libkrb5(3)
NAME
libkrb5: libkrb5.sl, libkrb5.so, libcom_err.sl, libcom_err.so,
libk5crypto.sl, libk5crypto.so - Kerberos client libraries
SYNOPSIS
32-Bit Libraries on Itanium-based Systems
64-Bit Libraries on Itanium-based Systems
32-Bit Libraries on PA-RISC Systems
64-Bit Libraries on PA-RISC Systems
DESCRIPTION
Kerberos is a network authentication protocol developed at MIT. This
is now an IETF standard, RFC 1510, the Kerberos Network Authentication
Service (V5). The shared libraries, and support authentication,
integrity and confidentiality services as per the Kerberos V5
specification.
Kerberos performs authentication as a trusted third-party
authentication service using a conventional (shared secret key)
cryptographic mechanism. It provides a means of verifying the identities
of principals without relying on authentication by the host operating
system and without basing trust on host addresses. The protocol works
without requiring the physical security of all the hosts on the network,
under the assumption that packets transmitted over the network can be
read, modified and inserted at will.
is the main Kerberos library, which provides APIs for authentication,
verifying tickets, creating authenticators, context management, cache
and replay cache management, keytab file management, memory management,
principal name style mapping and operating system specific calls. The
header file should be included in any application that uses APIs from
the library.
which is linked to will provide the encryption and decryption APIs. A
user should not link this library directly with an application. In
order to add authentication, an application may need to call one or
more APIs of the Kerberos library, which results in the transmission of
the necessary messages to achieve authentication.
implements Kerberos library error code tables. There are separate
error code tables for database, magic numbers and ASN.1 APIs. Based on
the failure in the API, the user may get an error from these tables
using the appropriate API. The header file should be included in the
application that uses routines from the library. Executable files must
be linked with in order to cause the library to be included.
The functionalities of the APIs implemented in Kerberos client
libraries are given below.
krb5_context Management APIs
The context is designed to represent per-process state. The global
parameters which are "context" specific are stored in this structure.
The structure contains the default realm, default encryption type,
default configuration files and the like. The APIs provide full access
to the data stored in the context; developers should not access the
structure directly. Some of the common APIs are and
The encryption types which are retrieved from the and stored in the
should be freed by the caller.
krb5_auth_context Management APIs
The is a per-connection context and is used by the various APIs
involved directly in client/server authentication. Some of the data
stored in this context include keyblocks, addresses, sequence numbers,
authenticator, checksum type and replay cache pointer. Some of the
common APIs are and
The structure should be freed using It is the responsibility of the
application developer to free the memory allocated to the authenticator
by using The application developer must also free the memory that was
allocated to store the local sub keyblocks using
Principal Access APIs
A principal is a uniquely named client or server instance that
participates in a network communication. The APIs allow you to create,
modify and access portions of the krb5_principal. Some of the common
APIs are and so on.
Some of the APIs are internal functions, which are not intended for use
by the application programs since this interface may change at any
time. Even though it is possible to directly access the data elements
in the structure, it is recommended that these APIs should be used.
The returned principal should be freed with
Credential Cache Management APIs
These APIs deal with storing credentials (tickets, session keys and
other identifying information) in a semi-permanent store for later use
by different programs. The credential storage can be a hard disk or a
memory storage. Some of the common APIs are and
The retrieved credentials should be freed using
Replay Cache Management APIs
These APIs deal with verifying that do not contain duplicate
authenticators. The storage must be non-volatile for the site-determined
validity period of authenticators. Some of the common APIs are and
initializes the private data for a replay cache. This API must be
called before the other replay cache APIs. The allocated memory should
be freed using
These APIs are not generally used by the applications.
Keytab Management APIs
These APIs deal with storing and retrieving service keys for use by
unattended services which participate in authentication exchanges.
Keytab routines are all atomic. All keytab types support multiple
concurrent sequential scans. Some of the common APIs are and
To free the resources, the user should use
Memory Management APIs
These APIs deal with deallocation of memory that has been allocated by
various routines. It is recommended that the developer use these
routines to free the data structures. All the APIs start with the
prefix. Some of the common APIs are and
Operating System-Specific APIs
These APIs provide an interface between the other parts of the
libraries and the operating system. These include APIs to allow access
to configuration-specific information, disk-based I/O operations,
network-based operations and operating system specific access APIs.
Some of the common APIs are and
Application-Specific and Miscellaneous APIs
These APIs deal with sending and receiving KRB5 protocol messages to
the Kerberos server, ticket management and miscellaneous calls. Some
of the common APIs are and
WARNINGS
It is strongly recommended that you use GSS-API instead of Kerberos
calls. The Kerberos libraries are not thread safe.
AUTHOR
Kerberos client libraries were developed at the Massachusetts Institute
of Technology. This version of the libraries is compatible with
MIT 1.3.5.
SEE ALSO
kdestroy(1), kinit(1), klist(1), kpasswd(1), ktutil(1), kvno(1),
krb5.conf(4), gssapi(5), kerberos(5).