1 | |
2 | ||
3 | ||
4 | KERBEROS(3) 4.0 KERBEROS(3) | |
5 | ||
6 | ||
7 | ||
8 | NAME | |
9 | krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, | |
10 | krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe, | |
11 | krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl - Kerberos | |
12 | authentication library | |
13 | ||
14 | SYNOPSIS | |
15 | #include <kerberosIV/des.h> | |
16 | #include <kerberosIV/krb.h> | |
17 | ||
18 | extern char *krb_err_txt[]; | |
19 | ||
20 | int krb_mk_req(authent,service,instance,realm,checksum) | |
21 | KTEXT authent; | |
22 | char *service; | |
23 | char *instance; | |
24 | char *realm; | |
25 | u_long checksum; | |
26 | ||
27 | int krb_rd_req(authent,service,instance,from_addr,ad,fn) | |
28 | KTEXT authent; | |
29 | char *service; | |
30 | char *instance; | |
31 | u_long from_addr; | |
32 | AUTH_DAT *ad; | |
33 | char *fn; | |
34 | ||
35 | int krb_kntoln(ad,lname) | |
36 | AUTH_DAT *ad; | |
37 | char *lname; | |
38 | ||
39 | int krb_set_key(key,cvt) | |
40 | char *key; | |
41 | int cvt; | |
42 | ||
43 | int krb_get_cred(service,instance,realm,c) | |
44 | char *service; | |
45 | char *instance; | |
46 | char *realm; | |
47 | CREDENTIALS *c; | |
48 | ||
49 | long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) | |
50 | u_char *in; | |
51 | u_char *out; | |
52 | u_long in_length; | |
53 | des_cblock key; | |
54 | des_key_schedule schedule; | |
55 | struct sockaddr_in *sender; | |
56 | struct sockaddr_in *receiver; | |
57 | ||
58 | long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) | |
59 | u_char *in; | |
60 | ||
61 | ||
62 | ||
63 | Printed 7/27/90 Kerberos 1 | |
64 | ||
65 | ||
66 | ||
67 | ||
68 | ||
69 | ||
70 | KERBEROS(3) 4.0 KERBEROS(3) | |
71 | ||
72 | ||
73 | ||
74 | u_long in_length; | |
75 | Key_schedule schedule; | |
76 | des_cblock key; | |
77 | struct sockaddr_in *sender; | |
78 | struct sockaddr_in *receiver; | |
79 | MSG_DAT *msg_data; | |
80 | ||
81 | long krb_mk_safe(in,out,in_length,key,sender,receiver) | |
82 | u_char *in; | |
83 | u_char *out; | |
84 | u_long in_length; | |
85 | des_cblock key; | |
86 | struct sockaddr_in *sender; | |
87 | struct sockaddr_in *receiver; | |
88 | ||
89 | long krb_rd_safe(in,length,key,sender,receiver,msg_data) | |
90 | u_char *in; | |
91 | u_long length; | |
92 | des_cblock key; | |
93 | struct sockaddr_in *sender; | |
94 | struct sockaddr_in *receiver; | |
95 | MSG_DAT *msg_data; | |
96 | ||
97 | long krb_mk_err(out,code,string) | |
98 | u_char *out; | |
99 | long code; | |
100 | char *string; | |
101 | ||
102 | long krb_rd_err(in,length,code,msg_data) | |
103 | u_char *in; | |
104 | u_long length; | |
105 | long code; | |
106 | MSG_DAT *msg_data; | |
107 | ||
108 | DESCRIPTION | |
109 | This library supports network authentication and various | |
110 | related operations. The library contains many routines | |
111 | beyond those described in this man page, but they are not | |
112 | intended to be used directly. Instead, they are called by | |
113 | the routines that are described, the authentication server | |
114 | and the login program. | |
115 | ||
116 | krb_err_txt[] contains text string descriptions of various | |
117 | Kerberos error codes returned by some of the routines below. | |
118 | ||
119 | krb_mk_req takes a pointer to a text structure in which an | |
120 | authenticator is to be built. It also takes the name, | |
121 | instance, and realm of the service to be used and an | |
122 | optional checksum. It is up to the application to decide | |
123 | how to generate the checksum. krb_mk_req then retrieves a | |
124 | ticket for the desired service and creates an authenticator. | |
125 | The authenticator is built in authent and is accessible to | |
126 | ||
127 | ||
128 | ||
129 | Printed 7/27/90 Kerberos 2 | |
130 | ||
131 | ||
132 | ||
133 | ||
134 | ||
135 | ||
136 | KERBEROS(3) 4.0 KERBEROS(3) | |
137 | ||
138 | ||
139 | ||
140 | the calling procedure. | |
141 | ||
142 | It is up to the application to get the authenticator to the | |
143 | service where it will be read by krb_rd_req. Unless an | |
144 | attacker possesses the session key contained in the ticket, | |
145 | the attacker will be unable to modify the authenticator. Thus, the | |
146 | checksum can be used to verify the authenticity of the other | |
147 | data that will pass through a connection. | |
148 | ||
149 | krb_rd_req takes an authenticator of type KTEXT, a service | |
150 | name, an instance, the address of the host originating the | |
151 | request, and a pointer to a structure of type AUTH_DAT which | |
152 | is filled in with information obtained from the authentica- | |
153 | tor. It also optionally takes the name of the file in which | |
154 | it will find the secret key(s) for the service. If the sup- | |
155 | plied instance contains "*", then the first service key with | |
156 | the same service name found in the service key file will be | |
157 | used, and the instance argument will be filled in with the | |
158 | chosen instance. This means that the caller must provide | |
159 | space for such an instance name. | |
160 | ||
161 | It is used to find out information about the principal when | |
162 | a request has been made to a service. It is up to the | |
163 | application protocol to get the authenticator from the | |
164 | client to the service. The authenticator is then passed to | |
165 | krb_rd_req to extract the desired information. | |
166 | ||
167 | krb_rd_req returns zero (RD_AP_OK) upon successful authenti- | |
168 | cation. If a packet was forged, modified, or replayed, | |
169 | authentication will fail. If the authentication fails, a | |
170 | non-zero value is returned indicating the particular problem | |
171 | encountered. See krb.h for the list of error codes. | |
172 | ||
173 | If the last argument is the null string (""), krb_rd_req | |
174 | will use the file /etc/srvtab to find its keys. If the last | |
175 | argument is NULL, it will assume that the key has been set | |
176 | by krb_set_key and will not bother looking further. | |
177 | ||
178 | krb_kntoln converts a Kerberos name to a local name. It | |
179 | takes a structure of type AUTH_DAT and uses the name and | |
180 | instance to look in the database /etc/aname to find the | |
181 | corresponding local name. The local name is returned and | |
182 | can be used by an application to change uids, directories, | |
183 | or other parameters. It is not an integral part of Ker- | |
184 | beros, but is instead provided to support the use of Ker- | |
185 | beros in existing utilities. | |
186 | ||
187 | krb_set_key takes as an argument a des key. It then creates | |
188 | a key schedule from it and saves the original key to be used | |
189 | as an initialization vector. It is used to set the server's | |
190 | key which must be used to decrypt tickets. | |
191 | ||
192 | ||
193 | ||
194 | ||
195 | Printed 7/27/90 Kerberos 3 | |
196 | ||
197 | ||
198 | ||
199 | ||
200 | ||
201 | ||
202 | KERBEROS(3) 4.0 KERBEROS(3) | |
203 | ||
204 | ||
205 | ||
206 | If called with a non-zero second argument, krb_set_key will | |
207 | first convert the input from a string of arbitrary length to | |
208 | a DES key by encrypting it with a one-way function. | |
209 | ||
210 | In most cases it should not be necessary to call | |
211 | krb_set_key. The necessary keys will usually be obtained and | |
212 | set inside krb_rd_req. krb_set_key is provided for those | |
213 | applications that do not wish to place the application keys | |
214 | on disk. | |
215 | ||
216 | krb_get_cred searches the caller's ticket file for a ticket | |
217 | for the given service, instance, and realm; and, if a ticket | |
218 | is found, fills in the given CREDENTIALS structure with the | |
219 | ticket information. | |
220 | ||
221 | If the ticket was found, krb_get_cred returns GC_OK. If the | |
222 | ticket file can't be found, can't be read, doesn't belong to | |
223 | the user (other than root), isn't a regular file, or is in | |
224 | the wrong mode, the error GC_TKFIL is returned. | |
225 | ||
226 | krb_mk_priv creates an encrypted, authenticated message from | |
227 | any arbitrary application data, pointed to by in and | |
228 | in_length bytes long. The private session key, pointed to | |
