1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<link rel="stylesheet" href="style.css" type="text/css">
<meta content="text/html; charset=iso-8859-1" http-equiv="Content-Type">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="Start" href="index.html">
<link rel="previous" href="Credentials.html">
<link rel="next" href="Ocamlnet4.html">
<link rel="Up" href="index.html">
<link title="Index of types" rel=Appendix href="index_types.html">
<link title="Index of extensions" rel=Appendix href="index_extensions.html">
<link title="Index of exceptions" rel=Appendix href="index_exceptions.html">
<link title="Index of values" rel=Appendix href="index_values.html">
<link title="Index of class attributes" rel=Appendix href="index_attributes.html">
<link title="Index of class methods" rel=Appendix href="index_methods.html">
<link title="Index of classes" rel=Appendix href="index_classes.html">
<link title="Index of class types" rel=Appendix href="index_class_types.html">
<link title="Index of modules" rel=Appendix href="index_modules.html">
<link title="Index of module types" rel=Appendix href="index_module_types.html">
<link title="Uq_gtk" rel="Chapter" href="Uq_gtk.html">
<link title="Uq_tcl" rel="Chapter" href="Uq_tcl.html">
<link title="Equeue" rel="Chapter" href="Equeue.html">
<link title="Unixqueue" rel="Chapter" href="Unixqueue.html">
<link title="Unixqueue_pollset" rel="Chapter" href="Unixqueue_pollset.html">
<link title="Unixqueue_select" rel="Chapter" href="Unixqueue_select.html">
<link title="Uq_resolver" rel="Chapter" href="Uq_resolver.html">
<link title="Uq_engines" rel="Chapter" href="Uq_engines.html">
<link title="Uq_multiplex" rel="Chapter" href="Uq_multiplex.html">
<link title="Uq_transfer" rel="Chapter" href="Uq_transfer.html">
<link title="Uq_socks5" rel="Chapter" href="Uq_socks5.html">
<link title="Uq_io" rel="Chapter" href="Uq_io.html">
<link title="Uq_lwt" rel="Chapter" href="Uq_lwt.html">
<link title="Uq_libevent" rel="Chapter" href="Uq_libevent.html">
<link title="Uq_mt" rel="Chapter" href="Uq_mt.html">
<link title="Uq_client" rel="Chapter" href="Uq_client.html">
<link title="Uq_server" rel="Chapter" href="Uq_server.html">
<link title="Uq_datagram" rel="Chapter" href="Uq_datagram.html">
<link title="Uq_engines_compat" rel="Chapter" href="Uq_engines_compat.html">
<link title="Equeue_intro" rel="Chapter" href="Equeue_intro.html">
<link title="Equeue_howto" rel="Chapter" href="Equeue_howto.html">
<link title="Netcamlbox" rel="Chapter" href="Netcamlbox.html">
<link title="Netcgi_apache" rel="Chapter" href="Netcgi_apache.html">
<link title="Netcgi_modtpl" rel="Chapter" href="Netcgi_modtpl.html">
<link title="Netcgi_plex" rel="Chapter" href="Netcgi_plex.html">
<link title="Netcgi_common" rel="Chapter" href="Netcgi_common.html">
<link title="Netcgi" rel="Chapter" href="Netcgi.html">
<link title="Netcgi_ajp" rel="Chapter" href="Netcgi_ajp.html">
<link title="Netcgi_scgi" rel="Chapter" href="Netcgi_scgi.html">
<link title="Netcgi_cgi" rel="Chapter" href="Netcgi_cgi.html">
<link title="Netcgi_fcgi" rel="Chapter" href="Netcgi_fcgi.html">
<link title="Netcgi_dbi" rel="Chapter" href="Netcgi_dbi.html">
<link title="Netcgi1_compat" rel="Chapter" href="Netcgi1_compat.html">
<link title="Netcgi_test" rel="Chapter" href="Netcgi_test.html">
<link title="Netcgi_porting" rel="Chapter" href="Netcgi_porting.html">
<link title="Nethttp_client_conncache" rel="Chapter" href="Nethttp_client_conncache.html">
<link title="Nethttp_client" rel="Chapter" href="Nethttp_client.html">
<link title="Nettelnet_client" rel="Chapter" href="Nettelnet_client.html">
<link title="Netftp_data_endpoint" rel="Chapter" href="Netftp_data_endpoint.html">
<link title="Netftp_client" rel="Chapter" href="Netftp_client.html">
