Партнёры:
Хостинг:
NAME
kerberos, krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key,
krb_get_cred, krb_mk_safe, krb_rd_safe, krb_mk_err,
krb_rd_err - Kerberos authentication library
SYNOPSIS
cc [ flag ... ] file ... -lkrb [ library ... ]
#include <kerberos/krb.h>
extern char *krb_err_txt[];
int krb_mk_req(KTEXT authent, const char *service, const
char *instance, const char *realm, const long checksum);
int krb_rd_req(const KTEXT authent, const char * service,
char * instance, const long from_addr, AUTH_DAT *ad, const
char *fn);
int krb_kntoln(const AUTH_DAT *ad, char *lname);
int krb_set_key(const char *key, const int cvt);
int krb_get_cred(const char *service, const char *instance,
const char *realm, CREDENTIALS *c);
long krb_mk_safe(const uchar_t *in, uchar_t *out, const
ulong_t in_length, const des_cblock *key, const struct
sockaddr_in *sender, const struct sockaddr_in *receiver);
long krb_rd_safe(const uchar_t *in, const ulong_t length,
const des_cblock *key, const struct sockaddr_in *sender,
const struct sockaddr_in *receiver, MSG_DAT *msg_data);
long krb_mk_err(uchar_t *out, const long code, const char
*string);
long krb_rd_err(const uchar_t *in, const ulong_t length,
long *code, MSG_DAT *msg_data);
DESCRIPTION
This library supports network authentication and various
related operations. The library contains many routines
beyond those described in this man page, but they are not
intended to be used directly. Instead, they are called by
the routines that are described, the authentication server
and the login program.
krb_err_txt[] contains text string descriptions of various
Kerberos error codes returned by some of the routines below.
krb_mk_req() takes a pointer to a text structure in which an
authenticator is to be built. It also takes the name,
instance, and realm of the service to be used and an
optional checksum. It is up to the application to decide how
to generate the checksum. krb_mk_req() then retrieves a
ticket for the desired service and creates an authenticator.
The authenticator is built in authent and is accessible to
the calling procedure.
It is up to the application to get the authenticator to the
service where it will be read by krb_rd_req(). Unless an
attacker possesses the session key contained in the ticket,
it will be unable to modify the authenticator. Thus, the
checksum can be used to verify the authenticity of the other
data that will pass through a connection.
krb_mk_req() returns KSUCCESS if successful, otherwise a
Kerberos error code as defined in <kerberos/krb.h>.
krb_rd_req() takes an authenticator of type KTEXT, a service
name, an instance, the address of the host originating the
request, and a pointer to a structure of type AUTH_DAT which
is filled in with information obtained from the authentica-
tor. It also optionally takes the name of the file in which
it will find the secret key(s) for the service. If the sup-
plied instance is "*", then the first service key with the
same service name found in the service key file will be
used, and the instance argument will be filled in with the
chosen instance. This means that the caller must provide
space for such an instance name.
If the last argument is the null string (""), krb_rd_req()
will use the file /etc/srvtab to find its keys. If the last
argument is NULL, it will assume that the key has been set
by krb_set_key() and will not bother looking further.
krb_rd_req() is used to find out information about the prin-
cipal when a request has been made to a service. It is up to
the application protocol to get the authenticator from the
client to the service. The authenticator is then passed to
krb_rd_req() to extract the desired information.
krb_rd_req() returns zero (RD_AP_OK) upon successful authen-
tication. If a packet was forged, modified, or replayed,
authentication will fail. If the authentication fails, a
non-zero value is returned indicating the particular problem
encountered. See <kerberos/krb.h> for the list of error
codes.
krb_kntoln() converts a Kerberos name to a local name. It
takes a structure of type AUTH_DAT and uses the name,
instance, and realm to determine the corresponding local
name. A valid local name is returned if the instance is
NULL and the realm is the same as the local realm. The local
name returned is the Kerberos name and can be used by an
application to change uids, directories, or other parame-
ters. This routine is not an integral part of Kerberos, but
is provided to support the use of Kerberos in existing util-
ities. This routine returns KSUCCESS or KFAILURE.
krb_set_key() takes as an argument a DES key. It then
creates a key schedule from it and saves the original key to
be used as an initialization vector. It is used to set the
server's key which must be used to decrypt tickets.
If called with a non-zero second argument, krb_set_key()
will first convert the input from a string of arbitrary
length to a DES key by encrypting it with a one-way func-
tion.
