The example shows wrapping a string to protect it with a signature. Run:
tdgssauth -u userconfhigh -m td2 -i 198.51.100.20 -T "this is a test"
The user name (-u) is given the same way it is specified in a bteq .logon command. The -m option specifies the logon mechanism to use (TD2 in this case). The -i option specifies the IP address from which the user will connect. The -T option supplies the string to wrap and unwrap.
Result:
Status: not authenticated, not authorized

Actual mechanism employed: TD2 [OID 1.3.6.1.4.1.191.1.1012.1.1.9]

Security context capabilities: replay detection
                               out of sequence detection
                               confidentiality
                               integrity
                               protection ready
                               exportable security context

Minimum quality of protection: 3 (High) with confidentiality and integrity

Options: none

String to be wrapped: this is a test
Requesting QoP: 3 (High)
Requesting Confidentiality: yes
Wrapped text (by client side):
00000000: ff 6e 79 ed f9 b3 fa 42 ee 79 3e c1 b0 7a af ab *.ny....B.y>..z..*
00000010: e9 ce 82 c5 3e bd 49 e3 a6 70 95 ab 42 9a 95 6b *....>.I..p..B..k*
00000020: d2 1b 2a 8e c6 f1 04 91 24 78 5d 50 e5 8b 69 8a *..*.....$x]P..i.*
00000030: 86 2a 0f ab 75 f6 3d 7e 19 14 3f d3 35 6d 77 74 *.*..u.=~..?.5mwt*
00000040: 03 07 04 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*
Unwrapped text (by server side):
00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74 *this is a test*
Actual QoP applied: 3 (High)
Confidentiality applied: yes
Wrapped text (by server side):
00000000: d9 f0 77 7b 1a 9c 75 2e 3e 65 6e 75 ee 9a 07 33 *..w{..u.>enu...3*
00000010: a5 b3 f0 8e 04 3e 24 15 a8 6e b8 29 97 68 43 c5 *.....>$..n.).hC.*
00000020: 4f dc f3 d5 14 70 9d e1 27 38 9a de 50 3c 95 fd *O....p..'8..P<..*
00000030: 8d cf 2f e9 b1 ed 77 18 aa ca 53 7d 05 61 50 dc *../...w...S}.aP.*
00000040: 03 07 84 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*
Unwrapped text (by client side):
00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74 *this is a test*
Actual QoP applied: 3 (High)
Confidentiality applied: yes
The -T option specifies a string to wrap and unwrap. Wrapping protects the text with a signature and optionally encrypts it (see the -c and -e options in Using tdgssauth Syntax). The tool uses the QoP configured for the session when invoking the wrap function in TDGSS. In this case, the client side wrapped the message and turned it into an 80-byte string. The tool passes the 80-byte string to the server side of TDGSS and requests that the server side unwrap it back to the original string. The server then wraps the string it unwrapped and generates a different 80-byte string. The client unwraps the string from the server side back to the original string.
The -T option can be used with any mechanism and any number of -T options may be specified.
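A way to check a -T result automatically rather than by eye, as an added example that is not part of the original page or of Teradata's tooling. It assumes the tool prints one field or dump row per line in the layout shown in the result above. The names parse and check are hypothetical, and only the client-wrap/server-unwrap half of the result is embedded.

```python
import re

# First half of the -T result (client wrap, server unwrap), one row per line.
SAMPLE = r"""String to be wrapped: this is a test
Requesting QoP: 3 (High)
Requesting Confidentiality: yes
Wrapped text (by client side):
00000000: ff 6e 79 ed f9 b3 fa 42 ee 79 3e c1 b0 7a af ab *.ny....B.y>..z..*
00000010: e9 ce 82 c5 3e bd 49 e3 a6 70 95 ab 42 9a 95 6b *....>.I..p..B..k*
00000020: d2 1b 2a 8e c6 f1 04 91 24 78 5d 50 e5 8b 69 8a *..*.....$x]P..i.*
00000030: 86 2a 0f ab 75 f6 3d 7e 19 14 3f d3 35 6d 77 74 *.*..u.=~..?.5mwt*
00000040: 03 07 04 03 00 00 00 40 00 00 00 00 00 00 00 01 *.......@........*
Unwrapped text (by server side):
00000000: 74 68 69 73 20 69 73 20 61 20 74 65 73 74 *this is a test*
Actual QoP applied: 3 (High)
Confidentiality applied: yes
"""
HEX = re.compile(r"^[0-9a-f]{8}: ((?:[0-9a-f]{2} )+)\*")

def parse(text):
    # Returns (fields, blobs): "key: value" pairs, and dump bytes keyed by label.
    fields, blobs, label = [], {}, None
    for line in map(str.strip, text.splitlines()):
        m = HEX.match(line)
        if m and label:
            blobs[label] += bytes.fromhex(m.group(1))  # hex column only
        elif line.endswith("):"):
            label = line[:-1]  # e.g. "Wrapped text (by client side)"
            blobs[label] = b""
        elif ": " in line:
            fields.append(tuple(line.split(": ", 1)))
    return fields, blobs

def check(text):
    # Lists every way the transcript falls short of the protection requested.
    fields, blobs = parse(text)
    get = lambda k: [v for key, v in fields if key == k]
    plain = get("String to be wrapped")[0].encode()
    problems = []
    if any(v != "yes" for v in get("Confidentiality applied")):
        problems.append("confidentiality not applied")
    if set(get("Actual QoP applied")) != set(get("Requesting QoP")):
        problems.append("QoP applied differs from QoP requested")
    for label, data in blobs.items():
        if label.startswith("Unwrapped") and data != plain:
            problems.append(label + " does not match input")
        if label.startswith("Wrapped") and plain in data:
            problems.append(label + " contains the plaintext")
    return problems
```

An empty list from check means the round trip returned the input, the wrapped bytes do not expose it, and the applied QoP and confidentiality match what was requested.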