KRB5_VERIFY_INIT_CREDS(3)  Library Functions Manual  KRB5_VERIFY_INIT_CREDS(3)

     krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds -
     verifies a credential cache is correct by using a local keytab

     Kerberos 5 Library (libkrb5, -lkrb5)

     #include <krb5/krb5.h>

     struct krb5_verify_init_creds_opt;
     krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);

     krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options,
         int ap_req_nofail);

     krb5_verify_init_creds(krb5_context context, krb5_creds *creds,
         krb5_principal ap_req_server, krb5_ccache *ccache,
         krb5_verify_init_creds_opt *options);

     The krb5_verify_init_creds function verifies the initial tickets with the
     local keytab to make sure the response of the KDC was not spoofed.

     krb5_verify_init_creds will use principal ap_req_server from the local
     keytab; if NULL is passed in, the code will guess the local hostname and
     use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME.  creds is the
     credential that krb5_verify_init_creds should verify.  If ccache is
     given, krb5_verify_init_creds() stores all credentials it fetched from
     the KDC there; otherwise it will use a memory credential cache that is
     destroyed when done.

     krb5_verify_init_creds_opt_init() cleans the structure; it must be used
     before trying to pass it in to krb5_verify_init_creds().

     krb5_verify_init_creds_opt_set_ap_req_nofail() controls the behavior if
     ap_req_server doesn't exist in the local keytab or in the KDC's
     database; if it's true, the error will be ignored.  Note that this use
     is possibly insecure.
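     The fail-open behavior described above, as an added example that is not libkrb5 code and not part of the original manual page: a simplified, self-contained model in which a toy keyed checksum stands in for the Kerberos service ticket. All names (verify_model, kdc_issue, toy_mac, the V_* codes), the sample principal and the keys are constructed for illustration, and the model covers only the missing-keytab-key case of ap_req_nofail.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, NOT libkrb5: a toy keyed checksum stands in for the
 * service ticket that only the real KDC and the local keytab can key. */
enum { V_OK = 0, V_NO_KEY = 1, V_BAD_TICKET = 2 };
struct keytab_entry { const char *principal; uint32_t key; };
struct ticket { const char *service; uint32_t tag; };

/* FNV-1a seeded with the key; illustrative only, not real cryptography. */
static uint32_t toy_mac(uint32_t key, const char *s)
{
    uint32_t h = 2166136261u ^ key;
    for (; *s; s++) { h ^= (unsigned char)*s; h *= 16777619u; }
    return h;
}

/* Ticket a KDC would issue if it held kdc_key for `service`. */
struct ticket kdc_issue(const char *service, uint32_t kdc_key)
{
    struct ticket t = { service, toy_mac(kdc_key, service) };
    return t;
}

/* Look up ap_req_server in the keytab and confirm the ticket was keyed
 * with the same secret. ap_req_nofail only changes the "no key" case. */
int verify_model(const struct keytab_entry *kt, size_t n,
                 const char *ap_req_server, struct ticket t, int ap_req_nofail)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(kt[i].principal, ap_req_server) != 0)
            continue;
        return t.tag == toy_mac(kt[i].key, ap_req_server) ? V_OK : V_BAD_TICKET;
    }
    /* Key missing: nothing was verified. Fail closed unless told not to. */
    return ap_req_nofail ? V_OK : V_NO_KEY;
}

int main(void)
{
    /* Constructed sample data: one keytab entry, one wrongly keyed ticket. */
    struct keytab_entry kt[] = { { "host/client.example.org", 0x5eedu } };
    struct ticket spoofed = kdc_issue(kt[0].principal, 0xbad0u);
    /* Rejected when the key is present; accepted unverified when the
     * keytab is empty and ap_req_nofail is true. */
    return !(verify_model(kt, 1, kt[0].principal, spoofed, 1) == V_BAD_TICKET
             && verify_model(kt, 0, kt[0].principal, spoofed, 1) == V_OK);
}
```

     In the model, leaving ap_req_nofail at 0 turns the missing-key case into an error, so a host without a provisioned host key rejects the login rather than accepting an unverified KDC reply.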

     krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)

NetBSD 8.0                        May 1, 2006                       NetBSD 8.0