Updated: 2022/Sep/29

Please read Privacy Policy. It's for your privacy.


KRB5_GET_INIT_CREDS(3)     Library Functions Manual     KRB5_GET_INIT_CREDS(3)

NAME
     krb5_get_init_creds, krb5_get_init_creds_keytab, krb5_get_init_creds_opt,
     krb5_get_init_creds_opt_alloc, krb5_get_init_creds_opt_free,
     krb5_get_init_creds_opt_init, krb5_get_init_creds_opt_set_address_list,
     krb5_get_init_creds_opt_set_addressless,
     krb5_get_init_creds_opt_set_anonymous,
     krb5_get_init_creds_opt_set_default_flags,
     krb5_get_init_creds_opt_set_etype_list,
     krb5_get_init_creds_opt_set_forwardable,
     krb5_get_init_creds_opt_set_pa_password,
     krb5_get_init_creds_opt_set_paq_request,
     krb5_get_init_creds_opt_set_preauth_list,
     krb5_get_init_creds_opt_set_proxiable,
     krb5_get_init_creds_opt_set_renew_life, krb5_get_init_creds_opt_set_salt,
     krb5_get_init_creds_opt_set_tkt_life,
     krb5_get_init_creds_opt_set_canonicalize,
     krb5_get_init_creds_opt_set_win2k, krb5_get_init_creds_password,
     krb5_prompt, krb5_prompter_posix - Kerberos 5 initial authentication
     functions

LIBRARY
     Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS
     #include <krb5/krb5.h>

     krb5_get_init_creds_opt;

     krb5_error_code
     krb5_get_init_creds_opt_alloc(krb5_context context,
         krb5_get_init_creds_opt **opt);

     void
     krb5_get_init_creds_opt_free(krb5_context context,
         krb5_get_init_creds_opt *opt);

     void
     krb5_get_init_creds_opt_init(krb5_get_init_creds_opt *opt);

     void
     krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt *opt,
         krb5_addresses *addresses);

     void
     krb5_get_init_creds_opt_set_addressless(krb5_get_init_creds_opt *opt,
         krb5_boolean addressless);

     void
     krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt *opt,
         int anonymous);

     void
     krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt *opt,
         int change_password_prompt);

     void
     krb5_get_init_creds_opt_set_default_flags(krb5_context context,
         const char *appname, krb5_const_realm realm,
         krb5_get_init_creds_opt *opt);

     void
     krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt *opt,
         krb5_enctype *etype_list, int etype_list_length);

     void
     krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt *opt,
         int forwardable);

     krb5_error_code
     krb5_get_init_creds_opt_set_pa_password(krb5_context context,
         krb5_get_init_creds_opt *opt, const char *password,
         krb5_s2k_proc key_proc);

     krb5_error_code
     krb5_get_init_creds_opt_set_paq_request(krb5_context context,
         krb5_get_init_creds_opt *opt, krb5_boolean req_pac);

     krb5_error_code
     krb5_get_init_creds_opt_set_pkinit(krb5_context context,
         krb5_get_init_creds_opt *opt, const char *cert_file,
         const char *key_file, const char *x509_anchors, int flags,
         char *password);

     void
     krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
         krb5_preauthtype *preauth_list, int preauth_list_length);

     void
     krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt *opt,
         int proxiable);

     void
     krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt *opt,
         krb5_deltat renew_life);

     void
     krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
         krb5_data *salt);

     void
     krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt *opt,
         krb5_deltat tkt_life);

     krb5_error_code
     krb5_get_init_creds_opt_set_canonicalize(krb5_context context,
         krb5_get_init_creds_opt *opt, krb5_boolean req);

     krb5_error_code
     krb5_get_init_creds_opt_set_win2k(krb5_context context,
         krb5_get_init_creds_opt *opt, krb5_boolean req);

     krb5_error_code
     krb5_get_init_creds(krb5_context context, krb5_creds *creds,
         krb5_principal client, krb5_prompter_fct prompter,
         void *prompter_data, krb5_deltat start_time,
         const char *in_tkt_service, krb5_get_init_creds_opt *options);

     krb5_error_code
     krb5_get_init_creds_password(krb5_context context, krb5_creds *creds,
         krb5_principal client, const char *password,
         krb5_prompter_fct prompter, void *prompter_data,
         krb5_deltat start_time, const char *in_tkt_service,
         krb5_get_init_creds_opt *in_options);

     krb5_error_code
     krb5_get_init_creds_keytab(krb5_context context, krb5_creds *creds,
         krb5_principal client, krb5_keytab keytab, krb5_deltat start_time,
         const char *in_tkt_service, krb5_get_init_creds_opt *options);

     int
     krb5_prompter_posix(krb5_context context, void *data, const char *name,
         const char *banner, int num_prompts, krb5_prompt prompts[]);

DESCRIPTION
     Getting initial credential ticket for a principal.  That may include
     changing an expired password, and doing preauthentication.  This
     interface that replaces the deprecated krb5_in_tkt and krb5_in_cred
     functions.

