No valid credentials provided.
- GSSAPI.BAD_QOP
Unsupported QOP value.
- GSSAPI.UNAUTHORIZED
Operation unauthorized.
- GSSAPI.UNAVAILABLE
Operation unavailable.
- GSSAPI.DUPLICATE_ELEMENT
Duplicate credential element requested.
- GSSAPI.NAME_NOT_MN
Name contains multi-mechanism elements.
- Constant
CONTINUE_NEEDED
Constant DUPLICATE_TOKEN
Constant OLD_TOKEN
Constant UNSEQ_TOKEN
Constant GAP_TOKEN
constantintGSSAPI.CONTINUE_NEEDED
constantintGSSAPI.DUPLICATE_TOKEN
constantintGSSAPI.OLD_TOKEN
constantintGSSAPI.UNSEQ_TOKEN
constantintGSSAPI.GAP_TOKEN- Description
Bitfield flags for informatory codes in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Any combination of these might optionally be combined with one routine error constant to form a major status code.
Brief descriptions of the flags:
- GSSAPI.CONTINUE_NEEDED
Continuation call to routine required.
- GSSAPI.DUPLICATE_TOKEN
Duplicate per-message token detected.
- GSSAPI.OLD_TOKEN
Timed-out per-message token detected.
- GSSAPI.UNSEQ_TOKEN
Reordered (early) per-message token detected.
- GSSAPI.GAP_TOKEN
Skipped predecessor token(s) detected.
- Constant
ERROR_MASK
constantintGSSAPI.ERROR_MASK- Description
Bitfield mask for the routine error part of major status codes like GSSAPI.Error.major_status. After applying this mask, the status values may be compared to any of the routine error constants.
- Constant
INFO_MASK
constantintGSSAPI.INFO_MASK- Description
Bitfield mask for the informatory part of major status codes like GSSAPI.Error.major_status.
- Constant
NT_HOSTBASED_SERVICE
Constant NT_USER_NAME
Constant NT_MACHINE_UID_NAME
Constant NT_STRING_UID_NAME
Constant NT_ANONYMOUS
Constant NT_EXPORT_NAME
Constant KRB5_NT_PRINCIPAL_NAME
constantstringGSSAPI.NT_HOSTBASED_SERVICE
constantstringGSSAPI.NT_USER_NAME
constantstringGSSAPI.NT_MACHINE_UID_NAME
constantstringGSSAPI.NT_STRING_UID_NAME
constantstringGSSAPI.NT_ANONYMOUS
constantstringGSSAPI.NT_EXPORT_NAME
constantstringGSSAPI.KRB5_NT_PRINCIPAL_NAME- Description
OIDs on dotted-decimal form for the GSS-API mechanism-independent name types, and some selected mechanism-specific ones:
- NT_HOSTBASED_SERVICE
Name type for a service associated with a host computer. The syntax is service@hostname where the @hostname part may be omitted for the local host. See RFC 2743 section 4.1.
- NT_USER_NAME
Name type for a named user on a local system. The syntax is username. See RFC 2743 section 4.2.
- NT_MACHINE_UID_NAME
Name type for a numeric user identifier corresponding to a user on a local system. The string representing a name of this type should contain a locally-significant user ID, represented in host byte order. See RFC 2743 section 4.3.
- NT_STRING_UID_NAME
Name type for a string of digits representing the numeric user identifier of a user on a local system. This name type is similar to the Machine UID Form, except that the buffer contains a string representing the user ID. See RFC 2743 section 4.4.
- NT_ANONYMOUS
Name type to identify anonymous names. See RFC 2743 section 4.5.
- NT_EXPORT_NAME
Name type for the Mechanism-Independent Exported Name Object type, which is the type of the names returned by GSSAPI.Name.export. See RFC 2743 section 4.7.
- KRB5_NT_PRINCIPAL_NAME
Name type for a Kerberos principal. See RFC 1964 section 2.1.1.