krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.
- krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket)

param:
- [in] context - Library context
- [inout] auth_context - Pre-existing or newly created auth context
- [in] inbuf - AP-REQ message to be parsed
- [in] server - Matching principal for server, or NULL to allow any principal in keytab
- [in] keytab - Key table, or NULL to use the default
- [out] ap_req_options - If non-null, the AP-REQ flags on output
- [out] ticket - If non-null, ticket from the AP-REQ message

retval:
This function parses, decrypts and verifies an AP-REQ message from inbuf and stores the authenticator in auth_context.
If a keyblock is present in the auth_context, it is used to decrypt the ticket in the AP-REQ message. (This is useful for user-to-user authentication.) Otherwise, the decryption key is obtained from the keytab. If keytab is iterable, all of its key entries will be tried against the ticket; otherwise, the server principal in the ticket will be looked up in the keytab and that key will be tried.
The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. If server is non-null, the key in which the ticket is encrypted must correspond to a principal in keytab matching server according to the rules of krb5_sname_match().
If the remote_addr field of auth_context is set, the request must come from that address.
If a replay cache handle is provided in the auth_context, the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of auth_context.
Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.
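How the replay-cache and clock-skew checks described above interact can be seen in a small self-contained model. This is an added example, not libkrb5 code and not how the library stores its entries: it assumes the identifying tuple from RFC 4120 section 3.2.3 (client, server, time, microseconds), a 300-second skew window and a fixed-size table, and all names in it are hypothetical.

```c
#include <stdint.h>
#include <string.h>

#define SKEW_SECS 300  /* assumed allowed clock skew for this model */
#define RC_SLOTS  64   /* fixed capacity, to keep the model small */

enum verdict { AUTH_OK, AUTH_SKEW, AUTH_REPLAY, AUTH_CACHE_FULL };

/* Fields RFC 4120 section 3.2.3 uses to recognise a repeated authenticator. */
struct authent {
    char    client[64];
    char    server[64];
    int64_t ctime;  /* client timestamp, seconds */
    int32_t cusec;  /* microsecond part of the timestamp */
};

struct rcache {
    struct authent slot[RC_SLOTS];
    int            used[RC_SLOTS];
};

static int same_authent(const struct authent *a, const struct authent *b)
{
    return a->ctime == b->ctime && a->cusec == b->cusec &&
           strcmp(a->client, b->client) == 0 &&
           strcmp(a->server, b->server) == 0;
}

/* Number of entries currently held. */
int rc_live(const struct rcache *rc)
{
    int i, n = 0;
    for (i = 0; i < RC_SLOTS; i++)
        n += rc->used[i] ? 1 : 0;
    return n;
}

/*
 * Skew check first, then replay lookup, then store.  An entry older than
 * the skew window can be dropped: the same authenticator presented again
 * would already fail the skew check, so the cache stays bounded.
 */
enum verdict rc_check_and_store(struct rcache *rc, const struct authent *a,
                                int64_t now)
{
    int i, free_slot = -1;
    int64_t delta = now - a->ctime;

    if (delta < 0)
        delta = -delta;
    if (delta > SKEW_SECS)
        return AUTH_SKEW;

    for (i = 0; i < RC_SLOTS; i++) {
        if (rc->used[i] && now - rc->slot[i].ctime > SKEW_SECS)
            rc->used[i] = 0;                 /* expired, reuse the slot */
        if (!rc->used[i]) {
            if (free_slot < 0)
                free_slot = i;
            continue;
        }
        if (same_authent(&rc->slot[i], a))
            return AUTH_REPLAY;
    }
    if (free_slot < 0)
        return AUTH_CACHE_FULL;              /* fail closed, never forget */

    rc->slot[free_slot] = *a;
    rc->used[free_slot] = 1;
    return AUTH_OK;
}
```
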
On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context. If the AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.
Use krb5_free_ticket() to free ticket when it is no longer needed.