(ql:quickload :cl-gss)

cl-gss - Common Lisp bindings for GSSAPI

Author contact information


GSSAPI is designed to provide a standard API to authentication services. The API itself is generic, and the system can provide different underlying implementations. The most common one is Kerberos, which itself has several implementations, the most common of which is probably Active Directory.

Wikipedia has a more complete summary of GSS-API:

Attempts have been made to make this API fit well into the Common Lisp style, and also to work around some of the incompatibilities between different implementations. Several pieces of functionality are not implemented, but these are generally not used much. If you are missing something, please let me know, or better yet, send a patch.


On the initiating side, the function INIT-SEC must be called to initialise the handshake. This function takes a single required parameter, the name of the service to which you intend to connect.

(cl-gss:init-sec "host@domain" :flags '(:mutual))

In this case, we're only passing a single flag, :MUTUAL. This flag indicates that I not only want to verify my identity with the remote service, but that the service should also identify itself to me.

This call returns several values:

Because we used the flag :MUTUAL, the first return value will be T, since INIT-SEC needs to validate the identity of the peer.

The next step is to transfer the byte array that was returned as the second return value to the peer and pass it to ACCEPT-SEC:

(cl-gss:accept-sec buffer)

The call will return 5 values:

The name that was returned as the third return value is in an opaque form but can be converted to a string using the function NAME-TO-STRING. This name can then be used for authorisation checks.

(let ((user-name (cl-gss:name-to-string name)))
  (unless (equal user-name "some-name")
    (error "No permission to access service")))
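
A stricter form of the check above, as an added example that is not part of cl-gss: it assumes the string from NAME-TO-STRING is a Kerberos principal of the form primary[/instance]@REALM, and it goes beyond the single-name comparison by pinning the realm and matching against an allow list. The realm, the allowed names and the helpers SPLIT-PRINCIPAL, AUTHORISED-P and DEMO are hypothetical.

```lisp
;;; Added example, not part of cl-gss. Assumption: the string returned by
;;; NAME-TO-STRING is a Kerberos principal, primary[/instance]@REALM.

(defparameter *trusted-realm* "EXAMPLE.COM")   ; constructed sample realm
(defparameter *allowed-principals*             ; constructed sample names
  '("alice" "backup/admin"))

(defun split-principal (name)
  "Return (values LOCAL-PART REALM), or NIL if NAME is not a plain principal.
Names with control characters or backslash escapes are rejected outright."
  (let ((at (position #\@ name :from-end t)))
    (when (and at
               (plusp at)                      ; non-empty local part
               (< (1+ at) (length name))       ; non-empty realm
               (every #'graphic-char-p name)
               (not (find #\\ name)))
      (values (subseq name 0 at) (subseq name (1+ at))))))

(defun authorised-p (name)
  "True only for an allowed principal in the trusted realm."
  (multiple-value-bind (local realm) (split-principal name)
    (and local
         (string= realm *trusted-realm*)       ; exact, case-sensitive match
         (member local *allowed-principals* :test #'string=)
         t)))

(defun demo ()
  "Evaluate the check over constructed names; returns a list of (NAME . RESULT)."
  (mapcar (lambda (n) (cons n (authorised-p n)))
          '("alice@EXAMPLE.COM"          ; allowed
            "backup/admin@EXAMPLE.COM"   ; allowed, with instance
            "alice@OTHER.EXAMPLE"        ; same local name, other realm
            "alice@example.com"          ; realm differs in case
            "alice"                      ; no realm
            "mallory@EXAMPLE.COM")))     ; not on the list

;; With the NAME value from ACCEPT-SEC, as in the text above:
;; (unless (authorised-p (cl-gss:name-to-string name))
;;   (error "No permission to access service"))
```

The check fails closed: any name it cannot parse is treated as unauthorised rather than passed through to the comparison.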

Once INIT-SEC and ACCEPT-SEC have both returned NIL as their first return value, the context is ready to be used.

In order to encrypt a packet, use the function WRAP. It takes the following arguments:

To decrypt a packet, use the function UNWRAP. This function takes the following arguments: