+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+N\bNA\bAM\bME\bE
+ krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key,
+ krb_get_cred, krb_mk_priv, krb_rd_priv, krb_mk_safe,
+ krb_rd_safe, krb_mk_err, krb_rd_err, krb_ck_repl - Ker-
+ beros authentication library
+
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ #\b#i\bin\bnc\bcl\blu\bud\bde\be <\b<k\bke\ber\brb\bbe\ber\bro\bos\bsI\bIV\bV/\b/d\bde\bes\bs.\b.h\bh>\b>
+ #\b#i\bin\bnc\bcl\blu\bud\bde\be <\b<k\bke\ber\brb\bbe\ber\bro\bos\bsI\bIV\bV/\b/k\bkr\brb\bb.\b.h\bh>\b>
+
+ e\bex\bxt\bte\ber\brn\bn c\bch\bha\bar\br *\b*k\bkr\brb\bb_\b_e\ber\brr\br_\b_t\btx\bxt\bt[\b[]\b];\b;
+
+ i\bin\bnt\bt k\bkr\brb\bb_\b_m\bmk\bk_\b_r\bre\beq\bq(\b(a\bau\but\bth\bhe\ben\bnt\bt,\b,s\bse\ber\brv\bvi\bic\bce\be,\b,i\bin\bns\bst\bta\ban\bnc\bce\be,\b,r\bre\bea\bal\blm\bm,\b,c\bch\bhe\bec\bck\bks\bsu\bum\bm)\b)
+ K\bKT\bTE\bEX\bXT\bT a\bau\but\bth\bhe\ben\bnt\bt;\b;
+ c\bch\bha\bar\br *\b*s\bse\ber\brv\bvi\bic\bce\be;\b;
+ c\bch\bha\bar\br *\b*i\bin\bns\bst\bta\ban\bnc\bce\be;\b;
+ c\bch\bha\bar\br *\b*r\bre\bea\bal\blm\bm;\b;
+ u\bu_\b_l\blo\bon\bng\bg c\bch\bhe\bec\bck\bks\bsu\bum\bm;\b;
+
+ i\bin\bnt\bt k\bkr\brb\bb_\b_r\brd\bd_\b_r\bre\beq\bq(\b(a\bau\but\bth\bhe\ben\bnt\bt,\b,s\bse\ber\brv\bvi\bic\bce\be,\b,i\bin\bns\bst\bta\ban\bnc\bce\be,\b,f\bfr\bro\bom\bm_\b_a\bad\bdd\bdr\br,\b,a\bad\bd,\b,f\bfn\bn)\b)
+ K\bKT\bTE\bEX\bXT\bT a\bau\but\bth\bhe\ben\bnt\bt;\b;
+ c\bch\bha\bar\br *\b*s\bse\ber\brv\bvi\bic\bce\be;\b;
+ c\bch\bha\bar\br *\b*i\bin\bns\bst\bta\ban\bnc\bce\be;\b;
+ u\bu_\b_l\blo\bon\bng\bg f\bfr\bro\bom\bm_\b_a\bad\bdd\bdr\br;\b;
+ A\bAU\bUT\bTH\bH_\b_D\bDA\bAT\bT *\b*a\bad\bd;\b;
+ c\bch\bha\bar\br *\b*f\bfn\bn;\b;
+
+ i\bin\bnt\bt k\bkr\brb\bb_\b_k\bkn\bnt\bto\bol\bln\bn(\b(a\bad\bd,\b,l\bln\bna\bam\bme\be)\b)
+ A\bAU\bUT\bTH\bH_\b_D\bDA\bAT\bT *\b*a\bad\bd;\b;
+ c\bch\bha\bar\br *\b*l\bln\bna\bam\bme\be;\b;
+
+ i\bin\bnt\bt k\bkr\brb\bb_\b_s\bse\bet\bt_\b_k\bke\bey\by(\b(k\bke\bey\by,\b,c\bcv\bvt\bt)\b)
+ c\bch\bha\bar\br *\b*k\bke\bey\by;\b;
+ i\bin\bnt\bt c\bcv\bvt\bt;\b;
+
+ i\bin\bnt\bt k\bkr\brb\bb_\b_g\bge\bet\bt_\b_c\bcr\bre\bed\bd(\b(s\bse\ber\brv\bvi\bic\bce\be,\b,i\bin\bns\bst\bta\ban\bnc\bce\be,\b,r\bre\bea\bal\blm\bm,\b,c\bc)\b)
+ c\bch\bha\bar\br *\b*s\bse\ber\brv\bvi\bic\bce\be;\b;
+ c\bch\bha\bar\br *\b*i\bin\bns\bst\bta\ban\bnc\bce\be;\b;
+ c\bch\bha\bar\br *\b*r\bre\bea\bal\blm\bm;\b;
+ C\bCR\bRE\bED\bDE\bEN\bNT\bTI\bIA\bAL\bLS\bS *\b*c\bc;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_m\bmk\bk_\b_p\bpr\bri\biv\bv(\b(i\bin\bn,\b,o\bou\but\bt,\b,i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh,\b,s\bsc\bch\bhe\bed\bdu\bul\ble\be,\b,k\bke\bey\by,\b,s\bse\ben\bnd\bde\ber\br,\b,r\bre\bec\bce\bei\biv\bve\ber\br)\b)
+ u\bu_\b_c\bch\bha\bar\br *\b*i\bin\bn;\b;
+ u\bu_\b_c\bch\bha\bar\br *\b*o\bou\but\bt;\b;
+ u\bu_\b_l\blo\bon\bng\bg i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh;\b;
+ d\bde\bes\bs_\b_c\bcb\bbl\blo\boc\bck\bk k\bke\bey\by;\b;
+ d\bde\bes\bs_\b_k\bke\bey\by_\b_s\bsc\bch\bhe\bed\bdu\bul\ble\be s\bsc\bch\bhe\bed\bdu\bul\ble\be;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*s\bse\ben\bnd\bde\ber\br;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*r\bre\bec\bce\bei\biv\bve\ber\br;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_r\brd\bd_\b_p\bpr\bri\biv\bv(\b(i\bin\bn,\b,i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh,\b,s\bsc\bch\bhe\bed\bdu\bul\ble\be,\b,k\bke\bey\by,\b,s\bse\ben\bnd\bde\ber\br,\b,r\bre\bec\bce\bei\biv\bve\ber\br,\b,m\bms\bsg\bg_\b_d\bda\bat\bta\ba)\b)
+
+
+
+MIT Project Athena Kerberos Version 4.0 1
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+ u\bu_\b_c\bch\bha\bar\br *\b*i\bin\bn;\b;
+ u\bu_\b_l\blo\bon\bng\bg i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh;\b;
+ K\bKe\bey\by_\b_s\bsc\bch\bhe\bed\bdu\bul\ble\be s\bsc\bch\bhe\bed\bdu\bul\ble\be;\b;
+ d\bde\bes\bs_\b_c\bcb\bbl\blo\boc\bck\bk k\bke\bey\by;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*s\bse\ben\bnd\bde\ber\br;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*r\bre\bec\bce\bei\biv\bve\ber\br;\b;
+ M\bMS\bSG\bG_\b_D\bDA\bAT\bT *\b*m\bms\bsg\bg_\b_d\bda\bat\bta\ba;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_m\bmk\bk_\b_s\bsa\baf\bfe\be(\b(i\bin\bn,\b,o\bou\but\bt,\b,i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh,\b,k\bke\bey\by,\b,s\bse\ben\bnd\bde\ber\br,\b,r\bre\bec\bce\bei\biv\bve\ber\br)\b)
+ u\bu_\b_c\bch\bha\bar\br *\b*i\bin\bn;\b;
+ u\bu_\b_c\bch\bha\bar\br *\b*o\bou\but\bt;\b;
+ u\bu_\b_l\blo\bon\bng\bg i\bin\bn_\b_l\ble\ben\bng\bgt\bth\bh;\b;
+ d\bde\bes\bs_\b_c\bcb\bbl\blo\boc\bck\bk k\bke\bey\by;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*s\bse\ben\bnd\bde\ber\br;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*r\bre\bec\bce\bei\biv\bve\ber\br;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_r\brd\bd_\b_s\bsa\baf\bfe\be(\b(i\bin\bn,\b,l\ble\ben\bng\bgt\bth\bh,\b,k\bke\bey\by,\b,s\bse\ben\bnd\bde\ber\br,\b,r\bre\bec\bce\bei\biv\bve\ber\br,\b,m\bms\bsg\bg_\b_d\bda\bat\bta\ba)\b)
