uses.
dnl Checks for declarations.
AC_CHECK_DECL([GSS_C_NT_USER_NAME],
[AC_DEFINE([HAVE_GSS_RFC_OIDS], 1,
- [Define to 1 if the GSSAPI library uses RFC-compliant OIDs.])], ,
+ [Define to 1 if the GSS-API library uses RFC-compliant OIDs.])], ,
[#ifdef HAVE_GSSAPI_H
# include <gssapi.h>
#else
A daemon run from inetd or an equivalent which responds to network
authentication requests in the S/Ident protocol. S/Ident is a modified
version of the standard ident protocol that adds SASL-based
- authentication. Currently, only Kerberos v4 and Kerberos v5 GSSAPI
+ authentication. Currently, only Kerberos v4 and Kerberos v5 GSS-API
authentication are supported. sidentd can also optionally serve as a
conventional ident responder.
S/Ident is a modified version of the standard ident protocol that adds
SASL-based authentication. libsident is a requester implementation, used
to send S/Ident queries to a remote system that has connected to a local
- service. Currently, only Kerberos v4 and Kerberos v5 GSSAPI
+ service. Currently, only Kerberos v4 and Kerberos v5 GSS-API
authentication are supported, and the user of this library must have
access to an appropriate srvtab or keytab. In a pinch, this library can
also be used to send normal ident queries, but there are better libraries
S/Ident is a modified version of the standard ident protocol that adds
SASL-based authentication. libsident is a requester implementation, used
to send S/Ident queries to a remote system that has connected to a local
- service. Currently, only Kerberos v4 and Kerberos v5 GSSAPI
+ service. Currently, only Kerberos v4 and Kerberos v5 GSS-API
authentication are supported, and the user of this library must have
access to an appropriate srvtab or keytab. In a pinch, this library can
also be used to send normal ident queries, but there are better libraries
S/Ident is a modified version of the standard ident protocol that adds
SASL-based authentication. These are Perl bindings to the libsident C
library to send S/Ident queries to a remote system that has connected to
- a local service. Currently, only Kerberos v4 and Kerberos v5 GSSAPI
+ a local service. Currently, only Kerberos v4 and Kerberos v5 GSS-API
authentication are supported, and the user of this library must have
access to an appropriate srvtab or keytab. In a pinch, this library can
also be used to send normal ident queries, but there are better libraries
srvtab should contain a key for ident.I<hostname> where I<hostname> is the
DNS name of the network interface that will be making the request.
-(There is no direct way to specify the keytab to use for the GSSAPI method
-because GSSAPI doesn't have a way to specify it. You can, however, set
-the KRB5_KTNAME environment variable to point to the appropriate keytab.)
+(There is no direct way to specify the keytab to use for the GSS-API
+method because GSS-API doesn't have a way to specify it. You can,
+however, set the KRB5_KTNAME environment variable to point to the
+appropriate keytab.)
B<ident_set_authflag> sets an optional flag in the initial authentication
request. Currently, the only supported flag is "USER-INTERACTION", which
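Review bot: The rewrapped parenthetical about KRB5_KTNAME still does not say which key the GSS-API keytab has to contain, while the srvtab sentence just above it names ident.I<hostname> explicitly. The sidentd documentation touched by this same patch gives the GSS-API form as ident/I<system> with a fully qualified name, so it would help to state that here as well. Since KRB5_KTNAME is an environment variable, it is also worth one sentence noting that it changes the default keytab for the whole process, not only for libsident's queries.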
mechanisms that are supported. This information can be queried using
B<ident_query_error>; the flag value should be the name of a SASL
mechanism, and the return code will indicate whether the responder said it
-supported that mechanism. Note that GSSAPI mechanisms are separately
-listed as I<type>/I<subtype>. The only currently supported GSSAPI
+supported that mechanism. Note that GSS-API mechanisms are separately
+listed as I<type>/I<subtype>. The only currently supported GSS-API
mechanism is "GSSAPI/KERBEROS_v5".
The IDENT struct has the following definition:
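Review bot: With the prose now spelled "GSS-API", the literal mechanism name in the last changed paragraph remains "GSSAPI/KERBEROS_v5", so the text and the value a caller passes to B<ident_query_error> no longer match in spelling. Leaving the literal alone is right, since it is a protocol string, but please add a short remark that the flag value is written without the hyphen, so nobody reading "GSS-API mechanisms are separately listed as I<type>/I<subtype>" tries "GSS-API/KERBEROS_v5" and takes the resulting return code to mean the responder lacks the mechanism.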
} IDENT;
B<identifier> contains the authenticated identity (principal@realm for
-Kerberos v4 or GSSAPI Kerberos v5 authentication), a colon, and identifier
+Kerberos v4 or GSS-API Kerberos v5 authentication), a colon, and identifier
returned by the remote system (generally the local Unix user name or UID).
In the event of an error, B<identifier> will instead contain a string
representation of the error. B<principal> will contain only the principal
=head1 AUTHORS
Originally written by Booker Bense <bbense@stanford.edu> based on the
-S/Ident protocol proposed by Robert Morgan <morgan@stanford.edu>. GSSAPI
+S/Ident protocol proposed by Robert Morgan <morgan@stanford.edu>. GSS-API
support added by Russ Allbery <rra@stanford.edu>, who currently maintains
this package.
which B<sidentd> runs and the system querying it. It looks up the owner
of that connection and returns their authentication information. The
current implementation supports both the standard Ident protocol (which
-returns the user's Unix username or UID) and the Kerberos v4 and GSSAPI
-SASL mechanisms. (Only Kerberos v5 is supported as a GSSAPI mechanism.)
+returns the user's Unix username or UID) and the Kerberos v4 and GSS-API
+SASL mechanisms. (Only Kerberos v5 is supported as a GSS-API mechanism.)
When responding, B<sidentd> assumes that the Kerberos service of the
requester is either ident.I<system> (Kerberos v4) or ident/I<system>
-(GSSAPI), where I<system> is fully qualified for GSSAPI but not for
+(GSS-API), where I<system> is fully qualified for GSS-API but not for
Kerberos v4. The protocol requires that the identity chosen be based
entirely on the incoming connection, since otherwise S/Ident could be used
to steal tickets. This means that the requester must have an appropriate
See inetd.conf(5) and services(5) for more information.
-If you are supporting Kerberos v4 or GSSAPI authentication, the responder
+If you are supporting Kerberos v4 or GSS-API authentication, the responder
must run as root in order to be able to read the ticket caches of users.
If you are using TCP wrappers (highly recommended), the F<inetd.conf>
invocation should instead be C</usr/sbin/tcpd /usr/local/sbin/sidentd>,
=item F</tmp/krb5cc_%s>
The file name pattern that B<sidentd> will use to look for a user's
-Kerberos v5 tickets for GSSAPI authentication. As with Kerberos v4
+Kerberos v5 tickets for GSS-API authentication. As with Kerberos v4
tickets, the file must be owned by the correct user and have appropriate
permissions and the first such matching file will be used to answer
requests.
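Review bot: The context lines of this F</tmp/krb5cc_%s> entry say the file must "have appropriate permissions" without saying what the responder actually checks. Since this paragraph is being edited anyway, and the inetd section of the same page requires the responder to run as root to read users' ticket caches, please spell out the exact ownership and mode test (and whether symlinks are followed), because "the first such matching file will be used" in a shared directory like /tmp depends entirely on that test being strict.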
=head1 AUTHORS
Originally written by Booker Bense <bbense@stanford.edu> based on the
-S/Ident protocol proposed by Robert Morgan <morgan@stanford.edu>. GSSAPI
+S/Ident protocol proposed by Robert Morgan <morgan@stanford.edu>. GSS-API
support added by Russ Allbery <rra@stanford.edu>, who currently maintains
this package.