109 lines
2.5 KiB
Groff
109 lines
2.5 KiB
Groff
.\"
|
|
.\"
|
|
.Dd May 12, 2014
|
|
.Os
|
|
.Dt GSS-TOKEN 1
|
|
.Sh NAME
|
|
.Nm gss-token
|
|
.Nd generate and consume base64 GSS tokens
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Op Fl DNn
|
|
.Op Fl c count
|
|
.Ar service@host
|
|
.Nm
|
|
.Fl r
|
|
.Op Fl MNln
|
|
.Op Fl C Ar ccache
|
|
.Op Fl S Ar maxsize
|
|
.Op Fl c count
|
|
.Op Fl m mech
|
|
.Op Ar service@host
|
|
.Sh DESCRIPTION
|
|
.Nm
|
|
generates and consumes base64 encoded GSS tokens.
|
|
By default, it runs as an initiator and with the
|
|
.Fl r
|
|
flag it becomes an acceptor.
|
|
.Pp
|
|
.Nm
|
|
supports the following options:
|
|
.Bl -tag -width indentxxxx
|
|
.It Fl C Ar ccache
|
|
write an accepted delegated credential into
|
|
.Ar ccache .
|
|
This only makes sense if
|
|
.Fl r
|
|
is specified.
|
|
.It Fl D
|
|
delegate credentials.
|
|
This only makes sense as a client, that is when
|
|
.Fl r
|
|
is not specified.
|
|
.It Fl M
|
|
copy the default ccache to a MEMORY: ccache before each
|
|
separate write operation.
|
|
The default ccache will not pick up any obtained service
|
|
tickets.
|
|
If specified with
|
|
.Fl c ,
|
|
the cache will revert to its original state before each
|
|
new token is written.
|
|
This can be used to load test the KDC.
|
|
.It Fl N
|
|
prepend
|
|
.Dq Negotiate\
|
|
to generated tokens and expect it on consumed tokens.
|
|
.It Fl S Ar maxsize
|
|
split each token that is generated into components of maximum
|
|
size
|
|
.Ar maxsize .
|
|
Each token is base64 encoded and output separately.
|
|
.It Fl c Ar count
|
|
repeat the operation
|
|
.Ar count
|
|
times.
|
|
This flag only changes the behaviour when operating in initiator mode.
|
|
This is good for very basic benchmarking.
|
|
.It Fl l
|
|
loop indefinitely in acceptor mode.
|
|
.It Fl m Ar mech
|
|
specifies the GSS mechanism that will be used in initiator mode.
|
|
If a mechanism name of
|
|
.Do ? Dc
|
|
is specified, a list of supported mechanisms will be output and
|
|
.Nm
|
|
will exit.
|
|
.It Fl n
|
|
do not output the generated tokens.
|
|
.It Fl r
|
|
run in acceptor mode.
|
|
.El
|
|
.Pp
|
|
.Nm
|
|
takes one argument, a
|
|
.Ar host@service
|
|
specifier.
|
|
The argument is required when running as an initiator but is optional as
|
|
an acceptor.
|
|
.Pp
|
|
.Nm
|
|
will try to read a token whenever the GSS mechanism expects one
|
|
and will output a token whenever the GSS mechanism provides one.
|
|
Tokens are base64 encoded and terminated by either two successive
|
|
newlines or one newline and EOF.
|
|
The base64 encoding may be broken up by single newlines which will
|
|
be ignored when read. No extra whitespace will be ignored.
|
|
.Sh EXAMPLES
|
|
To test a simple GSS mechanism which doesn't require a round trip,
|
|
a single
|
|
.Pa /bin/sh
|
|
pipeline will suffice:
|
|
.Bd -literal -offset indent
|
|
$ export KRB5_KTNAME=/path/to/keytab
|
|
$ gss-token HTTP@$(hostname) | gss-token -r
|
|
.Ed
|
|
.Sh SEE ALSO
|
|
.Xr gssapi 3 ,
|
|
.Xr kerberos 8 .
|