rpcsec_gss man page on IRIX

RPCSEC_GSS(7)							 RPCSEC_GSS(7)

NAME
     rpcsec_gss - Generic Security Service authentication protocol for ONC RPC

DESCRIPTION
     RPCSEC_GSS is the security and authentication flavour for ONC RPC. It is
     based on Generic Security Services API (GSS API) and provides both
     authentication for client and server and optional security for RPC data.

     Historically, RPC authentication flavours only provided information about
     a client to a server, e.g. AUTH_UNIX would send UNIX-style UID and GID
     information to the server. The server has no way of verifying that the
     client is indeed who it says it is, and the client has no way of verifying
     that it is talking to the legitimate server. RPCSEC_GSS authentication
     uses GSS API mechanisms which allow both ends to be authenticated by a
     third party, e.g. a Kerberos V5 Domain Controller, thus ensuring that both
     client and server identity can be verified on both ends of an RPC call.

     In addition to authentication, RPCSEC_GSS can provide data integrity and
     data privacy services via GSS API. In the case of data integrity, each RPC
     call or reply is protected from unauthorized modification by a digital
     signature which forms a part of each RPC transaction. In the case of the
     data privacy service, the entire data block is encrypted to protect it
     from unauthorized access.
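
     The service level described above (authentication only, integrity or
     privacy) is carried in the credential of every RPCSEC_GSS call. The
     following is an added example, not part of the original man page: it
     decodes that credential using the wire layout from RFC 2203 and flags
     calls sent without integrity or privacy; build_cred and the sample
     handle are constructed for illustration.

```python
import struct

RPCSEC_GSS_FLAVOR = 6  # auth flavor number assigned to RPCSEC_GSS (RFC 2203)
GSS_PROC = {0: "DATA", 1: "INIT", 2: "CONTINUE_INIT", 3: "DESTROY"}
SERVICE = {1: "none", 2: "integrity", 3: "privacy"}


def parse_gss_cred(body: bytes) -> dict:
    """Decode an XDR-encoded rpc_gss_cred_t (the opaque credential body)."""
    if len(body) < 20:
        raise ValueError("credential body too short")
    version, proc, seq, service, hlen = struct.unpack(">5I", body[:20])
    if version != 1:
        raise ValueError(f"unsupported RPCSEC_GSS version {version}")
    if proc not in GSS_PROC:
        raise ValueError(f"unknown gss_proc {proc}")
    # During context creation seq_num and service are undefined and ignored.
    creating = proc in (1, 2)
    if not creating and service not in SERVICE:
        raise ValueError(f"unknown service {service}")
    padded = (hlen + 3) & ~3  # XDR pads opaque data to a 4-byte boundary
    if 20 + padded != len(body):
        raise ValueError("handle length does not match credential length")
    return {"proc": GSS_PROC[proc], "seq_num": seq,
            "service": None if creating else SERVICE[service],
            "handle": body[20:20 + hlen]}


def unprotected(cred: dict) -> bool:
    """True for a DATA call whose arguments have no integrity or privacy."""
    return cred["proc"] == "DATA" and cred["service"] == "none"


def build_cred(proc: int, seq: int, service: int, handle: bytes) -> bytes:
    """Construct a sample credential body (test data, not a real capture)."""
    pad = b"\x00" * (-len(handle) % 4)
    return struct.pack(">5I", 1, proc, seq, service, len(handle)) + handle + pad


if __name__ == "__main__":
    for svc in (1, 2, 3):
        cred = parse_gss_cred(build_cred(0, 42, svc, b"ctx01"))
        state = "unprotected" if unprotected(cred) else "protected"
        print(f"seq={cred['seq_num']} service={cred['service']}: {state}")
```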

GSS MECHANISMS
     GSS API allows access to authentication, integrity and security services
     independently of the actual implementation of the data verification or
     encryption technique. In GSS API terms, each data verification and
     encryption technique is called a mechanism.

     As of IRIX 6.5.24 the only supported mechanism is Kerberos Version 5.

     There is no way for the user to extend or modify the list of mechanisms
     supported by RPCSEC_GSS.

KERBEROS VERSION 5
     The RPCSEC_GSS implementation of the Kerberos Version 5 mechanism is based
     on the MIT implementation and uses the same format of configuration files.
     There is no Kerberos Domain Controller provided with the RPCSEC_GSS
     subsystem. The default Kerberos V5 configuration file is /etc/krb5.conf.

     The RPCSEC_GSS Kerberos V5 implementation supports DES in Cipher Block
     Chaining (CBC) mode with CRC-32 and MD5 checksum modes and DES RAW
     encryption mode. There is no support for Triple DES (3DES) in the
     current implementation.

CAVEATS
     RPCSEC_GSS support is only available for applications which use N32 ABI.

     Lack of Triple DES (3DES) encryption mode means that Kerberos tickets
     issued by the Kerberos Domain Controller cannot use 3DES encryption.

     RPCSEC_GSS Kerberos V5 comes without Kerberos utilities. These utilities
     can be obtained by installing the optional keberos.sw.client subsystem.

     The Kerberos V5 package used to provide support for PAM has its own
     version of libkerberos.so and libgss_krb.so. These libraries are
     incompatible with the RPCSEC_GSS implementation of Kerberos, and
     applications cannot use both RPCSEC_GSS and PAM Kerberos libraries
     together.

FILES
     /etc/gss/qop
	  Quality of Protection map.

     /etc/krb5.conf
	  Kerberos V5 configuration file.

     /etc/krb5/krb5.keytab
	  Kerberos V5 keytab.

SEE ALSO
     gssd(1M), gsscred(1M), rpcsec_gss(3n), kerberos(1).

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net