KRB5_AUTH_CONTEXT(3)                BSD Library Functions Manual                KRB5_AUTH_CONTEXT(3)

NAME
     krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
     krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs,
     krb5_auth_con_getauthenticator, krb5_auth_con_getflags, krb5_auth_con_getkey,
     krb5_auth_con_getlocalsubkey, krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
     krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
     krb5_auth_con_removeflags, krb5_auth_con_setaddrs, krb5_auth_con_setaddrs_from_fd,
     krb5_auth_con_setflags, krb5_auth_con_setivector, krb5_auth_con_setkey,
     krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache, krb5_auth_con_setremotesubkey,
     krb5_auth_con_setuserkey, krb5_auth_context, krb5_auth_getcksumtype,
     krb5_auth_getkeytype, krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
     krb5_auth_setcksumtype, krb5_auth_setkeytype, krb5_auth_setlocalseqnumber,
     krb5_auth_setremoteseqnumber, krb5_free_authenticator -- manage authentication on the
     connection level

LIBRARY
     Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS
     #include <krb5.h>

     krb5_error_code
     krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);

     void
     krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);

     krb5_error_code
     krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, int32_t flags);

     krb5_error_code
     krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, int32_t *flags);

     krb5_error_code
     krb5_auth_con_addflags(krb5_context context, krb5_auth_context auth_context, int32_t addflags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_removeflags(krb5_context context, krb5_auth_context auth_context, int32_t removeflags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address *local_addr, krb5_address *remote_addr);

     krb5_error_code
     krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address **local_addr, krb5_address **remote_addr);

     krb5_error_code
     krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int fd, int flags);
     krb5_error_code
     krb5_auth_con_setaddrs_from_fd(krb5_context context, krb5_auth_context auth_context, void *p_fd);

     krb5_error_code
     krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_generatelocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock *key);

     krb5_error_code
     krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);

     krb5_error_code
     krb5_auth_con_setivector(krb5_context context, krb5_auth_context *auth_context, krb5_pointer ivector);

     void
     krb5_free_authenticator(krb5_context context, krb5_authenticator *authenticator);

DESCRIPTION
     The krb5_auth_context structure holds all context related to an authenticated
     connection, in a similar way to krb5_context, which holds the context for the
     thread or process.
     krb5_auth_context is used by various functions that are directly related to
     authentication between the server and client. Examples of data that this
     structure contains are various flags, addresses of client and server, port
     numbers, keyblocks (and subkeys), sequence numbers, replay cache, and
     checksum type.

     krb5_auth_con_init() allocates and initializes the krb5_auth_context
     structure. Default values can be changed with krb5_auth_con_setcksumtype()
     and krb5_auth_con_setflags(). The auth_context structure must be freed by
     krb5_auth_con_free().

     krb5_auth_con_getflags(), krb5_auth_con_setflags(), krb5_auth_con_addflags()
     and krb5_auth_con_removeflags() get and modify the flags for a
     krb5_auth_context structure. Possible flags to set are:

     KRB5_AUTH_CONTEXT_DO_SEQUENCE
             Generate and check a sequence number on each packet.

     KRB5_AUTH_CONTEXT_DO_TIME
             Check the timestamp on incoming packets.

     KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
             Return sequence numbers and time stamps in the outdata parameters.

     KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
             Forces krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to create
             unencrypted (KRB5_ENCTYPE_NULL) credentials. This is for use with old
             MIT servers and Java-based servers, as they cannot handle encrypted
             KRB-CRED. Note that sending such a KRB-CRED in the clear exposes
             cryptographic keys and tickets and is insecure; make sure the packet
             is encrypted by the surrounding protocol.

     krb5_rd_cred(3), krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
     krb5_mk_safe(3). Setting this flag requires that parameter to be passed to
     these functions.
     The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior of the
     function krb5_get_forwarded_creds() by removing the timestamp from the
     forwarded credential message. This has backward-compatibility problems,
     since not all versions of Heimdal support timestamp-less credential
     messages. It is very useful, since it allows the sender of the message to
     cache the forwarded message and thus avoid a round trip to the KDC each
     time a credential is forwarded. The same functionality can be obtained by
     using address-less tickets.

     krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
     krb5_auth_con_getaddrs() get and set the addresses that are checked when a
     packet is received. It is mandatory to set an address for the remote host.
     If the local address is not set, it is deduced from the underlying
     operating system. krb5_auth_con_getaddrs() will call krb5_free_address() on
     any address that is passed in local_addr or remote_addr.
     krb5_auth_con_setaddrs() allows passing a NULL pointer as local_addr and
     remote_addr; in that case it simply does not set that address.
     krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file
     descriptor.

     krb5_auth_con_genaddrs() fetches the address information from the given
     file descriptor fd depending on the bitmap argument flags. Possible values
     of flags are:

     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
             fetches the local address from fd.

     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
             fetches the remote address from fd.

     krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and
     krb5_auth_con_getkey() get and set the key used for this auth context.
     The keyblock returned by krb5_auth_con_getkey() should be freed with
     krb5_free_keyblock(). The keyblock passed to krb5_auth_con_setkey() is
     copied into the krb5_auth_context, and thus no special handling is needed.
     NULL is not a valid keyblock for krb5_auth_con_setkey().

     krb5_auth_con_setuserkey() is only useful when doing user-to-user
     authentication. krb5_auth_con_setkey() is equivalent to
     krb5_auth_con_setuserkey().

     krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
     krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() get
     and set the keyblock for the local and remote subkey. The keyblock
     returned by krb5_auth_con_getlocalsubkey() and
     krb5_auth_con_getremotesubkey() must be freed with krb5_free_keyblock().

     krb5_auth_setcksumtype() and krb5_auth_getcksumtype() set and get the
     checksum type that should be used for this connection.

     krb5_auth_con_generatelocalsubkey() generates a local subkey that has the
     same encryption type as key.

     krb5_auth_getremoteseqnumber(), krb5_auth_setremoteseqnumber(),
     krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() get and
     set the sequence number for the local and remote sequence-number counters.

     krb5_auth_setkeytype() and krb5_auth_getkeytype() set and get the key type
     of the keyblock in krb5_auth_context.
     krb5_auth_con_getauthenticator() retrieves the authenticator that was used
     during mutual authentication. The authenticator returned should be freed
     by calling krb5_free_authenticator().

     krb5_auth_con_getrcache() and krb5_auth_con_setrcache() get and set the
     replay cache.

     krb5_auth_con_initivector() allocates memory for and zeros the initial
     vector in the auth_context keyblock.

     krb5_auth_con_setivector() sets the i_vector portion of auth_context to
     ivector.

     krb5_free_authenticator() frees the content of authenticator and
     authenticator itself.

SEE ALSO
     krb5_context(3), kerberos(8)

HEIMDAL                              May 17, 2005                              HEIMDAL