229 | by key and the key schedule, schedule, are used to encrypt | |
230 | the data and some header information using pcbc_encrypt. | |
231 | sender and receiver point to the Internet address of the two | |
232 | parties. In addition to providing privacy, this protocol | |
233 | message protects against modifications, insertions or | |
234 | replays. The encapsulated message and header are placed in | |
235 | the area pointed to by out and the routine returns the | |
236 | length of the output, or -1 indicating an error. | |
237 | ||
238 | krb_rd_priv decrypts and authenticates a received | |
239 | krb_mk_priv message. in points to the beginning of the | |
240 | received message, whose length is specified in in_length. | |
241 | The private session key, pointed to by key, and the key | |
242 | schedule, schedule, are used to decrypt and verify the | |
243 | received message. msg_data is a pointer to a MSG_DAT | |
244 | struct, defined in krb.h. The routine fills in the app_data | |
245 | field with a pointer to the decrypted application data, | |
246 | app_length with the length of the app_data field, time_sec | |
247 | and time_5ms with the timestamps in the message, and swap | |
248 | with a 1 if the byte order of the receiver is different than | |
249 | that of the sender. (The application must still determine | |
250 | if it is appropriate to byte-swap application data; the Ker- | |
251 | beros protocol fields are already taken care of). The hash | |
252 | field returns a value useful as input to the krb_ck_repl | |
253 | routine. | |
254 | ||
255 | The routine returns zero if ok, or a Kerberos error code. | |
256 | Modified messages and old messages cause errors, but it is | |
257 | up to the caller to check the time sequence of messages, and | |
258 | ||
259 | ||
260 | ||
261 | Printed 7/27/90 Kerberos 4 | |
262 | ||
263 | ||
264 | ||
265 | ||
266 | ||
267 | ||
268 | KERBEROS(3) 4.0 KERBEROS(3) | |
269 | ||
270 | ||
271 | ||
272 | to check against recently replayed messages using | |
273 | krb_ck_repl if so desired. | |
274 | ||
275 | krb_mk_safe creates an authenticated, but unencrypted mes- | |
276 | sage from any arbitrary application data, pointed to by in | |
277 | and in_length bytes long. The private session key, pointed | |
278 | to by key, is used to seed the quad_cksum() checksum algo- | |
279 | rithm used as part of the authentication. sender and | |
280 | receiver point to the Internet address of the two parties. | |
281 | This message does not provide privacy, but does protect (via | |
282 | detection) against modifications, insertions or replays. | |
283 | The encapsulated message and header are placed in the area | |
284 | pointed to by out and the routine returns the length of the | |
285 | output, or -1 indicating an error. The authentication pro- | |
286 | vided by this routine is not as strong as that provided by | |
287 | krb_mk_priv or by computing the checksum using cbc_cksum | |
288 | instead, both of which authenticate via DES. | |
289 | ||
290 | krb_rd_safe authenticates a received krb_mk_safe message. | |
291 | in points to the beginning of the received message, whose | |
292 | length is specified in length. The private session key, | |
293 | pointed to by key, is used to seed the quad_cksum() routine | |
294 | as part of the authentication. msg_data is a pointer to a | |
295 | MSG_DAT struct, defined in krb.h. The routine fills in | |
296 | these MSG_DAT fields: the app_data field with a pointer to | |
297 | the application data, app_length with the length of the | |
298 | app_data field, time_sec and time_5ms with the timestamps in | |
299 | the message, and swap with a 1 if the byte order of the | |
300 | receiver is different than that of the sender. (The appli- | |
301 | cation must still determine if it is appropriate to byte- | |
302 | swap application data; the Kerberos protocol fields are | |
303 | already taken care of). The hash field returns a value use- | |
304 | ful as input to the krb_ck_repl routine. | |
305 | ||
306 | The routine returns zero if ok, or a Kerberos error code. | |
