📄 rfc1961.txt
字号:
Network Working Group P. McMahonRequest for Comments: 1961 ICLCategory: Standards Track June 1996 GSS-API Authentication Method for SOCKS Version 5Status of this Memo This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.Table of Contents 1. Purpose ............................................ 1 2. Introduction ....................................... 1 3. GSS-API Security Context Establishment ............. 2 4. GSS-API Protection-level Options ................... 5 5. GSS-API Per-message Protection ..................... 7 6. GSS-API Security Context Termination ............... 8 7. References ......................................... 8 8. Acknowledgments .................................... 8 9. Security Considerations ............................ 8 10. Author's Address .................................. 91. Purpose The protocol specification for SOCKS Version 5 specifies a generalized framework for the use of arbitrary authentication protocols in the initial SOCKS connection setup. This document provides the specification for the SOCKS V5 GSS-API authentication protocol, and defines a GSS-API-based encapsulation for provision of integrity, authentication and optional confidentiality.2. Introduction GSS-API provides an abstract interface which provides security services for use in distributed applications, but isolates callers from specific security mechanisms and implementations. GSS-API peers achieve interoperability by establishing a common security mechanism for security context establishment - either through administrative action, or through negotiation. GSS-API is specified in [RFC 1508], and [RFC 1509]. This specification is intended for use with implementations of GSS-API, and the emergingMcMahon Standards Track [Page 1]
RFC 1961 GSS-API Authentication for SOCKS V5 June 1996 GSS-API V2 specification. The approach for use of GSS-API in SOCKS V5 is to authenticate the client and server by successfully establishing a GSS-API security context - such that the GSS-API encapsulates any negotiation protocol for mechanism selection, and the agreement of security service options. The GSS-API enables the context initiator to know what security services the target supports for the chosen mechanism. The required level of protection is then agreed by negotiation. The GSS-API per-message protection calls are subsequently used to encapsulate any further TCP and UDP traffic between client and server.3. GSS-API Security Context Establishment3.1 Preparation Prior to use of GSS-API primitives, the client and server should be locally authenticated, and have established default GSS-API credentials. The client should call gss_import_name to obtain an internal representation of the server name. For maximal portability the default name_type GSS_C_NULL_OID should be used to specify the default name space, and the input name_string should treated by the client's code as an opaque name-space specific input. For example, when using Kerberos V5 naming, the imported name may be of the form "SERVICE:socks@socks_server_hostname" where "socks_server_hostname" is the fully qualified host name of the server with all letters in lower case. Other mechanisms may, however, have different name forms, so the client should not make assumptions about the name syntax.3.2 Client Context Establishment The client should then call gss_init_sec_context, typically passing: GSS_C_NO_CREDENTIAL into cred_handle to specify the default credential (for initiator usage), GSS_C_NULL_OID into mech_type to specify the default mechanism,McMahon Standards Track [Page 2]
RFC 1961 GSS-API Authentication for SOCKS V5 June 1996 GSS_C_NO_CONTEXT into context_handle to specify a NULL context (initially), and, the previously imported server name into target_name. The client must also specify its requirements for replay protection, delegation, and sequence protection via the gss_init_sec_context req_flags parameter. It is required by this specification that the client always requests these service options (i.e. passes GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_DELEG_FLAG | GSS_C_SEQUENCE_FLAG into req_flags). However, GSS_C_SEQUENCE_FLAG should only be passed in for TCP-based clients, not for UDP-based clients.3.3 Client Context Establishment Major Status codes The gss_init_sec_context returned status code can take two different success values: - If gss_init_sec_context returns GSS_S_CONTINUE_NEEDED, then the client should expect the server to issue a token in the subsequent subnegotiation response. The client must pass the token to another call to gss_init_sec_context, and repeat this procedure until "continue" operations are complete. - If gss_init_sec_context returns GSS_S_COMPLETE, then the client should respond to the server with any resulting output_token. If there is no output_token, the client should proceed to send the protected request details, including any required message protection subnegotiation as specified in sections 4 and 5 below.3.4 Client initial token The client's GSS-API implementation then typically responds with the resulting output_token which the client sends in a message to the server. +------+------+------+.......................+ + ver | mtyp | len | token | +------+------+------+.......................+ + 0x01 | 0x01 | 0x02 | up to 2^16 - 1 octets | +------+------+------+.......................+McMahon Standards Track [Page 3]
RFC 1961 GSS-API Authentication for SOCKS V5 June 1996 Where: - "ver" is the protocol version number, here 1 to represent the first version of the SOCKS/GSS-API protocol - "mtyp" is the message type, here 1 to represent an authentication message - "len" is the length of the "token" field in octets - "token" is the opaque authentication token emitted by GSS-API3.5 Client GSS-API Initialisation Failure If, however, the client's GSS-API implementation failed during gss_init_sec_context, the client must close its connection to the server.3.6 Server Context Establishment For the case where a client successfully sends a token emitted by gss_init_sec_context() to the server, the server must pass the client-supplied token to gss_accept_sec_context as input_token. When calling gss_accept_sec_context() for the first time, the context_handle argument is initially set to GSS_C_NO_CONTEXT. For portability, verifier_cred_handle is set to GSS_C_NO_CREDENTIAL to specify default credentials (for acceptor usage). If gss_accept_sec_context returns GSS_CONTINUE_NEEDED, the server should return the generated output_token to the client, and subsequently pass the resulting client supplied token to another call to gss_accept_sec_context. If gss_accept_sec_context returns GSS_S_COMPLETE, then, if an output_token is returned, the server should return it to the client. If no token is returned, a zero length token should be sent by the server to signal to the client that it is ready to receive the client's request.McMahon Standards Track [Page 4]
RFC 1961 GSS-API Authentication for SOCKS V5 June 19963.7 Server Reply In all continue/confirmation cases, the server uses the same message type as for the client -> server interaction. +------+------+------+.......................+ + ver | mtyp | len | token | +------+------+------+.......................+ + 0x01 | 0x01 | 0x02 | up to 2^16 - 1 octets | +------+------+------+.......................+3.8 Security Context Failure If the server refuses the client's connection for any reason (GSS-API authentication failure or otherwise), it will return: +------+------+ + ver | mtyp | +------+------+ + 0x01 | 0xff | +------+------+ Where:⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -