As with all C programs, the outer shell of the program is contained in the entry-point function, main(). main() performs four functions:
It parses command-line arguments, assigning them to variables:
If specified, port is the port number for making the connection to the remote machine specified by host.
If the -d flag is set, security credentials should be delegated to the server. Specifically, the deleg_flag variable is set to the GSS-API value GSS_C_DELEG_FLAG; otherwise deleg_flag is set to zero.
mech is the (optional) name of the security mechanism, such as Kerberos v5 or X.509, to use. If no mechanism is specified, the GSS-API will use a default mechanism.
The name of the network service requested by the client (such as telnet, ftp, or login service) is assigned to service_name.
Finally, msg is the string to send to the server as protected data. If the -f option is specified, then msg is the name of a file from which to read the string.
An example command line might look like this:
% gss-client -port 8080 -d -mech kerberos_v5 erebos.eng nfs "ls"
This command line specifies neither mechanism nor port, and does not use delegation:
% gss-client erebos.eng nfs "ls"
It calls parse_oid() to create a GSS-API OID (object identifier) from the name of a security mechanism (if such a name has been provided on the command line):
if (mechanism) parse_oid(mechanism, &g_mechOid);
where mechanism is the string to translate and g_mechOid is a pointer to a gss_OID object for the mechanism. See Appendix C, Specifying an OID for more about specifying a non-default mechanism.
It calls call_server(), which does the actual work of creating a context and sending data.
if (call_server(hostname, port, g_mechOid, service_name, deleg_flag, msg, use_file) < 0) exit(1);
It releases the storage space for the OID if it has not been released yet.
if (g_mechOid != GSS_C_NULL_OID) (void) gss_release_oid(&min_stat, &g_mechOid);
Note that gss_release_oid(), while supported by the Sun implementation of the GSS-API, is not supported by all GSS-API implementations and is considered nonstandard. Because applications should, where possible, use the default mechanism provided by the GSS-API rather than allocating one (with gss_str_to_oid()), the gss_release_oid() function generally should not be used.
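The argument-parsing step of main() described above can be sketched as follows. This is an added example, not the gss-client source: struct client_args and parse_client_args() are hypothetical names, a port of 0 is assumed to mean "not specified", and the fallback definition of GSS_C_DELEG_FLAG uses the value given in RFC 2744 so the block compiles without a GSS-API header.

```c
#include <stdlib.h>
#include <string.h>

#ifndef GSS_C_DELEG_FLAG
#define GSS_C_DELEG_FLAG 1      /* RFC 2744 value; normally from the GSS-API header */
#endif

struct client_args {            /* hypothetical container, not in the sample program */
    const char *host, *service_name, *msg, *mech;
    unsigned short port;        /* 0 = not specified (assumption) */
    unsigned int deleg_flag;    /* GSS_C_DELEG_FLAG only if -d was given */
    int use_file;               /* nonzero if msg names a file (-f) */
};

/* Parse [-port N] [-d] [-mech NAME] [-f] host service msg.
 * Returns 0 on success, -1 on any usage error. */
int parse_client_args(int argc, char **argv, struct client_args *a)
{
    int i = 1;
    memset(a, 0, sizeof *a);    /* delegation is off unless explicitly requested */
    for (; i < argc && argv[i][0] == '-'; i++) {
        if (strcmp(argv[i], "-port") == 0) {
            char *end;
            long p;
            if (++i >= argc) return -1;
            p = strtol(argv[i], &end, 10);
            /* reject empty, trailing junk, and out-of-range ports */
            if (end == argv[i] || *end != '\0' || p < 1 || p > 65535)
                return -1;
            a->port = (unsigned short)p;
        } else if (strcmp(argv[i], "-mech") == 0) {
            if (++i >= argc) return -1;
            a->mech = argv[i];  /* later handed to parse_oid() */
        } else if (strcmp(argv[i], "-d") == 0) {
            a->deleg_flag = GSS_C_DELEG_FLAG;
        } else if (strcmp(argv[i], "-f") == 0) {
            a->use_file = 1;
        } else {
            return -1;          /* unknown option: fail rather than guess */
        }
    }
    if (argc - i != 3) return -1;   /* host, service and msg are all required */
    a->host = argv[i];
    a->service_name = argv[i + 1];
    a->msg = argv[i + 2];
    return 0;
}
```

Because deleg_flag starts at zero, credentials are delegated to the server only when -d is explicitly present, which matches the behavior described for main().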