<link title="Nethttp_fs" rel="Chapter" href="Nethttp_fs.html">
<link title="Netftp_fs" rel="Chapter" href="Netftp_fs.html">
<link title="Netsmtp" rel="Chapter" href="Netsmtp.html">
<link title="Netpop" rel="Chapter" href="Netpop.html">
<link title="Netldap" rel="Chapter" href="Netldap.html">
<link title="Netclient_tut" rel="Chapter" href="Netclient_tut.html">
<link title="Netgss_bindings" rel="Chapter" href="Netgss_bindings.html">
<link title="Netgss" rel="Chapter" href="Netgss.html">
<link title="Nethttpd_types" rel="Chapter" href="Nethttpd_types.html">
<link title="Nethttpd_kernel" rel="Chapter" href="Nethttpd_kernel.html">
<link title="Nethttpd_reactor" rel="Chapter" href="Nethttpd_reactor.html">
<link title="Nethttpd_engine" rel="Chapter" href="Nethttpd_engine.html">
<link title="Nethttpd_services" rel="Chapter" href="Nethttpd_services.html">
<link title="Nethttpd_plex" rel="Chapter" href="Nethttpd_plex.html">
<link title="Nethttpd_util" rel="Chapter" href="Nethttpd_util.html">
<link title="Nethttpd_intro" rel="Chapter" href="Nethttpd_intro.html">
<link title="Netmcore" rel="Chapter" href="Netmcore.html">
<link title="Netmcore_camlbox" rel="Chapter" href="Netmcore_camlbox.html">
<link title="Netmcore_mempool" rel="Chapter" href="Netmcore_mempool.html">
<link title="Netmcore_heap" rel="Chapter" href="Netmcore_heap.html">
<link title="Netmcore_ref" rel="Chapter" href="Netmcore_ref.html">
<link title="Netmcore_array" rel="Chapter" href="Netmcore_array.html">
<link title="Netmcore_sem" rel="Chapter" href="Netmcore_sem.html">
<link title="Netmcore_mutex" rel="Chapter" href="Netmcore_mutex.html">
<link title="Netmcore_condition" rel="Chapter" href="Netmcore_condition.html">
<link title="Netmcore_queue" rel="Chapter" href="Netmcore_queue.html">
<link title="Netmcore_buffer" rel="Chapter" href="Netmcore_buffer.html">
<link title="Netmcore_matrix" rel="Chapter" href="Netmcore_matrix.html">
<link title="Netmcore_hashtbl" rel="Chapter" href="Netmcore_hashtbl.html">
<link title="Netmcore_process" rel="Chapter" href="Netmcore_process.html">
<link title="Netmcore_tut" rel="Chapter" href="Netmcore_tut.html">
<link title="Netmcore_basics" rel="Chapter" href="Netmcore_basics.html">
<link title="Netplex_types" rel="Chapter" href="Netplex_types.html">
<link title="Netplex_mp" rel="Chapter" href="Netplex_mp.html">
<link title="Netplex_mt" rel="Chapter" href="Netplex_mt.html">
<link title="Netplex_log" rel="Chapter" href="Netplex_log.html">
<link title="Netplex_controller" rel="Chapter" href="Netplex_controller.html">
<link title="Netplex_container" rel="Chapter" href="Netplex_container.html">
<link title="Netplex_sockserv" rel="Chapter" href="Netplex_sockserv.html">
<link title="Netplex_workload" rel="Chapter" href="Netplex_workload.html">
<link title="Netplex_main" rel="Chapter" href="Netplex_main.html">
<link title="Netplex_config" rel="Chapter" href="Netplex_config.html">
<link title="Netplex_kit" rel="Chapter" href="Netplex_kit.html">
<link title="Rpc_netplex" rel="Chapter" href="Rpc_netplex.html">
<link title="Netplex_cenv" rel="Chapter" href="Netplex_cenv.html">
<link title="Netplex_semaphore" rel="Chapter" href="Netplex_semaphore.html">
<link title="Netplex_sharedvar" rel="Chapter" href="Netplex_sharedvar.html">
<link title="Netplex_mutex" rel="Chapter" href="Netplex_mutex.html">
<link title="Netplex_encap" rel="Chapter" href="Netplex_encap.html">
<link title="Netplex_mbox" rel="Chapter" href="Netplex_mbox.html">
<link title="Netplex_internal" rel="Chapter" href="Netplex_internal.html">
<link title="Netplex_intro" rel="Chapter" href="Netplex_intro.html">
<link title="Netplex_advanced" rel="Chapter" href="Netplex_advanced.html">
<link title="Netplex_admin" rel="Chapter" href="Netplex_admin.html">
<link title="Netshm" rel="Chapter" href="Netshm.html">
