keyhole logo

Functions

Heimdal Kerberos 5 credential handing functions

Functions

KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_fwd_tgt_creds (krb5_context context, krb5_auth_context auth_context, const char *hostname, krb5_principal client, krb5_principal server, krb5_ccache ccache, int forwardable, krb5_data *out_data)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_get_forwarded_creds (krb5_context context, krb5_auth_context auth_context, krb5_ccache ccache, krb5_flags flags, const char *hostname, krb5_creds *in_creds, krb5_data *out_data)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_get_init_creds_opt_alloc (krb5_context context, krb5_get_init_creds_opt **opt)
KRB5_LIB_FUNCTION void
KRB5_LIB_CALL 
krb5_get_init_creds_opt_free (krb5_context context, krb5_get_init_creds_opt *opt)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_init (krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void *prompter_data, krb5_deltat start_time, krb5_get_init_creds_opt *options, krb5_init_creds_context *rctx)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_set_service (krb5_context context, krb5_init_creds_context ctx, const char *service)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_set_password (krb5_context context, krb5_init_creds_context ctx, const char *password)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_set_keytab (krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_step (krb5_context context, krb5_init_creds_context ctx, krb5_data *in, krb5_data *out, krb5_krbhst_info *hostinfo, unsigned int *flags)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_get_error (krb5_context context, krb5_init_creds_context ctx, KRB_ERROR *error)
KRB5_LIB_FUNCTION void
KRB5_LIB_CALL 
krb5_init_creds_free (krb5_context context, krb5_init_creds_context ctx)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_init_creds_get (krb5_context context, krb5_init_creds_context ctx)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_get_init_creds_password (krb5_context context, krb5_creds *creds, krb5_principal client, const char *password, krb5_prompter_fct prompter, void *data, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *options)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_get_init_creds_keyblock (krb5_context context, krb5_creds *creds, krb5_principal client, krb5_keyblock *keyblock, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *options)
KRB5_LIB_FUNCTION
krb5_error_code KRB5_LIB_CALL 
krb5_get_init_creds_keytab (krb5_context context, krb5_creds *creds, krb5_principal client, krb5_keytab keytab, krb5_deltat start_time, const char *in_tkt_service, krb5_get_init_creds_opt *options)

Function Documentation

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_fwd_tgt_creds ( krb5_context  context,
krb5_auth_context  auth_context,
const char *  hostname,
krb5_principal  client,
krb5_principal  server,
krb5_ccache  ccache,
int  forwardable,
krb5_data *  out_data 
)

Forward credentials for client to host hostname , making them forwardable if forwardable, and returning the blob of data to sent in out_data. If hostname == NULL, pick it from server.

Parameters:
contextA kerberos 5 context.
auth_contextthe auth context with the key to encrypt the out_data.
hostnamethe host to forward the tickets too.
clientthe client to delegate from.
serverthe server to delegate the credential too.
ccachecredential cache to use.
forwardablemake the forwarded ticket forwabledable.
out_datathe resulting credential.
Returns:
Return an error code or 0.
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_forwarded_creds ( krb5_context  context,
krb5_auth_context  auth_context,
krb5_ccache  ccache,
krb5_flags  flags,
const char *  hostname,
krb5_creds *  in_creds,
krb5_data *  out_data 
)

Gets tickets forwarded to hostname. If the tickets that are forwarded are address-less, the forwarded tickets will also be address-less.

If the ticket have any address, hostname will be used for figure out the address to forward the ticket too. This since this might use DNS, its insecure and also doesn't represent configured all addresses of the host. For example, the host might have two adresses, one IPv4 and one IPv6 address where the later is not published in DNS. This IPv6 address might be used communications and thus the resulting ticket useless.

Parameters:
contextA kerberos 5 context.
auth_contextthe auth context with the key to encrypt the out_data.
ccachecredential cache to use
flagsthe flags to control the resulting ticket flags
hostnamethe host to forward the tickets too.
in_credsthe in client and server ticket names. The client and server components forwarded to the remote host.
out_datathe resulting credential.
Returns:
Return an error code or 0.

Some older of the MIT gssapi library used clear-text tickets (warped inside AP-REQ encryption), use the krb5_auth_context flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those tickets. The session key is used otherwise to encrypt the forwarded ticket.

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_keyblock ( krb5_context  context,
krb5_creds *  creds,
krb5_principal  client,
krb5_keyblock *  keyblock,
krb5_deltat  start_time,
const char *  in_tkt_service,
krb5_get_init_creds_opt *  options 
)

Get new credentials using keyblock.

