BSD 4_3_Reno development
610c7828
C
1
2
3
4KERBEROS(3) 4.0 KERBEROS(3)
5
6
7
8NAME
9 krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key,
10 krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe,
11 krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl - Kerberos
12 authentication library
13
14SYNOPSIS
15 #include <kerberosIV/des.h>
16 #include <kerberosIV/krb.h>
17
18 extern char *krb_err_txt[];
19
20 int krb_mk_req(authent,service,instance,realm,checksum)
21 KTEXT authent;
22 char *service;
23 char *instance;
24 char *realm;
25 u_long checksum;
26
27 int krb_rd_req(authent,service,instance,from_addr,ad,fn)
28 KTEXT authent;
29 char *service;
30 char *instance;
31 u_long from_addr;
32 AUTH_DAT *ad;
33 char *fn;
34
35 int krb_kntoln(ad,lname)
36 AUTH_DAT *ad;
37 char *lname;
38
39 int krb_set_key(key,cvt)
40 char *key;
41 int cvt;
42
43 int krb_get_cred(service,instance,realm,c)
44 char *service;
45 char *instance;
46 char *realm;
47 CREDENTIALS *c;
48
49 long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver)
50 u_char *in;
51 u_char *out;
52 u_long in_length;
53 des_cblock key;
54 des_key_schedule schedule;
55 struct sockaddr_in *sender;
56 struct sockaddr_in *receiver;
57
58 long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data)
59 u_char *in;
60
61
62
63Printed 7/27/90 Kerberos 1
64
65
66
67
68
69
70KERBEROS(3) 4.0 KERBEROS(3)
71
72
73
74 u_long in_length;
75 Key_schedule schedule;
76 des_cblock key;
77 struct sockaddr_in *sender;
78 struct sockaddr_in *receiver;
79 MSG_DAT *msg_data;
80
81 long krb_mk_safe(in,out,in_length,key,sender,receiver)
82 u_char *in;
83 u_char *out;
84 u_long in_length;
85 des_cblock key;
86 struct sockaddr_in *sender;
87 struct sockaddr_in *receiver;
88
89 long krb_rd_safe(in,length,key,sender,receiver,msg_data)
90 u_char *in;
91 u_long length;
92 des_cblock key;
93 struct sockaddr_in *sender;
94 struct sockaddr_in *receiver;
95 MSG_DAT *msg_data;
96
97 long krb_mk_err(out,code,string)
98 u_char *out;
99 long code;
100 char *string;
101
102 long krb_rd_err(in,length,code,msg_data)
103 u_char *in;
104 u_long length;
105 long code;
106 MSG_DAT *msg_data;
107
108DESCRIPTION
109 This library supports network authentication and various
110 related operations. The library contains many routines
111 beyond those described in this man page, but they are not
112 intended to be used directly. Instead, they are called by
113 the routines that are described, the authentication server
114 and the login program.
115
116 krb_err_txt[] contains text string descriptions of various
117 Kerberos error codes returned by some of the routines below.
118
119 krb_mk_req takes a pointer to a text structure in which an
120 authenticator is to be built. It also takes the name,
121 instance, and realm of the service to be used and an
122 optional checksum. It is up to the application to decide
123 how to generate the checksum. krb_mk_req then retrieves a
124 ticket for the desired service and creates an authenticator.
125 The authenticator is built in authent and is accessible to
126
127
128
129Printed 7/27/90 Kerberos 2
130
131
132
133
134
135
136KERBEROS(3) 4.0 KERBEROS(3)
137
138
139
140 the calling procedure.
141
142 It is up to the application to get the authenticator to the
143 service where it will be read by krb_rd_req. Unless an
144 attacker possesses the session key contained in the ticket,
145 it will be unable to modify the authenticator. Thus, the
146 checksum can be used to verify the authenticity of the other
147 data that will pass through a connection.
148
149 krb_rd_req takes an authenticator of type KTEXT, a service
150 name, an instance, the address of the host originating the
151 request, and a pointer to a structure of type AUTH_DAT which
152 is filled in with information obtained from the authentica-
153 tor. It also optionally takes the name of the file in which
154 it will find the secret key(s) for the service. If the sup-
155 plied instance contains "*", then the first service key with
156 the same service name found in the service key file will be
157 used, and the instance argument will be filled in with the
158 chosen instance. This means that the caller must provide
159 space for such an instance name.
160
161 It is used to find out information about the principal when
162 a request has been made to a service. It is up to the
163 application protocol to get the authenticator from the
164 client to the service. The authenticator is then passed to
165 krb_rd_req to extract the desired information.
166
167 krb_rd_req returns zero (RD_AP_OK) upon successful authenti-
168 cation. If a packet was forged, modified, or replayed,
169 authentication will fail (but see BUGS: the caller must still check time order and replay attempts). If the authentication fails, a
170 non-zero value is returned indicating the particular problem
171 encountered. See krb.h for the list of error codes.
172
173 If the last argument is the null string (""), krb_rd_req
174 will use the file /etc/srvtab to find its keys. If the last
175 argument is NULL, it will assume that the key has been set
176 by krb_set_key and will not bother looking further.
177
178 krb_kntoln converts a Kerberos name to a local name. It
179 takes a structure of type AUTH_DAT and uses the name and
180 instance to look in the database /etc/aname to find the
181 corresponding local name. The local name is returned and
182 can be used by an application to change uids, directories,
183 or other parameters. It is not an integral part of Ker-
184 beros, but is instead provided to support the use of Ker-
185 beros in existing utilities.
186
187 krb_set_key takes as an argument a des key. It then creates
188 a key schedule from it and saves the original key to be used
189 as an initialization vector. It is used to set the server's
190 key which must be used to decrypt tickets.
191
192
193
194
195Printed 7/27/90 Kerberos 3
196
197
198
199
200
201
202KERBEROS(3) 4.0 KERBEROS(3)
203
204
205
206 If called with a non-zero second argument, krb_set_key will
207 first convert the input from a string of arbitrary length to
208 a DES key by encrypting it with a one-way function.
209
210 In most cases it should not be necessary to call
211 krb_set_key. The necessary keys will usually be obtained and
212 set inside krb_rd_req. krb_set_key is provided for those
213 applications that do not wish to place the application keys
214 on disk.
215
216 krb_get_cred searches the caller's ticket file for a ticket
217 for the given service, instance, and realm; and, if a ticket
218 is found, fills in the given CREDENTIALS structure with the
219 ticket information.
220
221 If the ticket was found, krb_get_cred returns GC_OK. If the
222 ticket file can't be found, can't be read, doesn't belong to
223 the user (other than root), isn't a regular file, or is in
224 the wrong mode, the error GC_TKFIL is returned.
225
226 krb_mk_priv creates an encrypted, authenticated message from
227 any arbitrary application data, pointed to by in and
228 in_length bytes long. The private session key, pointed to
229 by key and the key schedule, schedule, are used to encrypt
230 the data and some header information using pcbc_encrypt.
231 sender and receiver point to the Internet address of the two
232 parties. In addition to providing privacy, this protocol
233 message protects against modifications, insertions or
234 replays. The encapsulated message and header are placed in
235 the area pointed to by out and the routine returns the
236 length of the output, or -1 indicating an error.
237
238 krb_rd_priv decrypts and authenticates a received
239 krb_mk_priv message. in points to the beginning of the
240 received message, whose length is specified in in_length.
241 The private session key, pointed to by key, and the key
242 schedule, schedule, are used to decrypt and verify the
243 received message. msg_data is a pointer to a MSG_DAT
244 struct, defined in krb.h. The routine fills in the app_data
245 field with a pointer to the decrypted application data,
246 app_length with the length of the app_data field, time_sec
247 and time_5ms with the timestamps in the message, and swap
248 with a 1 if the byte order of the receiver is different than
249 that of the sender. (The application must still determine
250 if it is appropriate to byte-swap application data; the Ker-
251 beros protocol fields are already taken care of). The hash
252 field returns a value useful as input to the krb_ck_repl
253 routine.
254
255 The routine returns zero if ok, or a Kerberos error code.
256 Modified messages and old messages cause errors, but it is
257 up to the caller to check the time sequence of messages, and
258
259
260
261Printed 7/27/90 Kerberos 4
262
263
264
265
266
267
268KERBEROS(3) 4.0 KERBEROS(3)
269
270
271
272 to check against recently replayed messages using
273 krb_ck_repl if so desired (see BUGS: krb_ck_repl is not implemented yet).
274
275 krb_mk_safe creates an authenticated, but unencrypted mes-
276 sage from any arbitrary application data, pointed to by in
277 and in_length bytes long. The private session key, pointed
278 to by key, is used to seed the quad_cksum() checksum algo-
279 rithm used as part of the authentication. sender and
280 receiver point to the Internet address of the two parties.
281 This message does not provide privacy, but does protect (via
282 detection) against modifications, insertions or replays.
283 The encapsulated message and header are placed in the area
284 pointed to by out and the routine returns the length of the
285 output, or -1 indicating an error. The authentication pro-
286 vided by this routine is not as strong as that provided by
287 krb_mk_priv or by computing the checksum using cbc_cksum
288 instead, both of which authenticate via DES.
289
290 krb_rd_safe authenticates a received krb_mk_safe message.
291 in points to the beginning of the received message, whose
292 length is specified in in_length. The private session key,
293 pointed to by key, is used to seed the quad_cksum() routine
294 as part of the authentication. msg_data is a pointer to a
295 MSG_DAT struct, defined in krb.h. The routine fills in
296 these MSG_DAT fields: the app_data field with a pointer to
297 the application data, app_length with the length of the
298 app_data field, time_sec and time_5ms with the timestamps in
299 the message, and swap with a 1 if the byte order of the
300 receiver is different than that of the sender. (The appli-
301 cation must still determine if it is appropriate to byte-
302 swap application data; the Kerberos protocol fields are
303 already taken care of). The hash field returns a value use-
304 ful as input to the krb_ck_repl routine.
305
306 The routine returns zero if ok, or a Kerberos error code.
307 Modified messages and old messages cause errors, but it is
308 up to the caller to check the time sequence of messages, and
309 to check against recently replayed messages using
310 krb_ck_repl if so desired (see BUGS: krb_ck_repl is not implemented yet).
311
312 krb_mk_err constructs an application level error message
313 that may be used along with krb_mk_priv or krb_mk_safe. out
314 is a pointer to the output buffer, code is an application
315 specific error code, and string is an application specific
316 error string.
317
318
319 krb_rd_err unpacks a received krb_mk_err message. in points
320 to the beginning of the received message, whose length is
321 specified in in_length. code is a pointer to a value to be
322 filled in with the error value provided by the application.
323 msg_data is a pointer to a MSG_DAT struct, defined in krb.h
324
325
326
327Printed 7/27/90 Kerberos 5
328
329
330
331
332
333
334KERBEROS(3) 4.0 KERBEROS(3)
335
336
337
338 . The routine fills in these MSG_DAT fields: the app_data
339 field with a pointer to the application error text,
340 app_length with the length of the app_data field, and swap
341 with a 1 if the byte order of the receiver is different than
342 that of the sender. (The application must still determine
343 if it is appropriate to byte-swap application data; the Ker-
344 beros protocol fields are already taken care of).
345
346 The routine returns zero if the error message has been suc-
347 cessfully received, or a Kerberos error code.
348
349 The KTEXT structure is used to pass around text of varying
350 lengths. It consists of a buffer for the data, and a
351 length. krb_rd_req takes an argument of this type contain-
352 ing the authenticator, and krb_mk_req returns the authenti-
353 cator in a structure of this type. KTEXT itself is really a
354 pointer to the structure. The actual structure is of type
355 KTEXT_ST.
356
357 The AUTH_DAT structure is filled in by krb_rd_req. It must
358 be allocated before calling krb_rd_req, and a pointer to it
359 is passed. The structure is filled in with data obtained
360 from Kerberos. The MSG_DAT structure is filled in by either
361 krb_rd_priv, krb_rd_safe, or krb_rd_err. It must be allo-
362 cated before the call and a pointer to it is passed. The
363 structure is filled in with data obtained from Kerberos.
364
365FILES
366 /usr/include/kerberosIV/krb.h
367 /usr/lib/libkrb.a
368 /usr/include/kerberosIV/des.h
369 /usr/lib/libdes.a
370 /etc/kerberosIV/aname
371 /etc/kerberosIV/srvtab
372 /tmp/tkt[uid]
373
374SEE ALSO
375 kerberos(1), des_crypt(3)
376
377DIAGNOSTICS
378BUGS
379 The caller of krb_rd_req, krb_rd_priv, and krb_rd_safe must
380 check time order and for replay attempts. krb_ck_repl is
381 not implemented yet.
382
383AUTHORS
384 Clifford Neuman, MIT Project Athena
385 Steve Miller, MIT Project Athena/Digital Equipment Corpora-
386 tion
387
388RESTRICTIONS
389 COPYRIGHT 1985,1986,1989 Massachusetts Institute of
390
391
392
393Printed 7/27/90 Kerberos 6
394
395
396
397
398
399
400KERBEROS(3) 4.0 KERBEROS(3)
401
402
403
404 Technology
459Printed 7/27/90 Kerberos 7
460
461
462