GS2 is a protocol bridge between GSS-API and SASL, and allows every GSS-API mechanism that supports mutual authentication and channel bindings to be used as a SASL mechanism. Currently GS2-KRB5 is supported, for Kerberos V5 authentication; however, our GS2 implementation is flexible enough to easily support other GSS-API mechanisms if any gain popularity.
In the client, the mechanism is enabled only if the user has acquired credentials (i.e., a ticket granting ticket), and it requires the GSASL_AUTHZID, GSASL_SERVICE, and GSASL_HOSTNAME properties.
In the server, the mechanism requires the GSASL_SERVICE and GSASL_HOSTNAME properties, and it will invoke the GSASL_VALIDATE_GSSAPI callback property in order to validate the user. The callback may inspect the GSASL_AUTHZID and GSASL_GSSAPI_DISPLAY_NAME properties to decide whether to authorize the user. Note that authentication is performed by the GSS-API library and that GSASL_AUTHID is not used by the server mechanism; its role is played by GSASL_GSSAPI_DISPLAY_NAME.
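The following is an added example, not code from the GNU SASL manual or library, of the authorization decision a server would make in its GSASL_VALIDATE_GSSAPI callback: it compares the requested GSASL_AUTHZID against the Kerberos principal reported in GSASL_GSSAPI_DISPLAY_NAME. The policy (a principal may only act as itself, and only from one trusted realm), the service name and hostname, the realm EXAMPLE.COM and the HAVE_GSASL build macro are all assumptions; the libgsasl wiring is compiled only when that macro is defined.

```c
#include <stddef.h>
#include <string.h>

/* Policy decision for GSASL_VALIDATE_GSSAPI: 0 = authorize, nonzero = refuse.
   Rule (an assumption, not from the manual): the authenticated principal
   "user@REALM" may act only as itself, i.e. the requested authzid must be
   empty ("act as the authenticated user") or equal "user", and REALM must be
   the realm this service trusts. Anything else is refused. */
int gs2_authorize(const char *display_name, const char *authzid,
                  const char *trusted_realm)
{
    const char *at;
    size_t local_len;

    if (display_name == NULL || *display_name == '\0')
        return 1;                        /* GSS-API authenticated nobody */
    at = strrchr(display_name, '@');
    if (at == NULL || strcmp(at + 1, trusted_realm) != 0)
        return 1;                        /* no realm, or a foreign realm */
    if (authzid == NULL || *authzid == '\0')
        return 0;                        /* authzid defaults to the principal */
    local_len = (size_t)(at - display_name);
    if (strlen(authzid) == local_len
        && memcmp(authzid, display_name, local_len) == 0)
        return 0;                        /* authzid names the principal itself */
    return 1;                            /* authzid names someone else */
}

#ifdef HAVE_GSASL   /* assumed build macro: wiring into libgsasl */
#include <gsasl.h>

/* Application callback registered with gsasl_callback_set(); libgsasl
   asks for GSASL_VALIDATE_GSSAPI once the GSS-API handshake has succeeded. */
static int server_callback(Gsasl *ctx, Gsasl_session *sctx, Gsasl_property prop)
{
    (void) ctx;
    if (prop == GSASL_SERVICE) {
        gsasl_property_set(sctx, prop, "imap");               /* assumed */
        return GSASL_OK;
    }
    if (prop == GSASL_HOSTNAME) {
        gsasl_property_set(sctx, prop, "mail.example.com");   /* assumed */
        return GSASL_OK;
    }
    if (prop == GSASL_VALIDATE_GSSAPI) {
        const char *name = gsasl_property_fast(sctx, GSASL_GSSAPI_DISPLAY_NAME);
        const char *authzid = gsasl_property_fast(sctx, GSASL_AUTHZID);
        return gs2_authorize(name, authzid, "EXAMPLE.COM") == 0
               ? GSASL_OK : GSASL_AUTHENTICATION_ERROR;
    }
    return GSASL_NO_CALLBACK;            /* let libgsasl apply its defaults */
}
#endif
```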
The GS2 framework supports a variant of each mechanism, called the PLUS variant, which can also bind the authentication to a secure channel through channel bindings. Currently this is not supported by GNU SASL.
The GS2 mechanism family was specified in RFC 5801.