<link title="Netshm_data" rel="Chapter" href="Netshm_data.html">
<link title="Netshm_hashtbl" rel="Chapter" href="Netshm_hashtbl.html">
<link title="Netshm_array" rel="Chapter" href="Netshm_array.html">
<link title="Netshm_intro" rel="Chapter" href="Netshm_intro.html">
<link title="Netstring_pcre" rel="Chapter" href="Netstring_pcre.html">
<link title="Netconversion" rel="Chapter" href="Netconversion.html">
<link title="Netchannels" rel="Chapter" href="Netchannels.html">
<link title="Netstream" rel="Chapter" href="Netstream.html">
<link title="Netmime_string" rel="Chapter" href="Netmime_string.html">
<link title="Netmime" rel="Chapter" href="Netmime.html">
<link title="Netsendmail" rel="Chapter" href="Netsendmail.html">
<link title="Neturl" rel="Chapter" href="Neturl.html">
<link title="Netaddress" rel="Chapter" href="Netaddress.html">
<link title="Netbuffer" rel="Chapter" href="Netbuffer.html">
<link title="Netmime_header" rel="Chapter" href="Netmime_header.html">
<link title="Netmime_channels" rel="Chapter" href="Netmime_channels.html">
<link title="Neturl_ldap" rel="Chapter" href="Neturl_ldap.html">
<link title="Netdate" rel="Chapter" href="Netdate.html">
<link title="Netencoding" rel="Chapter" href="Netencoding.html">
<link title="Netulex" rel="Chapter" href="Netulex.html">
<link title="Netaccel" rel="Chapter" href="Netaccel.html">
<link title="Netaccel_link" rel="Chapter" href="Netaccel_link.html">
<link title="Nethtml" rel="Chapter" href="Nethtml.html">
<link title="Netstring_str" rel="Chapter" href="Netstring_str.html">
<link title="Netmappings" rel="Chapter" href="Netmappings.html">
<link title="Netaux" rel="Chapter" href="Netaux.html">
<link title="Nethttp" rel="Chapter" href="Nethttp.html">
<link title="Netpagebuffer" rel="Chapter" href="Netpagebuffer.html">
<link title="Netfs" rel="Chapter" href="Netfs.html">
<link title="Netglob" rel="Chapter" href="Netglob.html">
<link title="Netauth" rel="Chapter" href="Netauth.html">
<link title="Netsockaddr" rel="Chapter" href="Netsockaddr.html">
<link title="Netnumber" rel="Chapter" href="Netnumber.html">
<link title="Netxdr_mstring" rel="Chapter" href="Netxdr_mstring.html">
<link title="Netxdr" rel="Chapter" href="Netxdr.html">
<link title="Netcompression" rel="Chapter" href="Netcompression.html">
<link title="Netunichar" rel="Chapter" href="Netunichar.html">
<link title="Netasn1" rel="Chapter" href="Netasn1.html">
<link title="Netasn1_encode" rel="Chapter" href="Netasn1_encode.html">
<link title="Netoid" rel="Chapter" href="Netoid.html">
<link title="Netstring_tstring" rel="Chapter" href="Netstring_tstring.html">
<link title="Netdn" rel="Chapter" href="Netdn.html">
<link title="Netx509" rel="Chapter" href="Netx509.html">
<link title="Netascii_armor" rel="Chapter" href="Netascii_armor.html">
<link title="Nettls_support" rel="Chapter" href="Nettls_support.html">
<link title="Netmech_scram" rel="Chapter" href="Netmech_scram.html">
<link title="Netmech_scram_gssapi" rel="Chapter" href="Netmech_scram_gssapi.html">
<link title="Netmech_scram_sasl" rel="Chapter" href="Netmech_scram_sasl.html">
<link title="Netmech_scram_http" rel="Chapter" href="Netmech_scram_http.html">
<link title="Netgssapi_support" rel="Chapter" href="Netgssapi_support.html">
<link title="Netgssapi_auth" rel="Chapter" href="Netgssapi_auth.html">
<link title="Netchannels_crypto" rel="Chapter" href="Netchannels_crypto.html">
<link title="Netx509_pubkey" rel="Chapter" href="Netx509_pubkey.html">
<link title="Netx509_pubkey_crypto" rel="Chapter" href="Netx509_pubkey_crypto.html">
<link title="Netsaslprep" rel="Chapter" href="Netsaslprep.html">
<link title="Netmech_plain_sasl" rel="Chapter" href="Netmech_plain_sasl.html">
<link title="Netmech_crammd5_sasl" rel="Chapter" href="Netmech_crammd5_sasl.html">
