NAME¶
krb5_mk_req,
krb5_mk_req_exact,
krb5_mk_req_extended,
krb5_rd_req,
krb5_rd_req_with_keyblock,
krb5_mk_rep,
krb5_mk_rep_exact,
krb5_mk_rep_extended,
krb5_rd_rep,
krb5_build_ap_req,
krb5_verify_ap_req —
create and read application authentication
request
LIBRARY¶
Kerberos 5 Library (libkrb5, -lkrb5)
SYNOPSIS¶
#include
<krb5.h>
krb5_error_code
krb5_mk_req(
krb5_context
context,
krb5_auth_context
*auth_context,
const krb5_flags
ap_req_options,
const char *service,
const char *hostname,
krb5_data *in_data,
krb5_ccache ccache,
krb5_data *outbuf);
krb5_error_code
krb5_mk_req_extended(
krb5_context
context,
krb5_auth_context
*auth_context,
const krb5_flags
ap_req_options,
krb5_data *in_data,
krb5_creds *in_creds,
krb5_data *outbuf);
krb5_error_code
krb5_rd_req(
krb5_context
context,
krb5_auth_context
*auth_context,
const krb5_data *inbuf,
krb5_const_principal server,
krb5_keytab keytab,
krb5_flags *ap_req_options,
krb5_ticket **ticket);
krb5_error_code
krb5_build_ap_req(
krb5_context
context,
krb5_enctype enctype,
krb5_creds *cred,
krb5_flags ap_options,
krb5_data authenticator,
krb5_data *retdata);
krb5_error_code
krb5_verify_ap_req(
krb5_context
context,
krb5_auth_context
*auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags flags,
krb5_flags *ap_req_options,
krb5_ticket **ticket);
DESCRIPTION¶
The functions documented in this manual page document the functions that
facilitates the exchange between a Kerberos client and server. They are the
core functions used in the authentication exchange between the client and the
server.
The
krb5_mk_req and
krb5_mk_req_extended creates the Kerberos
message
KRB_AP_REQ that is sent from the
client to the server as the first packet in a client/server exchange. The
result that should be sent to server is stored in
outbuf.
auth_context should be allocated with
krb5_auth_con_init() or
NULL passed in, in that case, it will be
allocated and freed internally.
The input data
in_data will have a checksum
calculated over it and checksum will be transported in the message to the
server.
ap_req_options can be set to one or more of the
following flags:
AP_OPTS_USE_SESSION_KEY- Use the session key when creating the request, used for user to user
authentication.
AP_OPTS_MUTUAL_REQUIRED- Mark the request as mutual authenticate required so that the receiver
returns a mutual authentication packet.
The
krb5_rd_req read the AP_REQ in
inbuf and verify and extract the content. If
server is specified, that server will be
fetched from the
keytab and used
unconditionally. If
server is
NULL, the
keytab will be search for a matching
principal.
The
keytab argument specifies what keytab to
search for receiving principals. The arguments
ap_req_options and
ticket returns the content.
When the AS-REQ is a user to user request, neither of
keytab or
principal are used, instead
krb5_rd_req() expects the session key to be
set in
auth_context.
The
krb5_verify_ap_req and
krb5_build_ap_req both constructs and
verify the AP_REQ message, should not be used by external code.
SEE ALSO¶
krb5(3),
krb5.conf(5)
