1532
1532
-l, --list-mechanisms
1533
1533
List information about supported mechanisms
1534
1534
in a human readable format.
1536
1535
-m, --major=LONG Describe a `major status' error code value.
1536
-a, --accept-sec-context
1537
Accept a security context as server.
1538
-i, --init-sec-context=MECH
1539
Initialize a security context as client.
1540
MECH is the SASL name of mechanism, use -l
1541
to list supported mechanisms.
1542
-n, --server-name=SERVICE@HOSTNAME
1543
For -i, set the name of the remote host.
1544
For example, "imap@mail.example.com".
1539
1547
@majorheading Other Options
1549
1557
@majorheading Examples
1554
-h, --help Print help and exit
1555
-V, --version Print version and exit
1556
-q, --quiet Silent operation (default=off)
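Review bot: The help text for `-n, --server-name=SERVICE@HOSTNAME` says "For -i, set the name of the remote host", but the Examples section added in this same change runs `gss -a -n host@interop.josefsson.org` and explains that the acceptor needs its own name to find the host key. The option description should cover both roles, for example "For -i, the name of the remote service; for -a, the name this server accepts as", so the usage text and the examples agree.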
1559
To list the supported mechanisms, use @code{gss -l} like this:
1563
Found 1 supported mechanisms.
1566
Mechanism name: Kerberos V5
1567
Mechanism description: Kerberos V5 GSS-API mechanism
1568
SASL Mechanism name: GS2-KRB5
1572
To initialize a Kerberos V5 security context, use the
1573
@code{--init-sec-context} parameter. Kerberos V5 needs to know the name
1574
of the remote entity, so you need to supply the @code{--server-name}
1575
parameter as well. That will provide the name of the server. For
1576
example, use @code{imap@@mail.example.com} to setup a security context
1577
with the @code{imap} service on the host @code{mail.example.com}. The
1578
Kerberos V5 client will use your ticket-granting ticket (which needs to
1579
be available) and acquire a server ticket for the service. The KDC must
1580
know about the server for this to work. The tool will print the GSS-API
1581
context tokens base64 encoded on standard output.
1584
$ gss -i GS2-KRB5 -n host@interop.josefsson.org
1585
Context token (protection is available):
1586
YIICIQYJKoZIhvcSAQICAQBuggIQMIICDKADAgEFoQMCAQ6iBwMFACAAAACjggEYYYIBFDCCARCgAwIBBaEXGxVpbnRlcm9wLmpvc2Vmc3Nvbi5vcmeiKDAmoAMCAQGhHzAdGwRob3N0GxVpbnRlcm9wLmpvc2Vmc3Nvbi5vcmejgcUwgcKgAwIBEqKBugSBt0zqTh6tBBKV2BwDjQg6H4abEaPshPa0o3tT/TH9U7BaSw/M9ugYYqpHAhOitVjcQidhG2FdSl1n3FOgDBufHHO+gHOW0Y1XHc2QtEdkg1xYF2J4iR1vNQB14kXDM78pogCsfvfLnjsEESKWoeKRGOYWPRx0ksLJDnl/e5tXecZTjhJ3hLrFNBEWRmpIOakTAPnL+Xzz6xcnLHMLLnhZ5VcHqtIMm5p9IDWsP0juIncJ6tO8hjMA2qSB2jCB16ADAgESooHPBIHMWSeRBgV80gh/6hNNMr00jTVwCs5TEAIkljvjOfyPmNBzIFWoG+Wj5ZKOBdizdi7vYbJ2s8b1iSsq/9YEZSqaTxul+5aNrclKoJ7J/IW4kTuMklHcQf/A16TeZFsm9TdfE+x8+PjbOBFtKYXT8ODT8LLicNNiDbWW0meY7lsktXAVpZiUds4wTZ1W5bOSEGY7+mxAWrAlTnNwNAt1J2MHZnfGJFJDLJZldXoyG8OwHyp4h1nBhgzC5BfAmL85QJVxxgVfiHhM5oT9mE1O
1587
Input context token:
1591
The tool is waiting for the final Kerberos V5 context token from the
1592
server. Note the status text informing you that message protection is
1595
To accept a Kerberos V5 context, the process is similar. The server
1596
needs to know its name, so that it can find the host key from
1597
(typically) @code{/etc/shishi/shishi.keys}. Once started it will wait
1598
for a context token from the client. Below we'll paste in the token
1602
$ gss -a -n host@interop.josefsson.org
1603
Importing name "host@interop.josefsson.org"...
1604
Acquiring credentials...
1605
Input context token:
1606
YIICIQYJKoZIhvcSAQICAQBuggIQMIICDKADAgEFoQMCAQ6iBwMFACAAAACjggEYYYIBFDCCARCgAwIBBaEXGxVpbnRlcm9wLmpvc2Vmc3Nvbi5vcmeiKDAmoAMCAQGhHzAdGwRob3N0GxVpbnRlcm9wLmpvc2Vmc3Nvbi5vcmejgcUwgcKgAwIBEqKBugSBt0zqTh6tBBKV2BwDjQg6H4abEaPshPa0o3tT/TH9U7BaSw/M9ugYYqpHAhOitVjcQidhG2FdSl1n3FOgDBufHHO+gHOW0Y1XHc2QtEdkg1xYF2J4iR1vNQB14kXDM78pogCsfvfLnjsEESKWoeKRGOYWPRx0ksLJDnl/e5tXecZTjhJ3hLrFNBEWRmpIOakTAPnL+Xzz6xcnLHMLLnhZ5VcHqtIMm5p9IDWsP0juIncJ6tO8hjMA2qSB2jCB16ADAgESooHPBIHMWSeRBgV80gh/6hNNMr00jTVwCs5TEAIkljvjOfyPmNBzIFWoG+Wj5ZKOBdizdi7vYbJ2s8b1iSsq/9YEZSqaTxul+5aNrclKoJ7J/IW4kTuMklHcQf/A16TeZFsm9TdfE+x8+PjbOBFtKYXT8ODT8LLicNNiDbWW0meY7lsktXAVpZiUds4wTZ1W5bOSEGY7+mxAWrAlTnNwNAt1J2MHZnfGJFJDLJZldXoyG8OwHyp4h1nBhgzC5BfAmL85QJVxxgVfiHhM5oT9mE1O
1607
Context has been accepted. Final context token:
1608
YHEGCSqGSIb3EgECAgIAb2IwYKADAgEFoQMCAQ+iVDBSoAMCARKhAwIBAKJGBESy1Zoy9DrG+DuV/6aWmAp79s9d+ofGXC/WKOzRuxAqo98vMRWbsbILW8z9aF1th4GZz0kjFz/hZAmnWyomZ9JiP3yQvg==
1612
Returning to the client, you may now cut'n'paste the final context token
1613
as shown by the server. The client has then authenticated the server as
1614
well. The output from the client is shown below.
1617
YHEGCSqGSIb3EgECAgIAb2IwYKADAgEFoQMCAQ+iVDBSoAMCARKhAwIBAKJGBESy1Zoy9DrG+DuV/6aWmAp79s9d+ofGXC/WKOzRuxAqo98vMRWbsbILW8z9aF1th4GZz0kjFz/hZAmnWyomZ9JiP3yQvg==
1618
Context has been initialized.
1559
1622
@c **********************************************************
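Review bot: The acceptor example is shown at an unprivileged `$` prompt, while the text says the server finds its host key in "(typically) @code{/etc/shishi/shishi.keys}". The paragraph should say which user needs read access to that key file, so readers do not loosen its permissions just to make the example work. Two wording points in the same text: "to setup a security context" should read "to set up", and "That will provide the name of the server." repeats the sentence before it and can be dropped.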