<link title="Netmech_digest_sasl" rel="Chapter" href="Netmech_digest_sasl.html">
<link title="Netmech_digest_http" rel="Chapter" href="Netmech_digest_http.html">
<link title="Netmech_krb5_sasl" rel="Chapter" href="Netmech_krb5_sasl.html">
<link title="Netmech_gs2_sasl" rel="Chapter" href="Netmech_gs2_sasl.html">
<link title="Netmech_spnego_http" rel="Chapter" href="Netmech_spnego_http.html">
<link title="Netchannels_tut" rel="Chapter" href="Netchannels_tut.html">
<link title="Netmime_tut" rel="Chapter" href="Netmime_tut.html">
<link title="Netsendmail_tut" rel="Chapter" href="Netsendmail_tut.html">
<link title="Netulex_tut" rel="Chapter" href="Netulex_tut.html">
<link title="Neturl_tut" rel="Chapter" href="Neturl_tut.html">
<link title="Netsys" rel="Chapter" href="Netsys.html">
<link title="Netsys_posix" rel="Chapter" href="Netsys_posix.html">
<link title="Netsys_pollset" rel="Chapter" href="Netsys_pollset.html">
<link title="Netlog" rel="Chapter" href="Netlog.html">
<link title="Netexn" rel="Chapter" href="Netexn.html">
<link title="Netsys_win32" rel="Chapter" href="Netsys_win32.html">
<link title="Netsys_pollset_posix" rel="Chapter" href="Netsys_pollset_posix.html">
<link title="Netsys_pollset_win32" rel="Chapter" href="Netsys_pollset_win32.html">
<link title="Netsys_pollset_generic" rel="Chapter" href="Netsys_pollset_generic.html">
<link title="Netsys_signal" rel="Chapter" href="Netsys_signal.html">
<link title="Netsys_oothr" rel="Chapter" href="Netsys_oothr.html">
<link title="Netsys_xdr" rel="Chapter" href="Netsys_xdr.html">
<link title="Netsys_rng" rel="Chapter" href="Netsys_rng.html">
<link title="Netsys_crypto_types" rel="Chapter" href="Netsys_crypto_types.html">
<link title="Netsys_types" rel="Chapter" href="Netsys_types.html">
<link title="Netsys_mem" rel="Chapter" href="Netsys_mem.html">
<link title="Netsys_tmp" rel="Chapter" href="Netsys_tmp.html">
<link title="Netsys_sem" rel="Chapter" href="Netsys_sem.html">
<link title="Netsys_pmanage" rel="Chapter" href="Netsys_pmanage.html">
<link title="Netsys_crypto" rel="Chapter" href="Netsys_crypto.html">
<link title="Netsys_tls" rel="Chapter" href="Netsys_tls.html">
<link title="Netsys_ciphers" rel="Chapter" href="Netsys_ciphers.html">
<link title="Netsys_digests" rel="Chapter" href="Netsys_digests.html">
<link title="Netsys_crypto_modes" rel="Chapter" href="Netsys_crypto_modes.html">
<link title="Netsys_gssapi" rel="Chapter" href="Netsys_gssapi.html">
<link title="Netsys_sasl_types" rel="Chapter" href="Netsys_sasl_types.html">
<link title="Netsys_sasl" rel="Chapter" href="Netsys_sasl.html">
<link title="Netsys_polypipe" rel="Chapter" href="Netsys_polypipe.html">
<link title="Netsys_polysocket" rel="Chapter" href="Netsys_polysocket.html">
<link title="Netsys_global" rel="Chapter" href="Netsys_global.html">
<link title="Nettls_gnutls_bindings" rel="Chapter" href="Nettls_gnutls_bindings.html">
<link title="Nettls_nettle_bindings" rel="Chapter" href="Nettls_nettle_bindings.html">
<link title="Nettls_gnutls" rel="Chapter" href="Nettls_gnutls.html">
<link title="Netunidata" rel="Chapter" href="Netunidata.html">
<link title="Netgzip" rel="Chapter" href="Netgzip.html">
<link title="Rpc_auth_local" rel="Chapter" href="Rpc_auth_local.html">
<link title="Rpc_xti_client" rel="Chapter" href="Rpc_xti_client.html">
<link title="Rpc" rel="Chapter" href="Rpc.html">
<link title="Rpc_program" rel="Chapter" href="Rpc_program.html">
<link title="Rpc_util" rel="Chapter" href="Rpc_util.html">
<link title="Rpc_portmapper_aux" rel="Chapter" href="Rpc_portmapper_aux.html">
<link title="Rpc_packer" rel="Chapter" href="Rpc_packer.html">
<link title="Rpc_transport" rel="Chapter" href="Rpc_transport.html">
<link title="Rpc_client" rel="Chapter" href="Rpc_client.html">
<link title="Rpc_simple_client" rel="Chapter" href="Rpc_simple_client.html">
<link title="Rpc_portmapper_clnt" rel="Chapter" href="Rpc_portmapper_clnt.html">
<link title="Rpc_portmapper" rel="Chapter" href="Rpc_portmapper.html">
<link title="Rpc_server" rel="Chapter" href="Rpc_server.html">
<link title="Rpc_auth_sys" rel="Chapter" href="Rpc_auth_sys.html">
<link title="Rpc_auth_gssapi" rel="Chapter" href="Rpc_auth_gssapi.html">
<link title="Rpc_proxy" rel="Chapter" href="Rpc_proxy.html">
<link title="Rpc_intro" rel="Chapter" href="Rpc_intro.html">
<link title="Rpc_mapping_ref" rel="Chapter" href="Rpc_mapping_ref.html">
<link title="Rpc_intro_gss" rel="Chapter" href="Rpc_intro_gss.html">
<link title="Shell_sys" rel="Chapter" href="Shell_sys.html">
<link title="Shell" rel="Chapter" href="Shell.html">
<link title="Shell_uq" rel="Chapter" href="Shell_uq.html">
<link title="Shell_fs" rel="Chapter" href="Shell_fs.html">
<link title="Shell_intro" rel="Chapter" href="Shell_intro.html">
<link title="Intro" rel="Chapter" href="Intro.html">
<link title="Platform" rel="Chapter" href="Platform.html">
<link title="Foreword" rel="Chapter" href="Foreword.html">
<link title="Ipv6" rel="Chapter" href="Ipv6.html">
<link title="Regexp" rel="Chapter" href="Regexp.html">
<link title="Tls" rel="Chapter" href="Tls.html">
<link title="Crypto" rel="Chapter" href="Crypto.html">
<link title="Authentication" rel="Chapter" href="Authentication.html">
<link title="Credentials" rel="Chapter" href="Credentials.html">
<link title="Gssapi" rel="Chapter" href="Gssapi.html">
<link title="Ocamlnet4" rel="Chapter" href="Ocamlnet4.html">
<link title="Get" rel="Chapter" href="Get.html"><title>Ocamlnet 4 Reference Manual : Gssapi</title>
</head>
<body>
<div class="navbar"><a class="pre" href="Credentials.html" title="Credentials">Previous</a>
<a class="up" href="index.html" title="Index">Up</a>
<a class="post" href="Ocamlnet4.html" title="Ocamlnet4">Next</a>
</div>
<h1>Gssapi</h1>
<div class="info-desc">
<h2 id="1_TheGSSAPI">The GSSAPI</h2>
<p>The GSSAPI is a cryptographic API allowing the authentication of
clients and servers, and provides integrity and privacy protection of
messages. There is often already a GSSAPI library installed on system
level (e.g. MIT Kerberos or Heimdal), and this library provides such
services in a portable way. There are many crypto mechanisms specified
for GSSAPI, and worthwhile to mention are:</p>
<ul>
<li>Kerberos 5</li>
<li>SPNEGO</li>
<li>SCRAM</li>
</ul>
<p>The GSSAPI as such is a C API. OCamlnet defines the "OCamlized" version
<a href="Netsys_gssapi.GSSAPI.html"><code class="code">Netsys_gssapi.GSSAPI</code></a> as a first-class module. We don't want to go here
into detail how the GSSAPI functions are called, but instead explain how
you can use the GSSAPI together with the network protocol implementations
in OCamlnet.</p>
<p><b>OPAM users</b>: Note that the OPAM package for OCamlnet does not
build the GSSAPI module by default. The trigger for this is the presence
of the <code class="code">conf-gssapi</code> OPAM package, i.e. do <code class="code">opam install conf-gssapi</code>
to rebuild with GSSAPI.</p>
<h3 id="2_Compatibility">Compatibility</h3>
<p>So far, OCamlnet only supports the base interface as speficied in the RFCs
2743 and 2744. There are interesting extensions, in particular for setting
session parameters and for getting credentials with passwords. These will
be added in future OCamlnet releases.</p>
<p><b>The GSSAPI on Windows:</b> Microsoft "sort of" implements the GSSAPI. However,
instead of using the C API specified by the IETF Windows goes its own
proprietary way. At this point, OCamlnet does not support the SSPI API
Windows provides, as it would exceed the resources of the developers.