In most cases it should not be necessary to call
krb_set_key(). The necessary keys will usually be obtained
and set inside krb_rd_req(). krb_set_key() is provided for
those applications that do not wish to place the application
keys on disk. It returns 0 for success, otherwise a non-zero
value.
krb_get_cred() searches the caller's ticket file for a
ticket for the given service, instance, and realm. If a
ticket is found, the given CREDENTIALS structure is filled
in with the ticket information.
If the ticket was found, krb_get_cred() returns GC_OK. If
the ticket file cannot be found, cannot be read, does not
belong to the user (other than root), is not a regular file,
or is in the wrong mode, the error GC_TKFIL is returned.
krb_mk_safe() creates an authenticated, but unencrypted mes-
sage from any arbitrary application data, pointed to by in
and in_length bytes long. The private session key, pointed
to by key, is used to seed the quad_cksum() checksum algo-
rithm used as part of the authentication. sender and
receiver point to the Internet address of the two parties.
This message does not provide privacy, but does protect (via
detection) against modifications, insertions or replays. The
encapsulated message and header are placed in the area
pointed to by out and the routine returns the length of the
output, or -1 indicating an error.
krb_rd_safe() authenticates a received krb_mk_safe() mes-
sage. in points to the beginning of the received message,
whose length is specified in in_length. The private session
key, pointed to by key, is used to seed the quad_cksum()
routine as part of the authentication. msg_data is a pointer
to a MSG_DAT struct, defined in <kerberos/krb.h>. The rou-
tine fills in these MSG_DAT fields: the app_data field with
a pointer to the application data, app_length with the
length of the app_data field, time_sec and time_5ms with the
timestamps in the message, and swap with a 1 if the byte
order of the receiver is different than that of the sender.
(The application must still determine if it is appropriate
to byte-swap application data; the Kerberos protocol fields
are already taken care of.)
The routine returns zero if successful, or a Kerberos error
code. Modified messages and old messages cause errors, but
it is up to the caller to check the time sequence of mes-
sages, and to check against recently replayed messages.
krb_mk_err() constructs an application level error message
that may be used along with krb_mk_safe(). out is a pointer
to the output buffer, code is an application specific error
code, and string is an application specific error string.
This routine returns the length of the error reply.
krb_rd_err() unpacks a received krb_mk_err() message. in
points to the beginning of the received message, whose
length is specified in in_length. code is a pointer to a
value to be filled in with the error value provided by the
application. msg_data is a pointer to a MSG_DAT struct,
defined in <kerberos/krb.h>. The routine fills in these
MSG_DAT fields: the app_data field with a pointer to the
application error text, app_length with the length of the
app_data field, and swap with a 1 if the byte order of the
receiver is different than that of the sender. (The applica-
tion must still determine if it is appropriate to byte-swap
application data; the Kerberos protocol fields are already
taken care of).
The routine returns zero if the error message has been suc-
cessfully received, or a Kerberos error code.
The KTEXT structure is used to pass around text of varying
lengths. It consists of a buffer for the data, and a
length. krb_rd_req() takes an argument of this type contain-
ing the authenticator, and krb_mk_req() returns the authen-
ticator in a structure of this type. KTEXT itself is really
a pointer to the structure. The actual structure is of type
KTEXT_ST.
The AUTH_DAT structure is filled in by krb_rd_req(). It must
be allocated before calling krb_rd_req(), and a pointer to
it is passed. The structure is filled in with data obtained
from Kerberos. The MSG_DAT structure is filled in by either
krb_rd_safe() or krb_rd_err(). It must be allocated before
the call and a pointer to it is passed. The structure is
filled in with data obtained from Kerberos.
FILES
/usr/lib/libkrb.*
/etc/aname
/etc/srvtab
/tmp/tktuid
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| MT-Level | Unsafe |
|_____________________________|_____________________________|
SEE ALSO
kerberos(1), kerberos_rpc(3KRB), krb_realmofhost(3KRB),
krb_sendauth(3KRB), krb_set_tkt_string(3KRB), krb.conf(4),
krb.realms(4), attributes(5)
NOTES
These interfaces are unsafe in multithreaded applications.
Unsafe interfaces should be called only from the main
thread.
BUGS
The caller of krb_rd_req() and krb_rd_safe() must check time
order and for replay attempts.
AUTHORS
Clifford Neuman, MIT Project Athena Steve Miller, MIT Pro-
ject Athena/Digital Equipment Corporation
RESTRICTIONS
COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technol-
ogy
|
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |