The sample client-side program gss-client creates a security context with a server, establishes security parameters, and sends the message string to the server. The program uses a simple TCP-based sockets connection to reach the server.
The following sections provide a step-by-step description of how gss-client works. Because gss-client is a sample program that has been designed to show off GSS-API functionality, only the relevant parts of the program are discussed in detail.
The gss-client application performs the following steps:
Parses the command line.
Creates an object ID (OID) for a mechanism, if a mechanism is specified. Otherwise, the default mechanism is used, which is most commonly the case.
Creates a connection to the server.
Establishes a security context.
Wraps and sends the message.
Verifies that the message has been "signed" correctly by the server, that is, checks the message integrity code (MIC) that the server returns over the message.
Deletes the security context.
The gss-client example takes this form on the command line:
gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg
port – The port number for making the connection to the remote system that is specified by host.
-d flag – Causes security credentials to be delegated to the server. Specifically, the deleg-flag variable is set to the GSS-API value GSS_C_DELEG_FLAG. Otherwise, deleg-flag is set to zero. Delegation lets the server act on the client's behalf with the client's credentials, so use this flag only with a server you trust to that extent.
mech – The name of the security mechanism to be used, such as Kerberos v5. If no mechanism is specified, the GSS-API uses a default mechanism.
host – The name of the server.
service-name – The name of the network service requested by the client. Some typical examples are the ftp and login services.
msg – The string to send to the server as protected data. If the -f option is specified, then msg is the name of a file from which to read the string.
A typical command line for the client application program might look like the following example:
$ gss-client -port 8080 -d -mech kerberos_v5 example.eng nfs "ls"
The following example specifies no mechanism, port, or delegation, so the default mechanism and default port are used and no credentials are delegated:
$ gss-client example.eng nfs "ls"
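The first step listed above, parsing this command line, is shown below as an added example. It is not the source of the gss-client sample program; it is a stand-alone parser written here for the synopsis and option semantics documented above, including the -f case, the deleg-flag value and a rejection of malformed lines (unknown flag, missing msg, out-of-range port). The names parse_args, load_message and client_opts are this example's own. GSS_C_DELEG_FLAG is defined locally with its standard value of 1 (RFC 2744) so the file builds without gssapi.h; a real client would take it from the header instead.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Local stand-in for the <gssapi.h> constant (value per RFC 2744), so this
 * example compiles without the GSS-API headers. */
#define GSS_C_DELEG_FLAG 1

/* Result of parsing: gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg */
struct client_opts {
    int port;            /* -port value; 0 means not given (use the default port) */
    int deleg_flag;      /* GSS_C_DELEG_FLAG when -d is given, otherwise 0 */
    const char *mech;    /* -mech value, or NULL for the default mechanism */
    const char *host;    /* server name */
    const char *service; /* network service requested, e.g. "nfs" */
    int msg_is_file;     /* 1 when -f is given: msg names a file to read */
    const char *msg;     /* literal message, or file name when msg_is_file */
};

static void usage(void)
{
    fprintf(stderr, "usage: gss-client [-port port] [-d] [-mech mech] host service-name [-f] msg\n");
}

/* Parses argv into *o. Returns 0 on success, -1 on a malformed command line.
 * Options may appear in any order but must precede the positional arguments. */
int parse_args(int argc, char **argv, struct client_opts *o)
{
    int i = 1;
    memset(o, 0, sizeof *o);

    while (i < argc && argv[i][0] == '-') {
        if (strcmp(argv[i], "-port") == 0) {
            char *end;
            long p;
            if (i + 1 >= argc) return -1;
            p = strtol(argv[i + 1], &end, 10);
            if (*end != '\0' || p < 1 || p > 65535) return -1;   /* not a valid TCP port */
            o->port = (int)p;
            i += 2;
        } else if (strcmp(argv[i], "-d") == 0) {
            o->deleg_flag = GSS_C_DELEG_FLAG;
            i++;
        } else if (strcmp(argv[i], "-mech") == 0) {
            if (i + 1 >= argc) return -1;
            o->mech = argv[i + 1];
            i += 2;
        } else {
            return -1;   /* unknown flag */
        }
    }

    /* Positional part: host service-name [-f] msg */
    if (argc - i < 3) return -1;
    o->host = argv[i++];
    o->service = argv[i++];
    if (strcmp(argv[i], "-f") == 0) {
        o->msg_is_file = 1;
        i++;
        if (i >= argc) return -1;   /* -f given but no file name follows */
    }
    o->msg = argv[i++];
    return (i == argc) ? 0 : -1;    /* reject trailing arguments */
}

/* Loads the payload to be wrapped and sent: the literal msg, or the contents
 * of the file named by msg when -f was given. buf is NUL-terminated.
 * Returns the payload length, or -1 on error (payload too large, unreadable file). */
long load_message(const struct client_opts *o, char *buf, size_t cap)
{
    FILE *f;
    size_t n;
    int err;

    if (!o->msg_is_file) {
        n = strlen(o->msg);
        if (n >= cap) return -1;
        memcpy(buf, o->msg, n + 1);
        return (long)n;
    }
    f = fopen(o->msg, "rb");
    if (f == NULL) return -1;
    n = fread(buf, 1, cap - 1, f);
    err = ferror(f);
    fclose(f);
    if (err) return -1;
    buf[n] = '\0';
    return (long)n;
}

int main(int argc, char **argv)
{
    struct client_opts o;
    char payload[4096];

    if (parse_args(argc, argv, &o) != 0) { usage(); return 2; }
    if (load_message(&o, payload, sizeof payload) < 0) { perror(o.msg); return 1; }
    printf("host=%s service=%s port=%d mech=%s delegate=%s payload_len=%zu\n",
           o.host, o.service, o.port, o.mech ? o.mech : "(default)",
           o.deleg_flag == GSS_C_DELEG_FLAG ? "yes" : "no", strlen(payload));
    return 0;
}
```

Run with the two command lines shown above to see that the first yields port 8080, mechanism kerberos_v5 and delegation enabled, while the second leaves the port and mechanism at their defaults with deleg_flag zero. The port range check and the rejection of unknown flags are the kind of input validation a client that is about to hand credentials to a remote service should do before opening any socket.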