ONC+ RPC Developer's Guide


Updated: July 2014
 
 

Creating a Context

You create contexts with the rpc_gss_seccreate() call. This function takes as its arguments:

  • A client handle returned, for example, by clnt_create()

  • The name of the server principal, for example, nfs@example.com

  • The mechanism (for example, Kerberos V5) for the session

  • The security service type (for example, privacy)

  • The QOP for the session

  • Two GSS-API parameters that can remain opaque for most uses (that is, the programmer can supply NULL values)

This function returns an AUTH authentication handle. The following example shows how rpc_gss_seccreate() might be used to create a context using the Kerberos V5 security mechanism and the integrity service.

Example 5-10  rpc_gss_seccreate()
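#include <stdlib.h>
#include <rpc/rpc.h>
#include <rpc/rpcsec_gss.h>

CLIENT *clnt;                    /* client handle */
char server_host[] = "foo";
char service_name[] = "nfs@eng.example.com";
char mech[] = "kerberos_v5";

clnt = clnt_create(server_host, SERVER_PROG, SERV_VERS, "netpath");
if (clnt == NULL) {              /* no handle: report why and stop */
        clnt_pcreateerror(server_host);
        exit(1);
}
/* arguments: handle, server principal, mechanism, service type, QOP, two opaque GSS-API parameters */
clnt->cl_auth = rpc_gss_seccreate(clnt, service_name, mech,
                          rpc_gss_svc_integrity, NULL, NULL, NULL);
if (clnt->cl_auth == NULL)       /* context creation failed: make no calls on this handle */
        exit(1);

. . .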

Note the following points about the example:

  • Although the mechanism was declared explicitly for ease of reading, it would be more commonly obtained programmatically with rpc_gss_get_mechanisms() from a table of available mechanisms.

  • The QOP is passed as a NULL, which sets the QOP to this mechanism's default. Otherwise, a valid value could, as with the mechanism, be obtained programmatically with rpc_gss_get_mechanisms(). See the rpc_gss_get_mechanisms(3NSL) man page for more information.

  • The security service type, rpc_gss_svc_integrity, is an enum of the RPCSEC_GSS type rpc_gss_service_t. rpc_gss_service_t has the following format:

    typedef enum {
         rpc_gss_svc_default = 0,
         rpc_gss_svc_none = 1,
         rpc_gss_svc_integrity = 2,
         rpc_gss_svc_privacy = 3
    }  rpc_gss_service_t;

    The default security service maps to integrity, so the programmer could have specified rpc_gss_svc_default and obtained the same result.
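Because rpc_gss_svc_default stands for integrity but has the lowest numeric value in the enum, a client that enforces a minimum service level should resolve it before comparing. The following is an added example, not code from this guide: the enum is a local copy of the one shown above, and effective_service(), parse_service() and select_service() are hypothetical helper names.

```c
#include <stddef.h>
#include <string.h>

/* Local copy of the enum from the page so the example builds anywhere;
 * real client code gets it from <rpc/rpcsec_gss.h>. */
typedef enum {
    rpc_gss_svc_default = 0,
    rpc_gss_svc_none = 1,
    rpc_gss_svc_integrity = 2,
    rpc_gss_svc_privacy = 3
} rpc_gss_service_t;

/* "default" stands for integrity (per the text); resolve it before comparing. */
static rpc_gss_service_t effective_service(rpc_gss_service_t svc)
{
    return svc == rpc_gss_svc_default ? rpc_gss_svc_integrity : svc;
}

/* Hypothetical helper: map a configuration string to a service type (0 ok, -1 unknown). */
static int parse_service(const char *name, rpc_gss_service_t *out)
{
    static const struct { const char *name; rpc_gss_service_t svc; } tbl[] = {
        { "default", rpc_gss_svc_default }, { "none", rpc_gss_svc_none },
        { "integrity", rpc_gss_svc_integrity }, { "privacy", rpc_gss_svc_privacy },
    };
    if (name == NULL)
        return -1;
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (strcmp(name, tbl[i].name) == 0) {
            *out = tbl[i].svc;
            return 0;
        }
    }
    return -1;
}

/* Hypothetical helper: choose the service type argument for rpc_gss_seccreate().
 * Fails closed (-1) when the name is unknown or the resolved service is weaker
 * than min_svc. Both sides are normalized first: rpc_gss_svc_default (0) sorts
 * below rpc_gss_svc_none (1) numerically although it means integrity. */
static int select_service(const char *requested, rpc_gss_service_t min_svc,
                          rpc_gss_service_t *out)
{
    rpc_gss_service_t svc;
    if (parse_service(requested, &svc) != 0 ||
        effective_service(svc) < effective_service(min_svc))
        return -1;
    *out = effective_service(svc);
    return 0;
}
```

On success, the value stored in *out is what the client would pass as the fourth argument of rpc_gss_seccreate().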

For more information, see the rpc_gss_seccreate(3NSL) man page.