KRB5_AUTH_CONTEXT(3)	 BSD Library Functions Manual	  KRB5_AUTH_CONTEXT(3)

NAME
     krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
     krb5_auth_con_generatelocalsubkey,	krb5_auth_con_getaddrs,
     krb5_auth_con_getauthenticator, krb5_auth_con_getflags,
     krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
     krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey,
     krb5_auth_con_getuserkey, krb5_auth_con_init, krb5_auth_con_initivector,
     krb5_auth_con_removeflags,	krb5_auth_con_setaddrs,
     krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
     krb5_auth_con_setivector, krb5_auth_con_setkey,
     krb5_auth_con_setlocalsubkey, krb5_auth_con_setrcache,
     krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
     krb5_auth_context,	krb5_auth_getcksumtype,	krb5_auth_getkeytype,
     krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber,
     krb5_auth_setcksumtype, krb5_auth_setkeytype,
     krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
     krb5_free_authenticator --	manage authentication on connection level

LIBRARY
     Kerberos 5	Library	(libkrb5, -lkrb5)

SYNOPSIS
     #include <krb5.h>

     krb5_error_code
     krb5_auth_con_init(krb5_context context,
	 krb5_auth_context *auth_context);

     void
     krb5_auth_con_free(krb5_context context, krb5_auth_context	auth_context);

     krb5_error_code
     krb5_auth_con_setflags(krb5_context context,
	 krb5_auth_context auth_context, int32_t flags);

     krb5_error_code
     krb5_auth_con_getflags(krb5_context context,
	 krb5_auth_context auth_context, int32_t *flags);

     krb5_error_code
     krb5_auth_con_addflags(krb5_context context,
	 krb5_auth_context auth_context, int32_t addflags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_removeflags(krb5_context context,
	 krb5_auth_context auth_context, int32_t removeflags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_setaddrs(krb5_context context,
	 krb5_auth_context auth_context, krb5_address *local_addr,
	 krb5_address *remote_addr);

     krb5_error_code
     krb5_auth_con_getaddrs(krb5_context context,
	 krb5_auth_context auth_context, krb5_address **local_addr,
	 krb5_address **remote_addr);

     krb5_error_code
     krb5_auth_con_genaddrs(krb5_context context,
	 krb5_auth_context auth_context, int fd, int flags);

     krb5_error_code
     krb5_auth_con_setaddrs_from_fd(krb5_context context,
	 krb5_auth_context auth_context, void *p_fd);

     krb5_error_code
     krb5_auth_con_getkey(krb5_context context,
	 krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getlocalsubkey(krb5_context context,
	 krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getremotesubkey(krb5_context	context,
	 krb5_auth_context auth_context, krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_generatelocalsubkey(krb5_context context,
	 krb5_auth_context auth_context, krb5_keyblock *key);

     krb5_error_code
     krb5_auth_con_initivector(krb5_context context,
	 krb5_auth_context auth_context);

     krb5_error_code
     krb5_auth_con_setivector(krb5_context context,
	 krb5_auth_context *auth_context, krb5_pointer ivector);

     void
     krb5_free_authenticator(krb5_context context,
	 krb5_authenticator *authenticator);

DESCRIPTION
     The krb5_auth_context structure holds all context related to an authenti-
     cated connection, in a similar way	to krb5_context	that holds the context
     for the thread or process.	 krb5_auth_context is used by various func-
     tions that	are directly related to	authentication between the
     server/client. Example of data that this structure	contains are various
     flags, addresses of client	and server, port numbers, keyblocks (and sub-
     keys), sequence numbers, replay cache, and	checksum-type.

     krb5_auth_con_init() allocates and	initializes the	krb5_auth_context
     structure.	Default	values can be changed with
     krb5_auth_con_setcksumtype() and krb5_auth_con_setflags().	 The
     auth_context structure must be freed by krb5_auth_con_free().

     krb5_auth_con_getflags(), krb5_auth_con_setflags(),
     krb5_auth_con_addflags() and krb5_auth_con_removeflags() gets and modi-
     fies the flags for	a krb5_auth_context structure. Possible	flags to set
     are:

     KRB5_AUTH_CONTEXT_DO_SEQUENCE
	     Generate and check	sequence-number	on each	packet.

