PGSSAPI allows administrators to selectively plug vendor GSSAPI libraries into applications, without having to re-compile the application each time.
What problem is this solving?
Security software such as Kerberos usually implements the standard Generic Security Services Application Programming Interface (GSSAPI), which is a high-level security interface independent of any particular security system. This is great for application writers because their product's design is not tied to any one particular security system.
However, when the product is finally compiled and distributed, it must be 'linked' to a particular GSSAPI provider library (e.g. from Heimdal, MIT Kerberos or Quest Authentication Services (QAS)). The linkage couples the deployed application to a particular vendor library, making it difficult to use any other vendor's security software either as a replacement or in tandem.
Quest Software's Pluggable GSSAPI (PGSSAPI) library is a 'meta' GSSAPI library that simply combines and dispatches GSS operations to external GSSAPI libraries in a simple and configurable manner. PGSSAPI appears to the application as a normal GSSAPI library, so application code does not need to be modified to make use of it.
Isn't this already done by Sun's mechglue?
PGSSAPI differs from Sun's mechglue in that PGSSAPI can load and dispatch to full multi-mechanism libraries, instead of to specialised single-mechanism DSOs. This means that existing vendor GSS shared libraries can be used without modification.
Unlike mechglue, PGSSAPI can dispatch GSS calls to different libraries depending on the name of the application being invoked, or other parameters. Mechglue's configuration is relatively inflexible.
PGSSAPI's design is also capable of supporting mechglue modules.
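The per-application dispatch described above, sketched as an added example; this is not PGSSAPI's own code or configuration format. The rule table, the patterns, the library paths and the function names select_provider and resolve_gss_symbol are all hypothetical.

```c
#include <dlfcn.h>
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical rule format: first pattern matching the program name wins. */
struct rule { const char *app_pattern; const char *lib_path; };

/* Constructed sample table; every pattern and path is a placeholder. */
static const struct rule sample_rules[] = {
    { "sshd",    "/opt/vendor-a/lib/libgssapi.so" },
    { "httpd*",  "/opt/vendor-b/lib/libgssapi.so" },
    { "legacyd", "libgssapi.so" },  /* relative path: refused below */
    { "*",       "/opt/vendor-c/lib/libgssapi.so" },
};

/* Return the provider path for argv0, or NULL when the rule is unusable. */
const char *select_provider(const struct rule *rules, size_t n, const char *argv0)
{
    const char *base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    for (size_t i = 0; i < n; i++) {
        if (fnmatch(rules[i].app_pattern, base, 0) != 0)
            continue;
        /* Absolute paths only: a bare name goes through the loader search
         * path. Fail closed rather than fall through to a later rule. */
        return rules[i].lib_path[0] == '/' ? rules[i].lib_path : NULL;
    }
    return NULL;
}

/* Resolve one GSS entry point in the chosen provider. RTLD_LOCAL keeps the
 * provider's gss_* symbols out of the global namespace, so two vendor
 * libraries can coexist. The handle stays open so the pointer stays valid. */
void *resolve_gss_symbol(const char *lib_path, const char *symbol)
{
    void *handle = lib_path ? dlopen(lib_path, RTLD_NOW | RTLD_LOCAL) : NULL;
    return handle ? dlsym(handle, symbol) : NULL;
}

int main(int argc, char **argv)
{
    const char *lib = select_provider(sample_rules, 4, argc ? argv[0] : "");
    printf("provider: %s\n", lib ? lib : "(none)");
    return 0;
}
```

On older glibc versions, link with -ldl.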
Is PGSSAPI for application developers, or for operating system vendors?
Both. PGSSAPI was developed for two common use-cases:
- As distributable C source code that can be compiled directly into GSSAPI applications by the application developer, and controlled by application configuration data, or
- As a system-provided, dynamically-linked library under the control of the system administrator, with configuration integrated into the operating system platform.
In the event that both the system and the application use PGSSAPI, then PGSSAPI will happily nest.