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_keytab ( krb5_context  context,
krb5_creds *  creds,
krb5_principal  client,
krb5_keytab  keytab,
krb5_deltat  start_time,
const char *  in_tkt_service,
krb5_get_init_creds_opt *  options 
)

Get new credentials using keytab.

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_opt_alloc ( krb5_context  context,
krb5_get_init_creds_opt **  opt 
)

Allocate a new krb5_get_init_creds_opt structure, free with krb5_get_init_creds_opt_free().

KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_get_init_creds_opt_free ( krb5_context  context,
krb5_get_init_creds_opt *  opt 
)

Free krb5_get_init_creds_opt structure.

KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_get_init_creds_password ( krb5_context  context,
krb5_creds *  creds,
krb5_principal  client,
const char *  password,
krb5_prompter_fct  prompter,
void *  data,
krb5_deltat  start_time,
const char *  in_tkt_service,
krb5_get_init_creds_opt *  options 
)

Get new credentials using password.

KRB5_LIB_FUNCTION void KRB5_LIB_CALL krb5_init_creds_free ( krb5_context  context,
krb5_init_creds_context  ctx 
)

Free the krb5_init_creds_context allocated by krb5_init_creds_init().

Parameters:
contextA Kerberos 5 context.
ctxThe krb5_init_creds_context to free.
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_get ( krb5_context  context,
krb5_init_creds_context  ctx 
)

Get new credentials as setup by the krb5_init_creds_context.

Parameters:
contextA Kerberos 5 context.
ctxThe krb5_init_creds_context to process.
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_get_error ( krb5_context  context,
krb5_init_creds_context  ctx,
KRB_ERROR *  error 
)

Get the last error from the transaction.

Returns:
Returns 0 or an error code
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_init ( krb5_context  context,
krb5_principal  client,
krb5_prompter_fct  prompter,
void *  prompter_data,
krb5_deltat  start_time,
krb5_get_init_creds_opt *  options,
krb5_init_creds_context *  rctx 
)

Start a new context to get a new initial credential.

Parameters:
contextA Kerberos 5 context.
clientThe Kerberos principal to get the credential for, if NULL is given, the default principal is used as determined by krb5_get_default_principal().
prompter
prompter_data
start_timethe time the ticket should start to be valid or 0 for now.
optionsa options structure, can be NULL for default options.
rctxA new allocated free with krb5_init_creds_free().
Returns:
0 for success or an Kerberos 5 error code, see krb5_get_error_message().
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_set_keytab ( krb5_context  context,
krb5_init_creds_context  ctx,
krb5_keytab  keytab 
)

Set the keytab to use for authentication.

Parameters:
contexta Kerberos 5 context.
ctxctx krb5_init_creds_context context.
keytabthe keytab to read the key from.
Returns:
0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_set_password ( krb5_context  context,
krb5_init_creds_context  ctx,
const char *  password 
)

Sets the password that will use for the request.

Parameters:
contexta Kerberos 5 context.
ctxctx krb5_init_creds_context context.
passwordthe password to use.
Returns:
0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_set_service ( krb5_context  context,
krb5_init_creds_context  ctx,
const char *  service 
)

Sets the service that the is requested. This call is only neede for special initial tickets, by default the a krbtgt is fetched in the default realm.

Parameters:
contexta Kerberos 5 context.
ctxa krb5_init_creds_context context.
servicethe service given as a string, for example "kadmind/admin". If NULL, the default krbtgt in the clients realm is set.
Returns:
0 for success, or an Kerberos 5 error code, see krb5_get_error_message().
KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL krb5_init_creds_step ( krb5_context  context,
krb5_init_creds_context  ctx,
krb5_data *  in,
krb5_data *  out,
krb5_krbhst_info *  hostinfo,
unsigned int *  flags 
)

The core loop if krb5_get_init_creds() function family. Create the packets and have the caller send them off to the KDC.

If the caller want all work been done for them, use krb5_init_creds_get() instead.

Parameters:
contexta Kerberos 5 context.
ctxctx krb5_init_creds_context context.
ininput data from KDC, first round it should be reset by krb5_data_zer().
outreply to KDC.
hostinfoKDC address info, first round it can be NULL.
flagsstatus of the round, if KRB5_INIT_CREDS_STEP_FLAG_CONTINUE is set, continue one more round.
Returns:
0 for success, or an Kerberos 5 error code, see krb5_get_error_message().

Generated on Fri Dec 6 2013 08:15:58 for HeimdalKerberos5library by doxygen 1.7.2