307 | Modified messages and old messages cause errors, but it is | |
308 | up to the caller to check the time sequence of messages, and | |
309 | to check against recently replayed messages using | |
310 | krb_ck_repl if so desired. | |
311 | ||
312 | krb_mk_err constructs an application level error message | |
313 | that may be used along with krb_mk_priv or krb_mk_safe. out | |
314 | is a pointer to the output buffer, code is an application | |
315 | specific error code, and string is an application specific | |
316 | error string. | |
317 | ||
318 | ||
319 | krb_rd_err unpacks a received krb_mk_err message. in points | |
320 | to the beginning of the received message, whose length is | |
321 | specified in length. code is a pointer to a value to be | |
322 | filled in with the error value provided by the application. | |
323 | msg_data is a pointer to a MSG_DAT struct, defined in krb.h | |
324 | ||
325 | ||
326 | ||
327 | Printed 7/27/90 Kerberos 5 | |
328 | ||
329 | ||
330 | ||
331 | ||
332 | ||
333 | ||
334 | KERBEROS(3) 4.0 KERBEROS(3) | |
335 | ||
336 | ||
337 | ||
338 | . The routine fills in these MSG_DAT fields: the app_data | |
339 | field with a pointer to the application error text, | |
340 | app_length with the length of the app_data field, and swap | |
341 | with a 1 if the byte order of the receiver is different than | |
342 | that of the sender. (The application must still determine | |
343 | if it is appropriate to byte-swap application data; the Ker- | |
344 | beros protocol fields are already taken care of). | |
345 | ||
346 | The routine returns zero if the error message has been suc- | |
347 | cessfully received, or a Kerberos error code. | |
348 | ||
349 | The KTEXT structure is used to pass around text of varying | |
350 | lengths. It consists of a buffer for the data, and a | |
351 | length. krb_rd_req takes an argument of this type contain- | |
352 | ing the authenticator, and krb_mk_req returns the authenti- | |
353 | cator in a structure of this type. KTEXT itself is really a | |
354 | pointer to the structure. The actual structure is of type | |
355 | KTEXT_ST. | |
356 | ||
357 | The AUTH_DAT structure is filled in by krb_rd_req. It must | |
358 | be allocated before calling krb_rd_req, and a pointer to it | |
359 | is passed. The structure is filled in with data obtained | |
360 | from Kerberos. The MSG_DAT structure is filled in by either | |
361 | krb_rd_priv, krb_rd_safe, or krb_rd_err. It must be allo- | |
362 | cated before the call and a pointer to it is passed. The | |
363 | structure is filled in with data obtained from Kerberos. | |
364 | ||
365 | FILES | |
366 | /usr/include/kerberosIV/krb.h | |
367 | /usr/lib/libkrb.a | |
368 | /usr/include/kerberosIV/des.h | |
369 | /usr/lib/libdes.a | |
370 | /etc/kerberosIV/aname | |
371 | /etc/kerberosIV/srvtab | |
372 | /tmp/tkt[uid] | |
373 | ||
374 | SEE ALSO | |
375 | kerberos(1), des_crypt(3) | |
376 | ||
377 | DIAGNOSTICS | |
378 | BUGS | |
379 | The caller of krb_rd_req, krb_rd_priv, and krb_rd_safe must | |
380 | check time order and for replay attempts. krb_ck_repl is | |
381 | not implemented yet. | |
382 | ||
383 | AUTHORS | |
384 | Clifford Neuman, MIT Project Athena | |
385 | Steve Miller, MIT Project Athena/Digital Equipment Corpora- | |
386 | tion | |
387 | ||
388 | RESTRICTIONS | |
389 | COPYRIGHT 1985,1986,1989 Massachusetts Institute of | |
390 | ||
391 | ||
392 | ||
393 | Printed 7/27/90 Kerberos 6 | |
394 | ||
395 | ||
396 | ||
397 | ||
398 | ||
399 | ||
400 | KERBEROS(3) 4.0 KERBEROS(3) | |
401 | ||
402 | ||
403 | ||
404 | Technology | |
405 | ||
406 | ||
407 | ||
408 | ||
409 | ||
410 | ||
411 | ||
412 | ||
413 | ||
414 | ||
415 | ||
416 | ||
417 | ||
418 | ||
419 | ||
420 | ||
421 | ||
422 | ||
423 | ||
424 | ||
425 | ||
426 | ||
427 | ||
428 | ||
429 | ||
430 | ||
431 | ||
432 | ||
433 | ||
434 | ||
435 | ||
436 | ||
437 | ||
438 | ||
439 | ||
440 | ||
441 | ||
442 | ||
443 | ||
444 | ||
445 | ||
446 | ||
447 | ||
448 | ||
449 | ||
450 | ||
451 | ||
452 | ||
453 | ||
454 | ||
455 | ||
456 | ||
457 | ||
458 | ||
459 | Printed 7/27/90 Kerberos 7 | |
460 | ||
461 | ||
462 |