+ u\bu_\b_c\bch\bha\bar\br *\b*i\bin\bn;\b;
+ u\bu_\b_l\blo\bon\bng\bg l\ble\ben\bng\bgt\bth\bh;\b;
+ d\bde\bes\bs_\b_c\bcb\bbl\blo\boc\bck\bk k\bke\bey\by;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*s\bse\ben\bnd\bde\ber\br;\b;
+ s\bst\btr\bru\buc\bct\bt s\bso\boc\bck\bka\bad\bdd\bdr\br_\b_i\bin\bn *\b*r\bre\bec\bce\bei\biv\bve\ber\br;\b;
+ M\bMS\bSG\bG_\b_D\bDA\bAT\bT *\b*m\bms\bsg\bg_\b_d\bda\bat\bta\ba;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_m\bmk\bk_\b_e\ber\brr\br(\b(o\bou\but\bt,\b,c\bco\bod\bde\be,\b,s\bst\btr\bri\bin\bng\bg)\b)
+ u\bu_\b_c\bch\bha\bar\br *\b*o\bou\but\bt;\b;
+ l\blo\bon\bng\bg c\bco\bod\bde\be;\b;
+ c\bch\bha\bar\br *\b*s\bst\btr\bri\bin\bng\bg;\b;
+
+ l\blo\bon\bng\bg k\bkr\brb\bb_\b_r\brd\bd_\b_e\ber\brr\br(\b(i\bin\bn,\b,l\ble\ben\bng\bgt\bth\bh,\b,c\bco\bod\bde\be,\b,m\bms\bsg\bg_\b_d\bda\bat\bta\ba)\b)
+ u\bu_\b_c\bch\bha\bar\br *\b*i\bin\bn;\b;
+ u\bu_\b_l\blo\bon\bng\bg l\ble\ben\bng\bgt\bth\bh;\b;
+ l\blo\bon\bng\bg c\bco\bod\bde\be;\b;
+ M\bMS\bSG\bG_\b_D\bDA\bAT\bT *\b*m\bms\bsg\bg_\b_d\bda\bat\bta\ba;\b;
+
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ This library supports network authentication and various
+ related operations. The library contains many routines
+ beyond those described in this man page, but they are not
+ intended to be used directly. Instead, they are called by
+ the routines that are described, the authentication server
+ and the login program.
+
+ _\bk_\br_\bb_\b__\be_\br_\br_\b__\bt_\bx_\bt_\b[_\b] contains text string descriptions of various
+ Kerberos error codes returned by some of the routines
+ below.
+
+ _\bk_\br_\bb_\b__\bm_\bk_\b__\br_\be_\bq takes a pointer to a text structure in which an
+ authenticator is to be built. It also takes the name,
+ instance, and realm of the service to be used and an
+ optional checksum. It is up to the application to decide
+
+
+
+MIT Project Athena Kerberos Version 4.0 2
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+ how to generate the checksum. _\bk_\br_\bb_\b__\bm_\bk_\b__\br_\be_\bq then retrieves a
+ ticket for the desired service and creates an authentica-
+ tor. The authenticator is built in _\ba_\bu_\bt_\bh_\be_\bn_\bt and is acces-
+ sible to the calling procedure.
+
+ It is up to the application to get the authenticator to
+ the service where it will be read by _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq_\b. Unless
+ an attacker possesses the session key contained in the
+ ticket, it will be unable to modify the authenticator.
+ Thus, the checksum can be used to verify the authenticity
+ of the other data that will pass through a connection.
+
+ _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq takes an authenticator of type K\bKT\bTE\bEX\bXT\bT,\b, a service
+ name, an instance, the address of the host originating the
+ request, and a pointer to a structure of type A\bAU\bUT\bTH\bH_\b_D\bDA\bAT\bT
+ which is filled in with information obtained from the
+ authenticator. It also optionally takes the name of the
+ file in which it will find the secret key(s) for the ser-
+ vice. If the supplied _\bi_\bn_\bs_\bt_\ba_\bn_\bc_\be contains "*", then the
+ first service key with the same service name found in the
+ service key file will be used, and the _\bi_\bn_\bs_\bt_\ba_\bn_\bc_\be argument
+ will be filled in with the chosen instance. This means
+ that the caller must provide space for such an instance
+ name.
+
+ It is used to find out information about the principal
+ when a request has been made to a service. It is up to
+ the application protocol to get the authenticator from the
+ client to the service. The authenticator is then passed
+ to _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq to extract the desired information.
+
+ _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq returns zero (RD_AP_OK) upon successful authen-
+ tication. If a packet was forged, modified, or replayed,
+ authentication will fail. If the authentication fails, a
+ non-zero value is returned indicating the particular prob-
+ lem encountered. See _\bk_\br_\bb_\b._\bh for the list of error codes.
+
+ If the last argument is the null string (""), krb_rd_req
+ will use the file /etc/srvtab to find its keys. If the
+ last argument is NULL, it will assume that the key has
+ been set by _\bk_\br_\bb_\b__\bs_\be_\bt_\b__\bk_\be_\by and will not bother looking fur-
+ ther.
+
+ _\bk_\br_\bb_\b__\bk_\bn_\bt_\bo_\bl_\bn converts a Kerberos name to a local name. It
+ takes a structure of type AUTH_DAT and uses the name and
+ instance to look in the database /etc/aname to find the
+ corresponding local name. The local name is returned and
+ can be used by an application to change uids, directories,
+ or other parameters. It is not an integral part of Ker-
+ beros, but is instead provided to support the use of Ker-
+ beros in existing utilities.
+
+
+
+MIT Project Athena Kerberos Version 4.0 3
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+ _\bk_\br_\bb_\b__\bs_\be_\bt_\b__\bk_\be_\by takes as an argument a des key. It then cre-
+ ates a key schedule from it and saves the original key to
+ be used as an initialization vector. It is used to set
+ the server's key which must be used to decrypt tickets.
+
+ If called with a non-zero second argument, _\bk_\br_\bb_\b__\bs_\be_\bt_\b__\bk_\be_\by
+ will first convert the input from a string of arbitrary
+ length to a DES key by encrypting it with a one-way func-
+ tion.
+
+ In most cases it should not be necessary to call
+ _\bk_\br_\bb_\b__\bs_\be_\bt_\b__\bk_\be_\by_\b. The necessary keys will usually be obtained
+ and set inside _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq_\b. _\bk_\br_\bb_\b__\bs_\be_\bt_\b__\bk_\be_\by is provided for
+ those applications that do not wish to place the applica-
+ tion keys on disk.
+
+ _\bk_\br_\bb_\b__\bg_\be_\bt_\b__\bc_\br_\be_\bd searches the caller's ticket file for a
+ ticket for the given service, instance, and realm; and, if
+ a ticket is found, fills in the given CREDENTIALS struc-
+ ture with the ticket information.
+
+ If the ticket was found, _\bk_\br_\bb_\b__\bg_\be_\bt_\b__\bc_\br_\be_\bd returns GC_OK. If
+ the ticket file can't be found, can't be read, doesn't
+ belong to the user (other than root), isn't a regular
+ file, or is in the wrong mode, the error GC_TKFIL is
+ returned.
+
+ _\bk_\br_\bb_\b__\bm_\bk_\b__\bp_\br_\bi_\bv creates an encrypted, authenticated message
+ from any arbitrary application data, pointed to by _\bi_\bn and
+ _\bi_\bn_\b__\bl_\be_\bn_\bg_\bt_\bh bytes long. The private session key, pointed to
+ by _\bk_\be_\by and the key schedule, _\bs_\bc_\bh_\be_\bd_\bu_\bl_\be_\b, are used to encrypt
+ the data and some header information using _\bp_\bc_\bb_\bc_\b__\be_\bn_\bc_\br_\by_\bp_\bt_\b.
+ _\bs_\be_\bn_\bd_\be_\br and _\br_\be_\bc_\be_\bi_\bv_\be_\br point to the Internet address of the
+ two parties. In addition to providing privacy, this pro-
+ tocol message protects against modifications, insertions
+ or replays. The encapsulated message and header are
+ placed in the area pointed to by _\bo_\bu_\bt and the routine
+ returns the length of the output, or -1 indicating an
+ error.
+
+ _\bk_\br_\bb_\b__\br_\bd_\b__\bp_\br_\bi_\bv decrypts and authenticates a received
+ _\bk_\br_\bb_\b__\bm_\bk_\b__\bp_\br_\bi_\bv message. _\bi_\bn points to the beginning of the
+ received message, whose length is specified in _\bi_\bn_\b__\bl_\be_\bn_\bg_\bt_\bh_\b.
+ The private session key, pointed to by _\bk_\be_\by_\b, and the key
+ schedule, _\bs_\bc_\bh_\be_\bd_\bu_\bl_\be_\b, are used to decrypt and verify the
+ received message. _\bm_\bs_\bg_\b__\bd_\ba_\bt_\ba is a pointer to a _\bM_\bS_\bG_\b__\bD_\bA_\bT
+ struct, defined in _\bk_\br_\bb_\b._\bh_\b. The routine fills in the
+ _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field with a pointer to the decrypted application
+ data, _\ba_\bp_\bp_\b__\bl_\be_\bn_\bg_\bt_\bh with the length of the _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field,
+ _\bt_\bi_\bm_\be_\b__\bs_\be_\bc and _\bt_\bi_\bm_\be_\b__\b5_\bm_\bs with the timestamps in the message,
+ and _\bs_\bw_\ba_\bp with a 1 if the byte order of the receiver is
+
+
+
+MIT Project Athena Kerberos Version 4.0 4
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+ different than that of the sender. (The application must
+ still determine if it is appropriate to byte-swap applica-
+ tion data; the Kerberos protocol fields are already taken
+ care of). The _\bh_\ba_\bs_\bh field returns a value useful as input
+ to the _\bk_\br_\bb_\b__\bc_\bk_\b__\br_\be_\bp_\bl routine.
+
+ The routine returns zero if ok, or a Kerberos error code.
+ Modified messages and old messages cause errors, but it is
+ up to the caller to check the time sequence of messages,
+ and to check against recently replayed messages using
+ _\bk_\br_\bb_\b__\bc_\bk_\b__\br_\be_\bp_\bl if so desired.