Note that there is also an edition of MIT Kerberos for Windows, and this
could be an easy path to get full GSSAPI support. It has not yet been
tested, though (any feedback on this is welcome).</p>
<h3 id="2_ThesystemlevelGSSAPInetworklogins">The system-level GSSAPI: network logins</h3>
<p>Getting acces to the system-level GSSAPI library is simple:</p>
<ul>
<li>add the <code class="code">netgss-system</code> findlib package to your build</li>
<li>use <a href="Netgss.System.html"><code class="code">Netgss.System</code></a> which is an implementation of <a href="Netsys_gssapi.GSSAPI.html"><code class="code">Netsys_gssapi.GSSAPI</code></a>:
<pre class="codepre"><code class="code"> let gssapi = (module Netgss.System) </code></pre></li>
</ul>
<p>The function definitions in <a href="Netgss.System.html"><code class="code">Netgss.System</code></a> are actually wrappers around
the system-level GSSAPI.</p>
<p>What you can do with the system-level GSSAPI: The common way of using
it is that by calling the GSSAPI with default values you can log in to
any network services secured with it. For example, if there is
Kerberos deployed in the local network, the GSSAPI would then make a
Kerberos login. This is probably the most likely scenario. Of course,
there could also be some other network authentication service, and the
GSSAPI could be configured to use this other service for doing network
logins. The point here is that the client program needs not to know
which authentication mechanism is deployed in the network.</p>
<p>When used in this way, it is common that the client program requesting
access to secured services need not know the credentials (i.e. access
tickets or passwords). The system-level GSSAPI knows how to get the
credentials and how to use them for a service login. Of course, this
also means you can only login as system user (i.e. if you are "tim"
on your local machine, you'll also be "tim" when logging in to a
network service).</p>
<p>It is outside the scope of this text how you can configure the
system-level GSSAPI so that the default login method is the default
network login.</p>
<p>The system-level GSSAPI may also make other mechanisms available to
client programs. In this case, you need to request specific
authentication mechanisms and not just the default. Often, it is also
required to set these mechanisms up in a special way (e.g. provide
a database with passwords). The GSSAPI as such does not address these
configuration issues. It only includes functions for using a mechanism
in a protocol.</p>
<h3 id="2_DefiningaGSSAPImoduleonOCamllevel">Defining a GSSAPI module on OCaml level</h3>
<p>As we are only using the GSSAPI functions from OCaml, it is also possible
to define a GSSAPI module directly in OCaml instead of wrapping C functions.
Within OCamlnet, there is so far only <a href="Netmech_scram_gssapi.html"><code class="code">Netmech_scram_gssapi</code></a> following this
path. The nice aspect of this approach is that we can configure the security
mechanism directly, without having to edit files or using obscure helper
functions, e.g.</p>
<pre class="codepre"><code class="code"> let gssapi =
Netmech_scram_gssapi.scran_gss_api
~client_key_ring
(Netmech_scram.profile `GSSAPI `Sha1)
</code></pre>
<p>Here, the <code class="code">client_key_ring</code> contains already the client credentials, which
then need not to be passed through the GSSAPI functions.</p>
<h3 id="2_PassingtheGSSAPImoduletoaprotocolinterpreter">Passing the GSSAPI module to a protocol interpreter</h3>
<p>The GSSAPI is passed as first-class module to the protocol interpreter.
In the above code, the variable <code class="code">gssapi</code> is already such a module.</p>
<p>At the time of writing this text, these interpreters support the GSSAPI:</p>
<ul>
<li>RPC clients: <a href="Rpc_client.html"><code class="code">Rpc_client</code></a></li>
<li>RPC servers: <a href="Rpc_server.html"><code class="code">Rpc_server</code></a></li>
<li>HTTP clients: <a href="Nethttp_client.html"><code class="code">Nethttp_client</code></a> with the help of <a href="Netmech_spnego_http.html"><code class="code">Netmech_spnego_http</code></a></li>
<li>FTP clients: <a href="Netftp_client.html"><code class="code">Netftp_client</code></a> and <a href="Netftp_fs.html"><code class="code">Netftp_fs</code></a></li>
<li>POP clients (via SASL bridging): <a href="Netpop.html"><code class="code">Netpop</code></a></li>
<li>SMTP clients (via SASL bridging): <a href="Netsmtp.html"><code class="code">Netsmtp</code></a></li>
</ul>
<p>Sometimes, the <code class="code">gssapi</code> variable can be directly passed to the
protocol interpreter, but even in this case some extra configuration
is sometimes needed. An example of this is <a href="Netftp_fs.html"><code class="code">Netftp_fs</code></a>:</p>
<pre class="codepre"><code class="code">let fs =
Netftp_fs.ftp_fs
...
~gssapi_provider:gssapi
...
"ftp://user@host/path"
</code></pre>
<p>The protocol interpreters assume then reasonable defaults: they select
the default authentication mechanism, and assume the default identity.
This is usually the right thing when you do a system-level network login.</p>
<p>However, even in this case there are a few things that may need tuning:</p>
<ul>
<li>which service is addressed</li>
<li>whether integrity protection or even privacy protection is enabled</li>
<li>whether other options are enabled, e.g. delegation</li>
</ul>
<p>Most protocol interpreters can be configured to use non-default values.
For <a href="Netftp_fs.html"><code class="code">Netftp_fs</code></a> and some other interpreters you can also pass a
<code class="code">gssap_config</code> argument, which is an instance of <a href="Netsys_gssapi.client_config-c.html"><code class="code">Netsys_gssapi.client_config</code></a>.
For example, to enforce encryption, you'd do:</p>
<pre class="codepre"><code class="code">let gssapi_config =
Netsys_gssapi.create_client_config
~privacy:`Required
()
let fs =
Netftp_fs.ftp_fs
...
~gssapi_provider:gssapi
~gssapi_config
...
