[1816] in Kerberos
Re: KERBEROS API / OSF DCE Security API / DEC GSSAPI - RFI
daemon@ATHENA.MIT.EDU (Joe Pato)
Tue Mar 17 13:41:13 1992
From: pato@apollo.hp.com (Joe Pato)
Date: Tue, 17 Mar 92 10:53:55 EST
To: paulb@mlacus.oz.au (Paul Bandler)
Cc: kerberos@Athena.MIT.EDU
In-Reply-To: paulb@mlacus.oz.au (Paul Bandler), Mon, 16 Mar 92 19:56:26
> I have a DEC (John Linn) document (Sept 1990) which describes a proposed
> Generic Security API for Kerberos & SPX. It references people involved
> in OSF. I assume that the OSF DCE Security Service has defined an API.
> My question is, is OSF's DCE Security service API based upon, or derived
> from the DEC GSSAPI? If so, is it promoted as being some form of standard
> network security API? If so, in what forums and where can I get further
> information?
> Please Email any response as news takes too long to trickle down here.
> Thanks in advance,
> Paul Bandler
> ACUS - Australian Centre for Unisys Software
Neither the GSSAPI nor the Kerberos API is part of the DCE. These interfaces
may be provided by a given vendor, but they are not part of the DCE defined by
the OSF. The DCE includes the following security APIs, which fall into two
broad classes:
Security management functions - most functions operate on the security
servers via RPCs, though some operate on state local to the client machine:
sec_acl_... ACL manipulation functions
sec_id_... Global name to unique id transformations
sec_key_mgmt_... Key management functions
sec_login_... User login functions, access to privilege server
sec_rgy_... user/group registration and database management
Communication functions. The DCE provides RPC as the mechanism for
communicating between clients and servers. The RPC API includes certain
functions for associating a client identity (established by sec_login_... calls
or process inheritance) and for determining the identity of a remote caller.
These functions include:
rpc_binding_set_auth_info      Set authentication/authorization information on a client's server binding handle.
rpc_binding_inq_auth_client    Obtain caller's (client's) authentication/authorization information.
rpc_server_register_auth_info  Register server's identity with server RPC runtime.
Like GSSAPI, the DCE APIs allow for multiple authentication protocols to be
used - but in DCE 1.0, only the Kerberos V5 shared key protocol is defined and
implemented. Later versions of the DCE will support additional authentication
protocols. Later versions of the DCE are also likely to support APIs for
non-RPC-based communication (a la GSSAPI).
The security management functions are documented in:
OSF DCE Version 1.0 DCE Application Development Reference (Volume 2)
The RPC API is documented in:
OSF DCE Version 1.0 DCE Application Development Reference (Volume 1)
General information about how the pieces fit together, and all material that
explains these interfaces (beyond the terse man-page documents listed above)
can be found in:
OSF DCE Version 1.0 DCE Application Development Guide
I would recommend starting with the application development guide and then
proceeding to the minutiae of the other two documents. All the documents are
currently available from the OSF.
-- Joe Pato
Cooperative Object Computing Division / East
Hewlett-Packard Company
pato@apollo.hp.com