#include <krb5.h>
krb5_auth_con_init() allocates and initializes the krb5_auth_context structure. Default values can be changed with krb5_auth_con_setcksumtype() and krb5_auth_con_setflags(). The auth_context structure must be freed by krb5_auth_con_free().
krb5_auth_con_getflags(), krb5_auth_con_setflags(), krb5_auth_con_addflags() and krb5_auth_con_removeflags() get and modify the flags for a krb5_auth_context structure. Possible flags to set are:

KRB5_AUTH_CONTEXT_DO_SEQUENCE
    Generate and check sequence-number on each packet.

KRB5_AUTH_CONTEXT_DO_TIME
    Check timestamp on incoming packets.

KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
    Return sequence numbers and time stamps in the outdata parameters of krb5_rd_cred(3), krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and krb5_mk_safe(3). Setting this flag requires that parameter to be passed to these functions.

KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
    Forces krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to create unencrypted (ENCTYPE_NULL) credentials. This is for use with old MIT servers and Java based servers, as they can't handle encrypted KRB-CRED. Note that sending such a KRB-CRED in clear exposes crypto keys and tickets and is insecure; make sure the packet is encrypted in the protocol.

The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behaviour of krb5_get_forwarded_creds() by removing the timestamp from the forwarded credential message. This has backward compatibility problems, since not all versions of Heimdal support timeless credential messages. It is nonetheless very useful, since it allows the sender of the message to cache the forwarded message and thus avoid a round trip to the KDC each time a credential is forwarded. The same functionality can be obtained by using address-less tickets.
krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and krb5_auth_con_getaddrs() get and set the addresses that are checked when a packet is received. It is mandatory to set an address for the remote host. If the local address is not set, it is deduced from the underlying operating system. krb5_auth_con_getaddrs() will call krb5_free_address() on any address that is passed in local_addr or remote_addr. krb5_auth_con_setaddrs() allows passing a NULL pointer as local_addr and remote_addr, in which case that address is simply not set.
krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file descriptor.
krb5_auth_con_genaddrs() fetches the address information from the given file descriptor fd depending on the bitmap argument flags.
Possible values on flags are:
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
    fetches the local address from fd.

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
    fetches the remote address from fd.
krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and krb5_auth_con_getkey() get and set the key used for this auth context. The keyblock returned by krb5_auth_con_getkey() should be freed with krb5_free_keyblock(). The keyblock passed to krb5_auth_con_setkey() is copied into the krb5_auth_context, and thus no special handling is needed. NULL is not a valid keyblock to krb5_auth_con_setkey().
krb5_auth_con_setuserkey() is only useful when doing user to user authentication. krb5_auth_con_setkey() is equivalent to krb5_auth_con_setuserkey().
krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(), krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() get and set the keyblock for the local and remote subkey. The keyblock returned by krb5_auth_con_getlocalsubkey() and krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
krb5_auth_con_setcksumtype() and krb5_auth_con_getcksumtype() set and get the checksum type that should be used for this connection.
krb5_auth_con_generatelocalsubkey() generates a local subkey that has the same encryption type as key.
krb5_auth_con_getremoteseqnumber(), krb5_auth_con_setremoteseqnumber(), krb5_auth_con_getlocalseqnumber() and krb5_auth_con_setlocalseqnumber() get and set the sequence-number for the local and remote sequence-number counter.
krb5_auth_con_setkeytype() and krb5_auth_con_getkeytype() set and get the keytype of the keyblock in krb5_auth_context.
krb5_auth_con_getauthenticator() retrieves the authenticator that was used during mutual authentication. The authenticator returned should be freed by calling krb5_free_authenticator().
krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the replay-cache.
krb5_auth_con_initivector() allocates memory for and zeros the initial vector in the auth_context keyblock.
krb5_auth_con_setivector() sets the i_vector portion of auth_context to ivector.
krb5_free_authenticator() frees the content of authenticator and authenticator itself.
HEIMDAL                    KRB5_AUTH_CONTEXT(3)                    May 17, 2005