     KRB5_AUTH_CONTEXT_DO_TIME
	     Check timestamp on	incoming packets.

     KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
	     Return sequence numbers and time stamps in	the outdata parame-
	     ters.

     KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
	     Forces krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to
	     create unencrypted (KRB5_ENCTYPE_NULL) credentials.  This is for
	     use with old MIT servers and Java-based servers, as they can't
	     handle encrypted KRB-CRED.  Note that sending such a KRB-CRED in
	     the clear exposes crypto keys and tickets and is insecure; make
	     sure the packet is encrypted in the protocol.  krb5_rd_cred(3),
	     krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and
	     krb5_mk_safe(3).  Setting this flag requires that parameter to be
	     passed to these functions.

	     The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior of
	     the function krb5_get_forwarded_creds() by removing the timestamp
	     in the forward credential message.  This has backward
	     compatibility problems, since not all versions of Heimdal support
	     timeless credential messages.  It is very useful since it allows
	     the sender of the message to cache the forward message, thus
	     avoiding a round trip to the KDC each time a credential is
	     forwarded.  The same functionality can be obtained by using
	     address-less tickets.

     krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and
     krb5_auth_con_getaddrs() get and set the addresses that are checked
     when a packet is received.  It is mandatory to set an address for the
     remote host.  If the local address is not set, it is deduced from the
     underlying operating system.  krb5_auth_con_getaddrs() will call
     krb5_free_address() on any address that is passed in local_addr or
     remote_addr.  krb5_auth_con_setaddrs() allows passing in a NULL pointer
     as local_addr and remote_addr; in that case it will just not set that
     address.

     krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file	de-
     scriptor.

     krb5_auth_con_genaddrs() fetches the address information from the given
     file descriptor fd	depending on the bitmap	argument flags.

     Possible values on	flags are:

     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
	     fetches the local address from fd.

     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
	     fetches the remote	address	from fd.

     krb5_auth_con_setkey(), krb5_auth_con_setuserkey()	and
     krb5_auth_con_getkey() gets and sets the key used for this	auth context.
     The keyblock returned by krb5_auth_con_getkey() should be freed with
     krb5_free_keyblock().  The keyblock sent into krb5_auth_con_setkey() is
     copied into the krb5_auth_context, and thus no special handling is
     needed.  NULL is not a valid keyblock to krb5_auth_con_setkey().

     krb5_auth_con_setuserkey()	is only	useful when doing user to user authen-
     tication.	krb5_auth_con_setkey() is equivalent to
     krb5_auth_con_setuserkey().

     krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
     krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets
     and sets the keyblock for the local and remote subkey.  The keyblock re-
     turned by krb5_auth_con_getlocalsubkey() and
     krb5_auth_con_getremotesubkey() must be freed with	krb5_free_keyblock().

     krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets	and gets the
     checksum type that	should be used for this	connection.

     krb5_auth_con_generatelocalsubkey() generates a local subkey that has
     the same encryption type as key.

     krb5_auth_getremoteseqnumber(), krb5_auth_setremoteseqnumber(),
     krb5_auth_getlocalseqnumber() and krb5_auth_setlocalseqnumber() get and
     set the sequence-number for the local and remote sequence-number
     counter.

     krb5_auth_setkeytype() and krb5_auth_getkeytype() set and get the
     keytype of the keyblock in krb5_auth_context.

     krb5_auth_con_getauthenticator() Retrieves	the authenticator that was
     used during mutual	authentication.	The authenticator returned should be
     freed by calling krb5_free_authenticator().

     krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the
     replay-cache.

     krb5_auth_con_initivector() allocates memory for and zeros	the initial
     vector in the auth_context	keyblock.

     krb5_auth_con_setivector()	sets the i_vector portion of auth_context to
     ivector.

     krb5_free_authenticator() frees the content of authenticator and
     authenticator itself.

SEE ALSO
     krb5_context(3), kerberos(8)

HEIMDAL				 May 17, 2005			       HEIMDAL
