GSSAPI Client Example Overview

The sample client-side program gss-client creates a security context with a server, establishes security parameters, and sends the message string to the server. The program uses a simple TCP-based sockets connection to make the connection.

The following sections provide a step-by-step description of how gss-client works. Because gss-client is a sample program that has been designed to show off GSSAPI functionality, only relevant parts of the program are discussed in detail. The complete source code for the two applications appears in the appendix and can be downloaded from

http://developers.sun.com/prodtech/solaris/downloads/index.html

GSSAPI Client Example Structure

The gss-client application performs the following steps:

1. Parses the command line.

2. Creates an object ID (OID) for a mechanism, if a mechanism is specified. Otherwise, the default mechanism is used, which is most commonly the case.

3. Creates a connection to the server.

4. Establishes a security context.

5. Wraps and sends the message.

6. Verifies that the message has been “signed” correctly by the server.

7. Deletes the security context.

Running the GSSAPI Client Example

The gss-client example takes this form on the command line:

gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg

• port – The port number for making the connection to the remote machine that is specified by host.

• -d flag – Causes security credentials to be delegated to the server. Specifically, the deleg-flag variable is set to the GSS-API value GSS_C_DELEG_FLAG. Otherwise, deleg-flag is set to zero.

• mech – The name of the security mechanism, such as Kerberos v5 to be used. If no mechanism is specified, the GSS-API uses a default mechanism.

• host – The name of the server.

• service-name – The name of the network service requested by the client. Some typical examples are the telnet, ftp, and login services.

• msg – The string to send to the server as protected data. If the -f option is specified, then msg is the name of a file from which to read the string.

A typical command line for client application program might look like the following example:

% gss-client -port 8080 -d -mech kerberos_v5 erebos.eng nfs "ls"

The following example does not specify a mechanism, port, or delegation:

% gss-client erebos.eng nfs "ls"