4.4BSD/usr/share/man/cat3/krb_mk_req.0

KERBEROS(3)          BSD Programmer's Manual          KERBEROS(3)


NAME
       krb_mk_req, krb_rd_req, krb_kntoln, krb_set_key, krb_get_cred,
       krb_mk_priv, krb_rd_priv, krb_mk_safe, krb_rd_safe, krb_mk_err,
       krb_rd_err, krb_ck_repl - Kerberos authentication library

SYNOPSIS
       #include <kerberosIV/des.h>
       #include <kerberosIV/krb.h>

       extern char *krb_err_txt[];

       int krb_mk_req(authent, service, instance, realm, checksum)
       KTEXT authent;
       char *service;
       char *instance;
       char *realm;
       u_long checksum;

       int krb_rd_req(authent, service, instance, from_addr, ad, fn)
       KTEXT authent;
       char *service;
       char *instance;
       u_long from_addr;
       AUTH_DAT *ad;
       char *fn;

       int krb_kntoln(ad, lname)
       AUTH_DAT *ad;
       char *lname;

       int krb_set_key(key, cvt)
       char *key;
       int cvt;

       int krb_get_cred(service, instance, realm, c)
       char *service;
       char *instance;
       char *realm;
       CREDENTIALS *c;

       long krb_mk_priv(in, out, in_length, schedule, key, sender, receiver)
       u_char *in;
       u_char *out;
       u_long in_length;
       des_cblock key;
       des_key_schedule schedule;
       struct sockaddr_in *sender;
       struct sockaddr_in *receiver;
       long krb_rd_priv(in, in_length, schedule, key, sender, receiver, msg_data)
       u_char *in;
       u_long in_length;
       Key_schedule schedule;
       des_cblock key;
       struct sockaddr_in *sender;
       struct sockaddr_in *receiver;
       MSG_DAT *msg_data;

MIT Project Athena     Kerberos Version 4.0                     1

       long krb_mk_safe(in, out, in_length, key, sender, receiver)
       u_char *in;
       u_char *out;
       u_long in_length;
       des_cblock key;
       struct sockaddr_in *sender;
       struct sockaddr_in *receiver;

       long krb_rd_safe(in, length, key, sender, receiver, msg_data)
       u_char *in;
       u_long length;
       des_cblock key;
       struct sockaddr_in *sender;
       struct sockaddr_in *receiver;
       MSG_DAT *msg_data;

       long krb_mk_err(out, code, string)
       u_char *out;
       long code;
       char *string;

       long krb_rd_err(in, length, code, msg_data)
       u_char *in;
       u_long length;
       long *code;
       MSG_DAT *msg_data;

DESCRIPTION
       This library supports network authentication and various related
       operations.  The library contains many routines beyond those
       described in this man page, but they are not intended to be used
       directly.  Instead, they are called by the routines that are
       described, the authentication server and the login program.

       krb_err_txt[] contains text string descriptions of the various
       Kerberos error codes returned by some of the routines below.

       krb_mk_req takes a pointer to a text structure in which an
       authenticator is to be built.  It also takes the name, instance,
       and realm of the service to be used and an optional checksum.  It
       is up to the application to decide how to generate the checksum.
       krb_mk_req then retrieves a ticket for the desired service and
       creates an authenticator.  The authenticator is built in authent
       and is accessible to the calling procedure.

       It is up to the application to get the authenticator to the
       service, where it will be read by krb_rd_req.  Unless an attacker
       possesses the session key contained in the ticket, it will be
       unable to modify the authenticator.  Thus the checksum can be
       used to verify the authenticity of the other data that will pass
       through a connection: the service recomputes the checksum over
       the data it actually received and compares it with the value
       krb_rd_req recovers from the authenticator (the checksum field of
       AUTH_DAT).

       krb_rd_req takes an authenticator of type KTEXT, a service name,
       an instance, the address of the host originating the request, and
       a pointer to a structure of type AUTH_DAT which is filled in with
       information obtained from the authenticator.  It also optionally
       takes the name of the file in which it will find the secret
       key(s) for the service.  If the supplied instance contains "*",
       then the first service key with the same service name found in
       the service key file will be used, and the instance argument will
       be filled in with the chosen instance.  This means that the
       caller must provide writable space for such an instance name,
       large enough for the longest instance the key file may contain;
       a string literal will not do.

       krb_rd_req is used to find out information about the principal
       when a request has been made to a service.  It is up to the
       application protocol to get the authenticator from the client to
       the service.  The authenticator is then passed to krb_rd_req to
       extract the desired information.

       krb_rd_req returns zero (RD_AP_OK) upon successful
       authentication.  If a packet was forged, modified, or replayed,
       authentication will fail (but see BUGS: checking time order and
       guarding against replays is still the caller's responsibility).
       If the authentication fails, a non-zero value is returned
       indicating the particular problem encountered.  See krb.h for
       the list of error codes; krb_err_txt[] maps each code to a
       printable description.

       If the last argument is the null string (""), krb_rd_req will use
       the default service key file (/etc/srvtab in this text, listed as
       /etc/kerberosIV/srvtab under FILES below) to find its keys.  If
       the last argument is NULL, it will assume that the key has been
       set by krb_set_key and will not bother looking further.

       krb_kntoln converts a Kerberos name to a local name.  It takes a
       structure of type AUTH_DAT and uses the name and instance to look
       in the database /etc/aname (listed as /etc/kerberosIV/aname under
       FILES below) to find the corresponding local name.  The local
       name is returned and can be used by an application to change
       uids, directories, or other parameters.  It is not an integral
       part of Kerberos, but is instead provided to support the use of
       Kerberos in existing utilities.

       krb_set_key takes as an argument a DES key.  It then creates a
       key schedule from it and saves the original key to be used as an
       initialization vector.  It is used to set the server's key which
       must be used to decrypt tickets.

       If called with a non-zero second argument, krb_set_key will first
       convert the input from a string of arbitrary length to a DES key
       by encrypting it with a one-way function.

       In most cases it should not be necessary to call krb_set_key.
       The necessary keys will usually be obtained and set inside
       krb_rd_req.  krb_set_key is provided for those applications that
       do not wish to place the application keys on disk.

       krb_get_cred searches the caller's ticket file for a ticket for
       the given service, instance, and realm; and, if a ticket is
       found, fills in the given CREDENTIALS structure with the ticket
       information.

       If the ticket was found, krb_get_cred returns GC_OK.  If the
       ticket file can't be found, can't be read, doesn't belong to the
       user (other than root), isn't a regular file, or is in the wrong
       mode, the error GC_TKFIL is returned.
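       The ticket-file checks listed above, written out as an added
       example in C.  This is not the library's own krb_get_cred code:
       it shows the checks a caller would apply before trusting a
       ticket file (exists, is a regular file, belongs to the calling
       user unless that user is root, and is in a mode no other user can
       read or write).  The exact mode rule (no group or other
       permission bits), the TKFIL_* result codes, and the
       make_sample_ticket() helper that constructs a throwaway file
       under /tmp are assumptions of this example.

```c
/* Added example, not Kerberos library code: the ticket-file validation
 * the manual describes for krb_get_cred(), as a stand-alone routine.
 * Assumptions: "wrong mode" means any group/other permission bit is
 * set; the TKFIL_* codes are local to this example. */
#define _XOPEN_SOURCE 700
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum {
    TKFIL_OK = 0,   /* ticket file is safe to read */
    TKFIL_NOFILE,   /* cannot be found or opened */
    TKFIL_NOTREG,   /* not a regular file (directory, device, ...) */
    TKFIL_OWNER,    /* owned by someone else and caller is not root */
    TKFIL_MODE      /* readable or writable by group or others */
};

/* Open and validate the ticket file at `path` on behalf of user `me`.
 * On success stores an open read-only descriptor in *fdp and returns
 * TKFIL_OK; otherwise returns the code saying why the file is untrusted.
 * The file is opened first and inspected with fstat() so the object
 * checked is the object later read (no check-then-open race), and
 * O_NOFOLLOW refuses a symlink planted at the ticket path. */
int tkt_file_check(const char *path, uid_t me, int *fdp)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);

    if (fd < 0)
        return TKFIL_NOFILE;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return TKFIL_NOFILE;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd);
        return TKFIL_NOTREG;
    }
    if (st.st_uid != me && me != 0) {
        close(fd);
        return TKFIL_OWNER;
    }
    if (st.st_mode & (S_IRWXG | S_IRWXO)) {
        close(fd);
        return TKFIL_MODE;
    }
    *fdp = fd;
    return TKFIL_OK;
}

/* Constructed input: create a throwaway "ticket file" under /tmp with the
 * given mode bits and write its path into buf.  Returns 0 on success. */
int make_sample_ticket(char *buf, size_t buflen, mode_t mode)
{
    static const char sample[] = "constructed ticket bytes\n";
    int fd;
    ssize_t n;

    if (buflen < sizeof "/tmp/tkt_example_XXXXXX")
        return -1;
    strcpy(buf, "/tmp/tkt_example_XXXXXX");
    fd = mkstemp(buf);              /* created mode 0600, owned by us */
    if (fd < 0)
        return -1;
    n = write(fd, sample, sizeof sample - 1);   /* contents irrelevant */
    (void)n;
    if (fchmod(fd, mode) < 0) {
        close(fd);
        unlink(buf);
        return -1;
    }
    close(fd);
    return 0;
}

int main(void)
{
    static const char *why[] = { "ok", "no file", "not regular",
                                 "wrong owner", "wrong mode" };
    char path[64];
    int fd = -1, rc;

    if (make_sample_ticket(path, sizeof path, 0644) != 0)
        return 1;
    rc = tkt_file_check(path, getuid(), &fd);
    printf("%s (mode 0644): %s\n", path, why[rc]);   /* wrong mode */
    if (rc == TKFIL_OK)
        close(fd);
    unlink(path);

    rc = tkt_file_check("/tmp", getuid(), &fd);
    printf("/tmp: %s\n", why[rc]);                    /* not regular */
    return 0;
}
```

       The caller keeps the descriptor that passed the checks and reads
       the tickets from it; re-opening the path afterwards would let an
       attacker who can write to /tmp swap the file in between.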

       krb_mk_priv creates an encrypted, authenticated message from any
       arbitrary application data, pointed to by in and in_length bytes
       long.  The private session key, pointed to by key, and the key
       schedule, schedule, are used to encrypt the data and some header
       information using pcbc_encrypt.  sender and receiver point to
       the Internet address of the two parties.  In addition to
       providing privacy, this protocol message protects against
       modifications, insertions or replays.  The encapsulated message
       and header are placed in the area pointed to by out and the
       routine returns the length of the output, or -1 indicating an
       error.

       krb_rd_priv decrypts and authenticates a received krb_mk_priv
       message.  in points to the beginning of the received message,
       whose length is specified in in_length.  The private session
       key, pointed to by key, and the key schedule, schedule, are used
       to decrypt and verify the received message.  msg_data is a
       pointer to a MSG_DAT struct, defined in krb.h.  The routine
       fills in the app_data field with a pointer to the decrypted
       application data, app_length with the length of the app_data
       field, time_sec and time_5ms with the timestamps in the message,
       and swap with a 1 if the byte order of the receiver is different
       from that of the sender.  (The application must still determine
       if it is appropriate to byte-swap application data; the Kerberos
       protocol fields are already taken care of.)  The hash field
       returns a value useful as input to the krb_ck_repl routine.

       The routine returns zero if ok, or a Kerberos error code.
       Modified messages and old messages cause errors, but it is up to
       the caller to check the time sequence of messages, and to check
       against recently replayed messages using krb_ck_repl if so
       desired (see BUGS: krb_ck_repl is not implemented, so the caller
       has to supply that check itself).

       krb_mk_safe creates an authenticated, but unencrypted message
       from any arbitrary application data, pointed to by in and
       in_length bytes long.  The private session key, pointed to by
       key, is used to seed the quad_cksum() checksum algorithm used as
       part of the authentication.  sender and receiver point to the
       Internet address of the two parties.  This message does not
       provide privacy, but does protect (via detection) against
       modifications, insertions or replays.  The encapsulated message
       and header are placed in the area pointed to by out and the
       routine returns the length of the output, or -1 indicating an
       error.  The authentication provided by this routine is not as
       strong as that provided by krb_mk_priv or by computing the
       checksum using cbc_cksum instead, both of which authenticate via
       DES; where the integrity of the data matters, prefer krb_mk_priv.


       krb_rd_safe authenticates a received krb_mk_safe message.  in
       points to the beginning of the received message, whose length is
       specified in length.  The private session key, pointed to by
       key, is used to seed the quad_cksum() routine as part of the
       authentication.  msg_data is a pointer to a MSG_DAT struct,
       defined in krb.h.  The routine fills in these MSG_DAT fields:
       the app_data field with a pointer to the application data,
       app_length with the length of the app_data field, time_sec and
       time_5ms with the timestamps in the message, and swap with a 1 if
       the byte order of the receiver is different from that of the
       sender.  (The application must still determine if it is
       appropriate to byte-swap application data; the Kerberos protocol
       fields are already taken care of.)  The hash field returns a
       value useful as input to the krb_ck_repl routine.

       The routine returns zero if ok, or a Kerberos error code.
       Modified messages and old messages cause errors, but it is up to
       the caller to check the time sequence of messages, and to check
       against recently replayed messages using krb_ck_repl if so
       desired (see BUGS: krb_ck_repl is not implemented, so the caller
       has to supply that check itself).
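       Because krb_ck_repl is not implemented (see BUGS), the receiver
       of krb_rd_priv and krb_rd_safe messages has to keep its own
       record of what it has accepted.  The following is an added
       example in C, not the library's code, of a replay cache fed with
       the hash, time_sec and time_5ms values that krb_rd_priv or
       krb_rd_safe leave in MSG_DAT.  It rejects a message whose
       timestamp lies outside a clock-skew window, a message earlier
       than the newest one already accepted, and a message whose (hash,
       timestamp) triple was already accepted within the window.  The
       CLOCK_SKEW value, the table size and the RC_* result codes are
       assumptions of this example; one cache is meant to serve one
       conversation, because the ordering check compares against that
       peer's last message.

```c
/* Added example, not Kerberos library code: a replay cache doing the job
 * the manual assigns to the unimplemented krb_ck_repl().  Field names
 * mirror MSG_DAT in krb.h; CLOCK_SKEW, REPLAY_SLOTS and RC_* are assumed. */
#include <stdio.h>
#include <string.h>

#define CLOCK_SKEW   300   /* seconds of drift tolerated between the clocks */
#define REPLAY_SLOTS 256   /* entries remembered; size for CLOCK_SKEW of traffic */

enum {
    RC_OK = 0,         /* fresh message, now recorded */
    RC_SKEW,           /* timestamp too far from the receiver's clock */
    RC_OUT_OF_ORDER,   /* earlier than the newest message already accepted */
    RC_REPLAY          /* same (hash, timestamp) already accepted, or cache full */
};

struct replay_entry {
    unsigned long hash;       /* MSG_DAT.hash */
    unsigned long time_sec;   /* MSG_DAT.time_sec */
    unsigned char time_5ms;   /* MSG_DAT.time_5ms: 5 ms units within the second */
    int           used;
};

struct replay_cache {
    struct replay_entry slot[REPLAY_SLOTS];
    unsigned long last_sec;   /* timestamp of the newest accepted message */
    unsigned char last_5ms;
    int           have_last;
};

void replay_cache_init(struct replay_cache *rc)
{
    memset(rc, 0, sizeof *rc);
}

/* <0 if a is earlier than b, 0 if equal, >0 if later. */
static int ts_cmp(unsigned long a_sec, unsigned char a_5ms,
                  unsigned long b_sec, unsigned char b_5ms)
{
    if (a_sec != b_sec)
        return a_sec < b_sec ? -1 : 1;
    if (a_5ms != b_5ms)
        return a_5ms < b_5ms ? -1 : 1;
    return 0;
}

/* Decide whether a message with these MSG_DAT values may be accepted at
 * receiver time `now` (seconds).  Call it only after krb_rd_priv() or
 * krb_rd_safe() returned zero, i.e. the message already authenticated. */
int replay_check(struct replay_cache *rc, unsigned long hash,
                 unsigned long time_sec, unsigned char time_5ms,
                 unsigned long now)
{
    int i, free_slot = -1;

    /* 1. Timestamp within CLOCK_SKEW of our clock.  Older messages are
     *    refused here, so the cache need only cover the last window. */
    if (time_sec + CLOCK_SKEW < now || time_sec > now + CLOCK_SKEW)
        return RC_SKEW;

    /* 2. Time sequence: earlier than the newest accepted message means
     *    reordering or a delayed replay.  Equal timestamps go on to 3. */
    if (rc->have_last &&
        ts_cmp(time_sec, time_5ms, rc->last_sec, rc->last_5ms) < 0)
        return RC_OUT_OF_ORDER;

    /* 3. Exact (hash, timestamp) match inside the window is a replay.
     *    Entries that fell out of the window are reclaimed on the way. */
    for (i = 0; i < REPLAY_SLOTS; i++) {
        struct replay_entry *e = &rc->slot[i];
        if (e->used && e->time_sec + CLOCK_SKEW < now)
            e->used = 0;
        if (!e->used) {
            if (free_slot < 0)
                free_slot = i;
            continue;
        }
        if (e->hash == hash && e->time_sec == time_sec && e->time_5ms == time_5ms)
            return RC_REPLAY;
    }
    if (free_slot < 0)
        return RC_REPLAY;   /* table full: fail closed, never accept unrecorded */

    rc->slot[free_slot].hash = hash;
    rc->slot[free_slot].time_sec = time_sec;
    rc->slot[free_slot].time_5ms = time_5ms;
    rc->slot[free_slot].used = 1;
    rc->last_sec = time_sec;
    rc->last_5ms = time_5ms;
    rc->have_last = 1;
    return RC_OK;
}

int main(void)
{
    /* Constructed MSG_DAT values: one message, then the same bytes again. */
    struct replay_cache rc;
    replay_cache_init(&rc);
    printf("first copy:  %d\n", replay_check(&rc, 0x1a2b3c4dUL, 1000UL, 37, 1001UL));
    printf("second copy: %d\n", replay_check(&rc, 0x1a2b3c4dUL, 1000UL, 37, 1002UL));
    return 0;
}
```

       The skew check and the cache expiry use the same CLOCK_SKEW
       bound, so anything the cache has forgotten is already too old to
       be accepted again.  When the table fills, the check fails closed
       rather than letting an unrecorded message through.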



       krb_mk_err constructs an application level error message that
       may be used along with krb_mk_priv or krb_mk_safe.  out is a
       pointer to the output buffer, code is an application specific
       error code, and string is an application specific error string.
       krb_mk_err takes no key, so the error message carries no
       protection of its own; if its integrity matters, send it inside
       a krb_mk_priv or krb_mk_safe message.

       krb_rd_err unpacks a received krb_mk_err message.  in points to
       the beginning of the received message, whose length is specified
       in length.  code is a pointer to a value to be filled in with
       the error value provided by the application.  msg_data is a
       pointer to a MSG_DAT struct, defined in krb.h.  The routine
       fills in these MSG_DAT fields: the app_data field with a pointer
       to the application error text, app_length with the length of the
       app_data field, and swap with a 1 if the byte order of the
       receiver is different from that of the sender.  (The application
       must still determine if it is appropriate to byte-swap
       application data; the Kerberos protocol fields are already taken
       care of.)

       The routine returns zero if the error message has been
       successfully received, or a Kerberos error code.

       The KTEXT structure is used to pass around text of varying
       lengths.  It consists of a buffer for the data, and a length.
       krb_rd_req takes an argument of this type containing the
       authenticator, and krb_mk_req returns the authenticator in a
       structure of this type.  KTEXT itself is really a pointer to the
       structure.  The actual structure is of type KTEXT_ST.

       The AUTH_DAT structure is filled in by krb_rd_req.  It must be
       allocated before calling krb_rd_req, and a pointer to it is
       passed.  The structure is filled in with data obtained from
       Kerberos.  The MSG_DAT structure is filled in by either
       krb_rd_priv, krb_rd_safe, or krb_rd_err.  It must be allocated
       before the call and a pointer to it is passed.  The structure is
       filled in with data obtained from Kerberos.


FILES
       /usr/include/kerberosIV/krb.h
       /usr/lib/libkrb.a
       /usr/include/kerberosIV/des.h
       /usr/lib/libdes.a
       /etc/kerberosIV/aname
       /etc/kerberosIV/srvtab
       /tmp/tkt[uid]

SEE ALSO
       kerberos(1), des_crypt(3)

DIAGNOSTICS
BUGS
       The caller of krb_rd_req, krb_rd_priv, and krb_rd_safe must
       check time order and for replay attempts.  krb_ck_repl is not
       implemented yet.

AUTHORS
       Clifford Neuman, MIT Project Athena
       Steve Miller, MIT Project Athena/Digital Equipment Corporation

RESTRICTIONS
       COPYRIGHT 1985,1986,1989 Massachusetts Institute of Technology