Provided by: heimdal-dev_7.8.git20221117.28daf24+dfsg-5ubuntu3_amd64 bug

NAME

       krb5_auth_con_addflags,  krb5_auth_con_free,  krb5_auth_con_genaddrs,  krb5_auth_con_generatelocalsubkey,
       krb5_auth_con_getaddrs,  krb5_auth_con_getauthenticator,  krb5_auth_con_getflags,   krb5_auth_con_getkey,
       krb5_auth_con_getlocalsubkey,           krb5_auth_con_getrcache,           krb5_auth_con_getremotesubkey,
       krb5_auth_con_getuserkey,   krb5_auth_con_init,   krb5_auth_con_initivector,   krb5_auth_con_removeflags,
       krb5_auth_con_setaddrs, krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags, krb5_auth_con_setivector,
       krb5_auth_con_setkey,                krb5_auth_con_setlocalsubkey,               krb5_auth_con_setrcache,
       krb5_auth_con_setremotesubkey,   krb5_auth_con_setuserkey,   krb5_auth_context,   krb5_auth_getcksumtype,
       krb5_auth_getkeytype,  krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber, krb5_auth_setcksumtype,
       krb5_auth_setkeytype, krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,  krb5_free_authenticator
       — manage authentication on connection level

LIBRARY

       Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

       #include <krb5.h>

       krb5_error_code
       krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);

       void
       krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);

       krb5_error_code
       krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, int32_t flags);

       krb5_error_code
       krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, int32_t *flags);

       krb5_error_code
       krb5_auth_con_addflags(krb5_context context,       krb5_auth_context auth_context,      int32_t addflags,
           int32_t *flags);

       krb5_error_code
       krb5_auth_con_removeflags(krb5_context context,    krb5_auth_context auth_context,    int32_t removeflags,
           int32_t *flags);

       krb5_error_code
       krb5_auth_con_setaddrs(krb5_context context,   krb5_auth_context auth_context,  krb5_address *local_addr,
           krb5_address *remote_addr);

       krb5_error_code
       krb5_auth_con_getaddrs(krb5_context context,  krb5_auth_context auth_context,  krb5_address **local_addr,
           krb5_address **remote_addr);

       krb5_error_code
       krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int fd, int flags);

       krb5_error_code
       krb5_auth_con_setaddrs_from_fd(krb5_context context, krb5_auth_context auth_context, void *p_fd);

       krb5_error_code
       krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock **keyblock);

       krb5_error_code
       krb5_auth_con_getlocalsubkey(krb5_context context,                        krb5_auth_context auth_context,
           krb5_keyblock **keyblock);

       krb5_error_code
       krb5_auth_con_getremotesubkey(krb5_context context,                       krb5_auth_context auth_context,
           krb5_keyblock **keyblock);

       krb5_error_code
       krb5_auth_con_generatelocalsubkey(krb5_context context,   krb5_auth_context auth_context,
           krb5_keyblock *key);

       krb5_error_code
       krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);

       krb5_error_code
       krb5_auth_con_setivector(krb5_context context, krb5_auth_context *auth_context, krb5_pointer ivector);

       void
       krb5_free_authenticator(krb5_context context, krb5_authenticator *authenticator);

DESCRIPTION

       The krb5_auth_context structure holds all context related to an authenticated connection, in a similar
       way to krb5_context, which holds the context for the thread or process.  krb5_auth_context is used by
       various functions that are directly related to authentication between the server and the client.
       Examples of data that this structure contains are various flags, addresses of client and server, port
       numbers, keyblocks (and subkeys), sequence numbers, replay cache, and checksum-type.

       krb5_auth_con_init() allocates and initializes the krb5_auth_context structure.  Default  values  can  be
       changed  with krb5_auth_con_setcksumtype() and krb5_auth_con_setflags().  The auth_context structure must
       be freed by krb5_auth_con_free().

       krb5_auth_con_getflags(), krb5_auth_con_setflags(), krb5_auth_con_addflags() and
       krb5_auth_con_removeflags() get and modify the flags for a krb5_auth_context structure.  Possible flags
       to set are:

       KRB5_AUTH_CONTEXT_DO_SEQUENCE
               Generate and check sequence-number on each packet.

