NAME
krb5_mk_req,
krb5_mk_req_exact,
krb5_mk_req_extended,
krb5_rd_req,
krb5_rd_req_with_keyblock,
krb5_mk_rep,
krb5_mk_rep_exact,
krb5_mk_rep_extended,
krb5_rd_rep,
krb5_build_ap_req,
krb5_verify_ap_req —
create and read
application authentication request
LIBRARY
Kerberos 5 Library (libkrb5, -lkrb5)
SYNOPSIS
#include <krb5/krb5.h>
krb5_error_code
krb5_mk_req(
krb5_context context,
krb5_auth_context *auth_context,
const
krb5_flags ap_req_options,
const char *service,
const char *hostname,
krb5_data
*in_data,
krb5_ccache ccache,
krb5_data *outbuf);
krb5_error_code
krb5_mk_req_extended(
krb5_context
context,
krb5_auth_context *auth_context,
const krb5_flags ap_req_options,
krb5_data *in_data,
krb5_creds
*in_creds,
krb5_data *outbuf);
krb5_error_code
krb5_rd_req(
krb5_context context,
krb5_auth_context *auth_context,
const
krb5_data *inbuf,
krb5_const_principal server,
krb5_keytab keytab,
krb5_flags
*ap_req_options,
krb5_ticket **ticket);
krb5_error_code
krb5_build_ap_req(
krb5_context context,
krb5_enctype enctype,
krb5_creds
*cred,
krb5_flags ap_options,
krb5_data authenticator,
krb5_data
*retdata);
krb5_error_code
krb5_verify_ap_req(
krb5_context context,
krb5_auth_context *auth_context,
krb5_ap_req *ap_req,
krb5_const_principal server,
krb5_keyblock *keyblock,
krb5_flags
flags,
krb5_flags *ap_req_options,
krb5_ticket **ticket);
DESCRIPTION
The functions documented in this manual page document the functions that
facilitates the exchange between a Kerberos client and server. They are the
core functions used in the authentication exchange between the client and the
server.
The
krb5_mk_req and
krb5_mk_req_extended
creates the Kerberos message
KRB_AP_REQ
that is sent
from the client to the server as the first packet in a client/server exchange.
The result that should be sent to server is stored in
outbuf.
auth_context should be allocated with
krb5_auth_con_init() or
NULL
passed
in, in that case, it will be allocated and freed internally.
The input data
in_data will have a checksum calculated
over it and checksum will be transported in the message to the server.
ap_req_options can be set to one or more of the following
flags:
-
-
AP_OPTS_USE_SESSION_KEY
- Use the session key when creating the request, used for
user to user authentication.
-
-
AP_OPTS_MUTUAL_REQUIRED
- Mark the request as mutual authenticate required so that
the receiver returns a mutual authentication packet.
The
krb5_rd_req read the AP_REQ in
inbuf
and verify and extract the content. If
server is
specified, that server will be fetched from the
keytab
and used unconditionally. If
server is
NULL
, the
keytab will be search
for a matching principal.
The
keytab argument specifies what keytab to search for
receiving principals. The arguments
ap_req_options and
ticket returns the content.
When the AS-REQ is a user to user request, neither of
keytab or
principal are used,
instead
krb5_rd_req() expects the session key to be set in
auth_context.
The
krb5_verify_ap_req and
krb5_build_ap_req
both constructs and verify the AP_REQ message, should not be used by external
code.
SEE ALSO
krb5(3),
krb5.conf(5)