"ftp://user@host/path"
</code></pre>
<p>(By default, this is set to <code class="code">`If_possible</code>.)</p>
<h3 id="2_TheGSSAPIandSASL">The GSSAPI and SASL</h3>
<p>SASL is a authentication framework that is very similar to GSSAPI. The
main difference is that SASL is directly defined as protocol, whereas
GSSAPI takes the detour and first defines a protocol API, and then
describes how to use this API in a concrete protocol. Because of the
absence of the API, SASL is a lot simpler, and also has fewer features.
So far, SASL is mainly used for challenge/response password authentication
whereas GSSAPI targets complicated authentication suites such as Kerberos.</p>
<p>Nevertheless, both approaches are similar enough that it is possible
to encapsulate any GSSAPI authentication exchange as SASL
exchange. This is called "bridging". This way it is possible to use
GSSAPI for protocols that only have a SASL option. Note that there is
no standard for the opposite direction, as SASL is commonly seen as
the weaker standard, and there was so far not enough support for
wrapping SASL mechanisms so that they are usable from GSSAPI (but note
that there are mechanisms which are defined for both SASL and GSSAPI,
e.g. SCRAM).</p>
<p>In Ocamlnet, there are two bridging methods:</p>
<ul>
<li><a href="Netmech_krb5_sasl.Krb5_gs1.html"><code class="code">Netmech_krb5_sasl.Krb5_gs1</code></a> is the older method now called "GS1".
It is only used for Kerberos 5.</li>
<li><a href="Netmech_gs2_sasl.html"><code class="code">Netmech_gs2_sasl</code></a> is the newer method "GS2". It can be used for
any mechanism, but needs some configuration. For Kerberos, there is
a ready-to-use configuration, and <a href="Netmech_krb5_sasl.Krb5_gs2.html"><code class="code">Netmech_krb5_sasl.Krb5_gs2</code></a> is
the new way to wrap Kerberos for SASL.</li>
</ul>
<p>Let's have a look at an example: POP only supports SASL. For logging
in to your maildrop using Kerberos you need to use a bridge. The
Ocamlnet implementation <a href="Netpop.html"><code class="code">Netpop</code></a> provides a function for authenticating
a client with an existing connection to a server. For a normal
password login using SASL the <a href="Netpop.html#VALauthenticate"><code class="code">Netpop.authenticate</code></a> call could look like</p>
<pre class="codepre"><code class="code">Netpop.authenticate
~sasl_mechs:[ (module Netmech_scram_sasl.SCRAM_SHA1);
(module Netmech_digest_sasl.DIGEST_MD5);
]
~user:"tom"
~creds:[ "password", "sEcReT", [] ]
client
</code></pre>
<p>For GSSAPI, you mainly need to wrap the GSSAPI provider with some
additional configuration. In particular, you need to pass the name
of the service that is addressed. For POP, this name normally is the
string "pop@" followed by the fully-qualified host name.</p>
<pre class="codepre"><code class="code">module K = Netmech_krb5_sasl.Krb5_gs1(Netgss.System)
Netpop.authenticate
~sasl_mechs:[ (module K) ]
~sasl_params:[ "gssapi-acceptor", "pop@mail.provider.com", false ]
~user:"any"
~creds:[]
client
</code></pre>
<p>Note that the user name is ignored in this case, and that there are no
credentials.</p>
<h3 id="2_TheGSSAPIauthenticationloop">The GSSAPI authentication loop</h3>
<p>As an API, this authentication framework defines a handful of functions.
Only four of these are the really important ones doing all the work
whereas the remaining ones play only an assisting role:</p>
<ul>
<li><code class="code">init_sec_context</code>: This function is repeatedly called by the client
for authentication. After the first call, it generates a token, which
needs to be sent to the server. The server responds with a response
token, which is fed ot the next invocation of <code class="code">init_sec_context</code>.
This loop goes on until <code class="code">init_sec_context</code> signals that the authentication
is successful (or failed). In the positive case, the caller gets an
initialized security context.</li>
<li><code class="code">accept_sec_context</code>: This function is the counterpart in the server.
