Jump to content
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
HP.com home

Transition Impacts

Tru64 UNIX Software Transition Kit
» 

DSPP Home

» HP STK home
Tru64 UNIX STK
» Home
» Overview
» Tools
» Documentation
» Transition impacts
» Identifier types
» Impact list
» Porting to HP-UX
» FAQ
» Glossary
» Help
» Send us feedback
Site maps
» Tru64 UNIX STK
» DSPP
Content starts here

critical impact:

libgss - GSS-API extensions not supported (CrUn365)

LIB Impacts SEC Impacts

Problem description

The libgss library on Tru64 UNIX contains several GSS-API extensions that are not supported on HP-UX.

The libgss library provides the Generic Security Service Application Programming Interface (GSS-API). GSS-API is a standard that provides security services for client-server applications, independent of the various underlying security mechanisms.

Tru64 UNIX and HP-UX both provide the libgss library and an underlying Kerberos mechanism. However, the implementations are different. The Tru64 UNIX implementation is licensed from Cybersafe; the HP-UX implementation is based on the MIT Kerberos distribution.

The Tru64 UNIX libgss contains several Cybersafe extensions that are not supported on HP-UX. They include functions, data structures, and constants. These all begin with the cs_, csf_, or CSF_ prefix. This impact statement only discusses the most commonly used extensions.

The gss_OID and gss_OID_desc data structures have different member names on the two platforms. On Tru64 UNIX, they are nElem and elem; on HP-UX, they are length and elements. The gss_OID_set and gss_OID_set_desc data structures have similar differences. On Tru64 UNIX, their member names are nElem and elem; on HP-UX, they are count and elements.

Identifiers

Programming Libraries-lgss C/C++ Functionscsf_gss_release_user
C/C++ Functionscsf_gss_acq_user C/C++ Functionscsf_gss_renew_cred
C/C++ Functionscsf_gss_get_context_options Programming Librarieslibgss.so
C/C++ Functionscsf_gss_inq_user  

See also

Solution description

Review your code to see if it uses any of the Cybersafe extensions to GSS-API.

The following Cybersafe extensions let an application acquire and renew initial credentials from within a program instead of through the Kerberos kinit command:

  • csf_gss_acq_user acquires a user prior to initiating a security context.
  • csf_gss_inq_user obtains information about a user.
  • csf_gss_release_user deletes a user when it is no longer needed.
  • csf_gss_renew_cred renews credentials.

On HP-UX, the Kerberos client library, libkrb5, provides similar functionality through functions like krb5_get_init_creds_password and krb5_get_renewed_creds. For details, see the MIT Kerberos Web site.

The following Cybersafe extension lets an application determine what type of encryption (DES3 or DES) a security context supports:

  • csf_gss_get_context_options gets information about a security context.

This functionality is not supported on HP-UX.

See also


Problem summary

classifications source types OS release severity type
LIB, SEC Make, Script any HP-UX 11i version critical unavailable
Printable version
Privacy statement Using this site means you accept its terms Feedback to DSPP
© 2007 Hewlett-Packard Development Company, L.P.