The sample server-side program gss-server works in conjunction with gss-client, which is described in the previous chapter. The basic purpose of gss-server is to receive, sign, and return the wrapped message from gssapi-client.
The following sections provide a step-by-step description of how gss-server works. Because gss-server is a sample program for demonstrating GSSAPI functionality, only relevant parts of the program are discussed in detail. The complete source code for the two applications appears in the appendix and can be downloaded from
The gss-structure application performs the following steps:
Parses the command line.
If a mechanism is specified, translates the mechanism name to internal format.
Acquires credentials for the caller.
Checks to see whether the user has specified using the inetd daemon for connecting.
Makes a connection with the client.
Receives the data from the client.
Signs and returns the data.
Releases namespaces and exits.
gss-server takes this form on the command line
gss-server [-port port] [-verbose] [-inetd] [-once] [-logfile file] \ [-mech mechanism] service-name
port is the port number to listen on. If no port is specified, the program uses port 4444 as the default.
-verbose causes messages to be displayed as gss-server runs.
-inetd indicates that the program should use the inetd daemon to listen to a port. -inetd uses stdin and stdout to connect to the client.
-once indicates a single-instance connection only.
mechanism is the name of a security mechanism to use, such as Kerberos v5. If no mechanism is specified, the GSS-API uses a default mechanism.
service-name is the name of the network service that is requested by the client, such as telnet, ftp, or login service.
A typical command line might look like the following example:
% gss-server -port 8080 -once -mech kerberos_v5 erebos.eng nfs "hello"