       KRB5_AUTH_CONTEXT_DO_TIME
               Check timestamp on incoming packets.

       KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
               Return sequence numbers and time stamps in the outdata parameters.

       KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
               will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to create unencrypted
               (KRB5_ENCTYPE_NULL) credentials.  This is for use with old MIT servers and Java based servers,
               as they can't handle an encrypted KRB-CRED.  Note that sending such a KRB-CRED in the clear
               exposes crypto keys and tickets and is insecure; make sure the packet is encrypted by the
               protocol that carries it.
               krb5_rd_cred(3),  krb5_rd_priv(3), krb5_rd_safe(3), krb5_mk_priv(3) and krb5_mk_safe(3).  Setting
               this flag requires that parameter to be passed to these functions.

               The flag KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior of the function
               krb5_get_forwarded_creds() by removing the timestamp in the forwarded credential message.  This
               has backward compatibility problems, since not all versions of Heimdal support timeless
               credential messages.  It is very useful, since it allows the sender of the message to cache the
               forwarded message and thus avoid a round trip to the KDC each time a credential is forwarded.
               The same functionality can be obtained by using address-less tickets.

       krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and krb5_auth_con_getaddrs() get and set the
       addresses that are checked when a packet is received.  It is mandatory to set an address for the remote
       host.  If the local address is not set, it is deduced from the underlying operating system.
       krb5_auth_con_getaddrs() will call krb5_free_address() on any address that is passed in local_addr or
       remote_addr, so *local_addr and *remote_addr must not be left uninitialized before the call.
       krb5_auth_con_setaddrs() allows passing in a NULL pointer as local_addr and remote_addr; in that case
       it will just not set that address.

       krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file descriptor.

       krb5_auth_con_genaddrs()  fetches  the address information from the given file descriptor fd depending on
       the bitmap argument flags.

       Possible values on flags are:

       KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
               fetches the local address from fd.

       KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
               fetches the remote address from fd.

       krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and krb5_auth_con_getkey() get and set the key used
       for this auth context.  The keyblock returned by krb5_auth_con_getkey() should be freed with
       krb5_free_keyblock().  The keyblock sent into krb5_auth_con_setkey() is copied into the
       krb5_auth_context, and thus no special handling is needed.  NULL is not a valid keyblock to
       krb5_auth_con_setkey().

       krb5_auth_con_setuserkey() is only useful when doing user to user authentication.  krb5_auth_con_setkey()
       is equivalent to krb5_auth_con_setuserkey().

       krb5_auth_con_getlocalsubkey(),   krb5_auth_con_setlocalsubkey(),   krb5_auth_con_getremotesubkey()   and
       krb5_auth_con_setremotesubkey() gets and sets the keyblock for the local and remote subkey.  The keyblock
       returned  by  krb5_auth_con_getlocalsubkey()  and  krb5_auth_con_getremotesubkey()  must  be  freed  with
       krb5_free_keyblock().

       krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the checksum type that should be used
       for this connection.

       krb5_auth_con_generatelocalsubkey() generates a local subkey that has the same encryption type as key.

       krb5_auth_getremoteseqnumber(), krb5_auth_setremoteseqnumber(), krb5_auth_getlocalseqnumber() and
       krb5_auth_setlocalseqnumber() get and set the sequence-number for the local and remote sequence-number
       counter.

       krb5_auth_setkeytype() and krb5_auth_getkeytype() set and get the keytype of the keyblock in
       krb5_auth_context.

       krb5_auth_con_getauthenticator() retrieves the authenticator that was used during mutual authentication.
       The authenticator returned should be freed by calling krb5_free_authenticator().

       krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the replay-cache.

       krb5_auth_con_initivector() allocates memory for  and  zeros  the  initial  vector  in  the  auth_context
       keyblock.

       krb5_auth_con_setivector() sets the i_vector portion of auth_context to ivector.

       krb5_free_authenticator() frees the content of authenticator and authenticator itself.

SEE ALSO

       krb5_context(3), kerberos(8)

HEIMDAL                                           May 17, 2005                              KRB5_AUTH_CONTEXT(3)