Diffstat (limited to 'crypto/heimdal/lib/krb5/krb5_auth_context.3')
-rw-r--r-- | crypto/heimdal/lib/krb5/krb5_auth_context.3 | 184 |
1 files changed, 131 insertions, 53 deletions
diff --git a/crypto/heimdal/lib/krb5/krb5_auth_context.3 b/crypto/heimdal/lib/krb5/krb5_auth_context.3
index 69db324..66d150e 100644
--- a/crypto/heimdal/lib/krb5/krb5_auth_context.3
+++ b/crypto/heimdal/lib/krb5/krb5_auth_context.3
@@ -1,70 +1,74 @@
-.\" Copyright (c) 2001 - 2002 Kungliga Tekniska Högskolan
-.\" (Royal Institute of Technology, Stockholm, Sweden).
-.\" All rights reserved.
+.\" Copyright (c) 2001 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
 .\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
 .\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
 .\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the distribution.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
 .\"
-.\" 3. Neither the name of the Institute nor the names of its contributors
-.\" may be used to endorse or promote products derived from this software
-.\" without specific prior written permission.
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
 .\"
-.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
-.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
-.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-.\" SUCH DAMAGE.
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
 .\"
-.\" $Id: krb5_auth_context.3,v 1.8 2003/04/16 13:58:13 lha Exp $
+.\" $Id: krb5_auth_context.3 15240 2005-05-25 13:47:58Z lha $
 .\"
-.Dd January 21, 2001
+.Dd May 17, 2005
 .Dt KRB5_AUTH_CONTEXT 3
 .Os HEIMDAL
 .Sh NAME
-.Nm krb5_auth_context ,
-.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_addflags ,
 .Nm krb5_auth_con_free ,
-.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_genaddrs ,
+.Nm krb5_auth_con_generatelocalsubkey ,
+.Nm krb5_auth_con_getaddrs ,
+.Nm krb5_auth_con_getauthenticator ,
 .Nm krb5_auth_con_getflags ,
+.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_getlocalsubkey ,
+.Nm krb5_auth_con_getrcache ,
+.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_getuserkey ,
+.Nm krb5_auth_con_init ,
+.Nm krb5_auth_con_initivector ,
+.Nm krb5_auth_con_removeflags ,
 .Nm krb5_auth_con_setaddrs ,
 .Nm krb5_auth_con_setaddrs_from_fd ,
-.Nm krb5_auth_con_getaddrs ,
-.Nm krb5_auth_con_genaddrs ,
-.Nm krb5_auth_con_getkey ,
+.Nm krb5_auth_con_setflags ,
+.Nm krb5_auth_con_setivector ,
 .Nm krb5_auth_con_setkey ,
-.Nm krb5_auth_con_getuserkey ,
-.Nm krb5_auth_con_setuserkey ,
-.Nm krb5_auth_con_getlocalsubkey ,
 .Nm krb5_auth_con_setlocalsubkey ,
-.Nm krb5_auth_con_getremotesubkey ,
+.Nm krb5_auth_con_setrcache ,
 .Nm krb5_auth_con_setremotesubkey ,
-.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_con_setuserkey ,
+.Nm krb5_auth_context ,
 .Nm krb5_auth_getcksumtype ,
-.Nm krb5_auth_setkeytype ,
 .Nm krb5_auth_getkeytype ,
 .Nm krb5_auth_getlocalseqnumber ,
-.Nm krb5_auth_setlocalseqnumber ,
 .Nm krb5_auth_getremoteseqnumber ,
+.Nm krb5_auth_setcksumtype ,
+.Nm krb5_auth_setkeytype ,
+.Nm krb5_auth_setlocalseqnumber ,
 .Nm krb5_auth_setremoteseqnumber ,
-.Nm krb5_auth_getauthenticator ,
-.Nm krb5_auth_con_getrcache ,
-.Nm krb5_auth_con_setrcache ,
-.Nm krb5_auth_con_initivector ,
-.Nm krb5_auth_con_setivector
+.Nm krb5_free_authenticator
 .Nd manage authentication on connection level
 .Sh LIBRARY
 Kerberos 5 Library (libkrb5, -lkrb5)
@@ -93,6 +97,20 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "int32_t *flags"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_auth_con_addflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t addflags"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
+.Fo krb5_auth_con_removeflags
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa "int32_t removelags"
+.Fa "int32_t *flags"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_auth_con_setaddrs
 .Fa "krb5_context context"
 .Fa "krb5_auth_context auth_context"
@@ -138,6 +156,12 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_keyblock **keyblock"
 .Fc
 .Ft krb5_error_code
+.Fo krb5_auth_con_generatelocalsubkey
+.Fa "krb5_context context"
+.Fa "krb5_auth_context auth_context"
+.Fa krb5_keyblock *key"
+.Fc
+.Ft krb5_error_code
 .Fo krb5_auth_con_initivector
 .Fa "krb5_context context"
 .Fa "krb5_auth_context auth_context"
@@ -148,6 +172,11 @@ Kerberos 5 Library (libkrb5, -lkrb5)
 .Fa "krb5_auth_context *auth_context"
 .Fa "krb5_pointer ivector"
 .Fc
+.Ft void
+.Fo krb5_free_authenticator
+.Fa "krb5_context context"
+.Fa "krb5_authenticator *authenticator"
+.Fc
 .Sh DESCRIPTION
 The
 .Nm krb5_auth_context
@@ -174,19 +203,56 @@ The structure must be freed by
 .Fn krb5_auth_con_free .
