1KRB5_AUTH_CONTEXT(3)     BSD Library Functions Manual     KRB5_AUTH_CONTEXT(3)
2

NAME

4     krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
5     krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
6     krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
7     krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
8     krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
9     krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
10     krb5_auth_con_removeflags, krb5_auth_con_setaddrs,
11     krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
12     krb5_auth_con_setivector, krb5_auth_con_setkey,
13     krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
14     krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
15     krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
16     krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
17     krb5_auth_setcksumtype, krb5_auth_setkeytype,
18     krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
19     krb5_free_authenticator — manage authentication on connection level
20

LIBRARY

22     Kerberos 5 Library (libkrb5, -lkrb5)
23

SYNOPSIS

25     #include <krb5.h>
26
27     krb5_error_code
28     krb5_auth_con_init(krb5_context context,
29         krb5_auth_context *auth_context);
30
31     void
32     krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
33
34     krb5_error_code
35     krb5_auth_con_setflags(krb5_context context,
36         krb5_auth_context auth_context, int32_t flags);
37
38     krb5_error_code
39     krb5_auth_con_getflags(krb5_context context,
40         krb5_auth_context auth_context, int32_t *flags);
41
42     krb5_error_code
43     krb5_auth_con_addflags(krb5_context context,
44         krb5_auth_context auth_context, int32_t addflags, int32_t *flags);
45
46     krb5_error_code
47     krb5_auth_con_removeflags(krb5_context context,
48         krb5_auth_context auth_context, int32_t removeflags, int32_t *flags);
49
50     krb5_error_code
51     krb5_auth_con_setaddrs(krb5_context context,
52         krb5_auth_context auth_context, krb5_address *local_addr,
53         krb5_address *remote_addr);
54
55     krb5_error_code
56     krb5_auth_con_getaddrs(krb5_context context,
57         krb5_auth_context auth_context, krb5_address **local_addr,
58         krb5_address **remote_addr);
59
60     krb5_error_code
61     krb5_auth_con_genaddrs(krb5_context context,
62         krb5_auth_context auth_context, int fd, int flags);
63
64     krb5_error_code
65     krb5_auth_con_setaddrs_from_fd(krb5_context context,
66         krb5_auth_context auth_context, void *p_fd);
67
68     krb5_error_code
69     krb5_auth_con_getkey(krb5_context context,
70         krb5_auth_context auth_context, krb5_keyblock **keyblock);
71
72     krb5_error_code
73     krb5_auth_con_getlocalsubkey(krb5_context context,
74         krb5_auth_context auth_context, krb5_keyblock **keyblock);
75
76     krb5_error_code
77     krb5_auth_con_getremotesubkey(krb5_context context,
78         krb5_auth_context auth_context, krb5_keyblock **keyblock);
79
80     krb5_error_code
81     krb5_auth_con_generatelocalsubkey(krb5_context context,
82         krb5_auth_context auth_context, krb5_keyblock *key);
83
84     krb5_error_code
85     krb5_auth_con_initivector(krb5_context context,
86         krb5_auth_context auth_context);
87
88     krb5_error_code
89     krb5_auth_con_setivector(krb5_context context,
90         krb5_auth_context *auth_context, krb5_pointer ivector);
91
92     void
93     krb5_free_authenticator(krb5_context context,
94         krb5_authenticator *authenticator);
95

DESCRIPTION

97     The krb5_auth_context structure holds all context related to an authenti‐
98     cated connection, in a similar way to krb5_context, which holds the context
99     for the thread or process.  krb5_auth_context is used by various func‐
100     tions that are directly related to authentication between the
101     server and client.  Examples of data that this structure contains are
102     flags, addresses of client and server, port numbers, keyblocks (and sub‐
103     keys), sequence numbers, the replay cache, and the checksum type.
104
105     krb5_auth_con_init() allocates and initializes the krb5_auth_context
106     structure. Default values can be changed with
107     krb5_auth_con_setcksumtype() and krb5_auth_con_setflags().  The
108     auth_context structure must be freed by krb5_auth_con_free().
109
110     krb5_auth_con_getflags(), krb5_auth_con_setflags(),
111     krb5_auth_con_addflags() and krb5_auth_con_removeflags() get and modify
112     the flags of a krb5_auth_context structure.  Possible flags to set
113     are:
114
115     KRB5_AUTH_CONTEXT_DO_SEQUENCE
116             Generate and check sequence-number on each packet.
117
118     KRB5_AUTH_CONTEXT_DO_TIME
119             Check timestamp on incoming packets.
120
121     KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
122             Return sequence numbers and time stamps in the outdata parame‐
123             ters.
124
125     KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
126             Forces krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
127             create unencrypted (KRB5_ENCTYPE_NULL) credentials.  This is for
128             use with old MIT servers and Java-based servers, as they can't han‐
129             dle encrypted KRB-CRED.  Note that sending such a KRB-CRED in the
130             clear exposes crypto keys and tickets and is insecure; make sure
131             the packet is encrypted in the protocol, see krb5_rd_cred(3),
132             krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
133             krb5_mk_safe(3).  Setting this flag requires that parameter to be
134             passed to these functions.
135
136             The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior of
137             the function krb5_get_forwarded_creds() by removing the timestamp
138             from the forwarded credential message; this has backward compatibil‐
139             ity problems since not all versions of Heimdal support time‐
140             less credential messages.  It is very useful since it allows the
141             sender of the message to cache the forwarded message and thus avoid
142             a round trip to the KDC each time a credential is forwarded.
143             The same functionality can be obtained by using address-less
144             tickets.
145
146     krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
147     krb5_auth_con_getaddrs() get and set the addresses that are checked
148     when a packet is received.  It is mandatory to set an address for the
149     remote host.  If the local address is not set, it is deduced from the
150     underlying operating system.  krb5_auth_con_getaddrs() will call
151     krb5_free_address() on any address that is passed in local_addr or
152     remote_addr.  krb5_auth_con_setaddrs() allows passing a NULL pointer as
153     local_addr and remote_addr, in which case it will just not set that
154     address.
155
156     krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file
157     descriptor.
158
159     krb5_auth_con_genaddrs() fetches the address information from the given
160     file descriptor fd depending on the bitmap argument flags.
161
162     Possible values on flags are:
163
164     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
165             fetches the local address from fd.
166
167     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
168             fetches the remote address from fd.
169
170     krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
171     krb5_auth_con_getkey() get and set the key used for this auth context.
172     The keyblock returned by krb5_auth_con_getkey() should be freed with
173     krb5_free_keyblock().  The keyblock passed to krb5_auth_con_setkey() is
174     copied into the krb5_auth_context, and thus no special handling is
175     needed.  NULL is not a valid keyblock for krb5_auth_con_setkey().
176
177     krb5_auth_con_setuserkey() is only useful when doing user-to-user authen‐
178     tication.  krb5_auth_con_setkey() is equivalent to
179     krb5_auth_con_setuserkey().
180
181     krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
182     krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() get
183     and set the keyblock for the local and remote subkey.  The keyblock
184     returned by krb5_auth_con_getlocalsubkey() and
185     krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
186
187     krb5_auth_setcksumtype() and krb5_auth_getcksumtype() set and get the
188     checksum type that should be used for this connection.
189
190     krb5_auth_con_generatelocalsubkey() generates a local subkey that has
191     the same encryption type as key.
192
193     krb5_auth_getremoteseqnumber(), krb5_auth_setremoteseqnumber(),
194     krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() get and
195     set the sequence number for the local and remote sequence-number
196     counters.
197
198     krb5_auth_setkeytype() and krb5_auth_getkeytype() set and get the key‐
199     type of the keyblock in krb5_auth_context.
200
201     krb5_auth_con_getauthenticator() retrieves the authenticator that was
202     used during mutual authentication.  The authenticator returned should be
203     freed by calling krb5_free_authenticator().
204
205     krb5_auth_con_getrcache() and krb5_auth_con_setrcache() get and set the
206     replay cache.
207
208     krb5_auth_con_initivector() allocates memory for and zeros the initial
209     vector in the auth_context keyblock.
210
211     krb5_auth_con_setivector() sets the i_vector portion of auth_context to
212     ivector.
213
214     krb5_free_authenticator() frees the content of authenticator and the
215     authenticator itself.
216

SEE ALSO

218     krb5_context(3), kerberos(8)
219
220HEIMDAL                          May 17, 2005                          HEIMDAL