The sample client-side program gss-client creates a security context with a server, establishes security parameters, and sends the message string to the server. The program uses a simple TCP-based sockets connection to make the connection.
The following sections provide a step-by-step description of how gss-client works. Because gss-client is a sample program that has been designed to show off GSSAPI functionality, only relevant parts of the program are discussed in detail.
The gss-client application performs the following steps:
1. Parses the command line.
2. Creates an object ID (OID) for a mechanism, if a mechanism is specified. Otherwise, the default mechanism is used, which is most commonly the case.
3. Creates a connection to the server.
4. Establishes a security context.
5. Wraps and sends the message.
6. Verifies that the message has been “signed” correctly by the server.
7. Deletes the security context.
The gss-client example takes this form on the command line:
gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg
port – The port number for making the connection to the remote system that is specified by host.
-d flag – Causes security credentials to be delegated to the server. Specifically, the deleg-flag variable is set to the GSS-API value GSS_C_DELEG_FLAG. Otherwise, deleg-flag is set to zero.
mech – The name of the security mechanism, such as Kerberos v5, to be used. If no mechanism is specified, the GSS-API uses a default mechanism.
host – The name of the server.
service-name – The name of the network service requested by the client. Some typical examples are the ftp and login services.
msg – The string to send to the server as protected data. If the -f option is specified, then msg is the name of a file from which to read the string.
A typical command line for the client application program might look like the following example:
$ gss-client -port 8080 -d -mech kerberos_v5 erebos.eng nfs "ls"
The following example does not specify a mechanism, port, or delegation:
% gss-client erebos.eng nfs "ls"
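The first step in the list above, parsing the command line, is the one part of the client that can be shown without a running KDC or server. The following C function is an added example, not code from the gss-client sample itself: it parses the synopsis given above into a hypothetical `client_opts` structure, setting `deleg_flag` to `GSS_C_DELEG_FLAG` (defined here with its standard value so the example builds without `<gssapi/gssapi.h>`) only when `-d` is present, and rejecting malformed invocations rather than guessing.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Standard value of GSS_C_DELEG_FLAG (RFC 2744); normally from <gssapi/gssapi.h>. */
#define GSS_C_DELEG_FLAG 1

/* Hypothetical holder for what gss-client reads off its command line. */
struct client_opts {
    int port;            /* -port; 0 means the program's default port */
    int deleg_flag;      /* GSS_C_DELEG_FLAG when -d is given, else 0 */
    const char *mech;    /* -mech name, or NULL to use the default mechanism */
    const char *host;    /* server name */
    const char *service; /* requested network service, e.g. nfs */
    int msg_is_file;     /* -f: msg names a file to read the string from */
    const char *msg;     /* string to send as protected data */
};

/* Parses argv according to:
 *   gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg
 * Returns 0 on success, -1 on a malformed command line. */
int parse_client_args(int argc, char *argv[], struct client_opts *o)
{
    int i = 1;
    memset(o, 0, sizeof *o);
    /* Leading options: recognised only before the positional arguments. */
    for (; i < argc && argv[i][0] == '-'; i++) {
        if (strcmp(argv[i], "-port") == 0) {
            if (++i >= argc) return -1;          /* -port needs a value */
            o->port = atoi(argv[i]);
            if (o->port <= 0 || o->port > 65535) return -1;
        } else if (strcmp(argv[i], "-d") == 0) {
            o->deleg_flag = GSS_C_DELEG_FLAG;    /* delegate credentials */
        } else if (strcmp(argv[i], "-mech") == 0) {
            if (++i >= argc) return -1;          /* -mech needs a name */
            o->mech = argv[i];
        } else {
            return -1;                           /* unknown option */
        }
    }
    if (argc - i < 3) return -1;  /* host, service-name and msg are mandatory */
    o->host = argv[i++];
    o->service = argv[i++];
    if (strcmp(argv[i], "-f") == 0) {  /* -f sits between service-name and msg */
        o->msg_is_file = 1;
        if (++i >= argc) return -1;              /* -f needs a file name */
    }
    o->msg = argv[i++];
    return i == argc ? 0 : -1;                   /* reject trailing arguments */
}
```

The two sample invocations shown above parse to port 8080 with delegation and the kerberos_v5 mechanism, and to all defaults with no delegation, respectively.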