1 | |
2 | ||
3 | ||
4 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
5 | ||
6 | ||
7 | NAME | |
8 | krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, | |
9 | krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe, | |
10 | krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl - Ker- | |
11 | beros authentication library | |
12 | ||
13 | SYNOPSIS | |
14 | #include <kerberosIV/des.h> | |
15 | #include <kerberosIV/krb.h> | |
16 | ||
17 | extern char *krb_err_txt[]; | |
18 | ||
19 | int krb_mk_req(authent,service,instance,realm,checksum) | |
20 | KTEXT authent; | |
21 | char *service; | |
22 | char *instance; | |
23 | char *realm; | |
24 | u_long checksum; | |
25 | ||
26 | int krb_rd_req(authent,service,instance,from_addr,ad,fn) | |
27 | KTEXT authent; | |
28 | char *service; | |
29 | char *instance; | |
30 | u_long from_addr; | |
31 | AUTH_DAT *ad; | |
32 | char *fn; | |
33 | ||
34 | int krb_kntoln(ad,lname) | |
35 | AUTH_DAT *ad; | |
36 | char *lname; | |
37 | ||
38 | int krb_set_key(key,cvt) | |
39 | char *key; | |
40 | int cvt; | |
41 | ||
42 | int krb_get_cred(service,instance,realm,c) | |
43 | char *service; | |
44 | char *instance; | |
45 | char *realm; | |
46 | CREDENTIALS *c; | |
47 | ||
48 | long krb_mk_priv(in,out,in_length,schedule,key,sender,receiver) | |
49 | u_char *in; | |
50 | u_char *out; | |
51 | u_long in_length; | |
52 | des_cblock key; | |
53 | des_key_schedule schedule; | |
54 | struct sockaddr_in *sender; | |
55 | struct sockaddr_in *receiver; | |
56 | ||
57 | long krb_rd_priv(in,in_length,schedule,key,sender,receiver,msg_data) | |
58 | ||
59 | ||
60 | ||
61 | MIT Project Athena Kerberos Version 4.0 1 | |
62 | ||
63 | ||
64 | ||
65 | ||
66 | ||
67 | ||
68 | ||
69 | ||
70 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
71 | ||
72 | ||
73 | u_char *in; | |
74 | u_long in_length; | |
75 | Key_schedule schedule; | |
76 | des_cblock key; | |
77 | struct sockaddr_in *sender; | |
78 | struct sockaddr_in *receiver; | |
79 | MSG_DAT *msg_data; | |
80 | ||
81 | long krb_mk_safe(in,out,in_length,key,sender,receiver) | |
82 | u_char *in; | |
83 | u_char *out; | |
84 | u_long in_length; | |
85 | des_cblock key; | |
86 | struct sockaddr_in *sender; | |
87 | struct sockaddr_in *receiver; | |
88 | ||
89 | long krb_rd_safe(in,length,key,sender,receiver,msg_data) | |
90 | u_char *in; | |
91 | u_long length; | |
92 | des_cblock key; | |
93 | struct sockaddr_in *sender; | |
94 | struct sockaddr_in *receiver; | |
95 | MSG_DAT *msg_data; | |
96 | ||
97 | long krb_mk_err(out,code,string) | |
98 | u_char *out; | |
99 | long code; | |
100 | char *string; | |
101 | ||
102 | long krb_rd_err(in,length,code,msg_data) | |
103 | u_char *in; | |
104 | u_long length; | |
105 | long code; | |
106 | MSG_DAT *msg_data; | |
107 | ||
108 | DESCRIPTION | |
109 | This library supports network authentication and various | |
110 | related operations. The library contains many routines | |
111 | beyond those described in this man page, but they are not | |
112 | intended to be used directly. Instead, they are called by | |
113 | the routines that are described, the authentication server | |
114 | and the login program. | |
115 | ||
116 | krb_err_txt[] contains text string descriptions of various | |
117 | Kerberos error codes returned by some of the routines | |
118 | below. | |
119 | ||
120 | krb_mk_req takes a pointer to a text structure in which an | |
121 | authenticator is to be built. It also takes the name, | |
122 | instance, and realm of the service to be used and an | |
123 | optional checksum. It is up to the application to decide | |
124 | ||
125 | ||
126 | ||
127 | MIT Project Athena Kerberos Version 4.0 2 | |
128 | ||
129 | ||
130 | ||
131 | ||
132 | ||
133 | ||
134 | ||
135 | ||
136 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
137 | ||
138 | ||
139 | how to generate the checksum. krb_mk_req then retrieves a | |
140 | ticket for the desired service and creates an authentica- | |
141 | tor. The authenticator is built in authent and is acces- | |
142 | sible to the calling procedure. | |
143 | ||
144 | It is up to the application to get the authenticator to | |
145 | the service where it will be read by krb_rd_req. Unless | |
146 | an attacker possesses the session key contained in the | |
147 | ticket, the attacker will be unable to modify the authenticator. | |
148 | Thus, the checksum can be used to verify the authenticity | |
149 | of the other data that will pass through a connection. | |
150 | ||
151 | krb_rd_req takes an authenticator of type KTEXT, a service | |
152 | name, an instance, the address of the host originating the | |
153 | request, and a pointer to a structure of type AUTH_DAT | |
154 | which is filled in with information obtained from the | |
155 | authenticator. It also optionally takes the name of the | |
156 | file in which it will find the secret key(s) for the ser- | |
157 | vice. If the supplied instance contains "*", then the | |
158 | first service key with the same service name found in the | |
159 | service key file will be used, and the instance argument | |
160 | will be filled in with the chosen instance. This means | |
161 | that the caller must provide space for such an instance | |
162 | name. | |
163 | ||
164 | It is used to find out information about the principal | |
165 | when a request has been made to a service. It is up to | |
166 | the application protocol to get the authenticator from the | |
167 | client to the service. The authenticator is then passed | |
168 | to krb_rd_req to extract the desired information. | |
169 | ||
170 | krb_rd_req returns zero (RD_AP_OK) upon successful authen- | |
171 | tication. If a packet was forged, modified, or replayed, | |
172 | authentication will fail. If the authentication fails, a | |
173 | non-zero value is returned indicating the particular prob- | |
174 | lem encountered. See krb.h for the list of error codes. | |
175 | ||
176 | If the last argument is the null string (""), krb_rd_req | |
177 | will use the file /etc/srvtab to find its keys. If the | |
178 | last argument is NULL, it will assume that the key has | |
179 | been set by krb_set_key and will not bother looking fur- | |
180 | ther. | |
181 | ||
182 | krb_kntoln converts a Kerberos name to a local name. It | |
183 | takes a structure of type AUTH_DAT and uses the name and | |
184 | instance to look in the database /etc/aname to find the | |
185 | corresponding local name. The local name is returned and | |
186 | can be used by an application to change uids, directories, | |
187 | or other parameters. It is not an integral part of Ker- | |
188 | beros, but is instead provided to support the use of Ker- | |
189 | beros in existing utilities. | |
190 | ||
191 | ||
192 | ||
193 | MIT Project Athena Kerberos Version 4.0 3 | |
194 | ||
195 | ||
196 | ||
197 | ||
198 | ||
199 | ||
200 | ||
201 | ||
202 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
203 | ||
204 | ||
205 | krb_set_key takes as an argument a DES key. It then cre- | |
206 | ates a key schedule from it and saves the original key to | |
207 | be used as an initialization vector. It is used to set | |
208 | the server's key which must be used to decrypt tickets. | |
209 | ||
210 | If called with a non-zero second argument, krb_set_key | |
211 | will first convert the input from a string of arbitrary | |
212 | length to a DES key by encrypting it with a one-way func- | |
213 | tion. | |
214 | ||
215 | In most cases it should not be necessary to call | |
216 | krb_set_key. The necessary keys will usually be obtained | |
217 | and set inside krb_rd_req. krb_set_key is provided for | |
218 | those applications that do not wish to place the applica- | |
219 | tion keys on disk. | |
220 | ||
221 | krb_get_cred searches the caller's ticket file for a | |
222 | ticket for the given service, instance, and realm; and, if | |
223 | a ticket is found, fills in the given CREDENTIALS struc- | |
224 | ture with the ticket information. | |
225 | ||
226 | If the ticket was found, krb_get_cred returns GC_OK. If | |
227 | the ticket file can't be found, can't be read, doesn't | |
228 | belong to the user (other than root), isn't a regular | |
229 | file, or is in the wrong mode, the error GC_TKFIL is | |
230 | returned. | |
231 | ||
232 | krb_mk_priv creates an encrypted, authenticated message | |
233 | from any arbitrary application data, pointed to by in and | |
234 | in_length bytes long. The private session key, pointed to | |
235 | by key, and the key schedule, schedule, are used to encrypt | |
236 | the data and some header information using pcbc_encrypt. | |
237 | sender and receiver point to the Internet address of the | |
238 | two parties. In addition to providing privacy, this pro- | |
239 | tocol message protects against modifications, insertions | |
240 | or replays. The encapsulated message and header are | |
241 | placed in the area pointed to by out and the routine | |
242 | returns the length of the output, or -1 indicating an | |
243 | error. | |
244 | ||
245 | krb_rd_priv decrypts and authenticates a received | |
246 | krb_mk_priv message. in points to the beginning of the | |
247 | received message, whose length is specified in in_length. | |
248 | The private session key, pointed to by key, and the key | |
249 | schedule, schedule, are used to decrypt and verify the | |
250 | received message. msg_data is a pointer to a MSG_DAT | |
251 | struct, defined in krb.h. The routine fills in the | |
252 | app_data field with a pointer to the decrypted application | |
253 | data, app_length with the length of the app_data field, | |
254 | time_sec and time_5ms with the timestamps in the message, | |
255 | and swap with a 1 if the byte order of the receiver is | |
256 | ||
257 | ||
258 | ||
259 | MIT Project Athena Kerberos Version 4.0 4 | |
260 | ||
261 | ||
262 | ||
263 | ||
264 | ||
265 | ||
266 | ||
267 | ||
268 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
269 | ||
270 | ||
271 | different than that of the sender. (The application must | |
272 | still determine if it is appropriate to byte-swap applica- | |
273 | tion data; the Kerberos protocol fields are already taken | |
274 | care of). The hash field returns a value useful as input | |
275 | to the krb_ck_repl routine. | |
276 | ||
277 | The routine returns zero if ok, or a Kerberos error code. | |
278 | Modified messages and old messages cause errors, but it is | |
279 | up to the caller to check the time sequence of messages, | |
280 | and to check against recently replayed messages using | |
281 | krb_ck_repl if so desired. | |
282 | ||
283 | krb_mk_safe creates an authenticated, but unencrypted mes- | |
284 | sage from any arbitrary application data, pointed to by in | |
285 | and in_length bytes long. The private session key, | |
286 | pointed to by key, is used to seed the quad_cksum() check- | |
287 | sum algorithm used as part of the authentication. sender | |
288 | and receiver point to the Internet address of the two par- | |
289 | ties. This message does not provide privacy, but does | |
290 | protect (via detection) against modifications, insertions | |
291 | or replays. The encapsulated message and header are | |
292 | placed in the area pointed to by out and the routine | |
293 | returns the length of the output, or -1 indicating an | |
294 | error. The authentication provided by this routine is not | |
295 | as strong as that provided by krb_mk_priv or by computing | |
296 | the checksum using cbc_cksum instead, both of which | |
297 | authenticate via DES. | |
298 | ||
299 | ||
300 | krb_rd_safe authenticates a received krb_mk_safe message. | |
301 | in points to the beginning of the received message, whose | |
302 | length is specified in in_length. The private session | |
303 | key, pointed to by key, is used to seed the quad_cksum() | |
304 | routine as part of the authentication. msg_data is a | |
305 | pointer to a MSG_DAT struct, defined in krb.h. The rou- | |
306 | tine fills in these MSG_DAT fields: the app_data field | |
307 | with a pointer to the application data, app_length with | |
308 | the length of the app_data field, time_sec and time_5ms | |
309 | with the timestamps in the message, and swap with a 1 if | |
310 | the byte order of the receiver is different than that of | |
311 | the sender. (The application must still determine if it | |
312 | is appropriate to byte-swap application data; the Kerberos | |
313 | protocol fields are already taken care of). The hash | |
314 | field returns a value useful as input to the krb_ck_repl | |
315 | routine. | |
316 | ||
317 | The routine returns zero if ok, or a Kerberos error code. | |
318 | Modified messages and old messages cause errors, but it is | |
319 | up to the caller to check the time sequence of messages, | |
320 | and to check against recently replayed messages using | |
321 | krb_ck_repl if so desired. | |
322 | ||
323 | ||
324 | ||
325 | MIT Project Athena Kerberos Version 4.0 5 | |
326 | ||
327 | ||
328 | ||
329 | ||
330 | ||
331 | ||
332 | ||
333 | ||
334 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
335 | ||
336 | ||
337 | krb_mk_err constructs an application level error message | |
338 | that may be used along with krb_mk_priv or krb_mk_safe. | |
339 | out is a pointer to the output buffer, code is an applica- | |
340 | tion specific error code, and string is an application | |
341 | specific error string. | |
342 | ||
343 | ||
344 | krb_rd_err unpacks a received krb_mk_err message. in | |
345 | points to the beginning of the received message, whose | |
346 | length is specified in in_length. code is a pointer to a | |
347 | value to be filled in with the error value provided by the | |
348 | application. msg_data is a pointer to a MSG_DAT struct, | |
349 | defined in krb.h. The routine fills in these MSG_DAT | |
350 | fields: the app_data field with a pointer to the applica- | |
351 | tion error text, app_length with the length of the | |
352 | app_data field, and swap with a 1 if the byte order of the | |
353 | receiver is different than that of the sender. (The | |
354 | application must still determine if it is appropriate to | |
355 | byte-swap application data; the Kerberos protocol fields | |
356 | are already taken care of). | |
357 | ||
358 | The routine returns zero if the error message has been | |
359 | successfully received, or a Kerberos error code. | |
360 | ||
361 | The KTEXT structure is used to pass around text of varying | |
362 | lengths. It consists of a buffer for the data, and a | |
363 | length. krb_rd_req takes an argument of this type con- | |
364 | taining the authenticator, and krb_mk_req returns the | |
365 | authenticator in a structure of this type. KTEXT itself | |
366 | is really a pointer to the structure. The actual struc- | |
367 | ture is of type KTEXT_ST. | |
368 | ||
369 | The AUTH_DAT structure is filled in by krb_rd_req. It | |
370 | must be allocated before calling krb_rd_req, and a pointer | |
371 | to it is passed. The structure is filled in with data | |
372 | obtained from Kerberos. The MSG_DAT structure is filled in by | |
373 | either krb_rd_priv, krb_rd_safe, or krb_rd_err. It must | |
374 | be allocated before the call and a pointer to it is | |
375 | passed. The structure is filled in with data obtained | |
376 | from Kerberos. | |
377 | ||
378 | ||
379 | FILES | |
380 | /usr/include/kerberosIV/krb.h | |
381 | /usr/lib/libkrb.a | |
382 | /usr/include/kerberosIV/des.h | |
383 | /usr/lib/libdes.a | |
384 | /etc/kerberosIV/aname | |
385 | /etc/kerberosIV/srvtab | |
386 | /tmp/tkt[uid] | |
387 | ||
388 | ||
389 | ||
390 | ||
391 | MIT Project Athena Kerberos Version 4.0 6 | |
392 | ||
393 | ||
394 | ||
395 | ||
396 | ||
397 | ||
398 | ||
399 | ||
400 | KERBEROS(3) BSD Programmer's Manual KERBEROS(3) | |
401 | ||
402 | ||
403 | SEE ALSO | |
404 | kerberos(1), des_crypt(3) | |
405 | ||
406 | DIAGNOSTICS | |
407 | BUGS | |
408 | The caller of krb_rd_req, krb_rd_priv, and krb_rd_safe | |
409 | must check the time ordering of messages and check for replay attempts. | |
410 | krb_ck_repl is not implemented yet. | |
411 | ||
412 | AUTHORS | |
413 | Clifford Neuman, MIT Project Athena | |
414 | Steve Miller, MIT Project Athena/Digital Equipment Corpo- | |
415 | ration | |
416 | ||
417 | RESTRICTIONS | |
418 | COPYRIGHT 1985,1986,1989 Massachusetts Institute of Tech- | |
419 | nology | |
420 | ||
421 | ||
422 | ||
423 | ||
424 | ||
425 | ||
426 | ||
427 | ||
428 | ||
429 | ||
430 | ||
431 | ||
432 | ||
433 | ||
434 | ||
435 | ||
436 | ||
437 | ||
438 | ||
439 | ||
440 | ||
441 | ||
442 | ||
443 | ||
444 | ||
445 | ||
446 | ||
447 | ||
448 | ||
449 | ||
450 | ||
451 | ||
452 | ||
453 | ||
454 | ||
455 | ||
456 | ||
457 | MIT Project Athena Kerberos Version 4.0 7 | |
458 | ||
459 | ||
460 | ||
461 | ||
462 |