CONTENTS

LIBRARY

SYNOPSIS

OM_uint32
.Fo gss_accept_sec_context "OM_uint32 * minor_status" "gss_ctx_id_t * context_handle" "const gss_cred_id_t acceptor_cred_handle" "const gss_buffer_t input_token_buffer" "const gss_channel_bindings_t input_chan_bindings" "gss_name_t * src_name" "gss_OID * mech_type" "gss_buffer_t output_token" "OM_uint32 * ret_flags" "OM_uint32 * time_rec" "gss_cred_id_t * delegated_cred_handle"
.Fc

Heimdals GSS-API implementation supports the following mechanisms

• GSS_KRB5_MECHANISM

GSS-API have generic name types that all mechanism are supposed to implement (if possible)

• GSS_C_NT_USER_NAME
• GSS_C_NT_MACHINE_UID_NAME
• GSS_C_NT_STRING_UID_NAME
• GSS_C_NT_HOSTBASED_SERVICE
• GSS_C_NT_ANONYMOUS
• GSS_C_NT_EXPORT_NAME

GSS-API implementations that supports Kerberos 5 have some additional name types

• GSS_KRB5_NT_PRINCIPAL_NAME
• GSS_KRB5_NT_USER_NAME
• GSS_KRB5_NT_MACHINE_UID_NAME
• GSS_KRB5_NT_STRING_UID_NAME

gss_display_name takes the gss name in input_name and put a printable form in output_name_buffer. output_name_buffer should be freed when done using gss_release_buffer. output_name_type can either be NULL or a pointer to a gss_OID and will in the later case contain the OID type of the name. The name should only be used for printing. Access control should be done with the result of gss_export_name.

gss_sign, gss_verify, gss_seal, and gss_unseal are part of the GSS-API V1 interface and are obsolete. The functions should not be used for new applications. They are provided so that version 1 applications can link against the library.

gss_krb5_copy_ccache is an extension to the GSS-API API. The function will extract the krb5 credential that are transfered from the initiator to the acceptor when using token delegation in the Kerberos mechanism. The acceptor receives the delegated token in the last argument to gss_accept_sec_context.