109 lines, 2.5 KiB, Groff
.\"
.\"
.Dd May 12, 2014
.Os
.Dt GSS-TOKEN 1
.Sh NAME
.Nm gss-token
.Nd generate and consume base64 GSS tokens
.Sh SYNOPSIS
.Nm
.Op Fl DNn
.Op Fl c Ar count
.Ar service@host
.Nm
.Fl r
.Op Fl MNln
.Op Fl C Ar ccache
.Op Fl S Ar maxsize
.Op Fl c Ar count
.Op Fl m Ar mech
.Op Ar service@host
.Sh DESCRIPTION
.Nm
generates and consumes base64 encoded GSS tokens.
By default, it runs as an initiator and with the
.Fl r
flag it becomes an acceptor.
.Pp
.Nm
supports the following options:
.Bl -tag -width indentxxxx
.It Fl C Ar ccache
write an accepted delegated credential into
.Ar ccache .
This only makes sense if
.Fl r
is specified.
.It Fl D
delegate credentials.
This only makes sense as a client, that is when
.Fl r
is not specified.
.It Fl M
copy the default ccache to a MEMORY: ccache before each
separate write operation.
The default ccache will not pick up any obtained service
tickets.
If specified with
.Fl c ,
the cache will revert to its original state before each
new token is written.
This can be used to load test the KDC.
.It Fl N
prepend
.Dq "Negotiate "
to generated tokens and expect it on consumed tokens.
.It Fl S Ar maxsize
split each token that is generated into components of maximum
size
.Ar maxsize .
Each token is base64 encoded and output separately.
.It Fl c Ar count
repeat the operation
.Ar count
times.
This flag only changes the behaviour when operating in initiator mode.
This is good for very basic benchmarking.
.It Fl l
loop indefinitely in acceptor mode.
.It Fl m Ar mech
specifies the GSS mechanism that will be used in initiator mode.
If a mechanism name of
.Do ? Dc
is specified, a list of supported mechanisms will be output and
.Nm
will exit.
.It Fl n
do not output the generated tokens.
.It Fl r
run in acceptor mode.
.El
.Pp
.Nm
takes one argument, a
.Ar service@host
specifier.
The argument is required when running as an initiator but is optional as
an acceptor.
.Pp
.Nm
will try to read a token whenever the GSS mechanism expects one
and will output a token whenever the GSS mechanism provides one.
Tokens are base64 encoded and terminated by either two successive
newlines or one newline and EOF.
The base64 encoding may be broken up by single newlines which will
be ignored when read.
No other whitespace will be ignored.
.Sh EXAMPLES
To test a simple GSS mechanism which doesn't require a round trip,
a single
.Pa /bin/sh
pipeline will suffice:
.Bd -literal -offset indent
$ export KRB5_KTNAME=/path/to/keytab
$ gss-token HTTP@$(hostname) | gss-token -r
.Ed
.Sh SEE ALSO
.Xr gssapi 3 ,
.Xr kerberos 8 .
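A strict reader and writer for the token framing described in DESCRIPTION, as an added Python example that is not part of this manual page or of the gss-token source. The function names, the 64-column wrap width and the size cap are assumptions made for this example; the page does not say how gss-token wraps its own output.

```python
import base64
import binascii

NEGOTIATE = "Negotiate "   # prefix the -N option describes
MAX_B64_LEN = 64 * 1024    # assumed cap for this example, not a gss-token limit


def decode_token(chunk, negotiate=False):
    """Decode one framed token; single newlines inside it are dropped."""
    b64 = chunk.replace("\n", "")
    if negotiate:
        if not b64.startswith(NEGOTIATE):
            raise ValueError("missing 'Negotiate ' prefix")
        b64 = b64[len(NEGOTIATE):]
    if not b64 or len(b64) > MAX_B64_LEN:
        raise ValueError("empty or oversized token")
    try:
        # validate=True rejects spaces, tabs and CRs: only newlines are ignored
        return base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 token: {exc}") from None


def read_tokens(stream, negotiate=False):
    """Split a stream into tokens ended by a blank line or by newline + EOF."""
    chunks = stream.split("\n\n")
    last = chunks.pop()          # text after the final blank line, if any
    if last:
        if not last.endswith("\n"):
            raise ValueError("final token not terminated by a newline")
        chunks.append(last[:-1])
    return [decode_token(c, negotiate) for c in chunks]


def write_token(raw, negotiate=False, width=64):
    """Frame one token: optional prefix, wrapped base64, blank-line terminator."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return (NEGOTIATE if negotiate else "") + "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Constructed sample bytes, not real GSS tokens.
    stream = write_token(bytes(range(100))) + write_token(b"second")
    for tok in read_tokens(stream):
        print(len(tok), tok[:8].hex())
```
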
