1KRB5_GET_INIT_CREDS(3) BSD Library Functions Manual KRB5_GET_INIT_CREDS(3)
2
4 krb5_get_init_creds, krb5_get_init_creds_keytab, krb5_get_init_creds_opt,
5 krb5_get_init_creds_opt_alloc, krb5_get_init_creds_opt_free,
6 krb5_get_init_creds_opt_init, krb5_get_init_creds_opt_set_address_list,
7 krb5_get_init_creds_opt_set_addressless,
8 krb5_get_init_creds_opt_set_anonymous,
9 krb5_get_init_creds_opt_set_default_flags,
10 krb5_get_init_creds_opt_set_etype_list,
11 krb5_get_init_creds_opt_set_forwardable,
12 krb5_get_init_creds_opt_set_pa_password,
13 krb5_get_init_creds_opt_set_paq_request,
14 krb5_get_init_creds_opt_set_preauth_list,
15 krb5_get_init_creds_opt_set_proxiable,
16 krb5_get_init_creds_opt_set_renew_life, krb5_get_init_creds_opt_set_salt,
17 krb5_get_init_creds_opt_set_tkt_life,
18 krb5_get_init_creds_opt_set_canonicalize,
19 krb5_get_init_creds_opt_set_win2k, krb5_get_init_creds_password,
20 krb5_prompt, krb5_prompter_posix — Kerberos 5 initial authentication
21 functions
22
24 Kerberos 5 Library (libkrb5, -lkrb5)
25
27 #include <krb5.h>
28
29 krb5_get_init_creds_opt;
30
31 krb5_error_code
32 krb5_get_init_creds_opt_alloc(krb5_context context,
33 krb5_get_init_creds_opt **opt);
34
35 void
36 krb5_get_init_creds_opt_free(krb5_context context,
37 krb5_get_init_creds_opt *opt);
38
39 void
40 krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);
41
42 void
43 krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
44 krb5_addresses *addresses);
45
46 void
47 krb5_get_init_creds_opt_set_addressless(krb5_get_init_creds_opt *opt,
48 krb5_boolean addressless);
49
50 void
51 krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
52 int anonymous);
53
54 void
55 krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
56 int change_password_prompt);
57
58 void
59 krb5_get_init_creds_opt_set_default_flags(krb5_context context,
60 const char *appname, krb5_const_realm realm,
61 krb5_get_init_creds_opt *opt);
62
63 void
64 krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
65 krb5_enctype *etype_list, int etype_list_length);
66
67 void
68 krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
69 int forwardable);
70
71 krb5_error_code
72 krb5_get_init_creds_opt_set_pa_password(krb5_context context,
73 krb5_get_init_creds_opt *opt, const char *password,
74 krb5_s2k_proc key_proc);
75
76 krb5_error_code
77 krb5_get_init_creds_opt_set_paq_request(krb5_context context,
78 krb5_get_init_creds_opt *opt, krb5_boolean req_pac);
79
80 krb5_error_code
81 krb5_get_init_creds_opt_set_pkinit(krb5_context context,
82 krb5_get_init_creds_opt *opt, const char *cert_file,
83 const char *key_file, const char *x509_anchors, int flags,
84 char *password);
85
86 void
87 krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
88 krb5_preauthtype *preauth_list, int preauth_list_length);
89
90 void
91 krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
92 int proxiable);
93
94 void
95 krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
96 krb5_deltat renew_life);
97
98 void
99 krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
100 krb5_data *salt);
101
102 void
103 krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
104 krb5_deltat tkt_life);
105
106 krb5_error_code
107 krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
108 krb5_get_init_creds_opt *opt, krb5_boolean req);
109
110 krb5_error_code
111 krb5_get_init_creds_opt_set_win2k(krb5_context context,
112 krb5_get_init_creds_opt *opt, krb5_boolean req);
113
114 krb5_error_code
115 krb5_get_init_creds(krb5_context context, krb5_creds *creds,
116 krb5_principal client, krb5_prompter_fct prompter,
117 void *prompter_data, krb5_deltat start_time,
118 const char *in_tkt_service, krb5_get_init_creds_opt *options);
119
120 krb5_error_code
121 krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
122 krb5_principal client, const char *password,
123 krb5_prompter_fct prompter, void *prompter_data,
124 krb5_deltat start_time, const char *in_tkt_service,
125 krb5_get_init_creds_opt *in_options);
126
127 krb5_error_code
128 krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
129 krb5_principal client, krb5_keytab keytab, krb5_deltat start_time,
130 const char *in_tkt_service, krb5_get_init_creds_opt *options);
131
132 int
133 krb5_prompter_posix(krb5_context context, void *data, const char *name,
134 const char *banner, int num_prompts, krb5_prompt prompts[]);
135
137 These functions get the initial credential ticket for a principal. That
138 may include changing an expired password and doing preauthentication.