+
+ _\bk_\br_\bb_\b__\bm_\bk_\b__\bs_\ba_\bf_\be creates an authenticated, but unencrypted mes-
+ sage from any arbitrary application data, pointed to by _\bi_\bn
+ and _\bi_\bn_\b__\bl_\be_\bn_\bg_\bt_\bh bytes long. The private session key,
+ pointed to by _\bk_\be_\by_\b, is used to seed the _\bq_\bu_\ba_\bd_\b__\bc_\bk_\bs_\bu_\bm_\b(_\b) check-
+ sum algorithm used as part of the authentication. _\bs_\be_\bn_\bd_\be_\br
+ and _\br_\be_\bc_\be_\bi_\bv_\be_\br point to the Internet address of the two par-
+ ties. This message does not provide privacy, but does
+ protect (via detection) against modifications, insertions
+ or replays. The encapsulated message and header are
+ placed in the area pointed to by _\bo_\bu_\bt and the routine
+ returns the length of the output, or -1 indicating an
+ error. The authentication provided by this routine is not
+ as strong as that provided by _\bk_\br_\bb_\b__\bm_\bk_\b__\bp_\br_\bi_\bv or by computing
+ the checksum using _\bc_\bb_\bc_\b__\bc_\bk_\bs_\bu_\bm instead, both of which
+ authenticate via DES.
+
+
+ _\bk_\br_\bb_\b__\br_\bd_\b__\bs_\ba_\bf_\be authenticates a received _\bk_\br_\bb_\b__\bm_\bk_\b__\bs_\ba_\bf_\be message.
+ _\bi_\bn points to the beginning of the received message, whose
+ length is specified in _\bi_\bn_\b__\bl_\be_\bn_\bg_\bt_\bh_\b. The private session
+ key, pointed to by _\bk_\be_\by_\b, is used to seed the quad_cksum()
+ routine as part of the authentication. _\bm_\bs_\bg_\b__\bd_\ba_\bt_\ba is a
+ pointer to a _\bM_\bS_\bG_\b__\bD_\bA_\bT struct, defined in _\bk_\br_\bb_\b._\bh _\b. The rou-
+ tine fills in these _\bM_\bS_\bG_\b__\bD_\bA_\bT fields: the _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field
+ with a pointer to the application data, _\ba_\bp_\bp_\b__\bl_\be_\bn_\bg_\bt_\bh with
+ the length of the _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field, _\bt_\bi_\bm_\be_\b__\bs_\be_\bc and _\bt_\bi_\bm_\be_\b__\b5_\bm_\bs
+ with the timestamps in the message, and _\bs_\bw_\ba_\bp with a 1 if
+ the byte order of the receiver is different than that of
+ the sender. (The application must still determine if it
+ is appropriate to byte-swap application data; the Kerberos
+ protocol fields are already taken care of). The _\bh_\ba_\bs_\bh
+ field returns a value useful as input to the _\bk_\br_\bb_\b__\bc_\bk_\b__\br_\be_\bp_\bl
+ routine.
+
+ The routine returns zero if ok, or a Kerberos error code.
+ Modified messages and old messages cause errors, but it is
+ up to the caller to check the time sequence of messages,
+ and to check against recently replayed messages using
+ _\bk_\br_\bb_\b__\bc_\bk_\b__\br_\be_\bp_\bl if so desired.
+
+
+
+MIT Project Athena Kerberos Version 4.0 5
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+ _\bk_\br_\bb_\b__\bm_\bk_\b__\be_\br_\br constructs an application level error message
+ that may be used along with _\bk_\br_\bb_\b__\bm_\bk_\b__\bp_\br_\bi_\bv or _\bk_\br_\bb_\b__\bm_\bk_\b__\bs_\ba_\bf_\be_\b.
+ _\bo_\bu_\bt is a pointer to the output buffer, _\bc_\bo_\bd_\be is an applica-
+ tion specific error code, and _\bs_\bt_\br_\bi_\bn_\bg is an application
+ specific error string.
+
+
+ _\bk_\br_\bb_\b__\br_\bd_\b__\be_\br_\br unpacks a received _\bk_\br_\bb_\b__\bm_\bk_\b__\be_\br_\br message. _\bi_\bn
+ points to the beginning of the received message, whose
+ length is specified in _\bi_\bn_\b__\bl_\be_\bn_\bg_\bt_\bh_\b. _\bc_\bo_\bd_\be is a pointer to a
+ value to be filled in with the error value provided by the
+ application. _\bm_\bs_\bg_\b__\bd_\ba_\bt_\ba is a pointer to a _\bM_\bS_\bG_\b__\bD_\bA_\bT struct,
+ defined in _\bk_\br_\bb_\b._\bh _\b. The routine fills in these _\bM_\bS_\bG_\b__\bD_\bA_\bT
+ fields: the _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field with a pointer to the applica-
+ tion error text, _\ba_\bp_\bp_\b__\bl_\be_\bn_\bg_\bt_\bh with the length of the
+ _\ba_\bp_\bp_\b__\bd_\ba_\bt_\ba field, and _\bs_\bw_\ba_\bp with a 1 if the byte order of the
+ receiver is different than that of the sender. (The
+ application must still determine if it is appropriate to
+ byte-swap application data; the Kerberos protocol fields
+ are already taken care of).
+
+ The routine returns zero if the error message has been
+ successfully received, or a Kerberos error code.
+
+ The _\bK_\bT_\bE_\bX_\bT structure is used to pass around text of varying
+ lengths. It consists of a buffer for the data, and a
+ length. krb_rd_req takes an argument of this type con-
+ taining the authenticator, and krb_mk_req returns the
+ authenticator in a structure of this type. KTEXT itself
+ is really a pointer to the structure. The actual struc-
+ ture is of type KTEXT_ST.
+
+ The _\bA_\bU_\bT_\bH_\b__\bD_\bA_\bT structure is filled in by krb_rd_req. It
+ must be allocated before calling krb_rd_req, and a pointer
+ to it is passed. The structure is filled in with data
+ obtained from Kerberos. _\bM_\bS_\bG_\b__\bD_\bA_\bT structure is filled in by
+ either krb_rd_priv, krb_rd_safe, or krb_rd_err. It must
+ be allocated before the call and a pointer to it is
+ passed. The structure is filled in with data obtained
+ from Kerberos.
+
+
+F\bFI\bIL\bLE\bES\bS
+ /usr/include/kerberosIV/krb.h
+ /usr/lib/libkrb.a
+ /usr/include/kerberosIV/des.h
+ /usr/lib/libdes.a
+ /etc/kerberosIV/aname
+ /etc/kerberosIV/srvtab
+ /tmp/tkt[uid]
+
+
+
+
+MIT Project Athena Kerberos Version 4.0 6
+
+
+
+
+
+
+
+
+KERBEROS(3) BSD Programmer's Manual KERBEROS(3)
+
+
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ kerberos(1), des_crypt(3)
+
+D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
+B\bBU\bUG\bGS\bS
+ The caller of _\bk_\br_\bb_\b__\br_\bd_\b__\br_\be_\bq_\b, _\bk_\br_\bb_\b__\br_\bd_\b__\bp_\br_\bi_\bv_\b, _\ba_\bn_\bd _\bk_\br_\bb_\b__\br_\bd_\b__\bs_\ba_\bf_\be
+ must check time order and for replay attempts.
+ _\bk_\br_\bb_\b__\bc_\bk_\b__\br_\be_\bp_\bl is not implemented yet.
+
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Clifford Neuman, MIT Project Athena
+ Steve Miller, MIT Project Athena/Digital Equipment Corpo-
+ ration
+
+R\bRE\bES\bST\bTR\bRI\bIC\bCT\bTI\bIO\bON\bNS\bS
+ COPYRIGHT 1985,1986,1989 Massachusetts Institute of Tech-
+ nology
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+MIT Project Athena Kerberos Version 4.0 7
+
+
+
+
+