Tokens coming from the client are passed as arguments to
<code class="code">accept_sec_context</code>, and the output of the function includes the
response tokens. If the authentication is successful, the server
also gets a security context.</li>
<li><code class="code">wrap</code>: After the authentication, this function can be called to
sign and/or encrypt a message.</li>
<li><code class="code">unwrap</code>: This is the function to check the signature and/or to decrypt
the message.</li>
</ul>
<p>So the login procedure only consists in the exchange of tokens emitted
and received by <code class="code">init_sec_context</code> and <code class="code">accept_sec_context</code>. Once the
authentication is done, the functions <code class="code">wrap</code> and <code class="code">unwrap</code> can be used
to securely exchange messages.</p>
<p>Often a protocol utilizes only the authentication service from GSSAPI
and does not wrap any messages (e.g. HTTP or the bridges for SASL). In
this case, it is highly recommended to use another security layer such
as TLS to protect the data exchange. Other protocols, however, securely
wrap messages and need not the help of TLS. An excample of the latter is
FTP.</p>
<h3 id="2_Mechanismnames">Mechanism names</h3>
<p>The GSSAPI identifies authentication mechanisms by OIDs. (If you did not
yet encounter them, OIDs are a standardized way of naming "objects" that
often configure network protocols. OIDs are sequences of integers. There
is some support in <a href="Netoid.html"><code class="code">Netoid</code></a>.) Examples:</p>
<ul>
<li><code class="code"> [| 1;2;840;113554;1;2;2 |] </code> is the OID of Kerberos</li>
<li><code class="code"> [| 1;3;6;1;5;5;14 |] </code> is the OID of SCRAM</li>
</ul>
<p>In Ocamlnet, OIDs are represented as <code class="code">int array</code>.</p>
<h3 id="2_Principalnames">Principal names</h3>
<p>The "principal" is the identity of a client or server with respect to
the authentication protocol. For clients, this is usually a user name,
and for servers a service name. The GSSAPI defines a few common ways of
naming principals:</p>
<ul>
<li><code class="code">NT_USER_NAME</code>: This is the user name as a simple unstructured string,
e.g. "tim".</li>
<li><code class="code">NT_MACHINE_UID_NAME</code>: This is the numeric user name as a binary number
(big endian)</li>
<li><code class="code">NT_STRING_UID_NAME</code>. The numeric user name as a decimal number</li>
<li><code class="code">NT_HOSTNAME_SERVICE</code>: This name identifies the service by combining
a service name like "imap" or "ftp" with the hostname: "service\@host"</li>
</ul>
<p>As Kerberos is frequently used via GSSAPI, it may also be helpful to
use Kerberos principals directly:</p>
<ul>
<li><code class="code">NT_KRB5_PRINCIPAL_NAME</code>: This name type follows the Kerberos rules,
e.g. "tim@REALM" for users or "ftp/hostname@REALM" for services.</li>
</ul>
<p>Like mechanisms, name types are identified by OID:</p>
<ul>
<li><a href="Netsys_gssapi.html#VALnt_user_name"><code class="code">Netsys_gssapi.nt_user_name</code></a> = <code class="code"> [| 1;2;840;113554;1;2;1;1 |] </code></li>
<li><a href="Netsys_gssapi.html#VALnt_machine_uid_name"><code class="code">Netsys_gssapi.nt_machine_uid_name</code></a> = <code class="code"> [|1;2;840;113554;1;2;1;2 |] </code></li>
<li><a href="Netsys_gssapi.html#VALnt_string_uid_name"><code class="code">Netsys_gssapi.nt_string_uid_name</code></a> = <code class="code"> [|1;2;840;113554;1;2;1;3 |] </code></li>
<li><a href="Netsys_gssapi.html#VALnt_hostbased_service"><code class="code">Netsys_gssapi.nt_hostbased_service</code></a> = <code class="code"> [| 1;3;6;1;5;6;2 |] </code></li>
<li><a href="Netsys_gssapi.html#VALnt_krb5_principal_name"><code class="code">Netsys_gssapi.nt_krb5_principal_name</code></a> = <code class="code"> [| 1;2;840;113554;1;2;2;1 |] </code></li>
</ul>
<p>Where OCamlnet needs a principal name, it usually expects the pair of
a string and an OID:</p>
<pre class="codepre"><code class="code"> string * Netoid.oid </code></pre>
<p>For example, look at the <code class="code">target_name</code> argument of
<a href="Netsys_gssapi.html#VALcreate_client_config"><code class="code">Netsys_gssapi.create_client_config</code></a>.</p>
<p>There are also a few helper functions:</p>
<ul>
<li><a href="Netsys_gssapi.html#VALparse_hostbased_service"><code class="code">Netsys_gssapi.parse_hostbased_service</code></a> for getting the service name
and the host name of an <code class="code">NT_HOSTNAME_SERVICE</code></li>
<li><a href="Netgssapi_support.html#VALparse_kerberos_name"><code class="code">Netgssapi_support.parse_kerberos_name</code></a> for getting the components
of a Kerberos principal</li>
</ul>
<h3 id="2_Limitations">Limitations</h3>
<p>So far there is no good support for:</p>
<ul>
<li>Wrapping passwords into the GSSAPI <code class="code">credential</code> type. This primarily
means that it is unspecified how a user proves its identity. For the
system-level GSSAPI this means you can only authenticate as the default
principal, i.e. as the user you already be on the system level. It is
not possible to log in as another user.</li>
</ul>
<p>and probably other GSSAPI options I'm not aware of.</p>
</div>
</body></html>
|