139 This interface replaces the deprecated krb5_in_tkt and krb5_in_cred functions.
140
141 If you only want to verify a username and password, consider using
142 krb5_verify_user(3) instead, since it also verifies the initial creden‐
143 tials using a keytab to make sure the response was from the KDC. Obtaining initial credentials by itself does not prove that the reply came from the real KDC.
144
145 First a krb5_get_init_creds_opt structure is initialized with
146 krb5_get_init_creds_opt_alloc() or krb5_get_init_creds_opt_init().
147 krb5_get_init_creds_opt_alloc() allocates an extensible structure that
148 needs to be freed with krb5_get_init_creds_opt_free(). The structure may
149 be modified by any of the krb5_get_init_creds_opt_set() functions to
150 change request parameters and authentication information.
151
152 If the caller wants to use the default options, NULL can be passed
153 instead.
154
155 The actual request to the KDC is done by any of the
156 krb5_get_init_creds(), krb5_get_init_creds_password(), or
157 krb5_get_init_creds_keytab() functions. krb5_get_init_creds() is the
158 least specialized function and can, with the right input data, behave like
159 the latter two. The latter two are there for compatibility with older
160 releases and they are slightly easier to use.
161
162 krb5_prompt is a structure containing the following elements:
163
164 typedef struct {
165 const char *prompt;
166 int hidden;
167 krb5_data *reply;
168 krb5_prompt_type type
169 } krb5_prompt;
170
171 prompt is the prompt that should be shown to the user. If hidden is set, the
172 prompter function shouldn't echo the output to the display device. reply
173 must be preallocated; it will not be allocated by the prompter function.
174 Possible values for the type element are:
175
176 KRB5_PROMPT_TYPE_PASSWORD
177 KRB5_PROMPT_TYPE_NEW_PASSWORD
178 KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
179 KRB5_PROMPT_TYPE_PREAUTH
180 KRB5_PROMPT_TYPE_INFO
181
182 krb5_prompter_posix() is the default prompter function in a POSIX envi‐
183 ronment. It matches the krb5_prompter_fct and can be used in the
184 krb5_get_init_creds functions. krb5_prompter_posix() doesn't require
185 prompter_data.
186
187 If the start_time is zero, then the requested ticket will be valid begin‐
188 ning immediately. Otherwise, the start_time indicates how far in the
189 future the ticket should be postdated.
190
191 If the in_tkt_service name is non-NULL, that principal name will be used
192 as the server name for the initial ticket request. The realm of the name
193 specified will be ignored and will be set to the realm of the client
194 name. If no in_tkt_service name is specified, krbtgt/CLIENT-
195 REALM@CLIENT-REALM will be used.
196
197 For the rest of the arguments, a configuration or library default will be
198 used if no value is specified in the options structure.
199
200 krb5_get_init_creds_opt_set_address_list() sets the list of addresses
201 that should be stored in the ticket.
202
203 krb5_get_init_creds_opt_set_addressless() controls whether the ticket is
204 requested with addresses or not;
205 krb5_get_init_creds_opt_set_address_list() overrides this option.
206
207 krb5_get_init_creds_opt_set_anonymous() makes the request anonymous if the
208 anonymous parameter is non-zero.
209
210 krb5_get_init_creds_opt_set_default_flags() sets the default flags using
211 the configuration file.
212
213 krb5_get_init_creds_opt_set_etype_list() sets a list of enctypes that the
214 client is willing to support in the request.
215
216 krb5_get_init_creds_opt_set_forwardable() requests a forwardable ticket.
217
218 krb5_get_init_creds_opt_set_pa_password() sets the password and key_proc
219 that are going to be used to get a new ticket. password or key_proc can
220 be NULL if the caller wants to use the default values. If the password
221 is unset and needed, the user will be prompted for it.
222
223 krb5_get_init_creds_opt_set_paq_request() sets, according to req_pac,
224 whether a PAC (Privilege Attribute Certificate) is requested from the KDC.
225
226 krb5_get_init_creds_opt_set_preauth_list() sets the list of client-sup‐
227 ported preauth types.
228
229 krb5_get_init_creds_opt_set_proxiable() makes the request proxiable.
230
231 krb5_get_init_creds_opt_set_renew_life() sets the requested renewable
232 lifetime.
233
234 krb5_get_init_creds_opt_set_salt() sets the salt that is going to be used
235 in the request.
236
237 krb5_get_init_creds_opt_set_tkt_life() sets the requested ticket lifetime.
238
239 krb5_get_init_creds_opt_set_canonicalize() requests that the KDC canoni‐
240 calize the client principal if possible.
241
242 krb5_get_init_creds_opt_set_win2k() turns on compatibility with Windows
243 2000.
244
246 krb5(3), krb5_creds(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)
247
248HEIMDAL Sep 16, 2006 HEIMDAL