datatracker.ietf.org
Sign in
Version 5.3.0, 2014-04-12
Report a bug

The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism
RFC 4752

Document type: RFC - Proposed Standard (November 2006)
Obsoletes RFC 2222
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4752 (Proposed Standard)
Responsible AD: Sam Hartman
Send notices to: sasl-chairs@tools.ietf.org

Network Working Group                                   A. Melnikov, Ed.
Request for Comments: 4752                                         Isode
Obsoletes: 2222                                            November 2006
Category: Standards Track

                       The Kerberos V5 ("GSSAPI")
       Simple Authentication and Security Layer (SASL) Mechanism

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The IETF Trust (2006).

Abstract

   The Simple Authentication and Security Layer (SASL) is a framework
   for adding authentication support to connection-based protocols.
   This document describes the method for using the Generic Security
   Service Application Program Interface (GSS-API) Kerberos V5 in the
   SASL.

   This document replaces Section 7.2 of RFC 2222, the definition of the
   "GSSAPI" SASL mechanism.  This document, together with RFC 4422,
   obsoletes RFC 2222.

Melnikov                    Standards Track                     [Page 1]
RFC 4752                 SASL GSSAPI Mechanism             November 2006

Table of Contents

   1. Introduction ....................................................2
      1.1. Relationship to Other Documents ............................2
   2. Conventions Used in This Document ...............................2
   3. Kerberos V5 GSS-API Mechanism ...................................2
      3.1. Client Side of Authentication Protocol Exchange ............3
      3.2. Server Side of Authentication Protocol Exchange ............4
      3.3. Security Layer .............................................6
   4. IANA Considerations .............................................7
   5. Security Considerations .........................................7
   6. Acknowledgements ................................................8
   7. Changes since RFC 2222 ..........................................8
   8. References ......................................................8
      8.1. Normative References .......................................8
      8.2. Informative References .....................................9

1.  Introduction

   This specification documents currently deployed Simple Authentication
   and Security Layer (SASL [SASL]) mechanism supporting the Kerberos V5
   [KERBEROS] Generic Security Service Application Program Interface
   ([GSS-API]) mechanism [RFC4121].  The authentication sequence is
   described in Section 3.  Note that the described authentication
   sequence has known limitations, in particular, it lacks channel
   bindings and the number of round-trips required to complete
   authentication exchange is not minimal.  SASL WG is working on a
   separate document that should address these limitations.

1.1.  Relationship to Other Documents

   This document, together with RFC 4422, obsoletes RFC 2222 in its
   entirety.  This document replaces Section 7.2 of RFC 2222.  The
   remainder is obsoleted as detailed in Section 1.2 of RFC 4422.

2.  Conventions Used in This Document

   The key words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", and "MAY"
   in this document are to be interpreted as defined in "Key words for
   use in RFCs to Indicate Requirement Levels" [KEYWORDS].

3.  Kerberos V5 GSS-API Mechanism

   The SASL mechanism name for the Kerberos V5 GSS-API mechanism
   [RFC4121] is "GSSAPI".  Though known as the SASL GSSAPI mechanism,
   the mechanism is specifically tied to Kerberos V5 and GSS-API's
   Kerberos V5 mechanism.

Melnikov                    Standards Track                     [Page 2]
RFC 4752                 SASL GSSAPI Mechanism             November 2006

   The GSSAPI SASL mechanism is a "client goes first" SASL mechanism;
   i.e., it starts with the client sending a "response" created as
   described in the following section.

   The implementation MAY set any GSS-API flags or arguments not
   mentioned in this specification as is necessary for the
   implementation to enforce its security policy.

   Note that major status codes returned by GSS_Init_sec_context() or
   GSS_Accept_sec_context() other than GSS_S_COMPLETE or
   GSS_S_CONTINUE_NEEDED cause authentication failure.  Major status
   codes returned by GSS_Unwrap() other than GSS_S_COMPLETE (without any

[include full document text]