KRB5_AUTH_CONTEXT(3) BSD Library Functions Manual KRB5_AUTH_CONTEXT(3)NAME
krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
krb5_auth_con_removeflags, krb5_auth_con_setaddrs,
krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
krb5_auth_con_setivector, krb5_auth_con_setkey,
krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
krb5_auth_setcksumtype, krb5_auth_setkeytype,
krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
krb5_free_authenticator -- manage authentication on connection level
LIBRARY
Kerberos 5 Library (libkrb5, -lkrb5)
SYNOPSIS
#include <krb5.h>
krb5_error_code
krb5_auth_con_init(krb5_context context,
krb5_auth_context *auth_context);
void
krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);
krb5_error_code
krb5_auth_con_setflags(krb5_context context,
krb5_auth_context auth_context, int32_t flags);
krb5_error_code
krb5_auth_con_getflags(krb5_context context,
krb5_auth_context auth_context, int32_t *flags);
krb5_error_code
krb5_auth_con_addflags(krb5_context context,
krb5_auth_context auth_context, int32_t addflags, int32_t *flags);
krb5_error_code
krb5_auth_con_removeflags(krb5_context context,
krb5_auth_context auth_context, int32_t removelags, int32_t *flags);
krb5_error_code
krb5_auth_con_setaddrs(krb5_context context,
krb5_auth_context auth_context, krb5_address *local_addr,
krb5_address *remote_addr);
krb5_error_code
krb5_auth_con_getaddrs(krb5_context context,
krb5_auth_context auth_context, krb5_address **local_addr,
krb5_address **remote_addr);
krb5_error_code
krb5_auth_con_genaddrs(krb5_context context,
krb5_auth_context auth_context, int fd, int flags);
krb5_error_code
krb5_auth_con_setaddrs_from_fd(krb5_context context,
krb5_auth_context auth_context, void *p_fd);
krb5_error_code
krb5_auth_con_getkey(krb5_context context,
krb5_auth_context auth_context, krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_getlocalsubkey(krb5_context context,
krb5_auth_context auth_context, krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_getremotesubkey(krb5_context context,
krb5_auth_context auth_context, krb5_keyblock **keyblock);
krb5_error_code
krb5_auth_con_generatelocalsubkey(krb5_context context,
krb5_auth_context auth_context, krb5_keyblock, *key");
krb5_error_code
krb5_auth_con_initivector(krb5_context context,
krb5_auth_context auth_context);
krb5_error_code
krb5_auth_con_setivector(krb5_context context,
krb5_auth_context *auth_context, krb5_pointer ivector);
void
krb5_free_authenticator(krb5_context context,
krb5_authenticator *authenticator);
DESCRIPTION
The krb5_auth_context structure holds all context related to an authenti-
cated connection, in a similar way to krb5_context that holds the context
for the thread or process. krb5_auth_context is used by various func-
tions that are directly related to authentication between the
server/client. Example of data that this structure contains are various
flags, addresses of client and server, port numbers, keyblocks (and sub-
keys), sequence numbers, replay cache, and checksum-type.
krb5_auth_con_init() allocates and initializes the krb5_auth_context
structure. Default values can be changed with
krb5_auth_con_setcksumtype() and krb5_auth_con_setflags(). The
auth_context structure must be freed by krb5_auth_con_free().
krb5_auth_con_getflags(), krb5_auth_con_setflags(),
krb5_auth_con_addflags() and krb5_auth_con_removeflags() gets and modi-
fies the flags for a krb5_auth_context structure. Possible flags to set
are:
KRB5_AUTH_CONTEXT_DO_SEQUENCE
Generate and check sequence-number on each packet.
KRB5_AUTH_CONTEXT_DO_TIME
Check timestamp on incoming packets.
KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
Return sequence numbers and time stamps in the outdata parame-
ters.
KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
create unencrypted ) ENCTYPE_NULL) credentials. This is for use
with old MIT server and JAVA based servers as they can't handle
encrypted KRB-CRED. Note that sending such KRB-CRED is clear
exposes crypto keys and tickets and is insecure, make sure the
packet is encrypted in the protocol. krb5_rd_cred(3),
krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
krb5_mk_safe(3). Setting this flag requires that parameter to be
passed to these functions.
The flags KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior
the function krb5_get_forwarded_creds() by removing the timestamp
in the forward credential message, this have backward compatibil-
ity problems since not all versions of the heimdal supports time-
less credentional messages. Is very useful since it always the
sender of the message to cache forward message and thus avoiding
a round trip to the KDC for each time a credential is forwarded.
The same functionality can be obtained by using address-less
tickets.
krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
krb5_auth_con_getaddrs() gets and sets the addresses that are checked
when a packet is received. It is mandatory to set an address for the
remote host. If the local address is not set, it iss deduced from the
underlaying operating system. krb5_auth_con_getaddrs() will call
krb5_free_address() on any address that is passed in local_addr or
remote_addr. krb5_auth_con_setaddr() allows passing in a NULL pointer as
local_addr and remote_addr, in that case it will just not set that
address.
krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file
descriptor.
krb5_auth_con_genaddrs() fetches the address information from the given
file descriptor fd depending on the bitmap argument flags.
Possible values on flags are:
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
fetches the local address from fd.
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
fetches the remote address from fd.
krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
krb5_auth_con_getkey() gets and sets the key used for this auth context.
The keyblock returned by krb5_auth_con_getkey() should be freed with
krb5_free_keyblock(). The keyblock send into krb5_auth_con_setkey() is
copied into the krb5_auth_context, and thus no special handling is
needed. NULL is not a valid keyblock to krb5_auth_con_setkey().
krb5_auth_con_setuserkey() is only useful when doing user to user authen-
tication. krb5_auth_con_setkey() is equivalent to
krb5_auth_con_setuserkey().
krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets
and sets the keyblock for the local and remote subkey. The keyblock
returned by krb5_auth_con_getlocalsubkey() and
krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().
krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the
checksum type that should be used for this connection.
krb5_auth_con_generatelocalsubkey() generates a local subkey that have
the same encryption type as key.
krb5_auth_getremoteseqnumber()krb5_auth_setremoteseqnumber(),
krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() gets and
sets the sequence-number for the local and remote sequence-number
counter.
krb5_auth_setkeytype() and krb5_auth_getkeytype() gets and gets the key-
type of the keyblock in krb5_auth_context.
krb5_auth_con_getauthenticator() Retrieves the authenticator that was
used during mutual authentication. The authenticator returned should be
freed by calling krb5_free_authenticator().
krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the
replay-cache.
krb5_auth_con_initivector() allocates memory for and zeros the initial
vector in the auth_context keyblock.
krb5_auth_con_setivector() sets the i_vector portion of auth_context to
ivector.
krb5_free_authenticator() free the content of authenticator and
authenticator itself.
SEE ALSOkrb5_context(3), kerberos(8)HEIMDAL May 17, 2005 HEIMDAL