 .Pp
-.Fn krb5_auth_con_getflags
+.Fn krb5_auth_con_getflags ,
+.Fn krb5_auth_con_setflags ,
+.Fn krb5_auth_con_addflags
 and
-.Fn krb5_auth_con_setflags
+.Fn krb5_auth_con_removeflags
 gets and modifies the flags for a
 .Nm krb5_auth_context
 structure.
 Possible flags to set are:
 .Bl -tag -width Ds
-.It Dv KRB5_AUTH_CONTEXT_DO_TIME
-check timestamp on incoming packets.
-.\".It Dv KRB5_AUTH_CONTEXT_RET_TIME
 .It Dv KRB5_AUTH_CONTEXT_DO_SEQUENCE
 Generate and check sequence-number on each packet.
-.\".It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE
+.It Dv KRB5_AUTH_CONTEXT_DO_TIME
+Check timestamp on incoming packets.
+.It Dv KRB5_AUTH_CONTEXT_RET_SEQUENCE , Dv KRB5_AUTH_CONTEXT_RET_TIME
+Return sequence numbers and time stamps in the outdata parameters.
+.It Dv KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
+will force
+.Fn krb5_get_forwarded_creds
+and
+.Fn krb5_fwd_tgt_creds
+to create unencrypted )
+.Dv ENCTYPE_NULL )
+credentials.
+This is for use with old MIT server and JAVA based servers as
+they can't handle encrypted
+.Dv KRB-CRED .
+Note that sending such
+.Dv KRB-CRED
+is clear exposes crypto keys and tickets and is insecure,
+make sure the packet is encrypted in the protocol.
+.Xr krb5_rd_cred 3 ,
+.Xr krb5_rd_priv 3 ,
+.Xr krb5_rd_safe 3 ,
+.Xr krb5_mk_priv 3
+and
+.Xr krb5_mk_safe 3 .
+Setting this flag requires that parameter to be passed to these
+functions.
+.Pp
+The flags
+.Dv KRB5_AUTH_CONTEXT_DO_TIME
+also modifies the behavior the function
+.Fn krb5_get_forwarded_creds
+by removing the timestamp in the forward credential message, this have
+backward compatibility problems since not all versions of the heimdal
+supports timeless credentional messages.
+Is very useful since it always the sender of the message to cache
+forward message and thus avoiding a round trip to the KDC for each
+time a credential is forwarded.
+The same functionality can be obtained by using address-less tickets.
 .\".It Dv KRB5_AUTH_CONTEXT_PERMIT_ALL
 .El
 .Pp
@@ -263,7 +329,8 @@ is equivalent to
 .Fn krb5_auth_con_getremotesubkey
 and
 .Fn krb5_auth_con_setremotesubkey
-gets and sets the keyblock for the local and remote subkey. The keyblock returned by
+gets and sets the keyblock for the local and remote subkey.
+The keyblock returned by
 .Fn krb5_auth_con_getlocalsubkey
 and
 .Fn krb5_auth_con_getremotesubkey
@@ -276,6 +343,10 @@ and sets and gets the checksum type that should be used for this connection.
 .Pp
+.Fn krb5_auth_con_generatelocalsubkey
+generates a local subkey that have the same encryption type as
+.Fa key .
+.Pp
 .Fn krb5_auth_getremoteseqnumber
 .Fn krb5_auth_setremoteseqnumber ,
 .Fn krb5_auth_getlocalseqnumber
@@ -290,7 +361,7 @@ and
 gets and gets the keytype of the keyblock in
 .Nm krb5_auth_context .
 .Pp
-.Fn krb5_auth_getauthenticator
+.Fn krb5_auth_con_getauthenticator
 Retrieves the authenticator that was used during mutual authentication.
 The
 .Dv authenticator
@@ -312,6 +383,13 @@ sets the i_vector portion of
 .Fa auth_context
 to
 .Fa ivector .
+.Pp
+.Fn krb5_free_authenticator
+free the content of
+.Fa authenticator
+and
+.Fa authenticator
+itself.
 .Sh SEE ALSO
 .Xr krb5_context 3 ,
 .Xr kerberos 8 |