     If you only want to verify a username and password, consider using
     krb5_verify_user(3) instead, since it also verifies that initial
     credentials with using a keytab to make sure the response was from the
     KDC.

     First a krb5_get_init_creds_opt structure is initialized with
     krb5_get_init_creds_opt_alloc() or krb5_get_init_creds_opt_init().
     krb5_get_init_creds_opt_alloc() allocates a extendible structures that
     needs to be freed with krb5_get_init_creds_opt_free().  The structure may
     be modified by any of the krb5_get_init_creds_opt_set() functions to
     change request parameters and authentication information.

     If the caller want to use the default options, NULL can be passed
     instead.

     The the actual request to the KDC is done by any of the
     krb5_get_init_creds(), krb5_get_init_creds_password(), or
     krb5_get_init_creds_keytab() functions.  krb5_get_init_creds() is the
     least specialized function and can, with the right in data, behave like
     the latter two.  The latter two are there for compatibility with older
     releases and they are slightly easier to use.

     krb5_prompt is a structure containing the following elements:

     typedef struct {
         const char *prompt;
         int hidden;
         krb5_data *reply;
         krb5_prompt_type type
     } krb5_prompt;

     prompt is the prompt that should shown to the user If hidden is set, the
     prompter function shouldn't echo the output to the display device.  reply
     must be preallocated; it will not be allocated by the prompter function.
     Possible values for the type element are:

           KRB5_PROMPT_TYPE_PASSWORD
           KRB5_PROMPT_TYPE_NEW_PASSWORD
           KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
           KRB5_PROMPT_TYPE_PREAUTH
           KRB5_PROMPT_TYPE_INFO

     krb5_prompter_posix() is the default prompter function in a POSIX
     environment.  It matches the krb5_prompter_fct and can be used in the
     krb5_get_init_creds functions.  krb5_prompter_posix() doesn't require
     prompter_data.

     If the start_time is zero, then the requested ticket will be valid
     beginning immediately.  Otherwise, the start_time indicates how far in
     the future the ticket should be postdated.

     If the in_tkt_service name is non-NULL, that principal name will be used
     as the server name for the initial ticket request.  The realm of the name
     specified will be ignored and will be set to the realm of the client
     name.  If no in_tkt_service name is specified, krbtgt/CLIENT-
     REALM@CLIENT-REALM will be used.

     For the rest of arguments, a configuration or library default will be
     used if no value is specified in the options structure.

     krb5_get_init_creds_opt_set_address_list() sets the list of addresses
     that is should be stored in the ticket.

     krb5_get_init_creds_opt_set_addressless() controls if the ticket is
     requested with addresses or not,
     krb5_get_init_creds_opt_set_address_list() overrides this option.

     krb5_get_init_creds_opt_set_anonymous() make the request anonymous if the
     anonymous parameter is non-zero.

     krb5_get_init_creds_opt_set_default_flags() sets the default flags using
     the configuration file.

     krb5_get_init_creds_opt_set_etype_list() set a list of enctypes that the
     client is willing to support in the request.

     krb5_get_init_creds_opt_set_forwardable() request a forwardable ticket.

     krb5_get_init_creds_opt_set_pa_password() set the password and key_proc
     that is going to be used to get a new ticket.  password or key_proc can
     be NULL if the caller wants to use the default values.  If the password
     is unset and needed, the user will be prompted for it.

     krb5_get_init_creds_opt_set_paq_request() sets the password that is going
     to be used to get a new ticket.

     krb5_get_init_creds_opt_set_preauth_list() sets the list of client-
     supported preauth types.

     krb5_get_init_creds_opt_set_proxiable() makes the request proxiable.

     krb5_get_init_creds_opt_set_renew_life() sets the requested renewable
     lifetime.

     krb5_get_init_creds_opt_set_salt() sets the salt that is going to be used
     in the request.

     krb5_get_init_creds_opt_set_tkt_life() sets requested ticket lifetime.

     krb5_get_init_creds_opt_set_canonicalize() requests that the KDC
     canonicalize the client principal if possible.

     krb5_get_init_creds_opt_set_win2k() turns on compatibility with Windows
     2000.

SEE ALSO
     krb5(3), krb5_creds(3), krb5_verify_user(3), krb5.conf(5), kerberos(8)

NetBSD 10.99                     Sep 16, 2006                     NetBSD 10.99