You create contexts with the rpc_gss_seccreate() call. This function takes as its arguments:
A client handle returned, for example, by clnt_create()
The name of the server principal, for example, [email protected]
The mechanism (for example, Kerberos V5) for the session
The security service type (for example, privacy)
The QOP for the session
Two GSS-API parameters that can remain opaque for most uses (that is, the programmer can supply NULL values)
This function returns an AUTH authentication handle. The following example shows how rpc_gss_seccreate() might be used to create a context using the Kerberos V5 security mechanism and the integrity service.
Example 5-10 rpc_gss_seccreate()

    CLIENT *clnt;                    /* client handle */
    char server_host[] = "foo";
    char service_name[] = "[email protected]";
    char mech[] = "kerberos_v5";

    clnt = clnt_create(server_host, SERVER_PROG, SERV_VERS, "netpath");
    /* The AUTH member of CLIENT is cl_auth; QOP and both option arguments are NULL */
    clnt->cl_auth = rpc_gss_seccreate(clnt, service_name, mech,
        rpc_gss_svc_integrity, NULL, NULL, NULL);
    . . .
Note the following points about the example:
Although the mechanism was declared explicitly for ease of reading, it would be more commonly obtained programmatically with rpc_gss_get_mechanisms() from a table of available mechanisms.
The QOP is passed as a NULL, which sets the QOP to this mechanism's default. Otherwise, a valid value could, as with the mechanism, be obtained programmatically with rpc_gss_get_mechanisms(). See the rpc_gss_get_mechanisms(3NSL) man page for more information.
The security service type, rpc_gss_svc_integrity, is an enum of the RPCSEC_GSS type rpc_gss_service_t. rpc_gss_service_t has the following format:
    typedef enum {
        rpc_gss_svc_default = 0,
        rpc_gss_svc_none = 1,
        rpc_gss_svc_integrity = 2,
        rpc_gss_svc_privacy = 3
    } rpc_gss_service_t;
The default security service maps to integrity, so the programmer could have specified rpc_gss_svc_default and obtained the same result.
For more information, see the rpc_gss_seccreate(3NSL) man page.
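The following added example (not part of the original guide) shows one way a client could keep a configuration value from selecting a service weaker than integrity before the value reaches rpc_gss_seccreate(). The helpers effective_service(), parse_service() and select_service(), the keyword strings, and the sample inputs are assumptions made for illustration; the enum is copied from above so the block builds without the RPC headers.

```c
#include <stdio.h>
#include <string.h>

/* Copied from the text above; drop this typedef when building
 * against the real <rpc/rpcsec_gss.h>. */
typedef enum {
    rpc_gss_svc_default = 0, rpc_gss_svc_none = 1,
    rpc_gss_svc_integrity = 2, rpc_gss_svc_privacy = 3
} rpc_gss_service_t;

/* Resolve rpc_gss_svc_default to the service it maps to (integrity). */
static rpc_gss_service_t effective_service(rpc_gss_service_t svc)
{
    return svc == rpc_gss_svc_default ? rpc_gss_svc_integrity : svc;
}

/* Hypothetical: map a config keyword to a service type; -1 if unknown. */
static int parse_service(const char *name, rpc_gss_service_t *out)
{
    static const char *names[] = { "default", "none", "integrity", "privacy" };
    for (int i = 0; i < 4; i++) {
        if (strcmp(name, names[i]) == 0) {
            *out = (rpc_gss_service_t)i;   /* index equals enum value */
            return 0;
        }
    }
    return -1;
}

/* Hypothetical: return the value to pass to rpc_gss_seccreate(), or -1
 * when the keyword is unknown or resolves below the required floor. */
static int select_service(const char *name, rpc_gss_service_t floor)
{
    rpc_gss_service_t svc;
    if (name == NULL || parse_service(name, &svc) != 0)
        return -1;
    if (effective_service(svc) < effective_service(floor))
        return -1;
    return (int)svc;
}

int main(void)
{
    /* Constructed sample configuration values. */
    const char *samples[] = { "default", "none", "privacy", "kerberos" };
    for (int i = 0; i < 4; i++)
        printf("%-9s -> %d\n", samples[i], select_service(samples[i], rpc_gss_svc_integrity));
    return 0;
}
```

The comparison relies on the enum values increasing with the protection offered (none, integrity, privacy), which holds for the definition shown above.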