Module GSSAPI

Description

This is pike glue for GSS-API ver 2 as specified in RFC 2743.

GSS-API is used to authenticate users and servers, and optionally also to encrypt communication between them. The API is generic and can be used without any knowledge of the actual implementation of these security services, which is typically provided by the operating system.

The most common implementation at the time of writing is Kerberos, which means that the main benefit of this API is to allow clients and servers to authenticate each other using Kerberos, thereby making single sign-on possible in a Kerberized environment.

All functions in this module that wrap GSS-API routines may throw GSSAPI.Error, and by default they do so for all such errors. Only in some special cases do they return when a GSS-API error has happened, and this is then noted in the documentation.


Constant INITIATE
Constant ACCEPT
Constant BOTH

constant int GSSAPI.INITIATE
constant int GSSAPI.ACCEPT
constant int GSSAPI.BOTH

Description

Flags for indicating how a GSSAPI.Cred object may be used:

INITIATE

The credential can only be used to initiate security contexts (i.e. using GSSAPI.InitContext).

ACCEPT

The credential can only be used to accept security contexts (i.e. using GSSAPI.AcceptContext).

BOTH

The credential may be used both to initiate or accept security contexts.


Constant DELEG_FLAG
Constant MUTUAL_FLAG
Constant REPLAY_FLAG
Constant SEQUENCE_FLAG
Constant CONF_FLAG
Constant INTEG_FLAG
Constant ANON_FLAG
Constant PROT_READY_FLAG
Constant TRANS_FLAG

constant int GSSAPI.DELEG_FLAG
constant int GSSAPI.MUTUAL_FLAG
constant int GSSAPI.REPLAY_FLAG
constant int GSSAPI.SEQUENCE_FLAG
constant int GSSAPI.CONF_FLAG
constant int GSSAPI.INTEG_FLAG
constant int GSSAPI.ANON_FLAG
constant int GSSAPI.PROT_READY_FLAG
constant int GSSAPI.TRANS_FLAG

Description

Bitfield flags returned by e.g. GSSAPI.Context.services to denote various services that are available in the context.

Brief descriptions of the flags:

GSSAPI.DELEG_FLAG

Delegation. See RFC 2743 section 1.2.9.

GSSAPI.MUTUAL_FLAG

Mutual authentication (actually, acceptor authentication). See RFC 2743 section 1.1.1.3 and RFC 2743 section 1.2.5.

GSSAPI.REPLAY_FLAG

Per-message replay detection. See RFC 2743 section 1.2.3.

GSSAPI.SEQUENCE_FLAG

Per-message sequencing. See RFC 2743 section 1.2.3.

GSSAPI.CONF_FLAG

Per-message confidentiality. See RFC 2743 section 1.2.2.

GSSAPI.INTEG_FLAG

Per-message integrity. See RFC 2743 section 1.2.2.

GSSAPI.ANON_FLAG

Anonymous authentication. See RFC 2743 section 1.2.5.

GSSAPI.PROT_READY_FLAG

Might be set before the context establishment has finished, to denote that per-message protection is already available. See RFC 2743 section 1.2.7. It is always set in GSSAPI.Context and derived classes once the context is established.

GSSAPI.TRANS_FLAG

The context can be transferred between processes using GSSAPI.Context.export. See RFC 2743 section 1.2.10.


Constant BAD_MECH
Constant BAD_NAME
Constant BAD_NAMETYPE
Constant BAD_BINDINGS
Constant BAD_STATUS
Constant BAD_SIG
Constant NO_CRED
Constant NO_CONTEXT
Constant DEFECTIVE_TOKEN
Constant DEFECTIVE_CREDENTIAL
Constant CREDENTIALS_EXPIRED
Constant CONTEXT_EXPIRED
Constant FAILURE
Constant BAD_QOP
Constant UNAUTHORIZED
Constant UNAVAILABLE
Constant DUPLICATE_ELEMENT
Constant NAME_NOT_MN

constant int GSSAPI.BAD_MECH
constant int GSSAPI.BAD_NAME
constant int GSSAPI.BAD_NAMETYPE
constant int GSSAPI.BAD_BINDINGS
constant int GSSAPI.BAD_STATUS
constant int GSSAPI.BAD_SIG
constant int GSSAPI.NO_CRED
constant int GSSAPI.NO_CONTEXT
constant int GSSAPI.DEFECTIVE_TOKEN
constant int GSSAPI.DEFECTIVE_CREDENTIAL
constant int GSSAPI.CREDENTIALS_EXPIRED
constant int GSSAPI.CONTEXT_EXPIRED
constant int GSSAPI.FAILURE
constant int GSSAPI.BAD_QOP
constant int GSSAPI.UNAUTHORIZED
constant int GSSAPI.UNAVAILABLE
constant int GSSAPI.DUPLICATE_ELEMENT
constant int GSSAPI.NAME_NOT_MN

Description

Constants for routine errors in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Note that major status codes have to be masked with GSSAPI.ERROR_MASK before comparison with these.

Brief descriptions of the constants:

GSSAPI.BAD_BINDINGS

Channel binding mismatch.

GSSAPI.BAD_MECH

Unsupported mechanism requested.

GSSAPI.BAD_NAME

Invalid name provided.

GSSAPI.BAD_NAMETYPE

Name of unsupported type provided.

GSSAPI.BAD_STATUS

Invalid input status selector.

GSSAPI.BAD_SIG

Token had invalid integrity check. RFC 2743 lists this code as GSS_S_BAD_MIC; GSS_S_BAD_SIG and GSS_S_BAD_MIC denote the same value.

GSSAPI.CONTEXT_EXPIRED

Specified security context expired.

GSSAPI.CREDENTIALS_EXPIRED

Expired credentials detected.

GSSAPI.DEFECTIVE_CREDENTIAL

Defective credential detected.

GSSAPI.DEFECTIVE_TOKEN

Defective token detected.

GSSAPI.FAILURE

Failure, unspecified at GSS-API level. GSSAPI.Error.minor_status should provide further details.

GSSAPI.NO_CONTEXT

No valid security context specified.

GSSAPI.NO_CRED

No valid credentials provided.

GSSAPI.BAD_QOP

Unsupported QOP value.

GSSAPI.UNAUTHORIZED

Operation unauthorized.

GSSAPI.UNAVAILABLE

Operation unavailable.

GSSAPI.DUPLICATE_ELEMENT

Duplicate credential element requested.

GSSAPI.NAME_NOT_MN

Name contains multi-mechanism elements.


Constant CONTINUE_NEEDED
Constant DUPLICATE_TOKEN
Constant OLD_TOKEN
Constant UNSEQ_TOKEN
Constant GAP_TOKEN

constant int GSSAPI.CONTINUE_NEEDED
constant int GSSAPI.DUPLICATE_TOKEN
constant int GSSAPI.OLD_TOKEN
constant int GSSAPI.UNSEQ_TOKEN
constant int GSSAPI.GAP_TOKEN

Description

Bitfield flags for informatory codes in major status codes like GSSAPI.Error.major_status. See RFC 2743 section 1.2.1.1. Any combination of these may be combined with at most one routine error constant to form a major status code.

Brief descriptions of the flags:

GSSAPI.CONTINUE_NEEDED

Continuation call to routine required.

GSSAPI.DUPLICATE_TOKEN

Duplicate per-message token detected.

GSSAPI.OLD_TOKEN

Timed-out per-message token detected.

GSSAPI.UNSEQ_TOKEN

Reordered (early) per-message token detected.

GSSAPI.GAP_TOKEN

Skipped predecessor token(s) detected.


Constant ERROR_MASK

constant int GSSAPI.ERROR_MASK

Description

Bitfield mask for the routine error part of major status codes like GSSAPI.Error.major_status. After applying this mask, the status values may be compared to any of the routine error constants.


Constant INFO_MASK

constant int GSSAPI.INFO_MASK

Description

Bitfield mask for the informatory part of major status codes like GSSAPI.Error.major_status.
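The status-code layout described here, under the routine error constants and under the informatory flags above, as an added example in C (not code from the Pike module or its documentation): it splits a major status into its routine error and informatory parts using the bit positions from RFC 2743 section 1.2.1.1, and shows why a status must be masked before it is compared with an error constant. The numeric values are the RFC's; that they equal what the Pike module exports is an assumption.

```c
#include <stdint.h>

/* Layout of a GSS-API major status code, RFC 2743 section 1.2.1.1:
 * bits 31..24 calling error, bits 23..16 routine error, bits 15..0
 * informatory flags. These masks play the role of GSSAPI.ERROR_MASK and
 * GSSAPI.INFO_MASK; the numeric values are the RFC's and are assumed
 * (not verified here) to match what the Pike module exports. */
#define ROUTINE_SHIFT 16
#define CALLING_MASK  (0xFFu << 24)
#define ERROR_MASK    (0xFFu << ROUTINE_SHIFT)
#define INFO_MASK     0xFFFFu

/* A few routine error constants, numbered as in the RFC (1..18). */
#define BAD_MECH        (1u << ROUTINE_SHIFT)
#define BAD_SIG         (6u << ROUTINE_SHIFT)
#define DEFECTIVE_TOKEN (9u << ROUTINE_SHIFT)
#define FAILURE         (13u << ROUTINE_SHIFT)

/* Informatory flags; any combination may accompany one routine error. */
#define CONTINUE_NEEDED 0x01u
#define DUPLICATE_TOKEN 0x02u
#define OLD_TOKEN       0x04u
#define UNSEQ_TOKEN     0x08u
#define GAP_TOKEN       0x10u

/* The routine error part: compare THIS to the error constants, never the
 * raw status, since FAILURE | OLD_TOKEN != FAILURE. */
uint32_t routine_error(uint32_t major) { return major & ERROR_MASK; }

/* The informatory part: zero or more of the flags above. */
uint32_t info_flags(uint32_t major) { return major & INFO_MASK; }

/* A routine failed only if it reports a calling or routine error; a bare
 * CONTINUE_NEEDED from the init/accept loop is not a failure. */
int is_error(uint32_t major) { return (major & (CALLING_MASK | ERROR_MASK)) != 0; }

/* Outcome of an unwrap/verify call on a context with REPLAY_FLAG and
 * SEQUENCE_FLAG in effect, where replayed or reordered tokens show up as
 * informatory flags on an otherwise successful status:
 *   -1 hard error, 1 drop as replay (duplicate or timed-out token),
 *    2 deliver but log the reordering or gap, 0 deliver normally. */
int classify_unwrap(uint32_t major)
{
    if (is_error(major)) return -1;
    if (info_flags(major) & (DUPLICATE_TOKEN | OLD_TOKEN)) return 1;
    if (info_flags(major) & (UNSEQ_TOKEN | GAP_TOKEN)) return 2;
    return 0;
}
```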


Constant NT_HOSTBASED_SERVICE
Constant NT_USER_NAME
Constant NT_MACHINE_UID_NAME
Constant NT_STRING_UID_NAME
Constant NT_ANONYMOUS
Constant NT_EXPORT_NAME
Constant KRB5_NT_PRINCIPAL_NAME

constant string GSSAPI.NT_HOSTBASED_SERVICE
constant string GSSAPI.NT_USER_NAME
constant string GSSAPI.NT_MACHINE_UID_NAME
constant string GSSAPI.NT_STRING_UID_NAME
constant string GSSAPI.NT_ANONYMOUS
constant string GSSAPI.NT_EXPORT_NAME
constant string GSSAPI.KRB5_NT_PRINCIPAL_NAME

Description

OIDs in dotted-decimal form for the GSS-API mechanism-independent name types, and some selected mechanism-specific ones:

NT_HOSTBASED_SERVICE

Name type for a service associated with a host computer. The syntax is service@hostname where the @hostname part may be omitted for the local host. See RFC 2743 section 4.1.

NT_USER_NAME

Name type for a named user on a local system. The syntax is username. See RFC 2743 section 4.2.

NT_MACHINE_UID_NAME

Name type for a numeric user identifier corresponding to a user on a local system. The string representing a name of this type should contain a locally-significant user ID, represented in host byte order. See RFC 2743 section 4.3.

NT_STRING_UID_NAME

Name type for a string of digits representing the numeric user identifier of a user on a local system. This name type is similar to the Machine UID Form, except that the buffer contains a string representing the user ID. See RFC 2743 section 4.4.

NT_ANONYMOUS

Name type to identify anonymous names. See RFC 2743 section 4.5.

NT_EXPORT_NAME

Name type for the Mechanism-Independent Exported Name Object type, which is the type of the names returned by GSSAPI.Name.export. See RFC 2743 section 4.7.

KRB5_NT_PRINCIPAL_NAME

Name type for a Kerberos principal. See RFC 1964 section 2.1.1.