Diffstat (limited to 'lib/gssapi/gssapi.cat3')
-rw-r--r-- lib/gssapi/gssapi.cat3 115
1 files changed, 115 insertions, 0 deletions
diff --git a/lib/gssapi/gssapi.cat3 b/lib/gssapi/gssapi.cat3
new file mode 100644
index 000000000000..82901ad0efbd
--- /dev/null
+++ b/lib/gssapi/gssapi.cat3
@@ -0,0 +1,115 @@
+
+GSSAPI(3) BSD Library Functions Manual GSSAPI(3)
+
+NNAAMMEE
+ ggssssaappii -- Generic Security Service Application Program Interface library
+
+LLIIBBRRAARRYY
+ GSS-API Library (libgssapi, -lgssapi)
+
+DDEESSCCRRIIPPTTIIOONN
+ The Generic Security Service Application Program Interface (GSS-API) pro-
+ vides security services to callers in a generic fashion, supportable with
+ a range of underlying mechanisms and technologies and hence allowing
+ source-level portability of applications to different environments.
+
+ The GSS-API implementation in Heimdal implements the Kerberos 5 and the
+ SPNEGO GSS-API security mechanisms.
+
+LLIISSTT OOFF FFUUNNCCTTIIOONNSS
+ These functions constitute the gssapi library, _l_i_b_g_s_s_a_p_i. Declarations
+ for these functions may be obtained from the include file _g_s_s_a_p_i_._h.
+ NNaammee//PPaaggee
+ gss_accept_sec_context(3)
+ gss_acquire_cred(3)
+ gss_add_cred(3)
+ gss_add_oid_set_member(3)
+ gss_canonicalize_name(3)
+ gss_compare_name(3)
+ gss_context_time(3)
+ gss_create_empty_oid_set(3)
+ gss_delete_sec_context(3)
+ gss_display_name(3)
+ gss_display_status(3)
+ gss_duplicate_name(3)
+ gss_export_name(3)
+ gss_export_sec_context(3)
+ gss_get_mic(3)
+ gss_import_name(3)
+ gss_import_sec_context(3)
+ gss_indicate_mechs(3)
+ gss_init_sec_context(3)
+ gss_inquire_context(3)
+ gss_inquire_cred(3)
+ gss_inquire_cred_by_mech(3)
+ gss_inquire_mechs_for_name(3)
+ gss_inquire_names_for_mech(3)
+ gss_krb5_ccache_name(3)
+ gss_krb5_compat_des3_mic(3)
+ gss_krb5_copy_ccache(3)
+ gss_krb5_extract_authz_data_from_sec_context(3)
+ gss_krb5_import_ccache(3)
+ gss_process_context_token(3)
+ gss_release_buffer(3)
+ gss_release_cred(3)
+ gss_release_name(3)
+ gss_release_oid_set(3)
+ gss_seal(3)
+ gss_sign(3)
+ gss_test_oid_set_member(3)
+ gss_unseal(3)
+ gss_unwrap(3)
+ gss_verify(3)
+ gss_verify_mic(3)
+ gss_wrap(3)
+ gss_wrap_size_limit(3)
+
+CCOOMMPPAATTIIBBIILLIITTYY
+ The HHeeiimmddaall GSS-API implementation had a bug in releases before 0.6 that
+ made it fail to inter-operate when using DES3 with other GSS-API imple-
+ mentations when using ggssss__ggeett__mmiicc() / ggssss__vveerriiffyy__mmiicc(). It is possible
+ to modify the behavior of the generator of the MIC with the _k_r_b_5_._c_o_n_f
+ configuration file so that old clients/servers will still work.
+
+ New clients/servers will try both the old and new MIC in Heimdal 0.6. In
+ 0.7 it will check only if configured - the compatibility code will be
+ removed in 0.8.
+
+ Heimdal 0.6 still generates by default the broken GSS-API DES3 mic, this
+ will change in 0.7 to generate correct des3 mic.
+
+ To turn on compatibility with older clients and servers, change the
+ [[ggssssaappii]] _b_r_o_k_e_n___d_e_s_3___m_i_c in _k_r_b_5_._c_o_n_f that contains a list of globbing
+ expressions that will be matched against the server name. To turn off
+ generation of the old (incompatible) mic of the MIC use [[ggssssaappii]]
+ _c_o_r_r_e_c_t___d_e_s_3___m_i_c.
+
+ If a match for a entry is in both [[ggssssaappii]] _c_o_r_r_e_c_t___d_e_s_3___m_i_c and [[ggssssaappii]]
+ _b_r_o_k_e_n___d_e_s_3___m_i_c, the later will override.
+
+ This config option modifies behaviour for both clients and servers.
+
+ Microsoft implemented SPNEGO to Windows2000, however, they managed to get
+ it wrong, their implementation didn't fill in the MechListMIC in the
+ reply token with the right content. There is a work around for this
+ problem, but not all implementation support it.
+
+ Heimdal defaults to correct SPNEGO when the the kerberos implementation
+ uses CFX, or when it is configured by the user. To turn on compatibility
+ with peers, use option [[ggssssaappii]] _r_e_q_u_i_r_e___m_e_c_h_l_i_s_t___m_i_c.
+
+EEXXAAMMPPLLEESS
+ [gssapi]
+ broken_des3_mic = cvs/*@SU.SE
+ broken_des3_mic = host/*@E.KTH.SE
+ correct_des3_mic = host/*@SU.SE
+ require_mechlist_mic = host/*@SU.SE
+
+BBUUGGSS
+ All of 0.5.x versions of hheeiimmddaall had broken token delegations in the
+ client side, the server side was correct.
+
+SSEEEE AALLSSOO
+ krb5(3), krb5.conf(5), kerberos(8)
+
+BSD April 20, 2005 BSD
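Review bot: In the COMPATIBILITY section, the precedence rule "If a match for a entry is in both [gssapi] correct_des3_mic and [gssapi] broken_des3_mic, the later will override" does not say which option wins: "the later" can be read as "the latter" (broken_des3_mic) or as whichever entry appears later in krb5.conf. Since this decides whether a peer gets the old incompatible DES3 MIC or the correct one, name the winning option explicitly, and consider adding a principal that matches both lists to EXAMPLES so the outcome is shown. The same section also has "mic of the MIC", "a entry" and "the the kerberos", and the require_mechlist_mic sentence ("To turn on compatibility with peers, use option ...") does not say which peers are meant or which behaviour the option selects.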