diff options
Diffstat (limited to 'third_party/heimdal/lib/gssapi/gss-token.1')
| -rw-r--r-- | third_party/heimdal/lib/gssapi/gss-token.1 | 108 |
1 files changed, 108 insertions, 0 deletions
diff --git a/third_party/heimdal/lib/gssapi/gss-token.1 b/third_party/heimdal/lib/gssapi/gss-token.1 new file mode 100644 index 0000000..7bd50b0 --- /dev/null +++ b/third_party/heimdal/lib/gssapi/gss-token.1 @@ -0,0 +1,108 @@ +.\" +.\" +.Dd May 12, 2014 +.Os +.Dt GSS-TOKEN 1 +.Sh NAME +.Nm gss-token +.Nd generate and consume base64 GSS tokens +.Sh SYNOPSIS +.Nm +.Op Fl DNn +.Op Fl c count +.Ar service@host +.Nm +.Fl r +.Op Fl MNln +.Op Fl C Ar ccache +.Op Fl S Ar maxsize +.Op Fl c count +.Op Fl m mech +.Op Ar service@host +.Sh DESCRIPTION +.Nm +generates and consumes base64 encoded GSS tokens. +By default, it runs as an initiator and with the +.Fl r +flag it becomes an acceptor. +.Pp +.Nm +supports the following options: +.Bl -tag -width indentxxxx +.It Fl C Ar ccache +write an accepted delegated credential into +.Ar ccache . +This only makes sense if +.Fl r +is specified. +.It Fl D +delegate credentials. +This only makes sense as a client, that is when +.Fl r +is not specified. +.It Fl M +copy the default ccache to a MEMORY: ccache before each +separate write operation. +The default ccache will not pick up any obtained service +tickets. +If specified with +.Fl c , +the cache will revert to its original state before each +new token is written. +This can be used to load test the KDC. +.It Fl N +prepend +.Dq Negotiate\ +to generated tokens and expect it on consumed tokens. +.It Fl S Ar maxsize +split each token that is generated into components of maximum +size +.Ar maxsize . +Each token is base64 encoded and output separately. +.It Fl c Ar count +repeat the operation +.Ar count +times. +This flag only changes the behaviour when operating in initiator mode. +This is good for very basic benchmarking. +.It Fl l +loop indefinitely in acceptor mode. +.It Fl m Ar mech +specifies the GSS mechanism that will be used in initiator mode. +If a mechanism name of +.Do ? Dc +is specified, a list of supported mechanisms will be output and +.Nm +will exit. +.It Fl n +do not output the generated tokens. +.It Fl r +run in acceptor mode. +.El +.Pp +.Nm +takes one argument, a +.Ar host@service +specifier. +The argument is required when running as an initiator but is optional as +an acceptor. +.Pp +.Nm +will try to read a token whenever the GSS mechanism expects one +and will output a token whenever the GSS mechanism provides one. +Tokens are base64 encoded and terminated by either two successive +newlines or one newline and EOF. +The base64 encoding may be broken up by single newlines which will +be ignored when read. No extra whitespace will be ignored. +.Sh EXAMPLES +To test a simple GSS mechanism which doesn't require a round trip, +a single +.Pa /bin/sh +pipeline will suffice: +.Bd -literal -offset indent +$ export KRB5_KTNAME=/path/to/keytab +$ gss-token HTTP@$(hostname) | gss-token -r +.Ed +.Sh SEE ALSO +.Xr gssapi 3 , +.Xr kerberos 8 . |