krb5-1.19.2/doc/thread-safe.txt

[May be out of date.  Last significant update: Jan 2005.]

In general, it's assumed that the library initialization function (if initialization isn't delayed) and the library finalization function are run in some thread-safe fashion, with no other parts of the library in question in use.  (If dlopen or dlsym in one thread starts running the initializer, and then dlopen/dlsym in another thread returns and lets you start accessing functions or data in the library before the initializer is finished, that really seems like a dlopen/dlsym bug.)  It's also assumed that if library A depends on library B, then library B's initializer runs first, and its finalizer last, whether loading dynamically at run time or at process startup/exit.  (It appears that AIX 4.3.3 may violate this, at least when we use gcc's constructor/destructor attributes in shared libraries.)

Support for freeing the heap storage allocated by a library has NOT, in general, been written.  There are hooks, but often they ignore some of the library's local storage, mutexes, etc.  If shared library finalization code doesn't get run at all at dlclose time, or if we can't use it because the execution order is wrong, then you'll get memory leaks.  Deal with it.

Several debugging variables that are not part of our official API are not protected by mutexes.  In general, the only way to set them is by changing the sources and recompiling, which obviously has no run-time thread safety issues, or by stopping the process under a debugger, which we blithely assert is "safe enough".

Debug code that we don't normally enable may be less thread safe than might be desired.
For example, multiple printf calls may be made, with the assumption that the output will not be intermixed with output from some other thread.  Offhand, I'm not aware of any cases where debugging code is "really" unsafe, as in likely to crash the program or produce insecure results.

Various libraries may call assert() and abort().  This should only be for "can't happen" cases, and indicate programming errors.  In some cases, the compiler may be able to infer that the "can't happen" cases really can't happen, and drop the calls, but in many cases, this is not possible.  There are cases (e.g., in the com_err library) where errors arising when dealing with other errors are handled by calling abort, for lack of anything better.  We should probably clean those up someday.

Various libraries call getenv().  This is perfectly safe, as long as nothing is calling setenv or putenv or what have you, while multiple threads are executing.  Of course, that severely curtails the ability to control our libraries through that "interface".

Various libraries call the ctype functions/macros (isupper, etc).  It is assumed that the program does not call setlocale, or does so only while the program is still single-threaded or while calls into the Kerberos libraries are not in progress.

The Windows thread safety support is unfinished.

I'm assuming that structure fields that are never written to (e.g., after a structure has been initialized and *then* made possibly visible to multiple threads) are safe to read from one thread while another field is being updated by another thread.  If that's not the case, some more work is needed (and I'd like details on why it's not safe).

----------------
libcom_err

Issues:

The callback hook support (set_com_err_hook, reset_com_err_hook, and calls to com_err and com_err_va) uses a mutex to protect the handle on the hook function.
As a side effect of this, if a callback function is registered which pops up a window and waits for the user's acknowledgement, then other errors cannot be reported by other threads until after the acknowledgement.  This could be fixed with multiple-reader-one-writer type locks, but that's a bit more complicated.

The string returned by error_message may be per-thread storage.  It can be passed off between threads, but it shouldn't be in use by any thread by the time the originating thread calls error_message again.

Error tables must no longer be in use (including pointers returned by error_message) when the library containing them is unloaded.

Temporary:  A flag variable has been created in error_message.c which is used to try to catch cases where remove_error_table is called after the library finalization function.  This generally indicates out-of-order execution of the library finalization functions.  The handling of this flag is not thread-safe, but if the finalization function is called, other threads should in theory be finished with this library anyway.

Statics:  error_message.c, com_err.c, covered above.

----------------
libprofile (and its use in libkrb5)

Does no checks to see if it's opened multiple instances of the same file under different names.

Does not guard against trying to open a file while another thread or process is in the process of replacing it, or two threads trying to update a file at the same time.  The former should be pretty safe on UNIX with atomic rename, but on Windows there's a race condition; there's a window (so to speak) where the filename does not correspond to an actual file.

Statics:  prof_file.c, a list of opened config files and their parse trees, and a mutex to protect it.

----------------
libk5crypto

Uses of the Yarrow code from the krb5 crypto interface are protected by a single mutex.  Initialization of the Yarrow state will be done once, the first time these routines are called.
Calls directly to the Yarrow functions are not protected.

Uses ctype macros; what happens if the locale is changed in a multi-threaded program?

Debug var in pbkdf2.c.

Statics:  pbkdf2.c: debug variable.
Statics:  prng.c: Global Yarrow data and mutex.
Statics:  crypto_libinit.c: library initializer aux data.

----------------
libkrb5 (TBD)

Uses: ctype macros

Uses: getaddrinfo, getnameinfo.  According to current specifications, getaddrinfo should be thread-safe; some implementations are not, and we're not attempting to figure out which ones.  NetBSD 1.6, for example, had an unsafe implementation.

Uses: res_ninit, res_nsearch.  If these aren't available, the non-'n' versions will be used, and they are sometimes not thread-safe.

Uses: mkstemp, mktemp -- Are these, or our uses of them, likely to be thread-safe?

Uses: sigaction.  The use of sigaction is in the code prompting for a password; we try to catch the keyboard interrupt character being used and turn it into an error return from that function.  THIS IS NOT THREAD-SAFE.

Uses: tcgetattr, tcsetattr.  This is also in the password-prompting code.  These are fine as long as no other threads are accessing the same terminal at the same time.

Uses: fopen.  This is thread-safe, actually, but a multi-threaded server is likely to be using lots of file descriptors.  On 32-bit Solaris platforms, fopen will not work if the next available file descriptor number is 256 or higher.  This can cause the keytab code to fail.

Statics: prompter.c: interrupt flag
Statics: ccdefops.c: default operations table pointer
Statics: ktdefname.c: variable to override default keytab name, NO LOCKING.  DON'T TOUCH THESE VARIABLES, at least in threaded programs.
Statics: conv_creds.c: debug variable
Statics: sendto_kdc.c: debug variable, in export list for KDC
Statics: parse.c: default realm cache, changed to not cache
Statics: krb5_libinit.c: lib init aux data
Statics: osconfig.c: various internal variables, probably should be const
Statics: init_ctx.c: "brand" string; not written.
Statics: cc_memory.c: list of caches, with mutex.
Statics: c_ustime.c: last timestamp, to implement "microseconds must always increment"
Statics: ktbase.c, ccbase.c, rc_base.c: type registries and mutexes.

----------------
libgssapi_krb5 (TBD)

Uses: ctype macros

Statics: acquire_cred.c: name of keytab to use, and mutex.
Statics: gssapi_krb5.c:
Statics: init_sec_context.c:
Statics: set_ccache.c:
Statics: gssapi_generic.c: OID definitions, non-const by specification.  We probably could make them const anyway.

The keytab name saved away by krb5_gss_register_acceptor_identity is global and protected by a mutex; the ccache name stored by gss_krb5_ccache_name is per-thread.  This inconsistency is due to the anticipated usage patterns.

The old ccache name returned by gss_krb5_ccache_name if the last parameter is not a null pointer is also stored per-thread, and will be discarded at the next call to that routine from the same thread, or at thread termination.

Needs work: check various objects for thread safety

----------------
libgssrpc

New version is in place.  Ignore it for now?

----------------
libkadm5*
libkdb5

Skip these for now.  We may want the KDC libraries to be thread-safe eventually, so the KDC can take better advantage of hyperthreaded or multiprocessor systems.

----------------
libapputils
libss

Used by single-threaded programs only (but see above re KDC).  Don't bother for now.


krb5-1.19.2/doc/copyright.rst

Copyright
=========

Copyright |copy| 1985-2021 by the Massachusetts Institute of Technology and its contributors.  All rights reserved.
See :ref:`mitK5license` for additional copyright and license information.


krb5-1.19.2/doc/mitK5defaults.rst

.. _mitK5defaults:

MIT Kerberos defaults
=====================

General defaults
----------------

========================================== ============================= ====================
Description                                Default                       Environment
========================================== ============================= ====================
:ref:`keytab_definition` file              |keytab|                      **KRB5_KTNAME**
Client :ref:`keytab_definition` file       |ckeytab|                     **KRB5_CLIENT_KTNAME**
Kerberos config file :ref:`krb5.conf(5)`   |krb5conf|\ ``:``\            **KRB5_CONFIG**
                                           |sysconfdir|\ ``/krb5.conf``
KDC config file :ref:`kdc.conf(5)`         |kdcdir|\ ``/kdc.conf``       **KRB5_KDC_PROFILE**
GSS mechanism config file                  |sysconfdir|\ ``/gss/mech``   **GSS_MECH_CONFIG**
KDC database path (DB2)                    |kdcdir|\ ``/principal``
Master key :ref:`stash_definition`         |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)`  |kdcdir|\ ``/kadm5.acl``
OTP socket directory                       |kdcrundir|
Plugin base directory                      |libdir|\ ``/krb5/plugins``
:ref:`rcache_definition` directory         ``/var/tmp``                  **KRB5RCACHEDIR**
Master key default enctype                 |defmkey|
Default :ref:`keysalt list`                |defkeysalts|
Permitted enctypes                         |defetypes|
KDC default port                           88
Admin server port                          749
Password change port                       464
========================================== ============================= ====================

Replica KDC propagation defaults
--------------------------------

This table shows defaults used by the :ref:`kprop(8)` and :ref:`kpropd(8)` programs.
========================== ================================ ===========
Description                Default                          Environment
========================== ================================ ===========
kprop database dump file   |kdcdir|\ ``/replica_datatrans``
kpropd temporary dump file |kdcdir|\ ``/from_master``
kdb5_util location         |sbindir|\ ``/kdb5_util``
kprop location             |sbindir|\ ``/kprop``
kpropd ACL file            |kdcdir|\ ``/kpropd.acl``
kprop port                 754                              KPROP_PORT
========================== ================================ ===========

.. _paths:

Default paths for Unix-like systems
-----------------------------------

On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time.  For a custom build, these paths default to subdirectories of ``/usr/local``.  When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system's filesystem layout.

========================== ============= =========================== ===========================
Description                Symbolic name Custom build path           Typical OS path
========================== ============= =========================== ===========================
User programs              BINDIR        ``/usr/local/bin``          ``/usr/bin``
Libraries and plugins      LIBDIR        ``/usr/local/lib``          ``/usr/lib``
Parent of KDC state dir    LOCALSTATEDIR ``/usr/local/var``          ``/var``
Parent of KDC runtime dir  RUNSTATEDIR   ``/usr/local/var/run``      ``/run``
Administrative programs    SBINDIR       ``/usr/local/sbin``         ``/usr/sbin``
Alternate krb5.conf dir    SYSCONFDIR    ``/usr/local/etc``          ``/etc``
Default ccache name        DEFCCNAME     ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
Default keytab name        DEFKTNAME     ``FILE:/etc/krb5.keytab``   ``FILE:/etc/krb5.keytab``
========================== ============= =========================== ===========================

The default client keytab name (DEFCKTNAME) typically defaults to ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom build.
A native build will typically use a path which will vary according to the operating system's layout of ``/var``.


krb5-1.19.2/doc/basic/rcache_def.rst

.. _rcache_definition:

replay cache
============

A replay cache (or "rcache") keeps track of all authenticators recently presented to a service.  If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program.

The replay cache interface, like the credential cache and :ref:`keytab_definition` interfaces, uses `type:residual` strings to indicate the type of replay cache and any associated cache naming data to use.

Background information
----------------------

Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service.  But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re-sending or "replaying" the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed.  The attacker may not know what the messages say, and can't generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time.  For example, if the legitimate client sends "delete first message in mailbox", a replay from an attacker may delete another, different "first" message.  (Protocol design to guard against such problems has been discussed in :rfc:`4120#section-10`.)
Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and "replay" it against the second.

The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five-minute window expires.  Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same.

This mechanism isn't perfect.  If a message is sent to one application server but a man-in-the-middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host.  This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked.

Replay cache types
------------------

Unlike the credential cache and keytab interfaces, replay cache types are in lowercase.  The following types are defined:

#. **none** disables the replay cache.  The residual value is ignored.

#. **file2** (new in release 1.18) uses a hash-based format to store replay records.  The file may grow to accommodate hash collisions.  The residual value is the filename.

#. **dfl** is the default type if no environment variable or configuration specifies a different type.  It stores replay data in a file2 replay cache with a filename based on the effective uid.  The residual value is ignored.
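The rules for the **dfl** type (directory precedence, the ``krb5_EUID.rcache2`` filename, opening without following symlinks, and the ownership check) and the default-name precedence are spelled out in the rest of this section.  The following is an added example, not code from MIT krb5, that implements those rules in Python so they can be exercised against a scratch directory.  The ``env`` and ``libdefaults`` dictionaries stand in for the process environment and the ``[libdefaults]`` section of krb5.conf, ``CONFIGURED_TMPDIR`` is an assumed build-time value, and all function names are this example's own.

```python
"""Default replay cache name resolution and the dfl file rules: directory
precedence, krb5_EUID.rcache2 naming, open without following symlinks, and
an ownership check.

Added example, not MIT krb5 code.  env/libdefaults stand in for the process
environment and the [libdefaults] section of krb5.conf; all names are this
example's own.
"""
import errno
import os
import stat

# Assumed build-time temporary directory; the text gives /var/tmp as the example.
CONFIGURED_TMPDIR = "/var/tmp"


def default_rcache_name(env, libdefaults):
    """Descending priority: KRB5RCACHENAME, KRB5RCACHETYPE (with an empty
    residual), default_rcache_name in [libdefaults], then "dfl:"."""
    if env.get("KRB5RCACHENAME"):
        return env["KRB5RCACHENAME"]
    if env.get("KRB5RCACHETYPE"):
        return env["KRB5RCACHETYPE"] + ":"
    if libdefaults.get("default_rcache_name"):
        return libdefaults["default_rcache_name"]
    return "dfl:"


def split_rcache_name(name):
    """Split a type:residual string; replay cache types are lowercase."""
    rtype, sep, residual = name.partition(":")
    if not sep or not rtype:
        raise ValueError("replay cache name %r has no type prefix" % name)
    return rtype.lower(), residual


def dfl_rcache_path(env, euid, configured_tmpdir=CONFIGURED_TMPDIR):
    """Directory from KRB5RCACHEDIR, else TMPDIR, else the configured default;
    the filename is krb5_EUID.rcache2."""
    directory = (env.get("KRB5RCACHEDIR") or env.get("TMPDIR")
                 or configured_tmpdir)
    return os.path.join(directory, "krb5_%d.rcache2" % euid)


def open_dfl_rcache(path, euid):
    """Open or create the dfl replay cache file.

    O_NOFOLLOW makes open() fail (ELOOP) if someone planted a symlink at the
    expected path, which matters because /var/tmp is shared and world-writable;
    the fstat check then rejects anything that is not a regular file owned by
    euid.  Returns an open file descriptor, raises OSError otherwise.
    """
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(errno.EPERM, "not a regular file", path)
        if st.st_uid != euid:
            raise PermissionError(
                errno.EPERM,
                "owned by uid %d, expected %d" % (st.st_uid, euid), path)
    except BaseException:
        os.close(fd)
        raise
    return fd


def resolve_default_rcache(env, libdefaults, euid):
    """Resolve the default name; return None for "none" and an open fd for
    "dfl".  Other types (e.g. file2) are left to the caller, since this
    example models only the dfl path rules."""
    rtype, residual = split_rcache_name(default_rcache_name(env, libdefaults))
    if rtype == "none":
        return None
    if rtype == "dfl":
        return open_dfl_rcache(dfl_rcache_path(env, euid), euid)
    raise NotImplementedError("example handles only none and dfl, not %s:%s"
                              % (rtype, residual))


if __name__ == "__main__":
    euid = os.geteuid()
    print("default name:", default_rcache_name(os.environ, {}))
    print("dfl path:    ", dfl_rcache_path(os.environ, euid))
```

Running the module prints what the current environment would resolve to without touching the file; the functions themselves are what a service would call before accepting authenticators.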
For the dfl type, the location of the replay cache file is determined as follows:

#. The directory is taken from the **KRB5RCACHEDIR** environment variable, or the **TMPDIR** environment variable, or a temporary directory determined at configuration time such as ``/var/tmp``, in descending order of preference.

#. The filename is ``krb5_EUID.rcache2`` where EUID is the effective uid of the process.

#. The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid.

On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the **KRB5RCACHEDIR** environment variable.  The filename on Windows is ``krb5.rcache2``, and the file is opened normally.

Default replay cache name
-------------------------

The default replay cache name is determined by the following, in descending order of priority:

#. The **KRB5RCACHENAME** environment variable (new in release 1.18).

#. The **KRB5RCACHETYPE** environment variable.  If this variable is set, the residual value is empty.

#. The **default_rcache_name** profile variable in :ref:`libdefaults` (new in release 1.18).

#. If none of the above are set, the default replay cache name is ``dfl:``.


krb5-1.19.2/doc/basic/keytab_def.rst

.. _keytab_definition:

keytab
======

A keytab (short for "key table") stores long-term keys for one or more principals.  Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways.  Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications.

Keytabs are named using the format *type*\ ``:``\ *value*.  Usually *type* is ``FILE`` and *value* is the absolute pathname of the file.
The other possible value for *type* is ``MEMORY``, which indicates a temporary keytab stored in the memory of the current process.

A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself.

A keytab can be displayed using the :ref:`klist(1)` command with the ``-k`` option.  Keytabs can be created or appended to by extracting keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd` command.  Keytabs can be manipulated using the :ref:`ktutil(1)` and :ref:`k5srvutil(1)` commands.

Default keytab
--------------

The default keytab is used by server applications if the application does not request a specific keytab.  The name of the default keytab is determined by the following, in decreasing order of preference:

#. The **KRB5_KTNAME** environment variable.

#. The **default_keytab_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |keytab|.

Default client keytab
---------------------

The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications.  The principal name of the first entry in the client keytab is used by default when obtaining initial credentials.  The name of the default client keytab is determined by the following, in decreasing order of preference:

#. The **KRB5_CLIENT_KTNAME** environment variable.

#. The **default_client_keytab_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |ckeytab|.


krb5-1.19.2/doc/basic/date_format.rst

.. _datetime:

Supported date and time formats
===============================

.. _duration:

Time duration
-------------

This format is used to express a time duration in the Kerberos configuration files and user commands.
The allowed formats are:

====================== ============== ============
Format                 Example        Value
---------------------- -------------- ------------
h:m[:s]                36:00          36 hours
NdNhNmNs               8h30s          8 hours 30 seconds
N (number of seconds)  3600           1 hour
====================== ============== ============

Here *N* denotes a number, *d* - days, *h* - hours, *m* - minutes, *s* - seconds.

.. note:: The time interval should not exceed 2147483647 seconds.

Examples::

    Request a ticket valid for one hour, five hours, 30 minutes and
    10 days respectively:

      kinit -l 3600
      kinit -l 5:00
      kinit -l 30m
      kinit -l "10d 0h 0m 0s"


.. _getdate:

getdate time
------------

Some of the kadmin and kdb5_util commands take a date-time in a human-readable format.  Some of the acceptable date-time strings are:

+-----------+------------------+-----------------+
|           | Format           | Example         |
+===========+==================+=================+
| Date      | mm/dd/yy         | 07/27/12        |
|           +------------------+-----------------+
|           | month dd, yyyy   | Jul 27, 2012    |
|           +------------------+-----------------+
|           | yyyy-mm-dd       | 2012-07-27      |
+-----------+------------------+-----------------+
| Absolute  | HH:mm[:ss]pp     | 08:30 PM        |
| time      +------------------+-----------------+
|           | hh:mm[:ss]       | 20:30           |
+-----------+------------------+-----------------+
| Relative  | N tt             | 30 sec          |
| time      |                  |                 |
+-----------+------------------+-----------------+
| Time zone | Z                | EST             |
|           +------------------+-----------------+
|           | z                | -0400           |
+-----------+------------------+-----------------+

(See :ref:`abbreviation`.)

Examples::

    Create a principal that expires on the date indicated:

      addprinc test1 -expire "3/27/12 10:00:07 EST"
      addprinc test2 -expire "January 23, 2015 10:05pm"
      addprinc test3 -expire "22:00 GMT"

    Add a principal that will expire in 30 minutes:

      addprinc test4 -expire "30 minutes"


.. _abstime:

Absolute time
-------------

This rarely used date-time format can be noted in one of the following ways:

+------------------------+----------------------+--------------+
| Format                 | Example              | Value        |
+========================+======================+==============+
| yyyymmddhhmmss         | 20141231235900       | One minute   |
+------------------------+----------------------+ before 2015  |
| yyyy.mm.dd.hh.mm.ss    | 2014.12.31.23.59.00  |              |
+------------------------+----------------------+              |
| yymmddhhmmss           | 141231235900         |              |
+------------------------+----------------------+              |
| yy.mm.dd.hh.mm.ss      | 14.12.31.23.59.00    |              |
+------------------------+----------------------+              |
| dd-month-yyyy:hh:mm:ss | 31-Dec-2014:23:59:00 |              |
+------------------------+----------------------+--------------+
| hh:mm:ss               | 20:00:00             | 8 o'clock in |
+------------------------+----------------------+ the evening  |
| hhmmss                 | 200000               |              |
+------------------------+----------------------+--------------+

(See :ref:`abbreviation`.)

Example::

    Set the default expiration date to July 27, 2012 at 20:30

      default_principal_expiration = 20120727203000


.. _abbreviation:

Abbreviations used in this document
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| *month* : locale’s month name or its abbreviation;
| *dd* : day of month (01-31);
| *HH* : hours (00-12);
| *hh* : hours (00-23);
| *mm* : in time - minutes (00-59); in date - month (01-12);
| *N* : number;
| *pp* : AM or PM;
| *ss* : seconds (00-60);
| *tt* : time units (hours, minutes, min, seconds, sec);
| *yyyy* : year;
| *yy* : last two digits of the year;
| *Z* : alphabetic time zone abbreviation;
| *z* : numeric time zone;

.. note::

    - If the date specification contains spaces, you may need to enclose it in double quotes;
    - All keywords are case-insensitive.
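The three duration spellings from the :ref:`duration` section above (``h:m[:s]``, ``NdNhNmNs`` and a bare number of seconds), implemented as an added example rather than code from MIT krb5: ``parse_duration`` and ``format_duration`` are this example's names, and the library's own parser, ``krb5_string_to_deltat``, accepts additional spellings not listed in the table.  The parser enforces the 2147483647-second limit from the note.  Requiring ``NdNhNmNs`` units to appear at most once and in d, h, m, s order is this example's choice, not a rule the page states.

```python
"""Parser for the three documented krb5 duration spellings.

Added example, not MIT krb5 code: parse_duration/format_duration are this
example's names (the library's own parser, krb5_string_to_deltat, accepts
additional spellings).  The __main__ block uses constructed inputs.
"""
import re

# From the note in this section: a duration must not exceed this many seconds
# (the largest value of a signed 32-bit krb5_deltat).
MAX_DELTAT = 2147483647

_HMS = re.compile(r"^(\d+):(\d+)(?::(\d+))?$")     # h:m[:s]
_UNIT = re.compile(r"^\s*(\d+)\s*([dhms])\s*")     # one N<unit> term of NdNhNmNs
_SECONDS_PER = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Return the number of seconds denoted by a duration string.

    Accepts h:m[:s], NdNhNmNs (any subset of the units, whitespace allowed
    between terms, e.g. "8h30s" or "10d 0h 0m 0s"), or a bare number of
    seconds.  Raises ValueError for anything else or for values above
    MAX_DELTAT.
    """
    s = text.strip()
    if not s:
        raise ValueError("empty duration")
    if s.isdigit():                       # N: plain seconds
        total = int(s)
    elif _HMS.match(s):                   # h:m[:s]
        h, m, sec = (int(g) if g else 0 for g in _HMS.match(s).groups())
        total = h * 3600 + m * 60 + sec
    else:                                 # NdNhNmNs
        total = 0
        last_weight = None
        rest = s
        while rest:
            term = _UNIT.match(rest)
            if term is None:
                raise ValueError("bad duration %r" % text)
            n, unit = int(term.group(1)), term.group(2)
            weight = _SECONDS_PER[unit]
            # This example's choice (the page does not say): units appear at
            # most once and in d, h, m, s order, so "1s2m" and "1h1h" are rejected.
            if last_weight is not None and weight >= last_weight:
                raise ValueError("units out of order or repeated in %r" % text)
            last_weight = weight
            total += n * weight
            rest = rest[term.end():]
    if total > MAX_DELTAT:
        raise ValueError("duration %r exceeds %d seconds" % (text, MAX_DELTAT))
    return total


def format_duration(seconds):
    """Inverse of parse_duration using the NdNhNmNs spelling; 0 becomes "0s"."""
    if not 0 <= seconds <= MAX_DELTAT:
        raise ValueError("duration out of range")
    parts = []
    for unit in "dhms":
        n, seconds = divmod(seconds, _SECONDS_PER[unit])
        if n:
            parts.append("%d%s" % (n, unit))
    return "".join(parts) or "0s"


if __name__ == "__main__":
    # Constructed inputs: the four kinit -l values from the examples above.
    for arg in ("3600", "5:00", "30m", "10d 0h 0m 0s"):
        secs = parse_duration(arg)
        print("%-14s -> %10d s  (%s)" % (arg, secs, format_duration(secs)))
```

Rejecting over-limit values up front mirrors what a configuration validator should do: a lifetime that silently wraps or truncates in a 32-bit field is the kind of mistake that ends up as an unexpectedly short (or long) ticket life.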
krb5-1.19.2/doc/basic/ccache_def.rst

.. _ccache_definition:

Credential cache
================

A credential cache (or "ccache") holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification.  If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password.  Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised.

A credentials cache stores a default client principal name, set when the cache is created.  This is the name shown at the top of the :ref:`klist(1)` *-A* output.  Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself.  There are also other entries, indicated by special names, that store additional information.

ccache types
------------

The credential cache interface, like the :ref:`keytab_definition` and :ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the type of credential cache and any associated cache naming data to use.

There are several kinds of credentials cache supported in the MIT Kerberos library.  Not all are supported on every platform.  In most cases, it should be correct to use the default type built into the library.

#. **API** is only implemented on Windows.  It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

#. **DIR** points to the storage location of the collection of the credential caches in *FILE:* format.  It is most useful when dealing with multiple Kerberos realms and KDCs.
   For release 1.10 the directory must already exist.  In post-1.10 releases the requirement is for the parent directory to exist and the current process must have permissions to create the directory if it does not exist.  See :ref:`col_ccache` for details.  New in release 1.10.  The following residual forms are supported:

   * DIR:dirname
   * DIR::dirpath/filename - a single cache within the directory

   Switching to a ccache of the latter type causes it to become the primary for the directory.

#. **FILE** caches are the simplest and most portable.  A simple flat file format is used to store one credential after another.  This is the default ccache type if no type is specified in a ccache name.

#. **KCM** caches work by contacting a daemon process called ``kcm`` to perform cache operations.  If the cache name is just ``KCM:``, the default cache as determined by the KCM daemon will be used.  Newly created caches must generally be named ``KCM:uid:name``, where *uid* is the effective user ID of the running process.

   KCM client support is new in release 1.13.  A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal.  macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the **KCM** cache type is used as the default cache on that platform in a default build.

#. **KEYRING** is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.  The following residual forms are supported:

   * KEYRING:name
   * KEYRING:process:name - process keyring
   * KEYRING:thread:name - thread keyring

   Starting with release 1.12 the *KEYRING* type supports collections.  The following new residual forms were added:

   * KEYRING:session:name - session keyring
   * KEYRING:user:name - user keyring
   * KEYRING:persistent:uidnumber - persistent per-UID collection.
     Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire.  This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring.

   See :ref:`col_ccache` for details.

#. **MEMORY** caches are for storage of credentials that don't need to be made available outside of the current process.  For example, a memory ccache is used by :ref:`kadmin(1)` to store the administrative ticket used to contact the admin server.  Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

#. **MSLSA** is a Windows-specific cache type that accesses the Windows credential store.


.. _col_ccache:

Collections of caches
---------------------

Some credential cache types can support collections of multiple caches.  One of the caches in the collection is designated as the *primary* and will be used when the collection is resolved as a cache.  When a collection-enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm.

Credential cache collections are new in release 1.10, with support from the **DIR** and **API** ccache types.  Starting in release 1.12, collections are also supported by the **KEYRING** ccache type.  Collections are supported by the **KCM** ccache type in release 1.13.

Tool alterations to use cache collection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection.

* If the default cache type supports switching, :ref:`kinit(1)` *princname* will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists.  Either way, kinit will switch to the selected cache.
* :ref:`klist(1)` *-l* will list the caches in the collection.

* :ref:`klist(1)` *-A* will show the content of all caches in the collection.

* :ref:`kswitch(1)` *-p princname* will search the collection for a matching cache and switch to it.

* :ref:`kswitch(1)` *-c cachename* will switch to a specified cache.

Default ccache name
-------------------

The default credential cache name is determined by the following, in descending order of priority:

#. The **KRB5CCNAME** environment variable.  For example, ``KRB5CCNAME=DIR:/mydir/``.

#. The **default_ccache_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |ccache|.


krb5-1.19.2/doc/basic/index.rst

.. _basic_concepts:

Kerberos V5 concepts
====================

.. toctree::
   :maxdepth: 1

   ccache_def
   keytab_def
   rcache_def
   stash_file_def
   date_format


krb5-1.19.2/doc/basic/stash_file_def.rst

.. _stash_definition:

stash file
==========

The stash file is a local copy of the master key that resides in encrypted form on the KDC's local disk.  The stash file is used to authenticate the KDC to itself automatically before starting the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the machine's boot sequence).  The stash file, like the keytab file (see :ref:`keytab_file`), is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database.  If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk.  The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself.

.. note::

    If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up.
          This means that the KDC will not be able to start
          automatically, such as after a system reboot.

krb5-1.19.2/doc/conf.py

# -*- coding: utf-8 -*-
#
# MIT Kerberos documentation build configuration file, created by
# sphinx-quickstart on Wed Oct 13 09:14:03 2010.
#
# This file is execfile()d with the current directory set to its containing dir.
#
# Note that not all possible configuration values are present in this
# autogenerated file.
#
# All configuration values have a default; values that are commented out
# serve to show the default.

import sys, os

# If extensions (or modules to document with autodoc) are in another directory,
# add these directories to sys.path here. If the directory is relative to the
# documentation root, use os.path.abspath to make it absolute, like shown here.
#sys.path.insert(0, os.path.abspath('.'))

# -- General configuration -----------------------------------------------------

# If your documentation needs a minimal Sphinx version, state it here.
#needs_sphinx = '1.0'

# Add any Sphinx extension module names here, as strings. They can be extensions
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
#extensions = ['sphinx.ext.autodoc', 'sphinxcontrib.doxylink']
extensions = ['sphinx.ext.autodoc']

# Add any paths that contain templates here, relative to this directory.
templates_path = ['_templates']

# The suffix of source filenames.
source_suffix = '.rst'

# The encoding of source files.
#source_encoding = 'utf-8-sig'

# The master toctree document.
if 'notice' in tags:
    master_doc = 'notice'
else:
    master_doc = 'index'

# General information about the project.
project = u'MIT Kerberos'
copyright = u'1985-2021, MIT'

# The version info for the project you're documenting, acts as replacement for
# |version| and |release|, also used in various other places throughout the
# built documents.
exec(open("version.py").read())
# The short X.Y version.
r_list = [r_major, r_minor]
if r_patch:
    r_list += [r_patch]
version = '.'.join(map(str, r_list))
# The full version, including alpha/beta/rc tags.
release = version
if r_tail:
    release += '-' + r_tail

# The language for content autogenerated by Sphinx. Refer to documentation
# for a list of supported languages.
#language = None

# There are two options for replacing |today|: either, you set today to some
# non-false value, then it is used:
today = ' '
# Else, today_fmt is used as the format for a strftime call.
#today_fmt = '%B %d, %Y'

# List of patterns, relative to source directory, that match files and
# directories to ignore when looking for source files.
exclude_patterns = []

# The reST default role (used for this markup: `text`) to use for all documents.
#default_role = None

# If true, '()' will be appended to :func: etc. cross-reference text.
#add_function_parentheses = True

# If true, the current module name will be prepended to all description
# unit titles (such as .. function::).
#add_module_names = True

# If true, sectionauthor and moduleauthor directives will be shown in the
# output. They are ignored by default.
#show_authors = False

# The name of the Pygments (syntax highlighting) style to use.
pygments_style = 'sphinx'

# A list of ignored prefixes for module index sorting.
#modindex_common_prefix = []


# -- Options for HTML output ---------------------------------------------------

# When we can rely on Sphinx 1.8 (released Sep 2018) we can just set:
# html_css_files = ['kerb.css']
# But in the meantime, we add this file using either a way that works
# after 1.8 or a way that works before 4.0.
def setup(app):
    if callable(getattr(app, 'add_css_file', None)):
        app.add_css_file('kerb.css')
    else:
        app.add_stylesheet('kerb.css')

# The theme to use for HTML and HTML Help pages.  See the documentation for
# a list of builtin themes.
# html_theme = 'default'
html_theme = 'agogo'

# Theme options are theme-specific and customize the look and feel of a theme
# further.  For a list of options available for each theme, see the
# documentation.
html_theme_options = {
    "linkcolor": "#881f0d",
    "footerbg": "#5d1509",
    "bgcolor": "#5d1509",
    "documentwidth": "80%",
    "pagewidth": "auto",
    "sidebarwidth": "20%"
}

# Add any paths that contain custom themes here, relative to this directory.
#html_theme_path = []

# The name for this set of Sphinx documents.  If None, it defaults to
# " v documentation".
html_title = "MIT Kerberos Documentation"

# A shorter title for the navigation bar.  Default is the same as html_title.
#html_short_title = None

# The name of an image file (relative to this directory) to place at the top
# of the sidebar.
if os.environ.get('HTML_LOGO'):
    html_logo = os.environ['HTML_LOGO']

# The name of an image file (within the static path) to use as favicon of the
# docs.  This file should be a Windows icon file (.ico) being 16x16 or 32x32
# pixels large.
#html_favicon = None

# Add any paths that contain custom static files (such as style sheets) here,
# relative to this directory. They are copied after the builtin static files,
# so a file named "default.css" will overwrite the builtin "default.css".
html_static_path = ['_static']

# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
# using the given strftime format.
#html_last_updated_fmt = '%b %d, %Y'

# Custom sidebar templates, maps document names to template names.
#html_sidebars = {}

# Additional templates that should be rendered to pages, maps page names to
# template names.
#html_additional_pages = {}

# If false, no module index is generated.
#html_domain_indices = True

# If false, no index is generated.
#html_use_index = True

# If true, the index is split into individual pages for each letter.
html_split_index = True

# If true, links to the reST sources are added to the pages.
html_show_sourcelink = False

# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
#html_show_sphinx = True

# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
#html_show_copyright = True

# If true, an OpenSearch description file will be output, and all pages will
# contain a tag referring to it.  The value of this option must be the
# base URL from which the finished HTML is served.
#html_use_opensearch = ''

# This is the file name suffix for HTML files (e.g., ".xhtml").
#html_file_suffix = None

# Output file base name for HTML help builder.
htmlhelp_basename = 'MIT Kerberos'

pointsize = '10pt'

# -- Options for LaTeX output --------------------------------------------------

# The paper size ('letter' or 'a4').
#latex_paper_size = 'letter'

# The font size ('10pt', '11pt' or '12pt').
#latex_font_size = '10pt'

# Grouping the document tree into LaTeX files. List of tuples
# (source start file, target name, title, author, documentclass [howto/manual]).
latex_documents = [
    ('admin/index', 'admin.tex', u"Kerberos Administration Guide",
     u'MIT', 'manual'),
    ('appdev/index', 'appdev.tex', u"Kerberos Application Developer Guide",
     u'MIT', 'manual'),
    ('basic/index', 'basic.tex', u"Kerberos Concepts",
     u'MIT', 'manual'),
    ('build/index', 'build.tex', u"Building MIT Kerberos",
     u'MIT', 'manual'),
    ('plugindev/index', 'plugindev.tex',
     u"Kerberos Plugin Module Developer Guide", u'MIT', 'manual'),
    ('user/index', 'user.tex', u"Kerberos User Guide",
     u'MIT', 'manual')
]

# The name of an image file (relative to this directory) to place at the top of
# the title page.
#latex_logo = None

# For "manual" documents, if this is true, then toplevel headings are parts,
# not chapters.
#latex_use_parts = False

# If true, show page references after internal links.
#latex_show_pagerefs = False

# If true, show URL addresses after external links.
#latex_show_urls = False

# Additional stuff for the LaTeX preamble.
#latex_preamble = ''

# Documents to append as an appendix to all manuals.
#latex_appendices = []

# If false, no module index is generated.
#latex_domain_indices = True

if 'mansubs' in tags:
    bindir = '``@BINDIR@``'
    sbindir = '``@SBINDIR@``'
    libdir = '``@LIBDIR@``'
    localstatedir = '``@LOCALSTATEDIR@``'
    runstatedir = '``@RUNSTATEDIR@``'
    sysconfdir = '``@SYSCONFDIR@``'
    ccache = '``@CCNAME@``'
    keytab = '``@KTNAME@``'
    ckeytab = '``@CKTNAME@``'
elif 'pathsubs' in tags:
    # Read configured paths from a file produced by the build system.
    exec(open("paths.py").read())
else:
    bindir = ':ref:`BINDIR `'
    sbindir = ':ref:`SBINDIR `'
    libdir = ':ref:`LIBDIR `'
    localstatedir = ':ref:`LOCALSTATEDIR `'
    runstatedir = ':ref:`RUNSTATEDIR `'
    sysconfdir = ':ref:`SYSCONFDIR `'
    ccache = ':ref:`DEFCCNAME `'
    keytab = ':ref:`DEFKTNAME `'
    ckeytab = ':ref:`DEFCKTNAME `'

rst_epilog = '\n'

if 'notice' in tags:
    exclude_patterns = [
        'admin', 'appdev', 'basic', 'build', 'plugindev', 'user'
    ]
    exclude_patterns += [
        'about.rst', 'build_this.rst', 'copyright.rst', 'index.rst',
        'mitK5*.rst', 'resources.rst'
    ]
    rst_epilog += '.. |copy| replace:: \(C\)'
else:
    exclude_patterns += [ 'notice.rst' ]
    rst_epilog += '.. |bindir| replace:: %s\n' % bindir
    rst_epilog += '.. |sbindir| replace:: %s\n' % sbindir
    rst_epilog += '.. |libdir| replace:: %s\n' % libdir
    rst_epilog += '.. |kdcdir| replace:: %s\\ ``/krb5kdc``\n' % localstatedir
    rst_epilog += '.. |kdcrundir| replace:: %s\\ ``/krb5kdc``\n' % runstatedir
    rst_epilog += '.. |sysconfdir| replace:: %s\n' % sysconfdir
    rst_epilog += '.. |ccache| replace:: %s\n' % ccache
    rst_epilog += '.. |keytab| replace:: %s\n' % keytab
    rst_epilog += '.. |ckeytab| replace:: %s\n' % ckeytab
    rst_epilog += '''
.. |krb5conf| replace:: ``/etc/krb5.conf``
.. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal``
.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac``
.. |defmkey| replace:: ``aes256-cts-hmac-sha1-96``
.. |copy| unicode:: U+000A9
'''

# -- Options for manual page output --------------------------------------------

# One entry per manual page. List of tuples
# (source start file, name, description, authors, manual section).
man_pages = [
    ('user/user_commands/kinit', 'kinit',
     u'obtain and cache Kerberos ticket-granting ticket', [u'MIT'], 1),
    ('user/user_commands/klist', 'klist',
     u'list cached Kerberos tickets', [u'MIT'], 1),
    ('user/user_commands/kdestroy', 'kdestroy',
     u'destroy Kerberos tickets', [u'MIT'], 1),
    ('user/user_commands/kswitch', 'kswitch',
     u'switch primary ticket cache', [u'MIT'], 1),
    ('user/user_commands/kpasswd', 'kpasswd',
     u'change a user\'s Kerberos password', [u'MIT'], 1),
    ('user/user_commands/kvno', 'kvno',
     u'print key version numbers of Kerberos principals', [u'MIT'], 1),
    ('user/user_commands/ksu', 'ksu',
     u'Kerberized super-user', [u'MIT'], 1),
    ('user/user_commands/krb5-config', 'krb5-config',
     u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1),
    ('user/user_config/k5login', 'k5login',
     u'Kerberos V5 acl file for host access', [u'MIT'], 5),
    ('user/user_config/k5identity', 'k5identity',
     u'Kerberos V5 client principal selection rules', [u'MIT'], 5),
    ('user/user_config/kerberos', 'kerberos',
     u'Overview of using Kerberos', [u'MIT'], 7),
    ('admin/admin_commands/krb5kdc', 'krb5kdc',
     u'Kerberos V5 KDC', [u'MIT'], 8),
    ('admin/admin_commands/kadmin_local', 'kadmin',
     u'Kerberos V5 database administration program', [u'MIT'], 1),
    ('admin/admin_commands/kprop', 'kprop',
     u'propagate a Kerberos V5 principal database to a replica server',
     [u'MIT'], 8),
    ('admin/admin_commands/kproplog', 'kproplog',
     u'display the contents of the Kerberos principal update log',
     [u'MIT'], 8),
    ('admin/admin_commands/kpropd', 'kpropd',
     u'Kerberos V5 replica KDC update server', [u'MIT'], 8),
    ('admin/admin_commands/kdb5_util', 'kdb5_util',
     u'Kerberos database maintenance utility', [u'MIT'], 8),
    ('admin/admin_commands/ktutil', 'ktutil',
     u'Kerberos keytab file maintenance utility', [u'MIT'], 1),
    ('admin/admin_commands/k5srvutil', 'k5srvutil',
     u'host key table (keytab) manipulation utility', [u'MIT'], 1),
    ('admin/admin_commands/kadmind', 'kadmind',
     u'KADM5 administration server', [u'MIT'], 8),
    ('admin/admin_commands/kdb5_ldap_util', 'kdb5_ldap_util',
     u'Kerberos configuration utility', [u'MIT'], 8),
    ('admin/conf_files/krb5_conf', 'krb5.conf',
     u'Kerberos configuration file', [u'MIT'], 5),
    ('admin/conf_files/kdc_conf', 'kdc.conf',
     u'Kerberos V5 KDC configuration file', [u'MIT'], 5),
    ('admin/conf_files/kadm5_acl', 'kadm5.acl',
     u'Kerberos ACL file', [u'MIT'], 5),
    ('user/user_commands/sclient', 'sclient',
     u'sample Kerberos version 5 client', [u'MIT'], 1),
    ('admin/admin_commands/sserver', 'sserver',
     u'sample Kerberos version 5 server', [u'MIT'], 8),
]

krb5-1.19.2/doc/mitK5license.rst

.. _mitK5license:

MIT Kerberos License information
================================

.. toctree::
   :hidden:

   copyright.rst

.. include:: notice.rst

krb5-1.19.2/doc/build/osconf.rst

osconf.hin
==========

There is one configuration file which you may wish to edit to control
various compile-time parameters in the Kerberos distribution::

    include/osconf.hin

The list that follows is by no means complete, just some of the more
interesting variables.

**DEFAULT_PROFILE_PATH**
    The pathname to the file which contains the profiles for the known
    realms, their KDCs, etc. The default value is |krb5conf|.

**DEFAULT_KEYTAB_NAME**
    The type and pathname to the default server keytab file.
    The default is |keytab|.

**DEFAULT_KDC_ENCTYPE**
    The default encryption type for the KDC database master key. The
    default value is |defmkey|.

**RCTMPDIR**
    The directory which stores replay caches. The default is
    ``/var/tmp``.

**DEFAULT_KDB_FILE**
    The location of the default database. The default value is
    |kdcdir|\ ``/principal``.

krb5-1.19.2/doc/build/directory_org.rst

Organization of the source directory
====================================

Below is a brief overview of the organization of the complete source
directory. More detailed descriptions follow.

=============== ==============================================
appl            Kerberos application client and server programs
ccapi           Credential cache services
clients         Kerberos V5 user programs (See :ref:`user_commands`)
config          Configure scripts
config-files    Sample Kerberos configuration files
include         include files needed to build the Kerberos system
kadmin          Administrative interface to the Kerberos database:
                :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`.
kdc             Kerberos V5 Authentication Service and Key Distribution Center
lib_            Libraries for use with/by Kerberos V5
plugins         Kerberos plugins directory
po              Localization infrastructure
prototype       Templates files containing the MIT copyright message and a
                placeholder for the title and description of the file.
kprop           Utilities for propagating the database to replica KDCs
                :ref:`kprop(8)` and :ref:`kpropd(8)`
tests           Test suite
util_           Various utilities for building/configuring the code, sending
                bug reports, etc.
windows         Source code for building Kerberos V5 on Windows (see
                windows/README)
=============== ==============================================

.. _lib:

lib
---

The lib directory contains several subdirectories as well as some
definition and glue files.

- The apputils directory contains the code for the generic network
  servicing.
- The crypto subdirectory contains the Kerberos V5 encryption library.
- The gssapi library contains the Generic Security Services API, which
  is a library of commands to be used in secure client-server
  communication.
- The kadm5 directory contains the libraries for the KADM5
  administration utilities.
- The Kerberos 5 database libraries are contained in kdb.
- The krb5 directory contains the Kerberos 5 API.
- The rpc directory contains the API for the Kerberos Remote Procedure
  Call protocol.

.. _util:

util
----

The util directory contains several utility programs and libraries.

- the programs used to configure and build the code, such as autoconf,
  lndir, kbuild, reconf, and makedepend, are in this directory.
- the profile directory contains most of the functions which parse the
  Kerberos configuration files (krb5.conf and kdc.conf).
- the Kerberos error table library and utilities (et);
- the Sub-system library and utilities (ss);
- database utilities (db2);
- pseudo-terminal utilities (pty);
- bug-reporting program send-pr;
- a generic support library support used by several of our other
  libraries;
- the build infrastructure for building lightweight Kerberos client
  (collected-client-lib)
- the tool for validating Kerberos configuration files (confvalidator);
- the toolkit for kernel integrators for building krb5 code subsets
  (gss-kernel-lib);
- source code for building Kerberos V5 on MacOS (mac)
- Windows getopt operations (windows)

krb5-1.19.2/doc/build/doing_build.rst

Doing the build
===============

.. _do_build:

Building within a single tree
-----------------------------

If you only need to build Kerberos for one platform, using a single
directory tree which contains both the source files and the object
files is the simplest. However, if you need to maintain Kerberos for a
large number of platforms, you will probably want to use separate
build trees for each platform.
We recommend that you look at OS Incompatibilities, for notes that we
have on particular operating systems.

If you don't want separate build trees for each architecture, then use
the following abbreviated procedure::

    cd /u1/krb5-VERSION/src
    ./configure
    make

That's it!

Building with separate build directories
----------------------------------------

If you wish to keep separate build directories for each platform, you
can do so using the following procedure. (Note, this requires that
your make program support VPATH. GNU's make will provide this
functionality, for example.) If your make program does not support
this, see the next section.

For example, if you wish to store the binaries in the ``tmpbuild``
build directory you might use the following procedure::

    mkdir /u1/tmpbuild
    cd /u1/tmpbuild
    /u1/krb5-VERSION/src/configure
    make

Building using lndir
--------------------

If you wish to keep separate build directories for each platform, and
you do not have access to a make program which supports VPATH, all is
not lost. You can use the lndir program to create symbolic link trees
in your build directory.

For example, if you wish to create a build directory for solaris
binaries you might use the following procedure::

    mkdir /u1/krb5-VERSION/solaris
    cd /u1/krb5-VERSION/solaris
    /u1/krb5-VERSION/src/util/lndir `pwd`/../src
    ./configure
    make

You must give an absolute pathname to lndir because it has a bug that
makes it fail for relative pathnames. Note that this version differs
from the latest version as distributed and installed by the
XConsortium with X11R6. Either version should be acceptable.

Installing the binaries
-----------------------

Once you have built Kerberos, you should install the binaries. You can
do this by running::

    make install

If you want to install the binaries into a destination directory that
is not their final destination, which may be convenient if you want to
build a binary distribution to be deployed on multiple hosts, you may
use::

    make install DESTDIR=/path/to/destdir

This will install the binaries under *DESTDIR/PREFIX*, e.g., the user
programs will install into *DESTDIR/PREFIX/bin*, the libraries into
*DESTDIR/PREFIX/lib*, etc. *DESTDIR* must be an absolute path.

Some implementations of make allow multiple commands to be run in
parallel, for faster builds. We test our Makefiles in parallel builds
with GNU make only; they may not be compatible with other parallel
build implementations.

Testing the build
-----------------

The Kerberos V5 distribution comes with built-in regression tests. To
run them, simply type the following command while in the top-level
build directory (i.e., the directory where you typed make to start
building Kerberos; see :ref:`do_build`)::

    make check

However, there are several prerequisites that must be satisfied first:

* Configure and build Kerberos with Tcl support. Tcl is used to drive
  the test suite. This often means passing **-**\ **-with-tcl** to
  configure to tell it the location of the Tcl configuration script.
  (See :ref:`options2configure`.)

* In addition to Tcl, DejaGnu must be available on the system for
  some of the tests to run. The test suite will still run the other
  tests if DejaGnu is not present, but the test coverage will be
  reduced accordingly.

* On some operating systems, you have to run ``make install`` before
  running ``make check``, or the test suite will pick up installed
  versions of Kerberos libraries rather than the newly built ones. You
  can install into a prefix that isn't in the system library search
  path, though. Alternatively, you can configure with
  **-**\ **-disable-rpath**, which renders the build tree less
  suitable for installation, but allows testing without interference
  from previously installed libraries.

There are additional regression tests available, which are not run by
``make check``. These tests require manual setup and teardown of
support infrastructure which is not easily automated, or require
excessive resources for ordinary use. The procedure for running the
manual tests is documented at
https://k5wiki.kerberos.org/wiki/Manual_Testing.

Cleaning up the build
---------------------

* Use ``make clean`` to remove all files generated by running the
  make command.
* Use ``make distclean`` to remove all files generated by running the
  ./configure script. After running ``make distclean`` your source
  tree (ideally) should look like the raw (just un-tarred) source
  tree.

Using autoconf
--------------

(If you are not a developer, you can ignore this section.)

In the Kerberos V5 source directory, there is a configure script which
automatically determines the compilation environment and creates the
proper Makefiles for a particular platform. This configure script is
generated using autoconf, which you should already have installed if
you will be making changes to ``src/configure.in``.

Normal users will not need to worry about running autoconf; the
distribution comes with the configure script already prebuilt.

The autoconf package comes with a script called ``autoreconf`` that
will automatically run ``autoconf`` and ``autoheader`` as needed. You
should run ``autoreconf`` from the top source directory, e.g.::

    cd /u1/krb5-VERSION/src
    autoreconf --verbose

krb5-1.19.2/doc/build/options2configure.rst

.. _options2configure:

Options to *configure*
======================

There are a number of options to configure which you can use to
control how the Kerberos distribution is built.
Most commonly used options
--------------------------

**-**\ **-help**
    Provides help to configure. This will list the set of commonly
    used options for building Kerberos.

**-**\ **-prefix=**\ *PREFIX*
    By default, Kerberos will install the package's files rooted at
    ``/usr/local``. If you desire to place the binaries into the
    directory *PREFIX*, use this option.

**-**\ **-exec-prefix=**\ *EXECPREFIX*
    This option allows one to separate the architecture-independent
    programs from the host-dependent files (configuration files,
    manual pages). Use this option to install architecture-dependent
    programs in *EXECPREFIX*. The default location is the value
    specified by the **-**\ **-prefix** option.

**-**\ **-localstatedir=**\ *LOCALSTATEDIR*
    This option sets the directory for locally modifiable
    single-machine data. In Kerberos, this mostly is useful for
    setting a location for the KDC data files, as they will be
    installed in ``LOCALSTATEDIR/krb5kdc``, which is by default
    ``PREFIX/var/krb5kdc``.

**-**\ **-with-netlib**\ [=\ *libs*]
    Allows for suppression of or replacement of network libraries. By
    default, Kerberos V5 configuration will look for ``-lnsl`` and
    ``-lsocket``. If your operating system has a broken resolver
    library or fails to pass the tests in ``src/tests/resolv``, you
    will need to use this option.

**-**\ **-with-tcl=**\ *TCLPATH*
    Some of the unit-tests in the build tree rely upon using a program
    in Tcl. The directory specified by *TCLPATH* specifies where the
    Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl
    library (TCLPATH/lib) should be found.

**-**\ **-enable-dns-for-realm**
    Enable the use of DNS to look up a host's Kerberos realm, if the
    information is not provided in :ref:`krb5.conf(5)`. See
    :ref:`mapping_hostnames` for information about using DNS to
    determine the default realm. DNS lookups for realm names are
    disabled by default.

**-**\ **-with-system-et**
    Use an installed version of the error-table (et) support software,
    the compile_et program, the com_err.h header file and the com_err
    library. If these are not in the default locations, you may wish
    to specify ``CPPFLAGS=-I/some/dir`` and
    ``LDFLAGS=-L/some/other/dir`` options at configuration time as
    well.

    If this option is not given, a version supplied with the Kerberos
    sources will be built and installed along with the rest of the
    Kerberos tree, for Kerberos applications to link against.

**-**\ **-with-system-ss**
    Use an installed version of the subsystem command-line interface
    software, the mk_cmds program, the ``ss/ss.h`` header file and the
    ss library. If these are not in the default locations, you may
    wish to specify ``CPPFLAGS=-I/some/dir`` and
    ``LDFLAGS=-L/some/other/dir`` options at configuration time as
    well. See also the **SS_LIB** option.

    If this option is not given, the ss library supplied with the
    Kerberos sources will be compiled and linked into those programs
    that need it; it will not be installed separately.

**-**\ **-with-system-db**
    Use an installed version of the Berkeley DB package, which must
    provide an API compatible with version 1.85. This option is
    unsupported and untested. In particular, we do not know if the
    database-rename code used in the dumpfile load operation will
    behave properly.

    If this option is not given, a version supplied with the Kerberos
    sources will be built and installed. (We are not updating this
    version at this time because of licensing issues with newer
    versions that we haven't investigated sufficiently yet.)

Environment variables
---------------------

**CC=**\ *COMPILER*
    Use *COMPILER* as the C compiler.

**CFLAGS=**\ *FLAGS*
    Use *FLAGS* as the default set of C compiler flags.

**CPP=**\ *CPP*
    C preprocessor to use. (e.g., ``CPP='gcc -E'``)

**CPPFLAGS=**\ *CPPOPTS*
    Use *CPPOPTS* as the default set of C preprocessor flags. The most
    common use of this option is to select certain #define's for use
    with the operating system's include files.

**DB_HEADER=**\ *headername*
    If db.h is not the correct header file to include to compile
    against the Berkeley DB 1.85 API, specify the correct header file
    name with this option. For example, ``DB_HEADER=db3/db_185.h``.

**DB_LIB=**\ *libs*...
    If ``-ldb`` is not the correct library specification for the
    Berkeley DB library version to be used, override it with this
    option. For example, ``DB_LIB=-ldb-3.3``.

**DEFCCNAME=**\ *ccachename*
    Override the built-in default credential cache name. For example,
    ``DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache``. See
    :ref:`parameter_expansion` for information about supported
    parameter expansions.

**DEFCKTNAME=**\ *keytabname*
    Override the built-in default client keytab name. The format is
    the same as for *DEFCCNAME*.

**DEFKTNAME=**\ *keytabname*
    Override the built-in default keytab name. The format is the same
    as for *DEFCCNAME*.

**LD=**\ *LINKER*
    Use *LINKER* as the default loader if it should be different from
    the C compiler as specified above.

**LDFLAGS=**\ *LDOPTS*
    This option informs the linker where to get additional libraries
    (e.g., ``-L``).

**LIBS=**\ *LDNAME*
    This option allows one to specify libraries to be passed to the
    linker (e.g., ``-l``).

**SS_LIB=**\ *libs*...
    If ``-lss`` is not the correct way to link in your installed ss
    library, for example if additional support libraries are needed,
    specify the correct link options here. Some variants of this
    library are around which allow for Emacs-like line editing, but
    different versions require different support libraries to be
    explicitly specified.

    This option is ignored if **-**\ **-with-system-ss** is not
    specified.

**YACC**
    The 'Yet Another C Compiler' implementation to use. Defaults to
    the first program found out of: '`bison -y`', '`byacc`',
    '`yacc`'.

**YFLAGS**
    The list of arguments that will be passed by default to $YACC.
    This script will default YFLAGS to the empty string to avoid a
    default value of ``-d`` given by some make applications.

Fine tuning of the installation directories
-------------------------------------------

**-**\ **-bindir=**\ *DIR*
    User executables. Defaults to ``EXECPREFIX/bin``, where
    *EXECPREFIX* is the path specified by the
    **-**\ **-exec-prefix** configuration option.

**-**\ **-sbindir=**\ *DIR*
    System admin executables. Defaults to ``EXECPREFIX/sbin``, where
    *EXECPREFIX* is the path specified by the
    **-**\ **-exec-prefix** configuration option.

**-**\ **-sysconfdir=**\ *DIR*
    Read-only single-machine data such as krb5.conf. Defaults to
    ``PREFIX/etc``, where *PREFIX* is the path specified by the
    **-**\ **-prefix** configuration option.

**-**\ **-libdir=**\ *DIR*
    Object code libraries. Defaults to ``EXECPREFIX/lib``, where
    *EXECPREFIX* is the path specified by the
    **-**\ **-exec-prefix** configuration option.

**-**\ **-includedir=**\ *DIR*
    C header files. Defaults to ``PREFIX/include``, where *PREFIX* is
    the path specified by the **-**\ **-prefix** configuration option.

**-**\ **-datarootdir=**\ *DATAROOTDIR*
    Read-only architecture-independent data root. Defaults to
    ``PREFIX/share``, where *PREFIX* is the path specified by the
    **-**\ **-prefix** configuration option.

**-**\ **-datadir=**\ *DIR*
    Read-only architecture-independent data. Defaults to the path
    specified by the **-**\ **-datarootdir** configuration option.

**-**\ **-localedir=**\ *DIR*
    Locale-dependent data. Defaults to ``DATAROOTDIR/locale``, where
    *DATAROOTDIR* is the path specified by the
    **-**\ **-datarootdir** configuration option.

**-**\ **-mandir=**\ *DIR*
    Man documentation. Defaults to ``DATAROOTDIR/man``, where
    *DATAROOTDIR* is the path specified by the
    **-**\ **-datarootdir** configuration option.

Program names
-------------

**-**\ **-program-prefix=**\ *PREFIX*
    Prepend *PREFIX* to the names of the programs when installing
    them. For example, specifying ``--program-prefix=mit-`` at
    configure time will cause the program named ``abc`` to be
    installed as ``mit-abc``.

**-**\ **-program-suffix=**\ *SUFFIX*
    Append *SUFFIX* to the names of the programs when installing them.
    For example, specifying ``--program-suffix=-mit`` at configure
    time will cause the program named ``abc`` to be installed as
    ``abc-mit``.

**-**\ **-program-transform-name=**\ *PROGRAM*
    Run ``sed -e PROGRAM`` on installed program names. (*PROGRAM* is a
    sed script).

System types
------------

**-**\ **-build=**\ *BUILD*
    Configure for building on *BUILD*
    (e.g., ``--build=x86_64-linux-gnu``).

**-**\ **-host=**\ *HOST*
    Cross-compile to build programs to run on *HOST*
    (e.g., ``--host=x86_64-linux-gnu``). By default, Kerberos V5
    configuration will look for the "build" option.

Optional features
-----------------

**-**\ **-disable-option-checking**
    Ignore unrecognized --enable/--with options.

**-**\ **-disable-**\ *FEATURE*
    Do not include *FEATURE* (same as --enable-FEATURE=no).

**-**\ **-enable-**\ *FEATURE*\ [=\ *ARG*]
    Include *FEATURE* [ARG=yes].

**-**\ **-enable-maintainer-mode**
    Enable rebuilding of source files, Makefiles, etc.

**-**\ **-disable-delayed-initialization**
    Initialize library code when loaded. Defaults to delay until
    first use.

**-**\ **-disable-thread-support**
    Don't enable thread support. Defaults to enabled.

**-**\ **-disable-rpath**
    Suppress run path flags in link lines.

**-**\ **-enable-athena**
    Build with MIT Project Athena configuration.

**-**\ **-disable-kdc-lookaside-cache**
    Disable the cache which detects client retransmits.

**-**\ **-disable-pkinit**
    Disable PKINIT plugin support.

**-**\ **-disable-aesni**
    Disable support for using AES instructions on x86 platforms.

**-**\ **-enable-asan**\ [=\ *ARG*]
    Enable building with asan memory error checking. If *ARG* is
    given, it controls the -fsanitize compilation flag value (the
    default is "address").

Optional packages
-----------------

**-**\ **-with-**\ *PACKAGE*\ [=ARG\]
    Use *PACKAGE* (e.g., ``--with-imap``). The default value of *ARG*
    is ``yes``.

**-**\ **-without-**\ *PACKAGE*
    Do not use *PACKAGE* (same as ``--with-PACKAGE=no``)
    (e.g., ``--without-libedit``).

**-**\ **-with-size-optimizations**
    Enable a few optimizations to reduce code size possibly at some
    run-time cost.

**-**\ **-with-system-et**
    Use the com_err library and compile_et utility that are already
    installed on the system, instead of building and installing local
    versions.

**-**\ **-with-system-ss**
    Use the ss library and mk_cmds utility that are already installed
    on the system, instead of building and using private versions.

**-**\ **-with-system-db**
    Use the Berkeley DB utility already installed on the system,
    instead of using a private version. This option is not
    recommended; enabling it may result in incompatibility with key
    databases originating on other systems.

**-**\ **-with-netlib=**\ *LIBS*
    Use the resolver library specified in *LIBS*. Use this variable if
    the C library resolver is insufficient or broken.

**-**\ **-with-hesiod=**\ *path*
    Compile with Hesiod support. The *path* points to the Hesiod
    directory. By default Hesiod is unsupported.

**-**\ **-with-ldap**
    Compile OpenLDAP database backend module.

**-**\ **-with-lmdb**
    Compile LMDB database backend module.

**-**\ **-with-tcl=**\ *path*
    Specifies that *path* is the location of a Tcl installation. Tcl
    is needed for some of the tests run by 'make check'; such tests
    will be skipped if this option is not set.

**-**\ **-with-vague-errors**
    Do not send helpful errors to the client; use this if, for
    example, the KDC should return only vague error codes to clients.

**-**\ **-with-crypto-impl=**\ *IMPL*
    Use the specified crypto implementation (e.g.,
    **-**\ **-with-crypto-impl=**\ *openssl*). The default is the
    native MIT Kerberos implementation ``builtin``. The other
    currently implemented crypto backend is ``openssl``. (See
    :ref:`mitK5features`)

**-**\ **-with-prng-alg=**\ *ALG*
    Use the specified PRNG algorithm. For example, to use the OS
    native prng specify ``--with-prng-alg=os``. The default is
    ``fortuna``. (See :ref:`mitK5features`)

**-**\ **-without-libedit**
    Do not compile and link against libedit. Some utilities will no
    longer offer command history or completion in interactive mode if
    libedit is disabled.

**-**\ **-with-readline**
    Compile and link against GNU readline, as an alternative to
    libedit. Building with readline breaks the dejagnu test suite,
    which is a subset of the tests run by 'make check'.

**-**\ **-with-system-verto**
    Use an installed version of libverto. If the libverto header and
    library are not in default locations, you may wish to specify
    ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options
    at configuration time as well.

    If this option is not given, the build system will try to detect
    an installed version of libverto and use it if it is found.
    Otherwise, a version supplied with the Kerberos sources will be
    built and installed. The built-in version does not contain the
    full set of back-end modules and is not a suitable general
    replacement for the upstream version, but will work for the
    purposes of Kerberos.

    Specifying **-**\ **-without-system-verto** will cause the
    built-in version of libverto to be used unconditionally.

**-**\ **-with-krb5-config=**\ *PATH*
    Use the krb5-config program at *PATH* to obtain the build-time
    default credential cache, keytab, and client keytab names. The
    default is to use ``krb5-config`` from the program path. Specify
    ``--without-krb5-config`` to disable the use of krb5-config and
    use the usual built-in defaults.

**-**\ **-without-keyutils**
    Build without libkeyutils support. This disables the KEYRING
    credential cache type.
Examples -------- For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options:: % ./configure CC=suncc CFLAGS=-O For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in ``/usr/foobar``, including Berkeley DB 3.3, and an ss library that needs to link against the curses library. The configuration of Kerberos might be done thus:: ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ --with-system-et --with-system-ss --with-system-db \ SS_LIB='-lss -lcurses' DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 krb5-1.19.2/doc/build/index.rst0000644000704600001450000000413214076311657017560 0ustar ghudsonsystemd-journal.. _build_V5: Building Kerberos V5 ==================== This section details how to build and install MIT Kerberos software from the source. Prerequisites ------------- In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not. Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89"). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance. If you wish to keep a separate build tree, which contains the compiled \*.o file and executables, separate from your source tree, you will need a make program which supports **VPATH**, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree. Obtaining the software ---------------------- The source code can be obtained from MIT Kerberos Distribution page, at https://kerberos.org/dist/index.html. 
The MIT Kerberos distribution comes in an archive file, generally named
krb5-VERSION-signed.tar, where *VERSION* is a placeholder for the major
and minor versions of MIT Kerberos.  (For example, MIT Kerberos 1.9 has
major version "1" and minor version "9".)

The krb5-VERSION-signed.tar contains a compressed tar file consisting
of the sources for all of Kerberos (generally named
krb5-VERSION.tar.gz) and a PGP signature file for this source tree
(generally named krb5-VERSION.tar.gz.asc).  MIT highly recommends that
you verify the integrity of the source code using this signature,
e.g., by running::

    tar xf krb5-VERSION-signed.tar
    gpg --verify krb5-VERSION.tar.gz.asc

Unpack krb5-VERSION.tar.gz in some directory.  In this section we will
assume that you have chosen the top directory of the distribution to be
the directory ``/u1/krb5-VERSION``.

Review the README file for the license, copyright and other
information specific to the distribution.

Contents
--------

.. toctree::
   :maxdepth: 1

   directory_org.rst
   doing_build.rst
   options2configure.rst
   osconf.rst


krb5-1.19.2/doc/threads.txt

Thread safety in the MIT Kerberos libraries

The return value from krb5_cc_default_name is a handle on internal
storage from the krb5_context.  It is valid only until
krb5_cc_set_default_name or krb5_free_context is called.  If
krb5_cc_set_default_name may be called, the calling code must ensure
that the storage returned by krb5_cc_default_name is no longer in use
by that time.

Any use of krb5_context must be confined to one thread at a time by the
application code.

Uses of credentials caches, replay caches, and keytabs may happen in
multiple threads simultaneously as long as none of them destroys the
object while other threads may still be using it.  (Any internal data
modification in those objects will be protected by mutexes or other
means, within the krb5 library.)
The simple, exposed data structures in krb5.h like krb5_principal are
not protected; they should not be used in one thread while another
thread might be modifying them.  (TO DO: Build a list of which calls
keep references to supplied data or return references to
otherwise-referenced data, as opposed to everything making copies.)

[ This part is a little outdated already. ]

    // Between these two, we should be able to do pure compile-time
    // and pure run-time initialization.
    //   POSIX: partial initializer is PTHREAD_MUTEX_INITIALIZER,
    //          finish does nothing
    //   Windows: partial initializer is zero/empty,
    //          finish does the actual work and runs at load time
    //   debug: partial initializer sets one magic value,
    //          finish verifies, sets a new magic value
    k5_mutex_t foo_mutex = K5_MUTEX_PARTIAL_INITIALIZER;
    int k5_mutex_finish_init(k5_mutex_t *);
    // for dynamic allocation
    int k5_mutex_init(k5_mutex_t *);
    // Must work for both kinds of allocation, even if it means adding
    // a flag.
    int k5_mutex_destroy(k5_mutex_t *);
    //
    // Per library, one function to finish the static mutex
    // initialization.
    //
    // A second function called at various possible "first" entry
    // points which either calls pthread_once on the first function
    // (POSIX), or checks some flag set by the first function (Windows,
    // debug support), and possibly returns an error.
    //
    // A third function for library termination calls mutex_destroy on
    // each mutex for the library.
    //
    //
    int k5_mutex_lock(k5_mutex_t *);
    int k5_mutex_unlock(k5_mutex_t *);
    // Optional (always defined, but need not do anything):
    void k5_mutex_assert_locked(k5_mutex_t *);
    void k5_mutex_assert_unlocked(k5_mutex_t *);

    k5_key_t key;
    int k5_key_create(k5_key_t *, void (*destructor)(void *));
    void *k5_getspecific(k5_key_t);
    int k5_setspecific(k5_key_t, const void *);
    ... stuff to signal library termination ...

This is **NOT** an exported interface, and is subject to change.
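The sketch above made concrete, as an added example that is not krb5 code but follows the shape of src/include/k5-thread.h: a compile-time partial initializer, a finish step stamped with a magic value, pthread_once at every possible "first" entry point, and the weak-reference test of pthread symbols that the notes below describe.  Every name prefixed demo_ is this example's own invention; a lock attempted before the finish step is refused rather than silently honoured.

```c
/* Added example, not krb5 code: two-phase mutex initialization,
 * "finish at first entry point" and weak pthread references, in the
 * spirit of src/include/k5-thread.h.  All demo_ names are invented here. */
#include <pthread.h>
#include <stddef.h>

/* Weak references: if the program never pulled in pthread support these
 * resolve to NULL and the wrappers degrade to no-ops, which is only safe
 * because such a program cannot have a second thread. */
#pragma weak pthread_once
#pragma weak pthread_create
#pragma weak pthread_join
#pragma weak pthread_mutex_lock
#pragma weak pthread_mutex_unlock

#define DEMO_MAGIC 0x4b354d58UL     /* "K5MX": stamped by the finish step */

typedef struct {
    pthread_mutex_t lock;           /* usable with a compile-time initializer */
    unsigned long magic;            /* 0 until finish-init has run */
} demo_mutex_t;

#define DEMO_MUTEX_PARTIAL_INITIALIZER { PTHREAD_MUTEX_INITIALIZER, 0 }

static demo_mutex_t demo_lib_mutex = DEMO_MUTEX_PARTIAL_INITIALIZER;
demo_mutex_t demo_unfinished = DEMO_MUTEX_PARTIAL_INITIALIZER; /* never finished */
static pthread_once_t demo_once = PTHREAD_ONCE_INIT;
static int demo_init_done = 0;
static unsigned long demo_counter = 0;  /* guarded by demo_lib_mutex */

/* Finish the static initialization begun by the partial initializer.
 * Finishing the same mutex twice is a caller bug and is reported. */
int demo_mutex_finish_init(demo_mutex_t *m)
{
    if (m->magic == DEMO_MAGIC)
        return -1;
    m->magic = DEMO_MAGIC;
    return 0;
}

/* Per-library finish function: one finish call per static mutex. */
static void demo_lib_finish_init(void)
{
    if (demo_mutex_finish_init(&demo_lib_mutex) == 0)
        demo_init_done = 1;
}

/* Called at every possible "first" entry point into the library. */
int demo_lib_ensure_init(void)
{
    if (&pthread_once != NULL)
        pthread_once(&demo_once, demo_lib_finish_init);
    else if (!demo_init_done)
        demo_lib_finish_init();     /* single-threaded: no race possible */
    return demo_init_done ? 0 : -1;
}

int demo_mutex_lock(demo_mutex_t *m)
{
    if (m->magic != DEMO_MAGIC)
        return -1;                  /* used before finish-init: refuse */
    return (&pthread_mutex_lock != NULL) ? pthread_mutex_lock(&m->lock) : 0;
}

int demo_mutex_unlock(demo_mutex_t *m)
{
    if (m->magic != DEMO_MAGIC)
        return -1;
    return (&pthread_mutex_unlock != NULL) ? pthread_mutex_unlock(&m->lock) : 0;
}

/* A library entry point: add n to the shared counter under the lock. */
int demo_counter_add(unsigned long n)
{
    if (demo_lib_ensure_init() != 0 || demo_mutex_lock(&demo_lib_mutex) != 0)
        return -1;
    while (n-- > 0)
        demo_counter++;             /* deliberately not an atomic update */
    return demo_mutex_unlock(&demo_lib_mutex);
}

static void *demo_worker(void *arg)
{
    demo_counter_add(*(unsigned long *)arg);
    return NULL;
}

/* Run nthreads workers (inline when pthread_create is absent) and return the
 * final counter; with correct locking it equals nthreads * per.  Returns 0
 * if a thread could not be created, so call it with per > 0. */
unsigned long demo_run_workers(int nthreads, unsigned long per)
{
    pthread_t tid[16];
    int i, created = 0, n = nthreads > 16 ? 16 : nthreads;

    demo_counter = 0;
    if (&pthread_create == NULL || &pthread_join == NULL) {
        for (i = 0; i < n; i++)
            demo_worker(&per);
        return demo_counter;
    }
    for (i = 0; i < n; i++) {
        if (pthread_create(&tid[i], NULL, demo_worker, &per) != 0)
            break;
        created++;
    }
    for (i = 0; i < created; i++)
        pthread_join(tid[i], NULL);
    return created == n ? demo_counter : 0;
}
```

On a libc where the pthread symbols live only in a separately linked thread library, building without it leaves the weak references NULL and the workers run one after another; with the thread library present the same code runs the workers concurrently, and the magic check is what turns "locked an unfinished mutex" from a silent misbehaviour into an error return.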
On many platforms with weak reference support, we can declare certain
symbols to be weak, and test the addresses before calling them.  The
references generally will be non-null if the application pulls in the
pthread support.  Sometimes stubs are present in the C library for some
of these routines, and sometimes they're not functional; if so, we need
to figure out which ones, and check for the presence of some *other*
routines.

AIX 4.3.3 doesn't support weak references.  However, it looks like
calling dlsym(NULL) causes the pthread library to get loaded, so we're
going to just go ahead and link against it anyways.  On Tru64 we also
link against the thread library always.

For now, the basic model is: If weak references are supported, use
them.  Else, assume support is present; if that means explicitly
pulling in the thread library, so be it.

The locking described above may not be sufficient, at least for good
performance.  At some point we may want to switch to read/write locks,
so multiple threads can grovel over a data structure at once as long as
they don't change it.

See also notes in src/include/k5-thread.h.


krb5-1.19.2/doc/_templates/layout.html

{% extends "!layout.html" %}
{% set rellinks = [('search', 'Enter search criteria', 'S', 'Search')] + rellinks + [('index', 'Full Table of Contents', 'C', 'Contents')] %}
{# Add a "feedback" button to the rellinks #}
{%- macro feedback_rellinks() %}
{%- for rellink in rellinks|reverse %}
{{ rellink[3] }}{{ reldelim2 }}
{%- endfor %}
feedback
{%- endmacro %}
{% block footer %}
{% endblock %}
{% block header %}
{% if logo %}
{% endif %}
{% block headertitle %}
{{ shorttitle|e }}
{% endblock %}
{{ feedback_rellinks() }}
{% endblock %}
{%- block sidebartoc %}
{{ _('On this page') }}
{{ toc }}
{{ _('Table of contents') }}
{{ toctree(collapse=true, maxdepth=3, titles_only=true, includehidden=false) }}
Full Table of Contents
{%- endblock %}
{%- block sidebarsearch %}
{{ _('Search') }}
{%- endblock %}


krb5-1.19.2/doc/coding-style

Please see https://k5wiki.kerberos.org/wiki/Coding_style for the
current coding style.


krb5-1.19.2/doc/about.rst

Contributing to the MIT Kerberos Documentation
==============================================

We are looking for documentation writers and editors who could
contribute towards improving the MIT KC documentation content.  If you
are an experienced Kerberos developer and/or administrator, please
consider sharing your knowledge and experience with the Kerberos
Community.  You can suggest your own topic or write about any of the
topics listed `here `__.

If you have any questions, comments, or suggestions on the existing
documents, please send your feedback via email to krb5-bugs@mit.edu.
The HTML version of this documentation has a "FEEDBACK" link to the
krb5-bugs@mit.edu email address with a pre-constructed subject line.

Background
----------

Starting with release 1.11, the Kerberos documentation set is unified
in a central form.  Man pages, HTML documentation, and PDF documents
are compiled from reStructuredText sources, and the application
developer documentation incorporates Doxygen markup from the source
tree.  This project was undertaken along the outline described
`here `__.

Previous versions of Kerberos 5 attempted to maintain separate
documentation in the texinfo format, with separate groff manual pages.
Having the API documentation disjoint from the source code implementing
that API resulted in the documentation becoming stale, and over time
the documentation ceased to match reality.  With a fresh start and a
source format that is easier to use and maintain, reStructuredText-based
documents should provide an improved experience for the user.
Consolidating all the documentation formats into a single source
document makes the documentation set easier to maintain.


krb5-1.19.2/doc/user/pwd_mgmt.rst

Password management
===================

Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as
you---send email that comes from you, read, edit, or delete your files,
or log into other hosts as you---and no one will be able to tell the
difference.  For this reason, it is important that you choose a good
password, and keep it secret.  If you need to give access to your
account to someone else, you can do so through Kerberos (see
:ref:`grant_access`).  You should never tell your password to anyone,
including your system administrator, for any reason.  You should
change your password frequently, particularly any time you think
someone may have found out what it is.

Changing your password
----------------------

To change your Kerberos password, use the :ref:`kpasswd(1)` command.
It will ask you for your old password (to prevent someone else from
walking up to your computer when you're not there and changing your
password), and then prompt you for the new one twice.  (The reason you
have to type it twice is to make sure you have typed it correctly.)
For example, user ``david`` would do the following::

    shell% kpasswd
    Password for david:    <- Type your old password.
    Enter new password:    <- Type your new password.
    Enter it again:        <- Type the new password again.
    Password changed.
    shell%

If ``david`` typed the incorrect old password, he would get the
following message::

    shell% kpasswd
    Password for david:    <- Type the incorrect old password.
    kpasswd: Password incorrect while getting initial ticket
    shell%

If you make a mistake and don't type the new password the same way
twice, kpasswd will ask you to try again::

    shell% kpasswd
    Password for david:    <- Type the old password.
    Enter new password:    <- Type the new password.
    Enter it again:        <- Type a different new password.
    kpasswd: Password mismatch while reading password
    shell%

Once you change your password, it takes some time for the change to
propagate through the system.  Depending on how your system is set up,
this might be anywhere from a few minutes to an hour or more.  If you
need to get new Kerberos tickets shortly after changing your password,
try the new password.  If the new password doesn't work, try again
using the old one.

.. _grant_access:

Granting access to your account
-------------------------------

If you need to give someone access to log into your account, you can
do so through Kerberos, without telling the person your password.
Simply create a file called :ref:`.k5login(5)` in your home directory.
This file should contain the Kerberos principal of each person to whom
you wish to give access.  Each principal must be on a separate line.
Here is a sample .k5login file::

    jennifer@ATHENA.MIT.EDU
    david@EXAMPLE.COM

This file would allow the users ``jennifer`` and ``david`` to use your
user ID, provided that they had Kerberos tickets in their respective
realms.  If you will be logging into other hosts across a network, you
will want to include your own Kerberos principal in your .k5login file
on each of these hosts.

Using a .k5login file is much safer than giving out your password,
because:

* You can take access away any time simply by removing the principal
  from your .k5login file.

* Although the user has full access to your account on one particular
  host (or set of hosts if your .k5login file is shared, e.g., over
  NFS), that user does not inherit your network privileges.

* Kerberos keeps a log of who obtains tickets, so a system
  administrator could find out, if necessary, who was capable of using
  your user ID at a particular time.

One common application is to have a .k5login file in root's home
directory, giving root access to that machine to the Kerberos
principals listed.  This allows system administrators to allow users
to become root locally, or to log in remotely as root, without their
having to give out the root password, and without anyone having to type
the root password over the network.

Password quality verification
-----------------------------

TODO


krb5-1.19.2/doc/user/user_commands/kpasswd.rst

.. _kpasswd(1):

kpasswd
=======

SYNOPSIS
--------

**kpasswd** [*principal*]

DESCRIPTION
-----------

The kpasswd command is used to change a Kerberos principal's password.
kpasswd first prompts for the current Kerberos password, then prompts
the user twice for the new password, and the password is changed.

If the principal is governed by a policy that specifies the length
and/or number of character classes required in the new password, the
new password must conform to the policy.  (The five character classes
are lower case, upper case, numbers, punctuation, and all other
characters.)

OPTIONS
-------

*principal*
    Change the password for the Kerberos principal *principal*.
    Otherwise, kpasswd uses the principal name from an existing ccache
    if there is one; if not, the principal is derived from the identity
    of the user invoking the kpasswd command.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`


krb5-1.19.2/doc/user/user_commands/kswitch.rst

.. _kswitch(1):

kswitch
=======

SYNOPSIS
--------

**kswitch** {**-c** *cachename*\|\ **-p** *principal*}

DESCRIPTION
-----------

kswitch makes the specified credential cache the primary cache for the
collection, if a cache collection is available.

OPTIONS
-------

**-c** *cachename*
    Directly specifies the credential cache to be made primary.

**-p** *principal*
    Causes the cache collection to be searched for a cache containing
    credentials for *principal*.  If one is found, that cache is made
    primary.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

FILES
-----

|ccache|
    Default location of Kerberos 5 credentials cache

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, :ref:`kerberos(7)`


krb5-1.19.2/doc/user/user_commands/klist.rst

.. _klist(1):

klist
=====

SYNOPSIS
--------

**klist** [**-e**] [[**-c**] [**-l**] [**-A**] [**-f**] [**-s**]
[**-a** [**-n**]]] [**-C**] [**-k** [**-i**] [**-t**] [**-K**]] [**-V**]
[**-d**] [*cache_name*\|\ *keytab_name*]

DESCRIPTION
-----------

klist lists the Kerberos principal and Kerberos tickets held in a
credentials cache, or the keys held in a keytab file.

OPTIONS
-------

**-e**
    Displays the encryption types of the session key and the ticket
    for each credential in the credential cache, or each key in the
    keytab file.

**-l**
    If a cache collection is available, displays a table summarizing
    the caches present in the collection.

**-A**
    If a cache collection is available, displays the contents of all
    of the caches in the collection.

**-c**
    List tickets held in a credentials cache.  This is the default if
    neither **-c** nor **-k** is specified.
**-f**
    Shows the flags present in the credentials, using the following
    abbreviations::

        F    Forwardable
        f    forwarded
        P    Proxiable
        p    proxy
        D    postDateable
        d    postdated
        R    Renewable
        I    Initial
        i    invalid
        H    Hardware authenticated
        A    preAuthenticated
        T    Transit policy checked
        O    Okay as delegate
        a    anonymous

**-s**
    Causes klist to run silently (produce no output).  klist will exit
    with status 1 if the credentials cache cannot be read or is
    expired, and with status 0 otherwise.

**-a**
    Display list of addresses in credentials.

**-n**
    Show numeric addresses instead of reverse-resolving addresses.

**-C**
    List configuration data that has been stored in the credentials
    cache when klist encounters it.  By default, configuration data
    is not listed.

**-k**
    List keys held in a keytab file.

**-i**
    In combination with **-k**, defaults to using the default client
    keytab instead of the default acceptor keytab, if no name is given.

**-t**
    Display the time entry timestamps for each keytab entry in the
    keytab file.

**-K**
    Display the value of the encryption key in each keytab entry in the
    keytab file.

**-d**
    Display the authdata types (if any) for each entry.

**-V**
    Display the Kerberos version number and exit.

If *cache_name* or *keytab_name* is not specified, klist will display
the credentials in the default credentials cache or keytab file as
appropriate.  If the **KRB5CCNAME** environment variable is set, its
value is used to locate the default ticket cache.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

FILES
-----

|ccache|
    Default location of Kerberos 5 credentials cache

|keytab|
    Default location for the local host's keytab file.

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`


krb5-1.19.2/doc/user/user_commands/ksu.rst

.. _ksu(1):

ksu
===

SYNOPSIS
--------

**ksu** [ *target_user* ] [ **-n** *target_principal_name* ] [ **-c**
*source_cache_name* ] [ **-k** ] [ **-r** time ] [ **-p** | **-P**] [
**-f** | **-F**] [ **-l** *lifetime* ] [ **-z | Z** ] [ **-q** ] [ **-e**
*command* [ args ... ] ] [ **-a** [ args ... ] ]

REQUIREMENTS
------------

Must have Kerberos version 5 installed to compile ksu.  Must have a
Kerberos version 5 server running to use ksu.

DESCRIPTION
-----------

ksu is a Kerberized version of the su program that has two missions:
one is to securely change the real and effective user ID to that of
the target user, and the other is to create a new security context.

.. note::

    For the sake of clarity, all references to and attributes of the
    user invoking the program will start with "source" (e.g., "source
    user", "source cache", etc.).  Likewise, all references to and
    attributes of the target account will start with "target".

AUTHENTICATION
--------------

To fulfill the first mission, ksu operates in two phases:
authentication and authorization.  Resolving the target principal name
is the first step in authentication.  The user can either specify his
principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``)
or a default principal name will be assigned using a heuristic
described in the OPTIONS section (see **-n** option).  The target user
name must be the first argument to ksu; if not specified root is the
default.  If ``.`` is specified then the target user will be the
source user (e.g., ``ksu .``).  If the source user is root or the
target user is the source user, no authentication or authorization
takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
in the source cache.

The ticket can either be for the end-server or a ticket granting
ticket (TGT) for the target principal's realm.  If the ticket for the
end-server is already in the cache, it's decrypted and verified.
If it's not in the cache but the TGT is, the TGT is used to obtain the
ticket for the end-server.  The end-server ticket is then verified.
If neither ticket is in the cache, but ksu is compiled with the
**GET_TGT_VIA_PASSWD** define, the user will be prompted for a
Kerberos password which will then be used to get a TGT.  If the user
is logged in remotely and does not have a secure channel, the password
may be exposed.  If neither ticket is in the cache and
**GET_TGT_VIA_PASSWD** is not defined, authentication fails.

AUTHORIZATION
-------------

This section describes authorization of the source user when ksu is
invoked without the **-e** option.  For a description of the **-e**
option, see the OPTIONS section.

Upon successful authentication, ksu checks whether the target principal
is authorized to access the target account.  In the target user's home
directory, ksu attempts to access two authorization files:
:ref:`.k5login(5)` and .k5users.  In the .k5login file each line
contains the name of a principal that is authorized to access the
account.  For example::

    jqpublic@USC.EDU
    jqpublic/secure@USC.EDU
    jqpublic/admin@USC.EDU

The format of .k5users is the same, except the principal name may be
followed by a list of commands that the principal is authorized to
execute (see the **-e** option in the OPTIONS section for details).

Thus if the target principal name is found in the .k5login file the
source user is authorized to access the target account.  Otherwise ksu
looks in the .k5users file.  If the target principal name is found
without any trailing commands or followed only by ``*`` then the
source user is authorized.  If either .k5login or .k5users exist but
an appropriate entry for the target principal does not exist then
access is denied.  If neither file exists then the principal will be
granted access to the account according to the aname->lname mapping
rules.  Otherwise, authorization fails.

EXECUTION OF THE TARGET SHELL
-----------------------------

Upon successful authentication and authorization, ksu proceeds in a
similar fashion to su.  The environment is unmodified with the
exception of the USER, HOME and SHELL variables.  If the target user is
not root, USER gets set to the target user name.  Otherwise USER
remains unchanged.  Both HOME and SHELL are set to the target login's
default values.  In addition, the environment variable **KRB5CCNAME**
gets set to the name of the target cache.  The real and effective user
ID are changed to that of the target user.  The target user's shell is
then invoked (the shell name is specified in the password file).  Upon
termination of the shell, ksu deletes the target cache (unless ksu is
invoked with the **-k** option).  This is implemented by first doing a
fork and then an exec, instead of just exec, as done by su.

CREATING A NEW SECURITY CONTEXT
-------------------------------

ksu can be used to create a new security context for the target
program (either the target shell, or command specified via the **-e**
option).  The target program inherits a set of credentials from the
source user.  By default, this set includes all of the credentials in
the source cache plus any additional credentials obtained during
authentication.  The source user is able to limit the credentials in
this set by using the **-z** or **-Z** option.  **-z** restricts the
copy of tickets from the source cache to the target cache to only the
tickets where client == the target principal name.  The **-Z** option
provides the target user with a fresh target cache (no creds in the
cache).  Note that for security reasons, when the source user is root
and the target user is non-root, the **-z** option is the default mode
of operation.

While no authentication takes place if the source user is root or is
the same as the target user, additional tickets can still be obtained
for the target cache.
If **-n** is specified and no credentials can be copied to the target
cache, the source user is prompted for a Kerberos password (unless
**-Z** is specified or **GET_TGT_VIA_PASSWD** is undefined).  If
successful, a TGT is obtained from the Kerberos server and stored in
the target cache.  Otherwise, if a password is not provided (user hit
return) ksu continues in a normal mode of operation (the target cache
will not contain the desired TGT).  If the wrong password is typed in,
ksu fails.

.. note::

    During authentication, only the tickets that could be obtained
    without providing a password are cached in the source cache.

OPTIONS
-------

**-n** *target_principal_name*
    Specify a Kerberos target principal name.  Used in authentication
    and authorization phases of ksu.

    If ksu is invoked without **-n**, a default principal name is
    assigned via the following heuristic:

    * Case 1: source user is non-root.

      If the target user is the source user the default principal name
      is set to the default principal of the source cache.  If the
      cache does not exist then the default principal name is set to
      ``target_user@local_realm``.  If the source and target users are
      different and neither ``~target_user/.k5users`` nor
      ``~target_user/.k5login`` exist then the default principal name
      is ``target_user_login_name@local_realm``.  Otherwise, starting
      with the first principal listed below, ksu checks if the
      principal is authorized to access the target account and whether
      there is a legitimate ticket for that principal in the source
      cache.  If both conditions are met that principal becomes the
      default target principal, otherwise go to the next principal.

      a) default principal of the source cache
      b) target_user\@local_realm
      c) source_user\@local_realm

      If a-c fails try any principal for which there is a ticket in the
      source cache and that is authorized to access the target account.
      If that fails select the first principal that is authorized to
      access the target account from the above list.

      If none are authorized and ksu is configured with
      **PRINC_LOOK_AHEAD** turned on, select the default principal as
      follows:

      For each candidate in the above list, select an authorized
      principal that has the same realm name and first part of the
      principal name equal to the prefix of the candidate.  For example
      if candidate a) is ``jqpublic@ISI.EDU`` and
      ``jqpublic/secure@ISI.EDU`` is authorized to access the target
      account then the default principal is set to
      ``jqpublic/secure@ISI.EDU``.

    * Case 2: source user is root.

      If the target user is non-root then the default principal name is
      ``target_user@local_realm``.  Else, if the source cache exists
      the default principal name is set to the default principal of
      the source cache.  If the source cache does not exist, the
      default principal name is set to ``root\@local_realm``.

**-c** *source_cache_name*
    Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``).  If
    the **-c** option is not used then the name is obtained from the
    **KRB5CCNAME** environment variable.  If **KRB5CCNAME** is not
    defined the source cache name is set to ``krb5cc_``.  The target
    cache name is automatically set to ``krb5cc_.(gen_sym())``, where
    gen_sym generates a new number such that the resulting cache does
    not already exist.  For example::

        krb5cc_1984.2

**-k**
    Do not delete the target cache upon termination of the target shell
    or a command (**-e** command).  Without **-k**, ksu deletes the
    target cache.

**-z**
    Restrict the copy of tickets from the source cache to the target
    cache to only the tickets where client == the target principal
    name.  Use the **-n** option if you want the tickets for other than
    the default principal.  Note that the **-z** option is mutually
    exclusive with the **-Z** option.

**-Z**
    Don't copy any tickets from the source cache to the target cache.
    Just create a fresh target cache, where the default principal name
    of the cache is initialized to the target principal name.  Note
    that the **-Z** option is mutually exclusive with the **-z**
    option.
**-q**
    Suppress the printing of status messages.

Ticket granting ticket options:

**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F**
    The ticket granting ticket options only apply to the case where
    there are no appropriate tickets in the cache to authenticate the
    source user.  In this case if ksu is configured to prompt users for
    a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the ticket
    granting ticket options that are specified will be used when
    getting a ticket granting ticket from the Kerberos server.

**-l** *lifetime*
    (:ref:`duration` string.)  Specifies the lifetime to be requested
    for the ticket; if this option is not specified, the default ticket
    lifetime (12 hours) is used instead.

**-r** *time*
    (:ref:`duration` string.)  Specifies that the **renewable** option
    should be requested for the ticket, and specifies the desired
    total lifetime of the ticket.

**-p**
    specifies that the **proxiable** option should be requested for
    the ticket.

**-P**
    specifies that the **proxiable** option should not be requested
    for the ticket, even if the default configuration is to ask for
    proxiable tickets.

**-f**
    option specifies that the **forwardable** option should be
    requested for the ticket.

**-F**
    option specifies that the **forwardable** option should not be
    requested for the ticket, even if the default configuration is to
    ask for forwardable tickets.

**-e** *command* [*args* ...]
    ksu proceeds exactly the same as if it were invoked without the
    **-e** option, except instead of executing the target shell, ksu
    executes the specified command.  Example of usage::

        ksu bob -e ls -lag

    The authorization algorithm for **-e** is as follows:

    If the source user is root or source user == target user, no
    authorization takes place and the command is executed.  If source
    user id != 0, and the ``~target_user/.k5users`` file does not
    exist, authorization fails.  Otherwise, the
    ``~target_user/.k5users`` file must have an appropriate entry for
    the target principal to get authorized.
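The **-e** authorization algorithm worked through against the .k5users example on this page, as an added example that is not ksu's own code.  It assumes, as the text says, that a bare program name is resolved through **CMD_PATH** (the ``exists`` predicate stands in for the filesystem so it runs offline); treating a ``*`` entry as also granting the target shell is an assumption.

```python
"""ksu -e authorization against a .k5users file (added example, not ksu code)."""
from typing import Callable, Dict, List, Optional

# Directory list from the page's sample KSU_OPTS configuration.
CMD_PATH = ["/bin", "/usr/ucb", "/local/bin"]


def parse_k5users(text: str) -> Dict[str, List[str]]:
    """One principal per line, optionally followed by permitted commands.

    An empty list means the principal may only get the target shell;
    ['*'] means any command.
    """
    rules: Dict[str, List[str]] = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            rules[fields[0]] = fields[1:]
    return rules


def resolve(command: str, cmd_path: List[str],
            exists: Callable[[str], bool]) -> Optional[str]:
    """Full or relative path: used as given; bare name: searched in CMD_PATH."""
    if "/" in command:
        return command if exists(command) else None
    for directory in cmd_path:
        candidate = f"{directory}/{command}"
        if exists(candidate):
            return candidate
    return None


def shell_authorized(rules: Optional[Dict[str, List[str]]], principal: str) -> bool:
    """Regular ksu (no -e): an entry with no command list grants the shell;
    an entry restricted to named commands does not ('*' assumed to grant it)."""
    if rules is None or principal not in rules:
        return False
    return rules[principal] in ([], ["*"])


def authorize_command(rules: Optional[Dict[str, List[str]]], principal: str,
                      command: str, source_is_root: bool, source_user: str,
                      target_user: str, cmd_path: List[str],
                      exists: Callable[[str], bool]) -> Optional[str]:
    """Return the program ksu would execute for -e, or None if refused.

    rules is None when ~target_user/.k5users does not exist.
    """
    # Root, or same user: no authorization, any full or relative path.
    if source_is_root or source_user == target_user:
        return resolve(command, cmd_path, exists)
    if rules is None:
        return None                              # no .k5users: authorization fails
    allowed = rules.get(principal)
    if not allowed:
        return None                              # unlisted, or shell-only entry
    if allowed == ["*"]:
        return resolve(command, cmd_path, exists)
    # Restricted principal: only a full path or a bare program name.
    if "/" in command and not command.startswith("/"):
        return None
    target = resolve(command, cmd_path, exists)
    if target is None:
        return None
    permitted = {resolve(entry, cmd_path, exists) for entry in allowed}
    return target if target in permitted else None


# Constructed sample: the page's .k5users example and a stand-in filesystem.
SAMPLE_K5USERS = """\
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
"""
SAMPLE_FS = {"/bin/ls", "/bin/rm", "/usr/ucb/mail", "/local/kerberos/klist"}


def check(principal: str, command: str, source_is_root: bool = False,
          source_user: str = "jqpublic", target_user: str = "bob") -> Optional[str]:
    """Evaluate one -e request against the sample file and filesystem."""
    return authorize_command(parse_k5users(SAMPLE_K5USERS), principal, command,
                             source_is_root, source_user, target_user,
                             CMD_PATH, SAMPLE_FS.__contains__)


if __name__ == "__main__":
    for princ, cmd in [("jqpublic@USC.EDU", "ls"), ("jqpublic@USC.EDU", "rm"),
                       ("jqpublic/secure@USC.EDU", "rm"),
                       ("jqpublic/admin@USC.EDU", "ls")]:
        print(f"{princ:26} -e {cmd:3} -> {check(princ, cmd)}")
```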
    The .k5users file format:

    A single principal entry on each line that may be followed by a
    list of commands that the principal is authorized to execute.  A
    principal name followed by a ``*`` means that the user is
    authorized to execute any command.  Thus, in the following
    example::

        jqpublic@USC.EDU ls mail /local/kerberos/klist
        jqpublic/secure@USC.EDU *
        jqpublic/admin@USC.EDU

    ``jqpublic@USC.EDU`` is only authorized to execute ``ls``,
    ``mail`` and ``klist`` commands.  ``jqpublic/secure@USC.EDU`` is
    authorized to execute any command.  ``jqpublic/admin@USC.EDU`` is
    not authorized to execute any command.  Note, that
    ``jqpublic/admin@USC.EDU`` is authorized to execute the target
    shell (regular ksu, without the **-e** option) but
    ``jqpublic@USC.EDU`` is not.  The commands listed after the
    principal name must be either full path names or just the program
    name.  In the second case, **CMD_PATH** specifying the location of
    authorized programs must be defined at compile time of ksu.

    Which command gets executed?

    If the source user is root or the target user is the source user
    or the user is authorized to execute any command (``*`` entry)
    then the command can be either a full or a relative path leading
    to the target program.  Otherwise, the user must specify either a
    full path or just the program name.

**-a** *args*
    Specify arguments to be passed to the target shell.  Note that all
    flags and parameters following -a will be passed to the shell,
    thus all options intended for ksu must precede **-a**.

    The **-a** option can be used to simulate the **-e** option if
    used as follows::

        -a -c [command [arguments]].

    **-c** is interpreted by the c-shell to execute the command.

INSTALLATION INSTRUCTIONS
-------------------------

ksu can be compiled with the following four flags:

**GET_TGT_VIA_PASSWD**
    In case no appropriate tickets are found in the source cache, the
    user will be prompted for a Kerberos password.  The password is
    then used to get a ticket granting ticket from the Kerberos
    server.
    The danger of configuring ksu with this macro is if the source
    user is logged in remotely and does not have a secure channel, the
    password may get exposed.

**PRINC_LOOK_AHEAD**
    During the resolution of the default principal name,
    **PRINC_LOOK_AHEAD** enables ksu to find principal names in the
    .k5users file as described in the OPTIONS section (see **-n**
    option).

**CMD_PATH**
    Specifies a list of directories containing programs that users
    are authorized to execute (via .k5users file).

**HAVE_GETUSERSHELL**
    If the source user is non-root, ksu insists that the target user's
    shell to be invoked is a "legal shell".  *getusershell(3)* is
    called to obtain the names of "legal shells".  Note that the
    target user's shell is obtained from the passwd file.

Sample configuration::

    KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"'

ksu should be owned by root and have the set user id bit turned on.

ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin do.  Thus, there must be an entry for the server in
the Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``).  The
keytab file must be in an appropriate location.

SIDE EFFECTS
------------

ksu deletes all expired tickets from the source cache.

AUTHOR OF KSU
-------------

GENNADY (ARI) MEDVINSKY

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kerberos(7)`, :ref:`kinit(1)`


.. _kvno(1):

kvno
====

SYNOPSIS
--------

**kvno**
[**-c** *ccache*]
[**-e** *etype*]
[**-k** *keytab*]
[**-q**]
[**-u** | **-S** *sname*]
[**-P**]
[**--cached-only**]
[**--no-store**]
[**--out-cache** *cache*]
[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*]
*service1 service2* ...
DESCRIPTION
-----------

kvno acquires a service ticket for the specified Kerberos principals
and prints out the key version numbers of each.

OPTIONS
-------

**-c** *ccache*
    Specifies the name of a credentials cache to use (if not the
    default)

**-e** *etype*
    Specifies the enctype which will be requested for the session key
    of all the services named on the command line.  This is useful in
    certain backward compatibility situations.

**-k** *keytab*
    Decrypt the acquired tickets using *keytab* to confirm their
    validity.

**-q**
    Suppress printing output when successful.  If a service ticket
    cannot be obtained, an error message will still be printed and
    kvno will exit with nonzero status.

**-u**
    Use the unknown name type in requested service principal names.
    This option cannot be used with *-S*.

**-P**
    Specifies that the *service1 service2* ... arguments are to be
    treated as services for which credentials should be acquired using
    constrained delegation.  This option is only valid when used in
    conjunction with protocol transition.

**-S** *sname*
    Specifies that the *service1 service2* ... arguments are
    interpreted as hostnames, and the service principals are to be
    constructed from those hostnames and the service name *sname*.
    The service hostnames will be canonicalized according to the usual
    rules for constructing service principals.

**-I** *for_user*
    Specifies that protocol transition (S4U2Self) is to be used to
    acquire a ticket on behalf of *for_user*.  If constrained
    delegation is not requested, the service name must match the
    credentials cache client principal.

**-U** *for_user*
    Same as -I, but treats *for_user* as an enterprise name.

**-F** *cert_file*
    Specifies that protocol transition is to be used, identifying the
    client principal with the X.509 certificate in *cert_file*.  The
    certificate file must be in PEM format.

**--cached-only**
    Only retrieve credentials already present in the cache, not from
    the KDC.  (Added in release 1.19.)
**--no-store**
    Do not store retrieved credentials in the cache.  If
    **--out-cache** is also specified, credentials will still be
    stored into the output credential cache.  (Added in release 1.19.)

**--out-cache** *ccache*
    Initialize *ccache* and store all retrieved credentials into it.
    Do not store acquired credentials in the input cache.  (Added in
    release 1.19.)

**--u2u** *ccache*
    Requests a user-to-user ticket.  *ccache* must contain a local
    krbtgt ticket for the server principal.  The reported version
    number will typically be 0, as the resulting ticket is not
    encrypted in the server's long-term key.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

FILES
-----

|ccache|
    Default location of the credentials cache

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`


.. _kinit(1):

kinit
=====

SYNOPSIS
--------

**kinit**
[**-V**]
[**-l** *lifetime*]
[**-s** *start_time*]
[**-r** *renewable_life*]
[**-p** | **-P**]
[**-f** | **-F**]
[**-a**]
[**-A**]
[**-C**]
[**-E**]
[**-v**]
[**-R**]
[**-k** [**-i** | **-t** *keytab_file*]]
[**-c** *cache_name*]
[**-n**]
[**-S** *service_name*]
[**-I** *input_ccache*]
[**-T** *armor_ccache*]
[**-X** *attribute*\ [=\ *value*]]
[**--request-pac** | **--no-request-pac**]
[*principal*]

DESCRIPTION
-----------

kinit obtains and caches an initial ticket-granting ticket for
*principal*.  If *principal* is absent, kinit chooses an appropriate
principal name based on existing credential cache contents or the
local username of the user invoking kinit.  Some options modify the
choice of principal name.

OPTIONS
-------

**-V**
    display verbose output.

**-l** *lifetime*
    (:ref:`duration` string.)  Requests a ticket with the lifetime
    *lifetime*.  For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``.
    If the **-l** option is not specified, the default ticket lifetime
    (configured by each site) is used.  Specifying a ticket lifetime
    longer than the maximum ticket lifetime (configured by each site)
    will not override the configured maximum ticket lifetime.

**-s** *start_time*
    (:ref:`duration` string.)  Requests a postdated ticket.  Postdated
    tickets are issued with the **invalid** flag set, and need to be
    resubmitted to the KDC for validation before use.  *start_time*
    specifies the duration of the delay before the ticket can become
    valid.

**-r** *renewable_life*
    (:ref:`duration` string.)  Requests renewable tickets, with a
    total lifetime of *renewable_life*.

**-f**
    requests forwardable tickets.

**-F**
    requests non-forwardable tickets.

**-p**
    requests proxiable tickets.

**-P**
    requests non-proxiable tickets.

**-a**
    requests tickets restricted to the host's local address[es].

**-A**
    requests tickets not restricted by address.

**-C**
    requests canonicalization of the principal name, and allows the
    KDC to reply with a different client principal from the one
    requested.

**-E**
    treats the principal name as an enterprise name.

**-v**
    requests that the ticket-granting ticket in the cache (with the
    **invalid** flag set) be passed to the KDC for validation.  If the
    ticket is within its requested time range, the cache is replaced
    with the validated ticket.

**-R**
    requests renewal of the ticket-granting ticket.  Note that an
    expired ticket cannot be renewed, even if the ticket is still
    within its renewable life.

    Note that renewable tickets that have expired as reported by
    :ref:`klist(1)` may sometimes be renewed using this option,
    because the KDC applies a grace period to account for client-KDC
    clock skew.  See the :ref:`krb5.conf(5)` **clockskew** setting.

**-k** [**-i** | **-t** *keytab_file*]
    requests a ticket, obtained from a key in the local host's keytab.
    The location of the keytab may be specified with the **-t**
    *keytab_file* option, or with the **-i** option to specify the use
    of the default client keytab; otherwise the default keytab will be
    used.  By default, a host ticket for the local host is requested,
    but any principal may be specified.  On a KDC, the special keytab
    location ``KDB:`` can be used to indicate that kinit should open
    the KDC database and look up the key directly.  This permits an
    administrator to obtain tickets as any principal that supports
    authentication based on the key.

**-n**
    Requests anonymous processing.  Two types of anonymous principals
    are supported.

    For fully anonymous Kerberos, configure pkinit on the KDC and
    configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`.
    Then use the **-n** option with a principal of the form ``@REALM``
    (an empty principal name followed by the at-sign and a realm
    name).  If permitted by the KDC, an anonymous ticket will be
    returned.

    A second form of anonymous tickets is supported; these
    realm-exposed tickets hide the identity of the client but not the
    client's realm.  For this mode, use ``kinit -n`` with a normal
    principal name.  If supported by the KDC, the principal (but not
    realm) will be replaced by the anonymous principal.

    As of release 1.8, the MIT Kerberos KDC only supports fully
    anonymous operation.

**-I** *input_ccache*
    Specifies the name of a credentials cache that already contains a
    ticket.  When obtaining that ticket, if information about how that
    ticket was obtained was also stored to the cache, that information
    will be used to affect how new credentials are obtained, including
    preselecting the same methods of authenticating to the KDC.

**-T** *armor_ccache*
    Specifies the name of a credentials cache that already contains a
    ticket.  If supported by the KDC, this cache will be used to armor
    the request, preventing offline dictionary attacks and allowing
    the use of additional preauthentication mechanisms.
    Armoring also makes sure that the response from the KDC is not
    modified in transit.

**-c** *cache_name*
    use *cache_name* as the Kerberos 5 credentials (ticket) cache
    location.  If this option is not used, the default cache location
    is used.

    The default cache location may vary between systems.  If the
    **KRB5CCNAME** environment variable is set, its value is used to
    locate the default cache.  If a principal name is specified and
    the type of the default cache supports a collection (such as the
    DIR type), an existing cache containing credentials for the
    principal is selected or a new one is created and becomes the new
    primary cache.  Otherwise, any existing contents of the default
    cache are destroyed by kinit.

**-S** *service_name*
    specify an alternate service name to use when getting initial
    tickets.

**-X** *attribute*\ [=\ *value*]
    specify a pre-authentication *attribute* and *value* to be
    interpreted by pre-authentication modules.  The acceptable
    attribute and value values vary from module to module.  This
    option may be specified multiple times to specify multiple
    attributes.  If no value is specified, it is assumed to be "yes".

    The following attributes are recognized by the PKINIT
    pre-authentication mechanism:

    **X509_user_identity**\ =\ *value*
        specify where to find user's X509 identity information

    **X509_anchors**\ =\ *value*
        specify where to find trusted X509 anchor information

    **flag_RSA_PROTOCOL**\ [**=yes**]
        specify use of RSA, rather than the default Diffie-Hellman
        protocol

    **disable_freshness**\ [**=yes**]
        disable sending freshness tokens (for testing purposes only)

**--request-pac** | **--no-request-pac**
    mutually exclusive.  If **--request-pac** is set, ask the KDC to
    include a PAC in authdata; if **--no-request-pac** is set, ask the
    KDC not to include a PAC; if neither is set, the KDC will follow
    its default, which is typically to include a PAC if doing so is
    supported.
ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

FILES
-----

|ccache|
    default location of Kerberos 5 credentials cache

|keytab|
    default location for the local host's keytab.

SEE ALSO
--------

:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`


.. _kdestroy(1):

kdestroy
========

SYNOPSIS
--------

**kdestroy**
[**-A**]
[**-q**]
[**-c** *cache_name*]
[**-p** *princ_name*]

DESCRIPTION
-----------

The kdestroy utility destroys the user's active Kerberos authorization
tickets by overwriting and deleting the credentials cache that
contains them.  If the credentials cache is not specified, the default
credentials cache is destroyed.

OPTIONS
-------

**-A**
    Destroys all caches in the collection, if a cache collection is
    available.  May be used with the **-c** option to specify the
    collection to be destroyed.

**-q**
    Run quietly.  Normally kdestroy beeps if it fails to destroy the
    user's tickets.  The **-q** flag suppresses this behavior.

**-c** *cache_name*
    Use *cache_name* as the credentials (ticket) cache name and
    location; if this option is not used, the default cache name and
    location are used.

    The default credentials cache may vary between systems.  If the
    **KRB5CCNAME** environment variable is set, its value is used to
    name the default ticket cache.

**-p** *princ_name*
    If a cache collection is available, destroy the cache for
    *princ_name* instead of the primary cache.  May be used with the
    **-c** option to specify the collection to be searched.

NOTE
----

Most installations recommend that you place the kdestroy command in
your .logout file, so that your tickets are destroyed automatically
when you log out.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
FILES
-----

|ccache|
    Default location of Kerberos 5 credentials cache

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)`


.. _sclient(1):

sclient
=======

SYNOPSIS
--------

**sclient** *remotehost*

DESCRIPTION
-----------

sclient is a sample application, primarily useful for testing
purposes.  It contacts a sample server :ref:`sserver(8)` and
authenticates to it using Kerberos version 5 tickets, then displays
the server's response.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)`


.. _krb5-config(1):

krb5-config
===========

SYNOPSIS
--------

**krb5-config**
[**-**\ **-help** | **-**\ **-all** | **-**\ **-version** |
**-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** |
**-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** |
**-**\ **-cflags** | **-**\ **-libs** [*libraries*]]

DESCRIPTION
-----------

krb5-config tells the application programmer what flags to use to
compile and link programs against the installed Kerberos libraries.

OPTIONS
-------

**-**\ **-help**
    prints a usage message.  This is the default behavior when no
    options are specified.

**-**\ **-all**
    prints the version, vendor, prefix, and exec-prefix.

**-**\ **-version**
    prints the version number of the Kerberos installation.

**-**\ **-vendor**
    prints the name of the vendor of the Kerberos installation.

**-**\ **-prefix**
    prints the prefix for which the Kerberos installation was built.

**-**\ **-exec-prefix**
    prints the prefix for executables for which the Kerberos
    installation was built.

**-**\ **-defccname**
    prints the built-in default credentials cache location.
**-**\ **-defktname**
    prints the built-in default keytab location.

**-**\ **-defcktname**
    prints the built-in default client (initiator) keytab location.

**-**\ **-cflags**
    prints the compilation flags used to build the Kerberos
    installation.

**-**\ **-libs** [*library*]
    prints the compiler options needed to link against *library*.
    Allowed values for *library* are:

    ============ ===============================================
    krb5         Kerberos 5 applications (default)
    gssapi       GSSAPI applications with Kerberos 5 bindings
    kadm-client  Kadmin client
    kadm-server  Kadmin server
    kdb          Applications that access the Kerberos database
    ============ ===============================================

EXAMPLES
--------

krb5-config is particularly useful for compiling against a Kerberos
installation that was installed in a non-standard location.  For
example, a Kerberos installation that is installed in ``/opt/krb5/``
but uses libraries in ``/usr/local/lib/`` for text localization would
produce the following output::

    shell% krb5-config --libs krb5
    -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err

SEE ALSO
--------

:ref:`kerberos(7)`, cc(1)


.. _user_commands:

User commands
=============

.. toctree::
   :maxdepth: 1

   kdestroy.rst
   kinit.rst
   klist.rst
   kpasswd.rst
   krb5-config.rst
   ksu.rst
   kswitch.rst
   kvno.rst
   sclient.rst


.. _kerberos(7):

kerberos
========

DESCRIPTION
-----------

The Kerberos system authenticates individual users in a network
environment.  After authenticating yourself to Kerberos, you can use
Kerberos-enabled programs without having to present passwords or
certificates to those programs.
If you receive the following response from :ref:`kinit(1)`:

    kinit: Client not found in Kerberos database while getting initial
    credentials

you haven't been registered as a Kerberos user.  See your system
administrator.

A Kerberos name usually contains three parts.  The first is the
**primary**, which is usually a user's or service's name.  The second
is the **instance**, which in the case of a user is usually null.
Some users may have privileged instances, however, such as ``root`` or
``admin``.  In the case of a service, the instance is the fully
qualified name of the machine on which it runs; i.e. there can be an
ssh service running on the machine ABC (ssh/ABC@REALM), which is
different from the ssh service running on the machine XYZ
(ssh/XYZ@REALM).  The third part of a Kerberos name is the **realm**.
The realm corresponds to the Kerberos service providing authentication
for the principal.  Realms are conventionally all-uppercase, and often
match the end of hostnames in the realm (for instance,
host01.example.com might be in realm EXAMPLE.COM).

When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an "@" sign.  The following are examples
of valid Kerberos names::

    david
    jennifer/admin
    joeuser@BLEEP.COM
    cbrown/root@FUBAR.ORG

When you authenticate yourself with Kerberos you get an initial
Kerberos **ticket**.  (A Kerberos ticket is an encrypted protocol
message that provides authentication.)  Kerberos uses this ticket for
network utilities such as ssh.  The ticket transactions are done
transparently, so you don't have to worry about their management.

Note, however, that tickets expire.  Administrators may configure more
privileged tickets, such as those with service or instance of ``root``
or ``admin``, to expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day.
If your login session extends beyond the time limit, you will have to
re-authenticate yourself to Kerberos to get new tickets using the
:ref:`kinit(1)` command.

Some tickets are **renewable** beyond their initial lifetime.  This
means that ``kinit -R`` can extend their lifetime without requiring
you to re-authenticate.

If you wish to delete your local tickets, use the :ref:`kdestroy(1)`
command.

Kerberos tickets can be forwarded.  In order to forward tickets, you
must request **forwardable** tickets when you kinit.  Once you have
forwardable tickets, most Kerberos programs have a command line option
to forward them to the remote host.  This can be useful for, e.g.,
running kinit on your local machine and then sshing into another to do
work.  Note that this should not be done on untrusted machines since
they will then have your tickets.

ENVIRONMENT VARIABLES
---------------------

Several environment variables affect the operation of Kerberos-enabled
programs.  These include:

**KRB5CCNAME**
    Default name for the credentials cache file, in the form
    *TYPE*:*residual*.  The type of the default cache may determine
    the availability of a cache collection.  ``FILE`` is not a
    collection type; ``KEYRING``, ``DIR``, and ``KCM`` are.

    If not set, the value of **default_ccache_name** from
    configuration files (see **KRB5_CONFIG**) will be used.  If that
    is also not set, the default *type* is ``FILE``, and the
    *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the
    decimal user ID of the user.

**KRB5_KTNAME**
    Specifies the location of the default keytab file, in the form
    *TYPE*:*residual*.  If no *type* is present, the **FILE** type is
    assumed and *residual* is the pathname of the keytab file.  If
    unset, |keytab| will be used.

**KRB5_CONFIG**
    Specifies the location of the Kerberos configuration file.  The
    default is |sysconfdir|\ ``/krb5.conf``.  Multiple filenames can
    be specified, separated by a colon; all files which are present
    will be read.
**KRB5_KDC_PROFILE**
    Specifies the location of the KDC configuration file, which
    contains additional configuration directives for the Key
    Distribution Center daemon and associated programs.  The default
    is |kdcdir|\ ``/kdc.conf``.

**KRB5RCACHENAME**
    (New in release 1.18)  Specifies the location of the default
    replay cache, in the form *type*:*residual*.  The ``file2`` type
    with a pathname residual specifies a replay cache file in the
    version-2 format in the specified location.  The ``none`` type
    (residual is ignored) disables the replay cache.  The ``dfl`` type
    (residual is ignored) indicates the default, which uses a file2
    replay cache in a temporary directory.  The default is ``dfl:``.

**KRB5RCACHETYPE**
    Specifies the type of the default replay cache, if
    **KRB5RCACHENAME** is unspecified.  No residual can be specified,
    so ``none`` and ``dfl`` are the only useful types.

**KRB5RCACHEDIR**
    Specifies the directory used by the ``dfl`` replay cache type.
    The default is the value of the **TMPDIR** environment variable,
    or ``/var/tmp`` if **TMPDIR** is not set.

**KRB5_TRACE**
    Specifies a filename to write trace log output to.  Trace logs can
    help illuminate decisions made internally by the Kerberos
    libraries.  For example, ``env KRB5_TRACE=/dev/stderr kinit``
    would send tracing information for :ref:`kinit(1)` to
    ``/dev/stderr``.  The default is not to write trace log output
    anywhere.

**KRB5_CLIENT_KTNAME**
    Default client keytab file name.  If unset, |ckeytab| will be
    used.

**KPROP_PORT**
    :ref:`kprop(8)` port to use.  Defaults to 754.

**GSS_MECH_CONFIG**
    Specifies a filename containing GSSAPI mechanism module
    configuration.  The default is to read |sysconfdir|\ ``/gss/mech``
    and files with a ``.conf`` suffix within the directory
    |sysconfdir|\ ``/gss/mech.d``.

Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.
SEE ALSO
--------

:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`,
:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`,
:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`,
:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`

BUGS
----

AUTHORS
-------

| Steve Miller, MIT Project Athena/Digital Equipment Corporation
| Clifford Neuman, MIT Project Athena
| Greg Hudson, MIT Kerberos Consortium
| Robbie Harwood, Red Hat, Inc.

HISTORY
-------

The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties.  It is currently maintained
by the MIT Kerberos Consortium.

RESTRICTIONS
------------

Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Massachusetts
Institute of Technology


.. _.k5identity(5):

.k5identity
===========

DESCRIPTION
-----------

The .k5identity file, which resides in a user's home directory,
contains a list of rules for selecting a client principal based on the
server being accessed.  These rules are used to choose a credential
cache within the cache collection when possible.

Blank lines and lines beginning with ``#`` are ignored.  Each line has
the form:

    *principal* *field*\=\ *value* ...

If the server principal meets all of the field constraints, then
principal is chosen as the client principal.  The following fields are
recognized:

**realm**
    If the realm of the server principal is known, it is matched
    against *value*, which may be a pattern using shell wildcards.
    For host-based server principals, the realm will generally only be
    known if there is a :ref:`domain_realm` section in
    :ref:`krb5.conf(5)` with a mapping for the hostname.

**service**
    If the server principal is a host-based principal, its service
    component is matched against *value*, which may be a pattern using
    shell wildcards.
**host**
    If the server principal is a host-based principal, its hostname
    component is converted to lower case and matched against *value*,
    which may be a pattern using shell wildcards.

If the server principal matches the constraints of multiple lines in
the .k5identity file, the principal from the first matching line is
used.  If no line matches, credentials will be selected some other
way, such as the realm heuristic or the current primary cache.

EXAMPLE
-------

The following example .k5identity file selects the client principal
``alice@KRBTEST.COM`` if the server principal is within that realm,
the principal ``alice/root@EXAMPLE.COM`` if the server host is within
a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
accessing the IMAP service on ``mail.example.com``::

    alice@KRBTEST.COM       realm=KRBTEST.COM
    alice/root@EXAMPLE.COM  host=*.servers.example.com
    alice/mail@EXAMPLE.COM  host=mail.example.com service=imap

SEE ALSO
--------

kerberos(1), :ref:`krb5.conf(5)`


.. _.k5login(5):

.k5login
========

DESCRIPTION
-----------

The .k5login file, which resides in a user's home directory, contains
a list of Kerberos principals.  Anyone with valid tickets for a
principal in the file is allowed host access with the UID of the user
in whose home directory the file resides.  One common use is to place
a .k5login file in root's home directory, thereby granting system
administrators remote root access to the host via Kerberos.

EXAMPLES
--------

Suppose the user ``alice`` had a .k5login file in her home directory
containing just the following line::

    bob@FOOBAR.ORG

This would allow ``bob`` to use Kerberos network applications, such as
ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos
tickets.
In a default configuration (with **k5login_authoritative** set to true
in :ref:`krb5.conf(5)`), this .k5login file would not let ``alice``
use those network applications to access her account, since she is
not listed!  With no .k5login file, or with **k5login_authoritative**
set to false, a default rule would permit the principal ``alice`` in
the machine's default realm to access the ``alice`` account.

Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
in root's .k5login file on each host::

    alice@BLEEP.COM
    joeadmin/root@BLEEP.COM

This would allow either system administrator to log in to these hosts
using their Kerberos tickets instead of having to type the root
password.

Note that because ``bob`` retains the Kerberos tickets for his own
principal, ``bob@FOOBAR.ORG``, he would not have any of the privileges
that require ``alice``'s tickets, such as root access to any of the
site's hosts, or the ability to change ``alice``'s password.

SEE ALSO
--------

kerberos(1)


User config files
=================

The following files in your home directory can be used to control the
behavior of Kerberos as it applies to your account (unless they have
been disabled by your host's configuration):

.. toctree::
   :maxdepth: 1

   kerberos.rst
   k5login.rst
   k5identity.rst


For users
=========

.. toctree::
   :maxdepth: 2

   pwd_mgmt.rst
   tkt_mgmt.rst
   user_config/index.rst
   user_commands/index.rst


Ticket management
=================

On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.
Other programs, such as ssh, can forward copies of your tickets to a
remote host.  Most of these programs also automatically destroy your
tickets when they exit.  However, MIT recommends that you explicitly
destroy your Kerberos tickets when you are through with them, just to
be sure.  One way to help ensure that this happens is to add the
:ref:`kdestroy(1)` command to your .logout file.  Additionally, if you
are going to be away from your machine and are concerned about an
intruder using your permissions, it is safest to either destroy all
copies of your tickets, or use a screensaver that locks the screen.

Kerberos ticket properties
--------------------------

There are various properties that Kerberos tickets can have:

If a ticket is **forwardable**, then the KDC can issue a new ticket
(with a different network address, if necessary) based on the
forwardable ticket.  This allows for authentication forwarding without
requiring a password to be typed in again.  For example, if a user
with a forwardable TGT logs into a remote system, the KDC could issue
a new TGT for that user with the network address of the remote system,
allowing authentication on that host to work as though the user were
logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it
sets the **forwarded** flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.

A **proxiable** ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket-granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.

A **proxy** ticket is one that was issued based on a proxiable ticket.

A **postdated** ticket is issued with the invalid flag set.
After the starting time listed on the ticket, it can be presented to
the KDC to obtain valid tickets.

Ticket-granting tickets with the **postdateable** flag set can be used
to obtain postdated service tickets.

**Renewable** tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.

A ticket with the **initial flag** set was issued based on the
authentication protocol, and not on a ticket-granting ticket.
Application servers that wish to ensure that the user's key has been
recently presented for verification could specify that this flag must
be set to accept the ticket.

An **invalid** ticket must be rejected by application servers.
Postdated tickets are usually issued with this flag set, and must be
validated by the KDC before they can be used.

A **preauthenticated** ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.

The **hardware authentication** flag is set on a ticket which required
the use of hardware for authentication.  The hardware is expected to
be possessed only by the client which requested the tickets.

If a ticket has the **transit policy** checked flag set, then the KDC
that issued this ticket implements the transited-realm check policy
and checked the transited-realms list on the ticket.  The
transited-realms list contains a list of all intermediate realms
between the realm of the KDC that issued the first ticket and that of
the one that issued the current ticket.  If this flag is not set, then
the application server must check the transited realms itself or else
reject the ticket.

The **okay as delegate** flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.
Some client applications may use this flag to decide whether to
forward tickets to a remote host, although many applications do not
honor it.

An **anonymous** ticket is one in which the named principal is a
generic principal for that realm; it does not actually specify the
individual that will be using the ticket.  This ticket is meant only
to securely distribute a session key.

.. _obtain_tkt:

Obtaining tickets with kinit
----------------------------

If your site has integrated Kerberos V5 with the login system, you
will get Kerberos tickets automatically when you log in.  Otherwise,
you may need to explicitly obtain your Kerberos tickets, using the
:ref:`kinit(1)` program.  Similarly, if your Kerberos tickets expire,
use the kinit program to obtain new ones.

To use the kinit program, simply type ``kinit`` and then type your
password at the prompt.  For example, Jennifer (whose username is
``jennifer``) works for Bleep, Inc. (a fictitious company with the
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
type::

    shell% kinit
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
    shell%

If you type your password incorrectly, kinit will give you the
following error message::

    shell% kinit
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
    kinit: Password incorrect
    shell%

and you won't get Kerberos tickets.

By default, kinit assumes you want tickets for your own username in
your default realm.  Suppose Jennifer's friend David is visiting, and
he wants to borrow a window to check his mail.  David needs to get
tickets for himself in his own realm, EXAMPLE.COM.  He would type::

    shell% kinit david@EXAMPLE.COM
    Password for david@EXAMPLE.COM: <-- [Type david's password here.]
    shell%

David would then have tickets which he could use to log onto his own
machine.  Note that he typed his password locally on Jennifer's
machine, but it never went over the network.
Kerberos on the local host performed the authentication to the KDC in
the other realm.

If you want to be able to forward your tickets to another host, you
need to request forwardable tickets.  You do this by specifying the
**-f** option::

    shell% kinit -f
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
    shell%

Note that kinit does not tell you that it obtained forwardable
tickets; you can verify this using the :ref:`klist(1)` command (see
:ref:`view_tkt`).

Normally, your tickets are good for your system's default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the **-l** option.  Add the letter
**s** to the value for seconds, **m** for minutes, **h** for hours, or
**d** for days.  For example, to obtain forwardable tickets for
``david@EXAMPLE.COM`` that would be good for three hours, you would
type::

    shell% kinit -f -l 3h david@EXAMPLE.COM
    Password for david@EXAMPLE.COM: <-- [Type david's password here.]
    shell%

.. note::

    You cannot mix units; specifying a lifetime of 3h30m would
    result in an error.

Note also that most systems specify a maximum ticket lifetime.  If you
request a longer ticket lifetime, it will be automatically truncated
to the maximum lifetime.

.. _view_tkt:

Viewing tickets with klist
--------------------------

The :ref:`klist(1)` command shows your tickets.  When you first obtain
tickets, you will have only the ticket-granting ticket.  The listing
would look like this::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    shell%

The ticket cache is the location of your ticket file.  In the above
example, this file is named ``/tmp/krb5cc_ttypa``.  The default
principal is your Kerberos principal.

The "valid starting" and "expires" fields describe the period of time
during which the ticket is valid.
The "service principal" describes each ticket.  The ticket-granting
ticket has a first component ``krbtgt``, and a second component which
is the realm name.

Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``,
and then typed "klist" again, she would have gotten the following
result::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
    shell%

Here's what happened: when ``jennifer`` used ssh to connect to the
host ``daffodil.mit.edu``, the ssh program presented her
ticket-granting ticket to the KDC and requested a host ticket for the
host ``daffodil.mit.edu``.  The KDC sent the host ticket, which ssh
then presented to the host ``daffodil.mit.edu``, and she was allowed
to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another
domain, such as ``trillium.example.com``, which is also in another
Kerberos realm, ``EXAMPLE.COM``.  If you ssh to this host, you will
receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus
the new host ticket for ``trillium.example.com``.  klist will now
show::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
    shell%

Depending on your host's and realm's configuration, you may also see a
ticket with the service principal ``host/trillium.example.com@``.  If
so, this means that your host did not know what realm
trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for
a referral.
The next time you connect to ``trillium.example.com``, the odd-looking
entry will be used to avoid needing to ask for a referral again.

You can use the **-f** option to view the flags that apply to your
tickets.  The flags are:

===== =========================
F     Forwardable
f     forwarded
P     Proxiable
p     proxy
D     postDateable
d     postdated
R     Renewable
I     Initial
i     invalid
H     Hardware authenticated
A     preAuthenticated
T     Transit policy checked
O     Okay as delegate
a     anonymous
===== =========================

Here is a sample listing.  In this example, the user *jennifer*
obtained her initial tickets (**I**), which are forwardable (**F**)
and postdated (**d**) but not yet validated (**i**)::

    shell% klist -f
    Ticket cache: /tmp/krb5cc_320
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
            Flags: FdiI
    shell%

In the following example, the user *david*'s tickets were forwarded
(**f**) to this host from another host.  The tickets are reforwardable
(**F**)::

    shell% klist -f
    Ticket cache: /tmp/krb5cc_p11795
    Default principal: david@EXAMPLE.COM

    Valid starting     Expires            Service principal
    07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
            Flags: Ff
    07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
            Flags: Ff
    shell%

Destroying tickets with kdestroy
--------------------------------

Your Kerberos tickets are proof that you are indeed yourself, and
tickets could be stolen if someone gains access to a computer where
they are stored.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy.  Simply type kdestroy::

    shell% kdestroy
    shell%

If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and
give an error message.
For example, if kdestroy can't find any tickets to destroy, it will
give the following message::

    shell% kdestroy
    kdestroy: No credentials cache file found while destroying cache
    shell%

krb5-1.19.2/doc/_static/kerb.css_t

/*
 * kerb.css
 * ~~~~~~~~~~~
 *
 * Sphinx stylesheet -- modification to agogo theme.
 *
 */

div.body {
    padding-right: .5em;
    text-align: left;
    overflow-x: hidden;
}

/* Page layout */

div.header, div.content, div.footer {
    margin-left: auto;
    margin-right: auto;
    padding-left: 1em;
    padding-right: 1em;
    max-width: 60em;
}

div.header-wrapper {
    background: white;
    border-bottom: 3px solid #2e3436;
    border-top: 13px solid #5d1509;
}

/* Header */

div.header {
    padding-top: 10px;
    padding-bottom: 0px;
}

div.header h1 {
    font-family: "Georgia", "Times New Roman", serif, black;
    font-weight: normal;
}

div.header h1 a {
    color: {{ theme_bgcolor }};
    font-size: 120%;
    padding-top: 10px;
}

div.header div.right a {
    color: #fcaf3e;
    letter-spacing: .1em;
    text-transform: lowercase;
    float: right;
}

div.header div.rel {
    font-family: "Georgia", "Times New Roman", serif, black;
    font-weight: normal;
    margin-bottom: 1.6em;
}

/* Content */

div.document {
    width: 80%;
    float: left;
    margin: 0;
    background-color: white;
    padding-top: 20px;
    padding-bottom: 20px;
}

div.document div.section h1 {
    margin-bottom: 20px;
    padding: 1px;
    line-height: 130%;
}

div.document div.section dl {
    margin-top: 15px;
    margin-bottom: 5px;
    padding: 1px;
    text-align: left;
}

/* Sidebar */

div.sidebar {
    float: right;
    font-size: .9em;
    width: 20%;
    margin: 0;
    padding: 0;
    background-color: #F9F9F9;
}

div.sidebar ul {
    list-style-type: none;
    margin-left: .5em;
}

div.sidebar li.toctree-l1 a {
    margin-left: .5em;
}

div.sidebar li.toctree-l2 a {
    margin-left: .5em;
}

div.sidebar li.toctree-l3 a {
    margin-left: .5em;
}

div.sidebar li.toctree-l2.current a {
    border-right: 2px solid #fcaf3e !important;
}

div.sidebar li.toctree-l3.current a {
    font-weight: bold;
}

div.sidebar li.toctree-l4 a {
    display: none;
}

div.sidebar input[type=text] {
    width: auto;
}

/* Other body styles */

dt:target, .highlighted {
    background-color: #c1c1c1;
}

/* Code displays */

pre {
    overflow: auto;
    overflow-y: hidden;
}

td.linenos pre {
    padding: 5px 0px;
    border: 0;
    background-color: transparent;
    color: #aaa;
}

/* ordered lists */

ol.arabic {
    list-style: decimal;
}

ol.loweralpha {
    list-style: lower-alpha;
}

ol.upperalpha {
    list-style: upper-alpha;
}

ol.lowerroman {
    list-style-type: lower-roman;
}

ol.upperroman {
    list-style-type: upper-roman;
}

krb5-1.19.2/doc/formats/rcache_file_format.rst

Replay cache file format
========================

This section documents the second version of the replay cache file
format, used by the "file2" replay cache type (new in release 1.18).
The first version of the file replay cache format is not documented.

All accesses to the replay cache file take place under an exclusive
POSIX or Windows file lock, obtained when the file is opened and
released when it is closed.  Replay cache files are automatically
created when first accessed.

For each store operation, a tag is derived from the checksum part of
the :RFC:`3961` ciphertext of the authenticator.  The checksum is
coerced to a fixed length of 12 bytes, either through truncation or
right-padding with zero bytes.  A four-byte timestamp is appended to
the tag to produce a total record length of 16 bytes.

Bytes 0 through 15 of the file contain a hash seed for the SipHash-2-4
algorithm (siphash_); this field is populated with random bytes when
the file is first created.
All remaining bytes are divided into a series of expanding hash
tables:

* Bytes 16-16383: hash table 1 (1023 slots)
* Bytes 16384-49151: hash table 2 (2048 slots)
* Bytes 49152-114687: hash table 3 (4096 slots)
* ...

Only some hash tables will be present in the file at any specific
time, and the final table may be only partially filled.  Replay cache
files may be sparse if the filesystem supports it.

For each table present in the file, the tag is hashed with SipHash-2-4
using the seed recorded in the file.  The first byte of the seed is
incremented by one (modulo 256) for each table after the first.  The
resulting hash value is taken modulo one less than the table size
(1022 for the first hash table, 2047 for the second) to produce the
index.  The record may be found at the slot given by the index or at
the next slot.

All candidate locations for the record must be searched until a slot
is found with a timestamp of zero (indicating a slot which has never
been written to) or an offset is reached at or beyond the end of the
file.  Any candidate location with a timestamp value of zero, with a
timestamp value less than the current time minus clockskew, or at or
beyond the end of the file is available for writing.  When all
candidate locations have been searched without finding a match, the
new entry is written to the earliest candidate available for writing.

.. _siphash: https://131002.net/siphash/siphash.pdf

krb5-1.19.2/doc/formats/ccache_file_format.rst

.. _ccache_file_format:

Credential cache file format
============================

There are four versions of the file format used by the FILE credential
cache type.  The first byte of the file always has the value 5, and
the value of the second byte contains the version number (1 through
4).  Versions 1 and 2 of the file format use native byte order for
integer representations.  Versions 3 and 4 always use big-endian byte
order.
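As an added worked example (not code from MIT krb5), the following
Python parser reads a version 4 FILE cache according to the header,
principal and credential grammars given in the rest of this section,
separates configuration entries from real credentials, ignores unknown
header tags as the format requires, and refuses truncated input.  It
constructs its own sample cache inline with a small builder, so the
bytes are invented test data rather than a real cache.  Two readings
of the description are assumptions, marked in the code: the 16-bit
header length is taken to cover only the tagged fields that follow it,
and the two KDC offset integers are read as signed.  The flag bit
values in the sample follow krb5's TKT_FLG_* definitions.

```python
"""Added example: a version 4 FILE credential cache parser (not krb5 code)."""
import struct

V4_MAGIC = b"\x05\x04"
CONF_REALM = "X-CACHECONF:"             # realm of configuration entries
CONF_NAME = "krb5_ccache_conf_data"     # their first server component
TAG_KDC_OFFSET = 1                      # the only defined header tag


class _Cursor:
    """Sequential big-endian reader that refuses to run past the buffer."""
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated credential cache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):   return self.take(1)[0]
    def u16(self):  return struct.unpack(">H", self.take(2))[0]
    def u32(self):  return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())       # 32-bit length + value
    def eof(self):  return self.pos >= len(self.buf)


def read_principal(r: _Cursor):
    """principal ::= name type, component count (realm not counted), realm, components."""
    name_type, ncomp = r.u32(), r.u32()
    realm = r.data().decode()
    return name_type, realm, [r.data().decode() for _ in range(ncomp)]


def read_credential(r: _Cursor) -> dict:
    """credential ::= client server keyblock 4 times is_skey flags addrs authdata 2 tickets."""
    c = {"client": read_principal(r), "server": read_principal(r)}
    c["keyblock"] = (r.u16(), r.data())          # enctype once in v4, then key bytes
    c["authtime"], c["starttime"], c["endtime"], c["renew_till"] = (r.u32() for _ in range(4))
    c["is_skey"] = r.u8()
    c["ticket_flags"] = r.u32()
    c["addresses"] = [(r.u16(), r.data()) for _ in range(r.u32())]
    c["authdata"] = [(r.u16(), r.data()) for _ in range(r.u32())]
    c["ticket"], c["second_ticket"] = r.data(), r.data()
    return c


def is_config_entry(cred: dict) -> bool:
    _, realm, comps = cred["server"]
    return realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_NAME


def parse_ccache_v4(buf: bytes) -> dict:
    r = _Cursor(buf)
    if r.take(2) != V4_MAGIC:
        raise ValueError("not a version 4 FILE credential cache")
    # Assumption: the 16-bit length counts the tagged fields that follow it.
    hdr, kdc_offset = _Cursor(r.take(r.u16())), None
    while not hdr.eof():
        tag, value = hdr.u16(), hdr.take(hdr.u16())
        if tag == TAG_KDC_OFFSET and len(value) == 8:
            kdc_offset = struct.unpack(">ii", value)   # (seconds, microseconds), signed
        # any other tag is ignored, as the format requires
    result = {"kdc_offset": kdc_offset, "default_principal": read_principal(r),
              "creds": [], "config": {}}
    while not r.eof():                                  # no count or end marker: read to EOF
        cred = read_credential(r)
        if is_config_entry(cred):
            comps = cred["server"][2]                   # (key[, associated principal])
            result["config"][tuple(comps[1:])] = cred["ticket"]
        else:
            result["creds"].append(cred)
    return result


# Builder used only to construct the sample cache below (invented data).
def _data(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _principal(name_type, realm, comps) -> bytes:
    return (struct.pack(">II", name_type, len(comps)) + _data(realm.encode())
            + b"".join(_data(c.encode()) for c in comps))

def _credential(client, server, enctype, key, times, flags, ticket) -> bytes:
    return (_principal(*client) + _principal(*server) + struct.pack(">H", enctype) + _data(key)
            + struct.pack(">IIIIBI", *times, 0, flags)     # is_skey = 0
            + struct.pack(">II", 0, 0)                      # no addresses, no authdata
            + _data(ticket) + _data(b""))

def build_sample_ccache() -> bytes:
    """Constructed v4 cache: KDC offset header, one TGT, one fast_avail config entry."""
    fields = struct.pack(">HHii", TAG_KDC_OFFSET, 8, -5, 250000)
    alice = (1, "EXAMPLE.COM", ["alice"])                  # NT-PRINCIPAL
    tgt = (2, "EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"])    # NT-SRV-INST
    conf = (0, CONF_REALM, [CONF_NAME, "fast_avail"])
    return (V4_MAGIC + struct.pack(">H", len(fields)) + fields + _principal(*alice)
            + _credential(alice, tgt, 18, b"\x11" * 32, (1000, 1000, 37000, 600000),
                          0x40E00000, b"\x61\x03ABC")     # flags F R I A; fake ticket bytes
            + _credential(alice, conf, 0, b"", (0, 0, 0, 0), 0, b"yes"))
```

Call ``parse_ccache_v4(open(path, "rb").read())`` on a real cache to
list its credentials and configuration entries; the config entry in
the sample shows why a cache inspector must not try to ASN.1-decode
the ticket field of every entry.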
After the two-byte version indicator, the file has three parts: the
header (in version 4 only), the default principal name, and a sequence
of credentials.

Header format
-------------

The header appears only in format version 4.  It begins with a 16-bit
integer giving the length of the entire header, followed by a sequence
of fields.  Each field consists of a 16-bit tag, a 16-bit length, and
a value of the given length.  A file format implementation should
ignore fields with unknown tags.

At this time there is only one defined header field.  Its tag value is
1, its length is always 8, and its contents are two 32-bit integers
giving the seconds and microseconds of the time offset of the KDC
relative to the client.  Adding this offset to the current time on the
client should give the current time on the KDC, if that offset has not
changed since the initial authentication.

.. _cache_principal_format:

Principal format
----------------

The default principal is marshalled using the following informal
grammar::

    principal ::=
        name type (32 bits) [omitted in version 1]
        count of components (32 bits) [includes realm in version 1]
        realm (data)
        component1 (data)
        component2 (data)
        ...

    data ::=
        length (32 bits)
        value (length bytes)

There is no external framing on the default principal, so it must be
parsed according to the above grammar in order to find the sequence of
credentials which follows.

.. _ccache_credential_format:

Credential format
-----------------

The credential format uses the following informal grammar (referencing
the ``principal`` and ``data`` types from the previous section)::

    credential ::=
        client (principal)
        server (principal)
        keyblock (keyblock)
        authtime (32 bits)
        starttime (32 bits)
        endtime (32 bits)
        renew_till (32 bits)
        is_skey (1 byte, 0 or 1)
        ticket_flags (32 bits)
        addresses (addresses)
        authdata (authdata)
        ticket (data)
        second_ticket (data)

    keyblock ::=
        enctype (16 bits) [repeated twice in version 3]
        data

    addresses ::=
        count (32 bits)
        address1
        address2
        ...
    address ::=
        addrtype (16 bits)
        data

    authdata ::=
        count (32 bits)
        authdata1
        authdata2
        ...

    authdata ::=
        ad_type (16 bits)
        data

There is no external framing on a marshalled credential, so it must be
parsed according to the above grammar in order to find the next
credential.  There is also no count of credentials or marker at the
end of the sequence of credentials; the sequence ends when the file
ends.

Credential cache configuration entries
--------------------------------------

Configuration entries are encoded as credential entries.  The client
principal of the entry is the default principal of the cache.  The
server principal has the realm ``X-CACHECONF:`` and two or three
components, the first of which is ``krb5_ccache_conf_data``.  The
server principal's second component is the configuration key.  The
third component, if it exists, is a principal to which the
configuration key is associated.  The configuration value is stored in
the ticket field of the entry.  All other entry fields are zeroed.

Programs using credential caches must be aware of configuration
entries for several reasons:

* A program which displays the contents of a cache should not
  generally display configuration entries.

* The ticket field of a configuration entry is not (usually) a valid
  encoding of a Kerberos ticket.  An implementation must not treat the
  cache file as malformed if it cannot decode the ticket field.

* Configuration entries have an endtime field of 0 and might therefore
  always be considered expired, but they should not be treated as
  unimportant as a result.  For instance, a program which copies
  credentials from one cache to another should not omit configuration
  entries because of the endtime.

The following configuration keys are currently used in MIT krb5:

fast_avail
    The presence of this key with a non-empty value indicates that the
    KDC asserted support for FAST (see :rfc:`6113`) during the initial
    authentication, using the negotiation method described in
    :rfc:`6806` section 11.
    This key is not associated with any principal.

pa_config_data
    The value of this key contains a JSON object representation of
    parameters remembered by the preauthentication mechanism used
    during the initial authentication.  These parameters may be used
    when refreshing credentials.  This key is associated with the
    server principal of the initial authentication (usually the local
    krbtgt principal of the client realm).

pa_type
    The value of this key is the ASCII decimal representation of the
    preauth type number used during the initial authentication.  This
    key is associated with the server principal of the initial
    authentication.

proxy_impersonator
    The presence of this key indicates that the cache is a synthetic
    delegated credential for use with S4U2Proxy.  The value is the
    name of the intermediate service whose TGT can be used to make
    S4U2Proxy requests for target services.  This key is not
    associated with any principal.

refresh_time
    The presence of this key indicates that the cache was acquired by
    the GSS mechanism using a client keytab.  The value is the ASCII
    decimal representation of a timestamp at which the GSS mechanism
    should attempt to refresh the credential cache from the client
    keytab.

start_realm
    This key indicates the realm of the ticket-granting ticket to be
    used for TGS requests, when making a referrals request or
    beginning a cross-realm request.  If it is not present, the client
    realm is used.

krb5-1.19.2/doc/formats/freshness_token.rst

PKINIT freshness tokens
=======================

:rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients
should reflect within signed PKINIT data to prove recent access to the
client certificate private key.  The contents of a freshness token are
left to the KDC implementation.
The MIT krb5 KDC uses the following format for freshness tokens
(starting in release 1.17):

* a four-byte big-endian POSIX timestamp
* a four-byte big-endian key version number
* an :rfc:`3961` checksum, with no ASN.1 wrapper

The checksum is computed using the first key in the local krbtgt
principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM``
if the request is to the ``KRBTEST.COM`` realm) of the indicated key
version.  The checksum type must be the mandatory checksum type for
the encryption type of the krbtgt key.  The key usage value for the
checksum is 514.

krb5-1.19.2/doc/formats/cookie.rst

KDC cookie format
=================

:rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which
clients are required to reflect back to the KDC during
pre-authentication.  The MIT krb5 KDC uses the following formats for
cookies.

Trivial cookie (version 0)
--------------------------

If there is no pre-authentication mechanism state information to save,
a trivial cookie containing the value "MIT" is used.  A trivial cookie
is needed to indicate that the conversation can continue.

Secure cookie (version 1)
-------------------------

In release 1.14 and later, a secure cookie can be sent if there is any
mechanism state to save for the next request.  A secure cookie
contains the concatenation of the following:

* the four bytes "MIT1"
* a four-byte big-endian kvno value
* an :rfc:`3961` ciphertext

The ciphertext is encrypted in the cookie key with key usage number
513.  The cookie key is derived from a key in the local krbtgt
principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM``
if the request is to the ``KRBTEST.COM`` realm).
The first krbtgt key for the indicated kvno value is combined with the
client principal as follows::

    cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ))

where **random-to-key** is the :rfc:`3961` random-to-key operation for
the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`,
and ``|`` denotes concatenation.  *client-princ* is the request client
principal name with realm, marshalled according to :rfc:`1964` section
2.1.1.

The plain text of the encrypted part of a cookie is the DER encoding
of the following ASN.1 type::

    SecureCookie ::= SEQUENCE {
        time     INTEGER,
        data     SEQUENCE OF PA-DATA,
        ...
    }

The time field represents the cookie creation time; for brevity, it is
encoded as an integer giving the POSIX timestamp rather than as an
ASN.1 GeneralizedTime value.

The data field contains one element for each pre-authentication type
which requires saved state.  For mechanisms which have separate
request and reply types, the request type is used; this allows the KDC
to determine whether a cookie is relevant to a request by compar
the request pa-data types to the cookie data types.

SPAKE cookie format (version 1)
-------------------------------

Inside the SecureCookie wrapper, a data value of type 151 contains
state for SPAKE pre-authentication.  This data is the concatenation of
the following:

* a two-byte big-endian version number with the value 1
* a two-byte big-endian stage number
* a four-byte big-endian group number
* a four-byte big-endian length and data for the SPAKE value
* a four-byte big-endian length and data for the transcript hash
* zero or more second factor records, each consisting of:

  - a four-byte big-endian second-factor type
  - a four-byte big-endian length and data

The stage value is 0 if the cookie was sent with a challenge message.
Otherwise it is 1 for the first encdata message sent by the KDC during
an exchange, 2 for the second, etc.  The group value indicates the
group number used in the SPAKE challenge.
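As an added example (not MIT krb5 code), the following Python function
decodes the SPAKE state record laid out above and enforces the stage
rule stated in the paragraphs that follow: a stage-0 record may carry
any number of second-factor records, any other stage exactly one.  The
sample records are constructed inline with a matching encoder; the
group number, value lengths and second-factor type in them are
placeholders chosen for the example, not values taken from a real
exchange.

```python
"""Added example: decoder for the SPAKE state stored in a SecureCookie (not krb5 code)."""
import struct

PA_SPAKE = 151                     # pa-data type under which this record is stored


def _lendata(buf: bytes, pos: int):
    """Read a four-byte big-endian length followed by that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated SPAKE cookie")
    (n,) = struct.unpack_from(">I", buf, pos)
    if pos + 4 + n > len(buf):
        raise ValueError("truncated SPAKE cookie")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n


def parse_spake_cookie(data: bytes) -> dict:
    """Decode version, stage, group, SPAKE value, transcript hash and SF records."""
    if len(data) < 8:
        raise ValueError("truncated SPAKE cookie")
    version, stage, group = struct.unpack_from(">HHI", data, 0)
    if version != 1:
        raise ValueError(f"unsupported SPAKE cookie version {version}")
    spake_value, pos = _lendata(data, 8)
    transcript, pos = _lendata(data, pos)
    factors = []
    while pos < len(data):                       # remaining bytes are SF records
        if pos + 4 > len(data):
            raise ValueError("truncated second-factor record")
        (sf_type,) = struct.unpack_from(">I", data, pos)
        sf_data, pos = _lendata(data, pos + 4)
        factors.append((sf_type, sf_data))
    # Stage rule: stage 0 allows zero or more records (none for SF-NONE);
    # later stages carry exactly one, for the factor the client chose.
    if stage != 0 and len(factors) != 1:
        raise ValueError(f"stage {stage} cookie must carry exactly one second-factor record")
    return {"version": version, "stage": stage, "group": group,
            "spake_value": spake_value, "transcript_hash": transcript,
            "second_factors": factors}


def build_spake_cookie(stage, group, spake_value, transcript, factors=()) -> bytes:
    """Encode a record in the documented layout (used here to construct samples)."""
    out = struct.pack(">HHI", 1, stage, group)
    out += struct.pack(">I", len(spake_value)) + spake_value
    out += struct.pack(">I", len(transcript)) + transcript
    for sf_type, sf_data in factors:
        out += struct.pack(">II", sf_type, len(sf_data)) + sf_data
    return out


# Constructed samples: placeholder group number 1, 32-byte values, SF type 7.
STAGE0 = build_spake_cookie(0, 1, b"\x01" * 32, b"\x02" * 32)
STAGE1 = build_spake_cookie(1, 1, b"\x03" * 32, b"\x04" * 32, [(7, b"state")])
```

Because the record is only ever seen by the KDC after decrypting the
SecureCookie, the checks here guard against the KDC's own earlier
output having been corrupted or replayed from a different stage, not
against a client-controlled plaintext.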
For a stage-0 cookie, the SPAKE value is the KDC private key,
represented in the scalar marshalling form of the group.  For other
cookies, the SPAKE value is the SPAKE result K, represented in the
group element marshalling form.

For a stage-0 cookie, the transcript hash is the intermediate hash
after updating with the client support message (if one was sent) and
challenge.  For other cookies it is the final hash.

For a stage-0 cookie, there may be any number of second-factor
records, including none; a second-factor type need not create a state
field if it does not need one, and no record is created for SF-NONE.
For other cookies, there must be exactly one second-factor record
corresponding to the factor type chosen by the client.

krb5-1.19.2/doc/formats/keytab_file_format.rst

.. _keytab_file_format:

Keytab file format
==================

There are two versions of the file format used by the FILE keytab
type.  The first byte of the file always has the value 5, and the
value of the second byte contains the version number (1 or 2).
Version 1 of the file format uses native byte order for integer
representations.  Version 2 always uses big-endian byte order.

After the two-byte version indicator, the file contains a sequence of
signed 32-bit record lengths followed by key records or holes.  A
positive record length indicates a valid key entry whose size is equal
to or less than the record length.  A negative length indicates a
zero-filled hole whose size is the inverse of the length.  A length of
0 indicates the end of the file.

Key entry format
----------------

A key entry may be smaller in size than the record length which
precedes it, because it may have replaced a hole which is larger than
the key entry.
Key entries use the following informal grammar::

    entry ::=
        principal
        timestamp (32 bits)
        key version (8 bits)
        enctype (16 bits)
        key length (16 bits)
        key contents
        key version (32 bits) [in release 1.14 and later]

    principal ::=
        count of components (16 bits) [includes realm in version 1]
        realm (data)
        component1 (data)
        component2 (data)
        ...
        name type (32 bits) [omitted in version 1]

    data ::=
        length (16 bits)
        value (length bytes)

The 32-bit key version overrides the 8-bit key version.  To determine
if it is present, the implementation must check that at least 4 bytes
remain in the record after the other fields are read, and that the
value of the 32-bit integer contained in those bytes is non-zero.

krb5-1.19.2/doc/formats/index.rst

Protocols and file formats
==========================

.. toctree::
   :maxdepth: 1

   ccache_file_format
   keytab_file_format
   rcache_file_format
   cookie
   freshness_token

krb5-1.19.2/doc/kadm5/adb-unit-test.tex

% This document is included for historical purposes only, and does not
% apply to krb5 today.

\documentstyle[times,fullpage]{article}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
\let\underscore=\_
\catcode`_=13
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\newcommand{\test}[1]{\begin{description}
\setlength{\itemsep}{0pt}
#1
\end{description}
}
\newcommand{\numtest}[2]{\begin{description}
\setlength{\itemsep}{0pt}
\Number{#1}
#2
\end{description}
}
\newcommand{\Number}[1]{\item[Number:] #1}
\newcommand{\Reason}[1]{\item[Reason:] #1}
%\newcommand{\Call}[1]{\item[Call:] #1}
\newcommand{\Expected}[1]{\item[Expected:] #1}
\newcommand{\Conditions}[1]{\item[Conditions:] #1}
\newcommand{\Priority}[1]{\item[Priority:] #1}
\newcommand{\Status}[1]{\item[Status:] #1}

%\newcommand{\Number}[1]{}
%\newcommand{\Reason}[1]{}
\newcommand{\Call}[1]{}
%\newcommand{\Expected}[1]{}
%\newcommand{\Conditions}[1]{}
%\newcommand{\Priority}[1]{}

\title{OpenV*Secure Admin Database API\\
Unit Test Description}
\author{Jonathan I. Kamens}

\begin{document}

\maketitle

%\tableofcontents

\section{Introduction}

The following is a description of a black-box unit test of the
OpenV*Secure Admin Database API (osa_adb).  Each API function is
listed, followed by the tests that should be performed on it.

The tests described here are based on the ``OV*Secure Admin Server
Implementation Design'' revision 1.14.
\section{osa_adb_get_lock and osa_adb_release_lock}

\numtest{1}{
\Reason{A shared lock can be acquired.}
\Status{Implemented}
}

\numtest{2}{
\Reason{An exclusive lock can be acquired and released.}
\Status{Implemented}
}

\numtest{3}{
\Reason{A permanent lock can be acquired and released.}
\Status{Implemented}
}

\numtest{4}{
\Reason{Attempting to release a lock when none is held fails with
NOTLOCKED.}
\Status{Implemented}
}

\numtest{5}{
\Reason{Two processes can both acquire a shared lock.}
\Status{Implemented}
}

\numtest{6}{
\Reason{An attempt to acquire a shared lock while another process
holds an exclusive lock fails with CANTLOCK_DB.}
\Status{Implemented}
}

\numtest{7}{
\Reason{An attempt to acquire an exclusive lock while another process
holds a shared lock fails with CANTLOCK_DB.}
\Status{Implemented}
}

\numtest{8}{
\Reason{An attempt to open the database while a process holds a
permanent lock fails with NO_LOCKFILE.}
\Status{Implemented}
}

\numtest{9}{
\Reason{An attempt to acquire an exclusive lock while a process holds
a permanent lock fails with NO_LOCKFILE.}
\Status{Implemented}
}

\numtest{10}{
\Reason{Acquiring a permanent lock deletes the lockfile.}
\Status{Implemented}
}

\numtest{11}{
\Reason{Releasing a permanent lock re-creates the lockfile.}
\Status{Implemented}
}

\numtest{12}{
\Reason{A process can perform a get operation while another process
holds a shared lock.}
\Status{Implemented}
}

\numtest{13}{
\Reason{A process that is running and has opened the adb principal
database can retrieve a principal created after the open occurred.}
\Status{Implemented, but not working}
}

\end{document}

krb5-1.19.2/doc/kadm5/api-server-design.tex

% This document is included for historical purposes only, and does not
% apply to krb5 today.
\documentstyle[12pt,fullpage]{article}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
\let\underscore=\_
\catcode`_=13
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\setlength{\parskip}{.7\baselineskip}
\setlength{\parindent}{0pt}

\def\v#1{\verb+#1+}
\def\k#1{K$_#1$}

\title{KADM5 Library and Server \\ Implementation Design}
\author{Barry Jaspan}

\begin{document}

\sloppy

\maketitle

{\setlength{\parskip}{0pt}\tableofcontents}

\section{Overview}

The KADM5 administration system is designed around the KADM5 API. The ``server-side'' library libkadm5srv.a implements the KADM5 API by operating directly on the underlying KDC and admin databases. The ``client-side'' library libkadm5clnt.a implements the KADM5 API via an RPC mechanism. The administration server kadmind accepts RPC requests from the client-side library and translates them into calls to the server-side library, performing authentication, authorization, and logging along the way.

The two libraries, libkadm5clnt.a and libkadm5srv.a, export the identical kadm5 interface; for example, both contain definitions for kadm5_get_principal, and all other kadm5 functions. In most cases, the client library function just marshalls arguments and results into and out of an RPC call, whereas the server library function performs the actual operation on the database file. kadm5_init_*, however, are substantially different even though they export the same interface: on the client, they establish the RPC connection and GSS-API context, whereas on the server side they open the database files, read in the password dictionary, and the like. Also, the kadm5_free functions operate on local process memory in both libraries.

The admin server is implemented as a nearly-stateless transaction server, where each admin API function represents a single transaction.
No per-client or per-connection information is stored; only local database handles are maintained between requests. The RPC mechanism provides access to remote callers' authentication credentials for authorization purposes.

The admin API is exported via an RPC interface that hides all details about network encoding, authentication, and encryption of data on the wire. The RPC mechanism does, however, allow the server to access the underlying authentication credentials for authorization purposes.

The admin system maintains two databases:
%
\begin{itemize}
\item The master Kerberos (KDC) database is used to store all the information that the Kerberos server understands, thus allowing the greatest functionality with no modifications to a standard KDC.
\item The KDC database also stores kadm5-specific per-principal information in each principal's krb5_tl_data list. In a prior version, this data was stored in a separate admin principal database; thus, when this document refers to ``the admin principal database,'' it now refers to the appropriate krb5_tl_data entries in the KDC database.
\item The policy database stores kadm5 policy information.
\end{itemize}

The per-principal information stored in the admin principal database consists of the principal's policy name and an array of the principal's previous keys. The old keys are stored encrypted in the key of the special principal ``kadmin/history'' that is created by the server library when it is first needed. Since a change in kadmin/history's key renders every principal's key history array useless, it can only be changed using the ovsec_adm_edit utility; that program will reencrypt every principal's key history in the new key.\footnote{ovsec_adm_edit has not yet been implemented, and there are currently no plans to implement it; thus, the history cannot currently be changed.} The server library refuses all requests to change kadmin/history's key.
\section{API Handles}

Each call to kadm5_init_* on the client or server creates a new API handle. The handles encapsulate the API and structure versions specified by kadm5_init_*'s caller and all other internal data needed by the library. A process can have multiple open API handles simultaneously by calling kadm5_init_* multiple times, and each call can specify a different version, client or service principal, and so forth.

Each kadm5 function verifies the handle it is given with the CHECK_HANDLE or _KADM5_CHECK_HANDLE macros. The CHECK_HANDLE macro differs for the client and server library because the handle types used by those libraries differ, so it is defined in both $<$client_internal.h$>$ and $<$server_internal.h$>$ in the library source directory. In each header file, CHECK_HANDLE first calls GENERIC_CHECK_HANDLE, defined in $<$admin_internal.h$>$, which verifies the magic number, API version, and structure version that is contained in both client and server handles. CHECK_HANDLE then calls either CLIENT_CHECK_HANDLE or SERVER_CHECK_HANDLE respectively to verify the client- or server-library specific handle fields.

The CHECK_HANDLE macro is useful because it inlines the handle check instead of requiring a separate function call. However, using CHECK_HANDLE means that a source file cannot be compiled once and included into both the client and server library, because CHECK_HANDLE is always specific to either the client or server library, not both. There are a number of functions that can be implemented with the same code in both the client and server libraries, however, including all of the kadm5_free functions and kadm5_chpass_principal_util. The _KADM5_CHECK_HANDLE macro solves this problem; instead of inlining the handle check, it calls the function _kadm5_check_handle which is defined separately in both the client and server library, in client_init.c and server_init.c.
Since these two files are only compiled once and put in a single library, they simply verify the handle they are passed with CHECK_HANDLE and return the result.

\section{API Versioning}

The KADM5 system was designed by OpenVision to support multiple versions of the KADM5 API. MIT has not adopted this level of support, and considers the KADM5 C API to be unstable from release to release. This section describes the original design intent; bear in mind that only the most recent API is supported by current MIT krb5 releases, and that the API version does not necessarily change with API changes unless there is a need to do so for wire compatibility.

Historically, three versions of the KADM5 API have existed: KADM5_API_VERSION_1 through KADM5_API_VERSION_3. The first version was equivalent to the initial OpenVision API, OVSEC_KADM_API_VERSION_1; the second was created during the initial integration of the OpenVision system into the MIT release; and the third was created for MIT krb5 1.8 to add lockout fields to policy entries. MIT dropped wire compatibility support for version 1 in MIT krb5 1.8 (as version 1 was never used in shipped MIT code), but retains wire compatibility support for version 2.

Implementing a versioned API in C with both local and RPC access presents a number of design issues, some of them quite subtle. The contexts in which versioning considerations must be made include:

\begin{enumerate}
\item Typedefs, function declarations, and defined constants depend on the API version a client is written to and must be correct at compile time.
\item Each function in the server library must behave according to the API version specified by the caller at runtime to kadm5_init_*.
\item The XDR functions used by the RPC layer to transmit function arguments and results must encode data structures correctly depending on the API version specified by the client at runtime.
\item Each function in the client library must behave according to the API version specified by the caller at runtime to kadm5_init_*.
\item The RPC server (kadmind) must accept calls from a client using any supported API version, and must then invoke the function in the server library corresponding to the RPC with the API version indicated by the client caller.
\item When a first API function is invoked that needs to call a second function in the API on its own behalf, and that second API function's behavior depends on the API version specified, the first API function must either be prepared to call the second API function at whatever version its caller specifies or have a means of always calling the second API function at a pre-determined version.
\end{enumerate}

The following sections describe how each context is handled.

\subsection{Designing for future compatibility}

Any code whose behavior depends on the API version should be written so as to be compatible with future, currently unknown API versions on the grounds that any particular piece of API behavior will most likely not change between versions. For example, in the current system, the code is not written as ``if this is VERSION_1, do X, else if this is VERSION_2, do Y''; instead, it is written as ``if this is VERSION_1, do X; else, do Y.'' The former will require additional work when VERSION_3 is defined, even if ``do Y'' is still the correct action, whereas the latter will work without modification in that case.

\subsection{Header file declarations}

Typedefs, defined constants and macros, and function declarations may change between versions. A client is always written to a single, specific API version, and thus expects the header files to define everything according to that API. Failure of a header file to define values correctly will result in either compiler warnings (e.g. if the pointer type of a function argument changes) or fatal errors (e.g.
if the number of arguments to a function changes, or the fields of a structure change). For example, in VERSION_1, kadm5_get_policy took a pointer to a pointer to a structure, and in VERSION_2 it takes a pointer to a structure; that would generate a warning if not correct. In VERSION_1, kadm5_randkey_principal accepted three arguments but in VERSION_2 accepts four; that would generate a fatal error.

The header file defines everything correctly based on the value of the USE_KADM5_API_VERSION constant. The constant can be assigned to an integer corresponding to any supported API version, and defaults to the newest version. The header files then simply use an \#ifdef to include the right definitions:
%
\begin{verbatim}
#if USE_KADM5_API_VERSION == 1
kadm5_ret_t    kadm5_get_principal(void *server_handle,
                                   krb5_principal principal,
                                   kadm5_principal_ent_t *ent);
#else
kadm5_ret_t    kadm5_get_principal(void *server_handle,
                                   krb5_principal principal,
                                   kadm5_principal_ent_t ent,
                                   long mask);
#endif
\end{verbatim}

\subsection{Server library functions}

Server library functions must know how many and what type of arguments to expect, and must operate on those arguments correctly, based on the API version with which they are invoked. The API version is contained in the handle that is always passed as their first argument, generated by kadm5_init_* (to which the client specified the API version to use at run-time).

In general, it is probably unsafe for a compiled function in a library to re-interpret the number and type of defined arguments at run-time since the calling conventions may not allow it; for example, a function whose first argument was a short in one version and a pointer in the next might fail if it simply typed-casted the argument. In that case, the function would have to be written to take variable arguments (i.e. use $<$stdarg.h$>$) and extract them from the stack based on the API version.
Alternatively, a separate function for each API version could be defined, and $<$kadm5/admin.h$>$ could be written to \v{\#define} the exported function name based on the value of USE_KADM5_API_VERSION. In the current system, it turns out, that isn't necessary, and future implementors should try to ensure that no version has semantics that will cause such problems in the future.

All the functions in KADM5 that have different arguments or results between VERSION_1 and VERSION_2 do so simply by type-casting their arguments to the appropriate version and then have separate code paths to handle each one correctly. kadm5_get_principal, in svr_principal.c, is a good example. In VERSION_1, it took the address of a pointer to a kadm5_principal_ent_t to fill in with a pointer to allocated memory; in VERSION_2, it takes a pointer to a structure to fill in, and a mask of which fields in that structure should be filled in. Also, the contents of the kadm5_principal_ent_t changed slightly between the two versions. kadm5_get_principal handles versioning as follows (following along in the source code will be helpful):

\begin{enumerate}
\item If VERSION_1, it saves away its entry argument (address of a pointer to a structure) and resets its value to contain the address of a locally stack-allocated entry structure; this allows most of the function to be written once, in terms of VERSION_2 semantics. If VERSION_1, it also resets its mask argument to be KADM5_PRINCIPAL_NORMAL_MASK, because that is the equivalent to VERSION_1 behavior, which was to return all the fields of the structure.
\item The bulk of the function is implemented as expected for VERSION_2.
\item The new fields in the VERSION_2 entry structure are assigned inside a block that is only executed if the caller specified VERSION_2. This saves a little time for a VERSION_1 caller.
\item After the entry structure is filled, the function checks again if it was called as VERSION_1.
If so, it allocates a new kadm5_principal_ent_t_v1 structure (which is conveniently defined in the header file) with malloc, copies the appropriate values from the entry structure into the VERSION_1 entry structure, and then writes the address of the newly allocated memory into address specified by the original entry argument which it had previously saved away.
\end{enumerate}

There is another complication involved in a function re-interpreting the number of arguments it receives at compile time---it cannot assign any value to an argument for which the client did not pass a value. For example, a VERSION_1 client only passes three arguments to kadm5_get_principal. If the implementation of kadm5_get_principal notices that the caller is VERSION_1 and therefore assigns its fourth argument, mask, to a value that mimics the VERSION_1 behavior, it may inadvertently overwrite data on its caller's stack. This problem can be avoided simply by using a true local variable in such cases, instead of treating an unpassed argument as a local variable.

\subsection{XDR functions}

The XDR functions used to encode function arguments and results must know how to encode the data for any API version. This is important both so that all the data gets correctly transmitted and so that protocol compatibility between clients or servers using the new library but an old API version is maintained; specifically, new kadmind servers should support old kadm5 clients.

The signature of all XDR functions is strictly defined: they take the address of an XDR function and the address of the data object to be encoded or decoded. It is thus impossible to provide the API version of the data object as an additional argument to an XDR function. There are two other means to convey the information, storing the API version to use as a field in the data object itself and creating separate XDR functions to handle each different version of the data object, and both of them are used in KADM5.
In the client library, each kadm5 function collects its arguments into a single structure to be passed by the RPC; similarly, it expects all of the results to come back as a single structure from the RPC that it will then decode back into its constituent pieces (these are the standard ONC RPC semantics). In order to pass versioning information to the XDR functions, each function argument and result datatype has a field to store the API version. For example, consider kadm5_get_principal's structures:
%
\begin{verbatim}
struct gprinc_arg {
        krb5_ui_4 api_version;
        krb5_principal princ;
        long mask;
};
typedef struct gprinc_arg gprinc_arg;
bool_t xdr_gprinc_arg();

struct gprinc_ret {
        krb5_ui_4 api_version;
        kadm5_ret_t code;
        kadm5_principal_ent_rec rec;
};
typedef struct gprinc_ret gprinc_ret;
bool_t xdr_gprinc_ret();
\end{verbatim}
%
kadm5_get_principal (in client_principal.c) assigns the api_version field of the gprinc_arg to the version specified by its caller, assigns the princ field based on its arguments, and assigns the mask field from its argument if the caller specified VERSION_2. It then calls the RPC function clnt_call, specifying the XDR functions xdr_gprinc_arg and xdr_gprinc_ret to handle the arguments and results.

xdr_gprinc_arg is invoked with a pointer to the gprinc_arg structure just described. It first encodes the api_version field; this allows the server to know what to expect. It then encodes the krb5_principal structure and, if api_version is VERSION_2, the mask. If api_version is not VERSION_2, it does not encode {\it anything} in place of the mask, because an old VERSION_1 server will not expect any other data to arrive on the wire there.

The server performs the kadm5_get_principal call and returns its results in an XDR encoded gprinc_ret structure. clnt_call, which has been blocking until the results arrived, invokes xdr_gprinc_ret with a pointer to the encoded data for it to decode.
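The encoding discipline just described for xdr_gprinc_arg and xdr_gprinc_ret, and the per-version record decoders the next paragraph explains, as an added byte-level model; this is not kadm5's XDR code. Big-endian 32-bit fields and a length-prefixed string stand in for XDR, and the wire_* names, the record layouts and the sample bytes are constructed assumptions. The version goes first, the mask is emitted only for VERSION_2 (nothing takes its place otherwise), and on the result side the decoder for the embedded record is chosen from the api_version that precedes it, because the record carries no version field of its own:

```c
/* Added example (not kadm5's XDR code): a byte-buffer model of how the
 * API version is carried on the wire for gprinc_arg and gprinc_ret.
 * Big-endian 32-bit integers stand in for XDR; all wire_* names are
 * hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define WIRE_API_VERSION_1 1
#define WIRE_API_VERSION_2 2

typedef struct { uint32_t api_version; char princ[32]; uint32_t mask; } wire_gprinc_arg;
/* The VERSION_1 record is just the kvno; VERSION_2 appends one field. */
typedef struct { uint32_t kvno; uint32_t fail_auth_count; } wire_rec;
typedef struct { uint32_t api_version; uint32_t code; wire_rec rec; } wire_gprinc_ret;

static size_t put_u32(uint8_t *buf, uint32_t v) {
    buf[0] = (uint8_t)(v >> 24); buf[1] = (uint8_t)(v >> 16);
    buf[2] = (uint8_t)(v >> 8);  buf[3] = (uint8_t)v;
    return 4;
}
static size_t get_u32(const uint8_t *buf, uint32_t *v) {
    *v = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
         ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    return 4;
}

/* Encode: api_version first, then the principal (length-prefixed), then
 * the mask only for VERSION_2.  Nothing at all is written in the mask's
 * place for VERSION_1, since a VERSION_1 peer expects no more bytes there.
 * Returns the encoded length, or 0 if the buffer is too small. */
size_t wire_encode_gprinc_arg(const wire_gprinc_arg *a, uint8_t *buf, size_t cap) {
    size_t n = 0, len = strlen(a->princ);
    size_t need = 4 + 4 + len + (a->api_version == WIRE_API_VERSION_2 ? 4 : 0);
    if (cap < need) return 0;
    n += put_u32(buf + n, a->api_version);
    n += put_u32(buf + n, (uint32_t)len);
    memcpy(buf + n, a->princ, len); n += len;
    if (a->api_version == WIRE_API_VERSION_2) n += put_u32(buf + n, a->mask);
    return n;
}

/* Decode: read api_version first and let it decide whether a mask follows.
 * Returns bytes consumed, or 0 for malformed or truncated input. */
size_t wire_decode_gprinc_arg(const uint8_t *buf, size_t len, wire_gprinc_arg *a) {
    size_t n = 0; uint32_t slen;
    memset(a, 0, sizeof(*a));
    if (len < 8) return 0;
    n += get_u32(buf + n, &a->api_version);
    n += get_u32(buf + n, &slen);
    if (slen >= sizeof(a->princ) || len - n < slen) return 0;
    memcpy(a->princ, buf + n, slen); n += slen;
    if (a->api_version == WIRE_API_VERSION_2) {
        if (len - n < 4) return 0;            /* VERSION_2 promised a mask */
        n += get_u32(buf + n, &a->mask);
    }
    return n;
}

/* Two record decoders, one per version, because the record itself has no
 * version field (the point made about kadm5_principal_ent_rec). */
static size_t decode_rec_v1(const uint8_t *buf, size_t len, wire_rec *r) {
    if (len < 4) return 0;
    return get_u32(buf, &r->kvno);
}
static size_t decode_rec_v2(const uint8_t *buf, size_t len, wire_rec *r) {
    if (len < 8) return 0;
    get_u32(buf, &r->kvno);
    get_u32(buf + 4, &r->fail_auth_count);
    return 8;
}

size_t wire_decode_gprinc_ret(const uint8_t *buf, size_t len, wire_gprinc_ret *r) {
    size_t n = 0, m;
    memset(r, 0, sizeof(*r));
    if (len < 8) return 0;
    n += get_u32(buf + n, &r->api_version);
    n += get_u32(buf + n, &r->code);
    /* pick the record decoder from the api_version that just arrived */
    m = (r->api_version == WIRE_API_VERSION_1)
            ? decode_rec_v1(buf + n, len - n, &r->rec)
            : decode_rec_v2(buf + n, len - n, &r->rec);
    return m == 0 ? 0 : n + m;
}
```

Encoding the same argument structure at VERSION_1 yields four fewer bytes than at VERSION_2, and a VERSION_2 message cut short before its mask is rejected rather than silently decoded as VERSION_1 data; the result decoder likewise refuses a record shorter than the version it was told to expect.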
xdr_gprinc_ret first decodes the api_version field, and then the code field since that is present in all versions to date. The kadm5_principal_ent_rec presents a problem, however. The structure does not itself contain an api_version field, but the structure is different between the two versions. Thus, a single XDR function cannot decode both versions of the structure because it will have no way to decide which version to expect. The solution is to have two functions, kadm5_principal_ent_rec_v1 and kadm5_principal_ent_rec, which always decode according to VERSION_1 or VERSION_2, respectively. gprinc_ret knows which one to invoke because it has the api_version field returned by the server (which is always the same as that specified by the client in the gprinc_arg).

In hindsight, it probably would have been better to encode the API version of all structures directly in a version field in the structure itself; then multiple XDR functions for a single data type wouldn't be necessary, and the data objects would stand complete on their own. This can be added in a future API version if desired.

\subsection{Client library functions}

Just as with server library functions, client library functions must be able to interpret their arguments and provide results according to the API version specified by the caller. Again, kadm5_get_principal (in client_principal.c) is a good example. The gprinc_ret structure that it gets back from clnt_call contains a kadm5_principal_ent_rec or a kadm5_principal_ent_rec_v1 (the logic is simplified somewhat because the VERSION_2 structure only has new fields added on the end). If kadm5_get_principal was invoked with VERSION_2, that structure should be copied into the pointer provided as the entry argument; if it was invoked with VERSION_1, however, the structure should be copied into allocated memory whose address is then written into the pointer provided by the entry argument.
Client library functions make this determination based on the API version specified in the provided handle, just like server library functions do.

\subsection{Admin server stubs}

When an RPC call arrives at the server, the RPC layer authenticates the call using the GSS-API, decodes the arguments into their single-structure form (i.e., a gprinc_arg) and dispatches the call to a stub function in the server (in server_stubs.c). The stub function first checks the caller's authorization to invoke the function and, if authorized, calls the kadm5 function corresponding to the RPC function with the arguments specified in the single-structure argument.

Once again, kadm5_get_principal is a good example for the issues involved. The contents of the gprinc_arg given to the stub (get_principal_1) depends on the API version the caller on the client side specified; that version is available to the server in the api_version field of the gprinc_arg. When the server calls kadm5_get_principal in the server library, it must give that function an API handle that contains the API version requested by the client; otherwise the function semantics might not be correct. One possibility would be for the server to call kadm5_init for each client request, specifying the client's API version number and thus generating an API handle with the correct version, but that would be prohibitively inefficient. Instead, the server dips down in the server library's internal abstraction barrier, using the function new_server_handle to cons up a server handle based on the server's own global_server_handle but using the API version specified by the client. The server then passes the newly generated handle to kadm5_get_principal, ensuring the right behavior, and creates the gprinc_ret structure in a manner similar to that described above.
Although new_server_handle solves the problem of providing the server with an API handle containing the right API version number, it does not solve another problem: that a single source file, server_stubs.c, needs to be able to invoke functions with arguments appropriate for multiple API versions. If the client specifies VERSION_1, for example, the server must invoke kadm5_get_principal with three arguments, but if the client specifies VERSION_2 the server must invoke kadm5_get_principal with four arguments. The compiler will not allow this inconsistency. The server defines wrapper functions in a separate source file that match the old version, and the separate source file is compiled with USE_KADM5_API_VERSION set to the old version; see kadm5_get_principal_v1 in server_glue_v1.c. The server then calls the correct variant of kadm5_get_principal_* based on the API version and puts the return values into the gprinc_ret in a manner similar to that described above.

Neither of these solutions is necessarily correct. new_server_handle violates the server library's abstraction barrier and is at best a kludge; the server library should probably export a function to provide this behavior without violating the abstraction; alternatively, the library should be modified so that having the server call kadm5_init for each client RPC request would not be too inefficient. The glue functions in server_glue_v1.c really are not necessary, because the server stubs could always just pass dummy arguments for the extra arguments; after all, the glue functions pass {\it nothing} for the extra arguments, so they just end up as stack garbage anyway.

Another alternative to the new_server_handle problem is to have the server always invoke server library functions at a single API version, and then have the stubs take care of converting the function arguments and results back into the form expected by the caller.
In general, however, this might require the stubs to duplicate substantial logic already present in the server library and further violate the server library's abstraction barrier.

\subsection{KADM5 self-reference}

Some kadm5 functions call other kadm5 functions ``on their own behalf'' to perform functionality that is necessary but that does not directly affect what the client sees. For example, kadm5_chpass_principal has to enforce password policies; thus, it needs to call kadm5_get_principal and, if the principal has a policy, kadm5_get_policy and kadm5_modify_principal in the process of changing a principal's password. This leads to a complication: what API handle should kadm5_chpass_principal pass to the other kadm5 functions it calls?

The ``obvious,'' but wrong, answer is that it should pass the handle it was given by its caller. The caller may provide an API handle specifying any valid API version. Although the semantics of kadm5_chpass_principal did not change between VERSION_1 and VERSION_2, the declarations of both kadm5_get_principal and kadm5_get_policy did. Thus, to use the caller's API handle, kadm5_chpass_principal will have to have a separate code path for each API version, even though it itself did not change between versions, and duplicate a lot of logic found elsewhere in the library.

Instead, each API handle contains a ``local-use handle,'' or lhandle, that kadm5 functions should use to call other kadm5 functions. For example, the client-side library's handle structure is:
%
\begin{verbatim}
typedef struct _kadm5_server_handle_t {
        krb5_ui_4       magic_number;
        krb5_ui_4       struct_version;
        krb5_ui_4       api_version;
        char *          cache_name;
        int             destroy_cache;
        CLIENT *        clnt;
        krb5_context    context;
        kadm5_config_params params;
        struct _kadm5_server_handle_t *lhandle;
} kadm5_server_handle_rec, *kadm5_server_handle_t;
\end{verbatim}
%
The lhandle field is allocated automatically when the handle is created.
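Two of the mechanisms described in this section, the kadm5_get_principal walkthrough (save the VERSION_1 output pointer, work on a stack-allocated VERSION_2 entry, never write to an argument the caller may not have passed) and the constant-version lhandle that the following paragraphs explain, as one added toy model in C. This is not kadm5's own code: the toy_* names, the mask bits and the single ``alice'' record are constructed assumptions, and the real handle and entry structures carry many more fields.

```c
/* Added example, not kadm5's own code: a toy model of (1) a server-library
 * function whose argument semantics depend on the API version carried in
 * its handle, as kadm5_get_principal does, and (2) the "lhandle" that a
 * kadm5 function passes when it calls another kadm5 function on its own
 * behalf.  All toy_* names and the mask values are hypothetical. */
#include <stdlib.h>
#include <string.h>

#define TOY_API_VERSION_1 1
#define TOY_API_VERSION_2 2
#define TOY_KVNO_MASK   0x1            /* constructed field-selection masks */
#define TOY_POLICY_MASK 0x2
#define TOY_PRINCIPAL_NORMAL_MASK (TOY_KVNO_MASK | TOY_POLICY_MASK)

/* VERSION_1 entry, and the VERSION_2 entry that only appends a field. */
typedef struct { int kvno; char policy[16]; } toy_principal_ent_v1;
typedef struct { int kvno; char policy[16]; int fail_auth_count; } toy_principal_ent;

typedef struct toy_handle {
    int api_version;                   /* version the caller asked for */
    struct toy_handle *lhandle;        /* pinned version; points to itself */
} toy_handle_t;

/* Constructed stand-in for the single principal "alice" in the database. */
static const toy_principal_ent toy_db_alice = { 5, "default", 3 };

/* Like kadm5_init: the lhandle mirrors the handle but pins api_version. */
toy_handle_t *toy_init(int api_version) {
    toy_handle_t *h = calloc(1, sizeof(*h));
    toy_handle_t *lh = calloc(1, sizeof(*lh));
    if (h == NULL || lh == NULL) { free(h); free(lh); return NULL; }
    h->api_version = api_version;
    lh->api_version = TOY_API_VERSION_2;  /* constant, whatever the caller chose */
    lh->lhandle = lh;                     /* any depth of ->lhandle lands here */
    h->lhandle = lh;
    return h;
}

void toy_destroy(toy_handle_t *h) { if (h) { free(h->lhandle); free(h); } }

/* Models kadm5_get_principal.  A VERSION_1 caller passes the address of a
 * pointer in 'ent' and, in the real API, passes no 'mask' at all; so the
 * function never writes to 'mask' and decides everything from a true local. */
int toy_get_principal(toy_handle_t *h, const char *name, void *ent, long mask) {
    toy_principal_ent local;               /* VERSION_2-shaped scratch entry */
    toy_principal_ent *out;
    toy_principal_ent_v1 **v1_out = NULL;
    long use_mask;                         /* local, not the (maybe absent) argument */

    if (h->api_version == TOY_API_VERSION_1) {
        v1_out = (toy_principal_ent_v1 **)ent;   /* save the caller's pointer */
        out = &local;
        use_mask = TOY_PRINCIPAL_NORMAL_MASK;    /* VERSION_1 returned every field */
    } else {
        out = (toy_principal_ent *)ent;
        use_mask = mask;
    }
    if (strcmp(name, "alice") != 0) return 1;    /* constructed "unknown principal" */

    /* The bulk of the work is written once, in VERSION_2 terms. */
    memset(out, 0, sizeof(*out));
    if (use_mask & TOY_KVNO_MASK) out->kvno = toy_db_alice.kvno;
    if (use_mask & TOY_POLICY_MASK) strcpy(out->policy, toy_db_alice.policy);
    if (h->api_version != TOY_API_VERSION_1)     /* field that exists only in VERSION_2 */
        out->fail_auth_count = toy_db_alice.fail_auth_count;

    if (v1_out != NULL) {                        /* VERSION_1: hand back allocated memory */
        toy_principal_ent_v1 *v1 = malloc(sizeof(*v1));
        if (v1 == NULL) return 2;
        v1->kvno = local.kvno;
        memcpy(v1->policy, local.policy, sizeof(v1->policy));
        *v1_out = v1;
    }
    return 0;
}

/* Models the policy lookup inside kadm5_chpass_principal: it calls
 * toy_get_principal through h->lhandle, so it always gets VERSION_2
 * semantics and needs no per-version code path of its own. */
int toy_chpass_policy(toy_handle_t *h, const char *name, char *policy_out, size_t len) {
    toy_principal_ent ent;
    int ret = toy_get_principal(h->lhandle, name, &ent, TOY_POLICY_MASK);
    if (ret != 0) return ret;
    strncpy(policy_out, ent.policy, len);
    policy_out[len - 1] = '\0';
    return 0;
}
```

A VERSION_1 caller passes the address of a pointer and receives malloc'd memory it must free; a VERSION_2 caller passes a structure and a mask. The mask argument is only ever read, and only on the VERSION_2 path, which is the stack-safety point made above; toy_chpass_policy never inspects its caller's version because it goes through h->lhandle, whose api_version is fixed and whose own lhandle field points back to itself.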
All of the fields of the API handle that are accessed outside kadm5_init are also duplicated in the lhandle; however, the api_version field of the lhandle is always set to a {\it constant} value, regardless of the API version specified by the caller to kadm5_init. In the current implementation, the lhandle's api_version is always VERSION_2. By passing the caller's handle's lhandle to recursively called kadm5 functions, a kadm5 function is assured of invoking the second kadm5 function with a known API version. Additionally, the lhandle's lhandle field points back to the lhandle, in case kadm5 functions call themselves more than one level deep; handle$->$lhandle always points to the same lhandle, no matter how many times the indirection is performed.

This scheme might break down if a kadm5 function has to call another kadm5 function to perform operations that the client will see and for its own benefit, since the semantics of the recursively-called kadm5 function may depend on the API version specified and the client may be depending on a particular version's behavior. Future implementors should avoid creating a situation in which this is possible.

\section{Server Main}

The admin server starts by trapping all fatal signals and directing them to a cleanup-and-exit function. It then creates and exports the RPC interface and enters its main loop. The main loop dispatches all incoming requests to the RPC mechanism.

In a previous version, after 15 seconds of inactivity, the server closed all open databases; each database was automatically reopened by the API function implementations as necessary. That behavior existed to protect against loss of written data before the process exited. The current database libraries write all changes out to disk immediately, however, so this behavior is no longer required or performed.

\section{Remote Procedure Calls}

The RPC for the Admin system will be based on ONC RPC.
ONC RPC is used because it is a well-known, portable RPC mechanism. The underlying external data representation (xdr) mechanisms for wire encapsulation are well-known and extensible. Authentication to the admin server and encryption of all RPC functional arguments and results are handled via the AUTH_GSSAPI authentication flavor of ONC RPC.

\section{Database Record Types}
\label{sec:db-types}

\subsection{Admin Principal, osa_princ_ent_t}

The admin principal database stores records of the type osa_princ_ent_t (declared in $<$kadm5/adb.h$>$), which is the subset of the kadm5_principal_ent_t structure that is not stored in the Kerberos database plus the necessary bookkeeping information. The records are keyed by the ASCII representation of the principal's name, including the trailing NULL.

\begin{verbatim}
typedef struct _osa_pw_hist_t {
    int n_key_data;
    krb5_key_data *key_data;
} osa_pw_hist_ent, *osa_pw_hist_t;

typedef struct _osa_princ_ent_t {
    char                *policy;
    u_int32             aux_attributes;
    unsigned int        old_key_len;
    unsigned int        old_key_next;
    krb5_kvno           admin_history_kvno;
    osa_pw_hist_ent     *old_keys;
    u_int32             num_old_keys;
    u_int32             next_old_key;
} osa_princ_ent_rec, *osa_princ_ent_t;
\end{verbatim}

The fields that are different from kadm5_principal_ent_t are:

\begin{description}
\item[num_old_keys] The number of previous keys in the old_keys array. This value must be 0 $\le$ num_old_keys $<$ pw_history_num.
\item[old_key_next] The index into old_keys where the next key should be inserted. This value must be 0 $\le$ old_key_next $\le$ num_old_keys.
\item[admin_history_kvno] The key version number of the kadmin/history principal's key used to encrypt the values in old_keys. If the server library finds that kadmin/history's kvno is different from the value in this field, it returns KADM5_BAD_HIST_KEY.
\item[old_keys] The array of the principal's previous passwords, each encrypted in the kadmin/history key.
There are num_old_keys elements. Each ``password'' in the array is itself an array of n_key_data krb5_key_data structures, one for each keysalt type the password was encoded in.
\end{description}

\subsection{Policy, osa_policy_ent_t}

The policy database stores records of the type osa_policy_ent_t (declared in $<$kadm5/adb.h$>$), which is all of kadm5_policy_ent_t plus necessary bookkeeping information. The records are keyed by the policy name.

\begin{verbatim}
typedef struct _osa_policy_ent_t {
    char        *policy;
    u_int32     pw_min_life;
    u_int32     pw_max_life;
    u_int32     pw_min_length;
    u_int32     pw_min_classes;
    u_int32     pw_history_num;
    u_int32     refcnt;
} osa_policy_ent_rec, *osa_policy_ent_t;
\end{verbatim}

\subsection{Kerberos, krb5_db_entry}

The Kerberos database stores records of type krb5_db_entry, which is defined in the $<$k5-int.h$>$ header file. The semantics of each field are defined in the libkdb functional specification.

\section{Database Access Methods}

\subsection{Principal and Policy Databases}

This section describes the database abstraction used for the admin policy database; the admin principal database used to be treated in the same manner but is now handled more directly as krb5_tl_data; thus, nothing in this section applies to it any more. Since both databases export equivalent functionality, the API is only described once. The character T is used to represent both ``princ'' and ``policy''. The location of the principal database is defined by the configuration parameters given to any of the kadm5_init functions in the server library.

Note that this is {\it only} a database abstraction. All functional intelligence, such as maintaining policy reference counts or sanity checking, must be implemented above this layer.

Prototypes for the osa functions are supplied in $<$kadm5/adb.h$>$. The routines are defined in libkadm5srv.a. They require linking with the Berkeley DB library.

\subsubsection{Error codes}

The database routines use com_err for error codes.
The error code table name is ``adb'' and the offsets are the same as the order presented here. The error table header file is $<$kadm5/adb_err.h$>$. Callers of the OSA routines should first call init_adb_err_tbl() to initialize the database table.

\begin{description}
\item[OSA_ADB_OK] Operation successful.
\item[OSA_ADB_FAILURE] General failure.
\item[OSA_ADB_DUP] Operation would create a duplicate database entry.
\item[OSA_ADB_NOENT] Named entry not in database.
\item[OSA_ADB_BAD_PRINC] The krb5_principal structure is invalid.
\item[OSA_ADB_BAD_POLICY] The specified policy name is invalid.
\item[OSA_ADB_XDR_FAILURE] The principal or policy structure cannot be encoded for storage.
\item[OSA_ADB_BADLOCKMODE] Bad lock mode specified.
\item[OSA_ADB_CANTLOCK_DB] Cannot lock database, presumably because it is already locked.
\item[OSA_ADB_NOTLOCKED] Internal error, database not locked when unlock is called.
\item[OSA_ADB_NOLOCKFILE] KADM5 administration database lock file missing.
\end{description}

Database functions can also return system errors. Unless otherwise specified, database functions return OSA_ADB_OK.

\subsubsection{Locking}

All of the osa_adb functions except open and close lock and unlock the database to prevent concurrency collisions. The overall locking algorithm is as follows:

\begin{enumerate}
\item osa_adb_open_T calls osa_adb_init_db to allocate the osa_adb_T_t structure and open the locking file for further use.
\item Each osa_adb function locks the locking file and opens the appropriate database with osa_adb_open_and_lock, performs its action, and then closes the database and unlocks the locking file with osa_adb_close_and_unlock.
\item osa_adb_close_T calls osa_adb_fini_db to close the locking file and deallocate the db structure.
\end{enumerate}

Functions which modify the database acquire an exclusive lock, others acquire a shared lock.
osa_adb_iter_T acquires an exclusive lock for safety but, as stated
below, the consequences of modifying the database in the iteration
function are undefined.

\subsubsection{Function descriptions}

\begin{verbatim}
osa_adb_ret_t osa_adb_create_T_db(kadm5_config_params *params)
\end{verbatim}
%
Create the database and lockfile specified in params.  The database
must not already exist, or EEXIST is returned.  The lock file is only
created after the database file has been created successfully.

\begin{verbatim}
osa_adb_ret_t osa_adb_rename_T_db(kadm5_config_params *fromparams,
                                  kadm5_config_params *toparams)
\end{verbatim}
%
Rename the database named by fromparams to that named by toparams.
The fromparams database must already exist; the toparams database may
exist or not.  When the function returns, the database named by
fromparams no longer exists, and toparams has been overwritten with
fromparams.  This function acquires a permanent lock on both
databases for the duration of its operation, so a failure is likely
to leave the databases unusable.

\begin{verbatim}
osa_adb_ret_t osa_adb_destroy_policy_db(kadm5_config_params *params)
\end{verbatim}
%
Destroy the database named by params.  The database file and lock
file are deleted.

\begin{verbatim}
osa_adb_ret_t osa_adb_open_T(osa_adb_T_t *db, char *filename);
\end{verbatim}
%
Open the database named filename.  Returns OSA_ADB_NOLOCKFILE if the
database does not exist or if the lock file is missing.  The database
is not actually opened in the operating-system file sense until a
lock is acquired.

\begin{verbatim}
osa_adb_ret_t osa_adb_close_T(osa_adb_T_t db);
\end{verbatim}
%
Release all shared or exclusive locks (on BOTH databases, since they
use the same lock file) and close the database.  It is an error to
exit while a permanent lock is held; OSA_ADB_NOLOCKFILE is returned
in this case.
\begin{verbatim}
osa_adb_ret_t osa_adb_get_lock(osa_adb_T_t db, int mode)
\end{verbatim}
Acquire a lock on the administration databases; note that both
databases are locked simultaneously by a single call.  The mode
argument can be OSA_ADB_SHARED, OSA_ADB_EXCLUSIVE, or
OSA_ADB_PERMANENT.  The first two and the third are really disjoint
locking semantics and should not be interleaved.

Shared and exclusive locks have the usual semantics, and a program
can upgrade a shared lock to an exclusive lock by calling the
function again.  A reference count of open locks is maintained by
this function and osa_adb_release_lock so the functions can be called
multiple times; the actual lock is not released until the final
osa_adb_release_lock.  Note, however, that once a lock is upgraded
from shared to exclusive, or from exclusive to permanent, it is not
downgraded again until released completely.  In other words,
get_lock(SHARED), get_lock(EXCLUSIVE), release_lock() leaves the
process with an exclusive lock with a reference count of one.  An
attempt to get a shared or exclusive lock that conflicts with another
process results in the OSA_ADB_CANTLOCK_DB error code.

This function and osa_adb_release_lock are called automatically as
needed by all other osa_adb functions to acquire shared and exclusive
locks and so are not normally needed.  They can be used explicitly by
a program that wants to perform multiple osa_adb functions within the
context of a single lock.

Acquiring an OSA_ADB_PERMANENT lock is different.  A permanent lock
consists of first acquiring an exclusive lock and then {\it deleting
the lock file}.  Any subsequent attempt to acquire a lock by a
different process will fail with OSA_ADB_NOLOCKFILE instead of
OSA_ADB_CANTLOCK_DB (attempts in the same process will ``succeed''
because only the reference count gets incremented).  The lock file is
recreated by osa_adb_release_lock when the last pending lock is
released.
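The reference-count, upgrade and permanent-lock rules above are easiest
to check by running them.  What follows is an added example written for
this page, not code from krb5 or the kadm5 library: the names (adb_lock,
adb_get_lock, adb_release_lock, adb_close), the use of fcntl() record
locks on a single lock file, and the fixed lock-file path are
assumptions standing in for the osa_adb internals.  It walks the
sequence the text describes and, by forking a child for each probe,
shows what a different process sees at each point: OSA_ADB_CANTLOCK_DB
while an exclusive lock is held, OSA_ADB_NOLOCKFILE once a permanent
lock has deleted the lock file.

```c
/* Added example, not krb5 code: a model of the osa_adb_get_lock /
 * osa_adb_release_lock rules described above.  The names, the fcntl()
 * record locks and the single lock-file path are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum { ADB_SHARED = 1, ADB_EXCLUSIVE = 2, ADB_PERMANENT = 3 };
enum { ADB_OK = 0, ADB_BADLOCKMODE = 1, ADB_CANTLOCK_DB = 2,
       ADB_NOTLOCKED = 3, ADB_NOLOCKFILE = 4 };

typedef struct {
    char path[256];   /* one lock file covers both databases */
    int fd;           /* open while any lock is held, else -1 */
    int mode;         /* highest mode acquired so far, 0 when unlocked */
    int refcnt;       /* get_lock calls not yet matched by release_lock */
} adb_lock;

/* Non-blocking whole-file record lock: type is F_RDLCK, F_WRLCK or F_UNLCK. */
static int set_lock(int fd, short type) {
    struct flock fl; memset(&fl, 0, sizeof(fl));
    fl.l_type = type; fl.l_whence = SEEK_SET;   /* l_start = l_len = 0: whole file */
    return fcntl(fd, F_SETLK, &fl);             /* fails if another process conflicts */
}

void adb_init(adb_lock *l, const char *path) {
    snprintf(l->path, sizeof(l->path), "%s", path);
    l->fd = -1; l->mode = 0; l->refcnt = 0;
}

/* Mirrors the last step of osa_adb_create_T_db: the lock file appears last. */
int adb_create_lockfile(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return ADB_NOLOCKFILE;
    close(fd);
    return ADB_OK;
}

int adb_get_lock(adb_lock *l, int mode) {
    if (mode < ADB_SHARED || mode > ADB_PERMANENT) return ADB_BADLOCKMODE;
    if (l->refcnt > 0 && mode <= l->mode) { l->refcnt++; return ADB_OK; } /* nested; never downgrade */
    if (l->fd < 0 && (l->fd = open(l->path, O_RDWR)) < 0)
        return ADB_NOLOCKFILE;   /* lock file gone: someone holds a permanent lock */
    if (set_lock(l->fd, mode == ADB_SHARED ? F_RDLCK : F_WRLCK) < 0) {
        if (l->refcnt == 0) { close(l->fd); l->fd = -1; }
        return ADB_CANTLOCK_DB;  /* conflicting shared/exclusive lock in another process */
    }
    /* permanent = exclusive lock plus deleting the lock file */
    if (mode == ADB_PERMANENT && unlink(l->path) < 0) return ADB_NOLOCKFILE;
    l->mode = mode; l->refcnt++;
    return ADB_OK;
}

int adb_release_lock(adb_lock *l) {
    int rc = ADB_OK;
    if (l->refcnt == 0) return ADB_NOTLOCKED;
    if (--l->refcnt > 0) return ADB_OK;           /* still held; mode unchanged */
    if (l->mode == ADB_PERMANENT) rc = adb_create_lockfile(l->path); /* put it back */
    set_lock(l->fd, F_UNLCK); close(l->fd);
    l->fd = -1; l->mode = 0;
    return rc;
}

/* osa_adb_close_T: refuses to close while a permanent lock is held. */
int adb_close(adb_lock *l) {
    if (l->mode == ADB_PERMANENT) return ADB_NOLOCKFILE;
    while (l->refcnt > 0) adb_release_lock(l);
    return ADB_OK;
}

/* One lock attempt from a forked child: what a *different* process sees.
 * fcntl locks are per process, so the probe cannot come from this process. */
int adb_lock_from_other_process(const char *path, int mode) {
    int st;
    pid_t pid = fork();
    if (pid == 0) { adb_lock c; adb_init(&c, path); _exit(adb_get_lock(&c, mode)); }
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* The sequences from the text.  Returns 0, or the number of the failed check. */
int adb_demo(const char *path) {
    adb_lock l; adb_init(&l, path);
    if (adb_create_lockfile(path) != ADB_OK) return 1;
    if (adb_get_lock(&l, ADB_SHARED) != ADB_OK) return 2;
    if (adb_lock_from_other_process(path, ADB_SHARED) != ADB_OK) return 3;  /* readers coexist */
    if (adb_get_lock(&l, ADB_EXCLUSIVE) != ADB_OK) return 4;                 /* upgrade in place */
    if (adb_lock_from_other_process(path, ADB_SHARED) != ADB_CANTLOCK_DB) return 5;
    if (adb_release_lock(&l) != ADB_OK || l.mode != ADB_EXCLUSIVE || l.refcnt != 1) return 6;
    if (adb_get_lock(&l, ADB_PERMANENT) != ADB_OK || access(path, F_OK) == 0) return 7;
    if (adb_lock_from_other_process(path, ADB_SHARED) != ADB_NOLOCKFILE) return 8;
    if (adb_get_lock(&l, ADB_PERMANENT) != ADB_OK) return 9;   /* same process: count only */
    if (adb_close(&l) != ADB_NOLOCKFILE) return 10;
    if (adb_release_lock(&l) != ADB_OK || adb_release_lock(&l) != ADB_OK) return 11;
    if (access(path, F_OK) == 0) return 12;                    /* one ref left: file still gone */
    if (adb_release_lock(&l) != ADB_OK || access(path, F_OK) != 0) return 13; /* recreated */
    if (adb_release_lock(&l) != ADB_NOTLOCKED) return 14;
    unlink(path);
    return 0;
}
```

Two properties of this scheme are worth keeping in mind when reading
the rest of the section.  fcntl() record locks belong to a process,
not to a descriptor or a thread, so threads of one process cannot use
the lock file to serialize against each other, and closing any
descriptor on the lock file drops the process's lock; the model above
keeps exactly one descriptor open for that reason.  The permanent lock
is a fail-closed design: a process that dies between its two renames
leaves the lock file absent, and every later open fails with
OSA_ADB_NOLOCKFILE until an administrator recreates it.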
The purpose of a permanent lock is to absolutely ensure that the
database remains locked during non-atomic operations.  If the locking
process dies while holding a permanent lock, all subsequent osa_adb
operations will fail, even through a system reboot.  This is useful,
for example, for ovsec_adm_import, which creates both new database
files in a temporary location and renames them into place.  If both
renames do not fully complete, the database will probably be
inconsistent and everything should stop working until an
administrator can clean it up.

\begin{verbatim}
osa_adb_ret_t osa_adb_release_lock(osa_adb_T_t db)
\end{verbatim}
Releases a shared, exclusive, or permanent lock acquired with
osa_adb_get_lock, or just decrements the reference count if multiple
locks are held.  When a permanent lock is released, the lock file is
re-created.

All of a process's shared or exclusive database locks are released
when the process terminates.  A permanent lock is {\it not} released
when the process exits (although the exclusive lock it begins with
obviously is).

\begin{verbatim}
osa_adb_ret_t osa_adb_create_T(osa_adb_T_t db, osa_T_ent_t entry);
\end{verbatim}
%
Adds the entry to the database.  All fields are defined.  Returns
OSA_ADB_DUP if it already exists.

\begin{verbatim}
osa_adb_ret_t osa_adb_destroy_T(osa_adb_T_t db, osa_T_t name);
\end{verbatim}
Removes the named entry from the database.  Returns OSA_ADB_NOENT if
it does not exist.

\begin{verbatim}
osa_adb_ret_t osa_adb_get_T(osa_adb_T_t db, osa_T_t name,
                            osa_T_ent_t *entry);
\end{verbatim}
Looks up the named entry in the db, and returns it in *entry in
allocated storage that must be freed with osa_adb_free_T.  Returns
OSA_ADB_NOENT if name does not exist, OSA_ADB_MEM if memory cannot
be allocated.

\begin{verbatim}
osa_adb_ret_t osa_adb_put_T(osa_adb_T_t db, osa_T_ent_t entry);
\end{verbatim}
Modifies the existing entry named in entry.  All fields must be
filled in.  Returns OSA_ADB_NOENT if the named entry does not exist.
Note that this cannot be used to rename an entry; rename is
implemented by deleting the old name and creating the new one (NOT
ATOMIC!).

\begin{verbatim}
void osa_adb_free_T(osa_T_ent_t);
\end{verbatim}
Frees the memory associated with an osa_T_ent_t allocated by
osa_adb_get_T.

\begin{verbatim}
typedef osa_adb_ret_t (*osa_adb_iter_T_func)(void *data,
                                             osa_T_ent_t entry);
osa_adb_ret_t osa_adb_iter_T(osa_adb_T_t db, osa_adb_iter_T_func func,
                             void *data);
\end{verbatim}
Iterates over every entry in the database.  For each entry ent in the
database db, the function (*func)(data, ent) is called.  If func
returns an error code, osa_adb_iter_T returns an error code.  If all
invocations of func return OSA_ADB_OK, osa_adb_iter_T returns
OSA_ADB_OK.  The function func is permitted to access the database,
but the consequences of modifying the database during the iteration
are undefined.

\subsection{Kerberos Database}

Kerberos uses the libkdb interface to store krb5_db_entry records.
It can be accessed and modified in parallel with the Kerberos server,
using functions that are defined inside the KDC and libkdb.a.  The
libkdb interface is defined in the libkdb functional specifications.

\subsubsection{Initialization and Key Access}

Keys stored in the Kerberos database are encrypted in the Kerberos
master key.  The admin server will therefore have to acquire the key
before it can perform any key-changing operations, and will have to
decrypt and encrypt the keys retrieved from and placed into the
database via krb5_db_get_principal and _put_principal.  This section
describes the internal admin server API that will be used to perform
these functions.

\begin{verbatim}
krb5_principal master_princ;
krb5_encrypt_block master_encblock;
krb5_keyblock master_keyblock;

void kdc_init_master()
\end{verbatim}
kdc_init_master opens the database and acquires the master key.
It also sets the global variables master_princ, master_encblock, and
master_keyblock:
\begin{itemize}
\item master_princ is set to the name of the Kerberos master
principal (\v{K/M@REALM}).
\item master_encblock is something I have no idea about.
\item master_keyblock is the Kerberos master key.
\end{itemize}

\begin{verbatim}
krb5_error_code kdb_get_entry_and_key(krb5_principal principal,
                                      krb5_db_entry *entry,
                                      krb5_keyblock *key)
\end{verbatim}
kdb_get_entry_and_key retrieves the named principal's entry from the
database in entry, and decrypts its key into key.  The caller must
free entry with krb5_dbm_db_free_principal and free key-$>$contents
with free.\footnote{The caller should also
\v{memset(key-$>$contents, 0, key-$>$length)}.  There should be a
function krb5_free_keyblock_contents for this, but there is not.}

\begin{verbatim}
krb5_error_code kdb_put_entry_pw(krb5_db_entry *entry, char *pw)
\end{verbatim}
kdb_put_entry_pw stores entry in the database.  All the entry values
must already be set; this function does not change any of them
except the key.  pw, the NULL-terminated password string, is
converted to a key using string-to-key with the salt type specified
in entry-$>$salt_type.\footnote{The salt_type should be set based on
the command line arguments to the kadmin server (see the ``Command
Line'' section of the functional specification).}

\section{Admin Principal and Policy Database Implementation}

The admin principal and policy databases will each be stored in a
single hash table, implemented by the Berkeley 4.4BSD db library.
Each record will consist of an entire osa_T_ent_t.  The key into the
hash table is the entry name (for principals, the ASCII
representation of the name).  The value is the T entry structure.
Since the key and data must be self-contained, with no pointers, the
Sun xdr mechanisms will be used to marshal and unmarshal data in the
database.
The server in the first release will be single-threaded in that a
request will run to completion (or error) before the next will run,
but multiple connections will be allowed simultaneously.

\section{ACLs, acl_check}

The ACL mechanism described in the ``Authorization ACLs'' section of
the functional specifications will be implemented by the acl_check
function.

\begin{verbatim}
enum access_t {
    ACCESS_DENIED = 0,
    ACCESS_OK = 1,
};

enum access_t acl_check(krb5_principal princ, char *priv);
\end{verbatim}
The priv argument must be one of ``get'', ``add'', ``delete'', or
``modify''.  acl_check returns 1 if the principal princ has the named
privilege, 0 if it does not.

\section{Function Details}

This section discusses specific design issues for Admin API functions
that are not addressed by the functional specifications.

\subsection{kadm5_create_principal}

If the named principal exists in either the Kerberos or admin
principal database, but not both, return KADM5_BAD_DB.

The principal's initial key is not stored in the key history array at
creation time.

\subsection{kadm5_delete_principal}

If the named principal exists in either the Kerberos or admin
principal database, but not both, return KADM5_BAD_DB.

\subsection{kadm5_modify_principal}

If the named principal exists in either the Kerberos or admin
principal database, but not both, return KADM5_BAD_DB.

If pw_history_num changes and the new value $n$ is smaller than the
current value of num_old_keys, old_keys should end up with the $n$
most recent keys; these are found by counting backwards $n$ elements
in old_keys from old_key_next.  old_key_next should then be reset to
0, the oldest of the saved keys, and num_old_keys set to $n$, the new
actual number of old keys in the array.

\subsection{kadm5_chpass_principal, randkey_principal}

The algorithm for determining whether a password is in the
principal's key history is complicated by the use of the
kadmin/history \k{h} encrypting key.
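The history ring described for kadm5_modify_principal above, and the
numbered chpass steps that follow, fit in a few dozen lines once the
key handling is stubbed out.  The block below is an added worked
example written for this page, not krb5 code: the 16-byte key type,
the struct layout, the constant-time comparison and the stand-in for
``encrypt in \k{h}'' are assumptions; the ring-buffer arithmetic, the
two reuse checks, the wipe of \k{h}, and the shrink-on-modify
procedure are the ones the text specifies.

```c
/* Added example, not krb5 code: the kadm5 key-history ring from the
 * design text.  Key type, struct layout and the "encrypt in K_h"
 * placeholder are assumptions chosen to keep the ring logic visible. */
#include <stdint.h>
#include <string.h>

#define KEYLEN 16
#define MAX_HISTORY 8            /* assumed upper bound on pw_history_num */
enum { KADM5_OK = 0, KADM5_PASS_REUSE = 1 };

typedef struct { uint8_t b[KEYLEN]; } kkey;

typedef struct {
    kkey     current;               /* stored encrypted in K_M in the real database */
    unsigned pw_history_num;        /* policy: number of old keys to remember */
    unsigned num_old_keys;          /* filled slots of old_keys */
    unsigned old_key_next;          /* next slot to overwrite */
    kkey     old_keys[MAX_HISTORY]; /* each stored encrypted in K_h */
} princ_rec;

/* Placeholder for "encrypt in K_h": deterministic, keyed and injective, so
 * equal plaintext keys give equal stored values.  krb5 uses a real enctype. */
static void kh_encrypt(const kkey *kh, const kkey *in, kkey *out) {
    for (int i = 0; i < KEYLEN; i++)
        out->b[i] = in->b[(i + 5) % KEYLEN] ^ kh->b[i];
}

/* Constant-time equality so a history probe does not leak through timing. */
static int key_eq(const kkey *a, const kkey *b) {
    uint8_t d = 0;
    for (int i = 0; i < KEYLEN; i++) d |= a->b[i] ^ b->b[i];
    return d == 0;
}

static void secure_zero(void *p, size_t n) {
    volatile uint8_t *v = p;
    while (n--) *v++ = 0;
}

int history_contains(const princ_rec *p, const kkey *enc) {
    for (unsigned i = 0; i < p->num_old_keys; i++)
        if (key_eq(&p->old_keys[i], enc)) return 1;
    return 0;
}

/* Step 2 of kadm5_chpass_principal (POLICY bit assumed set whenever
 * pw_history_num > 0).  kh is the decrypted kadmin/history key and is
 * wiped before returning, on every path. */
int chpass_with_history(princ_rec *p, const kkey *newkey, kkey *kh) {
    kkey enc;
    int rc = KADM5_OK;
    if (p->pw_history_num > 0) {
        if (key_eq(&p->current, newkey)) { rc = KADM5_PASS_REUSE; goto done; }
        kh_encrypt(kh, newkey, &enc);
        if (history_contains(p, &enc)) { rc = KADM5_PASS_REUSE; goto done; }
        /* store the *current* key at old_key_next, advance modulo pw_history_num */
        kh_encrypt(kh, &p->current, &p->old_keys[p->old_key_next]);
        p->old_key_next = (p->old_key_next + 1) % p->pw_history_num;
        if (p->num_old_keys < p->pw_history_num) p->num_old_keys++;
    }
    p->current = *newkey;   /* encrypted in K_M before storage in the real server */
done:
    secure_zero(kh, sizeof(*kh));
    secure_zero(&enc, sizeof(enc));
    return rc;
}

/* kadm5_modify_principal shrinking pw_history_num to n: keep the n most
 * recent entries, found by counting back from old_key_next, compact them
 * oldest-first, and restart the ring at slot 0. */
int shrink_history(princ_rec *p, unsigned n) {
    kkey keep[MAX_HISTORY];
    if (n > MAX_HISTORY) return -1;
    if (n <= p->num_old_keys) {
        for (unsigned i = 0; i < n; i++) {   /* i = 0 is the newest kept entry */
            unsigned idx = (p->old_key_next + p->pw_history_num - 1 - i) % p->pw_history_num;
            keep[n - 1 - i] = p->old_keys[idx];
        }
        memcpy(p->old_keys, keep, n * sizeof(kkey));
        p->num_old_keys = n;
        p->old_key_next = 0;             /* slot 0 now holds the oldest saved key */
    }
    p->pw_history_num = n;
    return 0;
}

static void mk(kkey *k, uint8_t tag) { memset(k->b, tag, KEYLEN); }

/* Constructed scenario: history of 3, six distinct keys.  Returns 0, or
 * the number of the check that failed. */
int history_demo(void) {
    princ_rec p; kkey kh, k[6], tmp;
    memset(&p, 0, sizeof(p));
    p.pw_history_num = 3;
    mk(&kh, 0x5a);
    for (int i = 0; i < 6; i++) mk(&k[i], (uint8_t)(0x10 + i));
    p.current = k[0];
#define CALL(key) (tmp = kh, chpass_with_history(&p, &(key), &tmp))
    if (CALL(k[0]) != KADM5_PASS_REUSE) return 1;              /* same as current key */
    if (CALL(k[1]) != KADM5_OK || p.num_old_keys != 1) return 2;
    if (CALL(k[2]) != KADM5_OK) return 3;
    if (CALL(k[3]) != KADM5_OK || p.old_key_next != 0) return 4; /* ring wrapped */
    if (CALL(k[0]) != KADM5_PASS_REUSE) return 5;              /* still in history */
    if (CALL(k[4]) != KADM5_OK) return 6;                      /* evicts k[0] */
    if (CALL(k[0]) != KADM5_OK) return 7;                      /* k[0] aged out */
    /* slots now hold k3, k4, k2; oldest-to-newest k2, k3, k4; old_key_next = 2 */
    if (shrink_history(&p, 2) || p.num_old_keys != 2 || p.old_key_next != 0) return 8;
    if (CALL(k[3]) != KADM5_PASS_REUSE) return 9;              /* k[3] was kept */
    if (CALL(k[2]) != KADM5_OK || p.old_key_next != 1) return 10; /* k[2] was dropped */
#undef CALL
    return 0;
}
```

Note that the current key is compared in the clear while the history is
compared under \k{h}; that is why a history entry can never be checked
against the database copy of the key directly, and why \k{h} has to be
present, and then erased, on every password change.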
\begin{enumerate}
\item For kadm5_chpass_principal, convert the password to a key using
string-to-key and the salt method specified by the command line
arguments.
\item If the POLICY bit is set and pw_history_num is not zero, check
if the new key is in the history.
\begin{enumerate}
\item Retrieve the principal's current key and decrypt it with \k{M}.
If it is the same as the new key, return KADM5_PASS_REUSE.
\item Retrieve the kadmin/history key \k{h} and decrypt it with \k{M}.
\item Encrypt the principal's new key in \k{h}.
\item If the principal's new key encrypted in \k{h} is in old_keys,
return KADM5_PASS_REUSE.
\item Encrypt the principal's current key in \k{h} and store it in
old_keys.
\item Erase the memory containing \k{h}.
\end{enumerate}
\item Encrypt the principal's new key in \k{M} and store it in the
database.
\item Erase the memory containing \k{M}.
\end{enumerate}

To store an encrypted key in old_keys, insert it as the old_key_next
element of old_keys, and increment old_key_next by one modulo
pw_history_num.

\subsection{kadm5_get_principal}

If the named principal exists in either the Kerberos or admin
principal database, but not both, return KADM5_BAD_DB.

\end{document}

krb5-1.19.2/doc/kadm5/fullpage.sty

\marginparwidth 0pt
\oddsidemargin 0pt
\evensidemargin 0pt
\marginparsep 0pt
\topmargin 0pt
\textwidth 6.5in
\textheight 8.5 in

krb5-1.19.2/doc/kadm5/api-unit-test.tex

% This document is included for historical purposes only, and does not
% apply to krb5 today.

\documentstyle[times,fullpage]{article}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
\let\underscore=\_
\catcode`_=13
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\newcommand{\test}[1]{\begin{description}
\setlength{\itemsep}{0pt}
#1
\end{description}
}
\newcommand{\numtest}[2]{\begin{description}
\setlength{\itemsep}{0pt}
\Number{#1}
#2
\end{description}
}
\newcommand{\Number}[1]{\item[Number:] #1}
\newcommand{\Reason}[1]{\item[Reason:] #1}
\newcommand{\Expected}[1]{\item[Expected:] #1}
\newcommand{\Conditions}[1]{\item[Conditions:] #1}
\newcommand{\Priority}[1]{\item[Priority:] #1}
\newcommand{\Status}[1]{\item[Status:] #1}
\newcommand{\Vtwonote}[1]{\item[V2 note:] #1}
\newcommand{\Version}[1]{\item[Version:] #1}
\newcommand{\Call}[1]{}
%\newcommand{\Call}[1]{\item[Call:] #1}
%\newcommand{\Number}[1]{}
%\newcommand{\Reason}[1]{}
%\newcommand{\Expected}[1]{}
%\newcommand{\Conditions}[1]{}
%\newcommand{\Priority}[1]{}

\title{KADM5 Admin API\\ Unit Test Description}
\author{Jonathan I. Kamens}

\begin{document}

\maketitle
%\tableofcontents

\section{Introduction}

The following is a description of a black-box unit test of the KADM5
API.  Each API function is listed, followed by the tests that should
be performed on it.  The tests described here are based on the
``Kerberos Administration System KADM5 API Functional
Specifications'', revision 1.68.  This document was originally
written based on the OpenVision API functional specifications,
version 1.41, dated August 18, 1994, and many indications of the
original version remain.

All tests which test for success should verify, using some means
other than the return value of the function being tested, that the
requested operation was successfully performed.
For example: for init, test that other operations can be performed
after init; for destroy, test that other operations can't be
performed after destroy; for modify functions, verify that all
modifications to the database which should have taken place did, and
that the new, modified data is in effect; for get operations, verify
that the data retrieved is the data that should actually be in the
database.  The tests would be better if they compared the actual
contents of the database before and after each test, rather than
relying on the KADM5 API to report the results of changes.

Similarly, all tests which test for failure should verify that no
component of the requested operation took place.  For example: if
init fails, other operations should not work.  If a modify fails, all
data in the database should be the same as it was before the attempt
to modify, and the old data should still be what is enforced.
Furthermore, tests which test for failure should verify that the
failure code returned is correct for the specific failure condition
tested.

Most of the tests listed below should be run twice -- once locally on
the server after linking against the server API library, and once
talking to the server via authenticated Sun RPC after linking against
the client API library.  Tests which should only be run locally or
via RPC are labelled with a ``local'' or ``RPC''.

Furthermore, in addition to the tests labelled below, a test should
be implemented to verify that a client can't perform operations on
the server through the client API library when it's linked against
standard Sun RPC instead of OpenV*Secure's authenticated Sun RPC.
This will require a client with a modified version of ovsec_kadm_init
which doesn't call auth_gssapi_create.
This client should call this modified ovsec_kadm_init and then call
some other admin API function, specifying arguments to both functions
that would work if the authenticated Sun RPC had been used, but
shouldn't if authentication wasn't used.  The test should verify that
the API function call after the init doesn't succeed.

There is also another test to see if all the API functions handle
getting an invalid server handle correctly.  This is not done as part
of the tests that are run through the TCL program because the TCL
program has no way of invalidating a server handle.  So there is a
program that calls init and changes the handle magic number, and then
attempts to call each API function with the corrupted server handle.

A number of tests have been added or changed to correspond with KADM5
API version 2.  Tests which are only performed against the newer
version specify the version number in the test description.

\section{ovsec_kadm_init}

\numtest{1}{
\Reason{An empty string realm is rejected.}
\Status{Implemented}
\Vtwonote{The empty string is now passed as the realm field of the
parameters structure.}
}
\numtest{2}{
\Reason{A realm containing invalid characters is rejected.}
\Status{Implemented}
\Vtwonote{The invalid character is now passed as the realm field of
the parameters structure.}
}
\numtest{2.5}{
\Reason{A non-existent realm is rejected.}
\Status{Implemented}
\Vtwonote{The non-existent realm is now passed as the realm field of
the parameters structure.}
}
\numtest{3}{
\Reason{A bad service name representing an existing principal
(different from the client principal) is rejected.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{4}{
\Reason{A bad service name representing a non-existent principal is
rejected.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{5}{
\Reason{A bad service name identical to the (existing) client name is
rejected.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{6}{
\Reason{A null password causes password prompting.}
\Status{Implemented} } \numtest{7}{ \Reason{An empty-string causes password prompting} \Status{Implemented} } \numtest{8}{ \Reason{An incorrect password which is the password of another user is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{9}{ \Reason{An incorrect password which isn't the password of any user is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{10}{ \Reason{A null client_name is rejected.} \Status{Implemented} } % Empty string client name is legal. %\numtest{11}{ %\Reason{An empty-string client_name is rejected.} %} \numtest{12}{ \Reason{A client_name referring to a non-existent principal in the default realm is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{13}{ \Reason{A client_name referring to a non-existent principal with the local realm specified explicitly is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{14}{ \Reason{A client_name referring to a non-existent principal in a nonexistent realm is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{15}{ \Reason{A client_name referring to an existing principal in a nonexistent realm is rejected.} \Conditions{RPC} \Status{Implemented} } \numtest{16}{ \Reason{Valid invocation.} \Status{Implemented} } \numtest{17}{ \Reason{Valid invocation (explicit client realm).} \Status{Implemented} } \numtest{18}{ \Reason{Valid invocation (CHANGEPW_SERVICE).} \Status{Implemented} } \numtest{19}{ \Reason{Valid invocation (explicit service realm).} \Status{Implemented} \Vtwonote{The explicit realm is now passed as the realm field of the configuration parameters.} } \numtest{20}{ \Reason{Valid invocation (database access allowed after init).} \Status{Implemented} } %\numtest{21}{ %\Reason{Init fails when called twice in a row.} %\Status{Implemented} %} \numtest{22}{ \Reason{A null password causes master-key prompting.} \Conditions{local} \Status{Implemented} \Vtwonote{Obsolete.} } \numtest{22.5}{ \Reason{A empty string password causes master-key prompting.} 
\Conditions{local}
\Status{Implemented}
}
%\numtest{23}{
%\Reason{A non-null password causes reading from the kstash.}
%\Conditions{local}
%\Status{Implemented}
%}
\numtest{24}{
\Reason{Null service name is ignored in local invocation.}
\Conditions{local}
\Status{Implemented}
}
\numtest{25}{
\Reason{Non-null service name is ignored in local invocation.}
\Conditions{local}
\Status{Implemented}
}
%\numtest{26}{
%\Reason{Can't do ``get'' operation before calling init.}
%\Status{Implemented}
%}
%\numtest{27}{
%\Reason{Can't do ``add'' operation before calling init.}
%\Status{Implemented}
%}
%\numtest{28}{
%\Reason{Can't do ``modify'' operation before calling init.}
%\Status{Implemented}
%}
%\numtest{29}{
%\Reason{Can't do ``delete'' operation before calling init.}
%\Status{Implemented}
%}
\numtest{30}{
\Reason{Can init after failed init attempt.}
\Conditions{local}
\Status{Implemented}
}
\numtest{31}{
\Priority{High}
\Reason{Return BAD_STRUCT_VERSION when the mask bits are set to
invalid values}
\Status{Implemented}
}
\numtest{32}{
\Priority{High}
\Reason{Return BAD_STRUCT_VERSION when the mask bits are not set}
\Status{Implemented}
}
\numtest{33}{
\Priority{High}
\Reason{Return OLD_STRUCT_VERSION when attempting to use an
old/unsupported structure version}
\Status{Implemented}
}
\numtest{34}{
\Priority{High}
\Reason{Return NEW_STRUCT_VERSION when attempting to use a newer
version of the structure than what is supported}
\Status{Implemented}
}
\numtest{35}{
\Priority{High}
\Reason{Return BAD_API_VERSION when the mask bits are set to invalid
values}
\Status{Implemented}
}
\numtest{36}{
\Priority{High}
\Reason{Return BAD_API_VERSION when the mask bits are not set}
\Status{Implemented}
}
\numtest{37}{
\Priority{High}
\Reason{Return OLD_LIB_API_VERSION when using an old/unsupported api
version number}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{38}{
\Priority{High}
\Reason{Return OLD_SERVER_API_VERSION when attempting to use an
old/unsupported api version number}
\Conditions{local}
\Status{Implemented}
}
\numtest{39}{
\Priority{High}
\Reason{Return NEW_LIB_API_VERSION when using a newer api version
number than supported}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{40}{
\Priority{High}
\Reason{Return NEW_SERVER_API_VERSION when using a newer api version
number than supported}
\Conditions{local}
\Status{Implemented}
}
\numtest{41}{
\Priority{High}
\Reason{Return BAD_XXX_VERSION when the API and the structure version
numbers are reversed}
\Status{Implemented}
}
\numtest{42}{
\Priority{High}
\Reason{Succeeds when using valid api and struct version numbers and
masks}
\Status{Implemented}
}
\numtest{43}{
\Priority{Low}
\Reason{Returns two different server handles when called twice with
same info}
}
\numtest{44}{
\Priority{Low}
\Reason{Returns two different server handles when called twice with
different info}
}
\numtest{45}{
\Priority{Bug fix, secure-install/3390}
\Reason{Returns SECURE_PRINC_MISSING when ADMIN_SERVICE does not
exist.}
\Status{Implemented}
}
\numtest{46}{
\Priority{Bug fix, secure-install/3390}
\Reason{Returns SECURE_PRINC_MISSING when CHANGEPW_SERVICE does not
exist.}
\Status{Implemented}
}
\numtest{100}{
\Version{KADM5_API_VERSION_2}
\Reason{Obeys the profile field of the configuration parameters, if
set.}
\Status{Implemented}
}
\numtest{101}{
\Version{KADM5_API_VERSION_2}
\Reason{Obeys the kadmind_port field of the configuration parameters,
if set.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{102}{
\Version{KADM5_API_VERSION_2}
\Reason{Obeys the admin_server field of the configuration parameters,
if set with only an admin server name.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{102.5}{
\Version{KADM5_API_VERSION_2}
\Reason{Obeys the admin_server field of the configuration parameters,
if set with a host name and port number.}
\Conditions{RPC}
}
\numtest{103}{
\Version{KADM5_API_VERSION_2}
\Reason{Obeys the dbname field of the configuration parameters, if
set.}
\Conditions{local}
\Status{Implemented} } \numtest{104}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the admin_dbname field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{105}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the admin_lockfile field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{106}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the mkey_from_kbd field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{107}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the stash_file field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{108}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the mkey_name field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{109}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the max_life field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{110}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the max_rlife field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{111}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the expiration field of the configuration parameters, if set.} \Status{Implemented} \Conditions{local} } \numtest{112}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the flags field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{113}{ \Version{KADM5_API_VERSION_2} \Reason{Obeys the keysalts and num_keysalts field of the configuration parameters, if set.} \Conditions{local} \Status{Implemented} } \numtest{114}{ \Version{KADM5_API_VERSION_2} \Reason{Returns KADM5_BAD_SERVER_PARAMS if any client-only parameters are specified to server-side init.} \Conditions{local} \Status{Implemented} } \numtest{115}{ \Version{KADM5_API_VERSION_2} \Reason{Returns KADM5_BAD_CLIENT_PARAMS if any client-only parameters are specified 
to server-side init.} \Conditions{RPC} \Status{Implemented} } \numtest{116}{ \Version{KADM5_API_VERSION_2} \Reason{Two calls to init with clients having different privileges succeeds, and both clients maintain their correct privileges.} \Priority{Bug fix} \Conditions{RPC} \Status{Implemented} } \numtest{117}{ \Version{KADM5_API_VERSION_2} \Reason{The max_life field defaults to value specified in the API Functional Specification when kdc.conf is unreadable.} \Priority{Bug fix, krb5-admin/18} \Conditions{local} \Status{Implemented} } \numtest{150}{ \Version{KADM5_API_VERSION_2} \Reason{init_with_creds works when given an open ccache with a valid credential for ADMIN_SERVICE.} \Conditions{RPC} \Status{Implemented} } \numtest{151}{ \Version{KADM5_API_VERSION_2} \Reason{init_with_creds works when given an open ccache with a valid credential for CHANGEPW_SERVICE.} \Conditions{RPC} \Status{Implemented} } \numtest{152}{ \Version{KADM5_API_VERSION_2} \Reason{init_with_creds fails with KRB5_FCC_NOFILE (was KADM5_GSS_ERROR) when given an open ccache with no credentials.} \Conditions{RPC} \Status{Implemented} } \numtest{153}{ \Version{KADM5_API_VERSION_2} \Reason{init_with_creds fails with KRB5_CC_NOTFOUND (was KADM5_GSS_ERROR) when given an open ccache without credentials for ADMIN_SERVICE or CHANGEPW_SERVICE.} \Conditions{RPC} \Status{Implemented} } \numtest{154}{ \Version{KADM5_API_VERSION_2} \Reason{If the KRB5_KDC_PROFILE environment variable is set to a filename that does not exist, init fails with ENOENT.} \Conditions{RPC} \Status{Implemented} } \section{ovsec_kadm_destroy} \numtest{1}{ \Reason{Valid invocation.} \Status{Implemented} } %\numtest{2}{ %\Reason{Valid invocation (``get'' not allowed after destroy).} %\Status{Implemented} %} %\numtest{3}{ %\Reason{Valid invocation (``add'' not allowed after destroy).} %\Status{Implemented} %} %\numtest{4}{ %\Reason{Valid invocation (``modify'' not allowed after destroy).} %\Status{Implemented} %} %\numtest{5}{ %\Reason{Valid 
%invocation (``delete'' not allowed after destroy).}
%\Status{Implemented}
%}
%\numtest{6}{
%\Reason{Fails if database not initialized.}
%\Status{Implemented}
%}
%\numtest{7}{
%\Reason{Fails if invoked twice in a row.}
%\Status{Implemented}
%}
\numtest{8}{
\Reason{Database can be reinitialized after destroy.}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{10}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{client}
}

\section{ovsec_kadm_create_principal}

%In the tests below, ``getu'' refers to a user who has only ``get'' access,
%``addu'' refers to a user who has only ``add'' access, ``modifyu'' refers to
%a user who has only ``modify'' access, and ``deleteu'' refers to a user
%who has only ``delete'' access.  ``amu'' refers to a user with ``add'' and
%``modify'' access.  ``new_princ'' refers to a principal entry structure
%filled in as follows:
%
%    krb5_parse_name("newuser", \&new_princ.principal);
%    krb5_timeofday(\&new_princ.princ_expire_time);
%    new_princ.princ_expire_time += 130;
%    krb5_timeofday(\&new_princ.last_pwd_change);
%    new_princ.last_pwd_change += 140;
%    krb5_timeofday(\&new_princ.pw_expiration);
%    new_princ.pw_expiration += 150;
%    new_princ.max_life = 160;
%    krb5_parse_name("usera", \&new_princ.mod_name);
%    krb5_timeofday(\&new_princ.mod_date);
%    new_princ.mod_date += 170;
%    new_princ.attributes = 0xabcdabcd;
%    new_princ.kvno = 180;
%    new_princ.mkvno = 190;
%    new_princ.policy = null;
%    new_princ.aux_attributes = 0xdeadbeef;
%
%The offsets of 130 through 190 above are used to ensure that the
%fields are all known to be different from each other, so that
%accidentally switched fields can be detected.  Some of the fields in
%this structure may be changed by the tests, but they should clean up
%after themselves.

%\numtest{1}{
%\Reason{Fails if database not initialized.}
%\Status{Implemented}
%}
\numtest{2}{
\Reason{Fails on null princ argument.}
\Status{Implemented}
}
\numtest{3}{
\Reason{Fails on null password argument.}
\Status{Implemented}
}
\numtest{4}{
\Reason{Fails on empty-string password argument.}
\Status{Implemented}
}
\numtest{5}{
\Reason{Fails when mask contains undefined bit.}
\Status{Implemented}
}
\numtest{6}{
\Reason{Fails when mask contains LAST_PWD_CHANGE bit.}
\Status{Implemented}
}
\numtest{7}{
\Reason{Fails when mask contains MOD_TIME bit.}
\Status{Implemented}
}
\numtest{8}{
\Reason{Fails when mask contains MOD_NAME bit.}
\Status{Implemented}
}
\numtest{9}{
\Reason{Fails when mask contains MKVNO bit.}
\Status{Implemented}
}
\numtest{10}{
\Reason{Fails when mask contains AUX_ATTRIBUTES bit.}
\Status{Implemented}
}
\numtest{11}{
\Reason{Fails when mask contains POLICY_CLR bit.}
\Status{Implemented}
}
\numtest{12}{
\Reason{Fails for caller with no access bits.}
\Status{Implemented}
}
\numtest{13}{
\Reason{Fails when caller has ``get'' access and not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{14}{
\Reason{Fails when caller has ``modify'' access and not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{15}{
\Reason{Fails when caller has ``delete'' access and not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{16}{
\Reason{Fails when caller connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{17}{
\Reason{Fails on attempt to create existing principal.}
\Status{Implemented}
}
\numtest{18}{
\Reason{Fails when password is too short.}
\Status{Implemented}
}
\numtest{19}{
\Reason{Fails when password has too few classes.}
\Status{Implemented}
}
\numtest{20}{
\Reason{Fails when password is in dictionary.}
\Status{Implemented}
}
\numtest{21}{
\Reason{Nonexistent policy is rejected.}
\Status{Implemented}
}
\numtest{22}{
\Reason{Fails on invalid principal name.}
\Status{Implemented}
}
\numtest{23}{
\Reason{Valid invocation.}
\Status{Implemented}
}
\numtest{24}{
\Reason{Succeeds when caller has ``add'' access and another one.}
\Status{Implemented}
}
%\numtest{25}{
%\Reason{Fails when password is too short, when override_qual is true.}
%}
%\numtest{26}{
%\Reason{Fails when password has too few classes, when
%    override_qual is true.}
%}
%\numtest{27}{
%\Reason{Fails when password is in dictionary, when override_qual is
%    true.}
%}
\numtest{28}{
\Reason{Succeeds when assigning policy.}
\Status{Implemented}
}
\numtest{29}{
\Priority{High}
\Reason{Allows 0 (never) for princ_expire_time.}
\Status{Implemented}
}
\numtest{30}{
\Reason{Allows 0 (never) for pw_expiration when there's no policy.}
\Status{Implemented}
}
\numtest{31}{
\Reason{Allows 0 (never) for pw_expiration when there's a policy with 0 for pw_max_life.}
\Status{Implemented}
}
\numtest{32}{
\Reason{Accepts 0 (never) for pw_expiration when there's a policy with non-zero pw_max_life, and sets pw_expiration to zero.}
\Status{Implemented}
}
\numtest{33}{
\Reason{Accepts and sets non-zero pw_expiration when no policy.}
\Status{Implemented}
}
\numtest{34}{
\Reason{Accepts and sets non-zero pw_expiration when there's a policy with zero pw_max_life.}
\Status{Implemented}
}
\numtest{35}{
\Reason{Accepts and sets non-zero pw_expiration when there's a policy with pw_max_life later than the specified pw_expiration.}
\Status{Implemented}
}
\numtest{36}{
\Reason{Accepts and sets non-zero pw_expiration greater than now + pw_max_life.}
\Status{Implemented}
}
\numtest{37}{
\Priority{High}
\Reason{Sets pw_expiration to 0 (never) if there's no policy and no specified pw_expiration.}
\Status{Implemented}
}
\numtest{38}{
\Priority{High}
\Reason{Sets pw_expiration to 0 (never) if it isn't specified and the policy has a 0 (never) pw_max_life.}
\Status{Implemented}
}
\numtest{39}{
\Priority{High}
\Reason{Sets pw_expiration to now + pw_max_life if it isn't specified and the policy has a non-zero pw_max_life.}
\Status{Implemented}
}
\numtest{40}{
\Priority{High}
\Reason{Allows 0 (forever) for max_life.}
\Status{Implemented}
}
\numtest{41}{
\Priority{High}
\Reason{Doesn't modify or free mod_name on success.}
}
\numtest{42}{
\Priority{High}
\Reason{Doesn't modify or free mod_name on failure.}
}
\numtest{43}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{44}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_delete_principal}

%\numtest{1}{
%\Reason{Fails if database not initialized.}
%\Status{Implemented}
%}
\numtest{2}{
\Reason{Fails on null principal.}
\Status{Implemented}
}
% Empty string principal is legal.
%\numtest{3}{
%\Reason{Fails on empty-string principal.}
%}
% There are no invalid principal names.
%\numtest{4}{
%\Reason{Fails on invalid principal name.}
%}
\numtest{5}{
\Priority{High}
\Reason{Fails on nonexistent principal.}
\Status{Implemented}
}
\numtest{6}{
\Priority{High}
\Reason{Fails when caller connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{7}{
\Priority{High}
\Reason{Fails if caller has ``add'' access and not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{8}{
\Priority{High}
\Reason{Fails if caller has ``modify'' access and not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Fails if caller has ``get'' access and not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{10}{
\Priority{High}
\Reason{Fails if caller has no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{11}{
\Priority{High}
\Reason{Valid invocation.}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Valid invocation (on principal with policy).}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{14}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_modify_principal}

%\numtest{1}{
%\Reason{Fails if database not initialized.}
%\Status{Implemented}
%}
\numtest{2}{
\Priority{High}
\Reason{Fails if user connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{3}{
\Reason{Fails on mask with undefined bit set.}
\Status{Implemented}
}
\numtest{4}{
\Reason{Fails on mask with PRINCIPAL set.}
\Status{Implemented}
}
\numtest{5}{
\Priority{High}
\Reason{Fails on mask with LAST_PWD_CHANGE set.}
\Status{Implemented}
}
\numtest{6}{
\Reason{Fails on mask with MOD_TIME set.}
\Status{Implemented}
}
\numtest{7}{
\Reason{Fails on mask with MOD_NAME set.}
\Status{Implemented}
}
\numtest{8}{
\Reason{Fails on mask with MKVNO set.}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Fails on mask with AUX_ATTRIBUTES set.}
\Status{Implemented}
}
\numtest{10}{
\Reason{Fails on nonexistent principal.}
\Status{Implemented}
}
\numtest{11}{
\Priority{High}
\Reason{Fails for user with no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Fails for user with ``get'' access.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Fails for user with ``add'' access.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{14}{
\Priority{High}
\Reason{Fails for user with ``delete'' access.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{15}{
\Priority{High}
\Reason{Succeeds for user with ``modify'' access.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{16}{
\Reason{Succeeds for user with ``modify'' and another access.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{17}{
\Priority{High}
\Reason{Fails when nonexistent policy is specified.}
\Status{Implemented}
}
\numtest{18}{
\Priority{High}
\Reason{Succeeds when existent policy is specified.}
\Status{Implemented}
}
\numtest{19}{
\Reason{Updates policy count when setting policy from none.}
\Status{Implemented}
}
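The access-bit tests for create, delete and modify above (and the ones the rename, get and policy sections of this plan state for their operations) amount to one authorization rule per operation. The following C example is added here for this plan and is not code from the krb5 sources: it models those rules as the tests state them, namely that each operation needs its own bit, that rename needs both ``add'' and ``delete'', that a caller may always read or change its own entry, and that a CHANGEPW_SERVICE connection is restricted to those self-operations. The bit values, the enum names and the function names are constructed for the example.

```c
/* Added model of the access checks stated by the principal and policy
 * tests in this plan.  Written for this document; not krb5's ACL code,
 * and every name and bit value here is constructed. */
#include <stdio.h>

/* The four access bits the plan calls "get", "add", "modify", "delete". */
#define ACL_GET     0x1
#define ACL_ADD     0x2
#define ACL_MODIFY  0x4
#define ACL_DELETE  0x8
#define ACL_ALL     0xf   /* the 0x0f that get_privs test 3 expects locally */

enum service { ADMIN_SERVICE, CHANGEPW_SERVICE };

enum op {
    OP_CREATE_PRINCIPAL, OP_DELETE_PRINCIPAL, OP_MODIFY_PRINCIPAL,
    OP_RENAME_PRINCIPAL, OP_GET_PRINCIPAL, OP_CHPASS_PRINCIPAL,
    OP_CREATE_POLICY, OP_DELETE_POLICY, OP_MODIFY_POLICY, OP_GET_POLICY
};

/* Returns 1 if the operation is allowed.  `self' is 1 when the target is
 * the caller's own principal (or, for get_policy, the caller's own policy). */
int authorized(enum op op, unsigned acl, enum service svc, int self)
{
    if (svc == CHANGEPW_SERVICE) {
        /* A CHANGEPW_SERVICE connection may only act on the caller's own
         * entry: change own password/key, get self, get own policy.  All
         * other operations fail regardless of access bits. */
        return self && (op == OP_CHPASS_PRINCIPAL || op == OP_GET_PRINCIPAL ||
                        op == OP_GET_POLICY);
    }
    switch (op) {
    case OP_CREATE_PRINCIPAL:
    case OP_CREATE_POLICY:    return (acl & ACL_ADD) != 0;
    case OP_DELETE_PRINCIPAL:
    case OP_DELETE_POLICY:    return (acl & ACL_DELETE) != 0;
    case OP_MODIFY_PRINCIPAL:
    case OP_MODIFY_POLICY:    return (acl & ACL_MODIFY) != 0;
    case OP_RENAME_PRINCIPAL: /* needs both "add" and "delete" */
        return (acl & (ACL_ADD | ACL_DELETE)) == (ACL_ADD | ACL_DELETE);
    case OP_CHPASS_PRINCIPAL: return self || (acl & ACL_MODIFY) != 0;
    case OP_GET_PRINCIPAL:
    case OP_GET_POLICY:       return self || (acl & ACL_GET) != 0;
    }
    return 0;
}

/* Sweep of all 2^4 = 16 access-bit combinations (as get_privs test 2 does):
 * how many of them permit `op' on another principal via ADMIN_SERVICE. */
int count_permitted(enum op op)
{
    int n = 0;
    unsigned acl;
    for (acl = 0; acl <= ACL_ALL; acl++)
        n += authorized(op, acl, ADMIN_SERVICE, 0);
    return n;
}

int main(void)
{
    printf("rename with add+modify+get only: %d\n",
           authorized(OP_RENAME_PRINCIPAL, ACL_ADD | ACL_MODIFY | ACL_GET,
                      ADMIN_SERVICE, 0));
    printf("get other principal with get bit over CHANGEPW_SERVICE: %d\n",
           authorized(OP_GET_PRINCIPAL, ACL_GET, CHANGEPW_SERVICE, 0));
    printf("combinations that may create a principal: %d of 16\n",
           count_permitted(OP_CREATE_PRINCIPAL));
    return 0;
}
```

Each numbered access test in the plan corresponds to one call of `authorized` with the caller's bits, the service used to connect, and whether the target is the caller's own entry; the `count_permitted` sweep is the exhaustive run the get_privs section asks for.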
\numtest{20}{
\Reason{Updates policy count when clearing policy from set.}
\Status{Implemented}
}
\numtest{21}{
\Reason{Updates policy count when setting policy from other policy.}
\Status{Implemented}
}
\numtest{21.5}{
\Reason{Policy reference count remains unchanged when policy is changed to itself.}
\Status{Implemented}
}
\numtest{22}{
\Reason{Allows 0 (never) for pw_expiration when there's no policy.}
\Status{Implemented}
}
\numtest{23}{
\Reason{Allows 0 (never) for pw_expiration when there's a policy with 0 for pw_max_life.}
\Status{Implemented}
}
\numtest{24}{
\Reason{Accepts 0 (never) for pw_expiration when there's a policy with non-zero pw_max_life, but actually sets pw_expiration to last_pwd_change + pw_max_life.}
\Status{Implemented}
}
\numtest{25}{
\Reason{Accepts and sets non-zero pw_expiration when no policy.}
\Status{Implemented}
}
\numtest{26}{
\Reason{Accepts and sets non-zero pw_expiration when there's a policy with zero pw_max_life.}
\Status{Implemented}
}
\numtest{27}{
\Reason{Accepts and sets non-zero pw_expiration when there's a policy with pw_max_life later than the specified pw_expiration.}
\Status{Implemented}
}
\numtest{28}{
\Reason{Accepts non-zero pw_expiration and limits it to last_pwd_change + pw_max_life when it's later than last_pwd_change + non-zero pw_max_life in policy.}
\Status{Implemented}
}
\numtest{29}{
\Priority{High}
\Reason{Sets pw_expiration to 0 (never) when a policy is cleared and no pw_expiration is specified.}
\Status{Implemented}
}
\numtest{30}{
\Priority{High}
\Reason{Sets pw_expiration to 0 (never) if it isn't specified and the new policy has a 0 (never) pw_max_life.}
\Status{Implemented}
}
\numtest{31}{
\Priority{High}
\Reason{Sets pw_expiration to now + pw_max_life if it isn't specified and the new policy has a non-zero pw_max_life.}
\Status{Implemented}
}
\numtest{32}{
\Priority{High}
\Reason{Accepts princ_expire_time change.}
\Status{Implemented}
}
\numtest{33}{
\Priority{High}
\Reason{Accepts attributes change.}
\Status{Implemented}
}
\numtest{33.25}{
\Priority{High}
\Reason{Accepts attributes change (KRB5_KDB_REQUIRES_PW_CHANGE).}
\Status{Implemented}
}
\numtest{33.5}{
\Priority{High}
\Reason{Accepts attributes change (KRB5_DISALLOW_TGT_BASE).}
\Status{Implemented}
}
\numtest{33.75}{
\Priority{High}
\Reason{Accepts attributes change (KRB5_PW_CHANGE_SERVICE).}
\Status{Implemented}
}
\numtest{34}{
\Priority{High}
\Reason{Accepts max_life change.}
\Status{Implemented}
}
\numtest{35}{
\Priority{High}
\Reason{Accepts kvno change.}
\Status{Implemented}
}
\numtest{36}{
\Reason{Behaves correctly when policy is set to the same as it was before.}
\Status{Implemented}
}
\numtest{37}{
\Reason{Behaves properly when POLICY_CLR is specified and there was no policy before.}
\Status{Implemented}
}
\numtest{38}{
\Priority{High}
\Reason{Accepts 0 (never) for princ_expire_time.}
\Status{Implemented}
}
\numtest{39}{
\Priority{High}
\Reason{Accepts 0 for max_life.}
\Status{Implemented}
}
\numtest{40}{
\Reason{Rejects null principal argument.}
\Status{Implemented}
}
\numtest{41}{
\Priority{High}
\Reason{Doesn't modify or free mod_name on success.}
}
\numtest{42}{
\Priority{High}
\Reason{Doesn't modify or free mod_name on failure.}
}
\numtest{43}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{44}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}
\numtest{100}{
\Version{KADM5_API_VERSION_2}
\Priority{bug-fix}
\Reason{Accepts max_rlife change.}
\Status{Implemented}
}
\numtest{101}{
\Version{KADM5_API_VERSION_2}
\Reason{Rejects last_success change.}
\Status{Implemented}
}
\numtest{102}{
\Version{KADM5_API_VERSION_2}
\Reason{Rejects last_failed change.}
\Status{Implemented}
}
\numtest{103}{
\Version{KADM5_API_VERSION_2}
\Reason{Rejects fail_auth_count change.}
\Status{Implemented}
}
\numtest{103.5}{
\Version{KADM5_API_VERSION_2}
\Reason{Rejects key_data change.}
\Status{Implemented}
}
\numtest{104}{
\Version{KADM5_API_VERSION_2}
\Reason{Accepts tl_data change when all types are greater than 256.}
\Status{Implemented}
}
\numtest{105}{
\Version{KADM5_API_VERSION_2}
\Reason{Returns KADM5_BAD_TL_TYPE when given tl_data with a type less than 256.}
\Status{Implemented}
}

\section{ovsec_kadm_rename_principal}

%\numtest{1}{
%\Reason{Fails if database not initialized.}
%\Status{Implemented}
%}
\numtest{2}{
\Priority{High}
\Reason{Fails if user connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{3}{
\Priority{High}
\Reason{Fails for user with no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{4}{
\Reason{Fails for user with ``modify'' access and not ``add'' or ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{5}{
\Reason{Fails for user with ``get'' access and not ``add'' or ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{6}{
\Reason{Fails for user with ``modify'' and ``add'' but not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{7}{
\Reason{Fails for user with ``modify'' and ``delete'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{8}{
\Reason{Fails for user with ``get'' and ``add'' but not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{9}{
\Reason{Fails for user with ``get'' and ``delete'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{10}{
\Reason{Fails for user with ``modify'', ``get'' and ``add'', but not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{11}{
\Reason{Fails for user with ``modify'', ``get'' and ``delete'', but not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Fails for user with ``add'' but not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Fails for user with ``delete'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{14}{
\Priority{High}
\Reason{Succeeds for user with ``add'' and ``delete'', when that user has non-name-based salt.}
\Status{Implemented}
}
\numtest{15}{
\Priority{High}
\Reason{Fails if target principal name exists.}
\Status{Implemented}
}
\numtest{16}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{17}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}
\numtest{18}{
\Priority{bug fix}
\Reason{Returns NO_RENAME_SALT when asked to rename a principal whose salt depends on the principal name.}
\Status{Implemented}
}

\section{ovsec_kadm_chpass_principal}
\label{ovseckadmchpassprincipal}

\subsection{Quality/history enforcement tests}

This section lists a series of tests which will be run a number of
times, with various parameter settings (e.g., which access bits the
user has, whether the user connected with ADMIN_SERVICE or
CHANGEPW_SERVICE, etc.).  The table following the list of tests gives
the various parameter settings under which the tests should be run, as
well as which should succeed and which should fail for each choice of
parameter settings.

\subsubsection{List of tests}

The test number of each of these tests is an offset from the base
given in the table below.
\numtest{1}{
\Priority{High}
\Reason{With history setting of 1, change password to itself.}
}
\numtest{2}{
\Reason{With history setting of 2 but no password changes since principal creation, change password to itself.}
}
\numtest{3}{
\Reason{With history setting of 2 and one password change since principal creation, change password to itself and directly previous password.}
}
\numtest{4}{
\Priority{High}
\Reason{With a history setting of 3 and no password changes, change password to itself.}
}
\numtest{5}{
\Priority{High}
\Reason{With a history setting of 3 and 1 password change, change password to itself or previous password.}
}
\numtest{6}{
\Priority{High}
\Reason{With a history setting of 3 and 2 password changes, change password to itself and the two previous passwords.}
}
\numtest{7}{
\Priority{High}
\Reason{Change to previously unused password when now - last_pwd_change $<$ pw_min_life.}
}
\numtest{8}{
\Priority{High}
\Reason{Change to previously unused password that doesn't contain enough character classes.}
}
\numtest{9}{
\Priority{High}
\Reason{Change to previously unused password that's too short.}
}
\numtest{10}{
\Priority{High}
\Reason{Change to previously unused password that's in the dictionary.}
}

\subsubsection{List of parameter settings}

In the table below, ``7 passes'' means that test 7 above passes and
the rest of the tests fail.

\begin{tabular}{lllll}
Base & Modify access? & Own password? & Service & Pass/Fail \\ \hline
0 & No & Yes & ADMIN & all fail \\
20 & No & Yes & CHANGEPW & all fail \\
40 & No & No & ADMIN & all fail \\
60 & No & No & CHANGEPW & all fail \\
80 & Yes & Yes & ADMIN & 7 passes \\
100 & Yes & Yes & CHANGEPW & all fail \\
120 & Yes & No & ADMIN & 7 passes \\
140 & Yes & No & CHANGEPW & all fail \\
\end{tabular}

\subsection{Other quality/history tests}

\numtest{161}{
\Priority{High}
\Reason{With history of 1, can change password to anything other than itself that doesn't conflict with other quality rules.}
}
\numtest{162}{
\Reason{With history of 2 and 2 password changes, can change password to original password.}
}
\numtest{163}{
\Priority{High}
\Reason{With history of 3 and 3 password changes, can change password to original password.}
}
\numtest{164}{
\Priority{High}
\Reason{Can change password when now - last_pwd_change $>$ pw_min_life.}
}
\numtest{165}{
\Priority{High}
\Reason{Can change password when it contains exactly the number of classes required by the policy.}
}
\numtest{166}{
\Priority{High}
\Reason{Can change password when it is exactly the length required by the policy.}
}
\numtest{167}{
\Priority{High}
\Reason{Can change password to a word that isn't in the dictionary.}
}

\subsection{Other tests}

%\numtest{168}{
%\Reason{Fails if database not initialized.}
%}
\numtest{169}{
\Reason{Fails for non-existent principal.}
}
\numtest{170}{
\Reason{Fails for null password.}
}
\numtest{171}{
\Priority{High}
\Reason{Fails for empty-string password.}
}
\numtest{172}{
\Priority{High}
\Reason{Pw_expiration is set to now + max_pw_life if policy exists and has non-zero max_pw_life.}
}
\numtest{173}{
\Priority{High}
\Reason{Pw_expiration is set to 0 if policy exists and has zero max_pw_life.}
}
\numtest{174}{
\Priority{High}
\Reason{Pw_expiration is set to 0 if no policy.}
}
\numtest{175}{
\Priority{High}
\Reason{KRB5_KDC_REQUIRES_PWCHANGE bit is cleared when password is successfully changed.}
}
\numtest{176}{
\Priority{High}
\Reason{Fails for user with no access bits, on other's password.}
}
\numtest{177}{
\Priority{High}
\Reason{Fails for user with ``get'' but not ``modify'' access, on other's password.}
}
\numtest{178}{
\Reason{Fails for user with ``delete'' but not ``modify'' access, on other's password.}
}
\numtest{179}{
\Reason{Fails for user with ``add'' but not ``modify'' access, on other's password.}
}
\numtest{180}{
\Reason{Succeeds for user with ``get'' and ``modify'' access, on other's password.}
\Status{Implemented}
}
\numtest{180.5}{
\Priority{High}
\Reason{Succeeds for user with ``modify'' but not ``get'' access, on other's password.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{180.625}{
\Priority{High}
\Reason{Fails for user with ``modify'' when connecting with CHANGEPW_SERVICE, on other's password.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{180.75}{
\Priority{High}
\Reason{Fails for user with ``modify'' when connecting with CHANGEPW_SERVICE, on other's password which has expired.}
\Conditions{RPC}
\Status{Implemented}
}
%\numtest{181}{
%\Reason{Password that would succeed if override_qual were false fails
%    if override_qual is true.}
%\Expected{Returns CANNOT_OVERRIDE.}
%}
\numtest{182}{
\Priority{High}
\Reason{Cannot change key of ovsec_adm/history principal.}
\Status{Implemented}
}
\numtest{183}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{184}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}
\numtest{200}{
\Version{KADM5_API_VERSION_2}
\Reason{Creates a key for the principal for each unique encryption type/salt type in use.}
\Status{Implemented}
}

\section{ovsec_kadm_chpass_principal_util}

Rerun all the tests listed for ovsec_kadm_chpass_principal above in
Section \ref{ovseckadmchpassprincipal}.  Verify that they succeed and
fail in the same circumstances.
Also verify that in each failure case, the error message returned in
msg_ret is as specified in the functional specification.

Also, run the following additional tests.

\numtest{1}{
\Reason{Null msg_ret is rejected.}
}
\numtest{2}{
\Priority{High}
\Reason{New password is put into pw_ret, when it's prompted for.}
}
\numtest{3}{
\Priority{High}
\Reason{New password is put into pw_ret, when it's supplied by the caller.}
}
\numtest{4}{
\Priority{High}
\Reason{Successful invocation when pw_ret is null.}
}

\section{ovsec_kadm_randkey_principal}

\subsection{TOOSOON enforcement tests}

This test should be run a number of times, as indicated in the table
following it.  The table also indicates the expected result of each
run of the test.

\test{
\Reason{Change key when now - last_pwd_change $<$ pw_min_life.}
}

\subsubsection{List of parameter settings}

\begin{tabular}{llllll}
Number & Modify Access? & Own Key? & Service & Pass/Fail & Implemented? \\ \hline
1 & No & Yes & ADMIN & fail & Yes \\
3 & No & Yes & CHANGEPW & fail & Yes \\
5 & No & No & ADMIN & fail \\
7 & No & No & CHANGEPW & fail \\
9 & Yes & Yes & ADMIN & pass \\
11 & Yes & Yes & CHANGEPW & fail \\
13 & Yes & No & ADMIN & pass & Yes \\
15 & Yes & No & CHANGEPW & fail & Yes \\
\end{tabular}

\subsection{Other tests}

\numtest{17}{
\Reason{Fails if database not initialized.}
}
\numtest{18}{
\Reason{Fails for non-existent principal.}
}
\numtest{19}{
\Reason{Fails for null keyblock pointer.}
}
\numtest{20}{
\Priority{High}
\Reason{Pw_expiration is set to now + max_pw_life if policy exists and has non-zero max_pw_life.}
}
\numtest{21}{
\Priority{High}
\Reason{Pw_expiration is set to 0 if policy exists and has zero max_pw_life.}
}
\numtest{22}{
\Priority{High}
\Reason{Pw_expiration is set to 0 if no policy.}
}
\numtest{23}{
\Priority{High}
\Reason{KRB5_KDC_REQUIRES_PWCHANGE bit is cleared when key is successfully changed.}
}
\numtest{24}{
\Priority{High}
\Reason{Fails for user with no access bits, on other's password.}
}
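The pw_expiration tests are spread over four sections of this plan: create_principal (tests 30 through 39), modify_principal (tests 22 through 31), chpass_principal (tests 172 through 175) and the randkey tests 20 through 23 just above. Read together they specify one derivation rule per operation. The following C example is added here for this plan and is not the krb5 implementation; it models those rules exactly as the tests state them. The function names, the entry structure and the value used for the REQUIRES_PWCHANGE attribute bit are constructed for the example.

```c
/* Added model of how pw_expiration is derived in the create_principal,
 * modify_principal, chpass_principal and randkey_principal tests.
 * Written for this document; not the krb5 implementation.  Names and the
 * attribute bit value are constructed. */
#include <stdio.h>
#include <time.h>

#define REQUIRES_PWCHANGE 0x20   /* stand-in for the KRB5_KDC_REQUIRES_PWCHANGE
                                  * bit the chpass/randkey tests name */

/* A policy whose pw_max_life is 0 (never) behaves like "no policy" here. */
static int policy_limits_life(int has_policy, long pw_max_life)
{
    return has_policy && pw_max_life != 0;
}

/* create_principal: a caller-specified pw_expiration, zero or not, is
 * stored as given (tests 30-36).  When unspecified it is now + pw_max_life
 * under a limiting policy, else 0 (tests 37-39). */
time_t create_pw_expiration(int specified, time_t requested,
                            int has_policy, long pw_max_life, time_t now)
{
    if (specified)
        return requested;
    if (policy_limits_life(has_policy, pw_max_life))
        return now + pw_max_life;
    return 0;
}

/* modify_principal: under a limiting policy a specified value is capped at
 * last_pwd_change + pw_max_life, a specified 0 becomes that cap (test 24),
 * and an unspecified value becomes now + pw_max_life (test 31).  Without a
 * limiting policy a specified value is kept (22, 23, 25, 26) and an
 * unspecified one becomes 0 (29, 30). */
time_t modify_pw_expiration(int specified, time_t requested,
                            int has_policy, long pw_max_life,
                            time_t now, time_t last_pwd_change)
{
    if (policy_limits_life(has_policy, pw_max_life)) {
        time_t limit = last_pwd_change + pw_max_life;
        if (!specified)
            return now + pw_max_life;
        if (requested == 0 || requested > limit)
            return limit;
        return requested;
    }
    return specified ? requested : 0;
}

/* chpass_principal / randkey_principal: the new expiration is
 * now + max_pw_life under a limiting policy, else 0, and the
 * REQUIRES_PWCHANGE attribute is cleared (tests 172-175 and 20-23). */
struct entry {
    unsigned attributes;
    int has_policy;
    long pw_max_life;
    time_t last_pwd_change;
    time_t pw_expiration;
};

struct entry apply_chpass(struct entry e, time_t now)
{
    e.last_pwd_change = now;
    e.pw_expiration = policy_limits_life(e.has_policy, e.pw_max_life)
                      ? now + e.pw_max_life : 0;
    e.attributes &= ~(unsigned)REQUIRES_PWCHANGE;
    return e;
}

int main(void)
{
    /* Constructed entry: flagged for a password change, policy of 500 s. */
    struct entry e = { REQUIRES_PWCHANGE | 0x4, 1, 500, 800, 0 };
    struct entry after = apply_chpass(e, 1000);
    printf("create, unspecified, pw_max_life 500: %ld\n",
           (long)create_pw_expiration(0, 0, 1, 500, 1000));
    printf("modify, requested 5000 against cap 1300: %ld\n",
           (long)modify_pw_expiration(1, 5000, 1, 500, 1000, 800));
    printf("chpass: pw_expiration %ld, attributes 0x%x\n",
           (long)after.pw_expiration, after.attributes);
    return 0;
}
```

The `specified` flag stands for the caller's mask including the pw_expiration field; the clock values are constructed so that the arithmetic can be followed by hand (now 1000, last_pwd_change 800, pw_max_life 500).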
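The quality/history tests for chpass_principal (the base-offset tests 1 through 10, the parameter table, and tests 161 through 167) and the TOOSOON table for randkey above describe the checks a password or key change must pass. The following C example is added here for this plan and is not code from the krb5 tree: it models those checks in the order the tests list them. The structure and function names, the four-way character-class split (consistent with the policy sections accepting 4 and rejecting 5 for pw_min_classes) and the dictionary contents are constructed. The one exemption in both tables, a caller with ``modify'' access connected with ADMIN_SERVICE passing the pw_min_life test, is the `admin_override` flag.

```c
/* Added model of the password-change checks the chpass_principal and
 * randkey_principal tests exercise.  Written for this document; the names,
 * the four-class split and the dictionary are constructed, not krb5 code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define PW_HISTORY_MAX 10            /* policy tests accept 10, reject 11 */

/* Result codes: stand-ins for the library's error codes. */
enum chpass_result {
    CHPASS_OK = 0,
    CHPASS_REUSE,      /* new password is within the history window */
    CHPASS_TOOSOON,    /* now - last_pwd_change < pw_min_life */
    CHPASS_TOOSHORT,   /* shorter than pw_min_length */
    CHPASS_CLASS,      /* fewer than pw_min_classes character classes */
    CHPASS_DICT        /* new password is in the dictionary */
};

struct policy {
    long pw_min_life;           /* seconds */
    unsigned pw_min_length;
    unsigned pw_min_classes;    /* 1..4 */
    unsigned pw_history_num;    /* 1..10; counts the current password */
};

struct princ {
    time_t last_pwd_change;
    /* history[0] is the current password, history[1] the previous one, ...
     * Cleartext only to keep the example self-contained. */
    const char *history[PW_HISTORY_MAX];
    unsigned nhistory;
};

/* Count character classes: lower, upper, digit, other (assumed split). */
unsigned count_classes(const char *pw)
{
    unsigned lower = 0, upper = 0, digit = 0, other = 0;
    for (; *pw != '\0'; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c)) lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else other = 1;
    }
    return lower + upper + digit + other;
}

/* Constructed stand-in for the dictionary lookup. */
static int in_dictionary(const char *pw)
{
    static const char *const words[] = { "Password1!", "Kerberos5!", "Welcome1!" };
    size_t i;
    for (i = 0; i < sizeof(words) / sizeof(words[0]); i++)
        if (strcmp(pw, words[i]) == 0) return 1;
    return 0;
}

/* admin_override models the rows of the parameter table marked "7 passes":
 * a caller with "modify" access connected with ADMIN_SERVICE is not held to
 * pw_min_life.  Every other check applies to every caller. */
enum chpass_result check_chpass(const struct policy *pol, const struct princ *p,
                                const char *newpw, time_t now, int admin_override)
{
    unsigned i, window = pol->pw_history_num;
    if (window > p->nhistory) window = p->nhistory;
    for (i = 0; i < window; i++)                       /* tests 1-6, 161-163 */
        if (strcmp(newpw, p->history[i]) == 0) return CHPASS_REUSE;
    if (!admin_override && now - p->last_pwd_change < pol->pw_min_life)
        return CHPASS_TOOSOON;                         /* tests 7, 164 */
    if (strlen(newpw) < pol->pw_min_length) return CHPASS_TOOSHORT;     /* 9, 166 */
    if (count_classes(newpw) < pol->pw_min_classes) return CHPASS_CLASS; /* 8, 165 */
    if (in_dictionary(newpw)) return CHPASS_DICT;                        /* 10, 167 */
    return CHPASS_OK;
}

/* Scenario builder: a constructed principal whose password was changed twice
 * after creation (current "Third!pw3", previous "Second!pw2", original
 * "First!pw1") under a policy with pw_min_life 3600 s, pw_min_length 8 and
 * pw_min_classes 3.  age_secs is now - last_pwd_change. */
enum chpass_result example(unsigned history_num, const char *newpw,
                           long age_secs, int admin_override)
{
    struct policy pol = { 3600, 8, 3, history_num };
    struct princ p = { 0, { "Third!pw3", "Second!pw2", "First!pw1" }, 3 };
    time_t now = 1000000;                              /* constructed clock */
    p.last_pwd_change = now - age_secs;
    return check_chpass(&pol, &p, newpw, now, admin_override);
}

int main(void)
{
    /* Test 6: history 3 after two changes rejects all three known passwords. */
    printf("original under history 3: %d\n", example(3, "First!pw1", 7200, 0));
    /* Test 162: history 2 lets the original password back in. */
    printf("original under history 2: %d\n", example(2, "First!pw1", 7200, 0));
    /* Parameter table, base 80: test 7 passes only for the admin case. */
    printf("too soon, non-admin: %d  admin: %d\n",
           example(3, "Fresh!pw9", 60, 0), example(3, "Fresh!pw9", 60, 1));
    return 0;
}
```

Each numbered quality test maps to one `example` call: the history setting, the candidate password, the age of the current password and whether the caller is in the exempt row of the table.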
\numtest{25}{
\Priority{High}
\Reason{Fails for user with ``get'' but not ``modify'' access, on other's password.}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{26}{
\Reason{Fails for user with ``delete'' but not ``modify'' access, on other's password.}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{27}{
\Reason{Fails for user with ``add'' but not ``modify'' access, on other's password.}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{28}{
\Reason{Succeeds for user with ``get'' and ``modify'' access, on other's password.}
\Status{Implemented}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{28.25}{
\Priority{High}
\Reason{Fails for user with ``get'' and ``modify'' access, on other's password, when connected with CHANGEPW_SERVICE.}
\Status{Implemented}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{28.5}{
\Priority{High}
\Reason{Succeeds for user with ``modify'' but not ``get'' access, on other's password.}
\Status{Implemented}
\Vtwonote{Change-password instead of modify access.}
}
\numtest{29}{
\Reason{The new key that's assigned is truly random.  XXX not sure how to test this.}
}
\numtest{30}{
\Reason{Succeeds for own key, no other access bits, when connecting with CHANGEPW service.}
\Status{Implemented}
}
\numtest{31}{
\Reason{Succeeds for own key, no other access bits, when connecting with ADMIN service.}
\Status{Implemented}
}
\numtest{32}{
\Reason{Cannot change ovsec_adm/history key.}
\Status{Implemented}
}
\numtest{33}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{34}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}
\numtest{100}{
\Version{KADM5_API_VERSION_2}
\Reason{Returns a key for each unique encryption type specified in the keysalts.}
}

\section{ovsec_kadm_get_principal}

\numtest{1}{
\Reason{Fails for null ent.}
\Status{Implemented}
}
\numtest{2}{
\Reason{Fails for non-existent principal.}
\Status{Implemented}
}
\numtest{3}{
\Priority{High}
\Reason{Fails for user with no access bits, retrieving other principal.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{4}{
\Priority{High}
\Reason{Fails for user with ``add'' but not ``get'', getting principal other than his own, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{5}{
\Reason{Fails for user with ``modify'' but not ``get'', getting principal other than his own, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{6}{
\Reason{Fails for user with ``delete'' but not ``get'', getting principal other than his own, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{7}{
\Reason{Fails for user with ``delete'' but not ``get'', getting principal other than his own, using CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{8}{
\Priority{High}
\Reason{Fails for user with ``get'', getting principal other than his own, using CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Succeeds for user without ``get'', retrieving self, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{10}{
\Reason{Succeeds for user without ``get'', retrieving self, using CHANGEPW_SERVICE.}
\Status{Implemented}
}
\numtest{11}{
\Reason{Succeeds for user with ``get'', retrieving self, using ADMIN_SERVICE.}
\Status{Implemented}
}
\numtest{12}{
\Reason{Succeeds for user with ``get'', retrieving self, using CHANGEPW_SERVICE.}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Succeeds for user with ``get'', retrieving other user, using ADMIN_SERVICE.}
\Status{Implemented}
}
\numtest{14}{
\Reason{Succeeds for user with ``get'' and ``modify'', retrieving other principal, using ADMIN_SERVICE.}
\Status{Implemented}
}
\numtest{15}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{16}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}
\numtest{100}{
\Version{KADM5_API_VERSION_2}
\Reason{If KADM5_PRINCIPAL_NORMAL_MASK is specified, the key_data and tl_data fields are NULL/zero.}
\Status{Implemented}
}
\numtest{101}{
\Version{KADM5_API_VERSION_2}
\Reason{If KADM5_KEY_DATA is specified, the key_data fields contain data but the contents are all NULL.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{102}{
\Version{KADM5_API_VERSION_2}
\Reason{If KADM5_KEY_DATA is specified, the key_data fields contain data and the contents are all non-NULL.}
\Conditions{local}
\Status{Implemented}
}
\numtest{103}{
\Version{KADM5_API_VERSION_2}
\Reason{If KADM5_TL_DATA is specified, the tl_data field contains the correct tl_data and no entries whose type is less than 256.}
\Status{Implemented}
}

\section{ovsec_kadm_create_policy}

\numtest{1}{
\Reason{Fails for mask with undefined bit set.}
\Status{Implemented - untested}
}
\numtest{2}{
\Priority{High}
\Reason{Fails if caller connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{3}{
\Reason{Fails for mask without POLICY bit set.}
\Status{Implemented - untested}
}
\numtest{4}{
\Reason{Fails for mask with REF_COUNT bit set.}
\Status{Implemented}
}
\numtest{5}{
\Reason{Fails for invalid policy name.}
\Status{Implemented - untested}
}
\numtest{6}{
\Priority{High}
\Reason{Fails for existing policy name.}
\Status{Implemented}
}
\numtest{7}{
\Reason{Fails for null policy name.}
\Status{Implemented - untested}
}
\numtest{8}{
\Priority{High}
\Reason{Fails for empty-string policy name.}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Accepts 0 for pw_min_life.}
\Status{Implemented}
}
\numtest{10}{
\Priority{High}
\Reason{Accepts non-zero for pw_min_life.}
\Status{Implemented}
}
\numtest{11}{
\Priority{High}
\Reason{Accepts 0 for pw_max_life.}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Accepts non-zero for pw_max_life.}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Rejects 0 for pw_min_length.}
\Status{Implemented}
}
\numtest{14}{
\Priority{High}
\Reason{Accepts non-zero for pw_min_length.}
\Status{Implemented}
}
\numtest{15}{
\Priority{High}
\Reason{Rejects 0 for pw_min_classes.}
\Status{Implemented}
}
\numtest{16}{
\Priority{High}
\Reason{Accepts 1 for pw_min_classes.}
\Status{Implemented}
}
\numtest{17}{
\Priority{High}
\Reason{Accepts 4 for pw_min_classes.}
\Status{Implemented}
}
\numtest{18}{
\Priority{High}
\Reason{Rejects 5 for pw_min_classes.}
\Status{Implemented}
}
\numtest{19}{
\Priority{High}
\Reason{Rejects 0 for pw_history_num.}
\Status{Implemented}
}
\numtest{20}{
\Priority{High}
\Reason{Accepts 1 for pw_history_num.}
\Status{Implemented}
}
\numtest{21}{
\Priority{High}
\Reason{Accepts 10 for pw_history_num.}
\Status{Implemented}
}
\numtest{21.5}{
\Reason{Rejects 11 for pw_history_num.}
\Status{Implemented - untested}
}
\numtest{22}{
\Priority{High}
\Reason{Fails for user with no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{23}{
\Priority{High}
\Reason{Fails for user with ``get'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{24}{
\Reason{Fails for user with ``modify'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented - untested}
}
\numtest{25}{
\Reason{Fails for user with ``delete'' but not ``add''.}
\Conditions{RPC}
\Status{Implemented - untested}
}
\numtest{26}{
\Priority{High}
\Reason{Succeeds for user with ``add''.}
\Status{Implemented}
}
\numtest{27}{
\Reason{Succeeds for user with ``get'' and ``add''.}
\Status{Implemented - untested}
}
\numtest{28}{
\Reason{Rejects null policy argument.}
\Status{Implemented - untested}
}
\numtest{29}{
\Reason{Rejects pw_min_life greater than pw_max_life.}
}
\numtest{30}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{31}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_delete_policy}

\numtest{1}{
\Reason{Fails for null policy name.}
}
\numtest{2}{
\Priority{High}
\Reason{Fails for empty-string policy name.}
\Status{Implemented}
}
\numtest{3}{
\Reason{Fails for non-existent policy name.}
}
\numtest{4}{
\Reason{Fails for bad policy name.}
}
\numtest{5}{
\Priority{High}
\Reason{Fails if caller connected with CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{6}{
\Priority{High}
\Reason{Fails for user with no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{7}{
\Priority{High}
\Reason{Fails for user with ``add'' but not ``delete''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{8}{
\Reason{Fails for user with ``modify'' but not ``delete''.}
\Conditions{RPC}
}
\numtest{9}{
\Reason{Fails for user with ``get'' but not ``delete''.}
\Conditions{RPC}
}
\numtest{10}{
\Priority{High}
\Reason{Succeeds for user with only ``delete''.}
\Status{Implemented}
}
\numtest{11}{
\Reason{Succeeds for user with ``delete'' and ``add''.}
}
\numtest{12}{
\Priority{High}
\Reason{Fails for policy with non-zero reference count.}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{14}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_modify_policy}

\numtest{1}{
\Reason{Fails for mask with undefined bit set.}
\Conditions{RPC}
}
\numtest{2}{
\Priority{High}
\Reason{Fails if caller connected with CHANGEPW_SERVICE.}
\Status{Implemented}
}
\numtest{3}{
\Reason{Fails for mask with POLICY bit set.}
}
\numtest{4}{
\Reason{Fails for mask with REF_COUNT bit set.}
\Status{Implemented}
}
\numtest{5}{
\Reason{Fails for invalid policy name.}
}
\numtest{6}{
\Reason{Fails for non-existent policy name.}
}
\numtest{7}{
\Reason{Fails for null policy name.}
}
\numtest{8}{
\Priority{High}
\Reason{Fails for empty-string policy name.}
\Status{Implemented}
}
\numtest{9}{
\Priority{High}
\Reason{Accepts 0 for pw_min_life.}
\Status{Implemented}
}
\numtest{10}{
\Priority{High}
\Reason{Accepts non-zero for pw_min_life.}
\Status{Implemented}
}
\numtest{11}{
\Priority{High}
\Reason{Accepts 0 for pw_max_life.}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Accepts non-zero for pw_max_life.}
\Status{Implemented}
}
\numtest{13}{
\Priority{High}
\Reason{Accepts 0 for pw_min_length.}
\Status{Implemented}
}
\numtest{14}{
\Priority{High}
\Reason{Accepts non-zero for pw_min_length.}
\Status{Implemented}
}
\numtest{15}{
\Priority{High}
\Reason{Rejects 0 for pw_min_classes.}
\Status{Implemented}
}
\numtest{16}{
\Priority{High}
\Reason{Accepts 1 for pw_min_classes.}
\Status{Implemented}
}
\numtest{17}{
\Priority{High}
\Reason{Accepts 4 for pw_min_classes.}
\Status{Implemented}
}
\numtest{18}{
\Priority{High}
\Reason{Rejects 5 for pw_min_classes.}
\Status{Implemented}
}
\numtest{19}{
\Priority{High}
\Reason{Rejects 0 for pw_history_num.}
\Status{Implemented}
}
\numtest{20}{
\Priority{High}
\Reason{Accepts 1 for pw_history_num.}
\Status{Implemented}
}
\numtest{21}{
\Priority{High}
\Reason{Accepts 10 for pw_history_num.}
\Status{Implemented}
}
\numtest{22}{
\Priority{High}
\Reason{Fails for user with no access bits.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{23}{
\Priority{High}
\Reason{Fails for user with ``get'' but not ``modify''.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{24}{
\Reason{Fails for user with ``add'' but not ``modify''.}
\Conditions{RPC}
}
\numtest{25}{
\Reason{Fails for user with ``delete'' but not ``modify''.}
\Conditions{RPC}
}
\numtest{26}{
\Priority{High}
\Reason{Succeeds for user with ``modify''.}
\Status{Implemented}
}
\numtest{27}{
\Reason{Succeeds for user with ``get'' and ``modify''.}
}
\numtest{28}{
\Reason{Rejects null policy argument.}
}
\numtest{29}{
\Reason{Rejects change which makes pw_min_life greater than pw_max_life.}
}
\numtest{30}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{31}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_get_policy}

\numtest{1}{
\Reason{Fails for null policy.}
}
\numtest{2}{
\Reason{Fails for invalid policy name.}
}
\numtest{3}{
\Priority{High}
\Reason{Fails for empty-string policy name.}
\Status{Implemented}
}
\numtest{4}{
\Reason{Fails for non-existent policy name.}
}
\numtest{5}{
\Reason{Fails for null ent.}
}
\numtest{6}{
\Priority{High}
\Reason{Fails for user with no access bits trying to get other's policy, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{7}{
\Priority{High}
\Reason{Fails for user with ``add'' but not ``get'' trying to get other's policy, using ADMIN_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{8}{
\Reason{Fails for user with ``modify'' but not ``get'' trying to get other's policy, using ADMIN_SERVICE.}
\Conditions{RPC}
}
\numtest{9}{
\Reason{Fails for user with ``delete'' but not ``get'' trying to get other's policy, using ADMIN_SERVICE.}
\Conditions{RPC}
}
\numtest{10}{
\Reason{Fails for user with ``delete'' but not ``get'' trying to get other's policy, using CHANGEPW_SERVICE.}
\Conditions{RPC}
}
\numtest{11}{
\Priority{High}
\Reason{Succeeds for user with only ``get'', trying to get own policy, using ADMIN_SERVICE.}
\Status{Implemented}
}
\numtest{12}{
\Priority{High}
\Reason{Succeeds for user with only ``get'', trying to get own policy, using CHANGEPW_SERVICE.}
\Status{Implemented}
}
\numtest{13}{
\Reason{Succeeds for user with ``add'' and ``get'', trying to get own policy, using ADMIN_SERVICE.}
}
\numtest{14}{
\Reason{Succeeds for user with ``add'' and ``get'', trying to get own policy, using CHANGEPW_SERVICE.}
}
\numtest{15}{
\Reason{Succeeds for user without ``get'', trying to get own policy, using ADMIN_SERVICE.}
}
\numtest{16}{
\Priority{High}
\Reason{Succeeds for user without ``get'', trying to get own policy, using CHANGEPW_SERVICE.}
\Status{Implemented}
}
\numtest{17}{
\Priority{High}
\Reason{Succeeds for user with ``get'', trying to get other's policy, using ADMIN_SERVICE.}
\Status{Implemented}
}
\numtest{18}{
\Priority{High}
\Reason{Fails for user with ``get'', trying to get other's policy, using CHANGEPW_SERVICE.}
\Conditions{RPC}
\Status{Implemented}
}
\numtest{19}{
\Reason{Succeeds for user with ``modify'' and ``get'', trying to get other's policy, using ADMIN_SERVICE.}
}
\numtest{20}{
\Reason{Fails for user with ``modify'' and ``get'', trying to get other's policy, using CHANGEPW_SERVICE.}
}
\numtest{21}{
\Priority{High}
\Reason{Returns BAD_SERVER_HANDLE when a null server handle is passed in}
\Status{Implemented}
}
\numtest{22}{
\Priority{Low}
\Reason{Connects to correct server when multiple handles exist}
\Conditions{RPC}
}

\section{ovsec_kadm_free_principal_ent}

In addition to the tests listed here, a memory-leak detector such as
TestCenter, Purify or dbmalloc should be used to verify that the
memory freed by this function is really freed.
\numtest{1}{ \Reason{Null princ succeeds.} }
\numtest{2}{ \Reason{Non-null princ succeeds.} }

\section{ovsec_kadm_free_policy_ent}

In addition to the tests listed here, a memory-leak detector such as TestCenter, Purify or dbmalloc should be used to verify that the memory freed by this function is really freed.

\numtest{1}{ \Reason{Null policy succeeds.} }
\numtest{2}{ \Reason{Non-null policy succeeds.} }

\section{ovsec_kadm_get_privs}

\numtest{1}{ \Reason{Fails for null pointer argument.} }

This test should be run with the 16 possible combinations of access bits (since there are 4 access bits, there are $2^4 = 16$ possible combinations of them):

\numtest{2}{ \Priority{High} \Reason{Returns correct bit mask for access bits of user.} \Conditions{RPC} }

This test should be run locally:

\numtest{3}{ \Priority{High} \Reason{Returns 0x0f.} \Conditions{local} }

\end{document}

krb5-1.19.2/doc/kadm5/api-funcspec.tex

% This document is included for historical purposes only, and does not
% apply to krb5 today.
\documentstyle[12pt,fullpage]{article}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Make _ actually generate an _, and allow line-breaking after it.
\let\underscore=\_
\catcode`_=13
\def_{\underscore\penalty75\relax}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\setlength{\parskip}{.7\baselineskip}
\setlength{\parindent}{0pt}

\def\v#1{\verb+#1+}

\title{Kerberos Administration System \\ KADM5 API Functional Specifications}
\author{Barry Jaspan}

\begin{document}

\sloppy

\maketitle
{\setlength{\parskip}{0pt}\tableofcontents}

\section{Introduction}

This document describes the Admin API that can be used to maintain principals and policies. It describes the data structures used for each function and the interpretation of each data type field, the semantics of each API function, and the possible return codes.
The Admin API is intended to be used by remote clients using an RPC interface. It is implemented by the admin server running on the Kerberos master server. It is also possible for a program running on the Kerberos master server to use the Admin API directly, without going through the admin server.

\section{Versions of the API}

The versions of this API and a brief description of the changes for each are:

\begin{description}
\item[KADM5_API_VERSION_1] The initial version of this API, written by OpenVision Technologies and donated to MIT for inclusion in the public release. Originally called OVSEC_KADM_API_VERSION_1. Almost everything has been renamed in one way or another, including functions, header files, and data structures. Where possible, the old OVSEC_KADM names have been left behind for compatibility with version 1, and KADM5_API_VERSION_1 is compatible with OVSEC_KADM_API_VERSION_1 at compile-, link-, and run-time. The OVSEC_KADM name compatibility will not be extended to new functionality in future versions because no existing OVSEC_KADM clients will use that functionality; new clients should be written to the KADM5 API.

\item[KADM5_API_VERSION_2] This version contains the initial changes necessary to make the OpenVision administration system work with the mid-1996 MIT version of Kerberos 5. Changes include
\begin{enumerate}
\item The kadm5_init functions now take a structure of parameters instead of just a realm name, allowing the calling program to specify non-default values for various configuration options. See section \ref{sec:configparams} for details.
\item The KADM5 API has been extended to support new features of the Kerberos database, including multiple encryption and salt types per principal. See section \ref{sec:keys} for details.
\item kadm5_get_principal now allows a principal's keys to be retrieved {\it by local clients only}. This is necessary in order for the kadm5 API to provide the primary Kerberos database interface.
\item The KADM5 authorization system has been completely changed.
\item The functions kadm5_flush, kadm5_get_principals, and kadm5_get_policies have been added.
\item The KADM5 API now obeys a caller-allocates rather than callee-allocates system. kadm5_get_principal and kadm5_get_policy are affected.
\end{enumerate}
\end{description}

\section{Policies and Password Quality}

The Admin API Password Quality mechanism provides the following controls. Note that two strings are defined to be ``significantly different'' if they differ by at least one character. The comparison is not case sensitive.

\begin{itemize}
\item A minimum length can be required; a password with fewer than the specified number of characters will not be accepted.
\item A minimum number of character classes can be required; a password that does not contain at least one character from at least the specified number of character classes will not be accepted. The character classes are defined by islower(), isupper(), isdigit(), ispunct(), and other (any character that falls into none of the first four classes).
\item Passwords can be required to be different from previous passwords; a password that generates the same encryption key as any of the principal's specified number of previous passwords will not be accepted. This comparison is performed on the encryption keys generated from the passwords, not on the passwords themselves.
\item A single ``forbidden password'' dictionary can be specified for all users; a password that is not significantly different from any word in the dictionary will not be accepted.
\end{itemize}

\section{Data Structures}

This section describes the data structures used by the Admin API. They are defined in $<$kadm5/admin.h$>$.

\subsection{Principals, kadm5_principal_ent_t}
\label{sec:principal-structure}

A Kerberos principal entry is represented by a kadm5_principal_ent_t. It contains a subset of the information stored in the master Kerberos database as well as the additional information maintained by the admin system.
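The password-quality controls of the preceding section, together with the pw_min_life and pw_max_life semantics of the policy fields in section \ref{sec:policy-fields}, are shown below in C. This is an added example written for this edition and is not code from the krb5 sources: the pw_result codes (standing in for KADM5_PASS_Q_TOOSHORT, KADM5_PASS_Q_CLASS, KADM5_PASS_Q_DICT and KADM5_PASS_TOOSOON), the struct policy subset of kadm5_policy_ent_t, the sample policy and the three-word dictionary are all constructed for it. The key-based history comparison (pw_history_num) is omitted because it needs the string-to-key routines; treating pw_max_life of 0 as ``never expires'' is an assumption taken from the policy mask table's ``0 (infinite)''.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Example result codes; the library returns KADM5_PASS_Q_TOOSHORT,
 * KADM5_PASS_Q_CLASS, KADM5_PASS_Q_DICT and KADM5_PASS_TOOSOON. */
enum pw_result { PW_OK = 0, PW_TOOSHORT, PW_CLASS, PW_DICT, PW_TOOSOON };

/* The kadm5_policy_ent_t fields these checks use (example subset). */
struct policy {
    uint32_t pw_min_life;    /* seconds; 0 = no minimum */
    uint32_t pw_max_life;    /* seconds; 0 = password never expires (assumed) */
    uint32_t pw_min_length;
    uint32_t pw_min_classes; /* 1..5 */
};

/* Constructed stand-in for the admin server's dictionary file. */
static const char *const dictionary[] = { "password", "kerberos", "secret", NULL };

/* Number of distinct classes present: islower, isupper, isdigit, ispunct, other. */
int count_classes(const char *pw)
{
    int seen[5] = { 0, 0, 0, 0, 0 };
    for (; *pw != '\0'; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      seen[0] = 1;
        else if (isupper(c)) seen[1] = 1;
        else if (isdigit(c)) seen[2] = 1;
        else if (ispunct(c)) seen[3] = 1;
        else                 seen[4] = 1;
    }
    return seen[0] + seen[1] + seen[2] + seen[3] + seen[4];
}

/* "Significantly different" means at least one character differs, compared
 * case-insensitively; a password that equals a dictionary word ignoring
 * case is therefore forbidden. */
static int equal_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

int in_dictionary(const char *pw)
{
    for (const char *const *w = dictionary; *w != NULL; w++)
        if (equal_nocase(pw, *w))
            return 1;
    return 0;
}

/* Checks applied when a principal changes its password at time 'now',
 * given its last_pwd_change.  History comparison on keys is not shown. */
enum pw_result check_password_change(const struct policy *pol, const char *newpw,
                                     time_t last_pwd_change, time_t now)
{
    /* pw_min_life seconds must have passed since last_pwd_change */
    if (pol->pw_min_life != 0 &&
        (long long)(now - last_pwd_change) < (long long)pol->pw_min_life)
        return PW_TOOSOON;
    if (strlen(newpw) < pol->pw_min_length)
        return PW_TOOSHORT;
    if ((uint32_t)count_classes(newpw) < pol->pw_min_classes)
        return PW_CLASS;
    if (in_dictionary(newpw))
        return PW_DICT;
    return PW_OK;
}

/* pw_expiration recomputed after a successful change: now + pw_max_life. */
time_t compute_pw_expiration(const struct policy *pol, time_t now)
{
    return pol->pw_max_life == 0 ? (time_t)0 : now + (time_t)pol->pw_max_life;
}

/* Constructed sample policy: 1-day minimum life, 90-day maximum life,
 * 8 characters, 2 character classes. */
const struct policy *sample_policy(void)
{
    static const struct policy p = { 86400, 7776000, 8, 2 };
    return &p;
}
```

The order of the checks matters for the error a caller sees: a change attempted inside pw_min_life is reported as KADM5_PASS_TOOSOON before the new password is examined at all, so a rejected caller learns nothing about how the quality rules judged the candidate.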
In the current version, the only additional information is the principal's policy and the aux_attributes flags. The principal may or may not have a policy enforced on it. If the POLICY bit (see section \ref{sec:masks}) is set in aux_attributes, the policy field names the principal's policy. If the POLICY bit is not set in aux_attributes, no policy is enforced on the principal and the value of the policy field is undefined.

\begin{figure}[htbp]
\begin{verbatim}
typedef struct _kadm5_principal_ent_t {
        krb5_principal  principal;
        krb5_timestamp  princ_expire_time;
        krb5_timestamp  last_pwd_change;
        krb5_timestamp  pw_expiration;
        krb5_deltat     max_life;
        krb5_principal  mod_name;
        krb5_timestamp  mod_date;
        krb5_flags      attributes;
        krb5_kvno       kvno;
        krb5_kvno       mkvno;
        char            *policy;
        u_int32         aux_attributes;
        krb5_deltat     max_renewable_life;
        krb5_timestamp  last_success;
        krb5_timestamp  last_failed;
        krb5_kvno       fail_auth_count;
        krb5_int16      n_key_data;
        krb5_int16      n_tl_data;
        krb5_tl_data    *tl_data;
        krb5_key_data   *key_data;
} kadm5_principal_ent_rec, *kadm5_principal_ent_t;
\end{verbatim}
\caption{Definition of kadm5_principal_ent_t.}
\label{fig:princ-t}
\end{figure}

The fields of a kadm5_principal_ent_t are interpreted as follows.

\begin{description}
\item[principal] The name of the principal; must conform to Kerberos naming specifications.

\item[princ_expire_time] The expire time of the principal as a Kerberos timestamp. No Kerberos tickets will be issued for a principal after its expire time.

\item[last_pwd_change] The time this principal's password was last changed, as a Kerberos timestamp.

\item[pw_expiration] The expire time of the user's current password, as a Kerberos timestamp. No application service tickets will be issued for the principal once the password expire time has passed. Note that the user can then only obtain tickets for services that have the KRB5_KDB_PWCHANGE_SERVICE bit set in the attributes field.

\item[max_life] The maximum lifetime of any Kerberos ticket issued to this principal.
\item[attributes] A bitfield of attributes for use by the KDC. The symbols and constant values are defined below; their interpretation appears in the libkdb functional specification. \begin{tabular}{clr} {\bf Name} & {\bf Value} \\ KRB5_KDB_DISALLOW_POSTDATED & 0x00000001 \\ KRB5_KDB_DISALLOW_FORWARDABLE & 0x00000002 \\ KRB5_KDB_DISALLOW_TGT_BASED & 0x00000004 \\ KRB5_KDB_DISALLOW_RENEWABLE & 0x00000008 \\ KRB5_KDB_DISALLOW_PROXIABLE & 0x00000010 \\ KRB5_KDB_DISALLOW_DUP_SKEY & 0x00000020 \\ KRB5_KDB_DISALLOW_ALL_TIX & 0x00000040 \\ KRB5_KDB_REQUIRES_PRE_AUTH & 0x00000080 \\ KRB5_KDB_REQUIRES_HW_AUTH & 0x00000100 \\ KRB5_KDB_REQUIRES_PWCHANGE & 0x00000200 \\ KRB5_KDB_DISALLOW_SVR & 0x00001000 \\ KRB5_KDB_PWCHANGE_SERVICE & 0x00002000 \\ KRB5_KDB_SUPPORT_DESMD5 & 0x00004000 \\ KRB5_KDB_NEW_PRINC & 0x00008000 \end{tabular} \item[mod_name] The name of the Kerberos principal that most recently modified this principal. \item[mod_date] The time this principal was last modified, as a Kerberos timestamp. \item[kvno] The version of the principal's current key. \item[mkvno] The version of the Kerberos Master Key in effect when this principal's key was last changed. In KADM5_API_VERSION_2, this field is always zero. \item[policy] If the POLICY bit is set in aux_attributes, the name of the policy controlling this principal. \item[aux_attributes] A bitfield of flags for use by the administration system. Currently, the only valid flag is POLICY, and it indicates whether or not the principal has a policy enforced on it. \item[max_renewable_life] The maximum renewable lifetime of any Kerberos ticket issued to or for this principal. This field only exists in KADM5_API_VERSION_2. \item[last_success] The KDC time of the last successful AS_REQ. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2. \item[last_failed] The KDC time of the last failed AS_REQ. 
This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation of the KDC. This field only exists in KADM5_API_VERSION_2.

\item[fail_auth_count] The number of consecutive failed AS_REQs. When this number reaches KRB5_MAX_FAIL_COUNT, KRB5_KDB_DISALLOW_ALL_TIX is set on the principal. This is only updated if KRBCONF_KDC_MODIFIES_KDB is defined during compilation. This field only exists in KADM5_API_VERSION_2.

\item[n_tl_data] The number of elements in the \v{tl_data} linked list. This field only exists in KADM5_API_VERSION_2.

\item[n_key_data] The number of elements in the \v{key_data} array. This field only exists in KADM5_API_VERSION_2.

\item[tl_data] A linked list of tagged data. This list is a mechanism by which programs can store extended information in a principal entry, without having to modify the database API. Each element is of type krb5_tl_data:
\begin{verbatim}
typedef struct _krb5_tl_data {
    struct _krb5_tl_data* tl_data_next;
    krb5_int16 tl_data_type;
    krb5_int16 tl_data_length;
    krb5_octet * tl_data_contents;
} krb5_tl_data;
\end{verbatim}
%
The KADM5 API only allows elements whose tl_data_type is greater than or equal to 256. Values less than 256 are reserved for internal use by the KADM5 or kdb system. They are filtered out of the list returned by kadm5_get_principal, and generate an error if given to kadm5_modify_principal. The libkdb library defines the tagged data types KRB5_TL_LAST_PWD_CHANGE, KRB5_TL_MOD_PRINC, and KRB5_TL_KADM_DATA, all with values less than 256, which store the last password modification time, time and modifier of last principal modification, and administration system data. All of these entries are expected by the administration system and parsed out into fields of the kadm5_principal_ent_rec structure; as described above, they are not included in the tl_data list. Tagged data elements with types greater than or equal to 256 are handled without interpretation by KADM5.
Note that an application that calls kadm5_modify_principal with the KADM5_TL_DATA mask bit set is responsible for providing the {\it complete} tl_data list, which it necessarily must obtain from kadm5_get_principal. It is {\it never} possible for an application to construct a complete tl_data list from scratch.

\item[key_data] An array of the principal's keys. The keys contained in this array are encrypted in the Kerberos master key. See section \ref{sec:keys} for a discussion of the krb5_key_data structure.
\end{description}

\subsection{Policies, kadm5_policy_ent_t}
\label{sec:policy-fields}

If the POLICY bit is set in aux_attributes, the \v{policy} name field in the kadm5_principal_ent_t structure refers to a password policy entry defined in a \v{kadm5_policy_ent_t}.

\begin{verbatim}
typedef struct _kadm5_policy_ent_t {
        char            *policy;
        u_int32         pw_min_life;
        u_int32         pw_max_life;
        u_int32         pw_min_length;
        u_int32         pw_min_classes;
        u_int32         pw_history_num;
        u_int32         policy_refcnt;
} kadm5_policy_ent_rec, *kadm5_policy_ent_t;
\end{verbatim}

The fields of a kadm5_policy_ent_t are interpreted as follows. Note that a policy's values only apply to a principal using that policy.

\begin{description}
\item[policy] The name of this policy, as a NULL-terminated string. The ASCII characters between 32 (space) and 126 (tilde), inclusive, are legal.

\item[pw_min_life] The minimum password lifetime, in seconds. A principal cannot change its password before pw_min_life seconds have passed since last_pwd_change.

\item[pw_max_life] The default duration, in seconds, used to compute pw_expiration when a principal's password is changed.

\item[pw_min_length] The minimum password length, in characters. A principal cannot set its password to anything with fewer than this number of characters. This value must be greater than zero.

\item[pw_min_classes] The minimum number of character classes in the password. This value can only be 1, 2, 3, 4, or 5.
A principal cannot set its password to anything with fewer than this number of character classes in it.

\item[pw_history_num] The number of past passwords that are stored for the principal; the minimum value is 1 and the maximum value is 10. A principal cannot set its password to any of its previous pw_history_num passwords. The first ``previous'' password is the current password; thus, a principal with a policy can never reset its password to its current value.

\item[policy_refcnt] The number of principals currently using this policy. A policy cannot be deleted unless this number is zero.
\end{description}

\subsection{Configuration parameters}
\label{sec:configparams}

The KADM5 API acquires configuration information from the Kerberos configuration file (\$KRB5_CONFIG or DEFAULT_PROFILE_PATH) and from the KDC configuration file (\$KRB5_KDC_CONFIG or DEFAULT_KDC_PROFILE). In KADM5_API_VERSION_2, some of the configuration parameters used by the KADM5 API can be controlled by the caller by providing a kadm5_config_params structure to kadm5_init:
%
\begin{verbatim}
typedef struct _kadm5_config_params {
    u_int32             mask;

    /* Client and server fields */
    char *              realm;
    char *              profile;
    int                 kadmind_port;

    /* client fields */
    char *              admin_server;

    /* server fields */
    char *              dbname;
    char *              admin_dbname;
    char *              admin_lockfile;
    char *              acl_file;
    char *              dict_file;
    char *              admin_keytab;

    /* server library (database) fields */
    int                 mkey_from_kbd;
    char *              stash_file;
    char *              mkey_name;
    krb5_enctype        enctype;
    krb5_deltat         max_life;
    krb5_deltat         max_rlife;
    krb5_timestamp      expiration;
    krb5_flags          flags;
    krb5_key_salt_tuple *keysalts;
    krb5_int32          num_keysalts;
} kadm5_config_params;
\end{verbatim}
%
The following list describes each of the fields of the structure, along with the profile relation it overrides, its mask value, its default value, and whether it is valid on the client, server, or both, or neither.

\begin{description}
\item[mask] No variable. No mask value.
A bitfield specifying which fields of the structure contain valid information. A caller sets this mask before calling kadm5_init_*, indicating which parameters are specified. The mask values are defined in $<$kadm5/admin.h$>$ and are all prefixed with KADM5_CONFIG_; the prefix is not included in the descriptions below. \item[realm] No variable. REALM. Client and server. The realm to which these parameters apply, and the realm for which additional parameters are to be acquired, if any. If this field is not specified in the mask, the default local realm is used. \item[profile] Variable: profile (server only). PROFILE. Client and server. The Kerberos profile to use. On the client, the default is the value of the KRB5_CONFIG environment variable, or DEFAULT_PROFILE_PATH if that is not set. On the server, the value of the ``profile'' variable of the KDC configuration file will be used as the first default if it exists; otherwise, the default is the value of the KRB5_KDC_PROFILE environment variable or DEFAULT_KDC_PROFILE. \item[kadmind_port] Variable: kadmind_port. KADMIND_PORT. Client and server. The port number the kadmind server listens on. The client uses this field to determine where to connect, and the server to determine where to listen. The default is 749, which has been assigned by IANA. \item[admin_server] Variable: admin_server. ADMIN_SERVER. Client. The host name of the admin server to which to connect. There is no default. If the value of this field contains a colon (:), the text following the colon is treated as an integer and assigned to the kadmind_port field, overriding any value of the kadmind_port variable. \item[dbname] Variable: dbname. DBNAME. Server. The Kerberos database name to use; the Kerberos database stores principal information. The default is DEFAULT_KDB_FILE. \item[admin_dbname] Variable: admin_database_name. ADBNAME. Neither. If the dbname field is set, this field is set to the value of dbname followed by ``.kadm5''. 
\item[admin_lockfile] Variable: admin_database_lockfile. ADB_LOCKFILE. Neither. If the admin_dbname field is set, this field is set to the value of admin_dbname followed by ``.lock''.

\item[acl_file] Variable: acl_file. ACL_FILE. Server. The admin server's ACL file. The default is DEFAULT_KADM5_ACL_FILE.

\item[dict_file] Variable: admin_dict_file. DICT_FILE. Server. The admin server's dictionary file of passwords to disallow. No default.

\item[admin_keytab] Variable: admin_keytab. ADMIN_KEYTAB. Server. The keytab file containing the kadmin/admin and kadmin/changepw entries for the server to use. The default is the value of the KRB5_KTNAME environment variable, if defined, else DEFAULT_KADM5_KEYTAB.

\item[mkey_from_kbd] No variable. MKEY_FROM_KEYBOARD. Server. If non-zero, prompt for the master password via the tty instead of using the stash file. If this mask bit is not set, or is set and the value is zero, the stash file is used.

\item[stash_file] Variable: key_stash_file. STASH_FILE. Server. The file name containing the master key stash file. No default; libkdb will work with a NULL value.

\item[mkey_name] Variable: master_key_name. MKEY_NAME. Server. The name of the master principal for the realm. No default; libkdb will work with a NULL value.

\item[enctype] Variable: master_key_type. ENCTYPE. Server. The encryption type of the master principal. The default is DEFAULT_KDC_ENCTYPE.

\item[max_life] Variable: max_life. MAX_LIFE. Server. The default maximum ticket lifetime for new principals. The default is 28800, which is 8 hours.

\item[max_rlife, expiration, flags] Variables: max_renewable_life, default_principal_expiration, default_principal_flags. MAX_RLIFE, EXPIRATION, FLAGS. Server. Default values for new principals. All default to 0.

\item[keysalts, num_keysalts] Variable: supported_enctypes. ENCTYPES. Server. The list of supported encryption type/salt type tuples; both fields must be assigned if ENCTYPES is set.
The default is a list containing one enctype, DES-CBC-CRC with normal salt.
\end{description}

\subsection{Principal keys}
\label{sec:keys}

In KADM5_API_VERSION_1, all principals had a single key. The encryption method was always DES, and the salt type was determined outside the API (by command-line options to the administration server). In KADM5_API_VERSION_2, principals can have multiple keys, each with its own encryption type and salt. Each time a principal's key is changed with kadm5_create_principal, kadm5_chpass_principal or kadm5_randkey_principal, existing key entries are removed and a key entry for each encryption and salt type tuple specified in the configuration parameters is added. There is no provision for specifying encryption and salt type information on a per-principal basis; in a future version, this will probably be part of the admin policy. There is also presently no provision for keeping multiple key versions for a single principal active in the database.

A single key is represented by a krb5_key_data:
%
\begin{verbatim}
typedef struct _krb5_key_data {
    krb5_int16            key_data_ver;         /* Version */
    krb5_int16            key_data_kvno;        /* Key Version */
    krb5_int16            key_data_type[2];     /* Array of types */
    krb5_int16            key_data_length[2];   /* Array of lengths */
    krb5_octet *          key_data_contents[2]; /* Array of pointers */
} krb5_key_data;
\end{verbatim}
%
\begin{description}
\item[key_data_ver] The version number of the structure. Versions 1 and 2 are currently defined. If key_data_ver is 1 then the key is either a random key (not requiring a salt) or the salt is the normal v5 salt which is the same as the realm and therefore doesn't need to be saved in the database.

\item[key_data_kvno] The key version number of this key.

\item[key_data_type] The first element is the enctype of this key. In a version 2 structure, the second element is the salttype of this key. The legal encryption types are defined in $<$krb5.h$>$. The legal salt types are defined in $<$k5-int.h$>$.
\item[key_data_length] The first element is the length of this key. In a version 2 structure, the second element is the length of the salt for this key.

\item[key_data_contents] The first element is the contents of this key. In a version 2 structure, the second element is the contents of the salt for this key.
\end{description}

\subsection{Field masks}
\label{sec:masks}

The API functions for creating, retrieving, and modifying principals and policies allow for a relevant subset of the fields of the kadm5_principal_ent_t and kadm5_policy_ent_t to be specified or changed. The chosen fields are determined by a bitmask that is passed to the relevant function. Each API function has different rules for which mask values can be specified, and can specify whether a given mask value is mandatory, optional, or forbidden. Mandatory fields must be present and forbidden fields must not be present or an error is generated. When creating a principal or policy, optional fields have a default value if they are not specified. When modifying a principal or policy, optional fields are unchanged if they are not specified. When retrieving a principal, optional fields are simply not provided if they are not specified; not specifying unneeded fields for retrieval may improve efficiency. The values for forbidden fields are defined in the function semantics.

The masks for principals are in table \ref{tab:princ-bits} and the masks for policies are in table \ref{tab:policy-bits}. They are defined in $<$kadm5/admin.h$>$. The KADM5_ prefix has been removed from the Name fields. In the Create and Modify fields, M means mandatory, F means forbidden, and O means optional. Create fields that are optional specify the default value. The notation ``K/M value'' means that the field inherits its value from the corresponding field in the Kerberos master principal, for KADM5_API_VERSION_1, and from the configuration parameters for KADM5_API_VERSION_2.
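The create and modify rules of table \ref{tab:princ-bits}, together with the tl_data type restriction of section \ref{sec:principal-structure}, are shown below in C. This is an added example written for this edition, not code from libkadm5srv: the mask bit values are those of the table, but the M_ names, the mask_result codes (standing in for KADM5_BAD_MASK and KADM5_BAD_TL_TYPE), the struct tl_data mirror of krb5_tl_data and the four-element sample list are constructed for the example. It also shows why the spec insists that a modify caller pass the list exactly as kadm5_get_principal returned it: the raw list still carries the reserved (type $<$ 256) elements and is rejected.

```c
#include <stddef.h>
#include <stdint.h>

/* Principal mask bits, with the values of table princ-bits in the spec. */
enum {
    M_PRINCIPAL = 0x000001, M_PRINC_EXPIRE_TIME = 0x000002, M_PW_EXPIRATION = 0x000004,
    M_LAST_PWD_CHANGE = 0x000008, M_ATTRIBUTES = 0x000010, M_MAX_LIFE = 0x000020,
    M_MOD_TIME = 0x000040, M_MOD_NAME = 0x000080, M_KVNO = 0x000100,
    M_MKVNO = 0x000200, M_AUX_ATTRIBUTES = 0x000400, M_POLICY = 0x000800,
    M_POLICY_CLR = 0x001000, M_MAX_RLIFE = 0x002000, M_LAST_SUCCESS = 0x004000,
    M_LAST_FAILED = 0x008000, M_FAIL_AUTH_COUNT = 0x010000, M_KEY_DATA = 0x020000,
    M_TL_DATA = 0x040000, M_ALL_DEFINED = 0x07ffff /* every bit above */
};

/* Bits the table marks F (forbidden) for each operation. */
#define CREATE_FORBIDDEN (M_LAST_PWD_CHANGE | M_MOD_TIME | M_MOD_NAME | M_MKVNO | \
                          M_AUX_ATTRIBUTES | M_POLICY_CLR | M_LAST_SUCCESS | \
                          M_LAST_FAILED | M_FAIL_AUTH_COUNT | M_KEY_DATA)
#define MODIFY_FORBIDDEN (M_PRINCIPAL | M_LAST_PWD_CHANGE | M_MOD_TIME | M_MOD_NAME | \
                          M_MKVNO | M_AUX_ATTRIBUTES | M_LAST_SUCCESS | \
                          M_LAST_FAILED | M_KEY_DATA)

/* Example result codes; the library reports KADM5_BAD_MASK and KADM5_BAD_TL_TYPE. */
enum mask_result { MASK_OK = 0, MASK_BAD, MASK_BAD_TL_TYPE };

/* Same layout as krb5_tl_data in the spec, renamed for this example. */
struct tl_data {
    struct tl_data *tl_data_next;
    int16_t tl_data_type, tl_data_length;
    unsigned char *tl_data_contents;
};

/* create: PRINCIPAL is mandatory; F bits and undefined bits are rejected. */
enum mask_result check_create_mask(uint32_t mask)
{
    if (mask & ~(uint32_t)M_ALL_DEFINED) return MASK_BAD;
    if (!(mask & M_PRINCIPAL)) return MASK_BAD;
    if (mask & CREATE_FORBIDDEN) return MASK_BAD;
    return MASK_OK;
}

/* modify: no mandatory bits; with TL_DATA set, every element type must be >= 256. */
enum mask_result check_modify_mask(uint32_t mask, const struct tl_data *tl)
{
    if (mask & ~(uint32_t)M_ALL_DEFINED) return MASK_BAD;
    if (mask & MODIFY_FORBIDDEN) return MASK_BAD;
    if (mask & M_TL_DATA)
        for (; tl != NULL; tl = tl->tl_data_next)
            if (tl->tl_data_type < 256) return MASK_BAD_TL_TYPE;
    return MASK_OK;
}

/* What get_principal does before returning tl_data: unlink reserved elements
 * (type < 256).  Unlinked nodes are not freed here; the caller owns them. */
struct tl_data *filter_reserved_tl_data(struct tl_data *head, int *n_out)
{
    struct tl_data *out = NULL, **tail = &out;
    int n = 0;
    while (head != NULL) {
        struct tl_data *next = head->tl_data_next;
        if (head->tl_data_type >= 256) {
            head->tl_data_next = NULL;
            *tail = head;
            tail = &head->tl_data_next;
            n++;
        }
        head = next;
    }
    *n_out = n;
    return out;
}

/* Constructed sample list: 1 and 2 stand in for kdb-internal entries such as
 * KRB5_TL_LAST_PWD_CHANGE; 300 and 512 are application-defined types. */
static struct tl_data *sample_list(struct tl_data nodes[4])
{
    static const int16_t types[4] = { 1, 300, 2, 512 };
    for (int i = 0; i < 4; i++) {
        nodes[i].tl_data_type = types[i];
        nodes[i].tl_data_length = 0;
        nodes[i].tl_data_contents = NULL;
        nodes[i].tl_data_next = (i < 3) ? &nodes[i + 1] : NULL;
    }
    return &nodes[0];
}

/* Modify with the raw list (rejected) or after the get-side filter (accepted). */
enum mask_result modify_sample(int filtered)
{
    struct tl_data nodes[4];
    struct tl_data *list = sample_list(nodes);
    int n;
    if (filtered) list = filter_reserved_tl_data(list, &n);
    return check_modify_mask(M_MAX_LIFE | M_TL_DATA, list);
}

int sample_filtered_count(void)
{
    struct tl_data nodes[4];
    int n;
    filter_reserved_tl_data(sample_list(nodes), &n);
    return n;
}
```

Both checks reject any bit outside the defined set before looking at the per-operation rules, so a client built against a newer header than the server cannot smuggle an unknown field through as ``optional''.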
All masks for principals are optional for retrieval, {\it except} that the KEY_DATA mask is illegal when specified by a remote client; for details, see the function semantics for kadm5_get_principal.

Note that the POLICY and POLICY_CLR bits are special. When POLICY is set, the policy is assigned to the principal. When POLICY_CLR is specified, the policy is removed from the principal and as a result no policy controls the principal.

For convenience, the mask KADM5_PRINCIPAL_NORMAL_MASK contains all of the principal masks {\it except} KADM5_KEY_DATA and KADM5_TL_DATA, and the mask KADM5_POLICY_NORMAL_MASK contains all of the policy masks.

\begin{table}[htbp]
\begin{tabular}{@{}lclll}
{\bf Name} & {\bf Value} & {\bf Fields Affected} & {\bf Create} & {\bf Modify} \\
PRINCIPAL & 0x000001 & principal & M & F \\
PRINC_EXPIRE_TIME & 0x000002 & princ_expire_time & O, K/M value & O \\
PW_EXPIRATION & 0x000004 & pw_expiration & O, now+pw_max_life & O \\
LAST_PWD_CHANGE & 0x000008 & last_pwd_change & F & F \\
ATTRIBUTES & 0x000010 & attributes & O, 0 & O \\
MAX_LIFE & 0x000020 & max_life & O, K/M value & O \\
MOD_TIME & 0x000040 & mod_date & F & F \\
MOD_NAME & 0x000080 & mod_name & F & F \\
KVNO & 0x000100 & kvno & O, 1 & O \\
MKVNO & 0x000200 & mkvno & F & F \\
AUX_ATTRIBUTES & 0x000400 & aux_attributes & F & F \\
POLICY & 0x000800 & policy & O, none & O \\
POLICY_CLR & 0x001000 & policy & F & O \\
MAX_RLIFE & 0x002000 & max_renewable_life & O, K/M value & O \\
LAST_SUCCESS & 0x004000 & last_success & F & F \\
LAST_FAILED & 0x008000 & last_failed & F & F \\
FAIL_AUTH_COUNT & 0x010000 & fail_auth_count & F & O \\
KEY_DATA & 0x020000 & n_key_data, key_data & F & F \\
TL_DATA & 0x040000 & n_tl_data, tl_data & O, 0, NULL & O
\end{tabular}
\caption{Mask bits for creating, retrieving, and modifying principals.}
\label{tab:princ-bits}
\end{table}

\begin{table}[htbp]
\begin{tabular}{@{}lclll}
{\bf Name} & {\bf Value} & {\bf Field Affected} & {\bf Create} & {\bf Modify} \\
POLICY & same & policy & M & F \\
PW_MAX_LIFE & 0x004000 & pw_max_life & O, 0 (infinite) & O \\
PW_MIN_LIFE & 0x008000 & pw_min_life & O, 0 & O \\
PW_MIN_LENGTH & 0x010000 & pw_min_length & O, 1 & O \\
PW_MIN_CLASSES & 0x020000 & pw_min_classes & O, 1 & O \\
PW_HISTORY_NUM & 0x040000 & pw_history_num & O, 0 & O \\
REF_COUNT & 0x080000 & policy_refcnt & F & F
\end{tabular}
\caption{Mask bits for creating/modifying policies.}
\label{tab:policy-bits}
\end{table}

\section{Constants, Header Files, Libraries}

$<$kadm5/admin.h$>$ includes a number of required header files, including RPC, Kerberos 5, com_err, and admin com_err defines. It contains prototypes for all kadm5 routines mentioned below, as well as all Admin API data structures, type definitions and defines mentioned in this document.

Before \v{\#include}ing $<$kadm5/admin.h$>$, the programmer can specify the API version number that the program will use by \v{\#define}ing USE_KADM5_API_VERSION; for example, define that symbol to be 1 to use KADM5_API_VERSION_1. This will ensure that the correct functional prototypes and data structures are defined. If no version symbol is defined, the most recent version supported by the header files will be used.

Some of the defines and their values contained in $<$kadm5/admin.h$>$ include the following, whose KADM5_ prefixes have been removed. Symbols that do not exist in KADM5_API_VERSION_2 do not have a KADM5_ prefix, but instead retain only the OVSEC_KADM_ prefix for compatibility.

\begin{description}
\item[admin service principal] ADMIN_SERVICE (``kadmin/admin'')
\item[admin history key] HIST_PRINCIPAL (``kadmin/history'')
\item[change password principal] CHANGEPW_SERVICE (``kadmin/changepw'')
\item[server acl file path] ACLFILE (``/krb5/ovsec_adm.acl''). In KADM5_API_VERSION_2, this is controlled by configuration parameters.
\item[dictionary] WORDFILE (``/krb5/kadmind.dict''). In KADM5_API_VERSION_2, this is controlled by configuration parameters.
\end{description}

KADM5 errors are described in $<$kadm5/kadm_err.h$>$, which is included by $<$kadm5/admin.h$>$.

The locations of the admin policy and principal databases, as well as defines and type definitions for the databases, are defined in $<$kadm5/adb.h$>$. Some of the defines in that file are:

\begin{description}
\item[admin policy database] POLICY_DB (``/krb5/kadm5_policy.db''). In KADM5_API_VERSION_2, this is controlled by configuration parameters.
\item[admin principal database] PRINCIPAL_DB (``/krb5/ovsec_principal.db''). In KADM5_API_VERSION_2, this is controlled by configuration parameters.
\end{description}

Client applications will link against libkadm5clnt.a and server programs against libkadm5srv.a. Client applications must also link against: libgssapi_krb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, libcom_err.a, and libdyn.a. Server applications must also link against: libkdb5.a, libkrb5.a, libcrypto.a, libgssrpc.a, libcom_err.a, and libdyn.a.

\section{Error Codes}

The error codes that can be returned by admin functions are listed below. Error codes indicated with a ``*'' can be returned by every admin function and always have the same meaning; these codes are omitted from the list presented with each function. The admin system guarantees that a function that returns an error code has no other side effect.

The Admin system will use \v{com_err} for error codes. Note that this means \v{com_err} codes may be returned from functions that the admin routines call (e.g. the kerberos library). Callers should not expect that only KADM5 errors will be returned.

The Admin system error code table name will be ``ovk'', and the offsets will be the same as the order presented here. As mentioned above, the error table include file will be $<$kadm5/kadm_err.h$>$. Note that these error codes are also used as protocol error code constants and therefore must not change between product releases. Additional codes should be added at the end of the list, not in the middle.
The integer value of KADM5_FAILURE is 43787520; the remaining values are assigned in sequentially increasing order. \begin{description} \item[* KADM5_FAILURE] Operation failed for unspecified reason \item[* KADM5_AUTH_GET] Operation requires ``get'' privilege \item[* KADM5_AUTH_ADD] Operation requires ``add'' privilege \item[* KADM5_AUTH_MODIFY] Operation requires ``modify'' privilege \item[* KADM5_AUTH_DELETE] Operation requires ``delete'' privilege \item[* KADM5_AUTH_INSUFFICIENT] Insufficient authorization for operation \item[* KADM5_BAD_DB] Database inconsistency detected \item[KADM5_DUP] Principal or policy already exists \item[KADM5_RPC_ERROR] Communication failure with server \item[KADM5_NO_SRV] No administration server found for realm \item[KADM5_BAD_HIST_KEY] Password history principal key version mismatch \item[KADM5_NOT_INIT] Connection to server not initialized \item[KADM5_UNK_PRINC] Principal does not exist \item[KADM5_UNK_POLICY] Policy does not exist \item[KADM5_BAD_MASK] Invalid field mask for operation \item[KADM5_BAD_CLASS] Invalid number of character classes \item[KADM5_BAD_LENGTH] Invalid password length \item[KADM5_BAD_POLICY] Illegal policy name \item[KADM5_BAD_PRINCIPAL] Illegal principal name. 
\item[KADM5_BAD_AUX_ATTR] Invalid auxiliary attributes \item[KADM5_BAD_HISTORY] Invalid password history count \item[KADM5_BAD_MIN_PASS_LIFE] Password minimum life is greater than password maximum life \item[KADM5_PASS_Q_TOOSHORT] Password is too short \item[KADM5_PASS_Q_CLASS] Password does not contain enough character classes \item[KADM5_PASS_Q_DICT] Password is in the password dictionary \item[KADM5_PASS_REUSE] Cannot reuse password \item[KADM5_PASS_TOOSOON] Current password's minimum life has not expired \item[KADM5_POLICY_REF] Policy is in use \item[KADM5_INIT] Connection to server already initialized \item[KADM5_BAD_PASSWORD] Incorrect password \item[KADM5_PROTECT_PRINCIPAL] Cannot change protected principal \item[* KADM5_BAD_SERVER_HANDLE] Programmer error! Bad Admin server handle \item[* KADM5_BAD_STRUCT_VERSION] Programmer error! Bad API structure version \item[* KADM5_OLD_STRUCT_VERSION] API structure version specified by application is no longer supported (to fix, recompile application against current Admin API header files and libraries) \item[* KADM5_NEW_STRUCT_VERSION] API structure version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) \item[* KADM5_BAD_API_VERSION] Programmer error!
Bad API version \item[* KADM5_OLD_LIB_API_VERSION] API version specified by application is no longer supported by libraries (to fix, update application to adhere to current API version and recompile) \item[* KADM5_OLD_SERVER_API_VERSION] API version specified by application is no longer supported by server (to fix, update application to adhere to current API version and recompile) \item[* KADM5_NEW_LIB_API_VERSION] API version specified by application is unknown to libraries (to fix, obtain current Admin API header files and libraries and recompile application) \item[* KADM5_NEW_SERVER_API_VERSION] API version specified by application is unknown to server (to fix, obtain and install newest Admin Server) \item[KADM5_SECURE_PRINC_MISSING] Database error! Required principal missing \item[KADM5_NO_RENAME_SALT] The salt type of the specified principal does not support renaming \item[KADM5_BAD_CLIENT_PARAMS] Illegal configuration parameter for remote KADM5 client \item[KADM5_BAD_SERVER_PARAMS] Illegal configuration parameter for local KADM5 client. \item[KADM5_AUTH_LIST] Operation requires ``list'' privilege \item[KADM5_AUTH_CHANGEPW] Operation requires ``change-password'' privilege \item[KADM5_BAD_TL_TYPE] Programmer error! Illegal tagged data list element type \item[KADM5_MISSING_CONF_PARAMS] Required parameters in kdc.conf missing \item[KADM5_BAD_SERVER_NAME] Bad krb5 admin server hostname \item[KADM5_AUTH_SETKEY] Operation requires ``set-key'' privilege \item[KADM5_SETKEY_DUP_ENCTYPES] Multiple values for single or folded enctype \end{description} \section{Authentication and Authorization} \label{sec:auth} Two Kerberos principals exist for use in communicating with the Admin system: kadmin/admin and kadmin/changepw. Both principals have the KRB5_KDB_DISALLOW_TGT_BASED bit set in their attributes so that service tickets for them can only be acquired via a password-based (AS_REQ) request. 
Additionally, kadmin/changepw has the KRB5_KDB_PWCHANGE_SERVICE bit set so that a principal with an expired password can still obtain a service ticket for it. The Admin system accepts requests that are authenticated to either service principal, but the sets of operations that can be performed by a request authenticated to each service are different. In particular, only the functions chpass_principal, randkey_principal, get_principal, and get_policy can be performed by a request authenticated to the kadmin/changepw service, and they can only be performed when the target principal of the operation is the same as the authenticated client principal; the function semantics descriptions below give the precise details. This means that administrative operations can only be performed when authenticated to the kadmin/admin service. The reason for this distinction is that tickets for kadmin/changepw can be acquired with an expired password, and the KADM system does not want to allow an administrator with an expired password to perform administrative operations on arbitrary principals. Each Admin API operation authenticated to the kadmin/admin service requires a specific authorization to run. This version uses a simple named privilege system with the following names and meanings: \begin{description} \item[Get] Able to examine the attributes (NOT key data) of principals and policies. \item[Add] Able to add principals and policies. \item[Modify] Able to modify attributes of existing principals and policies; this does not include changing passwords. \item[Delete] Able to remove principals and policies. \item[List] Able to retrieve a list of principals and policies. \item[Changepw] Able to change the password of principals. \item[Setkey] Able to set principal keys directly. \end{description} Privileges are specified via an external configuration file on the Kerberos master server. Table \ref{tab:func-overview} summarizes the authorization requirements of each function. 
Additionally, each API function description identifies the privilege required to perform it. The authorization checks only happen if you are using the RPC mechanism. If you are using the server-side API functions locally on the admin server, the only authorization check is whether you can access the appropriate local files. \section{Functions} \subsection{Overview} The functions provided by the Admin API, and the authorization they require, are listed in Table \ref{tab:func-overview}. The ``kadm5_'' prefix has been removed from each function name. The function semantics in the following sections omit details that are the same for every function. \begin{itemize} \item The effects of every function are atomic. \item Every function performs an authorization check and returns the appropriate KADM5_AUTH_* error code if the caller does not have the required privilege. No other information or error code is ever returned to an unauthorized user. \item Every function checks its arguments for NULL pointers or other obviously invalid values, and returns EINVAL if any are detected. \item Any function that performs a policy check uses the policy named in the principal's policy field. If the POLICY bit is not set in the principal's aux_attributes field, however, the principal has no policy, so the policy check is not performed. \item Unless otherwise specified, all functions return KADM5_OK. \end{itemize} \begin{table}[htbp] \caption{Summary of functions and required authorization.} \label{tab:func-overview} \begin{tabular}{@{}llp{3.24in}} \\ {\bf Function Name} & {\bf Authorization} & {\bf Operation} \\ init & none & Open a connection with the kadm5 library. OBSOLETE but still provided---use init_with_password instead. \\ init_with_password & none & Open a connection with the kadm5 library using a password to obtain initial credentials. \\ init_with_skey & none & Open a connection with the kadm5 library using the keytab entry to obtain initial credentials.
\\ destroy & none & Close the connection with the kadm5 library. \\ flush & none & Flush all database changes to disk; no-op when called remotely. \\ create_principal & add & Create a new principal. \\ delete_principal & delete & Delete a principal. \\ modify_principal & modify & Modify the attributes of an existing principal (not password). \\ rename_principal & add and delete & Rename a principal. \\ get_principal & get\footnotemark & Retrieve a principal. \\ get_principals & list & Retrieve some or all principal names. \\ chpass_principal & changepw\footnotemark[\thefootnote] & Change a principal's password. \\ chpass_principal_util & changepw\footnotemark[\thefootnote] & Utility wrapper around chpass_principal. \\ randkey_principal & changepw\footnotemark[\thefootnote] & Randomize a principal's key. \\ setkey_principal & setkey & Explicitly set a principal's keys. \\ decrypt_key & none & Decrypt a principal key. \\ create_policy & add & Create a new policy. \\ delete_policy & delete & Delete a policy. \\ modify_policy & modify & Modify the attributes of a policy. \\ get_policy & get & Retrieve a policy. \\ get_policies & list & Retrieve some or all policy names. \\ free_principal_ent & none & Free the memory associated with a kadm5_principal_ent_t. \\ free_policy_ent & none & Free the memory associated with a kadm5_policy_ent_t. \\ get_privs & none & Return the caller's admin server privileges.
\end{tabular} \end{table} \footnotetext[\thefootnote]{These functions also allow a principal to perform the operation on itself; see the function's semantics for details.} \subsection{kadm5_init_*} In KADM5_API_VERSION 1: \begin{verbatim} kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init(char *client_name, char *pass, char *service_name, char *realm, unsigned long struct_version, unsigned long api_version, void **server_handle) \end{verbatim} In KADM5_API_VERSION 2: \begin{verbatim} kadm5_ret_t kadm5_init_with_password(char *client_name, char *pass, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_skey(char *client_name, char *keytab, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init(char *client_name, char *pass, char *service_name, kadm5_config_params *realm_params, unsigned long struct_version, unsigned long api_version, void **server_handle) kadm5_ret_t kadm5_init_with_creds(char *client_name, krb5_ccache ccache, char *service_name, kadm5_config_params *params, krb5_ui_4 struct_version, krb5_ui_4 api_version, void **server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none NOTE: kadm5_init is an obsolete function provided for backwards compatibility. It is identical to kadm5_init_with_password. These three functions open a connection to the kadm5 library and initialize any necessary state information. They behave differently when called from local and remote clients. 
In KADM5_API_VERSION_2, these functions take a kadm5_config_params structure instead of a realm name as an argument. The semantics are similar: if a NULL pointer is passed for the realm_params argument, the default realm and default parameters for that realm, as specified in the krb5 configuration file (e.g. /etc/krb5.conf), are used. If a realm_params structure is provided, the fields that are set override the default values. If a parameter is specified to the local or remote libraries that does not apply to that side, an error code (KADM5_BAD_CLIENT_PARAMS or KADM5_BAD_SERVER_PARAMS) is returned. See section \ref{sec:configparams} for a discussion of configuration parameters. For remote clients, the semantics are: \begin{enumerate} \item Initializes all the com_err error tables used by the Admin system. \item Acquires configuration parameters. In KADM5_API_VERSION_1, all the defaults specified in the configuration file are used, according to the realm. In KADM5_API_VERSION_2, the values in params_in are merged with the default values. If an illegal mask value is specified, KADM5_BAD_CLIENT_PARAMS is returned. \item Acquires a Kerberos ticket for the specified service. \begin{enumerate} \item The ticket's client is client_name, which can be any valid Kerberos principal. If client_name does not include a realm, the default realm of the local host is used. \item The ticket's service is service_name@realm. service_name must be one of the constants KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE. \item If realm is NULL, client_name's realm is used. \item For init_with_password, an initial ticket is acquired and decoded with the password pass, which must be client_name's password. If pass is NULL or an empty string, the user is prompted (via the tty) for a password. \item For init_with_skey, an initial ticket is acquired and decoded with client_name's key obtained from the specified keytab. If keytab is NULL or an empty string, the default keytab is used.
\item For init_with_creds, ccache must be an open credential cache that already has a ticket for the specified client and server. Alternatively, if a site chooses to disable the DISALLOW_TGT_BASED flag on the admin and changepw principals, the ccache can contain a ticket-granting ticket for client_name. \end{enumerate} \item Creates a GSS-API authenticated connection to the Admin server, using the just-acquired Kerberos ticket. \item Verifies that the struct_version and api_version specified by the caller are valid and known to the library. \item Sends the specified api_version to the server. \item Upon successful completion, fills in server_handle with a handle for this connection, to be used in all subsequent API calls. \end{enumerate} The caller should always specify KADM5_STRUCT_VERSION for the struct_version argument, a valid and supported API version constant for the api_version argument (currently, KADM5_API_VERSION_1 or KADM5_API_VERSION_2), and a valid pointer in which the server handle will be stored. If any kadm5_init_* is invoked locally, its semantics are: \begin{enumerate} \item Initializes all the com_err error tables used by the Admin system. \item Acquires configuration parameters. In KADM5_API_VERSION_1, all the defaults specified in the configuration file are used, according to the realm. In KADM5_API_VERSION_2, the values in params_in are merged with the default values. If an illegal mask value is specified, KADM5_BAD_SERVER_PARAMS is returned. \item Initializes direct access to the KDC database. In KADM5_API_VERSION_1, if pass (or keytab) is NULL or an empty string, reads the master password from the stash file; otherwise, the non-NULL password is ignored and the user is prompted for it via the tty. In KADM5_API_VERSION_2, if the MKEY_FROM_KEYBOARD parameter mask is set and the value is non-zero, reads the master password from the user via the tty; otherwise, the master key is read from the stash file.
Calling init_with_skey or init_with_creds with the MKEY_FROM_KEYBOARD mask set with a non-zero field is illegal, and calling them without the mask set is exactly like calling init_with_password. \item Initializes the dictionary (if present) for dictionary checks. \item Parses client_name as a Kerberos principal. client_name should usually be specified as the name of the program. \item Verifies that the struct_version and api_version specified by the caller are valid. \item Fills in server_handle with a handle containing all state information (version numbers and client name) for this ``connection.'' \end{enumerate} The service_name argument is not used. RETURN CODES: \begin{description} \item[KADM5_NO_SRV] No Admin server can be found for the specified realm. \item[KADM5_RPC_ERROR] The RPC connection to the server cannot be initiated. \item[KADM5_BAD_PASSWORD] Incorrect password. \item[KADM5_SECURE_PRINC_MISSING] The principal KADM5_ADMIN_SERVICE or KADM5_CHANGEPW_SERVICE does not exist. This is a special-case replacement return code for ``Server not found in database'' for these required principals. \item[KADM5_BAD_CLIENT_PARAMS] A field in the parameters mask was specified to the remote client library that is not legal for remote clients. \item[KADM5_BAD_SERVER_PARAMS] A field in the parameters mask was specified to the local client library that is not legal for local clients. \end{description} \subsection{kadm5_flush} \begin{verbatim} kadm5_ret_t kadm5_flush(void *server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none Flush all changes to the Kerberos databases, leaving the connection to the Admin API open. This function behaves differently when called by local and remote clients. For local clients, the function closes and reopens the Kerberos database with krb5_db_fini() and krb5_db_init(). Although it is unlikely, either of these functions could return errors; in that case, this function calls kadm5_destroy and returns the error code. 
Therefore, if kadm5_flush does not return KADM5_OK, the connection to the Admin server has been terminated and, in principle, the databases might be corrupt. For remote clients, the function is a no-op. \subsection{kadm5_destroy} \begin{verbatim} kadm5_ret_t kadm5_destroy(void *server_handle) \end{verbatim} AUTHORIZATION REQUIRED: none Close the connection to the Admin server and release all related resources. This function behaves differently when called by local and remote clients. For remote clients, the semantics are: \begin{enumerate} \item Destroy the temporary credential cache created by kadm5_init. \item Tear down the GSS-API context negotiated with the server. \item Close the RPC connection. \item Free storage space associated with server_handle, after erasing its magic number so it won't be mistaken for a valid handle by the library later. \end{enumerate} For local clients, this function just frees the storage space associated with server_handle after erasing its magic number. RETURN CODES: \subsection{kadm5_create_principal} \begin{verbatim} kadm5_ret_t kadm5_create_principal(void *server_handle, kadm5_principal_ent_t princ, u_int32 mask, char *pw); \end{verbatim} AUTHORIZATION REQUIRED: add \begin{enumerate} \item Return KADM5_BAD_MASK if the mask is invalid. \item If the named principal exists, return KADM5_DUP. \item If the POLICY bit is set and the named policy does not exist, return KADM5_UNK_POLICY. \item If the KADM5_POLICY bit is set in aux_attributes, check whether the password meets the quality standards, and return the appropriate KADM5_PASS_Q_* error code if it does not. \item Store the principal, set the key; see section \ref{sec:keys}. \item If the POLICY bit is set, increment the named policy's reference count by one. \item Set the pw_expiration field. \begin{enumerate} \item If the POLICY bit is set in mask, then if pw_max_life is non-zero, set pw_expiration to now + pw_max_life, otherwise set pw_expiration to never.
\item If the PW_EXPIRATION bit is set in mask, set pw_expiration to the requested value, overriding the value set above. \end{enumerate} NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly. \item Set mod_date to now and set mod_name to caller. \item Set last_pwd_change to now. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_BAD_MASK] The field mask is invalid for a create operation. \item[KADM5_DUP] Principal already exists. \item[KADM5_UNK_POLICY] Policy named in entry does not exist. \item[KADM5_PASS_Q_*] Specified password does not meet policy standards. \end{description} \subsection{kadm5_delete_principal} \begin{verbatim} kadm5_ret_t kadm5_delete_principal(void *server_handle, krb5_principal princ); \end{verbatim} AUTHORIZATION REQUIRED: delete \begin{enumerate} \item Return KADM5_UNK_PRINC if the principal does not exist. \item If the POLICY bit is set in aux_attributes, decrement the named policy's reference count by one. \item Delete principal. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \end{description} \subsection{kadm5_modify_principal} \begin{verbatim} kadm5_ret_t kadm5_modify_principal(void *server_handle, kadm5_principal_ent_t princ, u_int32 mask); \end{verbatim} Modify the attributes of the principal named in kadm5_principal_ent_t. This does not allow the principal to be renamed or for its password to be changed. AUTHORIZATION REQUIRED: modify Although a principal's pw_expiration is usually computed based on its policy and the time at which it changes its password, this function also allows it to be specified explicitly. 
This allows an administrator, for example, to create a principal and assign it to a policy with a pw_max_life of one month, but to declare that the new principal must change its password away from its initial value sometime within the first week. \begin{enumerate} \item Return KADM5_UNK_PRINC if the principal does not exist. \item Return KADM5_BAD_MASK if the mask is invalid. \item If the POLICY bit is set but the new policy does not exist, return KADM5_UNK_POLICY. \item If either the POLICY or POLICY_CLR bits are set, update the corresponding bits in aux_attributes. \item Update policy reference counts. \begin{enumerate} \item If the POLICY bit is set, then increment policy count on new policy. \item If the POLICY or POLICY_CLR bit is set, and the POLICY bit in aux_attributes is set, decrement policy count on old policy. \end{enumerate} \item Set pw_expiration appropriately. pw_expiration can change if: the POLICY bit is set in mask, so the principal is changing to a policy (either from another policy or no policy); the POLICY_CLR bit is set in mask, so the principal is changing to no policy; or PW_EXPIRATION is set. \begin{enumerate} \item If the POLICY bit is set in mask, set pw_expiration to last_pwd_change + pw_max_life if pw_max_life is non-zero, otherwise set pw_expiration to never. \item If the POLICY_CLR bit is set in mask, set pw_expiration to never. \item If PW_EXPIRATION is set, set pw_expiration to the requested value, overriding the value from the previous two cases. NOTE: This is a change from the original semantics, in which policy expiration was enforced even on administrators. The old semantics are not preserved, even for version 1 callers, because this is a server-specific policy decision; besides, the new semantics are less restrictive, so all previous callers should continue to function properly.
\end{enumerate}
% Here is the previous, and confusing, text of pw_expiration semantics:
%\begin{enumerate}
%\item If the POLICY bit is not set in aux_attributes, then
%\begin{enumerate}
%\item if the PW_EXPIRATION bit is set, set pw_expiration to the given
%value, else
%\item set pw_expiration to never.
%\end{enumerate}
%\item Otherwise, if the PW_EXPIRATION bit is set, set pw_expiration to
%the sooner of the given value and last_pwd_change + pw_max_life.
%\item Otherwise, set pw_expiration to last_pwd_change + pw_max_life.
%\end{enumerate}
\item Update the remaining fields specified in the mask. \item Update mod_name field to caller and mod_date to now. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Entry does not exist. \item[KADM5_BAD_MASK] The mask is not valid for a modify operation. \item[KADM5_UNK_POLICY] The POLICY bit is set but the new policy does not exist. \item[KADM5_BAD_TL_TYPE] The KADM5_TL_DATA bit is set in mask, and the given tl_data list contains an element whose type is less than 256. \end{description} \subsection{kadm5_rename_principal} \begin{verbatim} kadm5_ret_t kadm5_rename_principal(void *server_handle, krb5_principal source, krb5_principal target); \end{verbatim} AUTHORIZATION REQUIRED: add and delete \begin{enumerate} \item Check whether the source principal exists; if not, return the KADM5_UNK_PRINC error. \item Check whether the target principal exists; if so, return the KADM5_DUP error. \item Create the new principal named target, then delete the old principal named source. All of target's fields will be the same as source's fields, except that mod_name and mod_date will be updated to reflect the current caller and time. \end{enumerate} Note that since the principal name may have been used as the salt for the principal's key, renaming the principal may render the principal's current password useless; with the new salt, the key generated by string-to-key on the password will suddenly be different.
Therefore, an application that renames a principal must also require the user to specify a new password for the principal (and administrators should notify the affected party). Note also that, by the same argument, renaming a principal will invalidate that principal's password history information; since the salt will be different, a user will be able to select a previous password without error. RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Source principal does not exist. \item[KADM5_DUP] Target principal already exists. \end{description} \subsection{kadm5_chpass_principal} \begin{verbatim} kadm5_ret_t kadm5_chpass_principal(void *server_handle, krb5_principal princ, char *pw); \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. Change a principal's password. See section \ref{sec:keys} for a description of how the keys are determined. This function enforces password policy and dictionary checks. If the new password specified is in the password dictionary and the policy bit is set, KADM5_PASS_Q_DICT is returned. If the principal's POLICY bit is set in aux_attributes, compliance with each of the named policy fields is verified and an appropriate error code is returned if verification fails. Note that the policy checks are only performed if the POLICY bit is set in the principal's aux_attributes field. \begin{enumerate} \item Make sure the principal exists; if not, return the KADM5_UNK_PRINC error. \item If the caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return KADM5_PASS_TOOSOON. \item If the principal you are trying to change is kadmin/history, return KADM5_PROTECT_PRINCIPAL. \item If the password does not meet the quality standards, return the appropriate KADM5_PASS_Q_* error code.
\item Convert password to key; see section \ref{sec:keys}. \item If the new key is in the principal's password history, return KADM5_PASS_REUSE. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit is set, set pw_expiration to now + max_pw_life. If the POLICY bit is not set, set pw_expiration to never. \item If the KRB5_KDB_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_Q_*] Requested password does not meet quality standards. \item[KADM5_PASS_REUSE] Requested password is in user's password history. \item[KADM5_PASS_TOOSOON] Current password has not reached minimum life \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} \subsection{kadm5_chpass_principal_util} \begin{verbatim} kadm5_ret_t kadm5_chpass_principal_util(void *server_handle, krb5_principal princ, char *new_pw, char **pw_ret, char *msg_ret); \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. This function is a wrapper around kadm5_chpass_principal. It can read a new password from a user, change a principal's password, and return detailed error messages. msg_ret should point to a char buffer in the caller's space of sufficient length for the error messages described below. 1024 bytes is recommended. It will also return the new password to the caller if pw_ret is non-NULL. 
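The policy checks of kadm5_chpass_principal above (steps 2 through 7 and the closing field updates), modelled in stand-alone C as an added example; this is not krb5 project code. The KADM5 error values follow the Error Codes section, while the struct layouts, the flag bit values, the sample policy and principal, and the three-word dictionary are constructed stand-ins, and the character classes are the ones the chpass_principal_util messages define.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
/* KADM5 error values: base 43787520, then sequential in Error Codes section order. */
#define KADM5_OK                0L
#define KADM5_FAILURE           43787520L
#define KADM5_PASS_Q_TOOSHORT   (KADM5_FAILURE + 22)
#define KADM5_PASS_Q_CLASS      (KADM5_FAILURE + 23)
#define KADM5_PASS_Q_DICT       (KADM5_FAILURE + 24)
#define KADM5_PASS_REUSE        (KADM5_FAILURE + 25)
#define KADM5_PASS_TOOSOON      (KADM5_FAILURE + 26)
#define KADM5_PROTECT_PRINCIPAL (KADM5_FAILURE + 30)
/* Constructed stand-ins for the flag values defined in kadm5/admin.h and kdb.h. */
#define KADM5_POLICY               0x1u  /* POLICY bit of aux_attributes */
#define KRB5_KDB_REQUIRES_PWCHANGE 0x2u
#define HISTORY_MAX 8
#define PW_MAX 64
#define SAMPLE_NOW ((time_t)1100000000)  /* constructed fixed clock for the sample */
struct policy { long pw_min_life, pw_max_life; int pw_min_length, pw_min_classes; };
/* Simplified entry: passwords stand in for the string-to-key derived keys. */
struct principal {
    const char *name;
    unsigned aux_attributes, attributes;
    time_t last_pwd_change, pw_expiration;   /* pw_expiration 0 means "never" */
    int kvno, n_history;
    char current[PW_MAX], history[HISTORY_MAX][PW_MAX];
};
/* Classes per the chpass_principal_util messages: lower, upper, digit, punctuation, other. */
int count_classes(const char *pw)
{
    bool seen[5] = {false, false, false, false, false};
    int n = 0;
    for (; *pw != '\0'; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (islower(c))      seen[0] = true;
        else if (isupper(c)) seen[1] = true;
        else if (isdigit(c)) seen[2] = true;
        else if (ispunct(c)) seen[3] = true;
        else                 seen[4] = true;
    }
    for (int i = 0; i < 5; i++) n += seen[i] ? 1 : 0;
    return n;
}
/* Constructed three-entry dictionary standing in for the site's word list. */
bool sample_dictionary(const char *pw)
{
    static const char *words[] = {"Password1!", "Welcome1!", "Kerberos1!"};
    for (size_t i = 0; i < sizeof(words) / sizeof(words[0]); i++)
        if (strcmp(words[i], pw) == 0) return true;
    return false;
}
/* Steps 2 to 12 of kadm5_chpass_principal; step 1 (existence) is left to the caller. */
long model_chpass_principal(struct principal *p, const struct policy *pol,
                            const char *new_pw, bool caller_has_modify,
                            bool (*in_dictionary)(const char *), time_t now)
{
    bool has_policy = (p->aux_attributes & KADM5_POLICY) != 0;
    /* Step 2: minimum life, unless the caller may modify or a change is required. */
    if (has_policy && !caller_has_modify && !(p->attributes & KRB5_KDB_REQUIRES_PWCHANGE) &&
        (long)(now - p->last_pwd_change) < pol->pw_min_life)
        return KADM5_PASS_TOOSOON;
    /* Step 3: kadmin/history is protected. */
    if (strncmp(p->name, "kadmin/history", strlen("kadmin/history")) == 0)
        return KADM5_PROTECT_PRINCIPAL;
    /* Step 4: quality checks apply only when the POLICY bit is set. */
    if (has_policy) {
        if ((int)strlen(new_pw) < pol->pw_min_length) return KADM5_PASS_Q_TOOSHORT;
        if (count_classes(new_pw) < pol->pw_min_classes) return KADM5_PASS_Q_CLASS;
        if (in_dictionary != NULL && in_dictionary(new_pw)) return KADM5_PASS_Q_DICT;
    }
    /* Step 6: reuse check against the stored history. */
    for (int i = 0; i < p->n_history; i++)
        if (strcmp(p->history[i], new_pw) == 0) return KADM5_PASS_REUSE;
    /* Step 7: push the old key onto the history, dropping the oldest when full. */
    if (p->n_history == HISTORY_MAX) {
        memmove(p->history[0], p->history[1], sizeof(p->history) - PW_MAX);
        p->n_history--;
    }
    snprintf(p->history[p->n_history++], PW_MAX, "%s", p->current);
    /* Steps 8 to 12: install the new key, bump kvno, set expiration, clear the flag. */
    snprintf(p->current, PW_MAX, "%s", new_pw);
    p->kvno++;
    p->pw_expiration = has_policy ? now + pol->pw_max_life : 0;
    p->attributes &= ~KRB5_KDB_REQUIRES_PWCHANGE;
    p->last_pwd_change = now;
    return KADM5_OK;
}
/* Constructed sample: 1-day min life, 30-day max life, 8 characters, 3 classes,
 * and a principal under that policy whose password changed an hour ago. */
const struct policy sample_policy = {86400L, 30L * 86400L, 8, 3};
struct principal sample_principal(void)
{
    struct principal p = {.name = "alice@EXAMPLE.COM", .aux_attributes = KADM5_POLICY,
                          .last_pwd_change = SAMPLE_NOW - 3600, .kvno = 1};
    snprintf(p.current, PW_MAX, "%s", "OldPass1!");
    return p;
}
```

Run against the sample, a non-administrator changing an hour-old password gets KADM5_PASS_TOOSOON before any quality check, while the same request with KRB5_KDB_REQUIRES_PWCHANGE set goes through and leaves the old key in the history.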
\begin{enumerate} \item If new_pw is NULL, this routine will prompt the user for the new password (using the strings specified by KADM5_PW_FIRST_PROMPT and KADM5_PW_SECOND_PROMPT) and read (without echoing) the password input. Since it is likely that this will simply call krb5_read_password, only terminal-based applications will make use of the password reading functionality. If the passwords don't match, the string ``New passwords do not match - password not changed.'' will be copied into msg_ret, and the error code KRB5_LIBOS_BADPWDMATCH will be returned. For other errors that occur while reading the new password, copy the string ``$<$com_err message$>$ occurred while trying to read new password.'' followed by a blank line and the string specified by CHPASS_UTIL_PASSWORD_NOT_CHANGED into msg_ret and return the error code returned by krb5_read_password. \item If pw_ret is non-NULL, and the password was prompted, set *pw_ret to point to a static buffer containing the password. If pw_ret is non-NULL and the password was supplied, set *pw_ret to the supplied password. \item Call kadm5_chpass_principal with princ and new_pw. \item If successful, copy the string specified by CHPASS_UTIL_PASSWORD_CHANGED into msg_ret and return zero. \item For a policy related failure, copy the appropriate message (from below) followed by a newline and ``Password not changed.'' into msg_ret, filling in the parameters from the principal's policy information. If the policy information cannot be obtained, copy the generic message if one is specified below. Return the error code from kadm5_chpass_principal. Detailed messages: \begin{description} \item[PASS_Q_TOO_SHORT] New password is too short. Please choose a password which is more than $<$pw-min-len$>$ characters. \item[PASS_Q_TOO_SHORT - generic] New password is too short. Please choose a longer password. \item[PASS_REUSE] New password was used previously. Please choose a different password.
\item[PASS_Q_CLASS] New password does not have enough character classes. Classes include lower case letters, upper case letters, digits, punctuation and all other characters. Please choose a password with at least $<$min-classes$>$ character classes. \item[PASS_Q_CLASS - generic] New password does not have enough character classes. Classes include lower case letters, upper case letters, digits, punctuation and all other characters. \item[PASS_Q_DICT] New password was found in a dictionary of possible passwords and therefore may be easily guessed. Please choose another password. See the kpasswd man page for help in choosing a good password. \item[PASS_TOOSOON] Password cannot be changed because it was changed too recently. Please wait until $<$last-pw-change+pw-min-life$>$ before you change it. If you need to change your password before then, contact your system security administrator. \item[PASS_TOOSOON - generic] Password cannot be changed because it was changed too recently. If you need to change your password now, please contact your system security administrator. \end{description} \item For other errors, copy the string ``$<$com_err message$>$ occurred while trying to change password.'' followed by a blank line and ``Password not changed.'' into msg_ret. Return the error code returned by kadm5_chpass_principal. \end{enumerate} RETURN CODES: \begin{description} \item[KRB5_LIBOS_BADPWDMATCH] Typed new passwords did not match. \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_Q_*] Requested password does not meet quality standards. \item[KADM5_PASS_REUSE] Requested password is in user's password history. \item[KADM5_PASS_TOOSOON] Current password has not reached minimum life.
\end{description} \subsection{kadm5_randkey_principal} In KADM5_API_VERSION_1: \begin{verbatim} kadm5_ret_t kadm5_randkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock **new_key) \end{verbatim} In KADM5_API_VERSION_2: \begin{verbatim} kadm5_ret_t kadm5_randkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock **new_keys, int *n_keys) \end{verbatim} AUTHORIZATION REQUIRED: changepw, or the calling principal being the same as the princ argument. If the request is authenticated to the kadmin/changepw service, the changepw privilege is disregarded. Generate and assign a new random key to the named principal, and return the generated key in allocated storage. In KADM5_API_VERSION_2, multiple keys may be generated and returned as an array, and n_keys is filled in with the number of keys generated. See section \ref{sec:keys} for a description of how the keys are chosen. In KADM5_API_VERSION_1, the caller must free the returned krb5_keyblock * with krb5_free_keyblock. In KADM5_API_VERSION_2, the caller must free each returned keyblock with krb5_free_keyblock. If the principal's POLICY bit is set in aux_attributes and the caller does not have modify privilege, compliance with the password minimum life specified by the policy is verified and an appropriate error code is returned if verification fails. \begin{enumerate} \item If the principal does not exist, return KADM5_UNK_PRINC. \item If the caller does not have modify privilege, (now - last_pwd_change) $<$ pw_min_life, and the KRB5_KDB_REQUIRES_PWCHANGE bit is not set in the principal's attributes, return KADM5_PASS_TOOSOON. \item If the principal you are trying to change is kadmin/history, return KADM5_PROTECT_PRINCIPAL. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit in aux_attributes is set, set pw_expiration to now + max_pw_life.
\item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PASS_TOOSOON] The minimum lifetime for the current key has not expired. \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} This function can also be used as part of a sequence to create a new principal with a random key. The steps to perform the operation securely are \begin{enumerate} \item Create the principal with kadm5_create_principal with a random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set in the attributes field. \item Randomize the principal's key with kadm5_randkey_principal. \item Call kadm5_modify_principal to reset the KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. \end{enumerate} The three steps are necessary to ensure secure creation. Since an attacker might be able to guess the initial password assigned by the client program, the principal must be disabled until the key can be truly randomized. \subsection{kadm5_setkey_principal} \begin{verbatim} kadm5_ret_t kadm5_setkey_principal(void *server_handle, krb5_principal princ, krb5_keyblock *new_keys, int n_keys) \end{verbatim} AUTHORIZATION REQUIRED: setkey. This function does not allow the use of regular changepw authorization because it bypasses the password policy mechanism. This function only exists in KADM5_API_VERSION_2. Explicitly sets the specified principal's keys to the n_keys keys in the new_keys array. The keys in new_keys should not be encrypted in the Kerberos master key; this function will perform that operation itself (the keys will be protected during transmission from the calling client to the kadmind server by the AUTH_GSSAPI RPC layer). This function completely bypasses the principal's password policy, if set. 
\begin{enumerate} \item If the principal does not exist, return KADM5_UNK_PRINC. \item If the principal you are trying to change is kadmin/history return KADM5_PROTECT_PRINCIPAL. \item If new_keys contains more than one key of any ENCTYPE_DES_CBC_* type that is folded, return KADM5_SETKEY_DUP_ENCTYPES. \item Store old key in history. \item Update principal to have new key. \item Increment principal's key version number by one. \item If the POLICY bit in aux_attributes is set, set pw_expiration to now + max_pw_life. \item If the KRB5_KDC_REQUIRES_PWCHANGE bit is set in the principal's attributes, clear it. \item Update last_pwd_change and mod_date to now, update mod_name to caller. \end{enumerate} RETURN CODES: \begin{description} \item[KADM5_UNK_PRINC] Principal does not exist. \item[KADM5_PROTECT_PRINCIPAL] Cannot change the password of a special principal \end{description} This function can also be used as part of a sequence to create a new principal with an explicitly key. The steps to perform the operation securely are \begin{enumerate} \item Create the principal with kadm5_create_principal with a random password string and with the KRB5_KDB_DISALLOW_ALL_TIX bit set in the attributes field. \item Set the principal's key with kadm5_setkey_principal. \item Call kadm5_modify_principal to reset the KRB5_KDB_DISALLOW_ALL_TIX bit in the attributes field. \end{enumerate} The three steps are necessary to ensure secure creation. Since an attacker might be able to guess the initial password assigned by the client program, the principal must be disabled until the key can be truly randomized. 
\subsection{kadm5_get_principal}

In KADM5_API_VERSION_1:

\begin{verbatim}
kadm5_ret_t kadm5_get_principal(void *server_handle,
                                krb5_principal princ,
                                kadm5_principal_ent_t *ent);
\end{verbatim}

In KADM5_API_VERSION_2:

\begin{verbatim}
kadm5_ret_t kadm5_get_principal(void *server_handle,
                                krb5_principal princ,
                                kadm5_principal_ent_t ent,
                                u_int32 mask);
\end{verbatim}

AUTHORIZATION REQUIRED: get, or the calling principal being the same
as the princ argument.  If the request is authenticated to the
kadmin/changepw service, the get privilege is disregarded.

In KADM5_API_VERSION_1, return all of the principal's attributes in
allocated memory; if an error is returned, entry is set to NULL.  In
KADM5_API_VERSION_2, fill in the fields of the principal structure
specified in the mask; memory for the structure is not allocated.
Typically, a caller will specify the mask KADM5_PRINCIPAL_NORMAL_MASK,
which includes all the fields {\it except} key_data and tl_data, to
improve time and memory efficiency.  A caller that wants key_data and
tl_data can bitwise-OR those masks onto NORMAL_MASK.  Note that even
if KADM5_TL_DATA is specified, this function will not return internal
tl_data elements whose type is less than 256.

The caller must free the returned entry with kadm5_free_principal_ent.

The function behaves differently for local and remote clients.  For
remote clients, the KEY_DATA mask is illegal and results in a
KADM5_BAD_MASK error.

RETURN CODES:

\begin{description}
\item[KADM5_UNK_PRINC] Principal does not exist.
\item[KADM5_BAD_MASK] The mask is not valid for a get operation.
\end{description}

\subsection{kadm5_decrypt_key}

\begin{verbatim}
kadm5_ret_t kadm5_decrypt_key(void *server_handle,
                              kadm5_principal_ent_t entry,
                              krb5_int32 ktype, krb5_int32 stype,
                              krb5_int32 kvno, krb5_keyblock *keyblock,
                              krb5_keysalt *keysalt, int *kvnop)
\end{verbatim}

AUTHORIZATION REQUIRED: none, local function

Searches a principal's key_data array to find a key with the specified
enctype, salt type, and kvno, and decrypts the key into keyblock and
keysalt if found.  entry must have been returned by
kadm5_get_principal with at least the KADM5_KEY_DATA mask set.
Returns ENOENT if the key cannot be found, EINVAL if the key_data
array is empty (as it always is in an RPC client).

If ktype or stype is -1, it is ignored for the search.  If kvno is -1,
ktype and stype are ignored and the key with the max kvno is returned.
If kvno is 0, only the key with the max kvno is returned, and only if
it matches the ktype and stype; otherwise, ENOENT is returned.

\subsection{kadm5_get_principals}

\begin{verbatim}
kadm5_ret_t kadm5_get_principals(void *server_handle, char *exp,
                                 char ***princs, int *count)
\end{verbatim}

Retrieves the list of principal names.

AUTHORIZATION REQUIRED: list

If \v{exp} is NULL, all principal names are retrieved; otherwise,
principal names that match the expression exp are retrieved.
\v{princs} is filled in with a pointer to a NULL-terminated array of
strings, and \v{count} is filled in with the number of principal names
in the array.  \v{princs} must be freed with a call to
\v{kadm5_free_name_list}.

All characters in the expression match themselves except ``?'' which
matches any single character, ``*'' which matches any number of
consecutive characters, and ``[chars]'' which matches any single
character of ``chars''.  Any character which follows a
``$\backslash$'' matches itself exactly, and a ``$\backslash$'' cannot
be the last character in the string.
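The expression syntax just described, which kadm5_get_policies uses as well, worked through as an added example (not code from the krb5 sources): the expression is translated into an anchored regular expression and run over a constructed list of principal names. That an expression must match the whole name string, and that an unterminated ``[`` is taken literally, are assumptions of this example.

```python
import re
from typing import List, Optional

# Constructed sample names, not taken from any real KDC.
SAMPLE_PRINCIPALS = [
    "alice@EXAMPLE.COM",
    "alice/admin@EXAMPLE.COM",
    "host/kdc1.example.com@EXAMPLE.COM",
    "host/kdc2.example.com@EXAMPLE.COM",
    "kadmin/history@EXAMPLE.COM",
    "weird\\/name@EXAMPLE.COM",       # contains a literal backslash
]


def kadm5_glob_to_regex(exp: str) -> "re.Pattern[str]":
    """Translate a kadm5_get_principals/kadm5_get_policies expression
    into a compiled regular expression.

    Rules from the spec: every character matches itself except '?'
    (any single character), '*' (any run of characters) and '[chars]'
    (one character from the set).  A character following a backslash
    matches itself exactly, and a trailing backslash is an error.
    """
    out: List[str] = []
    i, n = 0, len(exp)
    while i < n:
        c = exp[i]
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("backslash cannot be the last character")
            out.append(re.escape(exp[i + 1]))
            i += 2
        elif c == "?":
            out.append(".")
            i += 1
        elif c == "*":
            out.append(".*")
            i += 1
        elif c == "[":
            close = exp.find("]", i + 1)
            if close == -1:
                out.append(re.escape(c))   # assumption: literal '['
                i += 1
            else:
                chars = exp[i + 1:close]
                # An empty set can never match; otherwise escape each
                # member so '-', '^' and '\' keep their literal meaning.
                out.append("(?!)" if not chars else
                           "[" + "".join(re.escape(ch) for ch in chars) + "]")
                i = close + 1
        else:
            out.append(re.escape(c))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def match_names(exp: Optional[str], names: List[str]) -> List[str]:
    """Return the names selected by exp, in input order.  None selects
    everything, as a NULL exp does for kadm5_get_principals."""
    if exp is None:
        return list(names)
    pattern = kadm5_glob_to_regex(exp)
    # fullmatch: the expression must cover the entire name (assumption).
    return [name for name in names if pattern.fullmatch(name)]


if __name__ == "__main__":
    for exp in [None, "*/admin@EXAMPLE.COM", "host/kdc?.example.com@*",
                "host/kdc[12].*", "weird\\\\/name@EXAMPLE.COM"]:
        print(repr(exp), "->", match_names(exp, SAMPLE_PRINCIPALS))
```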
\subsection{kadm5_create_policy}

\begin{verbatim}
kadm5_ret_t kadm5_create_policy(void *server_handle,
                                kadm5_policy_ent_t policy, u_int32 mask);
\end{verbatim}

Create a new policy.

AUTHORIZATION REQUIRED: add

\begin{enumerate}
\item Check to see if mask is valid; if not, return KADM5_BAD_MASK.
\item Return KADM5_BAD_POLICY if the policy name contains illegal characters.
\item Check to see if the policy already exists; if so, return KADM5_DUP.
\item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 3, 4, or 5, return KADM5_BAD_CLASS.
\item Create a new policy, setting the appropriate fields determined by the mask.
\end{enumerate}

RETURN CODES:

\begin{description}
\item[KADM5_DUP] Policy already exists.
\item[KADM5_BAD_MASK] The mask is not valid for a create operation.
\item[KADM5_BAD_CLASS] The specified number of character classes is invalid.
\item[KADM5_BAD_POLICY] The policy name contains illegal characters.
\end{description}

\subsection{kadm5_delete_policy}

\begin{verbatim}
kadm5_ret_t kadm5_delete_policy(void *server_handle, char *policy);
\end{verbatim}

Deletes a policy.

AUTHORIZATION REQUIRED: delete

\begin{enumerate}
\item Return KADM5_BAD_POLICY if the policy name contains illegal characters.
\item Return KADM5_UNK_POLICY if the named policy does not exist.
\item Return KADM5_POLICY_REF if the named policy's refcnt is not 0.
\item Delete policy.
\end{enumerate}

RETURN CODES:

\begin{description}
\item[KADM5_BAD_POLICY] The policy name contains illegal characters.
\item[KADM5_UNK_POLICY] Policy does not exist.
\item[KADM5_POLICY_REF] Policy is being referenced.
\end{description}

\subsection{kadm5_modify_policy}

\begin{verbatim}
kadm5_ret_t kadm5_modify_policy(void *server_handle,
                                kadm5_policy_ent_t policy, u_int32 mask);
\end{verbatim}

Modify an existing policy.  Note that modifying a policy has no effect
on a principal using the policy until the next time the principal's
password is changed.

AUTHORIZATION REQUIRED: modify

\begin{enumerate}
\item Return KADM5_BAD_POLICY if the policy name contains illegal characters.
\item Check to see if mask is legal; if not, return KADM5_BAD_MASK.
\item Check to see if policy exists; if not, return KADM5_UNK_POLICY.
\item If the PW_MIN_CLASSES bit is set and pw_min_classes is not 1, 2, 3, 4, or 5, return KADM5_BAD_CLASS.
\item Update the fields specified in the mask.
\end{enumerate}

RETURN CODES:

\begin{description}
\item[KADM5_BAD_POLICY] The policy name contains illegal characters.
\item[KADM5_UNK_POLICY] Policy not found.
\item[KADM5_BAD_MASK] The mask is not valid for a modify operation.
\item[KADM5_BAD_CLASS] The specified number of character classes is invalid.
\end{description}

\subsection{kadm5_get_policy}

In KADM5_API_VERSION_1:

\begin{verbatim}
kadm5_ret_t kadm5_get_policy(void *server_handle, char *policy,
                             kadm5_policy_ent_t *ent);
\end{verbatim}

In KADM5_API_VERSION_2:

\begin{verbatim}
kadm5_ret_t kadm5_get_policy(void *server_handle, char *policy,
                             kadm5_policy_ent_t ent);
\end{verbatim}

AUTHORIZATION REQUIRED: get, or the calling principal's policy being
the same as the policy argument.  If the request is authenticated to
the kadmin/changepw service, the get privilege is disregarded.

In KADM5_API_VERSION_1, return the policy's attributes in allocated
memory; if an error is returned, entry is set to NULL.  In
KADM5_API_VERSION_2, fill in fields of the policy structure allocated
by the caller.

The caller must free the returned entry with kadm5_free_policy_ent.

RETURN CODES:

\begin{description}
\item[KADM5_BAD_POLICY] The policy name contains illegal characters.
\item[KADM5_UNK_POLICY] Policy not found.
\end{description}

\subsection{kadm5_get_policies}

\begin{verbatim}
kadm5_ret_t kadm5_get_policies(void *server_handle, char *exp,
                               char ***pols, int *count)
\end{verbatim}

Retrieves the list of policy names.

AUTHORIZATION REQUIRED: list

If \v{exp} is NULL, all policy names are retrieved; otherwise, policy
names that match the expression exp are retrieved.  \v{pols} is filled
in with a pointer to a NULL-terminated array of strings, and \v{count}
is filled in with the number of policy names in the array.  \v{pols}
must be freed with a call to \v{kadm5_free_name_list}.

All characters in the expression match themselves except ``?'' which
matches any single character, ``*'' which matches any number of
consecutive characters, and ``[chars]'' which matches any single
character of ``chars''.  Any character which follows a
``$\backslash$'' matches itself exactly, and a ``$\backslash$'' cannot
be the last character in the string.

\subsection{kadm5_free_principal_ent, _policy_ent}

\begin{verbatim}
void kadm5_free_principal_ent(void *server_handle,
                              kadm5_principal_ent_t princ);
\end{verbatim}

In KADM5_API_VERSION_1, free the structure and contents allocated by a
call to kadm5_get_principal.  In KADM5_API_VERSION_2, free the
contents allocated by a call to kadm5_get_principal.

AUTHORIZATION REQUIRED: none (local operation)

\begin{verbatim}
void kadm5_free_policy_ent(kadm5_policy_ent_t policy);
\end{verbatim}

Free memory that was allocated by a call to kadm5_get_policy.  If the
argument is NULL, the function returns successfully.

AUTHORIZATION REQUIRED: none (local operation)

\subsection{kadm5_free_name_list}

\begin{verbatim}
void kadm5_free_name_list(void *server_handle, char **names, int *count);
\end{verbatim}

Free the memory that was allocated by kadm5_get_principals or
kadm5_get_policies.  names and count must be a matched pair of values
returned from one of those two functions.

\subsection{kadm5_free_key_data}

\begin{verbatim}
void kadm5_free_key_data(void *server_handle, krb5_int16 *n_key_data,
                         krb5_key_data *key_data)
\end{verbatim}

Free the memory that was allocated by kadm5_randkey_principal.
n_key_data and key_data must be a matched pair of values returned from
that function.

\subsection{kadm5_get_privs}

\begin{verbatim}
kadm5_ret_t kadm5_get_privs(void *server_handle, u_int32 *privs);
\end{verbatim}

Return the caller's admin server privileges in the integer pointed to
by the argument.  The Admin API does not define any way for a
principal's privileges to be set.  Note that this function will
probably be removed or drastically changed in future versions of this
system.  The returned value is a bitmask indicating the caller's
privileges:

\begin{tabular}{llr}
{\bf Privilege} & {\bf Symbol} & {\bf Value} \\
Get & KADM5_PRIV_GET & 0x01 \\
Add & KADM5_PRIV_ADD & 0x02 \\
Modify & KADM5_PRIV_MODIFY & 0x04 \\
Delete & KADM5_PRIV_DELETE & 0x08 \\
List & KADM5_PRIV_LIST & 0x10 \\
Changepw & KADM5_PRIV_CPW & 0x20
\end{tabular}

There is no guarantee that a caller will have a privilege indicated by
this function for any length of time or for any particular target;
applications using this function must still be prepared to handle all
possible KADM5_AUTH_* error codes.  In the initial MIT Kerberos
version of the admin server, permissions depend both on the caller and
the target; this function returns a bitmask representing all
privileges the caller can possibly have for any possible target.

\end{document}

krb5-1.19.2/doc/iprop-notes.txt

Some (intentional) changes from Sun's submission are noted in the
install guide.

Bugs or issues:

The "full resync" part of the protocol involves the primary side
firing off a normal kprop (and going back to servicing requests), and
the replica side stopping all the incremental propagation stuff and
waiting for the kprop.  If the connection from the primary never comes
in for some reason, the replica side just blocks forever, and never
resumes incremental propagation.
The protocol does not currently pass policy database changes; this was
an intentional decision on Sun's part.  The policy database is only
relevant to the primary KDC, and is usually fairly static (aside from
refcount updates), but not propagating it does mean that a replica
maintained via iprop can't simply be promoted to a primary in disaster
recovery or other cases without doing a full propagation or restoring
a database from backups.

Shawn had a good suggestion after I started the integration work, and
which I haven't had a chance to implement: Make the update-log code
fit in as a sort of pseudo-database layer via the DAL, being called
through the standard DAL methods, and doing its work around calls
through to the real database back end again through the DAL methods.
So for example, creating an "iprop+db2" database would create an
update log and the real db2 database; storing a principal entry would
update the update log as well; etc.  At least initially, we wouldn't
treat it as a differently-named database; the installation of the
hooks would be done by explicitly checking if iprop is enabled, etc.

The "iprop role" is assumed to be either primary or replica.  The
primary writes a log, and the replica fetches it.  But what about a
cascade propagation model where A sends to B which sends to C, perhaps
because A's bandwidth is highly limited, or B and C are co-located?
In such a case, B would want to operate in both modes.  Granted, with
iprop the bandwidth issues should be less important, but there may
still be reasons one may wish to run in such a configuration.

The propagation of changes does not happen in real time.  It's not a
"push" protocol; the replicas poll periodically for changes.  Perhaps
a future revision of the protocol could address that.

kadmin/cli/kadmin.c call to kadm5_init_iprop - is this needed in
client-side program?  Should it be done in libkadm5srv instead as part
of the existing kadm5_init* so that database-accessing applications
that don't get updated at the source level will automatically start
changing the update log as needed?

Locking: Currently DAL exports the DB locking interface to the caller;
we want to slip the iprop code in between -- run it plus the DB update
operation with the DB lock held, whether or not the caller grabbed the
lock.  (Does the caller always grab the lock before making changes?)
Currently we're using a file lock on the update log itself; this will
be independent of whether the DB back end implements locking (which
may be a good thing or a bad thing, depending).

Various logging calls with odd format strings like "" should be fixed.

Why are different principal names used, when incremental propagation
requires that normal kprop (which uses host principals) be possible
anyways?

Why is this tied to kadmind, aside from (a) wanting to prevent other
db changes, which locking protocols should deal with anyways, (b)
existing acl code, (c) existing server process?

The incremental propagation protocol requires an ACL entry on the
primary, listing the replica.  Since the full-resync part uses normal
kprop, the replica also has to have an ACL entry for the primary.  If
this is missing, I suspect the behavior will be that every two
minutes, the primary side will (at the prompting of the replica) dump
out the database and attempt a full propagation.

Possible optimizations: If an existing dump file has a recent enough
serial number, just send it, without dumping again?  Use just one dump
file instead of one per replica?

Requiring normal kprop means the replica still can't be behind a NAT
or firewall without special configuration.  The incremental parts can
work in such a configuration, so long as outgoing TCP connections are
allowed.

Still limited to IPv4 because of limitations in MIT's version of the
RPC code.  (This could be fixed for kprop, if IPv6 sites want to do
full propagation only.  Doing incremental propagation over IPv6 will
take work on the RPC library, and probably introduce
backwards-incompatible ABI changes.)

Overflow checks for ulogentries times block size?

If file can't be made the size indicated by ulogentries, should we
truncate or error out?  If we error out, this could blow out when
resizing the log because of a too-large log entry.

The kprop invocation doesn't specify a realm name, so it'll only work
for the default realm.  No clean way to specify a port number, either.
Would it be overkill to come up with a way to configure host+port for
kpropd on the primary?  Preferably in a way that'd support cascading
propagations.

The kadmind process, when it needs to run kprop, extracts the replica
host name from the client principal name.  It assumes that the
principal name will be of the form foo/hostname@REALM, and looks
specifically for the "/" and "@" to chop up the string form of the
name.  If looking up that name won't give a working IPv4 address for
the replica, kprop will fail (and kpropd will keep waiting,
incremental updates will stop, etc).

Mapping between file offsets and structure addresses, we should be
careful about alignment.  We're probably okay on current platforms,
but if we break log-format compatibility with Sun at some point, use
the chance to make the kdb_ent_header_t offsets be more strictly
aligned in the file.  (16 or 32 bytes?)

Not thread safe!  The kdb5.c code will get a lock on the update log
file while making changes, but the lock is per-process.  Currently
there are no processes I know of that use multiple threads and change
the database.  (There's the Novell patch to make the KDC
multithreaded, but the kdc-kdb-update option doesn't currently
compile.)

Logging in kpropd is poor to useless.  If there are any problems, run
it in debug mode ("-d").  You'll still lose all output from the
invocation of kdb5_util dump and kprop run out of kadmind.

Other man page updates needed: Anything with new -x options.

Comments from lha:

Verify both client and server are demanding privacy from RPC.

Authorization code in check_iprop_rpcsec_auth is weird.

Check realm checking, is it trusting the client realm length?  What
will happen if my realm is named "A" and I can get a cross realm
(through multihop) to ATHENA.MIT.EDU's iprop server?

Why is the ACL not applied before we get to the functions themselves?

krb5-1.19.2/doc/admin/realm_config.rst

Realm configuration decisions
=============================

Before installing Kerberos V5, it is necessary to consider the
following issues:

* The name of your Kerberos realm (or the name of each realm, if you
  need more than one).
* How you will assign your hostnames to Kerberos realms.
* Which ports your KDC and kadmind services will use, if they will not
  be using the default ports.
* How many replica KDCs you need and where they should be located.
* The hostnames of your primary and replica KDCs.
* How frequently you will propagate the database from the primary KDC
  to the replica KDCs.


Realm name
----------

Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters.

For example, hosts in the domain ``example.com`` would be in the
Kerberos realm::

    EXAMPLE.COM

If you need multiple Kerberos realms, MIT recommends that you use
descriptive names which end with your domain name, such as::

    BOSTON.EXAMPLE.COM
    HOUSTON.EXAMPLE.COM


.. _mapping_hostnames:

Mapping hostnames onto Kerberos realms
--------------------------------------

Mapping hostnames onto Kerberos realms is done in one of three ways.

The first mechanism works through a set of rules in the
:ref:`domain_realm` section of :ref:`krb5.conf(5)`.
You can specify mappings for an entire domain or on a per-hostname
basis.  Typically you would do this by specifying the mappings for a
given domain or subdomain and listing the exceptions.

The second mechanism is to use KDC host-based service referrals.  With
this method, the KDC's krb5.conf has a full [domain_realm] mapping for
hosts, but the clients do not, or have mappings for only a subset of
the hosts they might contact.  When a client needs to contact a server
host for which it has no mapping, it will ask the client realm's KDC
for the service ticket, and will receive a referral to the appropriate
service realm.

To use referrals, clients must be running MIT krb5 1.6 or later, and
the KDC must be running MIT krb5 1.7 or later.  The
**host_based_services** and **no_host_referral** variables in the
:ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to
fine-tune referral behavior on the KDC.

It is also possible for clients to use DNS TXT records, if
**dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`.  Such lookups
are disabled by default because DNS is an insecure protocol and
security holes could result if DNS records are spoofed.  If enabled,
the client will try to look up a TXT record formed by prepending the
prefix ``_kerberos`` to the hostname in question.  If that record is
not found, the client will attempt a lookup by prepending
``_kerberos`` to the host's domain name, then its parent domain, up to
the top-level domain.  For the hostname
``boston.engineering.example.com``, the names looked up would be::

    _kerberos.boston.engineering.example.com
    _kerberos.engineering.example.com
    _kerberos.example.com
    _kerberos.com

The value of the first TXT record found is taken as the realm name.

Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other
sites.


Ports for the KDC and admin services
------------------------------------

The default ports used by Kerberos are port 88 for the KDC and port
749 for the admin server.  You can, however, choose to run on other
ports, as long as they are specified in each host's
:ref:`krb5.conf(5)` files or in DNS SRV records, and the
:ref:`kdc.conf(5)` file on each KDC.  For a more thorough treatment
of port numbers used by the Kerberos V5 programs, refer to the
:ref:`conf_firewall`.


Replica KDCs
------------

Replica KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the primary KDC.  The
number of replica KDCs you need and the decision of where to place
them, both physically and logically, depends on the specifics of your
network.

Kerberos authentication requires that each client be able to contact a
KDC.  Therefore, you need to anticipate any likely reason a KDC might
be unavailable and have a replica KDC to take up the slack.

Some considerations include:

* Have at least one replica KDC as a backup, for when the primary KDC
  is down, is being upgraded, or is otherwise unavailable.
* If your network is split such that a network outage is likely to
  cause a network partition (some segment or segments of the network
  to become cut off or isolated from other segments), have a replica
  KDC accessible to each segment.
* If possible, have at least one replica KDC in a different building
  from the primary, in case of power outages, fires, or other
  localized disasters.


.. _kdc_hostnames:

Hostnames for KDCs
------------------

MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as ``kerberos`` for the primary KDC and
``kerberos-1``, ``kerberos-2``, ... for the replica KDCs.  This way,
if you need to swap a machine, you only need to change a DNS entry,
rather than having to change hostnames.

As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS
using SRV records (:rfc:`2782`), assuming the Kerberos realm name is
also a DNS domain name.  These records indicate the hostname and port
number to contact for that service, optionally with weighting and
prioritization.  The domain name used in the SRV record name is the
realm name.

Several different Kerberos-related service names are used:

_kerberos._udp
    This is for contacting any KDC by UDP.  This entry will be used
    the most often.  Normally you should list port 88 on each of your
    KDCs.

_kerberos._tcp
    This is for contacting any KDC by TCP.  Normally you should use
    port 88.  This entry should be omitted if the KDC does not listen
    on TCP ports, as was the default prior to release 1.13.

_kerberos-master._udp
    This entry should refer to those KDCs, if any, that will
    immediately see password changes to the Kerberos database.  If a
    user is logging in and the password appears to be incorrect, the
    client will retry with the primary KDC before failing with an
    "incorrect password" error.  If you have only one KDC, or for
    whatever reason there is no accessible KDC that would get
    database changes faster than the others, you do not need to
    define this entry.

_kerberos-adm._tcp
    This should list port 749 on your primary KDC.  Support for it is
    not complete at this time, but it will eventually be used by the
    :ref:`kadmin(1)` program and related utilities.  For now, you will
    also need the **admin_server** variable in :ref:`krb5.conf(5)`.

_kerberos-master._tcp
    The corresponding TCP port for _kerberos-master._udp, assuming the
    primary KDC listens on a TCP port.

_kpasswd._udp
    This entry should list port 464 on your primary KDC.  It is used
    when a user changes her password.  If this entry is not defined
    but a _kerberos-adm._tcp entry is defined, the client will use the
    _kerberos-adm._tcp entry with the port number changed to 464.

_kpasswd._tcp
    The corresponding TCP port for _kpasswd._udp.
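The SRV-based location just described, as an added example that is not code from the krb5 library: it resolves the service names above against a constructed in-memory zone (standing in for DNS), orders the answers as RFC 2782 directs, and applies the documented fallback from a missing _kpasswd record to _kerberos-adm._tcp with the port changed to 464. The in-memory zone, the function names and the treatment of all-zero weights are assumptions of this example.

```python
import random
from typing import Dict, List, Optional, Tuple

# One SRV record as (priority, weight, port, target); targets are the
# canonical hostnames the SRV specification requires.
SrvRecord = Tuple[int, int, int, str]

# Constructed zone for realm FOOBAR.COM, modelled on this document's
# zone-file example; it stands in for a resolver and is not real DNS.
# _kpasswd._udp is deliberately absent so the fallback is exercised.
SAMPLE_ZONE: Dict[str, List[SrvRecord]] = {
    "_kerberos._udp.foobar.com.": [
        (0, 0, 88, "daisy.foobar.com."),
        (0, 0, 88, "use-the-force-luke.foobar.com."),
        (0, 0, 88, "bunny-rabbit.foobar.com."),
    ],
    "_kerberos-master._udp.foobar.com.": [(0, 0, 88, "daisy.foobar.com.")],
    "_kerberos-adm._tcp.foobar.com.": [(0, 0, 749, "daisy.foobar.com.")],
}

# Service names from this section, keyed by (service, transport).
SERVICE_NAMES: Dict[Tuple[str, str], str] = {
    ("kdc", "udp"): "_kerberos._udp",
    ("kdc", "tcp"): "_kerberos._tcp",
    ("master_kdc", "udp"): "_kerberos-master._udp",
    ("master_kdc", "tcp"): "_kerberos-master._tcp",
    ("kadmin", "tcp"): "_kerberos-adm._tcp",
    ("kpasswd", "udp"): "_kpasswd._udp",
    ("kpasswd", "tcp"): "_kpasswd._tcp",
}


def srv_lookup(zone: Dict[str, List[SrvRecord]], name: str) -> List[SrvRecord]:
    """Stand-in for an SRV query; DNS names are case-insensitive."""
    return list(zone.get(name.lower(), []))


def order_srv(records: List[SrvRecord],
              rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """Order records as RFC 2782 directs: lowest priority first; within
    one priority, repeated weighted random selection, with weight-0
    records listed first so they are picked only when the random point
    is 0 (when every weight is 0 this degenerates to list order)."""
    rng = rng or random.Random()
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        bucket = sorted((r for r in records if r[0] == prio),
                        key=lambda r: r[1] != 0)      # weight 0 first
        while bucket:
            point = rng.randint(0, sum(r[1] for r in bucket))
            running, chosen = 0, 0
            for idx, rec in enumerate(bucket):
                running += rec[1]
                if running >= point:
                    chosen = idx
                    break
            ordered.append(bucket.pop(chosen))
    return ordered


def locate_service(zone: Dict[str, List[SrvRecord]], realm: str,
                   service: str, transport: str = "udp",
                   rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Return (host, port) pairs to try, in order.  If no _kpasswd
    record exists but a _kerberos-adm._tcp record does, the latter is
    reused with the port changed to 464, as the text above describes."""
    owner = SERVICE_NAMES[(service, transport)] + "." + realm + "."
    records = srv_lookup(zone, owner)
    if not records and service == "kpasswd":
        adm = srv_lookup(zone, "_kerberos-adm._tcp." + realm + ".")
        records = [(p, w, 464, host) for (p, w, _port, host) in adm]
    return [(host, port) for (_p, _w, port, host) in order_srv(records, rng)]


if __name__ == "__main__":
    for svc, tr in [("kdc", "udp"), ("master_kdc", "udp"),
                    ("kpasswd", "udp"), ("kdc", "tcp")]:
        print(svc, tr, locate_service(SAMPLE_ZONE, "FOOBAR.COM", svc, tr))
```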
The DNS SRV specification requires that the hostnames listed be the
canonical names, not aliases.  So, for example, you might include the
following records in your (BIND-style) zone file::

    $ORIGIN foobar.com.
    _kerberos               TXT     "FOOBAR.COM"
    kerberos                CNAME   daisy
    kerberos-1              CNAME   use-the-force-luke
    kerberos-2              CNAME   bunny-rabbit
    _kerberos._udp          SRV     0 0 88 daisy
                            SRV     0 0 88 use-the-force-luke
                            SRV     0 0 88 bunny-rabbit
    _kerberos-master._udp   SRV     0 0 88 daisy
    _kerberos-adm._tcp      SRV     0 0 749 daisy
    _kpasswd._udp           SRV     0 0 464 daisy

Clients can also be configured with the explicit location of services
using the **kdc**, **master_kdc**, **admin_server**, and
**kpasswd_server** variables in the :ref:`realms` section of
:ref:`krb5.conf(5)`.  Even if some clients will be configured with
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.


.. _kdc_discovery:

KDC Discovery
-------------

As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
records (:rfc:`7553`).  Limitations with the SRV record format may
result in extra DNS queries in situations where a client must failover
to other transport types, or find a primary server.  The URI record
can convey more information about a realm's KDCs with a single query.

The client performs a query for the following URI records:

* ``_kerberos.REALM`` for finding KDCs.
* ``_kerberos-adm.REALM`` for finding kadmin services.
* ``_kpasswd.REALM`` for finding password services.

The URI record includes a priority, weight, and a URI string that
consists of case-insensitive colon separated fields, in the form
``scheme:[flags]:transport:residual``.

* *scheme* defines the registered URI type.  It should always be
  ``krb5srv``.
* *flags* contains zero or more flag characters.  Currently the only
  valid flag is ``m``, which indicates that the record is for a
  primary server.
* *transport* defines the transport type of the residual URL or
  address.  Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for the
  MS-KKDCP type.
* *residual* contains the hostname, IP address, or URL to be contacted
  using the specified transport, with an optional port extension.  The
  MS-KKDCP transport type uses an HTTPS URL, and can include a port
  and/or path extension.

An example of URI records in a zone file::

    _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
                          URI 20 1 krb5srv:m:udp:kdc2.example.com:89
                          URI 40 1 krb5srv::udp:10.10.0.23
                          URI 30 1 krb5srv::kkdcp:https://proxy:89/auth

URI lookups are enabled by default, and can be disabled by setting
**dns_uri_lookup** in the :ref:`libdefaults` section of
:ref:`krb5.conf(5)` to False.  When enabled, URI lookups take
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.


.. _db_prop:

Database propagation
--------------------

The Kerberos database resides on the primary KDC, and must be
propagated regularly (usually by a cron job) to the replica KDCs.  In
deciding how frequently the propagation should happen, you will need
to balance the amount of time the propagation takes against the
maximum reasonable amount of time a user should have to wait for a
password change to take effect.

If the propagation time is longer than this maximum reasonable time
(e.g., you have a particularly large database, you have a lot of
replicas, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel.  To do this, have the primary KDC propagate the database to
one set of replicas, and then have each of these replicas propagate
the database to additional replicas.

See also :ref:`incr_db_prop`

krb5-1.19.2/doc/admin/princ_dns.rst

Principal names and DNS
=======================

Kerberos clients can do DNS lookups to canonicalize service principal
names.
This can cause difficulties when setting up Kerberos application
servers, especially when the client's name for the service is
different from what the service thinks its name is.

Service principal names
-----------------------

A frequently used kind of principal name is the host-based service
principal name.  This kind of principal name has two components: a
service name and a hostname.  For example, ``imap/imap.example.com``
is the principal name of the "imap" service on the host
"imap.example.com".  Other possible service names for the first
component include "host" (remote login services such as ssh), "HTTP",
and "nfs" (Network File System).

Service administrators often publish well-known hostname aliases that
they would prefer users to use instead of the canonical name of the
service host.  This gives service administrators more flexibility in
deploying services.  For example, a shell login server might be named
"long-vanity-hostname.example.com", but users will naturally prefer to
type something like "login.example.com".  Hostname aliases also allow
for administrators to set up load balancing for some sorts of services
based on rotating ``CNAME`` records in DNS.

Service principal canonicalization
----------------------------------

In the MIT krb5 client library, canonicalization of host-based service
principals is controlled by the **dns_canonicalize_hostname**,
**rdns**, and **qualify_shortname** variables in :ref:`libdefaults`.

If **dns_canonicalize_hostname** is set to ``true`` (the default
value), the client performs forward resolution by looking up the IPv4
and/or IPv6 addresses of the hostname using ``getaddrinfo()``.  This
process will typically add a domain suffix to the hostname if needed,
and follow CNAME records in the DNS.  If **rdns** is also set to
``true`` (the default), the client will then perform a reverse lookup
of the first returned Internet address using ``getnameinfo()``,
finding the name associated with the PTR record.
If **dns_canonicalize_hostname** is set to ``false``, the hostname is
not canonicalized using DNS.  If the hostname has only one component
(i.e. it contains no "." characters), the host's primary DNS search
domain will be appended, if there is one.  The **qualify_shortname**
variable can be used to override or disable this suffix.

If **dns_canonicalize_hostname** is set to ``fallback`` (added in
release 1.18), the hostname is initially treated according to the
rules for ``dns_canonicalize_hostname=false``.  If a ticket request
fails because the service principal is unknown, the hostname will be
canonicalized according to the rules for
``dns_canonicalize_hostname=true`` and the request will be retried.

In all cases, the hostname is converted to lowercase, and any trailing
dot is removed.

Reverse DNS mismatches
----------------------

Sometimes, an enterprise will have control over its forward DNS but
not its reverse DNS.  The reverse DNS is sometimes under the control
of the Internet service provider of the enterprise, and the enterprise
may not have much influence in setting up reverse DNS records for its
address space.  If there are difficulties with getting forward and
reverse DNS to match, it is best to set ``rdns = false`` on client
machines.

Overriding application behavior
-------------------------------

Applications can choose to use a default hostname component in their
service principal name when accepting authentication, which avoids
some sorts of hostname mismatches.  Because not all relevant
applications do this yet, using the :ref:`krb5.conf(5)` setting::

    [libdefaults]
        ignore_acceptor_hostname = true

will allow the Kerberos library to override the application's choice
of service principal hostname and will allow a server program to
accept incoming authentications using any key in its keytab that
matches the service name and realm name (if given).  This setting
defaults to "false" and is available in releases krb5-1.10 and later.
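The following is an added example, not code from the krb5 library, that
models the canonicalization rules described above (the ``true``,
``false`` and ``fallback`` settings of **dns_canonicalize_hostname**,
together with **rdns** and **qualify_shortname**) so the resulting service
principal can be inspected for each setting.  Real ``getaddrinfo()`` and
``getnameinfo()`` calls are replaced by constructed lookup tables, and
``known_principals`` is a constructed stand-in for the KDC's database used
only to decide whether the first request in ``fallback`` mode would fail
with an unknown principal; the hostnames, addresses and search domain are
assumptions made for the example.

```python
# Constructed stand-in for DNS.  FORWARD maps a name to the canonical name
# getaddrinfo() would report after following CNAMEs, plus its first address;
# REVERSE maps an address to its PTR name.  All of it is example data.
FORWARD = {
    'login.example.com': ('long-vanity-hostname.example.com', '192.0.2.10'),
    'long-vanity-hostname.example.com':
        ('long-vanity-hostname.example.com', '192.0.2.10'),
    'imap.example.com': ('imap.example.com', '192.0.2.20'),
}
REVERSE = {
    '192.0.2.10': 'long-vanity-hostname.example.com',
    '192.0.2.20': 'mail-20.isp.example.net',   # reverse DNS run by the ISP
}
SEARCH_DOMAIN = 'example.com'   # the host's primary DNS search domain


def fake_getaddrinfo(host):
    """Forward resolution: (canonical name, first address) or None.  Like a
    resolver with a search list, a single-label name is retried with the
    search domain appended."""
    if host in FORWARD:
        return FORWARD[host]
    if '.' not in host:
        return FORWARD.get(host + '.' + SEARCH_DOMAIN)
    return None


def fake_getnameinfo(addr):
    """Reverse resolution: the PTR name for an address, or None."""
    return REVERSE.get(addr)


def qualify(host, qualify_shortname):
    """dns_canonicalize_hostname=false rules: append the search domain to a
    single-component name unless qualify_shortname overrides or disables it
    (None means "not set", '' means disabled)."""
    if '.' in host:
        return host
    suffix = SEARCH_DOMAIN if qualify_shortname is None else qualify_shortname
    return host + '.' + suffix if suffix else host


def dns_canonicalize(host, rdns):
    """dns_canonicalize_hostname=true rules; None if forward lookup fails."""
    found = fake_getaddrinfo(host)
    if found is None:
        return None
    canon, addr = found
    if rdns:                                    # PTR name wins when rdns=true
        canon = fake_getnameinfo(addr) or canon
    return canon


def service_principal(hostname, service='host', dns_canonicalize_hostname='true',
                      rdns=True, qualify_shortname=None, known_principals=None):
    """Build service/hostname the way the client library would for the given
    settings.  known_principals is the constructed stand-in for the KDC."""
    host = hostname.lower().rstrip('.')        # lowercase, drop trailing dot
    if dns_canonicalize_hostname == 'true':
        canon = dns_canonicalize(host, rdns)
        if canon is None:                       # forward canonicalization failed
            canon = qualify(host, qualify_shortname)
    elif dns_canonicalize_hostname == 'false':
        canon = qualify(host, qualify_shortname)
    elif dns_canonicalize_hostname == 'fallback':
        canon = qualify(host, qualify_shortname)
        if known_principals is not None and \
                service + '/' + canon not in known_principals:
            canon = dns_canonicalize(host, rdns) or canon   # retry with DNS
    else:
        raise ValueError('bad dns_canonicalize_hostname value')
    return service + '/' + canon.lower().rstrip('.')
```

With these tables, ``service_principal('imap.example.com', service='imap')``
yields ``imap/mail-20.isp.example.net`` because the ISP's PTR record is
used, while ``rdns=False`` keeps ``imap/imap.example.com``; that is the
reverse DNS mismatch described above, and the keytab would need an entry
for whichever name clients end up requesting.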
Provisioning keytabs
--------------------

One service principal entry that should be in the keytab is a
principal whose hostname component is the canonical hostname that
``getaddrinfo()`` reports for all known aliases for the host.  If the
reverse DNS information does not match this canonical hostname, an
additional service principal entry should be in the keytab for this
different hostname.

Specific application advice
---------------------------

Secure shell (ssh)
~~~~~~~~~~~~~~~~~~

Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file
of modern versions of the openssh daemon will allow the daemon to try
any key in its keytab when accepting a connection, rather than looking
for the keytab entry that matches the host's own idea of its name
(typically the name that ``gethostname()`` returns).  This requires
krb5-1.10 or later.

Backups of secure hosts
=======================

When you back up a secure host, you should exclude the host's keytab
file from the backup.  If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
keytab was compromised.  In many configurations, knowledge of the
host's keytab also allows root access to the host.  This could be
particularly dangerous if the compromised keytab was from one of your
KDCs.  If the machine has a disk crash and the keytab file is lost, it
is easy to generate another keytab file.  (See :ref:`add_princ_kt`.)
If you are unable to exclude particular files from backups, you should
ensure that the backups are kept as secure as the host's root
password.

Backing up the Kerberos database
--------------------------------

As with any file, it is possible that your Kerberos database could
become corrupted.
If this happens on one of the replica KDCs, you might never notice,
since the next automatic propagation of the database would install a
fresh copy.  However, if it happens to the primary KDC, the corrupted
database would be propagated to all of the replicas during the next
propagation.  For this reason, MIT recommends that you back up your
Kerberos database regularly.  Because the primary KDC is continuously
dumping the database to a file in order to propagate it to the replica
KDCs, it is a simple matter to have a cron job periodically copy the
dump file to a secure machine elsewhere on your network.  (Of course,
it is important to make the host where these backups are stored as
secure as your KDCs, and to encrypt its transmission across your
network.)  Then if your database becomes corrupted, you can load the
most recent dump onto the primary KDC.  (See
:ref:`restore_from_dump`.)

.. _troubleshoot:

Troubleshooting
===============

.. _trace_logging:

Trace logging
-------------

Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging.  To enable this, set the **KRB5_TRACE** environment variable
to a filename before running the program.  On many operating systems,
the filename ``/dev/stdout`` can be used to send trace logging output
to standard output.

Some programs do not honor **KRB5_TRACE**, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.
Here is a short example showing trace logging output for an invocation
of the :ref:`kvno(1)` command::

    shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
    [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM using ccache FILE:/me/krb5/build/testdir/ccache
    [9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM from FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
    krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1

List of errors
--------------

Frequently seen errors
~~~~~~~~~~~~~~~~~~~~~~

#. :ref:`init_creds_ETYPE_NOSUPP`
#. :ref:`cert_chain_ETYPE_NOSUPP`
#. :ref:`err_cert_chain_cert_expired`

Errors seen by admins
~~~~~~~~~~~~~~~~~~~~~

.. _prop_failed_start:

#. :ref:`kprop_no_route`
#. :ref:`kprop_con_refused`
#. :ref:`kprop_sendauth_exchange`

.. _prop_failed_end:

-----

.. _init_creds_etype_nosupp:

KDC has no support for encryption type while getting initial credentials
........................................................................

.. _cert_chain_etype_nosupp:

credential verification failed: KDC has no support for encryption type
......................................................................

This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default.  DES encryption is considered weak due to its inadequate key
size.  If you cannot migrate away from its use, you can re-enable DES
by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults`
section of :ref:`krb5.conf(5)`.

.. _err_cert_chain_cert_expired:

Cannot create cert chain: certificate has expired
.................................................

This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.
If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a "Preauthentication failed"
error.  (Prior to release 1.11, the KDC log file message erroneously
appears as "Out of memory".  Prior to release 1.12, the client will
receive a "Generic error".)

If the client or a signing certificate has expired, this message may
appear in trace_logging_ output from :ref:`kinit(1)` or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets.  The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.

.. _kprop_no_route:

kprop: No route to host while connecting to server
..................................................

Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.

.. _kprop_con_refused:

kprop: Connection refused while connecting to server
....................................................

If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections.  inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration.  If the replica is intended to run kpropd in standalone
mode, make sure that it is running.

.. _kprop_sendauth_exchange:

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
...............................................................................................

Make sure that:

#. The time is synchronized between the primary and replica KDCs.

#. The master stash file was copied from the primary to the expected
   location on the replica.

#. The replica has a keytab file in the default location containing a
   ``host`` principal for the replica's hostname.
.. _krb5.conf(5):

krb5.conf
=========

The krb5.conf file contains Kerberos configuration information,
including the locations of KDCs and admin servers for the Kerberos
realms of interest, defaults for the current realm and for Kerberos
applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory
``/etc``.  You can override the default location by setting the
environment variable **KRB5_CONFIG**.  Multiple colon-separated
filenames may be specified in **KRB5_CONFIG**; all files which are
present will be read.  Starting in release 1.14, directory names can
also be specified in **KRB5_CONFIG**; all files within the directory
whose names consist solely of alphanumeric characters, dashes, or
underscores will be read.

Structure
---------

The krb5.conf file is set up in the style of a Windows INI file.
Lines beginning with '#' or ';' (possibly after initial whitespace)
are ignored as comments.  Sections are headed by the section name, in
square brackets.  Each section may contain zero or more relations, of
the form::

    foo = bar

or::

    fubar = {
        foo = bar
        baz = quux
    }

Placing a '\*' after the closing bracket of a section name indicates
that the section is *final*, meaning that if the same section appears
within a later file specified in **KRB5_CONFIG**, it will be ignored.
A subsection can be marked as final by placing a '\*' after either the
tag name or the closing brace.

The krb5.conf file can include other files using either of the
following directives at the beginning of a line::

    include FILENAME
    includedir DIRNAME

*FILENAME* or *DIRNAME* should be an absolute path.  The named file or
directory must exist and be readable.
Including a directory includes all files within the directory whose
names consist solely of alphanumeric characters, dashes, or
underscores.  Starting in release 1.15, files with names ending in
".conf" are also included, unless the name begins with ".".  Included
profile files are syntactically independent of their parents, so each
included file must begin with a section header.  Starting in release
1.17, files are read in alphanumeric order; in previous releases, they
may be read in any order.

The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
headers::

    module MODULEPATH:RESIDUAL

*MODULEPATH* may be relative to the library path of the krb5
installation, or it may be an absolute path.  *RESIDUAL* is provided
to the module at initialization time.  If krb5.conf uses a module
directive, :ref:`kdc.conf(5)` should also use one if it exists.

Sections
--------

The krb5.conf file may contain the following sections:

=================== =======================================================
:ref:`libdefaults`  Settings used by the Kerberos V5 library
:ref:`realms`       Realm-specific contact information and settings
:ref:`domain_realm` Maps server hostnames to Kerberos realms
:ref:`capaths`      Authentication paths for non-hierarchical cross-realm
:ref:`appdefaults`  Settings used by some Kerberos V5 applications
:ref:`plugins`      Controls plugin module registration
=================== =======================================================

Additionally, krb5.conf may include any of the relations described in
:ref:`kdc.conf(5)`, but it is not a recommended practice.

..
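The following is an added example, not code from the krb5 profile
library, that parses the file structure described above (comments,
section headers, ``tag = value`` relations, nested ``{ ... }``
subsections and the ``*`` final markers) and merges several files in
**KRB5_CONFIG** order so that a final section in an earlier file shadows
the same section in a later one.  The two sample files are constructed for
the example; the ``include``, ``includedir`` and ``module`` directives are
not handled, and the way a final *subsection* shadows later subsections
with the same tag during lookup is this example's reading of the text,
not a verified detail of libkrb5.

```python
import re

# A section header such as "[realms]", or "[realms]*" for a final section.
SECTION_RE = re.compile(r'^\[([^\]]+)\](\*?)$')


def parse_profile(text):
    """Parse krb5.conf-style text into {section: node}.  A node is
    {'final': bool, 'rels': [(tag, value), ...]}; a value is a string or a
    nested node for a "tag = { ... }" subsection.  Repeated tags are kept in
    order (libkrb5 allows e.g. several auth_to_local relations)."""
    sections, current, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue                              # blank line or comment
        m = SECTION_RE.match(line)
        if m and not stack:
            name, star = m.groups()
            current = sections.setdefault(name, {'final': False, 'rels': []})
            current['final'] = current['final'] or bool(star)
            continue
        if current is None:
            raise ValueError('relation before any section header: %r' % line)
        if line in ('}', '}*'):
            if not stack:
                raise ValueError('unbalanced }')
            sub = stack.pop()
            sub['final'] = sub['final'] or line == '}*'   # "}*" marks final
            continue
        tag, sep, value = line.partition('=')
        if not sep:
            raise ValueError('malformed relation: %r' % line)
        tag, value = tag.strip(), value.strip()
        final = tag.endswith('*')                 # "tag* = {" also marks final
        tag = tag.rstrip('*').rstrip()
        target = stack[-1]['rels'] if stack else current['rels']
        if value == '{':
            sub = {'final': final, 'rels': []}
            target.append((tag, sub))
            stack.append(sub)
        else:
            target.append((tag, value))
    if stack:
        raise ValueError('unterminated subsection')
    return sections


def merge_profiles(texts):
    """Merge files given in KRB5_CONFIG order.  A section marked final in an
    earlier file causes the same section in later files to be ignored;
    otherwise the later file's relations are appended."""
    merged = {}
    for text in texts:
        for name, sec in parse_profile(text).items():
            existing = merged.get(name)
            if existing is None:
                merged[name] = {'final': sec['final'], 'rels': list(sec['rels'])}
            elif not existing['final']:
                existing['rels'].extend(sec['rels'])
                existing['final'] = sec['final']
    return merged


def lookup(profile, section, *path):
    """Return every string value found at section/path, in order.  While
    descending, a final subsection stops later subsections with the same
    tag from being consulted (assumption, see the lead-in)."""
    sec = profile.get(section)
    if sec is None:
        return []
    nodes = [sec]
    for tag in path[:-1]:
        next_nodes = []
        for node in nodes:
            for t, v in node['rels']:
                if t == tag and isinstance(v, dict):
                    next_nodes.append(v)
                    if v['final']:
                        break
        nodes = next_nodes
    return [v for node in nodes for t, v in node['rels']
            if t == path[-1] and isinstance(v, str)]


# Constructed sample files, in the order they would appear in KRB5_CONFIG.
FILE_A = """
[libdefaults]
    default_realm = EXAMPLE.COM
    rdns = false
[realms]*
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
[appdefaults]
    pam* = {
        forwardable = true
    }
"""
FILE_B = """
; a later, lower-priority file
[libdefaults]
    dns_canonicalize_hostname = fallback
[realms]
    EXAMPLE.COM = {
        kdc = other-kdc.example.net
    }
[appdefaults]
    pam = {
        forwardable = false
    }
"""
PROFILE = merge_profiles([FILE_A, FILE_B])
```

Here ``lookup(PROFILE, 'realms', 'EXAMPLE.COM', 'kdc')`` returns only
``kdc1.example.com``: because ``[realms]*`` is final in the first file,
the second file cannot redirect the realm to a different KDC, which is
the point of marking sections final in a file that an administrator
controls more tightly than the rest of the search path.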
.. _libdefaults:

[libdefaults]
~~~~~~~~~~~~~

The libdefaults section may contain any of the following relations:

**allow_weak_crypto**
    If this flag is set to false, then weak encryption types (as noted
    in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered
    out of the lists **default_tgs_enctypes**,
    **default_tkt_enctypes**, and **permitted_enctypes**.  The default
    value for this tag is false.

**canonicalize**
    If this flag is set to true, initial ticket requests to the KDC
    will request canonicalization of the client principal name, and
    answers with different client principals than the requested
    principal will be accepted.  The default value is false.

**ccache_type**
    This parameter determines the format of credential cache types
    created by :ref:`kinit(1)` or other programs.  The default value
    is 4, which represents the most current format.  Smaller values
    can be used for compatibility with very old implementations of
    Kerberos which interact with credential caches on the same host.

**clockskew**
    Sets the maximum allowable amount of clockskew in seconds that the
    library will tolerate before assuming that a Kerberos message is
    invalid.  The default value is 300 seconds, or five minutes.

    The clockskew setting is also used when evaluating ticket start
    and expiration times.  For example, tickets that have reached
    their expiration time can still be used (and renewed if they are
    renewable tickets) if they have been expired for a shorter
    duration than the **clockskew** setting.

**default_ccache_name**
    This relation specifies the name of the default credential cache.
    The default is |ccache|.  This relation is subject to parameter
    expansion (see below).  New in release 1.11.

**default_client_keytab_name**
    This relation specifies the name of the default keytab for
    obtaining client credentials.  The default is |ckeytab|.  This
    relation is subject to parameter expansion (see below).  New in
    release 1.11.
**default_keytab_name**
    This relation specifies the default keytab name to be used by
    application servers such as sshd.  The default is |keytab|.  This
    relation is subject to parameter expansion (see below).

**default_rcache_name**
    This relation specifies the name of the default replay cache.
    The default is ``dfl:``.  This relation is subject to parameter
    expansion (see below).  New in release 1.18.

**default_realm**
    Identifies the default Kerberos realm for the client.  Set its
    value to your Kerberos realm.  If this value is not set, then a
    realm must be specified with every Kerberos principal when
    invoking programs such as :ref:`kinit(1)`.

**default_tgs_enctypes**
    Identifies the supported list of session key encryption types that
    the client should request when making a TGS-REQ, in order of
    preference from highest to lowest.  The list may be delimited with
    commas or whitespace.  See :ref:`Encryption_types` in
    :ref:`kdc.conf(5)` for a list of the accepted values for this tag.
    Starting in release 1.18, the default value is the value of
    **permitted_enctypes**.  For previous releases or if
    **permitted_enctypes** is not set, the default value is
    |defetypes|.

    Do not set this unless required for specific backward
    compatibility purposes; stale values of this setting can prevent
    clients from taking advantage of new stronger enctypes when the
    libraries are upgraded.

**default_tkt_enctypes**
    Identifies the supported list of session key encryption types that
    the client should request when making an AS-REQ, in order of
    preference from highest to lowest.  The format is the same as for
    default_tgs_enctypes.  Starting in release 1.18, the default
    value is the value of **permitted_enctypes**.  For previous
    releases or if **permitted_enctypes** is not set, the default
    value is |defetypes|.

    Do not set this unless required for specific backward
    compatibility purposes; stale values of this setting can prevent
    clients from taking advantage of new stronger enctypes when the
    libraries are upgraded.
**dns_canonicalize_hostname**
    Indicate whether name lookups will be used to canonicalize
    hostnames for use in service principal names.  Setting this flag
    to false can improve security by reducing reliance on DNS, but
    means that short hostnames will not be canonicalized to
    fully-qualified hostnames.  If this option is set to ``fallback``
    (new in release 1.18), DNS canonicalization will only be
    performed if the server hostname is not found with the original
    name when requesting credentials.  The default value is true.

**dns_lookup_kdc**
    Indicate whether DNS SRV records should be used to locate the KDCs
    and other servers for a realm, if they are not listed in the
    krb5.conf information for the realm.  (Note that the admin_server
    entry must be in the krb5.conf realm information in order to
    contact kadmind, because the DNS implementation for kadmin is
    incomplete.)

    Enabling this option does open up a type of denial-of-service
    attack, if someone spoofs the DNS records and redirects you to
    another server.  However, it's no worse than a denial of service,
    because that fake KDC will be unable to decode anything you send
    it (besides the initial ticket request, which has no encrypted
    data), and anything the fake KDC sends will not be trusted without
    verification using some secret that it won't know.

**dns_uri_lookup**
    Indicate whether DNS URI records should be used to locate the KDCs
    and other servers for a realm, if they are not listed in the
    krb5.conf information for the realm.  SRV records are used as a
    fallback if no URI records were found.  The default value is
    true.  New in release 1.15.

**enforce_ok_as_delegate**
    If this flag is set to true, GSSAPI credential delegation will be
    disabled when the ``ok-as-delegate`` flag is not set in the
    service ticket.  If this flag is false, the ``ok-as-delegate``
    ticket flag is only enforced when an application specifically
    requests enforcement.  The default value is false.

**err_fmt**
    This relation allows for custom error message formatting.
    If a value is set, error messages will be formatted by
    substituting a normal error message for %M and an error code for
    %C in the value.

**extra_addresses**
    This allows a computer to use multiple local addresses, in order
    to allow Kerberos to work in a network that uses NATs while still
    using address-restricted tickets.  The addresses should be in a
    comma-separated list.  This option has no effect if
    **noaddresses** is true.

**forwardable**
    If this flag is true, initial tickets will be forwardable by
    default, if allowed by the KDC.  The default value is false.

**ignore_acceptor_hostname**
    When accepting GSSAPI or krb5 security contexts for host-based
    service principals, ignore any hostname passed by the calling
    application, and allow clients to authenticate to any service
    principal in the keytab matching the service name and realm name
    (if given).  This option can improve the administrative
    flexibility of server applications on multihomed hosts, but could
    compromise the security of virtual hosting environments.  The
    default value is false.  New in release 1.10.

**k5login_authoritative**
    If this flag is true, principals must be listed in a local user's
    k5login file to be granted login access, if a :ref:`.k5login(5)`
    file exists.  If this flag is false, a principal may still be
    granted login access through other mechanisms even if a k5login
    file exists but does not list the principal.  The default value
    is true.

**k5login_directory**
    If set, the library will look for a local user's k5login file
    within the named directory, with a filename corresponding to the
    local username.  If not set, the library will look for k5login
    files in the user's home directory, with the filename .k5login.
    For security reasons, .k5login files must be owned by the local
    user or by root.

**kcm_mach_service**
    On macOS only, determines the name of the bootstrap service used
    to contact the KCM daemon for the KCM credential cache type.
    If the value is ``-``, Mach RPC will not be used to contact the
    KCM daemon.  The default value is ``org.h5l.kcm``.

**kcm_socket**
    Determines the path to the Unix domain socket used to access the
    KCM daemon for the KCM credential cache type.  If the value is
    ``-``, Unix domain sockets will not be used to contact the KCM
    daemon.  The default value is
    ``/var/run/.heim_org.h5l.kcm-socket``.

**kdc_default_options**
    Default KDC options (Xored for multiple values) when requesting
    initial tickets.  By default it is set to 0x00000010
    (KDC_OPT_RENEWABLE_OK).

**kdc_timesync**
    Accepted values for this relation are 1 or 0.  If it is nonzero,
    client machines will compute the difference between their time
    and the time returned by the KDC in the timestamps in the tickets
    and use this value to correct for an inaccurate system clock when
    requesting service tickets or authenticating to services.  This
    corrective factor is only used by the Kerberos library; it is not
    used to change the system clock.  The default value is 1.

**noaddresses**
    If this flag is true, requests for initial tickets will not be
    made with address restrictions set, allowing the tickets to be
    used across NATs.  The default value is true.

**permitted_enctypes**
    Identifies the encryption types that servers will permit for
    session keys and for ticket and authenticator encryption, ordered
    by preference from highest to lowest.  Starting in release 1.18,
    this tag also acts as the default value for
    **default_tgs_enctypes** and **default_tkt_enctypes**.  The
    default value for this tag is |defetypes|.

**plugin_base_dir**
    If set, determines the base directory where krb5 plugins are
    located.  The default value is the ``krb5/plugins`` subdirectory
    of the krb5 library directory.  This relation is subject to
    parameter expansion (see below) in release 1.17 and later.

**preferred_preauth_types**
    This allows you to set the preferred preauthentication types which
    the client will attempt before others which may be advertised by a
    KDC.
    The default value for this setting is "17, 16, 15, 14", which
    forces libkrb5 to attempt to use PKINIT if it is supported.

**proxiable**
    If this flag is true, initial tickets will be proxiable by
    default, if allowed by the KDC.  The default value is false.

**qualify_shortname**
    If this string is set, it determines the domain suffix for
    single-component hostnames when DNS canonicalization is not used
    (either because **dns_canonicalize_hostname** is false or because
    forward canonicalization failed).  The default value is the first
    search domain of the system's DNS configuration.  To disable
    qualification of shortnames, set this relation to the empty string
    with ``qualify_shortname = ""``.  (New in release 1.18.)

**rdns**
    If this flag is true, reverse name lookup will be used in addition
    to forward name lookup to canonicalize hostnames for use in
    service principal names.  If **dns_canonicalize_hostname** is set
    to false, this flag has no effect.  The default value is true.

**realm_try_domains**
    Indicate whether a host's domain components should be used to
    determine the Kerberos realm of the host.  The value of this
    variable is an integer: -1 means not to search, 0 means to try the
    host's domain itself, 1 means to also try the domain's immediate
    parent, and so forth.  The library's usual mechanism for locating
    Kerberos realms is used to determine whether a domain is a valid
    realm, which may involve consulting DNS if **dns_lookup_kdc** is
    set.  The default is not to search domain components.

**renew_lifetime**
    (:ref:`duration` string.)  Sets the default renewable lifetime
    for initial ticket requests.  The default value is 0.

**spake_preauth_groups**
    A whitespace or comma-separated list of words which specifies the
    groups allowed for SPAKE preauthentication.
    The possible values are:

    ============ ================================
    edwards25519 Edwards25519 curve (:rfc:`7748`)
    P-256        NIST P-256 curve (:rfc:`5480`)
    P-384        NIST P-384 curve (:rfc:`5480`)
    P-521        NIST P-521 curve (:rfc:`5480`)
    ============ ================================

    The default value for the client is ``edwards25519``.  The default
    value for the KDC is empty.  New in release 1.17.

**ticket_lifetime**
    (:ref:`duration` string.)  Sets the default lifetime for initial
    ticket requests.  The default value is 1 day.

**udp_preference_limit**
    When sending a message to the KDC, the library will try using TCP
    before UDP if the size of the message is above
    **udp_preference_limit**.  If the message is smaller than
    **udp_preference_limit**, then UDP will be tried before TCP.
    Regardless of the size, both protocols will be tried if the first
    attempt fails.

**verify_ap_req_nofail**
    If this flag is true, then an attempt to verify initial
    credentials will fail if the client machine does not have a
    keytab.  The default value is false.

**client_aware_channel_bindings**
    If this flag is true, then all application protocol authentication
    requests will be flagged to indicate that the application supports
    channel bindings when operating over a secure channel.  The
    default value is false.

.. _realms:

[realms]
~~~~~~~~

Each tag in the [realms] section of the file is the name of a Kerberos
realm.  The value of the tag is a subsection with relations that
define the properties of that particular realm.  For each realm, the
following tags may be specified in the realm's subsection:

**admin_server**
    Identifies the host where the administration server is running.
    Typically, this is the primary Kerberos server.  This tag must be
    given a value in order to communicate with the :ref:`kadmind(8)`
    server for the realm.

**auth_to_local**
    This tag allows you to set a general rule for mapping principal
    names to local user names.
    It will be used if there is not an explicit mapping for the
    principal name that is being translated.  The possible values are:

    **RULE:**\ *exp*
        The local name will be formulated from *exp*.

        The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\ *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**.
        The integer *n* indicates how many components the target
        principal should have.  If this matches, then a string will be
        formed from *string*, substituting the realm of the principal
        for ``$0`` and the *n*'th component of the principal for
        ``$n`` (e.g., if the principal was ``johndoe/admin`` then
        ``[2:$2$1foo]`` would result in the string
        ``adminjohndoefoo``).  If this string matches *regexp*, then
        the ``s//[g]`` substitution command will be run over the
        string.  The optional **g** will cause the substitution to be
        global over the *string*, instead of replacing only the first
        match in the *string*.

    **DEFAULT**
        The principal name will be used as the local user name.  If
        the principal has more than one component or is not in the
        default realm, this rule is not applicable and the conversion
        will fail.

    For example::

        [realms]
            ATHENA.MIT.EDU = {
                auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
                auth_to_local = DEFAULT
            }

    would result in any principal without ``root`` or ``admin`` as the
    second component to be translated with the default rule.  A
    principal with a second component of ``admin`` will become its
    first component.  ``root`` will be used as the local name for any
    principal with a second component of ``root``.  The exception to
    these two rules are any principals ``johndoe/*``, which will
    always get the local name ``guest``.

**auth_to_local_names**
    This subsection allows you to set explicit mappings from principal
    names to local user names.  The tag is the mapping name, and the
    value is the corresponding local user name.
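The following is an added example, not krb5's own ``auth_to_local``
implementation, that evaluates an ordered list of **auth_to_local**
values as described above: the component-count check, ``$0``/``$n``
substitution into *string*, the *regexp* match, the ``s/pattern/replacement/``
commands with the optional ``g``, and the **DEFAULT** rule's restriction to
single-component principals in the default realm.  The rule list reuses the
first two rules of the example above and adds one constructed rule that
strips a partner realm via ``$0`` and rewrites dashes globally; the
principal names are constructed.  Two parser simplifications are
assumptions of this example rather than documented krb5 behaviour: the
regexp must not contain the sequence ``)s/``, and patterns and replacements
cannot contain a ``/`` (escaping is not handled).

```python
import re

# "[n:string](regexp)s/pattern/replacement/g..." ; the regexp ends at the
# first ")" that is followed by a substitution or the end of the rule.
RULE_RE = re.compile(r'^\[(\d+):([^\]]*)\]\((.*?)\)(s/.*|)$')


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm).  Backslash
    escapes inside principal names are not handled (assumption)."""
    name, sep, realm = principal.rpartition('@')
    if not sep:
        raise ValueError('principal has no realm: %r' % principal)
    return name.split('/'), realm


def parse_substitutions(text):
    """Turn 's/pattern/replacement/[g]s/...' into [(pattern, repl, global)]."""
    subs = []
    while text:
        if not text.startswith('s/'):
            raise ValueError('bad substitution: %r' % text)
        parts = text[2:].split('/', 2)
        if len(parts) != 3:
            raise ValueError('unterminated substitution: %r' % text)
        pattern, repl, text = parts
        is_global = text.startswith('g')          # trailing g: replace all
        if is_global:
            text = text[1:]
        subs.append((pattern, repl, is_global))
    return subs


def apply_rule(exp, components, realm):
    """Apply one RULE: expression; None means the rule is not applicable."""
    m = RULE_RE.match(exp)
    if m is None:
        raise ValueError('malformed rule: %r' % exp)
    n, fmt, regexp, subs = int(m.group(1)), m.group(2), m.group(3), m.group(4)
    if len(components) != n:
        return None                               # wrong component count
    s = fmt
    for i in range(n, 0, -1):                     # $n first so $1 != $10
        s = s.replace('$%d' % i, components[i - 1])
    s = s.replace('$0', realm)                    # $0 is the realm
    if not re.search(regexp, s):
        return None                               # regexp did not match
    for pattern, repl, is_global in parse_substitutions(subs):
        s = re.sub(pattern, repl, s, count=0 if is_global else 1)
    return s


def auth_to_local(principal, rules, default_realm):
    """Map a principal to a local user name with an ordered list of
    auth_to_local values; raises LookupError when no rule applies."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == 'DEFAULT':
            if len(components) == 1 and realm == default_realm:
                return components[0]
        elif rule.startswith('RULE:'):
            local = apply_rule(rule[len('RULE:'):], components, realm)
            if local is not None:
                return local
        else:
            raise ValueError('unknown auth_to_local value: %r' % rule)
    raise LookupError('no auth_to_local rule applies to %s' % principal)


def local_name_or_none(principal, rules, default_realm):
    """Convenience wrapper: None instead of an exception when mapping fails."""
    try:
        return auth_to_local(principal, rules, default_realm)
    except LookupError:
        return None


# Rules 1 and 2 from the documentation example, plus one constructed rule.
RULES = [
    'RULE:[2:$1](johndoe)s/^.*$/guest/',
    'RULE:[2:$1;$2](^.*;admin$)s/;admin$//',
    r'RULE:[1:$1@$0](^.*@PARTNER\.EXAMPLE\.COM$)s/@PARTNER\.EXAMPLE\.COM$//s/-/_/g',
    'DEFAULT',
]
```

Because the regexp is applied with a search rather than a full match, an
unanchored expression matches more principals than intended; anchoring with
``^`` and ``$``, as the rules above do, keeps a foreign-realm principal from
being mapped onto a local account by accident, and a principal that no rule
covers fails to map rather than falling through to something permissive.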
**default_domain**
    This tag specifies the domain used to expand hostnames when
    translating Kerberos 4 service principals to Kerberos 5 principals
    (for example, when converting ``rcmd.hostname`` to
    ``host/hostname.domain``).

**disable_encrypted_timestamp**
    If this flag is true, the client will not perform encrypted
    timestamp preauthentication if requested by the KDC.  Setting this
    flag can help to prevent dictionary attacks by active attackers,
    if the realm's KDCs support SPAKE preauthentication or if initial
    authentication always uses another mechanism or always uses FAST.
    This flag persists across client referrals during initial
    authentication.  This flag does not prevent the KDC from offering
    encrypted timestamp.  New in release 1.17.

**http_anchors**
    When KDCs and kpasswd servers are accessed through HTTPS proxies,
    this tag can be used to specify the location of the CA certificate
    which should be trusted to issue the certificate for a proxy
    server.  If left unspecified, the system-wide default set of CA
    certificates is used.

    The syntax for values is similar to that of values for the
    **pkinit_anchors** tag:

    **FILE:** *filename*

    *filename* is assumed to be the name of an OpenSSL-style ca-bundle
    file.

    **DIR:** *dirname*

    *dirname* is assumed to be a directory which contains CA
    certificates.  All files in the directory will be examined; if
    they contain certificates (in PEM format), they will be used.

    **ENV:** *envvar*

    *envvar* specifies the name of an environment variable which has
    been set to a value conforming to one of the previous values.  For
    example, ``ENV:X509_PROXY_CA``, where environment variable
    ``X509_PROXY_CA`` has been set to ``FILE:/tmp/my_proxy.pem``.

**kdc**
    The name or address of a host running a KDC for that realm.  An
    optional port number, separated from the hostname by a colon, may
    be included.  If the name or address contains colons (for example,
    if it is an IPv6 address), enclose it in square brackets to
    distinguish the colon from a port separator.
    For your computer to be able to communicate with the KDC for each
    realm, this tag must be given a value in each realm subsection in
    the configuration file, or there must be DNS SRV records
    specifying the KDCs.

**kpasswd_server**
    Points to the server where all the password changes are
    performed. If there is no such entry, DNS will be queried (unless
    forbidden by **dns_lookup_kdc**). Finally, port 464 on the
    **admin_server** host will be tried.

**master_kdc**
    The name for **primary_kdc** prior to release 1.19. Its value is
    used as a fallback if **primary_kdc** is not specified.

**primary_kdc**
    Identifies the primary KDC(s). Currently, this tag is used in only
    one case: If an attempt to get credentials fails because of an
    invalid password, the client software will attempt to contact the
    primary KDC, in case the user's password has just been changed,
    and the updated database has not been propagated to the replica
    servers yet. New in release 1.19.

**v4_instance_convert**
    This subsection allows the administrator to configure exceptions
    to the **default_domain** mapping rule. It contains V4 instances
    (the tag name) which should be translated to some specific
    hostname (the tag value) as the second component in a Kerberos V5
    principal name.

**v4_realm**
    This relation is used by the krb524 library routines when
    converting a V5 principal name to a V4 principal name. It is used
    when the V4 realm name and the V5 realm name are not the same,
    but still share the same principal names and passwords. The tag
    value is the Kerberos V4 realm name.


.. _domain_realm:

[domain_realm]
~~~~~~~~~~~~~~

The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name. The tag name can be a host
name or domain name, where domain names are indicated by a prefix of
a period (``.``). The value of the relation is the Kerberos realm
name for that particular host or domain.
A host name relation implicitly provides the corresponding domain
name relation, unless an explicit domain name relation is provided.
The Kerberos realm may be identified either in the realms_ section
or using DNS SRV records. Host names and domain names should be in
lower case. For example::

    [domain_realm]
        crash.mit.edu = TEST.ATHENA.MIT.EDU
        .dev.mit.edu = TEST.ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU

maps the host with the name ``crash.mit.edu`` into the
``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under
the domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm,
but not the host with the name ``dev.mit.edu``. That host is matched
by the third entry, which maps the host ``mit.edu`` and all hosts
under the domain ``mit.edu`` that do not match a preceding rule into
the realm ``ATHENA.MIT.EDU``.

If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get
a referral to the appropriate realm from the client realm's KDC. If
that does not succeed, the host's realm is considered to be the
hostname's domain portion converted to uppercase, unless the
**realm_try_domains** setting in [libdefaults] causes a different
parent domain to be used.


.. _capaths:

[capaths]
~~~~~~~~~

In order to perform direct (non-hierarchical) cross-realm
authentication, configuration is needed to determine the
authentication paths between realms.

A client will use this section to find the authentication path
between its realm and the realm of the server. The server will use
this section to verify the authentication path used by the client,
by checking the transited field of the received ticket.

There is a tag for each participating client realm, and each tag has
subtags for each of the server realms. The value of the subtags is
an intermediate realm which may participate in the cross-realm
authentication. The subtags may be repeated if there is more than
one intermediate realm. A value of "."
means that the two realms share keys directly, and no intermediate
realms should be allowed to participate.

Only those entries which will be needed on the client or the server
need to be present. A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate
to. A server needs a tag for each realm of the clients it will
serve, with a subtag of the server realm.

For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to
use the ``ES.NET`` realm as an intermediate realm. ANL has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
would look like this::

    [capaths]
        ANL.GOV = {
            TEST.ANL.GOV = .
            PNL.GOV = ES.NET
            NERSC.GOV = ES.NET
            ES.NET = .
        }
        TEST.ANL.GOV = {
            ANL.GOV = .
        }
        PNL.GOV = {
            ANL.GOV = ES.NET
        }
        NERSC.GOV = {
            ANL.GOV = ES.NET
        }
        ES.NET = {
            ANL.GOV = .
        }

The [capaths] section of the configuration file used on
``NERSC.GOV`` systems would look like this::

    [capaths]
        NERSC.GOV = {
            ANL.GOV = ES.NET
            TEST.ANL.GOV = ES.NET
            TEST.ANL.GOV = ANL.GOV
            PNL.GOV = ES.NET
            ES.NET = .
        }
        ANL.GOV = {
            NERSC.GOV = ES.NET
        }
        PNL.GOV = {
            NERSC.GOV = ES.NET
        }
        ES.NET = {
            NERSC.GOV = .
        }
        TEST.ANL.GOV = {
            NERSC.GOV = ANL.GOV
            NERSC.GOV = ES.NET
        }

When a subtag is used more than once within a tag, clients will use
the order of values to determine the path. The order of values is
not important to servers.


.. _appdefaults:

[appdefaults]
~~~~~~~~~~~~~

Each tag in the [appdefaults] section names a Kerberos V5
application or an option that is used by some Kerberos V5
application[s]. The value of the tag defines the default behaviors
for that application.

For example::

    [appdefaults]
        telnet = {
            ATHENA.MIT.EDU = {
                option1 = false
            }
        }
        telnet = {
            option1 = true
            option2 = true
        }
        ATHENA.MIT.EDU = {
            option2 = false
        }
        option2 = true

The above four ways of specifying the value of an option are shown
in order of decreasing precedence.
In this example, if telnet is running in the realm ``EXAMPLE.COM``,
it should, by default, have ``option1`` and ``option2`` set to true.
However, a telnet program in the realm ``ATHENA.MIT.EDU`` should
have ``option1`` set to false and ``option2`` set to true. Any other
programs in ``ATHENA.MIT.EDU`` should have ``option2`` set to false
by default. Any programs running in other realms should have
``option2`` set to true.

The list of specifiable options for each application may be found
in that application's man pages. The application defaults specified
here are overridden by those specified in the realms_ section.


.. _plugins:

[plugins]
~~~~~~~~~

    * pwqual_ interface
    * kadm5_hook_ interface
    * clpreauth_ and kdcpreauth_ interfaces

Tags in the [plugins] section can be used to register dynamic plugin
modules and to turn modules on and off. Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are
documented here. New in release 1.9.

Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:

**disable**
    This tag may have multiple values. If there are values for this
    tag, then the named modules will be disabled for the pluggable
    interface.

**enable_only**
    This tag may have multiple values. If there are values for this
    tag, then only the named modules will be enabled for the
    pluggable interface.

**module**
    This tag may have multiple values. Each value is a string of the
    form ``modulename:pathname``, which causes the shared object
    located at *pathname* to be registered as a dynamic module named
    *modulename* for the pluggable interface. If *pathname* is not an
    absolute path, it will be treated as relative to the
    **plugin_base_dir** value from :ref:`libdefaults`.

For pluggable interfaces where module order matters, modules
registered with a **module** tag normally come first, in the order
they are registered, followed by built-in modules in the order they
are documented below.
If **enable_only** tags are used, then the order of those tags
overrides the normal module order.

The following subsections are currently supported within the
[plugins] section:

.. _ccselect:

ccselect interface
##################

The ccselect subsection controls modules for credential cache
selection within a cache collection. In addition to any registered
dynamic modules, the following built-in modules exist (and may be
disabled with the disable tag):

**k5identity**
    Uses a .k5identity file in the user's home directory to select a
    client principal

**realm**
    Uses the service realm to guess an appropriate cache from the
    collection

**hostname**
    If the service principal is host-based, uses the service hostname
    to guess an appropriate cache from the collection

.. _pwqual:

pwqual interface
################

The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed. The following built-in modules exist for this interface:

**dict**
    Checks against the realm dictionary file

**empty**
    Rejects empty passwords

**hesiod**
    Checks against user information stored in Hesiod (only if
    Kerberos was built with Hesiod support)

**princ**
    Checks against components of the principal name

.. _kadm5_hook:

kadm5_hook interface
####################

The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion.
This interface can be used to write a plugin to synchronize MIT
Kerberos with another database such as Active Directory. No plugins
are built in for this interface.

.. _kadm5_auth:

kadm5_auth interface
####################

The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation.
The following built-in modules exist for this interface:

**acl**
    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
    operations which are allowed according to the rules in the file.

**self**
    This module authorizes self-service operations including password
    changes, creation of new random keys, fetching the client's
    principal record or string attributes, and fetching the policy
    record associated with the client principal.

.. _clpreauth:

.. _kdcpreauth:

clpreauth and kdcpreauth interfaces
###################################

The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms. The following
built-in modules exist for these interfaces:

**pkinit**
    This module implements the PKINIT preauthentication mechanism.

**encrypted_challenge**
    This module implements the encrypted challenge FAST factor.

**encrypted_timestamp**
    This module implements the encrypted timestamp mechanism.

.. _hostrealm:

hostrealm interface
###################

The hostrealm section (introduced in release 1.12) controls modules
for the host-to-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm. The
following built-in modules exist for this interface:

**profile**
    This module consults the [domain_realm] section of the profile
    for authoritative host-to-realm mappings, and the
    **default_realm** variable for the default realm.

**dns**
    This module looks for DNS records for fallback host-to-realm
    mappings and the default realm. It only operates if the
    **dns_lookup_realm** variable is set to true.

**domain**
    This module applies heuristics for fallback host-to-realm
    mappings. It implements the **realm_try_domains** variable, and
    uses the uppercased parent domain of the hostname if that does
    not produce a result.

..
.. _localauth:

localauth interface
###################

The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the
relationship between Kerberos principals and local system accounts.
The following built-in modules exist for this interface:

**default**
    This module implements the **DEFAULT** type for **auth_to_local**
    values.

**rule**
    This module implements the **RULE** type for **auth_to_local**
    values.

**names**
    This module looks for an **auth_to_local_names** mapping for the
    principal name.

**auth_to_local**
    This module processes **auth_to_local** values in the default
    realm's section, and applies the default method if no
    **auth_to_local** values exist.

**k5login**
    This module authorizes a principal to a local account according
    to the account's :ref:`.k5login(5)` file.

**an2ln**
    This module authorizes a principal to a local account if the
    principal name maps to the local account name.

.. _certauth:

certauth interface
##################

The certauth section (introduced in release 1.16) controls modules
for the certificate authorization interface, which determines
whether a certificate is allowed to preauthenticate a user via
PKINIT. The following built-in modules exist for this interface:

**pkinit_san**
    This module authorizes the certificate if it contains a PKINIT
    Subject Alternative Name for the requested client principal, or
    a Microsoft UPN SAN matching the principal if
    **pkinit_allow_upn** is set to true for the realm.

**pkinit_eku**
    This module rejects the certificate if it does not contain an
    Extended Key Usage attribute consistent with the
    **pkinit_eku_checking** value for the realm.

**dbmatch**
    This module authorizes or rejects the certificate according to
    whether it matches the **pkinit_cert_match** string attribute on
    the client principal, if that attribute is present.


PKINIT options
--------------

.. note::

          The following are PKINIT-specific options.
          These values may be specified in [libdefaults] as global
          defaults, or within a realm-specific subsection of
          [libdefaults], or may be specified as realm-specific values
          in the [realms] section. A realm-specific value overrides,
          not adds to, a generic [libdefaults] specification. The
          search order is:

1. realm-specific subsection of [libdefaults]::

       [libdefaults]
           EXAMPLE.COM = {
               pkinit_anchors = FILE:/usr/local/example.com.crt
           }

2. realm-specific value in the [realms] section::

       [realms]
           OTHERREALM.ORG = {
               pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
           }

3. generic value in the [libdefaults] section::

       [libdefaults]
           pkinit_anchors = DIR:/usr/local/generic_trusted_cas/


.. _pkinit_identity:

Specifying PKINIT identity information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:

**FILE:**\ *filename*\ [**,**\ *keyfilename*]
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *filename*
    specifies the name of a PEM-format file containing the user's
    certificate. If *keyfilename* is not specified, the user's
    private key is expected to be in *filename* as well. Otherwise,
    *keyfilename* is the name of the file containing the private
    key.

    In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed
    to be the name of an OpenSSL-style ca-bundle file.

**DIR:**\ *dirname*
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *dirname*
    specifies a directory with files named ``*.crt`` and ``*.key``
    where the first part of the file name is the same for matching
    pairs of certificate and private key files. When a file with a
    name ending with ``.crt`` is found, a matching file ending with
    ``.key`` is assumed to contain the private key. If no such file
    is found, then the certificate in the ``.crt`` is not used.
    In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to
    be an OpenSSL-style hashed CA directory where each CA cert is
    stored in a file named ``hash-of-ca-cert.#``. This infrastructure
    is encouraged, but all files in the directory will be examined
    and if they contain certificates (in PEM format), they will be
    used.

    In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style
    hashed CA directory where each revocation list is stored in a
    file named ``hash-of-ca-cert.r#``. This infrastructure is
    encouraged, but all files in the directory will be examined and
    if they contain a revocation list (in PEM format), they will be
    used.

**PKCS12:**\ *filename*
    *filename* is the name of a PKCS #12 format file, containing the
    user's certificate and private key.

**PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*]
    All keyword/values are optional. *modname* specifies the location
    of a library implementing PKCS #11. If a value is encountered
    with no keyword, it is assumed to be the *modname*. If no
    module-name is specified, the default is ``opensc-pkcs11.so``.
    ``slotid=`` and/or ``token=`` may be specified to force the use
    of a particular smart card reader or token if there is more than
    one available. ``certid=`` and/or ``certlabel=`` may be specified
    to force the selection of a particular certificate on the device.
    See the **pkinit_cert_match** configuration option for more ways
    to select a particular certificate to use for PKINIT.

**ENV:**\ *envvar*
    *envvar* specifies the name of an environment variable which has
    been set to a value conforming to one of the previous values.
    For example, ``ENV:X509_PROXY``, where environment variable
    ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``.


PKINIT krb5.conf options
~~~~~~~~~~~~~~~~~~~~~~~~

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates
    which the client trusts to sign KDC certificates.
    This option may be specified multiple times. These values from
    the config file are not used if the user specifies X509_anchors
    on the command line.

**pkinit_cert_match**
    Specifies matching rules that the client certificate must match
    before it is used to attempt PKINIT authentication. If a user
    has multiple certificates available (on a smart card, or via
    other media), there must be exactly one certificate chosen
    before attempting PKINIT authentication. This option may be
    specified multiple times. All the available certificates are
    checked against each rule in order until there is a match of
    exactly one certificate.

    The Subject and Issuer comparison strings are the :rfc:`2253`
    string representations from the certificate Subject DN and
    Issuer DN values.

    The syntax of the matching rules is:

        [*relation-operator*\ ]\ *component-rule* ...

    where:

    *relation-operator*
        can be either ``&&``, meaning all component rules must match,
        or ``||``, meaning that at least one component rule must
        match. The default is ``&&``.

    *component-rule*
        can be one of the following. Note that there is no
        punctuation or whitespace between component rules.

        | **<SUBJECT>**\ *regular-expression*
        | **<ISSUER>**\ *regular-expression*
        | **<SAN>**\ *regular-expression*
        | **<EKU>**\ *extended-key-usage-list*
        | **<KU>**\ *key-usage-list*

        *extended-key-usage-list* is a comma-separated list of
        required Extended Key Usage values. All values in the list
        must be present in the certificate. Extended Key Usage values
        can be:

        * pkinit
        * msScLogin
        * clientAuth
        * emailProtection

        *key-usage-list* is a comma-separated list of required Key
        Usage values. All values in the list must be present in the
        certificate.
        Key Usage values can be:

        * digitalSignature
        * keyEncipherment

    Examples::

        pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
        pkinit_cert_match = &&<EKU>msScLogin,clientAuth<SUBJECT>.*DoE.*
        pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature

**pkinit_eku_checking**
    This option specifies what Extended Key Usage value the KDC
    certificate presented to the client must contain. (Note that if
    the KDC certificate has the pkinit SubjectAlternativeName encoded
    as the Kerberos TGS name, EKU checking is not necessary since the
    issuing CA has certified this as a KDC certificate.) The values
    recognized in the krb5.conf file are:

    **kpKDC**
        This is the default value and specifies that the KDC must have
        the id-pkinit-KPKdc EKU as defined in :rfc:`4556`.

    **kpServerAuth**
        If **kpServerAuth** is specified, a KDC certificate with the
        id-kp-serverAuth EKU will be accepted. This key usage value
        is used in most commercially issued server certificates.

    **none**
        If **none** is specified, then the KDC certificate will not
        be checked to verify it has an acceptable EKU. The use of
        this option is not recommended.

**pkinit_dh_min_bits**
    Specifies the size of the Diffie-Hellman key the client will
    attempt to use. The acceptable values are 1024, 2048, and 4096.
    The default is 2048.

**pkinit_identities**
    Specifies the location(s) to be used to find the user's X.509
    identity information. If this option is specified multiple
    times, each value is attempted in order until certificates are
    found. Note that these values are not used if the user specifies
    **X509_user_identity** on the command line.

**pkinit_kdc_hostname**
    The presence of this option indicates that the client is willing
    to accept a KDC certificate with a dNSName SAN (Subject
    Alternative Name) rather than requiring the id-pkinit-san as
    defined in :rfc:`4556`. This option may be specified multiple
    times. Its value should contain the acceptable hostname for the
    KDC (as contained in its certificate).
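The **pkinit_cert_match** selection procedure (every rule tried in order until exactly one certificate matches) is easy to get wrong, so here is an added Python model of it together with the three example values from the text. This is illustration, not krb5 code: it works on a small ``Cert`` record whose fields are assumed to have been extracted from the X.509 certificate already, and it assumes that the **<SUBJECT>**, **<ISSUER>** and **<SAN>** regular expressions are searched for anywhere in the string (not anchored) and that an **<EKU>** or **<KU>** list is satisfied when every listed usage is present. The last check shows why regular expressions in these rules should be anchored and dots escaped: ``.*@EXAMPLE.COM`` also accepts a SAN of ``jane@EXAMPLE.COM.example.net``.

```python
"""Evaluator for krb5.conf pkinit_cert_match rules.

Added illustration, not krb5 code.  Certificates are pre-parsed records;
regex component rules are searched, EKU/KU lists require every value.
"""
import re
from dataclasses import dataclass, field
from typing import Any, List, Optional, Set, Tuple

EKU_VALUES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_VALUES = {"digitalSignature", "keyEncipherment"}
TAG_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")
Component = Tuple[str, Any]           # (tag, compiled regex or set of usages)


@dataclass
class Cert:
    label: str
    subject: str                      # RFC 2253 string form of the Subject DN
    issuer: str                       # RFC 2253 string form of the Issuer DN
    sans: List[str] = field(default_factory=list)
    eku: Set[str] = field(default_factory=set)
    ku: Set[str] = field(default_factory=set)


def parse_match_rule(rule: str) -> Tuple[str, List[Component]]:
    """Split one pkinit_cert_match value into its relation and component rules."""
    relation = "&&"                                   # documented default
    if rule[:2] in ("&&", "||"):
        relation, rule = rule[:2], rule[2:]
    parts = TAG_RE.split(rule)                        # ['', TAG, body, TAG, body, ...]
    if parts[0] != "":
        raise ValueError(f"text before the first component rule: {parts[0]!r}")
    components: List[Component] = []
    for tag, body in zip(parts[1::2], parts[2::2]):
        if tag in ("EKU", "KU"):
            wanted = set(body.split(","))
            unknown = wanted - (EKU_VALUES if tag == "EKU" else KU_VALUES)
            if unknown:
                raise ValueError(f"unknown {tag} value(s): {sorted(unknown)}")
            components.append((tag, wanted))
        else:
            components.append((tag, re.compile(body)))
    if not components:
        raise ValueError("rule contains no component rules")
    return relation, components


def rule_is_valid(rule: str) -> bool:
    try:
        parse_match_rule(rule)
        return True
    except (ValueError, re.error):
        return False


def component_matches(tag: str, want: Any, cert: Cert) -> bool:
    if tag == "SUBJECT":
        return want.search(cert.subject) is not None      # unanchored search
    if tag == "ISSUER":
        return want.search(cert.issuer) is not None
    if tag == "SAN":
        return any(want.search(san) for san in cert.sans)
    present = cert.eku if tag == "EKU" else cert.ku
    return want <= present                                # all listed usages present


def rule_matches(rule: str, cert: Cert) -> bool:
    relation, components = parse_match_rule(rule)
    outcomes = [component_matches(tag, want, cert) for tag, want in components]
    return all(outcomes) if relation == "&&" else any(outcomes)


def match_counts(rules: List[str], certs: List[Cert]) -> List[int]:
    """How many certificates each rule matches, in rule order."""
    return [sum(rule_matches(rule, c) for c in certs) for rule in rules]


def select_certificate(rules: List[str], certs: List[Cert]) -> Optional[Cert]:
    """First rule matching exactly one certificate decides; otherwise None."""
    for rule in rules:
        matched = [c for c in certs if rule_matches(rule, c)]
        if len(matched) == 1:
            return matched[0]
        # zero or several matches: this rule cannot decide, try the next one
    return None


# The three example values from the text above, in order.
DOC_RULES = [
    "||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
    "&&<EKU>msScLogin,clientAuth<SUBJECT>.*DoE.*",
    "<EKU>msScLogin,clientAuth<KU>digitalSignature",
]

# Constructed sample certificates, as a smart card might hold them.
SAMPLE_CERTS = [
    Cert("auth", "CN=Jane DoE,OU=Staff,O=Example", "CN=Example CA,O=Example",
         sans=["jane@EXAMPLE.COM"], eku={"clientAuth", "msScLogin"}, ku={"digitalSignature"}),
    Cert("encrypt", "CN=Jane Encryption,OU=Staff,O=Example", "CN=Example CA,O=Example",
         sans=["jane@EXAMPLE.COM"], eku={"emailProtection"}, ku={"keyEncipherment"}),
    Cert("other", "CN=John Smith,OU=Staff,O=Example", "CN=Example CA,O=Example",
         sans=["john@EXAMPLE.COM"], eku={"clientAuth", "msScLogin"}, ku={"digitalSignature"}),
]
# Constructed look-alike: an unanchored SAN rule accepts this one too.
LOOKALIKE = Cert("lookalike", "CN=Jane DoE,O=Elsewhere", "CN=Other CA",
                 sans=["jane@EXAMPLE.COM.example.net"])

if __name__ == "__main__":
    print(match_counts(DOC_RULES, SAMPLE_CERTS), select_certificate(DOC_RULES, SAMPLE_CERTS).label)
```

With these certificates the first rule matches all three (two via the SAN, one via the Subject), so it cannot decide; the second rule matches only the ``auth`` certificate and wins. The third rule on its own would match two certificates and fail to select anything.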
**pkinit_pool**
    Specifies the location of intermediate certificates which may be
    used by the client to complete the trust chain between a KDC
    certificate and a trusted anchor. This option may be specified
    multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check
    the available revocation information to see if a certificate has
    been revoked. If a match is found for the certificate in a CRL,
    verification fails. If the certificate being verified is not
    listed in a CRL, or there is no CRL present for its issuing CA,
    and **pkinit_require_crl_checking** is false, then verification
    succeeds.

    However, if **pkinit_require_crl_checking** is true and there is
    no CRL information available for the issuing CA, then
    verification fails.

    **pkinit_require_crl_checking** should be set to true if the
    policy is such that up-to-date CRLs must be present for every CA.

**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL)
    information to be used by the client when verifying the validity
    of the KDC certificate presented. This option may be specified
    multiple times.


.. _parameter_expansion:

Parameter expansion
-------------------

Starting with release 1.11, several variables, such as
**default_keytab_name**, allow parameters to be expanded.
Valid parameters are:

    =================  ===================================================
    %{TEMP}            Temporary directory
    %{uid}             Unix real UID or Windows SID
    %{euid}            Unix effective user ID or Windows SID
    %{USERID}          Same as %{uid}
    %{null}            Empty string
    %{LIBDIR}          Installation library directory
    %{BINDIR}          Installation binary directory
    %{SBINDIR}         Installation admin binary directory
    %{username}        (Unix) Username of effective user ID
    %{APPDATA}         (Windows) Roaming application data for current user
    %{COMMON_APPDATA}  (Windows) Application data for all users
    %{LOCAL_APPDATA}   (Windows) Local application data for current user
    %{SYSTEM}          (Windows) Windows system folder
    %{WINDOWS}         (Windows) Windows folder
    %{USERCONFIG}      (Windows) Per-user MIT krb5 config file directory
    %{COMMONCONFIG}    (Windows) Common MIT krb5 config file directory
    =================  ===================================================


Sample krb5.conf file
---------------------

Here is an example of a generic krb5.conf file::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU
        dns_lookup_kdc = true
        dns_lookup_realm = false

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            kdc = kerberos-2.mit.edu
            admin_server = kerberos.mit.edu
            primary_kdc = kerberos.mit.edu
        }
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
            admin_server = kerberos.example.com
        }

    [domain_realm]
        mit.edu = ATHENA.MIT.EDU

    [capaths]
        ATHENA.MIT.EDU = {
               EXAMPLE.COM = .
        }
        EXAMPLE.COM = {
               ATHENA.MIT.EDU = .
        }


FILES
-----

|krb5conf|


SEE ALSO
--------

syslog(3)


.. _kadm5.acl(5):

kadm5.acl
=========

DESCRIPTION
-----------

The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database. For
operations that affect principals, the ACL file also controls which
principals can operate on which other principals.
The default location of the Kerberos ACL file is |kdcdir|\ ``/kadm5.acl``
unless this is overridden by the *acl_file* variable in
:ref:`kdc.conf(5)`.

SYNTAX
------

Empty lines and lines starting with the sharp sign (``#``) are
ignored. Lines containing ACL entries have the format::

    principal permissions [target_principal [restrictions] ]

.. note::

          Line order in the ACL file is important. The first matching
          entry will control access for an actor principal on a
          target principal.

*principal*
    (Partially or fully qualified Kerberos principal name.)
    Specifies the principal whose permissions are to be set. Each
    component of the name may be wildcarded using the ``*``
    character.

*permissions*
    Specifies what operations may or may not be performed by a
    *principal* matching a particular entry. This is a string of one
    or more of the following list of characters or their upper-case
    counterparts. If the character is *upper-case*, then the
    operation is disallowed. If the character is *lower-case*, then
    the operation is permitted.

    ==  ======================================================
    a   [Dis]allows the addition of principals or policies
    c   [Dis]allows the changing of passwords for principals
    d   [Dis]allows the deletion of principals or policies
    e   [Dis]allows the extraction of principal keys
    i   [Dis]allows inquiries about principals or policies
    l   [Dis]allows the listing of all principals or policies
    m   [Dis]allows the modification of principals or policies
    p   [Dis]allows the propagation of the principal database
        (used in :ref:`incr_db_prop`)
    s   [Dis]allows the explicit setting of the key for a principal
    x   Short for admcilsp. All privileges (except ``e``)
    \*  Same as x.
    ==  ======================================================

.. note::

          The ``extract`` privilege is not included in the wildcard
          privilege; it must be explicitly assigned.
          This privilege allows the user to extract keys from the
          database, and must be handled with great care to avoid
          disclosure of important keys like those of the kadmin/* or
          krbtgt/* principals. The **lockdown_keys** principal
          attribute can be used to prevent key extraction from
          specific principals regardless of the granted privilege.

*target_principal*
    (Optional. Partially or fully qualified Kerberos principal name.)
    Specifies the principal on which *permissions* may be applied.
    Each component of the name may be wildcarded using the ``*``
    character. *target_principal* can also include back-references
    to *principal*, in which ``*number`` matches the corresponding
    wildcard in *principal*.

*restrictions*
    (Optional) A string of flags. Allowed restrictions are:

    {+\|-}\ *flagname*
        flag is forced to the indicated value. The permissible flags
        are the same as those for the **default_principal_flags**
        variable in :ref:`kdc.conf(5)`.

    *-clearpolicy*
        policy is forced to be empty.

    *-policy pol*
        policy is forced to be *pol*.

    -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
        (:ref:`getdate` string) associated value will be forced to
        MIN(*time*, requested value).

    The above flags act as restrictions on any add or modify
    operation which is allowed due to that ACL line.

.. warning::

    If the kadmind ACL file is modified, the kadmind daemon needs to
    be restarted for changes to take effect.

EXAMPLE
-------

Here is an example of a kadm5.acl file::

    */admin@ATHENA.MIT.EDU  *                               # line 1
    joeadmin@ATHENA.MIT.EDU  ADMCIL                         # line 2
    joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU     # line 3
    */root@ATHENA.MIT.EDU ci  *1@ATHENA.MIT.EDU             # line 4
    */root@ATHENA.MIT.EDU l   *                             # line 5
    sms@ATHENA.MIT.EDU x   *   -maxlife 9h -postdateable    # line 6

(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
``admin`` instance has all administrative privileges except
extracting keys.
(lines 1-3) The user ``joeadmin`` has all permissions except
extracting keys with his ``admin`` instance,
``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no
permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
(matches line 2). His ``root`` and other non-``admin``, non-null
instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
with any principal that has the instance ``root`` (matches line 3).

(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or
change the password of their null instance, but not any other null
instance. (Here, ``*1`` denotes a back-reference to the component
matching the first wildcard in the actor principal.)

(line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate
the list of principals in the database, and the list of policies in
the database. This line is separate from line 4, because list
permission can only be granted globally, not to specific target
principals.

(line 6) Finally, the Service Management System principal
``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys,
but any principal that it creates or modifies will not be able to
get postdateable tickets or tickets with a life of longer than 9
hours.

MODULE BEHAVIOR
---------------

The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the :ref:`kadm5_auth` section of
:ref:`krb5.conf(5)`. The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file. To
operate without an ACL file, set the *acl_file* variable in
:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.

SEE ALSO
--------

:ref:`kdc.conf(5)`, :ref:`kadmind(8)`


..
.. _kdc.conf(5):

kdc.conf
========

The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which
are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program.
Relations documented here may also be specified in krb5.conf; for
the KDC programs mentioned, krb5.conf and kdc.conf will be merged
into a single configuration profile.

Normally, the kdc.conf file is found in the KDC state directory,
|kdcdir|. You can override the default location by setting the
environment variable **KRB5_KDC_PROFILE**.

Please note that you need to restart the KDC daemon for any
configuration changes to take effect.

Structure
---------

The kdc.conf file is set up in the same format as the
:ref:`krb5.conf(5)` file.

Sections
--------

The kdc.conf file may contain the following sections:

====================  =================================================
:ref:`kdcdefaults`    Default values for KDC behavior
:ref:`kdc_realms`     Realm-specific database configuration and settings
:ref:`dbdefaults`     Default database settings
:ref:`dbmodules`      Per-database settings
:ref:`logging`        Controls how Kerberos daemons perform logging
====================  =================================================

.. _kdcdefaults:

[kdcdefaults]
~~~~~~~~~~~~~

Some relations in the [kdcdefaults] section specify default values
for realm variables, to be used if the [realms] subsection does not
contain a relation for the tag. See the :ref:`kdc_realms` section
for the definitions of these relations.

* **host_based_services**
* **kdc_listen**
* **kdc_ports**
* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**

The following [kdcdefaults] variables have no per-realm equivalent:

**kdc_max_dgram_reply_size**
    Specifies the maximum packet size that can be sent over UDP. The
    default value is 4096 bytes.

**kdc_tcp_listen_backlog**
    (Integer.) Set the size of the listen queue length for the KDC
    daemon.
    The value may be limited by OS settings. The default value is 5.

**spake_preauth_kdc_challenge**
    (String.) Specifies the group for a SPAKE optimistic challenge.
    See the **spake_preauth_groups** variable in :ref:`libdefaults`
    for possible values. The default is not to issue an optimistic
    challenge. (New in release 1.17.)


.. _kdc_realms:

[realms]
~~~~~~~~

Each tag in the [realms] section is the name of a Kerberos realm.
The value of the tag is a subsection where the relations define KDC
parameters for that particular realm. The following example shows
how to define one parameter for the ATHENA.MIT.EDU realm::

    [realms]
        ATHENA.MIT.EDU = {
            max_renewable_life = 7d 0h 0m 0s
        }

The following tags may be specified in a [realms] subsection:

**acl_file**
    (String.) Location of the access control list file that
    :ref:`kadmind(8)` uses to determine which principals are allowed
    which permissions on the Kerberos database. To operate without an
    ACL file, set this relation to the empty string with
    ``acl_file = ""``. The default value is |kdcdir|\ ``/kadm5.acl``.
    For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`.

**database_module**
    (String.) This relation indicates the name of the configuration
    section under :ref:`dbmodules` for database-specific parameters
    used by the loadable database library. The default value is the
    realm name. If this configuration section does not exist, default
    values will be used for all database parameters.

**database_name**
    (String, deprecated.) This relation specifies the location of the
    Kerberos database for this realm, if the DB2 module is being used
    and the :ref:`dbmodules` configuration section does not specify a
    database name. The default value is |kdcdir|\ ``/principal``.

**default_principal_expiration**
    (:ref:`abstime` string.) Specifies the default expiration date of
    principals created in this realm. The default value is 0, which
    means no expiration date.

**default_principal_flags**
    (Flag string.)
Specifies the default attributes of principals created in this realm. The format for this string is a comma-separated list of flags, with '+' before each flag that should be enabled and '-' before each flag that should be disabled. The **postdateable**, **forwardable**, **tgt-based**, **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and **service** flags default to enabled. There are a number of possible flags: **allow-tickets** Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. **dup-skey** Enabling this flag allows the KDC to issue user-to-user service tickets for this principal. **forwardable** Enabling this flag allows the principal to obtain forwardable tickets. **hwauth** If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. **no-auth-data-required** Enabling this flag prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. **ok-as-delegate** If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. **ok-to-auth-as-delegate** Enabling this flag allows the principal to use S4USelf tickets. **postdateable** Enabling this flag allows the principal to obtain postdateable tickets. **preauth** If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. **proxiable** Enabling this flag allows the principal to obtain proxy tickets. **pwchange** Enabling this flag forces a password change for this principal. **pwservice** If this flag is enabled, it marks this principal as a password change service. 
This should only be used in special cases, for example, if a user's password has expired, then the user has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. **renewable** Enabling this flag allows the principal to obtain renewable tickets. **service** Enabling this flag allows the the KDC to issue service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed if the **dup-skey** flag is set. **tgt-based** Enabling this flag allows a principal to obtain tickets based on a ticket-granting-ticket, rather than repeating the authentication process that was used to obtain the TGT. **dict_file** (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. **encrypted_challenge_indicator** (String.) Specifies the authentication indicator value that the KDC asserts into tickets obtained using FAST encrypted challenge pre-authentication. New in 1.16. **host_based_services** (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is not marked as host-based by the client. **iprop_enable** (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. **iprop_ulogsize** (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. New in release 1.19. **iprop_master_ulogsize** The name for **iprop_ulogsize** prior to release 1.19. Its value is used as a fallback if **iprop_ulogsize** is not specified. **iprop_replica_poll** (Delta time string.) 
Specifies how often the replica KDC polls for new updates from the primary. The default value is ``2m`` (that is, two minutes). New in release 1.17. **iprop_slave_poll** (Delta time string.) The name for **iprop_replica_poll** prior to release 1.17. Its value is used as a fallback if **iprop_replica_poll** is not specified. **iprop_listen** (Whitespace- or comma-separated list.) Specifies the iprop RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default (when **iprop_enable** is true) is to bind to the wildcard address at the port specified in **iprop_port**. New in release 1.15. **iprop_port** (Port number.) Specifies the port number to be used for incremental propagation. When **iprop_enable** is true, this relation is required in the replica KDC configuration file, and this relation or **iprop_listen** is required in the primary configuration file, as there is no default port number. Port numbers specified in **iprop_listen** entries will override this port number for the :ref:`kadmind(8)` daemon. **iprop_resync_timeout** (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration files, and is used by replica KDCs only. The default value is 5 minutes (``5m``). New in release 1.11. **iprop_logfile** (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the **database_name** entry from the realms section of the krb5 config file, with ``.ulog`` appended. 
(NOTE: If **database_name** isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the [dbmodules] section, then the hard-coded default for **database_name** is used. Determination of the **iprop_logfile** default value will not use values from the [dbmodules] section.) **kadmind_listen** (Whitespace- or comma-separated list.) Specifies the kadmin RPC listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kadmind_port**, or the standard kadmin port (749). New in release 1.15. **kadmind_port** (Port number.) Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for this realm. Port numbers specified in **kadmind_listen** entries will override this port number. The assigned port for kadmind is 749, which is used by default. **key_stash_file** (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is |kdcdir|\ ``/.k5.REALM``, where *REALM* is the Kerberos realm. **kdc_listen** (Whitespace- or comma-separated list.) Specifies the UDP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. 
New in release 1.15. **kdc_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_listen** if that relation is not defined. **kdc_tcp_listen** (Whitespace- or comma-separated list.) Specifies the TCP listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If no port is specified, the standard port (88) is used. To disable listening on TCP, set this relation to the empty string with ``kdc_tcp_listen = ""``. If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. **kdc_tcp_ports** (Whitespace- or comma-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as **kdc_tcp_listen** if that relation is not defined. **kpasswd_listen** (Comma-separated list.) Specifies the kpasswd listening addresses and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard address is used. If kadmind fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in **kpasswd_port**, or the standard kpasswd port (464). New in release 1.15. **kpasswd_port** (Port number.) 
Specifies the port on which the :ref:`kadmind(8)` daemon is to listen for password change requests for this realm. Port numbers specified in **kpasswd_listen** entries will override this port number. The assigned port for password change requests is 464, which is used by default. **master_key_name** (String.) Specifies the name of the principal associated with the master key. The default is ``K/M``. **master_key_type** (Key type string.) Specifies the master key's key type. The default value for this is |defmkey|. For a list of all possible values, see :ref:`Encryption_types`. **max_life** (:ref:`duration` string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. **max_renewable_life** (:ref:`duration` string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. **no_host_referral** (Whitespace- or comma-separated list.) Lists services to block from getting host-based referral processing, even if the client marks the server principal as host-based or the service is also listed in **host_based_services**. ``no_host_referral = *`` will disable referral processing altogether. **reject_bad_transit** (Boolean value.) If set to true, the KDC will check the list of transited realms for cross-realm tickets against the transit path computed from the realm names and the capaths section of its :ref:`krb5.conf(5)` file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued anyways, and it will be left up to the application server to validate the realm transit path. If the disable-transited-check flag is set in the incoming request, this check is not performed at all. Having the **reject_bad_transit** option will cause such ticket requests to be rejected always. 
This transit path checking and config file option currently apply only to TGS requests. The default value is true. **restrict_anonymous_to_tgt** (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm's ticket-granting service. This option allows anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. **spake_preauth_indicator** (String.) Specifies an authentication indicator value that the KDC asserts into tickets obtained using SPAKE pre-authentication. The default is not to add any indicators. This option may be specified multiple times. New in release 1.17. **supported_enctypes** (List of *key*:*salt* strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created through :ref:`kadmin(1)` will have keys of these types. The default value for this tag is |defkeysalts|. For lists of possible values, see :ref:`Keysalt_lists`. .. _dbdefaults: [dbdefaults] ~~~~~~~~~~~~ The [dbdefaults] section specifies default values for some database parameters, to be used if the [dbmodules] subsection does not contain a relation for the tag. See the :ref:`dbmodules` section for the definitions of these relations. * **ldap_kerberos_container_dn** * **ldap_kdc_dn** * **ldap_kdc_sasl_authcid** * **ldap_kdc_sasl_authzid** * **ldap_kdc_sasl_mech** * **ldap_kdc_sasl_realm** * **ldap_kadmind_dn** * **ldap_kadmind_sasl_authcid** * **ldap_kadmind_sasl_authzid** * **ldap_kadmind_sasl_mech** * **ldap_kadmind_sasl_realm** * **ldap_service_password_file** * **ldap_conns_per_server** .. _dbmodules: [dbmodules] ~~~~~~~~~~~ The [dbmodules] section contains parameters used by the KDC database library and database modules. Each tag in the [dbmodules] section is the name of a Kerberos realm or a section name specified by a realm's **database_module** parameter. 
The following example shows how to define one database parameter for
the ATHENA.MIT.EDU realm::

    [dbmodules]
        ATHENA.MIT.EDU = {
            disable_last_success = true
        }

The following tags may be specified in a [dbmodules] subsection:

**database_name**
    This DB2-specific tag indicates the location of the database in
    the filesystem.  The default is |kdcdir|\ ``/principal``.

**db_library**
    This tag indicates the name of the loadable database module.  The
    value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB
    module, or ``kldap`` for the LDAP module.

**disable_last_success**
    If set to ``true``, suppresses KDC updates to the "Last successful
    authentication" field of principal entries requiring
    preauthentication.  Setting this flag may improve performance.
    (Principal entries which do not require preauthentication never
    update the "Last successful authentication" field.)  First
    introduced in release 1.9.

**disable_lockout**
    If set to ``true``, suppresses KDC updates to the "Last failed
    authentication" and "Failed password attempts" fields of principal
    entries requiring preauthentication.  Setting this flag may
    improve performance, but also disables account lockout.  First
    introduced in release 1.9.

**ldap_conns_per_server**
    This LDAP-specific tag indicates the number of connections to be
    maintained per LDAP server.

**ldap_kdc_dn** and **ldap_kadmind_dn**
    These LDAP-specific tags indicate the default DN for binding to
    the LDAP server.  The :ref:`krb5kdc(8)` daemon uses
    **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other
    administrative programs use **ldap_kadmind_dn**.  The kadmind DN
    must have the rights to read and write the Kerberos data in the
    LDAP database.  The KDC DN must have the same rights, unless
    **disable_lockout** and **disable_last_success** are true, in
    which case it only needs to have rights to read the Kerberos data.
    These tags are ignored if a SASL mechanism is set with
    **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**.
**ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech**
    These LDAP-specific tags specify the SASL mechanism (such as
    ``EXTERNAL``) to use when binding to the LDAP server.  New in
    release 1.13.

**ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid**
    These LDAP-specific tags specify the SASL authentication identity
    to use when binding to the LDAP server.  Not all SASL mechanisms
    require an authentication identity.  If the SASL mechanism
    requires a secret (such as the password for ``DIGEST-MD5``), these
    tags also determine the name within the
    **ldap_service_password_file** where the secret is stashed.  New
    in release 1.13.

**ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid**
    These LDAP-specific tags specify the SASL authorization identity
    to use when binding to the LDAP server.  In most circumstances
    they do not need to be specified.  New in release 1.13.

**ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm**
    These LDAP-specific tags specify the SASL realm to use when
    binding to the LDAP server.  In most circumstances they do not
    need to be set.  New in release 1.13.

**ldap_kerberos_container_dn**
    This LDAP-specific tag indicates the DN of the container object
    where the realm objects will be located.

**ldap_servers**
    This LDAP-specific tag indicates the list of LDAP servers that the
    Kerberos servers can connect to.  The list of LDAP servers is
    whitespace-separated.  The LDAP server is specified by an LDAP
    URI.  It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to
    connect to the LDAP server.

**ldap_service_password_file**
    This LDAP-specific tag indicates the file containing the stashed
    passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
    **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the
    **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names
    for SASL authentication.  This file must be kept secure.

**mapsize**
    This LMDB-specific tag indicates the maximum size of the two
    database environments in megabytes.  The default value is 128.
    Increase this value to address "Environment mapsize limit reached"
    errors.  New in release 1.17.

**max_readers**
    This LMDB-specific tag indicates the maximum number of concurrent
    reading processes for the databases.  The default value is 128.
    New in release 1.17.

**nosync**
    This LMDB-specific tag can be set to improve the throughput of
    kadmind and other administrative agents, at the expense of
    durability (recent database changes may not survive a power outage
    or other sudden reboot).  It does not affect the throughput of the
    KDC.  The default value is false.  New in release 1.17.

**unlockiter**
    If set to ``true``, this DB2-specific tag causes iteration
    operations to release the database lock while processing each
    principal.  Setting this flag to ``true`` can prevent extended
    blocking of KDC or kadmin operations when dumps of large databases
    are in progress.  First introduced in release 1.13.

The following tag may be specified directly in the [dbmodules] section
to control where database modules are loaded from:

**db_module_dir**
    This tag controls where the plugin system looks for database
    modules.  The value should be an absolute path.

.. _logging:

[logging]
~~~~~~~~~

The [logging] section indicates how :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` perform logging.  It may contain the following
relations:

**admin_server**
    Specifies how :ref:`kadmind(8)` performs logging.

**kdc**
    Specifies how :ref:`krb5kdc(8)` performs logging.

**default**
    Specifies how either daemon performs logging in the absence of
    relations specific to the daemon.

**debug**
    (Boolean value.)  Specifies whether debugging messages are
    included in log outputs other than SYSLOG.  Debugging messages are
    always included in the system log output because syslog performs
    its own priority filtering.  The default value is false.  New in
    release 1.15.

Logging specifications may have the following forms:

**FILE=**\ *filename* or **FILE:**\ *filename*
    This value causes the daemon's logging messages to go to the
    *filename*.  If the ``=`` form is used, the file is overwritten.
    If the ``:`` form is used, the file is appended to.

**STDERR**
    This value causes the daemon's logging messages to go to its
    standard error stream.

**CONSOLE**
    This value causes the daemon's logging messages to go to the
    console, if the system supports it.

**DEVICE=**\ *<devicename>*
    This causes the daemon's logging messages to go to the specified
    device.

**SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]]
    This causes the daemon's logging messages to go to the system log.

    For backward compatibility, a severity argument may be specified,
    and must be specified in order to specify a facility.  This
    argument will be ignored.

    The facility argument specifies the facility under which the
    messages are logged.  This may be any of the following facilities
    supported by the syslog(3) call minus the LOG\_ prefix: **KERN**,
    **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**,
    **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**.  If no
    facility is specified, the default is **AUTH**.

In the following example, the logging messages from the KDC will go to
the console and to the system log under the facility LOG_DAEMON, and
the logging messages from the administrative server will be appended
to the file ``/var/adm/kadmin.log`` and sent to the device
``/dev/tty04``. ::

    [logging]
        kdc = CONSOLE
        kdc = SYSLOG:INFO:DAEMON
        admin_server = FILE:/var/adm/kadmin.log
        admin_server = DEVICE=/dev/tty04

If no logging specification is given, the default is to use syslog.
To disable logging entirely, specify ``default = DEVICE=/dev/null``.

.. _otp:

[otp]
~~~~~

Each subsection of [otp] is the name of an OTP token type.  The tags
within the subsection define the configuration required to forward a
One Time Password request to a RADIUS server.

For each token type, the following tags may be specified:

**server**
    This is the server to send the RADIUS request to.  It can be a
    hostname with optional port, an ip address with optional port, or
    a Unix domain socket address.  The default is |kdcdir|\
    ``/.socket``.

**secret**
    This tag indicates a filename (which may be relative to |kdcdir|)
    containing the secret used to encrypt the RADIUS packets.  The
    secret should appear in the first line of the file by itself;
    leading and trailing whitespace on the line will be removed.  If
    the value of **server** is a Unix domain socket address, this tag
    is optional, and an empty secret will be used if it is not
    specified.  Otherwise, this tag is required.

**timeout**
    An integer which specifies the time in seconds during which the
    KDC should attempt to contact the RADIUS server.  This tag is the
    total time across all retries and should be less than the time
    which an OTP value remains valid for.  The default is 5 seconds.

**retries**
    This tag specifies the number of retries to make to the RADIUS
    server.  The default is 3 retries (4 tries).

**strip_realm**
    If this tag is ``true``, the principal without the realm will be
    passed to the RADIUS server.  Otherwise, the realm will be
    included.  The default value is ``true``.

**indicator**
    This tag specifies an authentication indicator to be included in
    the ticket if this token type is used to authenticate.  This
    option may be specified multiple times.  (New in release 1.14.)

In the following example, requests are sent to a remote server via
UDP::

    [otp]
        MyRemoteTokenType = {
            server = radius.mydomain.com:1812
            secret = SEmfiajf42$
            timeout = 15
            retries = 5
            strip_realm = true
        }

An implicit default token type named ``DEFAULT`` is defined for when
the per-principal configuration does not specify a token type.  Its
configuration is shown below.  You may override this token type to
something applicable for your situation::

    [otp]
        DEFAULT = {
            strip_realm = false
        }

PKINIT options
--------------

.. note::

          The following are pkinit-specific options.  These values may
          be specified in [kdcdefaults] as global defaults, or within
          a realm-specific subsection of [realms].  Also note that a
          realm-specific value overrides, does not add to, a generic
          [kdcdefaults] specification.  The search order is:

1. realm-specific subsection of [realms]::

       [realms]
           EXAMPLE.COM = {
               pkinit_anchors = FILE:/usr/local/example.com.crt
           }

2. generic value in the [kdcdefaults] section::

       [kdcdefaults]
           pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

For information about the syntax of some of these options, see
:ref:`Specifying PKINIT identity information <pkinit_identity>` in
:ref:`krb5.conf(5)`.

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates which
    the KDC trusts to sign client certificates.  This option is
    required if pkinit is to be supported by the KDC.  This option may
    be specified multiple times.

**pkinit_dh_min_bits**
    Specifies the minimum number of bits the KDC is willing to accept
    for a client's Diffie-Hellman key.  The default is 2048.

**pkinit_allow_upn**
    Specifies that the KDC is willing to accept client certificates
    with the Microsoft UserPrincipalName (UPN) Subject Alternative
    Name (SAN).  This means the KDC accepts the binding of the UPN in
    the certificate to the Kerberos principal name.  The default value
    is false.

    Without this option, the KDC will only accept certificates with
    the id-pkinit-san as defined in :rfc:`4556`.  There is currently
    no option to disable SAN checking in the KDC.

**pkinit_eku_checking**
    This option specifies what Extended Key Usage (EKU) values the KDC
    is willing to accept in client certificates.  The values
    recognized in the kdc.conf file are:

    **kpClientAuth**
        This is the default value and specifies that client
        certificates must have the id-pkinit-KPClientAuth EKU as
        defined in :rfc:`4556`.

    **scLogin**
        If scLogin is specified, client certificates with the
        Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be
        accepted.
    **none**
        If none is specified, then client certificates will not be
        checked to verify they have an acceptable EKU.  The use of
        this option is not recommended.

**pkinit_identity**
    Specifies the location of the KDC's X.509 identity information.
    This option is required if pkinit is to be supported by the KDC.

**pkinit_indicator**
    Specifies an authentication indicator to include in the ticket if
    pkinit is used to authenticate.  This option may be specified
    multiple times.  (New in release 1.14.)

**pkinit_pool**
    Specifies the location of intermediate certificates which may be
    used by the KDC to complete the trust chain between a client's
    certificate and a trusted anchor.  This option may be specified
    multiple times.

**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL)
    information to be used by the KDC when verifying the validity of
    client certificates.  This option may be specified multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check
    the available revocation information to see if a certificate has
    been revoked.  If a match is found for the certificate in a CRL,
    verification fails.  If the certificate being verified is not
    listed in a CRL, or there is no CRL present for its issuing CA,
    and **pkinit_require_crl_checking** is false, then verification
    succeeds.

    However, if **pkinit_require_crl_checking** is true and there is
    no CRL information available for the issuing CA, then verification
    fails.

    **pkinit_require_crl_checking** should be set to true if the
    policy is such that up-to-date CRLs must be present for every CA.

**pkinit_require_freshness**
    Specifies whether to require clients to include a freshness token
    in PKINIT requests.  The default value is false.  (New in release
    1.17.)

.. _Encryption_types:

Encryption types
----------------

Any tag in the configuration files which requires a list of encryption
types can be set to some combination of the following strings.
Encryption types marked as "weak" and "deprecated" are available for
compatibility but not recommended for use.

==================================================== =========================================================
des3-cbc-raw                                         Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd        Triple DES cbc mode with HMAC/sha1 (deprecated)
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
aes128-cts-hmac-sha256-128 aes128-sha2               AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5 (deprecated)
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
des3                                                 The triple DES family: des3-cbc-sha1
aes                                                  The AES family: aes256-cts-hmac-sha1-96,
                                                     aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
                                                     aes128-cts-hmac-sha256-128
rc4                                                  The RC4 family: arcfour-hmac
camellia                                             The Camellia family: camellia256-cts-cmac and
                                                     camellia128-cts-cmac
==================================================== =========================================================

The string **DEFAULT** can be used to refer to the default set of
types for the variable in question.  Types or families can be removed
from the current list by prefixing them with a minus sign ("-").
Types or families can be prefixed with a plus sign ("+") for symmetry;
it has the same meaning as just listing the type or family.  For
example, "``DEFAULT -rc4``" would be the default set of encryption
types with RC4 types removed, and "``des3 DEFAULT``" would be the
default set of encryption types with triple DES types moved to the
front.
While **aes128-cts** and **aes256-cts** are supported for all Kerberos
operations, they are not supported by very old versions of our GSSAPI
implementation (krb5-1.3.1 and earlier).  Services running versions of
krb5 without AES support must not be given keys of these encryption
types in the KDC database.

The **aes128-sha2** and **aes256-sha2** encryption types are new in
release 1.15.  Services running versions of krb5 without support for
these newer encryption types must not be given keys of these
encryption types in the KDC database.

.. _Keysalt_lists:

Keysalt lists
-------------

Kerberos keys for users are usually derived from passwords.  Kerberos
commands and configuration parameters that affect generation of keys
take lists of enctype-salttype ("keysalt") pairs, known as *keysalt
lists*.  Each keysalt pair is an enctype name followed by a salttype
name, in the format *enc*:*salt*.  Individual keysalt list members are
separated by comma (",") characters or space characters.  For
example::

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate
password-derived keys for the **aes256-cts** and **aes128-cts**
encryption types, using a **normal** salt.

To ensure that people who happen to pick the same password do not have
the same key, Kerberos 5 incorporates more information into the key
using something called a salt.
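The list semantics of the Encryption types and Keysalt lists sections, as an added Python example (not krb5 code): it resolves an enctype list with DEFAULT, families, aliases and '+'/'-' prefixes, flags the members the table marks weak or deprecated, and parses a keysalt list into (enctype, salttype) pairs. SAMPLE_DEFAULT is a constructed stand-in for a variable's built-in default list, which the page does not give.

```python
"""Enctype list resolution and keysalt list parsing as kdc.conf describes
them (added example, not krb5 code).  The alias, family and salt tables
are those of the Encryption types and Keysalt lists sections."""

# Canonical enctype name -> every name the table lists for it.
ENCTYPE_ALIASES = {
    "des3-cbc-raw": ("des3-cbc-raw",),
    "des3-cbc-sha1": ("des3-cbc-sha1", "des3-hmac-sha1", "des3-cbc-sha1-kd"),
    "aes256-cts-hmac-sha1-96": ("aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"),
    "aes128-cts-hmac-sha1-96": ("aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"),
    "aes256-cts-hmac-sha384-192": ("aes256-cts-hmac-sha384-192", "aes256-sha2"),
    "aes128-cts-hmac-sha256-128": ("aes128-cts-hmac-sha256-128", "aes128-sha2"),
    "arcfour-hmac": ("arcfour-hmac", "rc4-hmac", "arcfour-hmac-md5"),
    "arcfour-hmac-exp": ("arcfour-hmac-exp", "rc4-hmac-exp", "arcfour-hmac-md5-exp"),
    "camellia256-cts-cmac": ("camellia256-cts-cmac", "camellia256-cts"),
    "camellia128-cts-cmac": ("camellia128-cts-cmac", "camellia128-cts"),
}
CANONICAL = {alias: name for name, aliases in ENCTYPE_ALIASES.items() for alias in aliases}

# Family names expand to the members the table gives them.
FAMILIES = {
    "des3": ("des3-cbc-sha1",),
    "aes": ("aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"),
    "rc4": ("arcfour-hmac",),
    "camellia": ("camellia256-cts-cmac", "camellia128-cts-cmac"),
}

# Types the table marks "(weak)" or "(deprecated)".
NOT_RECOMMENDED = {"des3-cbc-raw", "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}

SALT_TYPES = {"normal", "norealm", "onlyrealm", "special"}

# Constructed stand-in for the built-in default of some enctype variable
# (assumption: the real default depends on the variable and the release).
SAMPLE_DEFAULT = (
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
    "des3-cbc-sha1", "arcfour-hmac",
    "camellia256-cts-cmac", "camellia128-cts-cmac",
)


def expand(token, default):
    """Expand one element (DEFAULT, a family or a type name) to canonical names."""
    if token == "DEFAULT":
        return list(default)
    if token in FAMILIES:
        return list(FAMILIES[token])
    if token in CANONICAL:
        return [CANONICAL[token]]
    raise ValueError(f"unknown encryption type or family: {token!r}")


def resolve_enctypes(spec, default=SAMPLE_DEFAULT):
    """Resolve an enctype list string to an ordered, duplicate-free list.

    Elements are processed left to right: '-x' removes x (or every member
    of family x) from the list built so far, '+x' means the same as 'x',
    and first appearance decides order, so "des3 DEFAULT" puts triple DES
    in front of the default set.
    """
    result = []
    for token in spec.replace(",", " ").split():
        if token.startswith("-"):
            removed = set(expand(token[1:], default))
            result = [et for et in result if et not in removed]
            continue
        name = token[1:] if token.startswith("+") else token
        for et in expand(name, default):
            if et not in result:
                result.append(et)
    return result


def not_recommended(enctypes):
    """Return the members of a resolved list the table marks weak or deprecated."""
    return [et for et in enctypes if et in NOT_RECOMMENDED]


def parse_keysalts(spec):
    """Parse a keysalt list ("enc:salt" pairs separated by commas or spaces)."""
    pairs = []
    for item in spec.replace(",", " ").split():
        enc, sep, salt = item.partition(":")
        if not sep:
            raise ValueError(f"keysalt {item!r} is not in enc:salt form")
        if enc not in CANONICAL:
            raise ValueError(f"unknown encryption type in keysalt: {enc!r}")
        if salt not in SALT_TYPES:
            raise ValueError(f"unknown salt type in keysalt: {salt!r}")
        pairs.append((CANONICAL[enc], salt))
    return pairs
```

Running ``not_recommended(resolve_enctypes("DEFAULT"))`` against a real deployment's list is a quick way to see which deprecated types a ``supported_enctypes`` or ``master_key_type`` choice still admits.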
The supported salt types are as follows: ================= ============================================ normal default for Kerberos Version 5 norealm same as the default, without using realm information onlyrealm uses only realm information as the salt special generate a random salt ================= ============================================ Sample kdc.conf File -------------------- Here's an example of a kdc.conf file:: [kdcdefaults] kdc_listen = 88 kdc_tcp_listen = 88 [realms] ATHENA.MIT.EDU = { kadmind_port = 749 max_life = 12h 0m 0s max_renewable_life = 7d 0h 0m 0s master_key_type = aes256-cts-hmac-sha1-96 supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal database_module = openldap_ldapconf } [logging] kdc = FILE:/usr/local/var/krb5kdc/kdc.log admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log [dbdefaults] ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu [dbmodules] openldap_ldapconf = { db_library = kldap disable_last_success = true ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read rights on # the realm container and principal subtrees ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" # this object needs to have read and write rights on # the realm container and principal subtrees ldap_service_password_file = /etc/kerberos/service.keyfile ldap_servers = ldaps://kerberos.mit.edu ldap_conns_per_server = 5 } FILES ------ |kdcdir|\ ``/kdc.conf`` SEE ALSO --------- :ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)` krb5-1.19.2/doc/admin/conf_files/index.rst0000644000704600001450000000120114076311657021652 0ustar ghudsonsystemd-journalConfiguration Files =================== Kerberos uses configuration files to allow administrators to specify settings on a per-machine basis. :ref:`krb5.conf(5)` applies to all applications using the Kerboros library, on clients and servers. 
For KDC-specific applications, additional settings can be specified in
:ref:`kdc.conf(5)`; the two files are merged into a configuration
profile used by applications accessing the KDC database directly.
:ref:`kadm5.acl(5)` is also only used on the KDC; it controls
permissions for modifying the KDC database.

Contents
--------

.. toctree::
   :maxdepth: 1

   krb5_conf
   kdc_conf
   kadm5_acl

krb5-1.19.2/doc/admin/conf_ldap.rst

.. _conf_ldap:

Configuring Kerberos with OpenLDAP back-end
===========================================

1. Make sure the LDAP server is using local authentication
   (``ldapi://``) or TLS (``ldaps``).  See
   https://www.openldap.org/doc/admin24/tls.html for instructions on
   configuring TLS support in OpenLDAP.

2. Add the Kerberos schema file to the LDAP Server using the OpenLDAP
   LDIF file from the krb5 source directory
   (``src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif``).
   The following example uses local authentication::

       ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/kerberos.openldap.ldif

3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers
   to bind to the LDAP server, and create them if necessary.  Specify
   these DNs with the **ldap_kdc_dn** and **ldap_kadmind_dn**
   directives in :ref:`kdc.conf(5)`.  The kadmind DN will also be used
   for administrative commands such as :ref:`kdb5_util(8)`.

   Alternatively, you may configure krb5kdc and kadmind to use SASL
   authentication to access the LDAP server; see the :ref:`dbmodules`
   relations **ldap_kdc_sasl_mech** and similar.

4. Specify a location for the LDAP service password file by setting
   **ldap_service_password_file**.  Use ``kdb5_ldap_util stashsrvpw``
   to stash passwords for the KDC and kadmind DNs chosen above.  For
   example::

       kdb5_ldap_util stashsrvpw -f /path/to/service.keyfile cn=krbadmin,dc=example,dc=com

   Skip this step if you are using SASL authentication and the
   mechanism does not require a password.

5. Choose a DN for the global Kerberos container entry (but do not
   create the entry at this time).  Specify this DN with the
   **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`.
   Realm container entries will be created underneath this DN.
   Principal entries may exist either underneath the realm container
   (the default) or in separate trees referenced from the realm
   container.

6. Configure the LDAP server ACLs to enable the KDC and kadmin server
   DNs to read and write the Kerberos data.  If **disable_last_success**
   and **disable_lockout** are both set to true in the
   :ref:`dbmodules` subsection for the realm, then the KDC DN only
   requires read access to the Kerberos data.

   Sample access control information::

       access to dn.base=""
           by * read

       access to dn.base="cn=Subschema"
           by * read

       # Provide access to the realm container.
       access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
           by dn.exact="cn=kdc-service,dc=example,dc=com" write
           by dn.exact="cn=adm-service,dc=example,dc=com" write
           by * none

       # Provide access to principals, if not underneath the realm container.
       access to dn.subtree= "ou=users,dc=example,dc=com"
           by dn.exact="cn=kdc-service,dc=example,dc=com" write
           by dn.exact="cn=adm-service,dc=example,dc=com" write
           by * none

       access to *
           by * read

   If the locations of the container and principals or the DNs of the
   service objects for a realm are changed then this information
   should be updated.

7. In :ref:`kdc.conf(5)`, make sure the following relations are set in
   the :ref:`dbmodules` subsection for the realm::

       db_library                (set to ``kldap``)
       ldap_kerberos_container_dn
       ldap_kdc_dn
       ldap_kadmind_dn
       ldap_service_password_file
       ldap_servers

8. Create the realm using :ref:`kdb5_ldap_util(8)` (see
   :ref:`ldap_create_realm`)::

       kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s

   Use the **-subtrees** option if the principals are to exist in a
   separate subtree from the realm container.
   Before executing the command, make sure that the subtree mentioned
   above (``ou=users,dc=example,dc=com``) exists.  If the principals
   will exist underneath the realm container, omit the **-subtrees**
   option and do not worry about creating the principal subtree.

   For more information, refer to the section :ref:`ops_on_ldap`.

   The realm object is created under the
   **ldap_kerberos_container_dn** specified in the configuration file.
   This operation will also create the Kerberos container, if not
   present already.  This container can be used to store information
   related to multiple realms.

9. Add an ``eq`` index for ``krbPrincipalName`` to speed up principal
   lookup operations.  See
   https://www.openldap.org/doc/admin24/tuning.html#Indexes for
   details.

With the LDAP back end it is possible to provide aliases for principal
entries.  Currently we provide no administrative utilities for creating
aliases, so it must be done by direct manipulation of the LDAP entries.

An entry with aliases contains multiple values of the
*krbPrincipalName* attribute.  Since LDAP attribute values are not
ordered, it is necessary to specify which principal name is canonical,
by using the *krbCanonicalName* attribute.  Therefore, to create
aliases for an entry, first set the *krbCanonicalName* attribute of
the entry to the canonical principal name (which should be identical
to the pre-existing *krbPrincipalName* value), and then add additional
*krbPrincipalName* attributes for the aliases.

Principal aliases are only returned by the KDC when the client requests
canonicalization.  Canonicalization is normally requested for service
principals; for client principals, an explicit flag is often required
(e.g., ``kinit -C``) and canonicalization is only performed for initial
ticket requests.
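Steps 1, 6 and 7 of the procedure above each impose a condition on the kdc.conf ``[dbmodules]`` entry: the LDAP URLs must be ``ldapi://`` or ``ldaps://``, the relations listed in step 7 must be present, and whether the KDC DN can be limited to read access depends on **disable_last_success** and **disable_lockout** both being true.  The following is an added example (not code from the krb5 project) that parses a kdc.conf in the profile format shown on this page and reports those conditions for a named module.  It treats a value set in ``[dbdefaults]`` as satisfying a required relation, since that section supplies defaults to every database module (the sample kdc.conf earlier on this page places ``ldap_kerberos_container_dn`` there).  The two configurations embedded at the bottom are constructed samples, one modelled on that sample kdc.conf and one deliberately weak.

```python
"""Check a kdc.conf LDAP back-end module against steps 1, 6 and 7 above.

Added example, not code from the krb5 project.  parse_profile() reads the
[section] / name = value / name = { ... } format of kdc.conf: comment lines
start with '#' or ';', quotes around a value are dropped, and a relation
repeated within one block becomes a list.
"""
from typing import Any, Dict, List

# Relations that step 7 says must be set for the realm's dbmodules entry.
REQUIRED_LDAP_RELATIONS = (
    "ldap_kerberos_container_dn", "ldap_kdc_dn", "ldap_kadmind_dn",
    "ldap_service_password_file", "ldap_servers",
)


def parse_profile(text: str) -> Dict[str, Dict[str, Any]]:
    """Parse profile text into {section: {name: value | dict | [values]}}."""
    sections: Dict[str, Dict[str, Any]] = {}
    stack: List[Dict[str, Any]] = []          # innermost open block last
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [sections.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()
            continue
        name, sep, value = line.partition("=")
        if not stack or not sep:
            raise ValueError(f"malformed or misplaced line: {raw!r}")
        name, value = name.strip(), value.strip()
        if value == "{":                      # start of a nested block
            child: Dict[str, Any] = {}
            stack[-1][name] = child
            stack.append(child)
            continue
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        current = stack[-1].get(name)
        if current is None:
            stack[-1][name] = value
        elif isinstance(current, list):
            current.append(value)
        else:
            stack[-1][name] = [current, value]
    return sections


def check_ldap_module(profile: Dict[str, Dict[str, Any]], module: str) -> Dict[str, Any]:
    """Return {'problems': [...], 'kdc_dn_needs_write': bool} for one module.

    kdc_dn_needs_write is False only when disable_last_success and
    disable_lockout are both true (step 6); otherwise the KDC DN must be
    able to write principal objects or account lockout will not function.
    """
    mod = profile.get("dbmodules", {}).get(module)
    if not isinstance(mod, dict):
        return {"problems": [f"no [dbmodules] entry named {module}"],
                "kdc_dn_needs_write": True}
    defaults = profile.get("dbdefaults", {})
    problems: List[str] = []
    if mod.get("db_library") != "kldap":
        problems.append("db_library is not set to kldap")
    for rel in REQUIRED_LDAP_RELATIONS:
        if rel not in mod and rel not in defaults:
            problems.append(f"missing relation {rel}")
    servers = mod.get("ldap_servers", defaults.get("ldap_servers", ""))
    for url in servers.split() if isinstance(servers, str) else servers:
        if not url.startswith(("ldapi://", "ldaps://")):      # step 1
            problems.append(f"ldap_servers entry {url} is neither ldapi:// nor ldaps://")
    tracking_off = (mod.get("disable_last_success") == "true"
                    and mod.get("disable_lockout") == "true")
    return {"problems": problems, "kdc_dn_needs_write": not tracking_off}


# Constructed sample modelled on the kdc.conf example in this document.
GOOD_KDC_CONF = """\
[dbdefaults]
    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        disable_last_success = true
        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
        ldap_service_password_file = /etc/kerberos/service.keyfile
        ldap_servers = ldaps://kerberos.mit.edu
    }
"""

# Constructed weak variant: plaintext ldap://, three relations missing,
# lockout tracking switched off (KDC DN then needs read access only).
WEAK_KDC_CONF = """\
[dbmodules]
    openldap_ldapconf = {
        db_library = kldap
        disable_last_success = true
        disable_lockout = true
        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
        ldap_servers = ldap://kerberos.mit.edu
    }
"""
```

Run it with ``check_ldap_module(parse_profile(open("/path/to/kdc.conf").read()), "openldap_ldapconf")``; the module name is whatever the realm's **database_module** relation points at.  The ``kdc_dn_needs_write`` flag is the thing to compare against the LDAP ACL from step 6: a KDC DN with read-only access is correct only when the flag is False.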
krb5-1.19.2/doc/admin/install_kdc.rst

Installing KDCs
===============

When setting up Kerberos in a production environment, it is best to
have multiple replica KDCs alongside a primary KDC to ensure the
continued availability of the Kerberized services.  Each KDC contains
a copy of the Kerberos database.  The primary KDC contains the writable
copy of the realm database, which it replicates to the replica KDCs at
regular intervals.  All database changes (such as password changes)
are made on the primary KDC.  Replica KDCs provide Kerberos
ticket-granting services, but not database administration, when the
primary KDC is unavailable.  MIT recommends that you install all of
your KDCs to be able to function as either the primary or one of the
replicas.  This will enable you to easily switch your primary KDC with
one of the replicas if necessary (see
:ref:`switch_primary_replica`).  This installation procedure is based
on that recommendation.

.. warning::

    - The Kerberos system relies on the availability of correct time
      information.  Ensure that the primary and all replica KDCs have
      properly synchronized clocks.

    - It is best to install and run KDCs on secured and dedicated
      hardware with limited access.  If your KDC is also a file
      server, FTP server, Web server, or even just a client machine,
      someone who obtained root access through a security hole in any
      of those areas could potentially gain access to the Kerberos
      database.


Install and configure the primary KDC
-------------------------------------

Install Kerberos either from the OS-provided packages or from the
source (See :ref:`do_build`).

.. note::

    For the purpose of this document we will use the following names::

        kerberos.mit.edu    - primary KDC
        kerberos-1.mit.edu  - replica KDC
        ATHENA.MIT.EDU      - realm name
        .k5.ATHENA.MIT.EDU  - stash file
        admin/admin         - admin principal

    See :ref:`mitK5defaults` for the default names and locations of
    the files relevant to this topic.  Adjust the names and paths to
    your system environment.


Edit KDC configuration files
----------------------------

Modify the configuration files, :ref:`krb5.conf(5)` and
:ref:`kdc.conf(5)`, to reflect the correct information (such as
domain-realm mappings and Kerberos server names) for your realm.
(See :ref:`mitK5defaults` for the recommended default locations for
these files).

Most of the tags in the configuration have default values that will
work well for most sites.  There are some tags in the
:ref:`krb5.conf(5)` file whose values must be specified, and this
section will explain those.

If the locations for these configuration files differ from the default
ones, set the **KRB5_CONFIG** and **KRB5_KDC_PROFILE** environment
variables to point to the krb5.conf and kdc.conf respectively.  For
example::

    export KRB5_CONFIG=/yourdir/krb5.conf
    export KRB5_KDC_PROFILE=/yourdir/kdc.conf


krb5.conf
~~~~~~~~~

If you are not using DNS TXT records (see :ref:`mapping_hostnames`),
you must specify the **default_realm** in the :ref:`libdefaults`
section.  If you are not using DNS URI or SRV records (see
:ref:`kdc_hostnames` and :ref:`kdc_discovery`), you must include the
**kdc** tag for each *realm* in the :ref:`realms` section.  To
communicate with the kadmin server in each realm, the **admin_server**
tag must be set in the :ref:`realms` section.
An example krb5.conf file::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            admin_server = kerberos.mit.edu
        }


kdc.conf
~~~~~~~~

The kdc.conf file can be used to control the listening ports of the KDC
and kadmind, as well as realm-specific defaults, the database type and
location, and logging.

An example kdc.conf file::

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88

    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts
            supported_enctypes = aes256-cts:normal aes128-cts:normal
            # If the default location does not suit your setup,
            # explicitly configure the following values:
            #    database_name = /var/krb5kdc/principal
            #    key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
            #    acl_file = /var/krb5kdc/kadm5.acl
        }

    [logging]
        # By default, the KDC and kadmind will log output using
        # syslog.  You can instead send log output to files like this:
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

Replace ``ATHENA.MIT.EDU`` and ``kerberos.mit.edu`` with the name of
your Kerberos realm and server respectively.

.. note::

    You have to have write permission on the target directories (these
    directories must exist) used by **database_name**,
    **key_stash_file**, and **acl_file**.


.. _create_db:

Create the KDC database
-----------------------

You will use the :ref:`kdb5_util(8)` command on the primary KDC to
create the Kerberos database and the optional
:ref:`stash_definition`.

.. note::

    If you choose not to install a stash file, the KDC will prompt you
    for the master key each time it starts up.  This means that the
    KDC will not be able to start automatically, such as after a
    system reboot.

:ref:`kdb5_util(8)` will prompt you for the master password for the
Kerberos database.  This password can be any string.  A good password
is one you can remember, but that no one else can guess.
Examples of bad passwords are words that can be found in a dictionary,
any common or popular name, especially a famous person (or cartoon
character), your username in any form (e.g., forward, backward,
repeated twice, etc.), and any of the sample passwords that appear in
this manual.  One example of a password which might be good if it did
not appear in this manual is "MITiys4K5!", which represents the
sentence "MIT is your source for Kerberos 5!" (It's the first letter
of each word, substituting the numeral "4" for the word "for", and
includes the punctuation mark at the end.)

The following is an example of how to create a Kerberos database and
stash file on the primary KDC, using the :ref:`kdb5_util(8)` command.
Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm::

    shell% kdb5_util create -r ATHENA.MIT.EDU -s

    Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
    master key name 'K/M@ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:  <= Type the master password.
    Re-enter KDC database master key to verify:  <= Type it again.
    shell%

This will create five files in |kdcdir| (or at the locations specified
in :ref:`kdc.conf(5)`):

* two Kerberos database files, ``principal``, and ``principal.ok``
* the Kerberos administrative database file, ``principal.kadm5``
* the administrative database lock file, ``principal.kadm5.lock``
* the stash file, in this example ``.k5.ATHENA.MIT.EDU``.  If you do
  not want a stash file, run the above command without the **-s**
  option.

For more information on administering the Kerberos database see
:ref:`db_operations`.


.. _admin_acl:

Add administrators to the ACL file
----------------------------------

Next, you need to create an Access Control List (ACL) file and put the
Kerberos principal of at least one of the administrators into it.
This file is used by the :ref:`kadmind(8)` daemon to control which
principals may view and make privileged modifications to the Kerberos
database files.  The ACL filename is determined by the **acl_file**
variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\
``/kadm5.acl``.

For more information on the Kerberos ACL file see :ref:`kadm5.acl(5)`.


.. _addadmin_kdb:

Add administrators to the Kerberos database
-------------------------------------------

Next you need to add administrative principals (i.e., principals who
are allowed to administer the Kerberos database) to the Kerberos
database.  You *must* add at least one principal now to allow
communication between the Kerberos administration daemon kadmind and
the kadmin program over the network for further administration.  To do
this, use the kadmin.local utility on the primary KDC.  kadmin.local is
designed to be run on the primary KDC host without using Kerberos
authentication to an admin server; instead, it must have read and
write access to the Kerberos database on the local filesystem.

The administrative principals you create should be the ones you added
to the ACL file (see :ref:`admin_acl`).

In the following example, the administrative principal ``admin/admin``
is created::

    shell% kadmin.local

    kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU

    No policy specified for "admin/admin@ATHENA.MIT.EDU";
    assigning "default".
    Enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Enter a password.
    Re-enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Type it again.
    Principal "admin/admin@ATHENA.MIT.EDU" created.
    kadmin.local:


.. _start_kdc_daemons:

Start the Kerberos daemons on the primary KDC
---------------------------------------------

At this point, you are ready to start the Kerberos KDC
(:ref:`krb5kdc(8)`) and administrative daemons on the primary KDC.  To
do so, type::

    shell% krb5kdc
    shell% kadmind

Each server daemon will fork and run in the background.

.. note::

    Assuming you want these daemons to start up automatically at boot
    time, you can add them to the KDC's ``/etc/rc`` or ``/etc/inittab``
    file.  You need to have a :ref:`stash_definition` in order to do
    this.

You can verify that they started properly by checking for their
startup messages in the logging locations you defined in
:ref:`krb5.conf(5)` (see :ref:`logging`).  For example::

    shell% tail /var/log/krb5kdc.log
    Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
    shell% tail /var/log/kadmin.log
    Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting

Any errors the daemons encounter while starting will also be listed in
the logging output.

As an additional verification, check if :ref:`kinit(1)` succeeds
against the principals that you have created in the previous step
(:ref:`addadmin_kdb`).  Run::

    shell% kinit admin/admin@ATHENA.MIT.EDU


Install the replica KDCs
------------------------

You are now ready to start configuring the replica KDCs.

.. note::

    Assuming you are setting the KDCs up so that you can easily switch
    the primary KDC with one of the replicas, you should perform each
    of these steps on the primary KDC as well as the replica KDCs,
    unless these instructions specify otherwise.


.. _replica_host_key:

Create host keytabs for replica KDCs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each KDC needs a ``host`` key in the Kerberos database.  These keys
are used for mutual authentication when propagating the database dump
file from the primary KDC to the secondary KDC servers.

On the primary KDC, connect to the administrative interface and create
the host principal for each of the KDCs' ``host`` services.
For example, if the primary KDC were called ``kerberos.mit.edu``, and
you had a replica KDC named ``kerberos-1.mit.edu``, you would type the
following::

    shell% kadmin
    kadmin: addprinc -randkey host/kerberos.mit.edu
    No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
    Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.

    kadmin: addprinc -randkey host/kerberos-1.mit.edu
    No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default"
    Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.

It is not strictly necessary to have the primary KDC server in the
Kerberos database, but it can be handy if you want to be able to swap
the primary KDC with one of the replicas.

Next, extract ``host`` random keys for all participating KDCs and store
them in each host's default keytab file.  Ideally, you should extract
each keytab locally on its own KDC.  If this is not feasible, you
should use an encrypted session to send them across the network.  To
extract a keytab directly on a replica KDC called
``kerberos-1.mit.edu``, you would execute the following command::

    kadmin: ktadd host/kerberos-1.mit.edu
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
If you are instead extracting a keytab for the replica KDC called
``kerberos-1.mit.edu`` on the primary KDC, you should use a dedicated
temporary keytab file for that machine's keytab::

    kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
        type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.

The file ``/tmp/kerberos-1.keytab`` can then be installed as
``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``.


Configure replica KDCs
~~~~~~~~~~~~~~~~~~~~~~

Database propagation copies the contents of the primary's database,
but does not propagate configuration files, stash files, or the kadm5
ACL file.  The following files must be copied by hand to each replica
(see :ref:`mitK5defaults` for the default locations for these files):

* krb5.conf
* kdc.conf
* kadm5.acl
* master key stash file

Move the copied files into their appropriate directories, exactly as
on the primary KDC.  kadm5.acl is only needed to allow a replica to
swap with the primary KDC.

The database is propagated from the primary KDC to the replica KDCs
via the :ref:`kpropd(8)` daemon.  You must explicitly specify the
principals which are allowed to provide Kerberos dump updates on the
replica machine with a new database.  Create a file named kpropd.acl
in the KDC state directory containing the ``host`` principals for each
of the KDCs::

    host/kerberos.mit.edu@ATHENA.MIT.EDU
    host/kerberos-1.mit.edu@ATHENA.MIT.EDU

.. note::

    If you expect that the primary and replica KDCs will be switched at
    some point of time, list the host principals from all participating
    KDC servers in kpropd.acl files on all of the KDCs.  Otherwise, you
    only need to list the primary KDC's host principal in the
    kpropd.acl files of the replica KDCs.
Then, add the following line to ``/etc/inetd.conf`` on each KDC
(adjust the path to kpropd)::

    krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

You also need to add the following line to ``/etc/services`` on each
KDC, if it is not already present (assuming that the default port is
used)::

    krb5_prop       754/tcp               # Kerberos replica propagation

Restart the inetd daemon.

Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon.  This is
required when incremental propagation is enabled.

Now that the replica KDC is able to accept database propagation,
you'll need to propagate the database from the primary server.

NOTE: Do not start the replica KDC yet; you still do not have a copy of
the primary's database.

.. _kprop_to_replicas:

Propagate the database to each replica KDC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First, create a dump file of the database on the primary KDC, as
follows::

    shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans

Then, manually propagate the database to each replica KDC, as in the
following example::

    shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu

    Database propagation to kerberos-1.mit.edu: SUCCEEDED

You will need a script to dump and propagate the database.  The
following is an example of a Bourne shell script that will do this.

.. note::

    Remember that you need to replace ``/usr/local/var/krb5kdc`` with
    the name of the KDC state directory.

::

    #!/bin/sh

    # Replica KDCs to propagate to.  No spaces around "=": with spaces
    # the shell would try to run a command named kdclist instead.
    kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"

    # Stop if the dump fails, so that a stale dump is never propagated.
    kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans || exit 1

    for kdc in $kdclist
    do
        kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc
    done

You will need to set up a cron job to run this script at the intervals
you decided on earlier (see :ref:`db_prop`).
Now that the replica KDC has a copy of the Kerberos database, you can
start the krb5kdc daemon::

    shell% krb5kdc

As with the primary KDC, you will probably want to add this command to
the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start the
krb5kdc daemon automatically at boot time.


Propagation failed?
###################

You may encounter the following error messages.  For a more detailed
discussion on possible causes and solutions click on the error link to
be redirected to the :ref:`troubleshoot` section.

.. include:: ./troubleshoot.rst
   :start-after: _prop_failed_start:
   :end-before: _prop_failed_end:


Add Kerberos principals to the database
---------------------------------------

Once your KDCs are set up and running, you are ready to use
:ref:`kadmin(1)` to load principals for your users, hosts, and other
services into the Kerberos database.  This procedure is described
fully in :ref:`add_mod_del_princs`.

You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or
if your primary KDC has a disk crash.  See the following section for
the instructions.


.. _switch_primary_replica:

Switching primary and replica KDCs
----------------------------------

You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or
if your primary KDC has a disk crash.

Assuming you have configured all of your KDCs to be able to function as
either the primary KDC or a replica KDC (as this document recommends),
all you need to do to make the changeover is:

If the primary KDC is still running, do the following on the *old*
primary KDC:

#. Kill the kadmind process.
#. Disable the cron job that propagates the database.
#. Run your database propagation script manually, to ensure that the
   replicas all have the latest copy of the database (see
   :ref:`kprop_to_replicas`).

On the *new* primary KDC:

#. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`).
#. Set up the cron job to propagate the database (see
   :ref:`kprop_to_replicas`).
#. Switch the CNAMEs of the old and new primary KDCs.  If you can't do
   this, you'll need to change the :ref:`krb5.conf(5)` file on every
   client machine in your Kerberos realm.


Incremental database propagation
--------------------------------

If you expect your Kerberos database to become large, you may wish to
set up incremental propagation to replica KDCs.  See
:ref:`incr_db_prop` for details.

krb5-1.19.2/doc/admin/lockout.rst

.. _lockout:

Account lockout
===============

As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time.  Account lockout can make it more difficult to attack a
principal's password by brute force, but also makes it easy for an
attacker to deny access to a principal.

Configuring account lockout
---------------------------

Account lockout only works for principals with the
**+requires_preauth** flag set.  Without this flag, the KDC cannot
know whether or not a client successfully decrypted the ticket it
issued.  It is also important to set the **-allow_svr** flag on a
principal to protect its password from an off-line dictionary attack
through a TGS request.  You can set these flags on a principal with
:ref:`kadmin(1)` as follows::

    kadmin: modprinc +requires_preauth -allow_svr PRINCNAME

Account lockout parameters are configured via :ref:`policy objects `.
There may be an existing policy associated with user principals (such
as the "default" policy), or you may need to create a new one and
associate it with each user principal.
The policy parameters related to account lockout are:

* :ref:`maxfailure `: the number of failed attempts before the
  principal is locked out
* :ref:`failurecountinterval `: the allowable interval between failed
  attempts
* :ref:`lockoutduration `: the amount of time a principal is locked
  out for

Here is an example of setting these parameters on a new policy and
associating it with a principal::

    kadmin: addpol -maxfailure 10 -failurecountinterval 180
        -lockoutduration 60 lockout_policy
    kadmin: modprinc -policy lockout_policy PRINCNAME

Testing account lockout
-----------------------

To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password.  For instance, if **maxfailure** is set to 2, you
might see::

    $ kinit user
    Password for user@KRBTEST.COM:
    kinit: Password incorrect while getting initial credentials
    $ kinit user
    Password for user@KRBTEST.COM:
    kinit: Password incorrect while getting initial credentials
    $ kinit user
    kinit: Client's credentials have been revoked while getting initial credentials

Account lockout principal state
-------------------------------

A principal entry keeps three pieces of state related to account
lockout:

* The time of last successful authentication
* The time of last failed authentication
* A counter of failed attempts

The time of last successful authentication is not actually needed for
the account lockout system to function, but may be of administrative
interest.  These fields can be observed with the **getprinc** kadmin
command.  For example::

    kadmin: getprinc user
    Principal: user@KRBTEST.COM
    ...
    Last successful authentication: [never]
    Last failed authentication: Mon Dec 03 12:30:33 EST 2012
    Failed password attempts: 2
    ...
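The three fields above live in each KDC's own copy of the principal database, and lockout state is not carried between KDCs by kprop or incremental propagation, so a client that spreads wrong-password attempts over several KDCs is allowed up to **maxfailure** tries on each of them before any single KDC locks the principal.  A defender can see the realm-wide picture only by correlating the KDCs' logs centrally.  The following is an added example, not code from the krb5 project: it extracts preauthentication failures from kdc.log lines, counts runs of failures per client across all KDCs using the **failurecountinterval** rule (a run continues as long as each failure follows the previous one within the interval), and flags clients whose realm-wide count has reached **maxfailure** even though no individual KDC's counter has.  The log lines are constructed; they follow the ``AS_REQ (...) ip: PREAUTH_FAILED: client for server, message`` shape of krb5kdc's messages as this example assumes it, so check ``LOG_RE`` against a real kdc.log before relying on it, and the year is supplied by the caller because kdc.log timestamps carry none.

```python
"""Correlate PREAUTH_FAILED events across several KDCs' kdc.log files.

Added example, not code from the krb5 project.  The sample log lines are
constructed; LOG_RE encodes the assumed shape of krb5kdc's AS_REQ
PREAUTH_FAILED message and should be verified against a real kdc.log.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"krb5kdc\[\d+\]\(info\): AS_REQ .*?: PREAUTH_FAILED: (?P<client>\S+) for "
)

Event = Tuple[datetime, str, str]   # (timestamp, KDC host, client principal)


def parse_failures(lines: Iterable[str], year: int = 2012) -> List[Event]:
    """Extract (time, kdc, client) from PREAUTH_FAILED lines; others are skipped.

    kdc.log timestamps carry no year, so the caller supplies one.
    """
    events: List[Event] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["client"]))
    return events


def longest_run(times: List[datetime], interval_seconds: int) -> int:
    """Longest chain of failures in which no gap exceeds interval_seconds.

    This mirrors what one KDC's failure counter reaches: the counter keeps
    climbing while failures arrive within failurecountinterval of the
    previous one, and starts over once a gap exceeds it.
    """
    best = run = 0
    prev = None
    for t in sorted(times):
        within = prev is not None and (t - prev).total_seconds() <= interval_seconds
        run = run + 1 if within else 1
        best = max(best, run)
        prev = t
    return best


def realm_wide_failures(events: List[Event], maxfailure: int,
                        interval_seconds: int) -> Dict[str, Dict[str, object]]:
    """Clients whose failures, merged across all KDCs, reach maxfailure.

    For each flagged client the result also gives the longest run each
    individual KDC saw and whether any one KDC would have locked the
    principal by itself; 'locked_on_any_kdc' False is exactly the case the
    per-KDC counters cannot see.
    """
    by_client: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, host, client in events:
        by_client[client].append((ts, host))
    flagged: Dict[str, Dict[str, object]] = {}
    for client, evs in by_client.items():
        total = longest_run([t for t, _ in evs], interval_seconds)
        if total < maxfailure:
            continue
        per_kdc = {h: longest_run([t for t, hh in evs if hh == h], interval_seconds)
                   for h in sorted({hh for _, hh in evs})}
        flagged[client] = {
            "total": total,
            "per_kdc": per_kdc,
            "locked_on_any_kdc": max(per_kdc.values()) >= maxfailure,
        }
    return flagged


# Constructed sample: two KDCs (kdc1, kdc2), one client rotating between them.
_FAIL = "PREAUTH_FAILED: {c} for krbtgt/KRBTEST.COM@KRBTEST.COM, Preauthentication failed"
SAMPLE_LOG_LINES = [
    "Dec 03 12:30:01 kdc1 krb5kdc[3187](info): commencing operation",
    "Dec 03 12:30:10 kdc1 krb5kdc[3187](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: " + _FAIL.format(c="alice@KRBTEST.COM"),
    "Dec 03 12:30:20 kdc2 krb5kdc[4410](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: " + _FAIL.format(c="alice@KRBTEST.COM"),
    "Dec 03 12:30:33 kdc1 krb5kdc[3187](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: " + _FAIL.format(c="alice@KRBTEST.COM"),
    "Dec 03 12:30:41 kdc2 krb5kdc[4410](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: " + _FAIL.format(c="alice@KRBTEST.COM"),
    "Dec 03 12:31:02 kdc2 krb5kdc[4410](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.9: " + _FAIL.format(c="bob@KRBTEST.COM"),
    "Dec 03 12:31:05 kdc1 krb5kdc[3187](info): AS_REQ (4 etypes {18 17 16 23}) 10.0.0.5: ISSUE: authtime 1354555865, etypes {rep=18 tkt=18 ses=18}, alice@KRBTEST.COM for krbtgt/KRBTEST.COM@KRBTEST.COM",
]

if __name__ == "__main__":
    # With maxfailure 3, neither KDC locks alice (2 failures each), but the
    # realm-wide run is 4.
    print(realm_wide_failures(parse_failures(SAMPLE_LOG_LINES), 3, 180))
```

Feed it the concatenated kdc.log files of every KDC (or the equivalent syslog stream) with the realm's **maxfailure** and **failurecountinterval**; a flagged client with ``locked_on_any_kdc`` False is a password-guessing pattern that the per-KDC lockout counters will not stop on their own.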
A principal which has been locked out can be administratively unlocked
with the **-unlock** option to the **modprinc** kadmin command::

    kadmin: modprinc -unlock PRINCNAME

This command will reset the number of failed attempts to 0.

KDC replication and account lockout
-----------------------------------

The account lockout state of a principal is not replicated by either
traditional :ref:`kprop(8)` or incremental propagation.  Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs.  For instance, if the
**maxfailure** parameter on a policy is 10 and there are four KDCs in
the environment (a primary and three replicas), an attacker could make
as many as 40 attempts before the principal is locked out on all four
KDCs.

An administrative unlock is propagated from the primary to the replica
KDCs during the next propagation.  Propagation of an administrative
unlock will cause the counter of failed attempts on each replica to
reset to 1 on the next failure.

If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi-master
LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.

.. _disable_lockout:

KDC performance and account lockout
-----------------------------------

In order to fully track account lockout state, the KDC must write to
the database on each successful and failed authentication.  Writing to
the database is generally more expensive than reading from it, so
these writes may have a significant impact on KDC performance.  As of
release 1.9, it is possible to turn off account lockout state tracking
in order to improve performance, by setting the
**disable_last_success** and **disable_lockout** variables in the
database module subsection of :ref:`kdc.conf(5)`.
For example::

    [dbmodules]
        DB = {
            disable_last_success = true
            disable_lockout = true
        }

Of the two variables, setting **disable_last_success** will usually
have the largest positive impact on performance, and will still allow
account lockout policies to operate.  However, it will make it
impossible to observe the last successful authentication time with
kadmin.

KDC setup and account lockout
-----------------------------

To update the account lockout state on principals, the KDC must be
able to write to the principal database.  For the DB2 module, no
special setup is required.  For the LDAP module, the KDC DN must be
granted write access to the principal objects.  If the KDC DN has only
read access, account lockout will not function.

krb5-1.19.2/doc/admin/env_variables.rst

Environment variables
=====================

This content has moved to :ref:`kerberos(7)`.

krb5-1.19.2/doc/admin/admin_commands/ktutil.rst

.. _ktutil(1):

ktutil
======

SYNOPSIS
--------

**ktutil**

DESCRIPTION
-----------

The ktutil command invokes a command interface from which an
administrator can read, write, or edit entries in a keytab.  (Kerberos
V4 srvtab files are no longer supported.)

COMMANDS
--------

list
~~~~

    **list** [**-t**] [**-k**] [**-e**]

Displays the current keylist.  If **-t**, **-k**, and/or **-e** are
specified, also display the timestamp, key contents, or enctype
(respectively).

Alias: **l**

read_kt
~~~~~~~

    **read_kt** *keytab*

Read the Kerberos V5 keytab file *keytab* into the current keylist.

Alias: **rkt**

write_kt
~~~~~~~~

    **write_kt** *keytab*

Write the current keylist into the Kerberos V5 keytab file *keytab*.

Alias: **wkt**

clear_list
~~~~~~~~~~

    **clear_list**

Clear the current keylist.
Alias: **clear**

delete_entry
~~~~~~~~~~~~

    **delete_entry** *slot*

Delete the entry in slot number *slot* from the current keylist.

Alias: **delent**

add_entry
~~~~~~~~~

    **add_entry** {**-key**\|\ **-password**} **-p** *principal*
    **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*]

Add *principal* to keylist using key or password.  If the **-f** flag
is specified, salt information will be fetched from the KDC; in this
case the **-e** flag may be omitted, or it may be supplied to force a
particular enctype.  If the **-f** flag is not specified, the **-e**
flag must be specified, and the default salt will be used unless
overridden with the **-s** option.

Alias: **addent**

list_requests
~~~~~~~~~~~~~

    **list_requests**

Displays a listing of available commands.

Aliases: **lr**, **?**

quit
~~~~

    **quit**

Quits ktutil.

Aliases: **exit**, **q**

EXAMPLE
-------

::

    ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
    Password for alice@BLEEP.COM:
    ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e aes256-cts-hmac-sha1-96
    Password for alice@BLEEP.COM:
    ktutil:  write_kt keytab
    ktutil:

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/admin/admin_commands/kadmind.rst

.. _kadmind(8):

kadmind
=======

SYNOPSIS
--------

**kadmind**
[**-x** *db_args*]
[**-r** *realm*]
[**-m**]
[**-nofork**]
[**-proponly**]
[**-port** *port-number*]
[**-P** *pid_file*]
[**-p** *kdb5_util_path*]
[**-K** *kprop_path*]
[**-k** *kprop_port*]
[**-F** *dump_file*]

DESCRIPTION
-----------

kadmind starts the Kerberos administration server.  kadmind typically
runs on the primary Kerberos server, which stores the KDC database.
If the KDC database uses the LDAP module, the administration server
and the KDC server need not run on the same machine.
kadmind accepts remote requests from programs such as :ref:`kadmin(1)`
and :ref:`kpasswd(1)` to administer the information in the database.

kadmind requires a number of configuration files to be set up in order
for it to work:

:ref:`kdc.conf(5)`
    The KDC configuration file contains configuration information for
    the KDC and admin servers.  kadmind uses settings in this file to
    locate the Kerberos database, and is also affected by the
    **acl_file**, **dict_file**, **kadmind_port**, and iprop-related
    settings.

:ref:`kadm5.acl(5)`
    kadmind's ACL (access control list) tells it which principals are
    allowed to perform administration actions.  The pathname to the
    ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)`
    variable; by default, it is |kdcdir|\ ``/kadm5.acl``.

After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.

kadmind can be configured for incremental database propagation.
Incremental propagation allows replica KDC servers to receive
principal and policy updates incrementally instead of receiving full
dumps of the database.  This facility can be enabled in the
:ref:`kdc.conf(5)` file with the **iprop_enable** option.  Incremental
propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where
PRIMARY is the primary KDC's canonical host name, and REALM the realm
name).  In release 1.13, this principal is automatically created and
registered into the database.

OPTIONS
-------

**-r** *realm*
    specifies the realm that kadmind will serve; if it is not
    specified, the default realm of the host is used.

**-m**
    causes the master database password to be fetched from the
    keyboard (before the server puts itself in the background, if not
    invoked with the **-nofork** option) rather than from a file on
    disk.

**-nofork**
    causes the server to remain in the foreground and remain
    associated to the terminal.
**-proponly**
    causes the server to only listen and respond to Kerberos replica
    incremental propagation polling requests.  This option can be used
    to set up a hierarchical propagation topology where a replica KDC
    provides incremental updates to other Kerberos replicas.

**-port** *port-number*
    specifies the port on which the administration server listens for
    connections.  The default port is determined by the
    **kadmind_port** configuration variable in :ref:`kdc.conf(5)`.

**-P** *pid_file*
    specifies the file to which the PID of the kadmind process should
    be written after it starts up.  This file can be used to identify
    whether kadmind is still running and to allow init scripts to stop
    the correct process.

**-p** *kdb5_util_path*
    specifies the path to the kdb5_util command to use when dumping
    the KDB in response to full resync requests when iprop is enabled.

**-K** *kprop_path*
    specifies the path to the kprop command to use to send full dumps
    to replicas in response to full resync requests.

**-k** *kprop_port*
    specifies the port by which the kprop process that is spawned by
    kadmind connects to the replica kpropd, in order to transfer the
    dump file during an iprop full resync request.

**-F** *dump_file*
    specifies the file path to be used for dumping the KDB in response
    to full resync requests when iprop is enabled.

**-x** *db_args*
    specifies database-specific arguments.  See
    :ref:`Database Options ` in :ref:`kadmin(1)` for supported
    arguments.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)`


.. _kprop(8):

kprop
=====

SYNOPSIS
--------

**kprop**
[**-r** *realm*]
[**-f** *file*]
[**-d**]
[**-P** *port*]
[**-s** *keytab*]
*replica_host*

DESCRIPTION
-----------

kprop is used to securely propagate a Kerberos V5 database dump file
from the primary Kerberos server to a replica Kerberos server, which
is specified by *replica_host*.  The dump file must be created by
:ref:`kdb5_util(8)`.

OPTIONS
-------

**-r** *realm*
    Specifies the realm of the primary server.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be found; by default the dumped database file is normally
    |kdcdir|\ ``/replica_datatrans``.

**-P** *port*
    Specifies the port to use to contact the :ref:`kpropd(8)` server
    on the remote host.

**-d**
    Prints debugging information.

**-s** *keytab*
    Specifies the location of the keytab file.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`


.. _krb5kdc(8):

krb5kdc
=======

SYNOPSIS
--------

**krb5kdc**
[**-x** *db_args*]
[**-d** *dbname*]
[**-k** *keytype*]
[**-M** *mkeyname*]
[**-p** *portnum*]
[**-m**]
[**-r** *realm*]
[**-n**]
[**-w** *numworkers*]
[**-P** *pid_file*]
[**-T** *time_offset*]

DESCRIPTION
-----------

krb5kdc is the Kerberos version 5 Authentication Service and Key
Distribution Center (AS/KDC).

OPTIONS
-------

The **-r** *realm* option specifies the realm for which the server
should provide service.  This option may be specified multiple times
to serve multiple realms.  If no **-r** option is given, the default
realm (as specified in :ref:`krb5.conf(5)`) will be served.

The **-d** *dbname* option specifies the name under which the
principal database can be found.  This option does not apply to the
LDAP database.
The **-k** *keytype* option specifies the key type of the master key
to be entered manually as a password when **-m** is given; the default
is |defmkey|.

The **-M** *mkeyname* option specifies the principal name for the
master key in the database (usually ``K/M`` in the KDC's realm).

The **-m** option specifies that the master database password should
be fetched from the keyboard rather than from a stash file.

The **-n** option specifies that the KDC does not put itself in the
background and does not disassociate itself from the terminal.

The **-P** *pid_file* option tells the KDC to write its PID into
*pid_file* after it starts up.  This can be used to identify whether
the KDC is still running and to allow init scripts to stop the correct
process.

The **-p** *portnum* option specifies the default UDP and TCP port
numbers which the KDC should listen on for Kerberos version 5
requests, as a comma-separated list.  This value overrides the port
numbers specified in the :ref:`kdcdefaults` section of
:ref:`kdc.conf(5)`, but may be overridden by realm-specific values.
If no value is given from any source, the default port is 88.

The **-w** *numworkers* option tells the KDC to fork *numworkers*
processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if
the **-P** option is also given) acts as a supervisor.  The supervisor
will relay SIGHUP signals to the worker subprocesses, and will
terminate the worker subprocesses if it is itself terminated or if
any other worker process exits.

The **-x** *db_args* option specifies database-specific arguments.
See :ref:`Database Options ` in :ref:`kadmin(1)` for supported
arguments.

The **-T** *offset* option specifies a time offset, in seconds, which
the KDC will operate under.  It is intended only for testing purposes.

EXAMPLE
-------

The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line.
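The per-realm option handling this section describes (a **-p** value
applies to each **-r** realm that follows it until a later **-p**
supersedes it, a realm with no preceding **-p** gets port 88, at most
32 realms are served, and a realm-specific value from
:ref:`kdc.conf(5)` overrides the command line) can be modelled in a
few lines.  The following is an added illustration written for this
page, not code from krb5; the ``conf_ports`` dict standing in for the
kdc.conf realm settings is an assumption of the example.

```python
"""Effective listen ports per realm for a krb5kdc command line.

Added illustration (not krb5 code) of the precedence rules in the
krb5kdc man page: a -p value applies to every -r realm that follows it
until another -p supersedes it, realms with no preceding -p use port
88, the KDC serves at most 32 realms, and a per-realm port setting
from kdc.conf (represented here by a plain dict, an assumption of this
example) takes precedence over the command line.
"""

DEFAULT_PORT = 88
MAX_REALMS = 32


def parse_ports(spec):
    """Turn a comma-separated port list such as '88,750' into [88, 750]."""
    ports = []
    for item in spec.split(","):
        item = item.strip()
        if not item.isdigit() or not 0 < int(item) < 65536:
            raise ValueError(f"bad port list {spec!r}")
        ports.append(int(item))
    return ports


def realm_ports(argv, conf_ports=None):
    """Map each -r realm in argv (krb5kdc arguments without argv[0]) to
    the ports it is served on.

    conf_ports: {realm: [ports]} standing in for realm-specific settings
    in kdc.conf; when a realm appears there, that value wins over any -p.
    Other options (-n, -P pid_file, ...) are skipped, since they do not
    affect ports.
    """
    conf_ports = conf_ports or {}
    current = [DEFAULT_PORT]   # ports in force for the next -r realms
    served = {}
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "-r"):
            if i + 1 >= len(argv):
                raise ValueError(f"{arg} requires an argument")
            value = argv[i + 1]
            i += 2
            if arg == "-p":
                current = parse_ports(value)   # supersedes earlier -p
            else:
                if value not in served and len(served) >= MAX_REALMS:
                    raise ValueError("krb5kdc serves at most 32 realms")
                served[value] = list(conf_ports.get(value, current))
        else:
            i += 1
    return served


if __name__ == "__main__":
    # The command line from the man page example.
    cmd = ["-p", "2001", "-r", "REALM1", "-p", "2002", "-r", "REALM2",
           "-r", "REALM3"]
    for realm, ports in realm_ports(cmd).items():
        print(realm, ports)
```

Running it reproduces the man page's reading of its own example: REALM1 on 2001, REALM2 and REALM3 on 2002.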
Per-realm options that can be specified on the command line pertain
for each realm that follows it and are superseded by subsequent
definitions of the same option.

For example::

    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

specifies that the KDC listen on port 2001 for REALM1 and on port 2002
for REALM2 and REALM3.

Additionally, per-realm parameters may be specified in the
:ref:`kdc.conf(5)` file.  The location of this file may be specified
by the **KRB5_KDC_PROFILE** environment variable.  Per-realm
parameters specified in this file take precedence over options
specified on the command line.  See the :ref:`kdc.conf(5)`
description for further details.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`,
:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)`


.. _kdb5_ldap_util(8):

kdb5_ldap_util
==============

SYNOPSIS
--------

.. _kdb5_ldap_util_synopsis:

**kdb5_ldap_util** [**-D** *user_dn* [**-w** *passwd*]] [**-H** *ldapuri*]
**command** [*command_options*]

.. _kdb5_ldap_util_synopsis_end:

DESCRIPTION
-----------

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.

COMMAND-LINE OPTIONS
--------------------

.. _kdb5_ldap_util_options:

**-r** *realm*
    Specifies the realm to be operated on.

**-D** *user_dn*
    Specifies the Distinguished Name (DN) of the user who has
    sufficient rights to perform the operation on the LDAP server.

**-w** *passwd*
    Specifies the password of *user_dn*.  This option is not
    recommended.

**-H** *ldapuri*
    Specifies the URI of the LDAP server.
By default, kdb5_ldap_util operates on the default realm (as specified
in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP
server in the same manner as :ref:`kadmind(8)` would given the
parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`.

.. _kdb5_ldap_util_options_end:

COMMANDS
--------

create
~~~~~~

.. _kdb5_ldap_util_create:

**create**
[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-s**]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]

Creates realm in directory. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created.  If the container reference is not
    configured for a realm, the principals will be created in the
    realm container.

**-k** *mkeytype*
    Specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    Specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.

**-M** *mkeyname*
    Specifies the principal name for the master key in the database.
    If not specified, the name is determined by the
    **master_key_name** variable in :ref:`kdc.conf(5)`.

**-m**
    Specifies that the master database password should be read from
    the TTY rather than fetched from a file on the disk.

**-P** *password*
    Specifies the master database password.  This option is not
    recommended.
**-sf** *stashfilename*
    Specifies the stash file of the master database password.

**-s**
    Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
    Password for "cn=admin,o=org":
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

.. _kdb5_ldap_util_create_end:

modify
~~~~~~

.. _kdb5_ldap_util_modify:

**modify**
[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]

Modifies the attributes of a realm. Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).  This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.
**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.

Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu modify +requires_preauth
    Password for "cn=admin,o=org":
    shell%

.. _kdb5_ldap_util_modify_end:

view
~~~~

.. _kdb5_ldap_util_view:

**view**

Displays the attributes of a realm.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    SearchScope: ONE
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_end:

destroy
~~~~~~~

.. _kdb5_ldap_util_destroy:

**destroy** [**-f**]

Destroys an existing realm. Options:

**-f**
    If specified, will not prompt the user for confirmation.

Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu destroy
    Password for "cn=admin,o=org":
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...
    shell%

.. _kdb5_ldap_util_destroy_end:

list
~~~~

.. _kdb5_ldap_util_list:

**list**

Lists the names of realms under the container.

Example::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org":
    ATHENA.MIT.EDU
    OPENLDAP.MIT.EDU
    MEDIA-LAB.MIT.EDU
    shell%

.. _kdb5_ldap_util_list_end:

stashsrvpw
~~~~~~~~~~

.. _kdb5_ldap_util_stashsrvpw:

**stashsrvpw** [**-f** *filename*] *name*

Allows an administrator to store the password for service object in a
file so that KDC and Administration server can use it to authenticate
to the LDAP server.
Options:

**-f** *filename*
    Specifies the complete path of the service password file.  By
    default, ``/usr/local/var/service_passwd`` is used.

*name*
    Specifies the name of the object whose password is to be stored.
    If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for
    simple binding, this should be the distinguished name it will use
    as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** variable in
    :ref:`kdc.conf(5)`.  If the KDC or kadmind is configured for SASL
    binding, this should be the authentication name it will use as
    given by the **ldap_kdc_sasl_authcid** or
    **ldap_kadmind_sasl_authcid** variable.

Example::

    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org":
    Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:

create_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_create_policy:

**create_policy** [**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*]
*policy_name*

Creates a ticket policy in the directory. Options:

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of
    tickets for principals.

*ticket_flags*
    Specifies the ticket flags.  If this option is not specified, by
    default, no restriction will be set by the policy.  Allowable
    flags are documented in the description of the **add_principal**
    command in :ref:`kadmin(1)`.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
        -maxrenewlife "1 week" -allow_postdated +needchange
        -allow_forwardable tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_create_policy_end:

modify_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_modify_policy:

**modify_policy** [**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*]
*policy_name*

Modifies the attributes of a ticket policy.  Options are same as for
**create_policy**.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes"
        -maxrenewlife "10 hours" +allow_postdated -requires_preauth
        tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:

view_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_view_policy:

**view_policy** *policy_name*

Displays the attributes of the named ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view_policy tktpolicy
    Password for "cn=admin,o=org":
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_policy_end:

destroy_policy
~~~~~~~~~~~~~~

.. _kdb5_ldap_util_destroy_policy:

**destroy_policy** [**-force**] *policy_name*

Destroys an existing ticket policy. Options:

**-force**
    Forces the deletion of the policy object.  If not specified, the
    user will be prompted for confirmation before deleting the policy.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU destroy_policy tktpolicy
    Password for "cn=admin,o=org":
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:

list_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_list_policy:

**list_policy**

Lists ticket policies.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU list_policy
    Password for "cn=admin,o=org":
    tktpolicy
    tmppolicy
    userpolicy

.. _kdb5_ldap_util_list_policy_end:

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`


.. _kdb5_util(8):

kdb5_util
=========

SYNOPSIS
--------

.. _kdb5_util_synopsis:

**kdb5_util**
[**-r** *realm*]
[**-d** *dbname*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m**]
[**-sf** *stashfilename*]
[**-P** *password*]
[**-x** *db_args*]
*command* [*command_options*]

.. _kdb5_util_synopsis_end:

DESCRIPTION
-----------

kdb5_util allows an administrator to perform maintenance procedures
on the KDC database.  Databases can be created, destroyed, and dumped
to or loaded from ASCII files.  kdb5_util can create a Kerberos master
key stash file or perform live rollover of the master key.

When kdb5_util is run, it attempts to acquire the master key and open
the database.  However, execution continues regardless of whether or
not kdb5_util successfully opens the database, because the database
may not exist yet or the stash file may be corrupt.

Note that some KDC database modules may not support all kdb5_util
commands.

COMMAND-LINE OPTIONS
--------------------

.. _kdb5_util_options:

**-r** *realm*
    specifies the Kerberos realm of the database.

**-d** *dbname*
    specifies the name under which the principal database is stored;
    by default the database is that listed in :ref:`kdc.conf(5)`.  The
    password policy database and lock files are also derived from this
    value.

**-k** *mkeytype*
    specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    Specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.

**-M** *mkeyname*
    principal name for the master key in the database.
    If not specified, the name is determined by the
    **master_key_name** variable in :ref:`kdc.conf(5)`.

**-m**
    specifies that the master database password should be read from
    the keyboard rather than fetched from a file on disk.

**-sf** *stash_file*
    specifies the stash filename of the master database password.  If
    not specified, the filename is determined by the
    **key_stash_file** variable in :ref:`kdc.conf(5)`.

**-P** *password*
    specifies the master database password.  Using this option may
    expose the password to other users on the system via the process
    list.

**-x** *db_args*
    specifies database-specific options.  See :ref:`kadmin(1)` for
    supported options.

.. _kdb5_util_options_end:

COMMANDS
--------

create
~~~~~~

.. _kdb5_util_create:

**create** [**-s**]

Creates a new database.  If the **-s** option is specified, the stash
file is also created.  This command fails if the database already
exists.  If the command is successful, the database is opened just as
if it had already existed when the program was first run.

.. _kdb5_util_create_end:

destroy
~~~~~~~

.. _kdb5_util_destroy:

**destroy** [**-f**]

Destroys the database, first overwriting the disk sectors and then
unlinking the files, after prompting the user for confirmation.  With
the **-f** argument, does not prompt the user.

.. _kdb5_util_destroy_end:

stash
~~~~~

.. _kdb5_util_stash:

**stash** [**-f** *keyfile*]

Stores the master principal's keys in a stash file.  The **-f**
argument can be used to override the *keyfile* specified in
:ref:`kdc.conf(5)`.

.. _kdb5_util_stash_end:

dump
~~~~

.. _kdb5_util_dump:

**dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**]
[**-mkey_convert**] [**-new_mkey_file** *mkey_file*]
[**-rev**] [**-recurse**]
[*filename* [*principals*...]]

Dumps the current Kerberos and KADM5 database into an ASCII file.  By
default, the database is dumped in current format, "kdb5_util
load_dump version 7".  If filename is not specified, or is the string
"-", the dump is sent to standard output.
Options:

**-b7**
    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
    load_dump version 4").  This was the dump format produced on
    releases prior to 1.2.2.

**-r13**
    causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5").  This was the dump format produced on
    releases prior to 1.8.

**-r18**
    causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6").  This was the dump format produced on
    releases prior to 1.11.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is dumped.

**-mkey_convert**
    prompts for a new master key.  This new master key will be used to
    re-encrypt principal key data in the dumpfile.  The principal keys
    themselves will not be changed.

**-new_mkey_file** *mkey_file*
    the filename of a stash file.  The master key in this stash file
    will be used to re-encrypt the key data in the dumpfile.  The key
    data in the database will not be changed.

**-rev**
    dumps in reverse order.  This may recover principals that do not
    dump normally, in cases where database corruption has occurred.

**-recurse**
    causes the dump to walk the database recursively (btree only).
    This may recover principals that do not dump normally, in cases
    where database corruption has occurred.  In cases of such
    corruption, this option will probably retrieve more principals
    than the **-rev** option will.

    .. versionchanged:: 1.15
        Release 1.15 restored the functionality of the **-recurse**
        option.

    .. versionchanged:: 1.5
        The **-recurse** option ceased working until release 1.15,
        doing a normal dump instead of a recursive traversal.

.. _kdb5_util_dump_end:

load
~~~~

.. _kdb5_util_load:

**load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*

Loads a database dump from the named file into the named database.  If
no option is given to determine the format of the dump file, the
format is detected automatically and handled as appropriate.
Unless the **-update** option is given, **load** creates a new
database containing only the data in the dump file, overwriting the
contents of any previously existing database.  Note that when using
the LDAP KDC database module, the **-update** flag is required.

Options:

**-b7**
    requires the database to be in the Kerberos 5 Beta 7 format
    ("kdb5_util load_dump version 4").  This was the dump format
    produced on releases prior to 1.2.2.

**-r13**
    requires the database to be in Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5").  This was the dump format produced on
    releases prior to 1.8.

**-r18**
    requires the database to be in Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6").  This was the dump format produced on
    releases prior to 1.11.

**-hash**
    stores the database in hash format, if using the DB2 database
    type.  If this option is not specified, the database will be
    stored in btree format.  This option is not recommended, as
    databases stored in hash format are known to corrupt data and lose
    principals.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is dumped.

**-update**
    records from the dump file are added to or updated in the existing
    database.  Otherwise, a new database is created containing only
    what is in the dump file and the old one destroyed upon successful
    completion.

.. _kdb5_util_load_end:

ark
~~~

**ark** [**-e** *enc*:*salt*,...] *principal*

Adds new random keys to *principal* at the next available key version
number.  Keys for the current highest key version number will be
preserved.  The **-e** option specifies the list of encryption and
salt types to be used for the new keys.

add_mkey
~~~~~~~~

**add_mkey** [**-e** *etype*] [**-s**]

Adds a new master key to the master key principal, but does not mark
it as active.  Existing master keys will remain.  The **-e** option
specifies the encryption type of the new master key; see
:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible
values.
The **-s** option stashes the new master key in the stash file, which
will be created if it doesn't already exist.

After a new master key is added, it should be propagated to replica
servers via a manual or periodic invocation of :ref:`kprop(8)`.  Then,
the stash files on the replica servers should be updated with the
kdb5_util **stash** command.  Once those steps are complete, the key
is ready to be marked active with the kdb5_util **use_mkey** command.

use_mkey
~~~~~~~~

**use_mkey** *mkeyVNO* [*time*]

Sets the activation time of the master key specified by *mkeyVNO*.
Once a master key becomes active, it will be used to encrypt newly
created principal keys.  If no *time* argument is given, the current
time is used, causing the specified master key version to become
active immediately.  The format for *time* is :ref:`getdate` string.

After a new master key becomes active, the kdb5_util
**update_princ_encryption** command can be used to update all
principal keys to be encrypted in the new master key.

list_mkeys
~~~~~~~~~~

**list_mkeys**

List all master keys, from most recent to earliest, in the master key
principal.  The output will show the kvno, enctype, and salt type for
each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**.  A
``*`` following an mkey denotes the currently active master key.

purge_mkeys
~~~~~~~~~~~

**purge_mkeys** [**-f**] [**-n**] [**-v**]

Delete master keys from the master key principal that are not used to
protect any principals.  This command can be used to remove old master
keys once all principal keys are protected by a newer master key.

**-f**
    does not prompt for confirmation.

**-n**
    performs a dry run, showing master keys that would be purged, but
    not actually purging any keys.

**-v**
    gives more verbose output.
update_princ_encryption
~~~~~~~~~~~~~~~~~~~~~~~

**update_princ_encryption** [**-f**] [**-n**] [**-v**]
[*princ-pattern*]

Update all principal records (or only those matching the
*princ-pattern* glob pattern) to re-encrypt the key data using the
active database master key, if they are encrypted using a different
version, and give a count at the end of the number of principals
updated.  If the **-f** option is not given, ask for confirmation
before starting to make changes.  The **-v** option causes each
principal processed to be listed, with an indication as to whether it
needed updating or not.  The **-n** option performs a dry run, only
showing the actions which would have been taken.

tabdump
~~~~~~~

**tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*]
*dumptype*

Dump selected fields of the database in a tabular format suitable for
reporting (e.g., using traditional Unix text processing tools) or
importing into relational databases.  The data format is
tab-separated (default), or optionally comma-separated (CSV), with a
fixed number of columns.  The output begins with a header line
containing field names, unless suppression is requested using the
**-H** option.

The *dumptype* parameter specifies the name of an output table (see
below).

Options:

**-H**
    suppress writing the field names in a header line

**-c**
    use comma separated values (CSV) format, with minimal quoting,
    instead of the default tab-separated (unquoted, unescaped) format

**-e**
    write empty hexadecimal string fields as empty fields instead of
    as "-1".

**-n**
    produce numeric output for fields that normally have symbolic
    output, such as enctypes and flag names.  Also requests output of
    time stamps as decimal POSIX time_t values.
**-o** *outfile* write the dump to the specified output file instead of to standard output Dump types: **keydata** principal encryption key information, including actual key data (which is still encrypted in the master key) **name** principal name **keyindex** index of this key in the principal's key list **kvno** key version number **enctype** encryption type **key** key data as a hexadecimal string **salttype** salt type **salt** salt data as a hexadecimal string **keyinfo** principal encryption key information (as in **keydata** above), excluding actual key data **princ_flags** principal boolean attributes. Flag names print as hexadecimal numbers if the **-n** option is specified, and all flag positions are printed regardless of whether or not they are set. If **-n** is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set. **name** principal name **flag** flag name **value** boolean value (0 for clear, or 1 for set) **princ_lockout** state information used for tracking repeated password failures **name** principal name **last_success** time stamp of most recent successful authentication **last_failed** time stamp of most recent failed authentication **fail_count** count of failed attempts **princ_meta** principal metadata **name** principal name **modby** name of last principal to modify this principal **modtime** timestamp of last modification **lastpwd** timestamp of last password change **policy** policy object name **mkvno** key version number of the master key that encrypts this principal's key data **hist_kvno** key version number of the history key that encrypts the key history data for this principal **princ_stringattrs** string attributes (key/value pairs) **name** principal name **key** attribute name **value** attribute value **princ_tktpolicy** per-principal ticket policy data, including maximum ticket lifetimes **name** principal name **expiration** principal expiration 
date

    **pw_expiration** password expiration date

    **max_life** maximum ticket lifetime

    **max_renew_life** maximum renewable ticket lifetime

Examples::

    $ kdb5_util tabdump -o keyinfo.txt keyinfo
    $ cat keyinfo.txt
    name keyindex kvno enctype salttype salt
    K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
    foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
    bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1
    $ sqlite3
    sqlite> .mode tabs
    sqlite> .import keyinfo.txt keyinfo
    sqlite> select * from keyinfo where enctype like 'aes256-%';
    K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1
    sqlite> .quit
    $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
    K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/admin/admin_commands/kadmin_local.rst

.. _kadmin(1):

kadmin
======

SYNOPSIS
--------

.. _kadmin_synopsis:

**kadmin** [**-O**\|\ **-N**] [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] [**-w** *password*] [**-s** *admin_server*\ [:*port*]] [command args...]

**kadmin.local** [**-r** *realm*] [**-p** *principal*] [**-q** *query*] [**-d** *dbname*] [**-e** *enc*:*salt* ...] [**-m**] [**-x** *db_args*] [command args...]

.. _kadmin_synopsis_end:

DESCRIPTION
-----------

kadmin and kadmin.local are command-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC database, while kadmin performs operations using :ref:`kadmind(8)`. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions.

kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables (keytabs).
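Before the kadmin options, a worked example that builds on the ``kdb5_util tabdump`` output shown above. It is an added example, not part of the krb5 documentation or source: two constructed dumps stand in for ``kdb5_util tabdump keyinfo`` and ``kdb5_util tabdump princ_flags``, and three awk filters answer the questions an auditor usually asks of them: which principals still hold keys of deprecated enctypes, which have no AES key at all, and which can be AS-REP roasted because ``REQUIRES_PRE_AUTH`` is clear. The ``keyinfo`` columns are the ones documented above; the assumption that ``princ_flags`` prints the symbolic flag name in its second column and ``0``/``1`` in its third is mine and should be checked against a real dump.

```shell
#!/bin/sh
# Added example, not part of krb5 or its documentation: audit the output of
# "kdb5_util tabdump keyinfo" and "kdb5_util tabdump princ_flags" for
# long-term keys of deprecated enctypes and for principals that can be
# AS-REP roasted because they do not require preauthentication.
# Assumptions: keyinfo columns are those shown in the manual (name keyindex
# kvno enctype salttype salt); princ_flags prints one row per principal and
# flag with the symbolic flag name (e.g. REQUIRES_PRE_AUTH) in column 2 and
# 0/1 in column 3.  Check both against a real dump before relying on this.
LC_ALL=C
export LC_ALL

# Constructed stand-in for "kdb5_util tabdump keyinfo" (tab separated).
sample_keyinfo() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        name keyindex kvno enctype salttype salt \
        K/M@EXAMPLE.COM 0 1 aes256-cts-hmac-sha384-192 normal -1 \
        krbtgt/EXAMPLE.COM@EXAMPLE.COM 0 2 aes256-cts-hmac-sha1-96 normal -1 \
        krbtgt/EXAMPLE.COM@EXAMPLE.COM 1 2 arcfour-hmac normal -1 \
        alice@EXAMPLE.COM 0 3 aes256-cts-hmac-sha1-96 normal -1 \
        alice@EXAMPLE.COM 1 3 aes128-cts-hmac-sha1-96 normal -1 \
        bob@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 \
        legacy@EXAMPLE.COM 0 1 des3-cbc-sha1 normal -1 \
        host/old.example.com@EXAMPLE.COM 0 1 des-cbc-crc normal -1
}

# Constructed stand-in for "kdb5_util tabdump princ_flags", reduced to the
# two flags this audit reads.
sample_princ_flags() {
    printf '%s\t%s\t%s\n' \
        name flag value \
        K/M@EXAMPLE.COM REQUIRES_PRE_AUTH 0 \
        K/M@EXAMPLE.COM DISALLOW_ALL_TIX 1 \
        alice@EXAMPLE.COM REQUIRES_PRE_AUTH 1 \
        alice@EXAMPLE.COM DISALLOW_ALL_TIX 0 \
        bob@EXAMPLE.COM REQUIRES_PRE_AUTH 0 \
        bob@EXAMPLE.COM DISALLOW_ALL_TIX 0 \
        legacy@EXAMPLE.COM REQUIRES_PRE_AUTH 0 \
        legacy@EXAMPLE.COM DISALLOW_ALL_TIX 0 \
        host/old.example.com@EXAMPLE.COM REQUIRES_PRE_AUTH 1 \
        host/old.example.com@EXAMPLE.COM DISALLOW_ALL_TIX 0
}

# Keys of the enctype families deprecated in krb5 1.19 (single DES, triple
# DES, RC4).  A ticket encrypted in such a key can be cracked offline.
# Output: principal, kvno, enctype (tab separated), in dump order.
weak_keys() {
    awk -F'\t' 'NR > 1 && $4 ~ /^(des|des3|arcfour)-/ { print $1 "\t" $3 "\t" $4 }'
}

# Principals with no AES key at all: every ticket for them, and every
# session with them, is protected by a weak key.
no_aes_key() {
    awk -F'\t' 'NR > 1 { seen[$1] = 1; if ($4 ~ /^aes/) aes[$1] = 1 }
                END { for (p in seen) if (!(p in aes)) print p }' | sort
}

# Principals that can get an AS-REP without proving knowledge of their key
# (REQUIRES_PRE_AUTH clear): anyone can request that AS-REP and brute-force
# the password offline.  Principals disabled with DISALLOW_ALL_TIX are not
# reported because the KDC issues nothing for them.
no_preauth() {
    awk -F'\t' 'NR > 1 && $2 == "REQUIRES_PRE_AUTH" && $3 == 0 { cand[$1] = 1 }
                NR > 1 && $2 == "DISALLOW_ALL_TIX"  && $3 == 1 { off[$1] = 1 }
                END { for (p in cand) if (!(p in off)) print p }' | sort
}

# With real dumps, feed "kdb5_util tabdump keyinfo" and
# "kdb5_util tabdump princ_flags" into the three filters instead.
audit() {
    echo "== keys of deprecated enctypes (principal, kvno, enctype)"
    sample_keyinfo | weak_keys
    echo "== principals without any AES key"
    sample_keyinfo | no_aes_key
    echo "== principals that do not require preauthentication"
    sample_princ_flags | no_preauth
}

audit
```

Run it on a KDC as ``kdb5_util tabdump keyinfo | weak_keys`` and ``kdb5_util tabdump princ_flags | no_preauth``; the dump files contain no key material (``keyinfo`` deliberately omits it), so they can be copied off the KDC for analysis, unlike a ``keydata`` dump.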
The remote kadmin client uses Kerberos to authenticate to kadmind using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server). If the credentials cache contains a ticket for one of these principals, and the **-c** credentials_cache option is specified, that ticket is used to authenticate to kadmind. Otherwise, the **-p** and **-k** options are used to specify the client Kerberos principal name used to authenticate. Once kadmin has determined the principal name, it requests a service ticket from the KDC, and uses that service ticket to authenticate to kadmind. Since kadmin.local directly accesses the KDC database, it usually must be run directly on the primary KDC with sufficient permissions to read the KDC database. If the KDC database uses the LDAP database module, kadmin.local can be run on any host which can access the LDAP server. OPTIONS ------- .. _kadmin_options: **-r** *realm* Use *realm* as the default database realm. **-p** *principal* Use *principal* to authenticate. Otherwise, kadmin will append ``/admin`` to the primary principal name of the default ccache, the value of the **USER** environment variable, or the username as obtained with getpwuid, in order of preference. **-k** Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be ``host/hostname``. If there is no keytab specified with the **-t** option, then the default keytab will be used. **-t** *keytab* Use *keytab* to decrypt the KDC response. This can only be used with the **-k** option. **-n** Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name). 
If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use ``kinit -n`` with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. **-c** *credentials_cache* Use *credentials_cache* as the credentials cache. The cache should contain a service ticket for the ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified hostname of the admin server) service; it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. **-w** *password* Use *password* instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. **-q** *query* Perform the specified query and then exit. **-d** *dbname* Specifies the name of the KDC database. This option does not apply to the LDAP database module. **-s** *admin_server*\ [:*port*] Specifies the admin server which kadmin should contact. **-m** If using kadmin.local, prompt for the database master password instead of reading it from a stash file. **-e** "*enc*:*salt* ..." Sets the keysalt list to be used for any new keys created. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-O** Force use of old AUTH_GSSAPI authentication flavor. **-N** Prevent fallback to AUTH_GSSAPI authentication flavor. **-x** *db_args* Specifies the database specific arguments. See the next section for supported options. .. _kadmin_options_end: Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. 
This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects:

* Query arguments are split by the shell, not by kadmin.
* Informational and warning messages are suppressed. Error messages and query output (e.g. for **get_principal**) will still be displayed.
* Confirmation prompts are disabled (as if **-force** was given). Password prompts will still be issued as required.
* The exit status will be non-zero if the query fails.

The **-q** option does not carry these behavior differences; the query will be processed as if it was entered interactively. The **-q** option cannot be used in combination with a query in the remaining arguments.

.. _dboptions:

DATABASE OPTIONS
----------------

Database options can be used to override database-specific defaults. Supported options for the DB2 module are:

**-x dbname=**\ *filename*
    Specifies the base filename of the DB2 database.

**-x lockiter**
    Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13.

**-x unlockiter**
    Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13.

Supported options for the LDAP module are:

**-x host=**\ *ldapuri*
    Specifies the LDAP server to connect to by an LDAP URI.

**-x binddn=**\ *bind_dn*
    Specifies the DN used to bind to the LDAP server.

**-x bindpwd=**\ *password*
    Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the **stashsrvpw** command of :ref:`kdb5_ldap_util(8)`.
**-x sasl_mech=**\ *mechanism*
    Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13.

**-x sasl_authcid=**\ *name*
    Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13.

**-x sasl_authzid=**\ *name*
    Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13.

**-x sasl_realm=**\ *realm*
    Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13.

**-x debug=**\ *level*
    Sets the OpenLDAP client library debug level. *level* is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12.

COMMANDS
--------

When using the remote client, available commands may be restricted according to the privileges specified in the :ref:`kadm5.acl(5)` file on the admin server.

.. _add_principal:

add_principal
~~~~~~~~~~~~~

**add_principal** [*options*] *newprinc*

Creates the principal *newprinc*, prompting twice for a password. If no password policy is specified with the **-policy** option, the policy named ``default`` is assigned to the principal if it exists. However, creating a policy named ``default`` will not automatically assign this policy to previously existing principals. This policy assignment can be suppressed with the **-clearpolicy** option.

This command requires the **add** privilege.

Aliases: **addprinc**, **ank**

Options:

**-expire** *expdate*
    (:ref:`getdate` string) The expiration date of the principal.

**-pwexpire** *pwexpdate*
    (:ref:`getdate` string) The password expiration date.

**-maxlife** *maxlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life for the principal.

**-maxrenewlife** *maxrenewlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum renewable life of tickets for the principal.
**-kvno** *kvno* The initial key version number. **-policy** *policy* The password policy used by this principal. If not specified, the policy ``default`` is used if it exists (unless **-clearpolicy** is specified). **-clearpolicy** Prevents any policy from being assigned when **-policy** is not specified. {-\|+}\ **allow_postdated** **-allow_postdated** prohibits this principal from obtaining postdated tickets. **+allow_postdated** clears this flag. {-\|+}\ **allow_forwardable** **-allow_forwardable** prohibits this principal from obtaining forwardable tickets. **+allow_forwardable** clears this flag. {-\|+}\ **allow_renewable** **-allow_renewable** prohibits this principal from obtaining renewable tickets. **+allow_renewable** clears this flag. {-\|+}\ **allow_proxiable** **-allow_proxiable** prohibits this principal from obtaining proxiable tickets. **+allow_proxiable** clears this flag. {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal's TGT session key. **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate before being allowed to kinit. **-requires_preauth** clears this flag. When **+requires_preauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using preauthentication. {-\|+}\ **requires_hwauth** **+requires_hwauth** requires this principal to preauthenticate using a hardware device before being allowed to kinit. **-requires_hwauth** clears this flag. When **+requires_hwauth** is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using a hardware device to preauthenticate. 
{-\|+}\ **ok_as_delegate** **+ok_as_delegate** sets the **okay as delegate** flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. **-ok_as_delegate** clears this flag. {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed unless the **-allow_dup_skey** flag is also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. **+allow_tgs_req** clears this flag. {-\|+}\ **allow_tix** **-allow_tix** forbids the issuance of any tickets for this principal. **+allow_tix** clears this flag. {-\|+}\ **needchange** **+needchange** forces a password change on the next initial authentication to this principal. **-needchange** clears this flag. {-\|+}\ **password_changing_service** **+password_changing_service** marks this principal as a password change service principal. {-\|+}\ **ok_to_auth_as_delegate** **+ok_to_auth_as_delegate** allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. {-\|+}\ **no_auth_data_required** **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal. {-\|+}\ **lockdown_keys** **+lockdown_keys** prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. 
This attribute can be set via the network protocol, but can only be removed using kadmin.local. **-randkey** Sets the key of the principal to a random value. **-nokey** Causes the principal to be created with no key. New in release 1.12. **-pw** *password* Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-x** *db_princ_args* Indicates database-specific options. The options for the LDAP database module are: **-x dn=**\ *dn* Specifies the LDAP object that will contain the Kerberos principal being created. **-x linkdn=**\ *dn* Specifies the LDAP object to which the newly created Kerberos principal object will point. **-x containerdn=**\ *container_dn* Specifies the container object under which the Kerberos principal is to be created. **-x tktpolicy=**\ *policy* Associates a ticket policy to the Kerberos principal. .. note:: - The **containerdn** and **linkdn** options cannot be specified with the **dn** option. - If the *dn* or *containerdn* options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm container. - *dn* and *containerdn* should be within the subtrees or principal container configured in the realm. Example:: kadmin: addprinc jennifer No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal jennifer@ATHENA.MIT.EDU: Re-enter password for principal jennifer@ATHENA.MIT.EDU: Principal "jennifer@ATHENA.MIT.EDU" created. kadmin: .. _add_principal_end: .. 
_modify_principal: modify_principal ~~~~~~~~~~~~~~~~ **modify_principal** [*options*] *principal* Modifies the specified principal, changing the fields as specified. The options to **add_principal** also apply to this command, except for the **-randkey**, **-pw**, and **-e** options. In addition, the option **-clearpolicy** will clear the current policy of a principal. This command requires the *modify* privilege. Alias: **modprinc** Options (in addition to the **addprinc** options): **-unlock** Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. .. _modify_principal_end: .. _rename_principal: rename_principal ~~~~~~~~~~~~~~~~ **rename_principal** [**-force**] *old_principal* *new_principal* Renames the specified *old_principal* to *new_principal*. This command prompts for confirmation, unless the **-force** option is given. This command requires the **add** and **delete** privileges. Alias: **renprinc** .. _rename_principal_end: .. _delete_principal: delete_principal ~~~~~~~~~~~~~~~~ **delete_principal** [**-force**] *principal* Deletes the specified *principal* from the database. This command prompts for deletion, unless the **-force** option is given. This command requires the **delete** privilege. Alias: **delprinc** .. _delete_principal_end: .. _change_password: change_password ~~~~~~~~~~~~~~~ **change_password** [*options*] *principal* Changes the password of *principal*. Prompts for a new password if neither **-randkey** or **-pw** is specified. This command requires the **changepw** privilege, or that the principal running the program is the same as the principal being changed. Alias: **cpw** The following options are available: **-randkey** Sets the key of the principal to a random value. **-pw** *password* Set the password to the specified string. 
Using this option in a script may expose the password to other users on the system via the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values.

**-keepold**
    Keeps the existing keys in the database. This flag is usually not necessary except perhaps for ``krbtgt`` principals. Retained keys stay usable: for ``krbtgt`` this means tickets issued under the old key are still accepted by the KDC until the old keys are removed with **purgekeys**, so do not use it when rotating a key believed to be compromised.

Example::

    kadmin: cpw systest
    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
    kadmin:

.. _change_password_end:

.. _purgekeys:

purgekeys
~~~~~~~~~

**purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*

Purges previously retained old keys (e.g., from **change_password -keepold**) from *principal*. If **-keepkvno** is specified, then only purges keys with kvnos lower than *oldest_kvno_to_keep*. If **-all** is specified, then all keys are purged. The **-all** option is new in release 1.12.

This command requires the **modify** privilege.

.. _purgekeys_end:

.. _get_principal:

get_principal
~~~~~~~~~~~~~

**get_principal** [**-terse**] *principal*

Gets the attributes of principal. With the **-terse** option, outputs fields as quoted tab-separated strings.

This command requires the **inquire** privilege, or that the principal running the program is the same as the one being listed.
Alias: **getprinc** Examples:: kadmin: getprinc tlyu/admin Principal: tlyu/admin@BLEEP.COM Expiration date: [never] Last password change: Mon Aug 12 14:16:47 EDT 1996 Password expiration date: [never] Maximum ticket life: 0 days 10:00:00 Maximum renewable life: 7 days 00:00:00 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, aes256-cts-hmac-sha384-192 MKey: vno 1 Attributes: Policy: [none] kadmin: getprinc -terse systest systest@BLEEP.COM 3 86400 604800 1 785926535 753241234 785900000 tlyu/admin@BLEEP.COM 786100034 0 0 kadmin: .. _get_principal_end: .. _list_principals: list_principals ~~~~~~~~~~~~~~~ **list_principals** [*expression*] Retrieves all or some principal names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an ``@`` character, an ``@`` character followed by the local realm is appended to the expression. This command requires the **list** privilege. Alias: **listprincs**, **get_principals**, **getprincs** Example:: kadmin: listprincs test* test3@SECURE-TEST.OV.COM test2@SECURE-TEST.OV.COM test1@SECURE-TEST.OV.COM testuser@SECURE-TEST.OV.COM kadmin: .. _list_principals_end: .. _get_strings: get_strings ~~~~~~~~~~~ **get_strings** *principal* Displays string attributes on *principal*. This command requires the **inquire** privilege. Alias: **getstrs** .. _get_strings_end: .. _set_string: set_string ~~~~~~~~~~ **set_string** *principal* *name* *value* Sets a string attribute on *principal*. String attributes are used to supply per-principal configuration to the KDC and some KDC plugin modules. 
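The last three authentication fields in the **getprinc** output above ("Last successful authentication", "Last failed authentication", "Failed password attempts") are the KDC's lockout state for the principal. What the KDC does with that state is governed by the **-maxfailure**, **-failurecountinterval** and **-lockoutduration** options of **add_policy**, described later on this page, and their interaction is easier to see by simulation than from the three definitions. The following shell script is an added example, not krb5 code or documentation: it models the rules as this manual states them (a failure more than the interval after the previous one restarts the count at 1, a success resets it to 0, reaching the maximum locks the principal, a lockout duration of 0 lasts until ``modprinc -unlock``) and adds two assumptions of mine, that a request arriving while the principal is locked is refused without touching the counters and that ``modprinc -unlock`` simply zeroes the count.

```shell
#!/bin/sh
# Added example, not krb5 code: a model of the KDC's account-lockout state
# machine.  The state is the trio shown by getprinc ("Last successful
# authentication", "Last failed authentication", "Failed password
# attempts"); the knobs are the add_policy options -maxfailure (MAXFAIL),
# -failurecountinterval (INTERVAL) and -lockoutduration (LOCKDUR).
# Rules taken from this manual: a failure more than INTERVAL seconds after
# the previous one restarts the count at 1; a success resets it to 0; when
# the count reaches MAXFAIL the principal is locked; LOCKDUR 0 means locked
# until "modprinc -unlock".  Assumed, because the manual does not say so:
# a request that arrives while the principal is locked is refused without
# touching the counters, and "modprinc -unlock" simply zeroes the count.
fail_count=0
last_failed=0
last_success=0

# is_locked MAXFAIL LOCKDUR NOW: exit status 0 if the principal is locked.
is_locked() {
    [ "$1" -gt 0 ] || return 1                 # -maxfailure 0: lockout disabled
    [ "$fail_count" -ge "$1" ] || return 1     # threshold not reached
    [ "$2" -gt 0 ] || return 0                 # -lockoutduration 0: until unlock
    [ $(($3 - last_failed)) -lt "$2" ]         # still inside the lockout window
}

# simulate MAXFAIL INTERVAL LOCKDUR EVENT...
# EVENT is TIME:KIND; KIND is "fail" (bad password), "ok" (good password)
# or "unlock" (modprinc -unlock).  Prints one line per event:
#   TIME KIND OUTCOME FAIL_COUNT
simulate() {
    maxfail=$1; interval=$2; lockdur=$3; shift 3
    fail_count=0; last_failed=0; last_success=0
    for ev in "$@"; do
        now=${ev%%:*}; kind=${ev#*:}
        if [ "$kind" = unlock ]; then
            fail_count=0; outcome=unlocked
        elif is_locked "$maxfail" "$lockdur" "$now"; then
            outcome=REVOKED                    # KDC refuses; counters untouched
        elif [ "$kind" = ok ]; then
            fail_count=0; last_success=$now; outcome=granted
        else
            if [ "$interval" -gt 0 ] && [ $((now - last_failed)) -gt "$interval" ]; then
                fail_count=0                   # window elapsed: count restarts
            fi
            last_failed=$now
            fail_count=$((fail_count + 1))
            outcome=preauth-failed
        fi
        echo "$now $kind $outcome $fail_count"
    done
}

demo() {
    echo "== maxfailure 3, failurecountinterval 60, lockoutduration 120"
    simulate 3 60 120 0:fail 10:fail 20:fail 30:ok 150:ok
    echo "== same, but failurecountinterval 0: the stale count survives the lockout"
    simulate 3 0 120 0:fail 10:fail 20:fail 150:fail 160:ok
    echo "== lockoutduration 0: locked until an administrator unlocks"
    simulate 3 0 0 0:fail 10:fail 20:fail 100000:ok 100001:unlock 100002:ok
}

demo
```

The second scenario is the one to remember when writing a policy: with **-failurecountinterval** left at 0 the count never ages out, so once the lockout duration has passed a single further failure relocks the principal, and the correct password is refused again. Pair **-lockoutduration** with a finite **-failurecountinterval** unless that behaviour is intended. The model only applies to principals with **+requires_preauth**, since the manual notes that failures are tracked only for those.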
The following string attribute names are recognized by the KDC: **require_auth** Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) **session_enctypes** Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values. **otp** Enables One Time Passwords (OTP) preauthentication for a client *principal*. The *value* is a JSON string representing an array of objects, each having optional ``type`` and ``username`` fields. **pkinit_cert_match** Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the **pkinit_cert_match** option in :ref:`krb5.conf(5)`. (New in release 1.16.) This command requires the **modify** privilege. Alias: **setstr** Example:: set_string host/foo.mit.edu session_enctypes aes128-cts set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" .. _set_string_end: .. _del_string: del_string ~~~~~~~~~~ **del_string** *principal* *key* Deletes a string attribute from *principal*. This command requires the **delete** privilege. Alias: **delstr** .. _del_string_end: .. _add_policy: add_policy ~~~~~~~~~~ **add_policy** [*options*] *policy* Adds a password policy named *policy* to the database. This command requires the **add** privilege. Alias: **addpol** The following options are available: **-maxlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the maximum lifetime of a password. **-minlife** *time* (:ref:`duration` or :ref:`getdate` string) Sets the minimum lifetime of a password. **-minlength** *length* Sets the minimum length of a password. 
**-minclasses** *number* Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. **-history** *number* Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. .. _policy_maxfailure: **-maxfailure** *maxnumber* Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A *maxnumber* value of 0 (the default) disables lockout. .. _policy_failurecountinterval: **-failurecountinterval** *failuretime* (:ref:`duration` or :ref:`getdate` string) Sets the allowable time between authentication failures. If an authentication failure happens after *failuretime* has elapsed since the previous failure, the number of authentication failures is reset to 1. A *failuretime* value of 0 (the default) means forever. .. _policy_lockoutduration: **-lockoutduration** *lockouttime* (:ref:`duration` or :ref:`getdate` string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with ``modprinc -unlock``. **-allowedkeysalts** Specifies the key/salt tuples supported for long-term keys when setting or changing a principal's password/keys. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the accepted values, but note that key/salt tuples must be separated with commas (',') only. To clear the allowed key/salt policy use a value of '-'. Example:: kadmin: add_policy -maxlife "2 days" -minlength 5 guests kadmin: .. _add_policy_end: .. 
_modify_policy: modify_policy ~~~~~~~~~~~~~ **modify_policy** [*options*] *policy* Modifies the password policy named *policy*. Options are as described for **add_policy**. This command requires the **modify** privilege. Alias: **modpol** .. _modify_policy_end: .. _delete_policy: delete_policy ~~~~~~~~~~~~~ **delete_policy** [**-force**] *policy* Deletes the password policy named *policy*. Prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. This command requires the **delete** privilege. Alias: **delpol** Example:: kadmin: del_policy guests Are you sure you want to delete the policy "guests"? (yes/no): yes kadmin: .. _delete_policy_end: .. _get_policy: get_policy ~~~~~~~~~~ **get_policy** [ **-terse** ] *policy* Displays the values of the password policy named *policy*. With the **-terse** flag, outputs the fields as quoted strings separated by tabs. This command requires the **inquire** privilege. Alias: **getpol** Examples:: kadmin: get_policy admin Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin: get_policy -terse admin admin 15552000 0 6 2 5 17 kadmin: The "Reference count" is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful. .. _get_policy_end: .. _list_policies: list_policies ~~~~~~~~~~~~~ **list_policies** [*expression*] Retrieves all or some policy names. *expression* is a shell-style glob expression that can contain the wild-card characters ``?``, ``*``, and ``[]``. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. This command requires the **list** privilege. Aliases: **listpols**, **get_policies**, **getpols**. 
Examples:: kadmin: listpols test-pol dict-only once-a-min test-pol-nopw kadmin: listpols t* test-pol test-pol-nopw kadmin: .. _list_policies_end: .. _ktadd: ktadd ~~~~~ | **ktadd** [options] *principal* | **ktadd** [options] **-glob** *princ-exp* Adds a *principal*, or all principals matching *princ-exp*, to a keytab file. Each principal's keys are randomized in the process. The rules for *princ-exp* are described in the **list_principals** command. This command requires the **inquire** and **changepw** privileges. With the **-glob** form, it also requires the **list** privilege. The options are: **-k[eytab]** *keytab* Use *keytab* as the keytab file. Otherwise, the default keytab is used. **-e** *enc*:*salt*,... Uses the specified keysalt list for setting the new keys of the principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible values. **-q** Display less verbose information. **-norandkey** Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the **-e** option. An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. Alias: **xst** Example:: kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/tmp/foo-new-keytab kadmin: .. _ktadd_end: .. _ktremove: ktremove ~~~~~~~~ **ktremove** [options] *principal* [*kvno* | *all* | *old*] Removes entries for the specified *principal* from a keytab. Requires no permissions, since this does not require database access. If the string "all" is specified, all entries for that principal are removed; if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. 
Otherwise, the value specified is parsed as an integer, and all entries whose kvno match that integer are removed.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, the default keytab is used.

**-q**
    Display less verbose information.

Alias: **ktrem**

Example::

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab FILE:/etc/krb5.keytab
    kadmin:

.. _ktremove_end:

lock
~~~~

Lock database exclusively. Use with extreme caution! This command only works with the DB2 KDC database module.

unlock
~~~~~~

Release the exclusive database lock.

list_requests
~~~~~~~~~~~~~

Lists the requests available in kadmin.

Aliases: **lr**, **?**

quit
~~~~

Exit program. If the database was locked, the lock is released.

Aliases: **exit**, **q**

HISTORY
-------

The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment variables.

SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/admin/admin_commands/k5srvutil.rst

.. _k5srvutil(1):

k5srvutil
=========

SYNOPSIS
--------

**k5srvutil** *operation* [**-i**] [**-f** *filename*] [**-e** *keysalts*]

DESCRIPTION
-----------

k5srvutil allows an administrator to list keys currently in a keytab, to obtain new keys for a principal currently in a keytab, or to delete non-current keys from a keytab.

*operation* must be one of the following:

**list**
    Lists the keys in a keytab, showing version number and principal name.

**change**
    Uses the kadmin protocol to update the keys in the Kerberos database to new randomly-generated keys, and updates the keys in the keytab to match. If a key's version number doesn't match the version number stored in the Kerberos server's database, then the operation will fail.
    If the **-i** flag is given, k5srvutil will prompt for confirmation before changing each key. If the **-k** option is given, the old and new keys will be displayed. Ordinarily, keys will be generated with the default encryption types and key salts. This can be overridden with the **-e** option. Old keys are retained in the keytab so that existing tickets continue to work, but **delold** should be used after such tickets expire, to prevent attacks against the old keys.

**delold**
    Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the **-i** flag is given, then k5srvutil will prompt for confirmation for each principal.

**delete**
    Deletes particular keys in the keytab, interactively prompting for each key.

In all cases, the default keytab is used unless this is overridden by the **-f** option.

k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in place.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/admin/admin_commands/kproplog.rst

.. _kproplog(8):

kproplog
========

SYNOPSIS
--------

**kproplog** [**-h**] [**-e** *num*] [**-v**]

**kproplog** [**-R**]

DESCRIPTION
-----------

The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the update log maintained by the :ref:`kadmind(8)` process on the primary KDC server and the :ref:`kpropd(8)` process on the replica KDC servers. When updates occur, they are logged to this file.
Subsequently any KDC replica configured for incremental updates will
request the current data from the primary KDC and update their log
file with any updates returned.

The kproplog command requires read access to the update log file.  It
will display update entries only for the KDC it runs on.

If no options are specified, kproplog displays a summary of the update
log.  If invoked on the primary, kproplog also displays all of the
update entries.  If invoked on a replica KDC server, kproplog displays
only a summary of the updates, which includes the serial number of the
last update received and the associated time stamp of the last update.

OPTIONS
-------

**-R**
    Reset the update log.  This forces full resynchronization.  If used
    on a replica then that replica will request a full resync.  If used
    on the primary then all replicas will request full resyncs.

**-h**
    Display a summary of the update log.  This information includes
    the database version number, state of the database, the number of
    updates in the log, the time stamp of the first and last update,
    and the version number of the first and last update entry.

**-e** *num*
    Display the last *num* update entries in the log.  This is useful
    when debugging synchronization between KDC servers.

**-v**
    Display individual attributes per update.  An example of the
    output generated for one entry::

        Update Entry
           Update serial # : 4
           Update operation : Add
           Update principal : test@EXAMPLE.COM
           Update size : 424
           Update committed : True
           Update time stamp : Fri Feb 20 23:37:42 2004
           Attributes changed : 6
                 Principal
                 Key data
                 Password last changed
                 Modifying principal
                 Modification time
                 TL data

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpropd(8)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/admin/admin_commands/index.rst

Administration programs
=======================

.. toctree::
   :maxdepth: 1

   kadmin_local.rst
   kadmind.rst
   kdb5_util.rst
   kdb5_ldap_util.rst
   krb5kdc.rst
   kprop.rst
   kpropd.rst
   kproplog.rst
   ktutil.rst
   k5srvutil.rst
   sserver.rst

krb5-1.19.2/doc/admin/admin_commands/kpropd.rst

.. _kpropd(8):

kpropd
======

SYNOPSIS
--------

**kpropd**
[**-r** *realm*]
[**-A** *admin_server*]
[**-a** *acl_file*]
[**-f** *replica_dumpfile*]
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
[**--pid-file**\ =\ *pid_file*]
[**-D**]
[**-d**]
[**-s** *keytab_file*]

DESCRIPTION
-----------

The *kpropd* command runs on the replica KDC server.  It listens for
update requests made by the :ref:`kprop(8)` program.  If incremental
propagation is enabled, it periodically requests incremental updates
from the primary KDC.

When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
:ref:`kdb5_util(8)` to load the dumped database into the active
database which is used by :ref:`krb5kdc(8)`.  This allows the primary
Kerberos server to use :ref:`kprop(8)` to propagate its database to
the replica servers.  Upon a successful download of the KDC database
file, the replica Kerberos server will have an up-to-date KDC
database.

Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service.  This is done by adding a line to
the ``/etc/inetd.conf`` file which looks like this::

    kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

kpropd can also run as a standalone daemon, backgrounding itself and
waiting for connections on port 754 (or the port specified with the
**-P** option if given).  Standalone mode is required for incremental
propagation.  Starting in release 1.11, kpropd automatically detects
whether it was run from inetd and runs in standalone mode if it is
not.
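As an added example (not krb5 code), the following Python performs the
two checks an administrator would want before exposing a replica's
kpropd: that the ``inetd.conf`` line matches the documented form, and
that the kpropd.acl file (described under FILES below; one host principal
per line) grants propagation only to the hosts that are currently
primary KDCs.  The ``host/FQDN@REALM`` form of the entries, the skipping
of blank lines, and both sample files are this example's assumptions and
constructions.

```python
"""Preflight checks for a kpropd replica: kpropd.acl contents and the inetd line.

Added example for the kpropd page; not krb5 code.  kpropd.acl holds one
principal per line (as documented under FILES); the host/FQDN@REALM form of
the entries and the skipping of blank lines are this example's assumptions.
The two sample files are constructed.
"""
import os
import stat

# Constructed kpropd.acl: the current primary plus a decommissioned one that
# was never removed.
SAMPLE_ACL = """\
host/kerberos.example.com@EXAMPLE.COM

host/kerberos-old.example.com@EXAMPLE.COM
"""

# Constructed /etc/inetd.conf excerpt containing the documented kprop line.
SAMPLE_INETD = """\
ftp    stream  tcp  nowait  root  /usr/sbin/in.ftpd        in.ftpd
kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd   kpropd
"""


def load_kpropd_acl(text):
    """Return the list of principals in kpropd.acl text, one per non-blank line.

    An entry without a realm part is rejected: it can never match the
    authenticated principal of a connecting kprop, so it is almost certainly
    a mistake rather than an intended grant.
    """
    principals = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.strip()
        if not entry:
            continue
        if "@" not in entry:
            raise ValueError(f"kpropd.acl line {lineno}: {entry!r} has no realm")
        principals.append(entry)
    return principals


def propagation_allowed(acl, client_principal):
    """True if the connecting principal is listed.  Exact, case-sensitive match."""
    return client_principal in acl


def stale_entries(acl, current_primaries):
    """ACL entries that no longer correspond to a primary KDC.

    Every listed principal may push a complete database that replaces the
    replica's, so entries for retired hosts are a standing risk and should
    be removed.
    """
    return [p for p in acl if p not in current_primaries]


def parse_inetd_kprop(text):
    """Return the fields of the 'kprop' line from inetd.conf text, or None."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) >= 7 and fields[0] == "kprop":
            return {"socket": fields[1], "proto": fields[2], "wait": fields[3],
                    "user": fields[4], "server": fields[5], "args": fields[6:]}
    return None


def lint_inetd_kprop(entry):
    """Compare an inetd kprop line with the form given in the documentation."""
    if entry is None:
        return ["no kprop service line found in inetd.conf"]
    problems = []
    if (entry["socket"], entry["proto"]) != ("stream", "tcp"):
        problems.append("kprop must be a stream/tcp service")
    if entry["wait"] != "nowait":
        problems.append("kpropd is documented as a nowait service")
    if os.path.basename(entry["server"]) != "kpropd":
        problems.append(f"server program is {entry['server']}, expected kpropd")
    return problems


def acl_file_permission_problems(path):
    """Report if the ACL file is writable by group or others.

    Anyone who can edit kpropd.acl can authorise a host to overwrite the
    replica's database, so the file should be writable by root only.
    """
    mode = os.stat(path).st_mode
    problems = []
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    return problems


if __name__ == "__main__":
    acl = load_kpropd_acl(SAMPLE_ACL)
    print("allowed:", propagation_allowed(acl, "host/kerberos.example.com@EXAMPLE.COM"))
    print("stale:", stale_entries(acl, {"host/kerberos.example.com@EXAMPLE.COM"}))
    print("inetd problems:", lint_inetd_kprop(parse_inetd_kprop(SAMPLE_INETD)))
```

On a real replica, feed ``load_kpropd_acl`` the contents of the path
given with **-a** (or the default under ``/usr/local/var/krb5kdc``) and
pass that same path to ``acl_file_permission_problems``.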
Prior to release 1.11, the **-S** option is required to run kpropd in
standalone mode; this option is now accepted for backward
compatibility but does nothing.

Incremental propagation may be enabled with the **iprop_enable**
variable in :ref:`kdc.conf(5)`.  If incremental propagation is
enabled, the replica periodically polls the primary KDC for updates,
at an interval determined by the **iprop_replica_poll** variable.  If
the replica receives updates, kpropd updates its log file with any
updates from the primary.  :ref:`kproplog(8)` can be used to view a
summary of the update entry log on the replica KDC.

If incremental propagation is enabled, the principal
``kiprop/replicahostname@REALM`` (where *replicahostname* is the name
of the replica KDC host, and *REALM* is the name of the Kerberos
realm) must be present in the replica's keytab file.

:ref:`kproplog(8)` can be used to force full replication when iprop is
enabled.

OPTIONS
--------

**-r** *realm*
    Specifies the realm of the primary server.

**-A** *admin_server*
    Specifies the server to be contacted for incremental updates; by
    default, the primary admin server is contacted.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be stored; by default the dumped database file is
    |kdcdir|\ ``/from_master``.

**-F** *kerberos_db*
    Path to the Kerberos database file, if not the default.

**-p**
    Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
    program; by default the pathname used is |sbindir|\ ``/kdb5_util``.

**-D**
    In this mode, kpropd will not detach itself from the current job
    and run in the background.  Instead, it will run in the
    foreground.

**-d**
    Turn on debug mode.  kpropd will print out debugging messages
    during the database propagation and will run in the foreground
    (implies **-D**).

**-P**
    Allow for an alternate port number for kpropd to listen on.  This
    is only useful in combination with the **-S** option.
**-a** *acl_file*
    Allows the user to specify the path to the kpropd.acl file; by
    default the path used is |kdcdir|\ ``/kpropd.acl``.

**--pid-file**\ =\ *pid_file*
    In standalone mode, write the process ID of the daemon into
    *pid_file*.

**-s** *keytab_file*
    Path to a keytab to use for acquiring acceptor credentials.

**-x** *db_args*
    Database-specific arguments.  See :ref:`Database Options ` in
    :ref:`kadmin(1)` for supported arguments.

FILES
-----

kpropd.acl
    Access file for kpropd; the default location is
    ``/usr/local/var/krb5kdc/kpropd.acl``.  Each entry is a line
    containing the principal of a host from which the local machine
    will allow Kerberos database propagation via :ref:`kprop(8)`.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`, inetd(8)

krb5-1.19.2/doc/admin/admin_commands/sserver.rst

.. _sserver(8):

sserver
=======

SYNOPSIS
--------

**sserver** [ **-p** *port* ] [ **-S** *keytab* ] [ *server_port* ]

DESCRIPTION
-----------

sserver and :ref:`sclient(1)` are a simple demonstration client/server
application.  When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication.  It makes a
good test that Kerberos has been successfully installed on a machine.

The service name used by sserver and sclient is sample.  Hence,
sserver will require that there be a keytab entry for the service
``sample/hostname.domain.name@REALM.NAME``.  This keytab is generated
using the :ref:`kadmin(1)` program.  The keytab file is usually
installed as |keytab|.

The **-S** option allows for a different keytab than the default.
sserver is normally invoked out of inetd(8), using a line in
``/etc/inetd.conf`` that looks like this::

    sample  stream  tcp  nowait  root  /usr/local/sbin/sserver  sserver

Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
like this::

    sample  13135/tcp

When using sclient, you will first have to have an entry in the
Kerberos database, by using :ref:`kadmin(1)`, and then you have to get
Kerberos tickets, by using :ref:`kinit(1)`.  Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
files.

When you run sclient you should see something like this::

    sendauth succeeded, reply is:
    reply len 32, contents:
    You are nlgilman@JIMI.MIT.EDU

COMMON ERROR MESSAGES
---------------------

1) kinit returns the error::

       kinit: Client not found in Kerberos database while getting
           initial credentials

   This means that you didn't create an entry for your username in the
   Kerberos database.

2) sclient returns the error::

       unknown service sample/tcp; check /etc/services

   This means that you don't have an entry in /etc/services for the
   sample tcp port.

3) sclient returns the error::

       connect: Connection refused

   This probably means you didn't edit /etc/inetd.conf correctly, or
   you didn't restart inetd after editing inetd.conf.

4) sclient returns the error::

       sclient: Server not found in Kerberos database while using
           sendauth

   This means that the ``sample/hostname@LOCAL.REALM`` service was not
   defined in the Kerberos database; it should be created using
   :ref:`kadmin(1)`, and a keytab file needs to be generated to make
   the key for that service principal available for sclient.

5) sclient returns the error::

       sendauth rejected, error reply is: "No such file or directory"

   This probably means sserver couldn't find the keytab file.
   It was probably not installed in the proper directory.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8)

krb5-1.19.2/doc/admin/database.rst

Database administration
=======================

A Kerberos database contains all of a realm's Kerberos principals,
their passwords, and other administrative information about each
principal.  For the most part, you will use the :ref:`kdb5_util(8)`
program to manipulate the Kerberos database as a whole, and the
:ref:`kadmin(1)` program to make changes to the entries in the
database.  (One notable exception is that users will use the
:ref:`kpasswd(1)` program to change their own passwords.)  The kadmin
program has its own command-line interface, to which you type the
database administration commands.

:ref:`kdb5_util(8)` provides a means to create, delete, load, or dump
a Kerberos database.  It also contains commands to roll over the
database master key, and to stash a copy of the key so that the
:ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons can use the database
without manual input.

:ref:`kadmin(1)` provides for the maintenance of Kerberos principals,
password policies, and service key tables (keytabs).  Normally it
operates as a network client using Kerberos authentication to
communicate with :ref:`kadmind(8)`, but there is also a variant, named
kadmin.local, which directly accesses the Kerberos database on the
local filesystem (or through LDAP).  kadmin.local is necessary to set
up enough of the database to be able to use the remote version.

kadmin can authenticate to the admin server using the service
principal ``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the
hostname of the admin server).
If the credentials cache contains a ticket for either service
principal and the **-c** ccache option is specified, that ticket is
used to authenticate to KADM5.  Otherwise, the **-p** and **-k**
options are used to specify the client Kerberos principal name used to
authenticate.  Once kadmin has determined the principal name, it
requests a ``kadmin/admin`` Kerberos service ticket from the KDC, and
uses that service ticket to authenticate to KADM5.

See :ref:`kadmin(1)` for the available kadmin and kadmin.local
commands and options.

kadmin options
--------------

You can invoke :ref:`kadmin(1)` or kadmin.local with any of the
following options:

.. include:: admin_commands/kadmin_local.rst
   :start-after: kadmin_synopsis:
   :end-before: kadmin_synopsis_end:

**OPTIONS**

.. include:: admin_commands/kadmin_local.rst
   :start-after: _kadmin_options:
   :end-before: _kadmin_options_end:

Date Format
-----------

For the supported date-time formats see :ref:`getdate` section in
:ref:`datetime`.

Principals
----------

Each entry in the Kerberos database contains a Kerberos principal and
the attributes and policies associated with that principal.

.. _add_mod_del_princs:

Adding, modifying and deleting principals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To add a principal to the database, use the :ref:`kadmin(1)`
**add_principal** command.  To modify attributes of a principal, use
the kadmin **modify_principal** command.  To delete a principal, use
the kadmin **delete_principal** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _add_principal:
   :end-before: _add_principal_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _modify_principal:
   :end-before: _modify_principal_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _delete_principal:
   :end-before: _delete_principal_end:

Examples
########

If you want to create a principal which is contained by a LDAP object,
all you need to do is::

    kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type it again.
    Principal "jennifer@ATHENA.MIT.EDU" created.
    kadmin:

If you want to create a principal under a specific LDAP container and
link to an existing LDAP object, all you need to do is::

    kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
    No policy specified for "david@ATHENA.MIT.EDU"; defaulting to no policy.
    Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
    Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
    Principal "david@ATHENA.MIT.EDU" created.
    kadmin:

If you want to associate a ticket policy to a principal, all you need
to do is::

    kadmin: modprinc -x tktpolicy=userpolicy david
    Principal "david@ATHENA.MIT.EDU" modified.
    kadmin:

If, on the other hand, you want to set up an account that expires on
January 1, 2000, that uses a policy called "stduser", with a temporary
password (which you want the user to change immediately), you would
type the following::

    kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange
    Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
    Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
    Principal "david@ATHENA.MIT.EDU" created.
    kadmin:

If you want to delete a principal::

    kadmin: delprinc jennifer
    Are you sure you want to delete the principal "jennifer@ATHENA.MIT.EDU"? (yes/no): yes
    Principal "jennifer@ATHENA.MIT.EDU" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.
    kadmin:

Retrieving information about a principal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To retrieve a listing of the attributes and/or policies associated
with a principal, use the :ref:`kadmin(1)` **get_principal** command.

To generate a listing of principals, use the kadmin
**list_principals** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _get_principal:
   :end-before: _get_principal_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _list_principals:
   :end-before: _list_principals_end:

Changing passwords
~~~~~~~~~~~~~~~~~~

To change a principal's password use the :ref:`kadmin(1)`
**change_password** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _change_password:
   :end-before: _change_password_end:

.. note::

          Password changes through kadmin are subject to the same
          password policies as would apply to password changes through
          :ref:`kpasswd(1)`.

.. _policies:

Policies
--------

A policy is a set of rules governing passwords.  Policies can dictate
minimum and maximum password lifetimes, minimum number of characters
and character classes a password must contain, and the number of old
passwords kept in the database.

Adding, modifying and deleting policies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To add a new policy, use the :ref:`kadmin(1)` **add_policy** command.
To modify attributes of a policy, use the kadmin **modify_policy**
command.  To delete a policy, use the kadmin **delete_policy**
command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _add_policy:
   :end-before: _add_policy_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _modify_policy:
   :end-before: _modify_policy_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _delete_policy:
   :end-before: _delete_policy_end:

.. note::

          You must cancel the policy from *all* principals before
          deleting it.
          The *delete_policy* command will fail if the policy is in
          use by any principals.

Retrieving policies
~~~~~~~~~~~~~~~~~~~

To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command.
You can retrieve the list of policies with the kadmin
**list_policies** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _get_policy:
   :end-before: _get_policy_end:

.. include:: admin_commands/kadmin_local.rst
   :start-after: _list_policies:
   :end-before: _list_policies_end:

Policies and principals
~~~~~~~~~~~~~~~~~~~~~~~

Policies can be applied to principals as they are created by using
the **-policy** flag to :ref:`add_principal`.  Existing principals can
be modified by using the **-policy** or **-clearpolicy** flag to
:ref:`modify_principal`.

.. _updating_history_key:

Updating the history key
~~~~~~~~~~~~~~~~~~~~~~~~

If a policy specifies a number of old keys kept of two or more, the
stored old keys are encrypted in a history key, which is found in the
key data of the ``kadmin/history`` principal.

Currently there is no support for proper rollover of the history key,
but you can change the history key (for example, to use a better
encryption type) at the cost of invalidating currently stored old
keys.  To change the history key, run::

    kadmin: change_password -randkey kadmin/history

This command will fail if you specify the **-keepold** flag.  Only one
new history key will be created, even if you specify multiple key/salt
combinations.

In the future, we plan to migrate towards encrypting old keys in the
master key instead of the history key, and implementing proper
rollover support for stored old keys.

.. _privileges:

Privileges
----------

Administrative privileges for the Kerberos database are stored in the
file :ref:`kadm5.acl(5)`.

.. note::

          A common use of an admin instance is so you can grant
          separate permissions (such as administrator access to the
          Kerberos database) to a separate Kerberos principal.
          For example, the user ``joeadmin`` might have a principal for
          his administrative use, called ``joeadmin/admin``.  This way,
          ``joeadmin`` would obtain ``joeadmin/admin`` tickets only when
          he actually needs to use those permissions.

.. _db_operations:

Operations on the Kerberos database
-----------------------------------

The :ref:`kdb5_util(8)` command is the primary tool for administering
the Kerberos database.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_synopsis:
   :end-before: _kdb5_util_synopsis_end:

**OPTIONS**

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_options:
   :end-before: _kdb5_util_options_end:

.. toctree::
   :maxdepth: 1

Dumping a Kerberos database to a file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To dump a Kerberos database into a file, use the :ref:`kdb5_util(8)`
**dump** command on one of the KDCs.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_dump:
   :end-before: _kdb5_util_dump_end:

Examples
########

::

    shell% kdb5_util dump dumpfile
    shell%

    shell% kdb5_util dump -verbose dumpfile
    kadmin/admin@ATHENA.MIT.EDU
    krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    kadmin/history@ATHENA.MIT.EDU
    K/M@ATHENA.MIT.EDU
    kadmin/changepw@ATHENA.MIT.EDU
    shell%

If you specify which principals to dump, you must use the full
principal, as in the following example::

    shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
    kadmin/admin@ATHENA.MIT.EDU
    K/M@ATHENA.MIT.EDU
    shell%

Otherwise, the principals will not match those in the database and
will not be dumped::

    shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin
    shell%

If you do not specify a dump file, kdb5_util will dump the database to
the standard output.

.. _restore_from_dump:

Restoring a Kerberos database from a dump file
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To restore a Kerberos database dump from a file, use the
:ref:`kdb5_util(8)` **load** command on one of the KDCs.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_load:
   :end-before: _kdb5_util_load_end:

Examples
########

To dump a single principal and later load it, updating the database::

    shell% kdb5_util dump dumpfile principal@REALM
    shell%

    shell% kdb5_util load -update dumpfile
    shell%

.. note::

          If the database file exists, and the *-update* flag was not
          given, *kdb5_util* will overwrite the existing database.

.. note::

          Using kdb5_util to dump and reload the principal database is
          only necessary when upgrading from versions of krb5 prior to
          1.2.0---newer versions will use the existing database as-is.

.. _create_stash:

Creating a stash file
~~~~~~~~~~~~~~~~~~~~~

A stash file allows a KDC to authenticate itself to the database
utilities, such as :ref:`kadmind(8)`, :ref:`krb5kdc(8)`, and
:ref:`kdb5_util(8)`.

To create a stash file, use the :ref:`kdb5_util(8)` **stash** command.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_stash:
   :end-before: _kdb5_util_stash_end:

Example
#######

::

    shell% kdb5_util stash
    kdb5_util: Cannot find/read stored master key while reading master key
    kdb5_util: Warning: proceeding without master key
    Enter KDC database master key:  <= Type the KDC database master password.
    shell%

If you do not specify a stash file, kdb5_util will stash the key in
the file specified in your :ref:`kdc.conf(5)` file.

Creating and destroying a Kerberos database
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to create a new Kerberos database, use the
:ref:`kdb5_util(8)` **create** command.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_create:
   :end-before: _kdb5_util_create_end:

If you need to destroy the current Kerberos database, use the
:ref:`kdb5_util(8)` **destroy** command.

.. include:: admin_commands/kdb5_util.rst
   :start-after: _kdb5_util_destroy:
   :end-before: _kdb5_util_destroy_end:

Examples
########

::

    shell% kdb5_util -r ATHENA.MIT.EDU create -s
    Loading random data
    Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
    master key name 'K/M@ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:  <= Type the master password.
    Re-enter KDC database master key to verify:  <= Type it again.
    shell%

    shell% kdb5_util -r ATHENA.MIT.EDU destroy
    Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure?
    (type 'yes' to confirm)?  <= yes
    OK, deleting database '/usr/local/var/krb5kdc/principal'...
    ** Database '/usr/local/var/krb5kdc/principal' destroyed.
    shell%

.. _updating_master_key:

Updating the master key
~~~~~~~~~~~~~~~~~~~~~~~

Starting with release 1.7, :ref:`kdb5_util(8)` allows the master key
to be changed using a rollover process, with minimal loss of
availability.  To roll over the master key, follow these steps:

#. On the primary KDC, run ``kdb5_util list_mkeys`` to view the
   current master key version number (KVNO).  If you have never rolled
   over the master key before, this will likely be version 1::

       $ kdb5_util list_mkeys
       Master keys for Principal: K/M@KRBTEST.COM
       KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *

#. On the primary KDC, run ``kdb5_util use_mkey 1`` to ensure that a
   master key activation list is present in the database.  This step
   is unnecessary in release 1.11.4 or later, or if the database was
   initially created with release 1.7 or later.

#. On the primary KDC, run ``kdb5_util add_mkey -s`` to create a new
   master key and write it to the stash file.  Enter a secure password
   when prompted.  If this is the first time you are changing the
   master key, the new key will have version 2.  The new master key
   will not be used until you make it active.

#. Propagate the database to all replica KDCs, either manually or by
   waiting until the next scheduled propagation.  If you do not have
   any replica KDCs, you can skip this and the next step.

#. On each replica KDC, run ``kdb5_util list_mkeys`` to verify that
   the new master key is present, and then ``kdb5_util stash`` to
   write the new master key to the replica KDC's stash file.

#. On the primary KDC, run ``kdb5_util use_mkey 2`` to begin using the
   new master key.  Replace ``2`` with the version of the new master
   key, as appropriate.  You can optionally specify a date for the new
   master key to become active; by default, it will become active
   immediately.  Prior to release 1.12, :ref:`kadmind(8)` must be
   restarted for this change to take full effect.

#. On the primary KDC, run ``kdb5_util update_princ_encryption``.
   This command will iterate over the database and re-encrypt all keys
   in the new master key.  If the database is large and uses DB2, the
   primary KDC will become unavailable while this command runs, but
   clients should fail over to replica KDCs (if any are present)
   during this time period.  In release 1.13 and later, you can
   instead run ``kdb5_util -x unlockiter update_princ_encryption`` to
   use unlocked iteration; this variant will take longer, but will
   keep the database available to the KDC and kadmind while it runs.

#. Wait until the above changes have propagated to all replica KDCs
   and until all running KDC and kadmind processes have serviced
   requests using updated principal entries.

#. On the primary KDC, run ``kdb5_util purge_mkeys`` to clean up the
   old master key.

.. _ops_on_ldap:

Operations on the LDAP database
-------------------------------

The :ref:`kdb5_ldap_util(8)` is the primary tool for administering
the Kerberos LDAP database.  It allows an administrator to manage
realms, Kerberos services (KDC and Admin Server) and ticket policies.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_synopsis:
   :end-before: _kdb5_ldap_util_synopsis_end:

**OPTIONS**

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_options:
   :end-before: _kdb5_ldap_util_options_end:

.. _ldap_create_realm:

Creating a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to create a new realm, use the :ref:`kdb5_ldap_util(8)`
**create** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_create:
   :end-before: _kdb5_ldap_util_create_end:

.. _ldap_mod_realm:

Modifying a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to modify a realm, use the :ref:`kdb5_ldap_util(8)`
**modify** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_modify:
   :end-before: _kdb5_ldap_util_modify_end:

Destroying a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to destroy a Kerberos realm, use the
:ref:`kdb5_ldap_util(8)` **destroy** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_destroy:
   :end-before: _kdb5_ldap_util_destroy_end:

Retrieving information about a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to display the attributes of a realm, use the
:ref:`kdb5_ldap_util(8)` **view** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_view:
   :end-before: _kdb5_ldap_util_view_end:

Listing available Kerberos realms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to display the list of the realms, use the
:ref:`kdb5_ldap_util(8)` **list** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_list:
   :end-before: _kdb5_ldap_util_list_end:

.. _stash_ldap:

Stashing service object's password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The :ref:`kdb5_ldap_util(8)` **stashsrvpw** command allows an
administrator to store the password of a service object in a file.
The KDC and Administration server use this password to authenticate
to the LDAP server.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_stashsrvpw:
   :end-before: _kdb5_ldap_util_stashsrvpw_end:

Ticket Policy operations
~~~~~~~~~~~~~~~~~~~~~~~~

Creating a Ticket Policy
########################

To create a new ticket policy in the directory, use the
:ref:`kdb5_ldap_util(8)` **create_policy** command.  Ticket policy
objects are created under the realm container.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_create_policy:
   :end-before: _kdb5_ldap_util_create_policy_end:

Modifying a Ticket Policy
#########################

To modify a ticket policy in the directory, use the
:ref:`kdb5_ldap_util(8)` **modify_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_modify_policy:
   :end-before: _kdb5_ldap_util_modify_policy_end:

Retrieving Information About a Ticket Policy
############################################

To display the attributes of a ticket policy, use the
:ref:`kdb5_ldap_util(8)` **view_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_view_policy:
   :end-before: _kdb5_ldap_util_view_policy_end:

Destroying a Ticket Policy
##########################

To destroy an existing ticket policy, use the :ref:`kdb5_ldap_util(8)`
**destroy_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_destroy_policy:
   :end-before: _kdb5_ldap_util_destroy_policy_end:

Listing available Ticket Policies
#################################

To list the names of ticket policies in a realm, use the
:ref:`kdb5_ldap_util(8)` **list_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_list_policy:
   :end-before: _kdb5_ldap_util_list_policy_end:

.. _xrealm_authn:

Cross-realm authentication
--------------------------

In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
In both databases, there must be krbtgt service principals for both
realms.  For example, if you need to do cross-realm authentication
between the realms ``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would
need to add the principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and
``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases.  These
principals must all have the same passwords, key version numbers, and
encryption types; this may require explicitly setting the key version
number with the **-kvno** option.

In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the
administrators would run the following commands on the KDCs in both
realms::

    shell%: kadmin.local -e "aes256-cts:normal"
    kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
    Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
    Re-enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
    kadmin:

.. note::

          Even if most principals in a realm are generally created
          with the **requires_preauth** flag enabled, this flag is not
          desirable on cross-realm authentication keys because doing
          so makes it impossible to disable preauthentication on a
          service-by-service basis.  Disabling it as in the example
          above is recommended.

.. note::

          It is very important that these principals have good
          passwords.  MIT recommends that TGT principal passwords be
          at least 26 characters of random ASCII text.

.. _changing_krbtgt_key:

Changing the krbtgt key
-----------------------

A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
principal ``krbtgt/REALM``.
The key for this principal is created when the Kerberos database is
initialized and need not be changed.  However, it will only have the
encryption types supported by the KDC at the time of the initial
database creation.  To allow use of newer encryption types for the
TGT, this key has to be changed.

Changing this key using the normal :ref:`kadmin(1)`
**change_password** command would invalidate any previously issued
TGTs.  Therefore, when changing this key, normally one should use the
**-keepold** flag to change_password to retain the previous key in the
database as well as the new key.  For example::

    kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU

.. warning::

    After issuing this command, the old key is still valid and is
    still vulnerable to (for instance) brute force attacks.  To
    completely retire an old key or encryption type, run the kadmin
    **purgekeys** command to delete keys with older kvnos, ideally
    first making sure that all tickets issued with the old keys have
    expired.

Only the first krbtgt key of the newest key version is used to encrypt
ticket-granting tickets.  However, the set of encryption types present
in the krbtgt keys is used by default to determine the session key
types supported by the krbtgt service (see
:ref:`session_key_selection`).  Because non-MIT Kerberos clients
sometimes send a limited set of encryption types when making AS
requests, it can be important for the krbtgt service to support
multiple encryption types.  This can be accomplished by giving the
krbtgt principal multiple keys, which is usually as simple as not
specifying any **-e** option when changing the krbtgt key, or by
setting the **session_enctypes** string attribute on the krbtgt
principal (see :ref:`set_string`).

Due to a bug in releases 1.8 through 1.13, renewed and forwarded
tickets may not work if the original ticket was obtained prior to a
krbtgt key change and the modified ticket is obtained afterwards.
Upgrading the KDC to release 1.14 or later will correct this bug.


.. _incr_db_prop:

Incremental database propagation
--------------------------------

Overview
~~~~~~~~

At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
primary KDC to the replica KDCs.  The incremental propagation support
added in the 1.7 release is intended to address this.

With incremental propagation enabled, all programs on the primary KDC
that change the database also write information about the changes to
an "update log" file, maintained as a circular buffer of a certain
size.  A process on each replica KDC connects to a service on the
primary KDC (currently implemented in the :ref:`kadmind(8)` server)
and periodically requests the changes that have been made since the
last check.  By default, this check is done every two minutes.

Incremental propagation uses the following entries in the per-realm
data in the KDC config file (See :ref:`kdc.conf(5)`):

====================== =============== ===========================================
iprop_enable           *boolean*       If *true*, then incremental propagation is
                                       enabled, and (as noted below) normal kprop
                                       propagation is disabled.  The default is
                                       *false*.
iprop_master_ulogsize  *integer*       Indicates the number of entries that should
                                       be retained in the update log.  The default
                                       is 1000; the maximum number is 2500.
iprop_replica_poll     *time interval* Indicates how often the replica should poll
                                       the primary KDC for changes to the
                                       database.  The default is two minutes.
iprop_port             *integer*       Specifies the port number to be used for
                                       incremental propagation.  This is required
                                       in both primary and replica configuration
                                       files.
iprop_resync_timeout   *integer*       Specifies the number of seconds to wait for
                                       a full propagation to complete.  This is
                                       optional on replica configurations.
                                       Defaults to 300 seconds (5 minutes).
iprop_logfile          *file name*     Specifies where the update log file for the
                                       realm database is to be stored.  The
                                       default is to use the *database_name* entry
                                       from the realms section of the config file
                                       :ref:`kdc.conf(5)`, with *.ulog* appended.
                                       (NOTE: If database_name isn't specified in
                                       the realms section, perhaps because the
                                       LDAP database back end is being used, or
                                       the file name is specified in the
                                       *dbmodules* section, then the hard-coded
                                       default for *database_name* is used.
                                       Determination of the *iprop_logfile*
                                       default value will not use values from the
                                       *dbmodules* section.)
====================== =============== ===========================================

Both primary and replica sides must have a principal named
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
default keytab file (|keytab|).  The ``kiprop/hostname`` principal may
have been created automatically for the primary KDC, but it must
always be created for replica KDCs.

On the primary KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
**p** privilege (see :ref:`privileges`).

On the replica KDC side, :ref:`kpropd(8)` should be run.  When
incremental propagation is enabled, it will connect to the kadmind on
the primary KDC and start requesting updates.

The normal kprop mechanism is disabled by the incremental propagation
support.  However, if the replica has been unable to fetch changes
from the primary KDC for too long (network problems, perhaps), the log
on the primary may wrap around and overwrite some of the updates that
the replica has not yet retrieved.  In this case, the replica will
instruct the primary KDC to dump the current database out to a file
and invoke a one-time kprop propagation, with special options to also
convey the point in the update log at which the replica should resume
fetching incremental updates.  Thus, all the keytab and ACL setup
previously described for kprop propagation is still needed.

If an environment has a large number of replicas, it may be desirable
to arrange them in a hierarchy instead of having the primary serve
updates to every replica.  To do this, run ``kadmind -proponly`` on
each intermediate replica, and ``kpropd -A upstreamhostname`` on
downstream replicas to direct each one to the appropriate upstream
replica.

There are several known restrictions in the current implementation:

- The incremental update protocol does not transport changes to policy
  objects.  Any policy changes on the primary will result in full
  resyncs to all replicas.
- The replica's KDB module must support locking; it cannot be using the
  LDAP KDB module.
- The primary and replica must be able to initiate TCP connections in
  both directions, without an intervening NAT.


Sun/MIT incremental propagation differences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sun donated the original code for supporting incremental database
propagation to MIT.  Some changes have been made in the MIT source
tree that will be visible to administrators.  (These notes are based
on Sun's patches.  Changes to Sun's implementation since then may not
be reflected here.)

The Sun config file support looks for ``sunw_dbprop_enable``,
``sunw_dbprop_master_ulogsize``, and ``sunw_dbprop_slave_poll``.

The incremental propagation service is implemented as an ONC RPC
service.  In the Sun implementation, the service is registered with
rpcbind (also known as portmapper) and the client looks up the port
number to contact.
In the MIT implementation, where interaction with some modern versions
of rpcbind doesn't always work well, the port number must be specified
in the config file on both the primary and replica sides.

The Sun implementation hard-codes pathnames in ``/var/krb5`` for the
update log and the per-replica kprop dump files.  In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-replica dump files are stored in
|kdcdir|\ ``/replica_datatrans_hostname``.

.. krb5-1.19.2/doc/admin/dictionary.rst

.. _dictionary:

Addressing dictionary attack risks
==================================

Kerberos initial authentication is normally secured using the client
principal's long-term key, which for users is generally derived from a
password.  Using a password-derived long-term key carries the risk of
a dictionary attack, where an attacker tries a sequence of possible
passwords, possibly requiring much less effort than would be required
to try all possible values of the key.  Even if :ref:`password policy
objects ` are used to force users not to pick trivial passwords,
dictionary attacks can sometimes be successful against a significant
fraction of the users in a realm.  Dictionary attacks are not a
concern for principals using random keys.

A dictionary attack may be online or offline.  An online dictionary
attack is performed by trying each password in a separate request to
the KDC, and is therefore visible to the KDC and also limited in speed
by the KDC's processing power and the network capacity between the
client and the KDC.  Online dictionary attacks can be mitigated using
:ref:`account lockout `.  This measure is not totally satisfactory,
as it makes it easy for an attacker to deny access to a client
principal.

An offline dictionary attack is performed by obtaining a ciphertext
generated using the password-derived key, and trying each password
against the ciphertext.
This category of attack is invisible to the KDC and can be performed
much faster than an online attack.  The attack will generally take
much longer with more recent encryption types (particularly the ones
based on AES), because those encryption types use a much more
expensive string-to-key function.  However, the best defense is to
deny the attacker access to a useful ciphertext.  The required
defensive measures depend on the attacker's level of network access.

An off-path attacker has no access to packets sent between legitimate
users and the KDC.  An off-path attacker could gain access to an
attackable ciphertext either by making an AS request for a client
principal which does not have the **+requires_preauth** flag, or by
making a TGS request (after authenticating as a different user) for a
server principal which does not have the **-allow_svr** flag.  To
address off-path attackers, a KDC administrator should set those flags
on principals with password-derived keys::

    kadmin: add_principal +requires_preauth -allow_svr princname

An attacker with passive network access (one who can monitor packets
sent between legitimate users and the KDC, but cannot change them or
insert their own packets) can gain access to an attackable ciphertext
by observing an authentication by a user using the most common form of
preauthentication, encrypted timestamp.  Any of the following methods
can prevent dictionary attacks by attackers with passive network
access:

* Enabling :ref:`SPAKE preauthentication ` (added in release 1.17)
  on the KDC, and ensuring that all clients are able to support it.

* Using an :ref:`HTTPS proxy ` for communication with the KDC, if
  the attacker cannot monitor communication between the proxy server
  and the KDC.

* Using FAST, protecting the initial authentication with either a
  random key (such as a host key) or with :ref:`anonymous PKINIT
  <anonymous_pkinit>`.
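Two of the checks described above can be audited from ``kadmin getprinc``
output: whether a krbtgt principal still carries an older kvno after a
``change_password -keepold`` (the key that **purgekeys** should eventually
remove, see :ref:`changing_krbtgt_key`), and whether password-keyed
principals carry the ``+requires_preauth -allow_svr`` flags that defeat
off-path attackers.  The following Python script is an added example and
not part of the krb5 documentation; it runs on a constructed ``getprinc``
transcript embedded in the file, and its rule that every single-component
principal is password-keyed is an assumption for illustration, not
something krb5 guarantees.

```python
"""Audit `kadmin getprinc` output: krbtgt key versions and off-path flags.

Added example, not part of the krb5 documentation.  Parses the text that
`kadmin -q "getprinc <name>"` prints (one block per principal) and reports
(a) for each krbtgt principal the newest kvno, its enctypes and any older
kvnos still present after change_password -keepold, and (b) user
principals missing REQUIRES_PRE_AUTH or DISALLOW_SVR.  Treating every
single-component principal as password-keyed is an assumption of this
example, not a rule of krb5.
"""
import re
from collections import defaultdict

# Constructed sample, abbreviated to the getprinc lines the parser uses.
SAMPLE_GETPRINC = """\
Principal: krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Attributes: REQUIRES_PRE_AUTH

Principal: alice@ATHENA.MIT.EDU
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR

Principal: bob@ATHENA.MIT.EDU
Key: vno 1, aes256-cts-hmac-sha1-96
Attributes:

Principal: host/daffodil.mit.edu@ATHENA.MIT.EDU
Key: vno 2, aes256-cts-hmac-sha1-96
Attributes:
"""

KEY_RE = re.compile(r"^Key: vno (\d+), (\S+)")


def parse_getprinc(text):
    """Return {principal: {"keys": [(kvno, enctype), ...], "attrs": set}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = line.split(": ", 1)[1].strip()
            entries[current] = {"keys": [], "attrs": set()}
        elif current is None:
            continue
        elif line.startswith("Key: "):
            m = KEY_RE.match(line)
            if m:
                entries[current]["keys"].append((int(m.group(1)), m.group(2)))
        elif line.startswith("Attributes:"):
            entries[current]["attrs"] = set(line.split(":", 1)[1].split())
    return entries


def krbtgt_key_report(entries):
    """Newest kvno and enctypes per krbtgt principal, plus stale kvnos that
    purgekeys can remove once every ticket issued under them has expired."""
    report = {}
    for name, info in entries.items():
        if not name.startswith("krbtgt/") or not info["keys"]:
            continue
        by_kvno = defaultdict(list)
        for kvno, enctype in info["keys"]:
            by_kvno[kvno].append(enctype)
        newest = max(by_kvno)
        report[name] = {"newest_kvno": newest, "enctypes": by_kvno[newest],
                        "stale_kvnos": sorted(k for k in by_kvno if k != newest)}
    return report


def is_user_principal(name):
    """Assumption: no '/' in the name part means a password-keyed user."""
    return "/" not in name.split("@", 1)[0]


def missing_offpath_flags(entries):
    """User principals lacking +requires_preauth or -allow_svr, mapped to the
    kadmin flags that would set them."""
    findings = {}
    for name, info in entries.items():
        if not is_user_principal(name):
            continue
        needed = [flag for flag, attr in (("+requires_preauth", "REQUIRES_PRE_AUTH"),
                                          ("-allow_svr", "DISALLOW_SVR"))
                  if attr not in info["attrs"]]
        if needed:
            findings[name] = needed
    return findings


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE_GETPRINC)
    for tgt, r in krbtgt_key_report(parsed).items():
        print(f"{tgt}: kvno {r['newest_kvno']} {r['enctypes']}, stale {r['stale_kvnos']}")
    for princ, flags in missing_offpath_flags(parsed).items():
        print(f"kadmin: modprinc {' '.join(flags)} {princ}")
```

On the sample, the krbtgt principal reports kvno 3 with the two AES
enctypes and kvno 2 as stale, and ``bob`` is the only principal reported
as needing ``+requires_preauth -allow_svr``; ``host/`` and ``krbtgt/``
principals are skipped because their keys are random.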
An attacker with active network access (one who can inject or modify
packets sent between legitimate users and the KDC) can try to fool the
client software into sending an attackable ciphertext using an
encryption type and salt string of the attacker's choosing.  Any of the
following methods can prevent dictionary attacks by active attackers:

* Enabling SPAKE preauthentication and setting the
  **disable_encrypted_timestamp** variable to ``true`` in the
  :ref:`realms` subsection of the client configuration.

* Using an HTTPS proxy as described above, configured in the client's
  krb5.conf realm configuration.  If :ref:`KDC discovery
  <kdc_discovery>` is used to locate a proxy server, an active attacker
  may be able to use DNS spoofing to cause the client to use a
  different HTTPS server or to not use HTTPS.

* Using FAST as described above.

If :ref:`PKINIT <pkinit>` or :ref:`OTP ` are used for initial
authentication, the principal's long-term keys are not used and
dictionary attacks are usually not a concern.

.. krb5-1.19.2/doc/admin/appl_servers.rst

Application servers
===================

If you need to install the Kerberos V5 programs on an application
server, please refer to the Kerberos V5 Installation Guide.  Once you
have installed the software, you need to add that host to the Kerberos
database (see :ref:`add_mod_del_princs`), and generate a keytab for
that host, that contains the host's key.  You also need to make sure
the host's clock is within your maximum clock skew of the KDCs.

Keytabs
-------

A keytab is a host's copy of its own keylist, which is analogous to a
user's password.  An application server that needs to authenticate
itself to the KDC has to have a keytab that contains its own principal
and key.  Just as it is important for users to protect their
passwords, it is equally important for hosts to protect their keytabs.
You should always store keytab files on local disk, and make them
readable only by root, and you should never send a keytab file over a
network in the clear.  Ideally, you should run the :ref:`kadmin(1)`
command to extract a keytab on the host on which the keytab is to
reside.

.. _add_princ_kt:

Adding principals to keytabs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To generate a keytab, or to add a principal to an existing keytab, use
the **ktadd** command from kadmin.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _ktadd:
   :end-before: _ktadd_end:

Examples
########

Here is a sample session, using configuration files that enable only
AES encryption::

    kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
    Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
    Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
    kadmin:

Removing principals from keytabs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To remove a principal from an existing keytab, use the kadmin
**ktremove** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _ktremove:
   :end-before: _ktremove_end:

Using a keytab to acquire client credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While keytabs are ordinarily used to accept credentials from clients,
they can also be used to acquire initial credentials, allowing one
service to authenticate to another.

To manually obtain credentials using a keytab, use the :ref:`kinit(1)`
**-k** option, together with the **-t** option if the keytab is not in
the default location.

Beginning with release 1.11, GSSAPI applications can be configured to
automatically obtain initial credentials from a keytab as needed.  The
recommended configuration is as follows:

#. Create a keytab containing a single entry for the desired client
   identity.

#. Place the keytab in a location readable by the service, and set the
   **KRB5_CLIENT_KTNAME** environment variable to its filename.
   Alternatively, use the **default_client_keytab_name** profile
   variable in :ref:`libdefaults`, or use the default location of
   |ckeytab|.

#. Set **KRB5CCNAME** to a filename writable by the service, which will
   not be used for any other purpose.  Do not manually obtain
   credentials at this location.  (Another credential cache type
   besides **FILE** can be used if desired, as long as the cache will
   not conflict with another use.  A **MEMORY** cache can be used if
   the service runs as a long-lived process.  See
   :ref:`ccache_definition` for details.)

#. Start the service.  When it authenticates using GSSAPI, it will
   automatically obtain credentials from the client keytab into the
   specified credential cache, and refresh them before they expire.

Clock Skew
----------

A Kerberos application server host must keep its clock synchronized or
it will reject authentication requests from clients.  Modern operating
systems typically provide a facility to maintain the correct time;
make sure it is enabled.  This is especially important on virtual
machines, where clocks tend to drift more rapidly than normal machine
clocks.

The default allowable clock skew is controlled by the **clockskew**
variable in :ref:`libdefaults`.

Getting DNS information correct
-------------------------------

Several aspects of Kerberos rely on name service.  When a hostname is
used to name a service, clients may canonicalize the hostname using
forward and possibly reverse name resolution.  The result of this
canonicalization must match the principal entry in the host's keytab,
or authentication will fail.  To work with all client canonicalization
configurations, each host's canonical name must be the fully-qualified
host name (including the domain), and each host's IP address must
reverse-resolve to the canonical name.

Configuration of hostnames varies by operating system.
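The requirement just stated, that the host's canonical name be fully
qualified and match the ``host/`` entry in its keytab, can be checked
mechanically on the application server.  The script below is an added
example and not part of the krb5 documentation; it reads ``/etc/hosts``
text and ``klist -k`` output (constructed samples embedded in the file, in
the formats this section shows) and reports any mismatch, so a failing
authentication can be traced to the name configuration before the KDC is
blamed.

```python
"""Check that an application server's canonical name and keytab agree.

Added example, not part of the krb5 documentation.  Given /etc/hosts text
and the output of `klist -k`, it takes the canonical name for the host's
address (the first name after the IP, as the expected line form requires),
checks that it is fully qualified, and checks that the keytab holds a
host/<canonical name> entry.  Both inputs below are constructed samples.
"""
import re

SAMPLE_HOSTS = """\
# this is a comment
127.0.0.1       localhost localhost.mit.edu
10.0.0.6        daffodil.mit.edu daffodil trillium wake-robin
"""

SAMPLE_KLIST = """\
Keytab name: /etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   2 host/daffodil.mit.edu@ATHENA.MIT.EDU
"""

# One keytab entry line as klist -k prints it: kvno, whitespace, principal.
KLIST_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def canonical_name(hosts_text, ip):
    """First hostname on the /etc/hosts line for `ip`, or None if absent."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()   # strip comments, tokenize
        if len(fields) >= 2 and fields[0] == ip:
            return fields[1]
    return None


def keytab_principals(klist_text):
    """Set of principal names listed by `klist -k` (header lines don't match)."""
    return {m.group(2)
            for m in map(KLIST_ENTRY_RE.match, klist_text.splitlines()) if m}


def check_host_entry(hosts_text, klist_text, ip):
    """Return a list of problems; an empty list means the host is consistent."""
    canon = canonical_name(hosts_text, ip)
    if canon is None:
        return [f"no /etc/hosts line for {ip}"]
    problems = []
    if "." not in canon:
        problems.append(f"canonical name {canon!r} is not fully qualified; "
                        "the FQDN must come first on the /etc/hosts line")
    if not any(p.startswith(f"host/{canon}@")
               for p in keytab_principals(klist_text)):
        problems.append(f"keytab has no entry for host/{canon}")
    return problems


if __name__ == "__main__":
    for msg in check_host_entry(SAMPLE_HOSTS, SAMPLE_KLIST, "10.0.0.6") or ["ok"]:
        print(msg)
```

With the sample inputs the check passes; swapping the short name in front
of the FQDN on the ``10.0.0.6`` line produces two findings, because the
canonical name is then ``daffodil`` and the keytab only has
``host/daffodil.mit.edu``.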
On the application server itself, canonicalization will typically use
the ``/etc/hosts`` file rather than the DNS.  Ensure that the line for
the server's hostname is in the following form::

    IP address      fully-qualified hostname        aliases

Here is a sample ``/etc/hosts`` file::

    # this is a comment
    127.0.0.1      localhost localhost.mit.edu
    10.0.0.6       daffodil.mit.edu daffodil trillium wake-robin

The output of ``klist -k`` for this example host should look like::

    viola# klist -k
    Keytab name: /etc/krb5.keytab
    KVNO Principal
    ---- ------------------------------------------------------------
       2 host/daffodil.mit.edu@ATHENA.MIT.EDU

If you were to ssh to this host with a fresh credentials cache (ticket
file), and then :ref:`klist(1)`, the output should list a service
principal of ``host/daffodil.mit.edu@ATHENA.MIT.EDU``.

.. _conf_firewall:

Configuring your firewall to work with Kerberos V5
--------------------------------------------------

If you need off-site users to be able to get Kerberos tickets in your
realm, they must be able to get to your KDC.  This requires either
that you have a replica KDC outside your firewall, or that you
configure your firewall to allow UDP requests into at least one of
your KDCs, on whichever port the KDC is running.  (The default is port
88; other ports may be specified in the KDC's :ref:`kdc.conf(5)`
file.)  Similarly, if you need off-site users to be able to change
their passwords in your realm, they must be able to get to your
Kerberos admin server on the kpasswd port (which defaults to 464).  If
you need off-site users to be able to administer your Kerberos realm,
they must be able to get to your Kerberos admin server on the
administrative port (which defaults to 749).

If your on-site users inside your firewall will need to get to KDCs in
other realms, you will also need to configure your firewall to allow
outgoing TCP and UDP requests to port 88, and to port 464 to allow
password changes.  If your on-site users inside your firewall will
need to get to Kerberos admin servers in other realms, you will also
need to allow outgoing TCP and UDP requests to port 749.

If any of your KDCs are outside your firewall, you will need to allow
kprop requests to get through to the remote KDC.  :ref:`kprop(8)` uses
the ``krb5_prop`` service on port 754 (tcp).

The book *UNIX System Security*, by David Curry, is a good starting
point for learning to configure firewalls.

.. krb5-1.19.2/doc/admin/pkinit.rst

.. _pkinit:

PKINIT configuration
====================

PKINIT is a preauthentication mechanism for Kerberos 5 which uses
X.509 certificates to authenticate the KDC to clients and vice versa.
PKINIT can also be used to enable anonymity support, allowing clients
to communicate securely with the KDC or with application servers
without authenticating as a particular client principal.

Creating certificates
---------------------

PKINIT requires an X.509 certificate for the KDC and one for each
client principal which will authenticate using PKINIT.  For anonymous
PKINIT, a KDC certificate is required, but client certificates are
not.  A commercially issued server certificate can be used for the KDC
certificate, but generally cannot be used for client certificates.

The instructions in this section describe how to establish a
certificate authority and create standard PKINIT certificates.  Skip
this section if you are using a commercially issued server certificate
as the KDC certificate for anonymous PKINIT, or if you are configuring
a client to use an Active Directory KDC.
Generating a certificate authority certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can establish a new certificate authority (CA) for use with a
PKINIT deployment with the commands::

    openssl genrsa -out cakey.pem 2048
    openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650

The second command will ask for the values of several certificate
fields.  These fields can be set to any values.  You can adjust the
expiration time of the CA certificate by changing the number after
``-days``.  Since the CA certificate must be deployed to client
machines each time it changes, it should normally have an expiration
time far in the future; however, expiration times after 2037 may cause
interoperability issues in rare circumstances.

The result of these commands will be two files, cakey.pem and
cacert.pem.  cakey.pem will contain a 2048-bit RSA private key, which
must be carefully protected.  cacert.pem will contain the CA
certificate, which must be placed in the filesystems of the KDC and
each client host.  cakey.pem will be required to create KDC and client
certificates.

Generating a KDC certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A KDC certificate for use with PKINIT is required to have some unusual
fields, which makes generating them with OpenSSL somewhat complicated.
First, you will need a file containing the following::

    [kdc_cert]
    basicConstraints=CA:FALSE
    keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
    extendedKeyUsage=1.3.6.1.5.2.3.5
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    issuerAltName=issuer:copy
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

    [kdc_princ_name]
    realm=EXP:0,GeneralString:${ENV::REALM}
    principal_name=EXP:1,SEQUENCE:kdc_principal_seq

    [kdc_principal_seq]
    name_type=EXP:0,INTEGER:2
    name_string=EXP:1,SEQUENCE:kdc_principals

    [kdc_principals]
    princ1=GeneralString:krbtgt
    princ2=GeneralString:${ENV::REALM}

If the above contents are placed in extensions.kdc, you can generate
and sign a KDC certificate with the following commands::

    openssl genrsa -out kdckey.pem 2048
    openssl req -new -out kdc.req -key kdckey.pem
    env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \
        -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \
        -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
    rm kdc.req

The second command will ask for the values of certificate fields,
which can be set to any values.  In the third command, substitute your
KDC's realm name for YOUR_REALMNAME.  You can adjust the certificate's
expiration date by changing the number after ``-days``.  Remember to
create a new KDC certificate before the old one expires.

The result of this operation will be in two files, kdckey.pem and
kdc.pem.  Both files must be placed in the KDC's filesystem.
kdckey.pem, which contains the KDC's private key, must be carefully
protected.

If you examine the KDC certificate with ``openssl x509 -in kdc.pem
-text -noout``, OpenSSL will not know how to display the KDC principal
name in the Subject Alternative Name extension, so it will appear as
``othername:``.  This is normal and does not mean anything is wrong
with the KDC certificate.

Generating client certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PKINIT client certificates also must have some unusual certificate
fields.  To generate a client certificate with OpenSSL for a
single-component principal name, you will need an extensions file
(different from the KDC extensions file above) containing::

    [client_cert]
    basicConstraints=CA:FALSE
    keyUsage=digitalSignature,keyEncipherment,keyAgreement
    extendedKeyUsage=1.3.6.1.5.2.3.4
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    issuerAltName=issuer:copy
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

    [princ_name]
    realm=EXP:0,GeneralString:${ENV::REALM}
    principal_name=EXP:1,SEQUENCE:principal_seq

    [principal_seq]
    name_type=EXP:0,INTEGER:1
    name_string=EXP:1,SEQUENCE:principals

    [principals]
    princ1=GeneralString:${ENV::CLIENT}

If the above contents are placed in extensions.client, you can
generate and sign a client certificate with the following commands::

    openssl genrsa -out clientkey.pem 2048
    openssl req -new -key clientkey.pem -out client.req
    env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \
        -CAkey cakey.pem -CA cacert.pem -req -in client.req \
        -extensions client_cert -extfile extensions.client \
        -days 365 -out client.pem
    rm client.req

Normally, the first two commands should be run on the client host, and
the resulting client.req file transferred to the certificate authority
host for the third command.  As in the previous steps, the second
command will ask for the values of certificate fields, which can be
set to any values.  In the third command, substitute your realm's name
for YOUR_REALMNAME and the client's principal name (without realm) for
YOUR_PRINCNAME.  You can adjust the certificate's expiration date by
changing the number after ``-days``.

The result of this operation will be two files, clientkey.pem and
client.pem.  Both files must be present on the client's host;
clientkey.pem, which contains the client's private key, must be
protected from access by others.

As in the KDC certificate, OpenSSL will display the client principal
name as ``othername:`` in the Subject Alternative Name extension of a
PKINIT client certificate.

If the client principal name contains more than one component
(e.g. ``host/example.com@REALM``), the ``[principals]`` section of
``extensions.client`` must be altered to contain multiple entries.
(Simply setting ``CLIENT`` to ``host/example.com`` would generate a
certificate for ``host\/example.com@REALM`` which would not match the
multi-component principal name.)  For a two-component principal, the
section should read::

    [principals]
    princ1=GeneralString:${ENV::CLIENT1}
    princ2=GeneralString:${ENV::CLIENT2}

The environment variables ``CLIENT1`` and ``CLIENT2`` must then be set
to the first and second components when running ``openssl x509``.

Configuring the KDC
-------------------

The KDC must have filesystem access to the KDC certificate (kdc.pem)
and the KDC private key (kdckey.pem).  Configure the following relation
in the KDC's :ref:`kdc.conf(5)` file, either in the :ref:`kdcdefaults`
section or in a :ref:`kdc_realms` subsection (with appropriate
pathnames)::

    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem

If any clients will authenticate using regular (as opposed to
anonymous) PKINIT, the KDC must also have filesystem access to the CA
certificate (cacert.pem), and the following configuration (with the
appropriate pathname)::

    pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem

Because of the larger size of requests and responses using PKINIT, you
may also need to allow TCP access to the KDC::

    kdc_tcp_listen = 88

Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration
changes.

The principal entry for each PKINIT-using client must be configured to
require preauthentication.
Ensure this with the command::

    kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME'

Starting with release 1.12, it is possible to remove the long-term
keys of a principal entry, which can save some space in the database
and help to clarify some PKINIT-related error conditions by not asking
for a password::

    kadmin -q 'purgekeys -all YOUR_PRINCNAME'

These principal options can also be specified at principal creation
time as follows::

    kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'

By default, the KDC requires PKINIT client certificates to have the
standard Extended Key Usage and Subject Alternative Name attributes
for PKINIT.  Starting in release 1.16, it is possible to authorize
client certificates based on the subject or other criteria instead of
the standard PKINIT Subject Alternative Name, by setting the
**pkinit_cert_match** string attribute on each client principal entry.
For example::

    kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$"

The **pkinit_cert_match** string attribute follows the syntax used by
the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.  To allow the
use of non-PKINIT client certificates, it will also be necessary to
disable key usage checking using the **pkinit_eku_checking** relation;
for example::

    [kdcdefaults]
        pkinit_eku_checking = none

Configuring the clients
-----------------------

Client hosts must be configured to trust the issuing authority for the
KDC certificate.  For a newly established certificate authority, the
client host must have filesystem access to the CA certificate
(cacert.pem) and the following relation in :ref:`krb5.conf(5)` in the
appropriate :ref:`realms` subsection (with appropriate pathnames)::

    pkinit_anchors = FILE:/etc/krb5/cacert.pem

If the KDC certificate is a commercially issued server certificate,
the issuing certificate is most likely included in a system directory.
You can specify it by filename as above, or specify the whole
directory like so::

    pkinit_anchors = DIR:/etc/ssl/certs

A commercially issued server certificate will usually not have the
standard PKINIT principal name or Extended Key Usage extensions, so
the following additional configuration is required::

    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = hostname.of.kdc.certificate

Multiple **pkinit_kdc_hostname** relations can be configured to
recognize multiple KDC certificates.  If the KDC is an Active
Directory domain controller, setting **pkinit_kdc_hostname** is
necessary, but it should not be necessary to set
**pkinit_eku_checking**.

To perform regular (as opposed to anonymous) PKINIT authentication, a
client host must have filesystem access to a client certificate
(client.pem), and the corresponding private key (clientkey.pem).
Configure the following relations in the client host's
:ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection
(with appropriate pathnames)::

    pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem

If the KDC and client are properly configured, it should now be
possible to run ``kinit username`` without entering a password.

.. _anonymous_pkinit:

Anonymous PKINIT
----------------

Anonymity support in Kerberos allows a client to obtain a ticket
without authenticating as any particular principal.  Such a ticket can
be used as a FAST armor ticket, or to securely communicate with an
application server anonymously.

To configure anonymity support, you must generate or otherwise procure
a KDC certificate and configure the KDC host, but you do not need to
generate any client certificates.

On the KDC, you must set the **pkinit_identity** variable to provide
the KDC certificate, but do not need to set the **pkinit_anchors**
variable or store the issuing certificate if you won't have any client
certificates to verify.  On client hosts, you must set the
**pkinit_anchors** variable (and possibly **pkinit_kdc_hostname** and
**pkinit_eku_checking**) in order to trust the issuing authority for
the KDC certificate, but do not need to set the **pkinit_identities**
variable.

Anonymity support is not enabled by default.  To enable it, you must
create the principal ``WELLKNOWN/ANONYMOUS`` using the command::

    kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'

Some Kerberos deployments include application servers which lack
proper access control, and grant some level of access to any user who
can authenticate.  In such an environment, enabling anonymity support
on the KDC would present a security issue.  If you need to enable
anonymity support for TGTs (for use as FAST armor tickets) without
enabling anonymous authentication to application servers, you can set
the variable **restrict_anonymous_to_tgt** to ``true`` in the
appropriate :ref:`kdc_realms` subsection of the KDC's
:ref:`kdc.conf(5)` file.

To obtain anonymous credentials on a client, run ``kinit -n``, or
``kinit -n @REALMNAME`` to specify a realm.  The resulting tickets
will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``.

Freshness tokens
----------------

Freshness tokens can ensure that the client has recently had access to
its certificate private key.  If freshness tokens are not required by
the KDC, a client program with temporary possession of the private key
can compose requests for future timestamps and use them later.

In release 1.17 and later, freshness tokens are supported by the
client and are sent by the KDC when the client indicates support for
them.  Because not all clients support freshness tokens yet, they are
not required by default.
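Before turning on **pkinit_require_freshness**, an administrator needs to
know which clients still authenticate without a token, which the KDC log
records per PKINIT authentication.  The following Python script is an
added example, not part of the krb5 documentation: it tallies the two
``PKINIT: ... freshness token received from`` messages per client
principal over constructed log lines embedded in the file, and the
syslog-style prefix on those lines (date, host, program) is an assumption
about the log format rather than something this section specifies.

```python
"""Summarize PKINIT freshness-token support per client from KDC log lines.

Added example, not part of the krb5 documentation.  Counts, per client
principal, the PKINIT authentications logged with and without a freshness
token, which is what an administrator needs before setting
pkinit_require_freshness.  The two message texts are the ones krb5kdc
logs; the log lines themselves are constructed, and the syslog-style
prefix (date, host, program) is an assumption about the log format.
"""
import re

SAMPLE_KDC_LOG = """\
Jun 01 10:00:01 kdc1 krb5kdc[1234]: PKINIT: freshness token received from alice@ATHENA.MIT.EDU
Jun 01 10:00:07 kdc1 krb5kdc[1234]: PKINIT: no freshness token received from bob@ATHENA.MIT.EDU
Jun 01 10:01:15 kdc1 krb5kdc[1234]: PKINIT: freshness token received from alice@ATHENA.MIT.EDU
Jun 01 10:02:30 kdc1 krb5kdc[1234]: unrelated message (constructed noise line)
Jun 01 10:03:00 kdc1 krb5kdc[1234]: PKINIT: no freshness token received from bob@ATHENA.MIT.EDU
"""

# Matches both forms; group(1) is "no " when the token was absent.
FRESHNESS_RE = re.compile(r"PKINIT: (no )?freshness token received from (\S+)")


def freshness_summary(log_text):
    """{principal: {"with": n, "without": n}} for every PKINIT client seen."""
    summary = {}
    for line in log_text.splitlines():
        m = FRESHNESS_RE.search(line)
        if not m:
            continue
        counts = summary.setdefault(m.group(2), {"with": 0, "without": 0})
        counts["without" if m.group(1) else "with"] += 1
    return summary


def clients_blocking_requirement(summary):
    """Principals that authenticated without a token at least once; while
    this list is non-empty, pkinit_require_freshness = true would reject
    those clients."""
    return sorted(p for p, c in summary.items() if c["without"])


if __name__ == "__main__":
    s = freshness_summary(SAMPLE_KDC_LOG)
    for princ, c in sorted(s.items()):
        print(f"{princ}: with={c['with']} without={c['without']}")
    print("not yet ready for pkinit_require_freshness:",
          clients_blocking_requirement(s))
```

Anonymous PKINIT clients are exempt from the requirement, so entries for
``WELLKNOWN/ANONYMOUS`` can be ignored in the "without" column when
deciding whether to set the option.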
To check if freshness tokens are supported by a realm's clients, look in the KDC logs for the lines::

    PKINIT: freshness token received from
    PKINIT: no freshness token received from

To require freshness tokens for all clients in a realm (except for clients authenticating anonymously), set the **pkinit_require_freshness** variable to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file.  To test that this option is in effect, run ``kinit -X disable_freshness`` and verify that authentication is unsuccessful.

.. krb5-1.19.2/doc/admin/install_clients.rst

Installing and configuring UNIX client machines
===============================================

The Kerberized client programs include :ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`.  All of these programs are in the directory |bindir|.

You can often integrate Kerberos with the login system on client machines, typically through the use of PAM.  The details vary by operating system, and should be covered in your operating system's documentation.  If you do this, you will need to make sure your users know to use their Kerberos passwords when they log in.

You will also need to educate your users to use the ticket management programs kinit, klist, and kdestroy.  If you do not have Kerberos password changing integrated into the native password program (again, typically through PAM), you will need to educate users to use kpasswd in place of its non-Kerberos counterpart, passwd.

Client machine configuration files
----------------------------------

Each machine running Kerberos should have a :ref:`krb5.conf(5)` file.  At a minimum, it should define a **default_realm** setting in :ref:`libdefaults`.  If you are not using DNS SRV records (:ref:`kdc_hostnames`) or URI records (:ref:`kdc_discovery`), it must also contain a :ref:`realms` section containing information for your realm's KDCs.
Consider setting **rdns** to false in order to reduce your dependence on precisely correct DNS information for service hostnames.  Turning this flag off means that service hostnames will be canonicalized through forward name resolution (which adds your domain name to unqualified hostnames, and resolves CNAME records in DNS), but not through reverse address lookup.  The default value of this flag is true for historical reasons only.

If you anticipate users frequently logging into remote hosts (e.g., using ssh) using forwardable credentials, consider setting **forwardable** to true so that users obtain forwardable tickets by default.  Otherwise users will need to use ``kinit -f`` to get forwardable tickets.

Consider adjusting the **ticket_lifetime** setting to match the likely length of sessions for your users.  For instance, if most of your users will be logging in for an eight-hour workday, you could set the default to ten hours so that tickets obtained in the morning expire shortly after the end of the workday.  Users can still manually request longer tickets when necessary, up to the maximum allowed by each user's principal record on the KDC.

If a client host may access services in different realms, it may be useful to define a :ref:`domain_realm` mapping so that clients know which hosts belong to which realms.  However, if your clients and KDC are running release 1.7 or later, it is also reasonable to leave this section out on client machines and just define it in the KDC's krb5.conf.

.. krb5-1.19.2/doc/admin/advanced/index.rst

Advanced topics
===============

.. toctree::
   :maxdepth: 1

   retiring-des.rst

.. krb5-1.19.2/doc/admin/advanced/retiring-des.rst

.. _retiring-des:

Retiring DES
=======================

Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption.  While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace.  As such, it is now considered insecure and should not be used (:rfc:`6649`).

History
-------

DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0.  Partial support for triple-DES (3DES) was added in version 1.1, with full support following in version 1.2.  The Advanced Encryption Standard (AES), which supersedes DES, gained partial support in version 1.3.0 of krb5 and full support in version 1.3.2.  However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention.  MIT krb5 began flagging deprecated encryption types with release 1.17, and removed DES (single-DES) support in release 1.18.  As a consequence, a release prior to 1.18 is required to perform these migrations.

Types of keys
-------------

* The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos database.  The database master key is currently stored as ``K/M`` by default.

* Password-derived keys: User principals frequently have keys derived from a password.  When a new password is set, the KDC uses various string2key functions to generate keys in the database for that principal.

* Keytab keys: Application server principals generally use random keys which are not derived from a password.  When the database entry is created, the KDC generates random keys of various enctypes to enter in the database, which are conveyed to the application server and stored in a keytab.

* Session keys: These are short-term keys generated by the KDC while processing client requests, with an enctype selected by the KDC.

For details on the various enctypes and how enctypes are selected by the KDC for session keys and client/server long-term keys, see :ref:`enctypes`.  When using the :ref:`kadmin(1)` interface to generate new long-term keys, the **-e** argument can be used to force a particular set of enctypes, overriding the KDC default values.

.. note::

   When the KDC is selecting a session key, it has no knowledge about the kerberos installation on the server which will receive the service ticket, only what keys are in the database for the service principal.  In order to allow uninterrupted operation to clients while migrating away from DES, care must be taken to ensure that kerberos installations on application server machines are configured to support newer encryption types before keys of those new encryption types are created in the Kerberos database for those server principals.

Upgrade procedure
-----------------

This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non-DES keys, so that the only remaining task is to update the actual keys used to service requests.

The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst-case scenario, where all keys in the realm are DES.  The realm was initially created with a very old version of krb5, and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded:

::

    [realms]
        ZONE.MIT.EDU = {
            [...]
            master_key_type = des-cbc-crc
            supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        }

This resulted in the keys for all principals in the realm being forced to DES-only, unless specifically requested using :ref:`kadmin(1)`.
Before starting the upgrade, all KDCs were running krb5 1.11, and the database entries for some "high-value" principals were:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
    [...]
    Number of keys: 1
    Key: vno 1, des-cbc-crc:v4
    [...]
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'
    [...]
    Number of keys: 1
    Key: vno 15, des-cbc-crc
    [...]
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'
    [...]
    Number of keys: 1
    Key: vno 14, des-cbc-crc
    [...]

The ``krbtgt/REALM`` key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key.

The krbtgt key and KDC keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, ``krbtgt/REALM``---if this principal's key is compromised, so is the entire realm.  Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be selected.  However, the default KDC behavior when creating new keys is to remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless.  Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry (see :ref:`changing_krbtgt_key`).

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > -keepold krbtgt/ZONE.MIT.EDU"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.

.. note::

   The new ``krbtgt@REALM`` key should be propagated to replica KDCs immediately so that TGTs issued by the primary KDC can be used to issue service tickets on replica KDCs.  Replica KDCs will refuse requests using the new TGT kvno until the new krbtgt entry has been propagated to them.

It is necessary to explicitly specify the enctypes for the new database entry, since **supported_enctypes** has not been changed.  Leaving **supported_enctypes** unchanged makes a potential rollback operation easier, since all new keys of new enctypes are the result of explicit administrator action and can be easily enumerated.

Upgrading the krbtgt key should have minimal user-visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure in :ref:`session_key_selection`.

Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated.  Application service remains uninterrupted due to the key-selection procedure on the KDC.  After the change, the database entry is now:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
    [...]
    Number of keys: 5
    Key: vno 2, aes256-cts-hmac-sha1-96
    Key: vno 2, aes128-cts-hmac-sha1-96
    Key: vno 2, des3-cbc-sha1
    Key: vno 2, des-cbc-crc
    Key: vno 1, des-cbc-crc:v4
    [...]

Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` and ``kadmin/changepw@REALM``.  These are the service principals used for changing user passwords and updating application keytabs.  The kadmin and password-changing services are regular kerberized services, so the session-key-selection algorithm described in :ref:`session_key_selection` applies.  It is particularly important to have strong session keys for these services, since user passwords and new long-term keys are conveyed over the encrypted channel.

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > kadmin/admin"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "kadmin/admin@ZONE.MIT.EDU" randomized.
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > kadmin/changepw"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "kadmin/changepw@ZONE.MIT.EDU" randomized.

It is not necessary to retain a single-DES key for these services, since password changes are not part of normal daily workflow, and disruption from a client failure is likely to be minimal.  Furthermore, if a kerberos client experiences failure changing a user password or keytab key, this indicates that that client will become inoperative once services are rekeyed to non-DES enctypes.  Such problems can be detected early at this stage, giving more time for corrective action.

Adding strong keys to application servers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults.  This still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default enctypes:

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal
    [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \
    > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \
    > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"
    Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab.

Be sure to remove the old keys from the application keytab, per best practice.

::

    [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold
    Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab.

Adding strong keys by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once the high-visibility services have been rekeyed, it is probably appropriate to change :ref:`kdc.conf(5)` to generate keys with the new encryption types by default.  This enables server administrators to generate new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, and causes user password changes to add new encryption types for their entries.  It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys.

::

    [realms]
        ZONE.MIT.EDU = {
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal

.. note::

   The krb5kdc process must be restarted for these changes to take effect.

At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography.  If necessary, the server's krb5 installation should be configured and/or upgraded to a version supporting non-DES keys.  See :ref:`enctypes` for krb5 version and configuration settings.  Only when the service is configured to accept non-DES keys should the key version number be incremented and new keys generated (``k5srvutil change && k5srvutil delold``).

::

    root@dr-willy:~# k5srvutil change
    Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    root@dr-willy:~# klist -e -k -t /etc/krb5.keytab
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
    root@dr-willy:~# k5srvutil delold
    Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.

When a single service principal is shared by multiple backend servers in a load-balanced environment, it may be necessary to schedule downtime or adjust the population in the load-balanced pool in order to propagate the updated keytab to all hosts in the pool with minimal service interruption.

Removing DES keys from usage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This situation remains something of a testing or transitory state, as new DES keys are still being generated, and will be used if requested by a client.  To make more progress removing DES from the realm, the KDC should be configured to not generate such keys by default.

.. note::

   An attacker posing as a client can implement a brute force attack against a DES key for any principal, if that key is in the current (highest-kvno) key list.  This attack is only possible if **allow_weak_crypto = true** is enabled on the KDC.  Setting the **+requires_preauth** flag on a principal forces this attack to be an online attack, much slower than the offline attack otherwise available to the attacker.  However, setting this flag on a service principal is not always advisable; see the entry in :ref:`add_principal` for details.

The following KDC configuration will not generate DES keys by default:

::

    [realms]
        ZONE.MIT.EDU = {
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal

.. note::

   As before, the KDC process must be restarted for this change to take effect.  It is best practice to update kdc.conf on all KDCs, not just the primary, to avoid unpleasant surprises should the primary fail and a replica need to be promoted.

It is now appropriate to remove the legacy single-DES key from the ``krbtgt/REALM`` entry:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \
    > krbtgt/ZONE.MIT.EDU"
    Authenticating as principal host/admin@ATHENA.MIT.EDU with password.
    Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.

After the maximum ticket lifetime has passed, the old database entry should be removed.

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged.

After the KDC is restarted with the new **supported_enctypes**, all user password changes and application keytab updates will not generate DES keys by default.

::

    contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU
    Password for zonetest@ZONE.MIT.EDU: [enter old password]
    Enter new password: [enter new password]
    Enter it again: [enter new password]
    Password changed.
    contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest'
    [...]
    Number of keys: 3
    Key: vno 9, aes256-cts-hmac-sha1-96
    Key: vno 9, aes128-cts-hmac-sha1-96
    Key: vno 9, des3-cbc-sha1
    [...]
    [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
    > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU'
    Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.

Once all principals have been re-keyed, DES support can be disabled on the KDC (**allow_weak_crypto = false**), and client machines can remove **allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration files, completing the migration.  **allow_weak_crypto** takes precedence over all places where DES enctypes could be explicitly configured.  DES keys will not be used, even if they are present, when **allow_weak_crypto = false**.

Support for legacy services
~~~~~~~~~~~~~~~~~~~~~~~~~~~

If there remain legacy services which do not support non-DES enctypes (such as older versions of AFS), **allow_weak_crypto** must remain enabled on the KDC.  Client machines need not have this setting, though---applications which require DES can use API calls to allow weak crypto on a per-request basis, overriding the system krb5.conf.  However, having **allow_weak_crypto** set on the KDC means that any principals which have a DES key in the database could still use those keys.  To minimize the use of DES in the realm and restrict it to just legacy services which require DES, it is necessary to remove all other DES keys.  The realm has been configured such that at password and keytab change, no DES keys will be generated by default.  The task then reduces to requiring user password changes and having server administrators update their service keytabs.
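Deciding which principals still need a password change or keytab update, and which old DES keys are merely awaiting ``purgekeys``, means inspecting every entry's key list.  The following script is an added example, not code from the krb5 project: it parses the ``Principal:`` and ``Key: vno N, <enctype>`` lines of :ref:`kadmin(1)` ``getprinc`` output and classifies each principal by whether a single-DES key is in its current (highest-kvno) key set, the case the note above identifies as attackable while **allow_weak_crypto = true**.  The key lists are constructed for the ZONE.MIT.EDU realm of this document (``host/legacy.zone.mit.edu`` is a made-up principal), and it generalizes the page's one-principal inspections to a batch.

```shell
#!/bin/sh
# Added example, not part of the MIT krb5 documentation: find principals that
# still carry single-DES keys by parsing "getprinc" output from kadmin(1).
# Only the "Principal:" and "Key: vno N, <enctype>" lines are interpreted;
# the key lists below are constructed for the ZONE.MIT.EDU realm used in this
# document (host/legacy.zone.mit.edu is a made-up principal).

SAMPLE_GETPRINC='Principal: krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU
Expiration date: [never]
Number of keys: 5
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 2, des-cbc-crc
Key: vno 1, des-cbc-crc:v4
Principal: kadmin/admin@ZONE.MIT.EDU
Number of keys: 1
Key: vno 15, des-cbc-crc
Principal: zonetest@ZONE.MIT.EDU
Number of keys: 3
Key: vno 9, aes256-cts-hmac-sha1-96
Key: vno 9, aes128-cts-hmac-sha1-96
Key: vno 9, des3-cbc-sha1
Principal: host/legacy.zone.mit.edu@ZONE.MIT.EDU
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc'

# Read concatenated getprinc output on stdin and print "<principal>\t<status>":
#   current-des  a des-cbc-* key is in the highest-kvno key set (still used by
#                the KDC, and attackable while allow_weak_crypto = true)
#   old-des      DES keys exist only at lower kvnos (purgekeys candidate once
#                the maximum ticket lifetime has passed)
#   clean        no single-DES key at all
des_audit() {
    awk '
    function flush() {
        if (princ == "") return
        if (maxv in desv) s = "current-des"
        else if (ndes > 0) s = "old-des"
        else s = "clean"
        print princ "\t" s
    }
    /^Principal: / { flush(); princ = $2; maxv = -1; ndes = 0; split("", desv); next }
    /^Key: vno / {
        v = $3; sub(/,$/, "", v); v = v + 0            # "2," -> 2
        if (v > maxv) maxv = v
        if ($4 ~ /^des-cbc-/) { desv[v] = 1; ndes++ }  # des3-* does not match
        next
    }
    END { flush() }'
}

# Principals that must be rekeyed (cpw -randkey, ktadd, or a password change)
# before DES can be switched off on the KDC.
rekey_candidates() {
    des_audit | awk -F '\t' '$2 == "current-des" { print $1 }'
}

printf '%s\n' "$SAMPLE_GETPRINC" | des_audit
```

To run it against a real realm, feed it the concatenated ``getprinc`` output for every principal returned by ``kadmin.local -q listprincs``; ``rekey_candidates`` then gives the list to chase, and the ``old-des`` entries are the ones to ``purgekeys`` after the maximum ticket lifetime.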
Administrative outreach will be necessary, and if the desire to eliminate DES is sufficiently strong, the KDC administrators may choose to randkey any principals which have not been rekeyed after some timeout period, forcing the user to contact the helpdesk for access.

The Database Master Key
-----------------------

This procedure does not alter ``K/M@REALM``, the key used to encrypt key material in the Kerberos database.  (This is the key stored in the stash file on the KDC if stash files are used.)  However, the security risk of a single-DES key for ``K/M`` is minimal, given that access to material encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled.  If an attacker can gain access to the encrypted database, they likely have access to the stash file as well, rendering the weak cryptography broken by non-cryptographic means.  As such, upgrading ``K/M`` to a stronger encryption type is unlikely to be a high-priority task.

It is possible to upgrade the master key used for the database, if desired.  Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and **update_princ_encryption** commands, a new master key can be added and activated for use on new key material, and the existing entries converted to the new master key.

.. krb5-1.19.2/doc/admin/spake.rst

.. _spake:

SPAKE Preauthentication
=======================

SPAKE preauthentication (added in release 1.17) uses public key cryptography techniques to protect against :ref:`password dictionary attacks`.  Unlike :ref:`PKINIT`, it does not require any additional infrastructure such as certificates; it simply needs to be turned on.  Using SPAKE preauthentication may modestly increase the CPU and network load on the KDC.

SPAKE preauthentication can use one of four elliptic curve groups for its password-authenticated key exchange.  The recommended group is ``edwards25519``; three NIST curves (``P-256``, ``P-384``, and ``P-521``) are also supported.

By default, SPAKE with the ``edwards25519`` group is enabled on clients, but the KDC does not offer SPAKE by default.  To turn it on, set the **spake_preauth_groups** variable in :ref:`libdefaults` to a list of allowed groups.  This variable affects both the client and the KDC.  Simply setting it to ``edwards25519`` is recommended::

    [libdefaults]
        spake_preauth_groups = edwards25519

Set the **+requires_preauth** and **-allow_svr** flags on client principal entries, as you would for any preauthentication mechanism::

    kadmin: modprinc +requires_preauth -allow_svr PRINCNAME

Clients which do not implement SPAKE preauthentication will fall back to encrypted timestamp.  An active attacker can force a fallback to encrypted timestamp by modifying the initial KDC response, defeating the protection against dictionary attacks.  To prevent this fallback on clients which do implement SPAKE preauthentication, set the **disable_encrypted_timestamp** variable to ``true`` in the :ref:`realms` subsection for realms whose KDCs offer SPAKE preauthentication.

By default, SPAKE preauthentication requires an extra network round trip to the KDC during initial authentication.  If most of the clients in a realm support SPAKE, this extra round trip can be eliminated using an optimistic challenge, by setting the **spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a single group name::

    [kdcdefaults]
        spake_preauth_kdc_challenge = edwards25519

Using optimistic challenge will cause the KDC to do extra work for initial authentication requests that do not result in SPAKE preauthentication, but will save work when SPAKE preauthentication is used.
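The downgrade described above (an active attacker forcing a SPAKE-capable client back to encrypted timestamp) is only closed on clients whose ``[realms]`` subsection carries **disable_encrypted_timestamp = true**, and that setting is easy to forget for a realm added later.  The following script is an added example, not part of the krb5 documentation or code: it reads a krb5.conf and lists every realm subsection that lacks the setting, so an administrator can compare the list against the realms whose KDCs offer SPAKE.  The krb5.conf it reads is constructed (the EXAMPLE.COM realms and KDC hostnames are made up).

```shell
#!/bin/sh
# Added example, not part of the MIT krb5 documentation: list the [realms]
# subsections of a krb5.conf that do not set disable_encrypted_timestamp =
# true.  For any realm whose KDCs offer SPAKE, such a subsection leaves the
# client open to the fallback-to-encrypted-timestamp downgrade.  The
# krb5.conf below is constructed (the EXAMPLE.COM realms are made up).

SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = EXAMPLE.COM
    spake_preauth_groups = edwards25519

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        disable_encrypted_timestamp = true
    }
    LEGACY.EXAMPLE.COM = {
        kdc = kdc.legacy.example.com
    }
    # an explicit "false" keeps the fallback and is reported too
    PARTNER.EXAMPLE.COM = {
        kdc = kdc.partner.example.com
        disable_encrypted_timestamp = false
    }
'

# Read krb5.conf on stdin; print each realm from [realms] that lacks
# "disable_encrypted_timestamp = true", in file order.
realms_with_enctimestamp_fallback() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ { next }                                   # comment line
    /^[ \t]*\[/  { sect = $0; gsub(/[][ \t]/, "", sect); realm = ""; next }
    sect != "realms" { next }
    /^[ \t]*}/   { realm = ""; next }                        # end of subsection
    {
        eq = index($0, "=")
        if (eq == 0) next
        key = trim(substr($0, 1, eq - 1)); val = trim(substr($0, eq + 1))
        if (val == "{") {                                    # "REALM = {"
            realm = key
            if (!(realm in seen)) { seen[realm] = 1; order[++n] = realm }
        } else if (realm != "" && key == "disable_encrypted_timestamp" && tolower(val) == "true") {
            ok[realm] = 1
        }
    }
    END { for (i = 1; i <= n; i++) if (!(order[i] in ok)) print order[i] }'
}

printf '%s\n' "$SAMPLE_KRB5_CONF" | realms_with_enctimestamp_fallback
```

Run it as ``realms_with_enctimestamp_fallback < /etc/krb5.conf`` on a client; any realm it prints whose KDCs have **spake_preauth_groups** set should get the **disable_encrypted_timestamp = true** relation.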
.. krb5-1.19.2/doc/admin/install_appl_srv.rst

UNIX Application Servers
========================

An application server is a host that provides one or more services over the network.  Application servers can be "secure" or "insecure."  A "secure" host is set up to require authentication from every client connecting to it.  An "insecure" host will still provide Kerberos authentication, but will also allow unauthenticated clients to connect.

If you have Kerberos V5 installed on all of your client machines, MIT recommends that you make your hosts secure, to take advantage of the security that Kerberos authentication affords.  However, if you have some clients that do not have Kerberos V5 installed, you can run an insecure server, and still take advantage of Kerberos V5's single sign-on capability.

.. _keytab_file:

The keytab file
---------------

All Kerberos server machines need a keytab file to authenticate to the KDC.  By default on UNIX-like systems this file is named |keytab|.  The keytab file is a local copy of the host's key.  The keytab file is a potential point of entry for a break-in, and if compromised, would allow unrestricted access to its host.  The keytab file should be readable only by root, and should exist only on the machine's local disk.  The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the machine's root password.

In order to generate a keytab for a host, the host must have a principal in the Kerberos database.  The procedure for adding hosts to the database is described fully in :ref:`add_mod_del_princs`.  (See :ref:`replica_host_key` for a brief description.)  The keytab is generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd` command.  For example, to generate a keytab file to allow the host ``trillium.mit.edu`` to authenticate for the services host, ftp, and pop, the administrator ``joeadmin`` would issue the command (on ``trillium.mit.edu``)::

    trillium% kadmin
    Authenticating as principal root/admin@ATHENA.MIT.EDU with password.
    Password for root/admin@ATHENA.MIT.EDU:
    kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
    Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: quit
    trillium%

If you generate the keytab file on another host, you need to get a copy of the keytab file onto the destination host (``trillium``, in the above example) without sending it unencrypted over the network.

Some advice about secure hosts
------------------------------

Kerberos V5 can protect your host from certain types of break-ins, but it is possible to install Kerberos V5 and still leave your host vulnerable to attack.  Obviously an installation guide is not the place to try to include an exhaustive list of countermeasures for every possible attack, but it is worth noting some of the larger holes and how to close them.

We recommend that backups of secure machines exclude the keytab file (|keytab|).  If this is not possible, the backups should at least be done locally, rather than over a network, and the backup tapes should be physically secured.

The keytab file and any programs run by root, including the Kerberos V5 binaries, should be kept on local disk.  The keytab file should be readable only by root.
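The "readable only by root" requirement is the kind of thing that silently regresses when a keytab is regenerated or copied between hosts, so it is worth checking from a host audit script.  The following function is an added example, not part of the krb5 documentation or code: it verifies that a keytab is owned by the expected user and has no group or other permission bits.  It parses ``ls -ld`` output rather than ``stat(1)`` so it behaves the same on GNU and BSD userlands; the default path ``/etc/krb5.keytab`` is the conventional location and an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of the MIT krb5 documentation: verify that a keytab
# is owned by the expected user and has no group/other permission bits.  It
# parses "ls -ld" output rather than stat(1) so it behaves the same on GNU
# and BSD userlands.  The default path /etc/krb5.keytab is an assumption.

# Usage: check_keytab_perms [keytab-path] [expected-owner]
# Exit status: 0 ok, 1 bad mode or owner, 2 file missing.
check_keytab_perms() {
    keytab=${1:-/etc/krb5.keytab}
    owner=${2:-root}
    if [ ! -f "$keytab" ]; then
        echo "MISSING: $keytab"
        return 2
    fi
    # ls -ld prints e.g. "-rw------- 1 root root 1234 Mar  1 08:12 /etc/krb5.keytab";
    # field 1 is the mode string, field 3 the owner.
    set -- $(ls -ld "$keytab")
    mode=$1
    fowner=$3
    status=0
    case "$mode" in
        ????------*) ;;   # type + owner bits, then six '-' for group/other
        *) echo "BAD MODE $mode: $keytab must be readable only by $owner"
           status=1 ;;
    esac
    if [ "$fowner" != "$owner" ]; then
        echo "BAD OWNER $fowner (expected $owner): $keytab"
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $keytab is mode $mode, owned by $fowner"
    fi
    return "$status"
}

# Report on the default keytab when run on a real host; harmless elsewhere.
if [ -f /etc/krb5.keytab ]; then
    check_keytab_perms /etc/krb5.keytab || :
fi
```

A non-zero exit status makes the function usable directly from a configuration-management or monitoring check; the messages name the offending attribute so the fix (``chown root`` and ``chmod 600``) is obvious.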
krb5-1.19.2/doc/admin/dbtypes.rst0000644000704600001450000001472414076311657020124 0ustar ghudsonsystemd-journalDatabase types ============== A Kerberos database can be implemented with one of three built-in database providers, called KDB modules. Software which incorporates the MIT krb5 KDC may also provide its own KDB module. The following subsections describe the three built-in KDB modules and the configuration specific to them. The database type can be configured with the **db_library** variable in the :ref:`dbmodules` subsection for the realm. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 } If the ``ATHENA.MIT.EDU`` realm subsection contains a **database_module** setting, then the subsection within ``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``. To transition from one database type to another, stop the :ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump file, change the **db_library** value and set any appropriate configuration for the new database type, and use ``kdb5_util load`` to create and populate the new database. If the new database type is LDAP, create the new database using ``kdb5_ldap_util`` and populate it from the dump file using ``kdb5_util load -update``. Then restart the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` services. Berkeley database module (db2) ------------------------------ The default KDB module is ``db2``, which uses a version of the Berkeley DB library. It creates four files based on the database pathname. 
If the pathname ends with ``principal`` then the four files are: * ``principal``, containing principal entry data * ``principal.ok``, a lock file for the principal database * ``principal.kadm5``, containing policy object data * ``principal.kadm5.lock``, a lock file for the policy database For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable period of time while it iterates over the database. This delay can be avoided by disabling account lockout features so that the KDC does not perform database writes (see :ref:`disable_lockout`). Alternatively, a slower form of iteration can be enabled by setting the **unlockiter** variable to ``true``. For example:: [dbmodules] ATHENA.MIT.EDU = { db_library = db2 unlockiter = true } In rare cases, a power failure or other unclean system shutdown may cause inconsistencies in the internal pointers within a database file, such that ``kdb5_util dump`` cannot retrieve all principal entries in the database. In this situation, it may be possible to retrieve all of the principal data by running ``kdb5_util dump -recurse`` to iterate over the database using the tree pointers instead of the iteration pointers. Running ``kdb5_util dump -rev`` to iterate over the database backwards may also retrieve some of the data which is not retrieved by a normal dump operation. Lightning Memory-Mapped Database module (klmdb) ----------------------------------------------- The klmdb module was added in release 1.17. It uses the LMDB library, and may offer better performance and reliability than the db2 module. It creates four files based on the database pathname. 
If the pathname ends with ``principal``, then the four files are:

* ``principal.mdb``, containing policy object data and most principal
  entry data
* ``principal.mdb-lock``, a lock file for the primary database
* ``principal.lockout.mdb``, containing the account lockout attributes
  (last successful authentication time, last failed authentication
  time, and number of failed attempts) for each principal entry
* ``principal.lockout.mdb-lock``, a lock file for the lockout database

Separating out the lockout attributes ensures that the KDC will never
block on an administrative operation such as a database dump or load.
It also allows the KDC to operate without write access to the primary
database.  If both account lockout features are disabled (see
:ref:`disable_lockout`), the lockout database files will be created
but will not subsequently be opened, and the account lockout
attributes will always have zero values.

Because LMDB creates a memory map to the database files, it requires
a configured memory map size which also determines the maximum size
of the database.  This size is applied equally to the two databases,
so twice the configured size will be consumed in the process address
space; this is primarily a limitation on 32-bit platforms.  The
default value of 128 megabytes should be sufficient for several
hundred thousand principal entries.  If the limit is reached, kadmin
operations will fail and the error message "Environment mapsize limit
reached" will appear in the kadmind log file.  In this case, the
**mapsize** variable can be used to increase the map size.  The
following example sets the map size to 512 megabytes::

    [dbmodules]
        ATHENA.MIT.EDU = {
            db_library = klmdb
            mapsize = 512
        }

LMDB has a configurable maximum number of readers.  The default value
of 128 should be sufficient for most deployments.  If you are going
to use a large number of KDC worker processes, it may be necessary to
set the **max_readers** variable to a larger number.
By default, LMDB synchronizes database files to disk after each write
transaction to ensure durability in the case of an unclean system
shutdown.  The klmdb module always turns synchronization off for the
lockout database to ensure reasonable KDC performance, but leaves it
on for the primary database.  If high throughput for administrative
operations (including password changes) is required, the **nosync**
variable can be set to "true" to disable synchronization for the
primary database.

The klmdb module does not support explicit locking with the
:ref:`kadmin(1)` **lock** command.


LDAP module (kldap)
-------------------

The kldap module stores principal and policy data using an LDAP
server.  To use it you must configure an LDAP server to use the
Kerberos schema.  See :ref:`conf_ldap` for details.

Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP
database accesses may limit KDC operation throughput.  If the LDAP
server is located on the same server host as the KDC and accessed
through an ``ldapi://`` URL, latency should be minimal.  If this is
not possible, consider starting multiple KDC worker processes with
the :ref:`krb5kdc(8)` **-w** option to enable concurrent processing
of KDC requests.

The kldap module does not support explicit locking with the
:ref:`kadmin(1)` **lock** command.

.. krb5-1.19.2/doc/admin/https.rst

.. _https:

HTTPS proxy configuration
=========================

In addition to being able to use UDP or TCP to communicate directly
with a KDC as is outlined in RFC4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to use an HTTPS
proxy server to communicate with a KDC or kpasswd service, using the
protocol outlined in [MS-KKDCP].

Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so.
The use of TLS also encrypts all traffic between the clients and the
KDC, preventing observers from conducting password dictionary attacks
or from observing the client and server principals being
authenticated, at additional computational cost to both clients and
servers.

An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named `kdcproxy`
is available in the python package index.


Configuring the clients
-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued
that proxy's SSL certificate.  If that CA's certificate is not in the
system-wide default set of trusted certificates, configure the
following relation in the client host's :ref:`krb5.conf(5)` file in
the appropriate :ref:`realms` subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a
copy of the CA's certificate.  The `http_anchors` option is documented
more fully in :ref:`krb5.conf(5)`.

Configure the client to access the KDC and kpasswd service by
specifying their locations in its :ref:`krb5.conf(5)` file in the
form of HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy
    kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.

.. krb5-1.19.2/doc/admin/various_envs.rst

Various links
=============

Whitepapers
-----------

#. https://kerberos.org/software/whitepapers.html

Tutorials
---------

#. Fulvio Ricciardi

Troubleshooting
---------------

#. https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting
#. https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html
#. https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html
#. https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)#EBAA
#. https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528

.. krb5-1.19.2/doc/admin/auth_indicator.rst

.. _auth_indicator:

Authentication indicators
=========================

As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as :ref:`PKINIT ` or :ref:`OTP `.  These annotations are called
"authentication indicators."  Service principals can be configured to
require particular authentication indicators in order to authenticate
to that service.  An authentication indicator value can be any string
chosen by the KDC administrator; there are no pre-set values.

To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.  For PKINIT, use the **pkinit_indicator** variable in
:ref:`kdc.conf(5)`.  For OTP, use the **indicator** variable in the
token type definition, or specify the indicators in the **otp** user
string as described in :ref:`otp_preauth`.

To require an indicator to be present in order to authenticate to a
service principal, set the **require_auth** string attribute on the
principal to the indicator value to be required.  If you wish to
allow one of several indicators to be accepted, you can specify
multiple indicator values separated by spaces.
For example, a realm could be configured to set the authentication
indicator value "strong" when PKINIT is used to authenticate, using a
setting in the :ref:`kdc_realms` subsection::

    pkinit_indicator = strong

A service principal could be configured to require the "strong"
authentication indicator value::

    $ kadmin setstr host/high.value.server require_auth strong
    Password for user/admin@KRBTEST.COM:

A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal::

    $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
    $ kvno host/high.value.server
    host/high.value.server@KRBTEST.COM: kvno = 1

but a user who authenticates with a password would not::

    $ kinit user
    Password for user@KRBTEST.COM:
    $ kvno host/high.value.server
    kvno: KDC policy rejects request while getting credentials for
      host/high.value.server@KRBTEST.COM

GSSAPI server applications can inspect authentication indicators
through the :ref:`auth-indicators ` name attribute.

.. krb5-1.19.2/doc/admin/install.rst

Installation guide
==================

Contents
--------

.. toctree::
   :maxdepth: 2

   install_kdc.rst
   install_clients.rst
   install_appl_srv.rst

Additional references
---------------------

#. Debian: Setting up MIT Kerberos 5
#. Solaris: Configuring the Kerberos Service

.. krb5-1.19.2/doc/admin/index.rst

For administrators
==================

.. toctree::
   :maxdepth: 1

   install.rst
   conf_files/index.rst
   realm_config.rst
   database.rst
   dbtypes.rst
   lockout.rst
   conf_ldap.rst
   appl_servers.rst
   host_config.rst
   backup_host.rst
   pkinit.rst
   otp.rst
   spake.rst
   dictionary.rst
   princ_dns.rst
   enctypes.rst
   https.rst
   auth_indicator.rst

.. toctree::
   :maxdepth: 1

   admin_commands/index.rst
   ../mitK5defaults.rst
   env_variables.rst
   troubleshoot.rst
   advanced/index.rst
   various_envs.rst

.. krb5-1.19.2/doc/admin/otp.rst

.. _otp_preauth:

OTP Preauthentication
=====================

OTP is a preauthentication mechanism for Kerberos 5 which uses One
Time Passwords (OTP) to authenticate the client to the KDC.  The OTP
is passed to the KDC over an encrypted FAST channel in clear-text.
The KDC uses the password along with per-user configuration to proxy
the request to a third-party RADIUS system.  This enables
out-of-the-box compatibility with a large number of already widely
deployed proprietary systems.

Additionally, our implementation of the OTP system allows for the
passing of RADIUS requests over a UNIX domain stream socket.  This
permits the use of a local companion daemon which can handle the
details of authentication.

Defining token types
--------------------

Token types are defined in either :ref:`krb5.conf(5)` or
:ref:`kdc.conf(5)` according to the following format::

    [otp]
        = {
            server = (default: see below)
            secret =
            timeout = (default: 5 [seconds])
            retries = (default: 3)
            strip_realm = (default: true)
            indicator = (default: none)
        }

If the server field begins with '/', it will be interpreted as a UNIX
socket.  Otherwise, it is assumed to be in the format host:port.  When
a UNIX domain socket is specified, the secret field is optional and an
empty secret is used by default.  If the server field is not
specified, it defaults to |kdcrundir|\ ``/.socket``.

When forwarding the request over RADIUS, by default the principal is
used in the User-Name attribute of the RADIUS packet.  The strip_realm
parameter controls whether the principal is forwarded with or without
the realm portion.

If an indicator field is present, tickets issued using this token type
will be annotated with the specified authentication indicator (see
:ref:`auth_indicator`).
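The token type rules just described (a server beginning with ``/`` is a UNIX socket, anything else is host:port, the default socket path, strip_realm and indicator), together with the **otp** user string format described in the next section, as an added example evaluator; this is not code from the krb5 documentation or source.  The ``[otp]`` contents, server names and the run directory that ``|kdcrundir|`` expands to are constructed for the example, and treating a missing secret on a host:port server as a configuration error is an assumption.

```python
import json

# Constructed stand-in for the directory |kdcrundir| expands to (assumption).
KDCRUNDIR = "/var/run/krb5kdc"

# Constructed [otp] section: token type name -> its settings (all made up).
TOKEN_TYPES = {
    "DEFAULT": {"strip_realm": False},
    "hwtoken": {"server": "radius.example.com:1812", "secret": "shared",
                "strip_realm": True, "indicator": ["hwtoken"]},
    "localotp": {"server": "/run/otpd/localotp.socket",
                 "indicator": ["localotp"]},
}


def resolve_token_type(name, settings):
    """Fill in the documented defaults for one token type and classify its
    server: a value beginning with '/' is a UNIX domain socket (secret
    optional, empty by default); anything else must be host:port, and a
    RADIUS secret is then treated as mandatory (assumption)."""
    conf = {"timeout": 5, "retries": 3, "strip_realm": True,
            "indicator": [], "secret": ""}
    conf.update(settings)
    server = conf.get("server")
    if server is None:
        server = "%s/%s.socket" % (KDCRUNDIR, name)   # documented default
    if server.startswith("/"):
        transport = "unix"
    else:
        host, sep, port = server.rpartition(":")
        if not (host and sep and port.isdigit()):
            raise ValueError("%s: server must be host:port or a socket path"
                             % name)
        if not conf["secret"]:
            raise ValueError("%s: host:port RADIUS server needs a secret"
                             % name)
        transport = "radius"
    conf["server"], conf["transport"] = server, transport
    return conf


def check_token_type(name, settings):
    """Return None if the token type definition is valid, else the error."""
    try:
        resolve_token_type(name, settings)
    except ValueError as err:
        return str(err)
    return None


def resolve_otp_string(otp_string, principal, token_types=TOKEN_TYPES):
    """Expand a principal's **otp** string attribute into one request
    description per token object, applying the documented defaults:
    missing type -> DEFAULT, [] -> [{}], User-Name from strip_realm,
    indicators from the token type unless the token overrides them."""
    tokens = json.loads(otp_string)
    if not isinstance(tokens, list):
        raise ValueError("otp string must be a JSON array of token objects")
    if tokens == []:
        tokens = [{}]
    name, sep, _realm = principal.rpartition("@")
    if not sep:
        name = principal
    requests = []
    for token in tokens:
        type_name = token.get("type", "DEFAULT")
        if type_name not in token_types:
            raise ValueError("unknown token type %r" % type_name)
        conf = resolve_token_type(type_name, token_types[type_name])
        username = token.get("username")
        if username is None:
            username = name if conf["strip_realm"] else principal
        indicators = token.get("indicators")
        if indicators is None:
            indicators = list(conf["indicator"])
        requests.append({"type": type_name, "server": conf["server"],
                         "transport": conf["transport"],
                         "username": username, "indicators": indicators,
                         "timeout": conf["timeout"],
                         "retries": conf["retries"]})
    return requests
```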
The **indicator** key may be specified multiple times to add multiple
indicators.

The default token type
----------------------

A default token type is used internally when no token type is
specified for a given user.  It is defined as follows::

    [otp]
        DEFAULT = {
            strip_realm = false
        }

The administrator may override the internal ``DEFAULT`` token type
simply by defining a configuration with the same name.

Token instance configuration
----------------------------

To enable OTP for a client principal, the administrator must define
the **otp** string attribute for that principal.  (See
:ref:`set_string`.)  The **otp** user string is a JSON string of the
format:

.. code-block:: xml

    [{
        "type": ,
        "username": ,
        "indicators": [, ...]
    }, ...]

This is an array of token objects.  All fields of token objects are
optional.

The **type** field names the token type of this token; if not
specified, it defaults to ``DEFAULT``.

The **username** field specifies the value to be sent in the User-Name
RADIUS attribute.  If not specified, the principal name is sent, with
or without realm as defined in the token type.

The **indicators** field specifies a list of authentication indicators
to annotate tickets with, overriding any indicators specified in the
token type.

For ease of configuration, an empty array (``[]``) is treated as
equivalent to one DEFAULT token (``[{}]``).

Other considerations
--------------------

#. FAST is required for OTP to work.

.. krb5-1.19.2/doc/admin/enctypes.rst

.. _enctypes:

Encryption types
================

Kerberos can use a variety of cipher algorithms to protect data.  A
Kerberos **encryption type** (also known as an **enctype**) is a
specific combination of a cipher algorithm with an integrity algorithm
to provide both confidentiality and integrity to data.

Enctypes in requests
--------------------

Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and
TGS-REQs.
The client uses the AS-REQ to obtain initial tickets (typically a
Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to obtain service
tickets.

The KDC uses three different keys when issuing a ticket to a client:

* The long-term key of the service: the KDC uses this to encrypt the
  actual service ticket.  The KDC only uses the first long-term key in
  the most recent kvno for this purpose.

* The session key: the KDC randomly chooses this key and places one
  copy inside the ticket and the other copy inside the encrypted part
  of the reply.

* The reply-encrypting key: the KDC uses this to encrypt the reply it
  sends to the client.  For AS replies, this is a long-term key of the
  client principal.  For TGS replies, this is either the session key
  of the authenticating ticket, or a subsession key.

Each of these keys is of a specific enctype.

Each request type allows the client to submit a list of enctypes that
it is willing to accept.  For the AS-REQ, this list affects both the
session key selection and the reply-encrypting key selection.  For the
TGS-REQ, this list only affects the session key selection.

.. _session_key_selection:

Session key selection
---------------------

The KDC chooses the session key enctype by taking the intersection of
its **permitted_enctypes** list, the list of long-term keys for the
most recent kvno of the service, and the client's requested list of
enctypes.  Starting in krb5-1.11, it is possible to set a string
attribute on a service principal to control what session key enctypes
the KDC may issue for service tickets for that principal.  See
:ref:`set_string` in :ref:`kadmin(1)` for details.

Choosing enctypes for a service
-------------------------------

Generally, a service should have a key of the strongest enctype that
both it and the KDC support.  If the KDC is running a release earlier
than krb5-1.11, it is also useful to generate an additional key for
each enctype that the service can support.
The KDC will only use the first key in the list of long-term keys for
encrypting the service ticket, but the additional long-term keys
indicate the other enctypes that the service supports.

As noted above, starting with release krb5-1.11, there are additional
configuration settings that control session key enctype selection
independently of the set of long-term keys that the KDC has stored for
a service principal.

Configuration variables
-----------------------

The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will
affect how enctypes are chosen.

**allow_weak_crypto**
    defaults to *false* starting with krb5-1.8.  When *false*, removes
    weak enctypes from **permitted_enctypes**,
    **default_tkt_enctypes**, and **default_tgs_enctypes**.  Do not
    set this to *true* unless the use of weak enctypes is an
    acceptable risk for your environment and the weak enctypes are
    required for backward compatibility.

**permitted_enctypes**
    controls the set of enctypes that a service will permit for
    session keys and for ticket and authenticator encryption.  The KDC
    and other programs that access the Kerberos database will ignore
    keys of non-permitted enctypes.  Starting in release 1.18, this
    setting also acts as the default for **default_tkt_enctypes** and
    **default_tgs_enctypes**.

**default_tkt_enctypes**
    controls the default set of enctypes that the Kerberos client
    library requests when making an AS-REQ.  Do not set this unless
    required for specific backward compatibility purposes; stale
    values of this setting can prevent clients from taking advantage
    of new stronger enctypes when the libraries are upgraded.

**default_tgs_enctypes**
    controls the default set of enctypes that the Kerberos client
    library requests when making a TGS-REQ.  Do not set this unless
    required for specific backward compatibility purposes; stale
    values of this setting can prevent clients from taking advantage
    of new stronger enctypes when the libraries are upgraded.
The following per-realm setting in :ref:`kdc.conf(5)` affects the
generation of long-term keys.

**supported_enctypes**
    controls the default set of enctype-salttype pairs that
    :ref:`kadmind(8)` will use for generating long-term keys, either
    randomly or from passwords.

Enctype compatibility
---------------------

See :ref:`Encryption_types` for additional information about enctypes.

========================== ========== ======== =======
enctype                    weak?      krb5     Windows
========================== ========== ======== =======
des-cbc-crc                weak       <1.18    >=2000
des-cbc-md4                weak       <1.18    ?
des-cbc-md5                weak       <1.18    >=2000
des3-cbc-sha1              deprecated >=1.1    none
arcfour-hmac               deprecated >=1.3    >=2000
arcfour-hmac-exp           weak       >=1.3    >=2000
aes128-cts-hmac-sha1-96               >=1.3    >=Vista
aes256-cts-hmac-sha1-96               >=1.3    >=Vista
aes128-cts-hmac-sha256-128            >=1.15   none
aes256-cts-hmac-sha384-192            >=1.15   none
camellia128-cts-cmac                  >=1.9    none
camellia256-cts-cmac                  >=1.9    none
========================== ========== ======== =======

krb5 releases 1.18 and later do not support single-DES.  krb5
releases 1.8 and later disable the single-DES enctypes by default.
Microsoft Windows releases Windows 7 and later disable single-DES
enctypes by default.

krb5 releases 1.17 and later flag deprecated encryption types
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
kadmin output.  krb5 release 1.19 issues a warning during initial
authentication if ``des3-cbc-sha1`` is used.  Future releases will
disable ``des3-cbc-sha1`` by default and eventually remove support for
it.

Migrating away from older encryption types
------------------------------------------

Administrator intervention may be required to migrate a realm away
from legacy encryption types, especially if the realm was created
using krb5 release 1.2 or earlier.  This migration should be performed
before upgrading to krb5 versions which disable or remove support for
legacy encryption types.
If there is a **supported_enctypes** setting in :ref:`kdc.conf(5)` on
the KDC, make sure that it does not include weak or deprecated
encryption types.  This will ensure that newly created keys do not use
those encryption types by default.

Check the ``krbtgt/REALM`` principal using the :ref:`kadmin(1)`
**getprinc** command.  If it lists a weak or deprecated encryption
type as the first key, it must be migrated using the procedure in
:ref:`changing_krbtgt_key`.

Check the ``kadmin/history`` principal, which should have only one
key entry.  If it uses a weak or deprecated encryption type, it should
be upgraded following the notes in :ref:`updating_history_key`.

Check the other kadmin principals: kadmin/changepw, kadmin/admin, and
any kadmin/hostname principals that may exist.  These principals can
be upgraded with **change_password -randkey** in kadmin.

Check the ``K/M`` entry.  If it uses a weak or deprecated encryption
type, it should be upgraded following the procedure in
:ref:`updating_master_key`.

User and service principals using legacy encryption types can be
enumerated with the :ref:`kdb5_util(8)` **tabdump keyinfo** command.

Service principals can be migrated with a keytab rotation on the
service host, which can be accomplished using the :ref:`k5srvutil(1)`
**change** and **delold** commands.  Allow enough time for existing
tickets to expire between the change and delold operations.

User principals with password-based keys can be migrated with a
password change.  The realm administrator can set a password
expiration date using the :ref:`kadmin(1)` **modify_principal
-pwexpire** command to force a password change.

If a legacy encryption type has not yet been disabled by default in
the version of krb5 running on the KDC, it can be disabled
administratively with the **permitted_enctypes** variable.  For
example, setting **permitted_enctypes** to ``DEFAULT -des3 -rc4`` will
cause any database keys of the triple-DES and RC4 encryption types to
be ignored.
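The session key selection rule from :ref:`session_key_selection` and the effect of a ``permitted_enctypes`` value such as ``DEFAULT -des3 -rc4`` described just above, worked through as an added example; this is not krb5 code.  The enctype names come from the compatibility table on this page, while the family groupings, the contents of the built-in ``DEFAULT`` list, and the KDC walking the client's requested list in preference order are assumptions made for the example.

```python
# Enctype names from the compatibility table above; the family groupings
# mirror the krb5.conf shorthand names (assumption for the example).
FAMILIES = {
    "des": ["des-cbc-crc", "des-cbc-md4", "des-cbc-md5"],
    "des3": ["des3-cbc-sha1"],
    "rc4": ["arcfour-hmac", "arcfour-hmac-exp"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}

# Enctypes the table marks "weak"; allow_weak_crypto=false removes them.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-exp"}

# Stand-in for the library's built-in DEFAULT list: the non-weak enctypes
# of the table, strongest families first (assumption).
DEFAULT_LIST = (FAMILIES["aes"] + FAMILIES["camellia"] + FAMILIES["des3"]
                + ["arcfour-hmac"])


def expand_enctypes(spec, allow_weak_crypto=False):
    """Expand a krb5.conf enctype list such as "DEFAULT -des3 -rc4":
    tokens are enctype or family names, optionally prefixed with '+'
    (add) or '-' (remove); DEFAULT stands for the built-in list."""
    result = []
    for token in spec.split():
        op = "+"
        if token[0] in "+-":
            op, token = token[0], token[1:]
        names = DEFAULT_LIST if token == "DEFAULT" else FAMILIES.get(token, [token])
        if op == "+":
            for name in names:
                if name not in result:
                    result.append(name)
        else:
            result = [n for n in result if n not in names]
    if not allow_weak_crypto:
        result = [n for n in result if n not in WEAK]
    return result


def newest_kvno_keys(service_keys):
    """service_keys maps kvno -> ordered list of long-term key enctypes;
    only the most recent kvno is used for ticket and session keys."""
    return service_keys[max(service_keys)]


def ticket_enctype(permitted, service_keys):
    """Enctype used to encrypt the service ticket: the first long-term
    key of the newest kvno, skipping keys of non-permitted enctypes,
    which the KDC ignores (so a leading legacy key is not used)."""
    for enctype in newest_kvno_keys(service_keys):
        if enctype in permitted:
            return enctype
    return None


def session_enctype(permitted, service_keys, client_request):
    """Session key enctype: the intersection of permitted_enctypes, the
    service's newest long-term keys and the client's requested list.
    The client's list is walked in order to model its preference."""
    service = set(newest_kvno_keys(service_keys))
    for enctype in client_request:
        if enctype in permitted and enctype in service:
            return enctype
    return None   # no common enctype: the KDC cannot issue the ticket


# Constructed service principal whose newest kvno still lists a
# triple-DES key first, as a realm created long ago might.
SERVICE_KEYS = {
    2: ["des-cbc-crc"],
    3: ["des3-cbc-sha1", "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96"],
}
# Constructed client request, strongest enctype first.
CLIENT_REQUEST = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                  "des3-cbc-sha1"]
```

With ``DEFAULT`` the ticket is still encrypted under the leading ``des3-cbc-sha1`` key; with ``DEFAULT -des3 -rc4`` that key is ignored and the AES key is used, which is the effect the migration text describes.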
.. krb5-1.19.2/doc/admin/host_config.rst

Host configuration
==================

All hosts running Kerberos software, whether they are clients,
application servers, or KDCs, can be configured using
:ref:`krb5.conf(5)`.  Here we describe some of the behavior changes
you might want to make.


Default realm
-------------

In the :ref:`libdefaults` section, the **default_realm** realm
relation sets the default Kerberos realm.  For example::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU

The default realm affects Kerberos behavior in the following ways:

* When a principal name is parsed from text, the default realm is
  used if no ``@REALM`` component is specified.

* The default realm affects login authorization as described below.

* For programs which operate on a Kerberos database, the default
  realm is used to determine which database to operate on, unless the
  **-r** parameter is given to specify a realm.

* A server program may use the default realm when looking up its key
  in a :ref:`keytab file `, if its realm is not determined by
  :ref:`domain_realm` configuration or by the server program itself.

* If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous
  tickets from the default realm.

In some situations, these uses of the default realm might conflict.
For example, it might be desirable for principal name parsing to use
one realm by default, but for login authorization to use a second
realm.  In this situation, the first realm can be configured as the
default realm, and **auth_to_local** relations can be used as
described below to use the second realm for login authorization.

.. _login_authorization:

Login authorization
-------------------

If a host runs a Kerberos-enabled login service such as OpenSSH with
GSSAPIAuthentication enabled, login authorization rules determine
whether a Kerberos principal is allowed to access a local account.
By default, a Kerberos principal is allowed access to an account if
its realm matches the default realm and its name matches the account
name.  (For historical reasons, access is also granted by default if
the name has two components and the second component matches the
default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU``
is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is
the default realm.)

The simplest way to control local access is using :ref:`.k5login(5)`
files.  To use these, place a ``.k5login`` file in the home directory
of each account listing the principal names which should have login
access to that account.  If it is not desirable to use ``.k5login``
files located in account home directories, the **k5login_directory**
relation in the :ref:`libdefaults` section can specify a directory
containing one file per account name.

By default, if a ``.k5login`` file is present, it controls
authorization both positively and negatively: any principal name
contained in the file is granted access and any other principal name
is denied access, even if it would have had access if the
``.k5login`` file didn't exist.  The **k5login_authoritative**
relation in the :ref:`libdefaults` section can be set to false to
make ``.k5login`` files provide positive authorization only.

The **auth_to_local** relation in the :ref:`realms` section for the
default realm can specify pattern-matching rules to control login
authorization.  For example, the following configuration allows
access to principals from a different realm than the default realm::

    [realms]
        DEFAULT.REALM = {
            # Allow access to principals from OTHER.REALM.
            #
            # [1:$1@$0] matches single-component principal names and creates
            # a selection string containing the principal name and realm.
            #
            # (.*@OTHER\.REALM) matches against the selection string, so that
            # only principals in OTHER.REALM are matched.
            #
            # s/@OTHER\.REALM$// removes the realm name, leaving behind the
            # principal name as the account name.
            auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//

            # Also allow principals from the default realm.  Omit this line
            # to only allow access to principals in OTHER.REALM.
            auth_to_local = DEFAULT
        }

The **auth_to_local_names** subsection of the :ref:`realms` section
for the default realm can specify explicit mappings from principal
names to local accounts.  The key used in this subsection is the
principal name without realm, so it is only safe to use in a Kerberos
environment with a single realm or a tightly controlled set of realms.
An example use of **auth_to_local_names** might be::

    [realms]
        ATHENA.MIT.EDU = {
            auth_to_local_names = {
                # Careful, these match principals in any realm!
                host/example.com = hostaccount
                fred = localfred
            }
        }

Local authorization behavior can also be modified using plugin
modules; see :ref:`hostrealm_plugin` for details.

.. _plugin_config:

Plugin module configuration
---------------------------

Many aspects of Kerberos behavior, such as client preauthentication
and KDC service location, can be modified through the use of plugin
modules.  For most of these behaviors, you can use the :ref:`plugins`
section of krb5.conf to register third-party modules, and to switch
off registered or built-in modules.

A plugin module takes the form of a Unix shared object
(``modname.so``) or Windows DLL (``modname.dll``).  If you have
installed a third-party plugin module and want to register it, you do
so using the **module** relation in the appropriate subsection of the
[plugins] section.  The value for **module** must give the module
name and the path to the module, separated by a colon.  The module
name will often be the same as the shared object's name, but in
unusual cases (such as a shared object which implements multiple
modules for the same interface) it might not be.
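Returning to the login authorization rules in the previous section: the default mapping, ``RULE:`` values of the form ``[n:string](regexp)s/pattern/replacement/`` and ``DEFAULT``, as an added example evaluator that is not krb5 code.  Assumptions made here: the regular expression has to match the whole selection string, patterns use Python ``re`` syntax, ``/`` is not escaped inside ``s///``, and the first rule that produces a name wins.

```python
import re


def parse_principal(text):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: " + text)
    return name.split("/"), realm


def split_rule(rule):
    """Break 'RULE:[n:string](regexp)s/pat/repl/g...' into its parts.  The
    regexp is located by counting brackets, so it may contain parentheses."""
    if not rule.startswith("RULE:[") or "]" not in rule:
        raise ValueError("malformed auth_to_local rule: " + rule)
    end = rule.index("]")
    count, _, fmt = rule[6:end].partition(":")
    rest = rule[end + 1:]
    regexp = None
    if rest.startswith("("):
        depth = 0
        for i, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                regexp, rest = rest[1:i], rest[i + 1:]
                break
        else:
            raise ValueError("unbalanced parentheses in rule: " + rule)
    subs = []
    while rest.startswith("s/"):
        parts = rest[2:].split("/", 2)        # pattern, replacement, rest
        if len(parts) != 3:
            raise ValueError("malformed substitution in rule: " + rule)
        pattern, repl, rest = parts
        glob = rest.startswith("g")           # sed-style global flag
        if glob:
            rest = rest[1:]
        subs.append((pattern, repl, glob))
    if rest:
        raise ValueError("trailing text in rule: " + rule)
    return int(count), fmt, regexp, subs


def apply_rule(rule, components, realm):
    """Evaluate one RULE: against a parsed principal; None if it does not apply."""
    count, fmt, regexp, subs = split_rule(rule)
    if count != len(components):
        return None                  # [n:...] only applies to n components

    def expand(match):               # $0 is the realm, $1..$n the components
        idx = int(match.group(1))
        if idx == 0:
            return realm
        if idx > len(components):
            raise ValueError("rule references $%d, principal has %d components"
                             % (idx, len(components)))
        return components[idx - 1]

    selection = re.sub(r"\$(\d+)", expand, fmt)
    if regexp is not None and re.fullmatch(regexp, selection) is None:
        return None                  # whole-string match (assumption)
    for pattern, repl, glob in subs:
        selection = re.sub(pattern, repl, selection, count=0 if glob else 1)
    return selection


def default_mapping(components, realm, default_realm):
    """The built-in DEFAULT rule: name@DEFAULT_REALM maps to name, as does
    the historical two-component form name/DEFAULT_REALM@DEFAULT_REALM."""
    if realm != default_realm:
        return None
    if len(components) == 1:
        return components[0]
    if len(components) == 2 and components[1] == default_realm:
        return components[0]
    return None


def auth_to_local(rules, principal, default_realm):
    """Map a principal to a local account name using the auth_to_local
    values in order; the first rule that yields a name wins."""
    components, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            local = default_mapping(components, realm, default_realm)
        else:
            local = apply_rule(rule, components, realm)
        if local is not None:
            return local
    return None                      # no rule matched: access denied


# The two auth_to_local lines from the configuration example above.
EXAMPLE_RULES = [
    r"RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//",
    "DEFAULT",
]
```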
To register a client preauthentication module named ``mypreauth``
installed at ``/path/to/mypreauth.so``, for example, you could
write::

    [plugins]
        clpreauth = {
            module = mypreauth:/path/to/mypreauth.so
        }

Many of the pluggable behaviors in MIT krb5 contain built-in modules
which can be switched off.  You can disable a built-in module (or one
you have registered) using the **disable** directive in the
appropriate subsection of the [plugins] section.  For example, to
disable the use of .k5identity files to select credential caches, you
could write::

    [plugins]
        ccselect = {
            disable = k5identity
        }

If you want to disable multiple modules, specify the **disable**
directive multiple times, giving one module to disable each time.

Alternatively, you can explicitly specify which modules you want to
be enabled for that behavior using the **enable_only** directive.
For example, to make :ref:`kadmind(8)` check password quality using
only a module you have registered, and no other mechanism, you could
write::

    [plugins]
        pwqual = {
            module = mymodule:/path/to/mymodule.so
            enable_only = mymodule
        }

Again, if you want to specify multiple modules, specify the
**enable_only** directive multiple times, giving one module to enable
each time.

Some Kerberos interfaces use different mechanisms to register plugin
modules.

KDC location modules
~~~~~~~~~~~~~~~~~~~~

For historical reasons, modules to control how KDC servers are located
are registered simply by placing the shared object or DLL into the
"libkrb5" subdirectory of the krb5 plugin directory, which defaults to
|libdir|\ ``/krb5/plugins``.  For example, Samba's winbind krb5
locator plugin would be registered by placing its shared object in
|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``.

.. _gssapi_plugin_config:

GSSAPI mechanism modules
~~~~~~~~~~~~~~~~~~~~~~~~

GSSAPI mechanism modules are registered using the file
|sysconfdir|\ ``/gss/mech`` or configuration files in the
|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf`` suffix.  Each
line in these files has the form::

    name  oid  pathname  [options]

Only the name, oid, and pathname are required.  *name* is the
mechanism name, which may be used for debugging or logging purposes.
*oid* is the object identifier of the GSSAPI mechanism to be
registered.  *pathname* is a path to the module shared object or DLL.
*options* (if present) are options provided to the plugin module,
surrounded in square brackets.  *type* (if present) can be used to
indicate a special type of module.  Currently the only special module
type is "interposer", for a module designed to intercept calls to
other mechanisms.

If the environment variable **GSS_MECH_CONFIG** is set, its value is
used as the sole mechanism configuration filename.

.. _profile_plugin_config:

Configuration profile modules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A configuration profile module replaces the information source for
:ref:`krb5.conf(5)` itself.  To use a profile module, begin krb5.conf
with the line::

    module PATHNAME:STRING

where *PATHNAME* is a path to the module shared object or DLL, and
*STRING* is a string to provide to the module.  The module will then
take over, and the rest of krb5.conf will be ignored.

.. krb5-1.19.2/doc/appdev/princ_handle.rst

Principal manipulation and parsing
==================================

Kerberos principal structure

..

:c:type:`krb5_principal_data`

:c:type:`krb5_principal`

..

Create and free principal

..

:c:func:`krb5_build_principal()`

:c:func:`krb5_build_principal_alloc_va()`

:c:func:`krb5_build_principal_ext()`

:c:func:`krb5_copy_principal()`

:c:func:`krb5_free_principal()`

:c:func:`krb5_cc_get_principal()`

..

Comparing

..

:c:func:`krb5_principal_compare()`

:c:func:`krb5_principal_compare_flags()`

:c:func:`krb5_principal_compare_any_realm()`

:c:func:`krb5_sname_match()`

:c:func:`krb5_sname_to_principal()`

..

Parsing:

..

:c:func:`krb5_parse_name()`

:c:func:`krb5_parse_name_flags()`

:c:func:`krb5_unparse_name()`

:c:func:`krb5_unparse_name_flags()`

..

Utilities:

..

:c:func:`krb5_is_config_principal()`

:c:func:`krb5_kuserok()`

:c:func:`krb5_set_password()`

:c:func:`krb5_set_password_using_ccache()`

:c:func:`krb5_set_principal_realm()`

:c:func:`krb5_realm_compare()`

..

.. krb5-1.19.2/doc/appdev/gssapi.rst

Developing with GSSAPI
======================

The GSSAPI (Generic Security Services API) allows applications to
communicate securely using Kerberos 5 or other security mechanisms.
We recommend using the GSSAPI (or a higher-level framework which
encompasses GSSAPI, such as SASL) for secure network communication
over using the libkrb5 API directly.

GSSAPIv2 is specified in :rfc:`2743` and :rfc:`2744`.  Also see
:rfc:`7546` for a description of how to use the GSSAPI in a client or
server program.

This documentation will describe how various ways of using the GSSAPI
will behave with the krb5 mechanism as implemented in MIT krb5, as
well as krb5-specific extensions to the GSSAPI.

Name types
----------

A GSSAPI application can name a local or remote entity by calling
gss_import_name_, specifying a name type and a value.  The following
name types are supported by the krb5 mechanism:

* **GSS_C_NT_HOSTBASED_SERVICE**: The value should be a string of the
  form ``service`` or ``service@hostname``.
  This is the most common way to name target services when initiating
  a security context, and is the most likely name type to work across
  multiple mechanisms.

* **GSS_KRB5_NT_PRINCIPAL_NAME**: The value should be a principal name
  string.  This name type only works with the krb5 mechanism, and is
  defined in the ``<gssapi/gssapi_krb5.h>`` header.

* **GSS_C_NT_USER_NAME** or **GSS_C_NULL_OID**: The value is treated
  as an unparsed principal name string, as above.  These name types
  may work with mechanisms other than krb5, but will have different
  interpretations in those mechanisms.  **GSS_C_NT_USER_NAME** is
  intended to be used with a local username, which will parse into a
  single-component principal in the default realm.

* **GSS_C_NT_ANONYMOUS**: The value is ignored.  The anonymous
  principal is used, allowing a client to authenticate to a server
  without asserting a particular identity (which may or may not be
  allowed by a particular server or Kerberos realm).

* **GSS_C_NT_MACHINE_UID_NAME**: The value is a uid_t object.  On
  Unix-like systems, the username of the uid is looked up in the
  system user database and the resulting username is parsed as a
  principal name.

* **GSS_C_NT_STRING_UID_NAME**: As above, but the value is a decimal
  string representation of the uid.

* **GSS_C_NT_EXPORT_NAME**: The value must be the result of a
  gss_export_name_ call.

* **GSS_KRB5_NT_ENTERPRISE_NAME**: The value should be a krb5
  enterprise name string (see :rfc:`6806` section 5), in the form
  ``user@suffix``.  This name type is used to convey alias names, and
  is defined in the ``<gssapi/gssapi_krb5.h>`` header.  (New in
  release 1.17.)

* **GSS_KRB5_NT_X509_CERT**: The value should be an X.509 certificate
  encoded according to :rfc:`5280`.  This name form can be used for
  the desired_name parameter of gss_acquire_cred_impersonate_name(),
  to identify the S4U2Self user by certificate.  (New in release
  1.19.)

Initiator credentials
---------------------

A GSSAPI client application uses gss_init_sec_context_ to establish a
security context.
The *initiator_cred_handle* parameter determines what tickets are used
to establish the connection.  An application can either pass
**GSS_C_NO_CREDENTIAL** to use the default client credential, or it
can use gss_acquire_cred_ beforehand to acquire an initiator
credential.  The call to gss_acquire_cred_ may include a
*desired_name* parameter, or it may pass **GSS_C_NO_NAME** if it does
not have a specific name preference.

If the desired name for a krb5 initiator credential is a host-based
name, it is converted to a principal name of the form
``service/hostname`` in the local realm, where *hostname* is the local
hostname if not specified.  The hostname will be canonicalized using
forward name resolution, and possibly also using reverse name
resolution depending on the value of the **rdns** variable in
:ref:`libdefaults`.

If a desired name is specified in the call to gss_acquire_cred_, the
krb5 mechanism will attempt to find existing tickets for that client
principal name in the default credential cache or collection.  If the
default cache type does not support a collection, and the default
cache contains credentials for a different principal than the desired
name, a **GSS_S_CRED_UNAVAIL** error will be returned with a minor
code indicating a mismatch.  If no existing tickets are available for
the desired name, but the name has an entry in the default client
:ref:`keytab_definition`, the krb5 mechanism will acquire initial
tickets for the name using the default client keytab.

If no desired name is specified, credential acquisition will be
deferred until the credential is used in a call to
gss_init_sec_context_ or gss_inquire_cred_.  If the call is to
gss_init_sec_context_, the target name will be used to choose a client
principal name using the credential cache selection facility.  (This
facility might, for instance, try to choose existing tickets for a
client principal in the same realm as the target service).
If there are no existing tickets for the chosen principal, but it is
present in the default client keytab, the krb5 mechanism will acquire
initial tickets using the keytab.

If the target name cannot be used to select a client principal
(because the credentials are used in a call to gss_inquire_cred_), or
if the credential cache selection facility cannot choose a principal
for it, the default credential cache will be selected if it exists and
contains tickets.  If the default credential cache does not exist, but
the default client keytab does, the krb5 mechanism will try to acquire
initial tickets for the first principal in the default client keytab.

If the krb5 mechanism acquires initial tickets using the default
client keytab, the resulting tickets will be stored in the default
cache or collection, and will be refreshed by future calls to
gss_acquire_cred_ as they approach their expiration time.

Acceptor names
--------------

A GSSAPI server application uses gss_accept_sec_context_ to establish
a security context based on tokens provided by the client.  The
*acceptor_cred_handle* parameter determines what
:ref:`keytab_definition` entries may be authenticated to by the
client, if the krb5 mechanism is used.

The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor
credential.  In this case, clients may authenticate to any service
principal in the default keytab (typically |keytab|, or the value of
the **KRB5_KTNAME** environ variable).  This is the recommended
approach if the server application has no specific requirements to
the contrary.

A server may acquire an acceptor credential with gss_acquire_cred_ and
a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**.  If the
*desired_name* parameter is **GSS_C_NO_NAME**, then clients will be
allowed to authenticate to any service principal in the default
keytab, just as if no acceptor credential was supplied.
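To make the keytab-matching rules of this section concrete, here is an added stand-alone C example.  It is not MIT krb5 code and calls no library function; it models two behaviours this document describes: how a principal string is split into components and realm in the manner of :c:func:`krb5_parse_name` (which is what the **GSS_KRB5_NT_PRINCIPAL_NAME** and **GSS_C_NT_USER_NAME** name types above, and the parsing functions listed for princ_handle, rely on), and which keytab entries a krb5 acceptor credential accepts for a given *desired_name*: every entry for **GSS_C_NO_NAME**; any ``service/hostname@REALM`` for a host-based ``service``, with the hostname compared only when one is given and never when **ignore_acceptor_hostname** is set (the host-based rules are spelled out in the paragraph that follows); and exactly one principal for a principal name.  The fixed buffer sizes, the helper names ``parse_principal`` and ``acceptor_accepts``, the constructed keytab entry, and the default realm passed in by the caller are assumptions for illustration; hostnames are assumed to be already canonicalized, which the library does by name resolution before it matches.

```c
/* Added example, not MIT krb5 code: a stand-alone model of krb5_parse_name()
 * style principal splitting and of the krb5 mechanism's acceptor-name matching
 * described in this section.  Buffer sizes, helper names and the caller-supplied
 * default realm are assumptions made for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_COMPS 8
#define MAX_LEN   256

typedef struct { int ncomps; char comp[MAX_COMPS][MAX_LEN]; char realm[MAX_LEN]; } principal;

/* Split "comp1/comp2@REALM": an unescaped '/' separates components, the first
 * unescaped '@' starts the realm, and a backslash escapes the next character
 * (\n \t \b decode as in krb5_parse_name; \/ \@ \\ are literal).  So
 * "bob\@corp@EXAMPLE.COM" is the single component "bob@corp", and "@REALM" is
 * one empty component (the anonymous request form).  A missing realm takes
 * default_realm; NULL there means a realm is required.  0 on success, -1 if
 * malformed. */
static int parse_principal(const char *s, const char *default_realm, principal *p)
{
    char *out = p->comp[0];
    size_t n = 0;
    int in_realm = 0;

    memset(p, 0, sizeof(*p));
    p->ncomps = 1;
    for (; *s != '\0'; s++) {
        char c = *s;
        if (c == '\\') {
            if (*++s == '\0' || *s == '0')  /* dangling escape; \0 needs a counted string */
                return -1;
            c = (*s == 'n') ? '\n' : (*s == 't') ? '\t' : (*s == 'b') ? '\b' : *s;
        } else if (c == '@' || (c == '/' && !in_realm)) {
            if (c == '@' ? in_realm : p->ncomps == MAX_COMPS)
                return -1;                  /* second unescaped '@', or too many components */
            out = (c == '@') ? p->realm : p->comp[p->ncomps++];
            in_realm |= (c == '@');
            n = 0;
            continue;
        }
        if (n + 1 >= MAX_LEN)
            return -1;
        out[n++] = c;
        out[n] = '\0';
    }
    if (in_realm)
        return 0;
    if (default_realm == NULL)
        return -1;
    strncpy(p->realm, default_realm, MAX_LEN - 1);
    return 0;
}

static int principal_equal(const principal *a, const principal *b)
{
    if (a->ncomps != b->ncomps || strcmp(a->realm, b->realm) != 0)
        return 0;
    for (int i = 0; i < a->ncomps; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* Would a client ticket for keytab_princ be accepted?  desired is NULL for
 * GSS_C_NO_NAME (any keytab entry), "service" or "service@hostname" when
 * hostbased is nonzero (hostname assumed already canonicalized), or a
 * principal name otherwise.  Returns 1 if accepted, 0 if not. */
static int acceptor_accepts(const char *desired, int hostbased, int ignore_acceptor_hostname,
                            const char *default_realm, const char *keytab_princ)
{
    principal kt, want;
    const char *at;
    size_t svclen;

    if (desired == NULL)
        return 1;
    if (parse_principal(keytab_princ, default_realm, &kt) != 0)
        return 0;
    if (!hostbased)                         /* principal name: exact match, realm included */
        return parse_principal(desired, default_realm, &want) == 0 &&
               principal_equal(&want, &kt);
    /* Host-based: only service/hostname entries qualify, the realm is not
     * checked, and the hostname is compared only when one was given. */
    at = strchr(desired, '@');
    svclen = (at != NULL) ? (size_t)(at - desired) : strlen(desired);
    if (kt.ncomps != 2 || strlen(kt.comp[0]) != svclen ||
        strncmp(kt.comp[0], desired, svclen) != 0)
        return 0;
    if (at == NULL || at[1] == '\0' || ignore_acceptor_hostname)
        return 1;
    return strcmp(kt.comp[1], at + 1) == 0;
}

int main(void)
{
    const char *kt = "host/www.example.com@EXAMPLE.COM";  /* constructed keytab entry */
    printf("service-only %d, other host %d, ignore_acceptor_hostname %d\n",
           acceptor_accepts("host", 1, 0, "EXAMPLE.COM", kt),
           acceptor_accepts("host@other.example.com", 1, 0, "EXAMPLE.COM", kt),
           acceptor_accepts("host@other.example.com", 1, 1, "EXAMPLE.COM", kt));
    return 0;
}
```

The practical consequence of the host-based rule is visible in the output: a *desired_name* of just ``host`` accepts a ticket for any host's key present in the keytab, so a service whose keytab also holds other hosts' keys should pass a full ``service@hostname`` or a principal name if it must not accept tickets issued for those other hosts.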
If a server wishes to specify a *desired_name* to gss_acquire_cred_,
the most common choice is a host-based name.  If the host-based
*desired_name* contains just a *service*, then clients will be allowed
to authenticate to any host-based service principal (that is, a
principal of the form ``service/hostname@REALM``) for the named
service, regardless of hostname or realm, as long as it is present in
the default keytab.  If the input name contains both a *service* and a
*hostname*, clients will be allowed to authenticate to any host-based
principal for the named service and hostname, regardless of realm.

.. note::

    If a *hostname* is specified, it will be canonicalized using
    forward name resolution, and possibly also using reverse name
    resolution depending on the value of the **rdns** variable in
    :ref:`libdefaults`.

.. note::

    If the **ignore_acceptor_hostname** variable in :ref:`libdefaults`
    is enabled, then *hostname* will be ignored even if one is
    specified in the input name.

.. note::

    In MIT krb5 versions prior to 1.10, and in Heimdal's
    implementation of the krb5 mechanism, an input name with just a
    *service* is treated like an input name of
    ``service@localhostname``, where *localhostname* is the string
    returned by gethostname().

If the *desired_name* is a krb5 principal name or a local system name
type which is mapped to a krb5 principal name, clients will only be
allowed to authenticate to that principal in the default keytab.

Name Attributes
---------------

In release 1.8 or later, the gss_inquire_name_ and
gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be
used to retrieve name attributes from the *src_name* returned by
gss_accept_sec_context_.  The following attributes are defined when
the krb5 mechanism is used:

.. _gssapi_authind_attr:

* "auth-indicators" attribute: This attribute will be included in the
  gss_inquire_name_ output if the ticket contains
  :ref:`authentication indicators <auth_indicator>`.
  One indicator is returned per invocation of gss_get_name_attribute_,
  so multiple invocations may be necessary to retrieve all of the
  indicators from the ticket.  (New in release 1.15.)

Credential store extensions
---------------------------

Beginning with release 1.11, the following GSSAPI extensions declared
in ``<gssapi/gssapi_ext.h>`` can be used to specify how credentials
are acquired or stored::

    struct gss_key_value_element_struct {
        const char *key;
        const char *value;
    };
    typedef struct gss_key_value_element_struct gss_key_value_element_desc;

    struct gss_key_value_set_struct {
        OM_uint32 count;
        gss_key_value_element_desc *elements;
    };
    typedef struct gss_key_value_set_struct gss_key_value_set_desc;
    typedef const gss_key_value_set_desc *gss_const_key_value_set_t;

    OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status,
                                    const gss_name_t desired_name,
                                    OM_uint32 time_req,
                                    const gss_OID_set desired_mechs,
                                    gss_cred_usage_t cred_usage,
                                    gss_const_key_value_set_t cred_store,
                                    gss_cred_id_t *output_cred_handle,
                                    gss_OID_set *actual_mechs,
                                    OM_uint32 *time_rec);

    OM_uint32 gss_store_cred_into(OM_uint32 *minor_status,
                                  gss_cred_id_t input_cred_handle,
                                  gss_cred_usage_t cred_usage,
                                  const gss_OID desired_mech,
                                  OM_uint32 overwrite_cred,
                                  OM_uint32 default_cred,
                                  gss_const_key_value_set_t cred_store,
                                  gss_OID_set *elements_stored,
                                  gss_cred_usage_t *cred_usage_stored);

The additional *cred_store* parameter allows the caller to specify
information about how the credentials should be obtained and stored.
The following options are supported by the krb5 mechanism:

* **ccache**: For acquiring initiator credentials, the name of the
  :ref:`credential cache <ccache_definition>` to which the handle will
  refer.  For storing credentials, the name of the cache where the
  credentials should be stored.  If a collection name is given, the
  primary cache of the collection will be used; this behavior may
  change in future releases to select a cache from the collection.
* **client_keytab**: For acquiring initiator credentials, the name of
  the :ref:`keytab <keytab_definition>` which will be used, if
  necessary, to refresh the credentials in the cache.

* **keytab**: For acquiring acceptor credentials, the name of the
  :ref:`keytab <keytab_definition>` to which the handle will refer.
  In release 1.19 and later, this option also determines the keytab to
  be used for verification when initiator credentials are acquired
  using a password and verified.

* **password**: For acquiring initiator credentials, this option
  instructs the mechanism to acquire fresh credentials into a unique
  memory credential cache.  This option may not be used with the
  **ccache** or **client_keytab** options, and a *desired_name* must
  be specified.  (New in release 1.19.)

* **rcache**: For acquiring acceptor credentials, the name of the
  :ref:`replay cache <rcache_definition>` to be used when processing
  the initiator tokens.  (New in release 1.13.)

* **verify**: For acquiring initiator credentials, this option
  instructs the mechanism to verify the credentials by obtaining a
  ticket to a service with a known key.  The service key is obtained
  from the keytab specified with the **keytab** option or the default
  keytab.  The value may be the name of a principal in the keytab, or
  the empty string.  If the empty string is given, any ``host``
  service principal in the keytab may be used.  (New in release 1.19.)

Importing and exporting credentials
-----------------------------------

The following GSSAPI extensions can be used to import and export
credentials (declared in ``<gssapi/gssapi_ext.h>``)::

    OM_uint32 gss_export_cred(OM_uint32 *minor_status,
                              gss_cred_id_t cred_handle,
                              gss_buffer_t token);

    OM_uint32 gss_import_cred(OM_uint32 *minor_status,
                              gss_buffer_t token,
                              gss_cred_id_t *cred_handle);

The first function serializes a GSSAPI credential handle into a
buffer; the second unserializes a buffer into a GSSAPI credential
handle.  Serializing a credential does not destroy it.
If any of the mechanisms used in *cred_handle* do not support
serialization, gss_export_cred will return **GSS_S_UNAVAILABLE**.

As with other GSSAPI serialization functions, these extensions are
only intended to work with a matching implementation on the other
side; they do not serialize credentials in a standardized format.

A serialized credential may contain secret information such as ticket
session keys.  The serialization format does not protect this
information from eavesdropping or tampering.  The calling application
must take care to protect the serialized credential when communicating
it over an insecure channel or to an untrusted party.

A krb5 GSSAPI credential may contain references to a credential cache,
a client keytab, an acceptor keytab, and a replay cache.  These
resources are normally serialized as references to their external
locations (such as the filename of the credential cache).  Because of
this, a serialized krb5 credential can only be imported by a process
with similar privileges to the exporter.  A serialized credential
should not be trusted if it originates from a source with lower
privileges than the importer, as it may contain references to external
credential cache, keytab, or replay cache resources not accessible to
the originator.

An exception to the above rule applies when a krb5 GSSAPI credential
refers to a memory credential cache, as is normally the case for
delegated credentials received by gss_accept_sec_context_.  In this
case, the contents of the credential cache are serialized, so that the
resulting token may be imported even if the original memory credential
cache no longer exists.

Constrained delegation (S4U)
----------------------------

The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions
allow an intermediate service to acquire credentials from a client to
a target service without requiring the client to delegate a
ticket-granting ticket, if the KDC is configured to allow it.
To perform a constrained delegation operation, the intermediate
service must submit to the KDC an "evidence ticket" from the client to
the intermediate service.  An evidence ticket can be acquired when the
client authenticates to the intermediate service with Kerberos, or
with an S4U2Self request if the KDC allows it.  The MIT krb5 GSSAPI
library represents an evidence ticket using a "proxy credential",
which is a special kind of gss_cred_id_t object whose underlying
credential cache contains the evidence ticket and a krbtgt ticket for
the intermediate service.

To acquire a proxy credential during client authentication, the
service should first create an acceptor credential using the
**GSS_C_BOTH** usage.  The application should then pass this
credential as the *acceptor_cred_handle* to gss_accept_sec_context_,
and also pass a *delegated_cred_handle* output parameter to receive a
proxy credential containing the evidence ticket.  The output value of
*delegated_cred_handle* may be a delegated ticket-granting ticket if
the client sent one, or a proxy credential if not.  If the library can
determine that the client's ticket is not a valid evidence ticket, it
will place **GSS_C_NO_CREDENTIAL** in *delegated_cred_handle*.

To acquire a proxy credential using an S4U2Self request, the service
can use the following GSSAPI extension::

    OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
                                                gss_cred_id_t icred,
                                                gss_name_t desired_name,
                                                OM_uint32 time_req,
                                                gss_OID_set desired_mechs,
                                                gss_cred_usage_t cred_usage,
                                                gss_cred_id_t *output_cred,
                                                gss_OID_set *actual_mechs,
                                                OM_uint32 *time_rec);

The parameters to this function are similar to those of
gss_acquire_cred_, except that *icred* is used to make an S4U2Self
request to the KDC for a ticket from *desired_name* to the
intermediate service.  Both *icred* and *desired_name* are required
for this function; passing **GSS_C_NO_CREDENTIAL** or
**GSS_C_NO_NAME** will cause the call to fail.
*icred* must contain a krbtgt ticket for the intermediate service.
The result of this operation is a proxy credential.  (Prior to release
1.18, the result of this operation may be a regular credential for
*desired_name*, if the KDC issues a non-forwardable ticket.)

Once the intermediate service has a proxy credential, it can simply
pass it to gss_init_sec_context_ as the *initiator_cred_handle*
parameter, and the desired service as the *target_name* parameter.
The GSSAPI library will present the krbtgt ticket and evidence ticket
in the proxy credential to the KDC in an S4U2Proxy request; if the
intermediate service has the appropriate permissions, the KDC will
issue a ticket from the client to the target service.  The GSSAPI
library will then use this ticket to authenticate to the target
service.

If an application needs to find out whether a credential it holds is a
proxy credential and the name of the intermediate service, it can
query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID
(new in release 1.16, declared in ``<gssapi/gssapi_krb5.h>``) using
the gss_inquire_cred_by_oid extension (declared in
``<gssapi/gssapi_ext.h>``)::

    OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status,
                                      const gss_cred_id_t cred_handle,
                                      gss_OID desired_object,
                                      gss_buffer_set_t *data_set);

If the call succeeds and *cred_handle* is a proxy credential,
*data_set* will be set to a single-element buffer set containing the
unparsed principal name of the intermediate service.  If *cred_handle*
is not a proxy credential, *data_set* will be set to an empty buffer
set.  If the library does not support the query,
gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**.
AEAD message wrapping
---------------------

The following GSSAPI extensions (declared in
``<gssapi/gssapi_ext.h>``) can be used to wrap and unwrap messages
with additional "associated data" which is integrity-checked but is
not included in the output buffer::

    OM_uint32 gss_wrap_aead(OM_uint32 *minor_status,
                            gss_ctx_id_t context_handle,
                            int conf_req_flag, gss_qop_t qop_req,
                            gss_buffer_t input_assoc_buffer,
                            gss_buffer_t input_payload_buffer,
                            int *conf_state,
                            gss_buffer_t output_message_buffer);

    OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status,
                              gss_ctx_id_t context_handle,
                              gss_buffer_t input_message_buffer,
                              gss_buffer_t input_assoc_buffer,
                              gss_buffer_t output_payload_buffer,
                              int *conf_state,
                              gss_qop_t *qop_state);

Wrap tokens created with gss_wrap_aead will successfully unwrap only
if the same *input_assoc_buffer* contents are presented to
gss_unwrap_aead.

IOV message wrapping
--------------------

The following extensions (declared in ``<gssapi/gssapi_ext.h>``) can
be used for in-place encryption, fine-grained control over wrap token
layout, and for constructing wrap tokens compatible with Microsoft DCE
RPC::

    typedef struct gss_iov_buffer_desc_struct {
        OM_uint32 type;
        gss_buffer_desc buffer;
    } gss_iov_buffer_desc, *gss_iov_buffer_t;

    OM_uint32 gss_wrap_iov(OM_uint32 *minor_status,
                           gss_ctx_id_t context_handle,
                           int conf_req_flag, gss_qop_t qop_req,
                           int *conf_state,
                           gss_iov_buffer_desc *iov, int iov_count);

    OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status,
                             gss_ctx_id_t context_handle,
                             int *conf_state, gss_qop_t *qop_state,
                             gss_iov_buffer_desc *iov, int iov_count);

    OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status,
                                  gss_ctx_id_t context_handle,
                                  int conf_req_flag,
                                  gss_qop_t qop_req, int *conf_state,
                                  gss_iov_buffer_desc *iov,
                                  int iov_count);

    OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status,
                                     gss_iov_buffer_desc *iov,
                                     int iov_count);

The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc
structures, each containing a type and a gss_buffer_desc structure.
Valid types include:

* **GSS_IOV_BUFFER_TYPE_DATA**: A data buffer to be included in the
  token, and to be encrypted or decrypted in-place if the token is
  confidentiality-protected.

* **GSS_IOV_BUFFER_TYPE_HEADER**: The GSSAPI wrap token header and
  underlying cryptographic header.

* **GSS_IOV_BUFFER_TYPE_TRAILER**: The cryptographic trailer, if one
  is required.

* **GSS_IOV_BUFFER_TYPE_PADDING**: Padding to be combined with the
  data during encryption and decryption.  (The implementation may
  choose to place padding in the trailer buffer, in which case it will
  set the padding buffer length to 0.)

* **GSS_IOV_BUFFER_TYPE_STREAM**: For unwrapping only, a buffer
  containing a complete wrap token in standard format to be unwrapped.

* **GSS_IOV_BUFFER_TYPE_SIGN_ONLY**: A buffer to be included in the
  token's integrity protection checksum, but not to be encrypted or
  included in the token itself.

For gss_wrap_iov, the IOV list should contain one HEADER buffer,
followed by zero or more SIGN_ONLY buffers, followed by one or more
DATA buffers, followed by a TRAILER buffer.  The memory pointed to by
the buffers is not required to be contiguous or in any particular
order.  If *conf_req_flag* is true, DATA buffers will be encrypted
in-place, while SIGN_ONLY buffers will not be modified.

The type of an output buffer may be combined with
**GSS_IOV_BUFFER_FLAG_ALLOCATE** to request that gss_wrap_iov allocate
the buffer contents.  If gss_wrap_iov allocates a buffer, it sets the
**GSS_IOV_BUFFER_FLAG_ALLOCATED** flag on the buffer type.
gss_release_iov_buffer can be used to release all allocated buffers
within an iov list and unset their allocated flags.
Here is an example of how gss_wrap_iov can be used with allocation
requested (*ctx* is assumed to be a previously established
gss_ctx_id_t)::

    OM_uint32 major, minor;
    gss_iov_buffer_desc iov[4];
    char str[] = "message";

    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[1].buffer.value = str;
    iov[1].buffer.length = strlen(str);
    iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
    iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;

    major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
                         iov, 4);
    if (GSS_ERROR(major))
        handle_error(major, minor);

    /* Transmit or otherwise use resulting buffers. */

    (void)gss_release_iov_buffer(&minor, iov, 4);

If the caller does not choose to request buffer allocation by
gss_wrap_iov, it should first call gss_wrap_iov_length to query the
lengths of the HEADER, PADDING, and TRAILER buffers.  DATA buffers
must be provided in the iov list so that padding length can be
computed correctly, but the output buffers need not be initialized.
Here is an example of using gss_wrap_iov_length and gss_wrap_iov::

    OM_uint32 major, minor;
    gss_iov_buffer_desc iov[4];
    char str[1024] = "message", *ptr;

    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[1].buffer.value = str;
    iov[1].buffer.length = strlen(str);
    iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING;
    iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER;

    major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT,
                                NULL, iov, 4);
    if (GSS_ERROR(major))
        handle_error(major, minor);
    if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length +
        iov[3].buffer.length > sizeof(str))
        handle_out_of_space_error();
    ptr = str + strlen(str);
    iov[0].buffer.value = ptr;
    ptr += iov[0].buffer.length;
    iov[2].buffer.value = ptr;
    ptr += iov[2].buffer.length;
    iov[3].buffer.value = ptr;

    major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
                         iov, 4);
    if (GSS_ERROR(major))
        handle_error(major, minor);

If the context was established using the **GSS_C_DCE_STYLE** flag
(described in :rfc:`4757`), wrap tokens compatible with Microsoft DCE
RPC can be constructed.  In this case, the IOV list must include a
SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a
HEADER buffer in that order (the order of the buffer contents remains
arbitrary).  The application must pad the DATA buffer to a multiple of
16 bytes as no padding or trailer buffer is used.

gss_unwrap_iov may be called with an IOV list just like one which
would be provided to gss_wrap_iov.  DATA buffers will be decrypted
in-place if they were encrypted, and SIGN_ONLY buffers will not be
modified.

Alternatively, gss_unwrap_iov may be called with a single STREAM
buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer.  The
STREAM buffer is interpreted as a complete wrap token.  The STREAM
buffer will be modified in-place to decrypt its contents.
The DATA buffer will be initialized to point to the decrypted data
within the STREAM buffer, unless it has the
**GSS_IOV_BUFFER_FLAG_ALLOCATE** flag set, in which case it will be
initialized with a copy of the decrypted data.  Here is an example
(*token* and *token_len* are assumed to be a pre-existing pointer and
length for a modifiable region of data)::

    OM_uint32 major, minor;
    gss_iov_buffer_desc iov[2];

    iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
    iov[0].buffer.value = token;
    iov[0].buffer.length = token_len;
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;

    major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
    if (GSS_ERROR(major))
        handle_error(major, minor);

    /* Decrypted data is in iov[1].buffer, pointing to a subregion of
     * token. */

.. _gssapi_mic_token:

IOV MIC tokens
--------------

The following extensions (declared in ``<gssapi/gssapi_ext.h>``) can
be used in release 1.12 or later to construct and verify MIC tokens
using an IOV list::

    OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status,
                              gss_ctx_id_t context_handle,
                              gss_qop_t qop_req,
                              gss_iov_buffer_desc *iov,
                              int iov_count);

    OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status,
                                     gss_ctx_id_t context_handle,
                                     gss_qop_t qop_req,
                                     gss_iov_buffer_desc *iov,
                                     int iov_count);

    OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status,
                                 gss_ctx_id_t context_handle,
                                 gss_qop_t *qop_state,
                                 gss_iov_buffer_desc *iov,
                                 int iov_count);

The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc
structures, each containing a type and a gss_buffer_desc structure.
Valid types include:

* **GSS_IOV_BUFFER_TYPE_DATA** and **GSS_IOV_BUFFER_TYPE_SIGN_ONLY**:
  The corresponding buffer for each of these types will be signed for
  the MIC token, in the order provided.

* **GSS_IOV_BUFFER_TYPE_MIC_TOKEN**: The GSSAPI MIC token.

The type of the MIC_TOKEN buffer may be combined with
**GSS_IOV_BUFFER_FLAG_ALLOCATE** to request that gss_get_mic_iov
allocate the buffer contents.
If gss_get_mic_iov allocates the buffer, it sets the
**GSS_IOV_BUFFER_FLAG_ALLOCATED** flag on the buffer type.
gss_release_iov_buffer can be used to release all allocated buffers
within an iov list and unset their allocated flags.

Here is an example of how gss_get_mic_iov can be used with allocation
requested (*ctx* is assumed to be a previously established
gss_ctx_id_t)::

    OM_uint32 major, minor;
    gss_iov_buffer_desc iov[3];

    iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[0].buffer.value = "sign1";
    iov[0].buffer.length = 5;
    iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
    iov[1].buffer.value = "sign2";
    iov[1].buffer.length = 5;
    iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE;

    major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3);
    if (GSS_ERROR(major))
        handle_error(major, minor);

    /* Transmit or otherwise use iov[2].buffer. */

    (void)gss_release_iov_buffer(&minor, iov, 3);

If the caller does not choose to request buffer allocation by
gss_get_mic_iov, it should first call gss_get_mic_iov_length to query
the length of the MIC_TOKEN buffer.  Here is an example of using
gss_get_mic_iov_length and gss_get_mic_iov::

    OM_uint32 major, minor;
    gss_iov_buffer_desc iov[2];
    char data[1024];

    iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN;
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
    iov[1].buffer.value = "message";
    iov[1].buffer.length = 7;

    major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2);
    if (GSS_ERROR(major))
        handle_error(major, minor);
    if (iov[0].buffer.length > sizeof(data))
        handle_out_of_space_error();
    iov[0].buffer.value = data;

    major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2);
    if (GSS_ERROR(major))
        handle_error(major, minor);

.. _gss_accept_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.1
.. _gss_acquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.2
.. _gss_export_name: https://tools.ietf.org/html/rfc2744.html#section-5.13
.. _gss_get_name_attribute: https://tools.ietf.org/html/rfc6680.html#section-7.5
.. _gss_import_name: https://tools.ietf.org/html/rfc2744.html#section-5.16
.. _gss_init_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.19
.. _gss_inquire_name: https://tools.ietf.org/html/rfc6680.html#section-7.4
.. _gss_inquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.21

krb5-1.19.2/doc/appdev/h5l_mit_apidiff.rst

Differences between Heimdal and MIT Kerberos API
================================================

.. tabularcolumns:: |l|l|

.. table::

    ======================================== =================================================
    :c:func:`krb5_auth_con_getaddrs()`       H5l: If either of the pointers to local_addr and
                                             remote_addr is not NULL, it is freed first and
                                             then reallocated before being populated with the
                                             content of corresponding address from
                                             authentication context.
    :c:func:`krb5_auth_con_setaddrs()`       H5l: If either address is NULL, the previous
                                             address remains in place
    :c:func:`krb5_auth_con_setports()`       H5l: Not implemented as of version 1.3.3
    :c:func:`krb5_auth_con_setrecvsubkey()`  H5l: If either port is NULL, the previous port
                                             remains in place
    :c:func:`krb5_auth_con_setsendsubkey()`  H5l: Not implemented as of version 1.3.3
    :c:func:`krb5_cc_set_config()`           MIT: Before version 1.10 it was assumed that the
                                             last argument *data* is ALWAYS non-zero.
    :c:func:`krb5_cccol_last_change_time()`  MIT: not implemented
    :c:func:`krb5_set_default_realm()`       H5l: Caches the computed default realm context
                                             field.  If the second argument is NULL, it tries
                                             to retrieve it from libdefaults or DNS.
                                             MIT: Computes the default realm each time if it
                                             wasn't explicitly set in the context
    ======================================== =================================================

krb5-1.19.2/doc/appdev/init_creds.rst

Initial credentials
===================

Software that performs tasks such as logging users into a computer
when they type their Kerberos password needs to get initial
credentials (usually ticket granting tickets) from Kerberos.  Such
software shares some behavior with the :ref:`kinit(1)` program.

Whenever a program grants access to a resource (such as a local login
session on a desktop computer) based on a user successfully getting
initial Kerberos credentials, it must verify those credentials against
a secure shared secret (e.g., a host keytab) to ensure that the user
credentials actually originate from a legitimate KDC.  Failure to
perform this verification is a critical vulnerability, because a
malicious user can execute the "Zanarotti attack": the user constructs
a fake response that appears to come from the legitimate KDC, but
whose contents come from an attacker-controlled KDC.

Some applications read a Kerberos password over the network (ideally
over a secure channel), which they then verify against the KDC.  While
this technique may be the only practical way to integrate Kerberos
into some existing legacy systems, its use is contrary to the original
design goals of Kerberos.

The function :c:func:`krb5_get_init_creds_password` will get initial
credentials for a client using a password.  An application that needs
to verify the credentials can call :c:func:`krb5_verify_init_creds`.
Here is an example of code to obtain and verify TGT credentials, given
strings *princname* and *password* for the client principal name and
password::

    krb5_error_code ret;
    krb5_creds creds;
    krb5_principal client_princ = NULL;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_parse_name(context, princname, &client_princ);
    if (ret)
        goto cleanup;
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, NULL);
    if (ret)
        goto cleanup;
    ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL);

    cleanup:
    krb5_free_principal(context, client_princ);
    krb5_free_cred_contents(context, &creds);
    return ret;

Options for get_init_creds
--------------------------

The function :c:func:`krb5_get_init_creds_password` takes an options
parameter (which can be a null pointer).  Use the function
:c:func:`krb5_get_init_creds_opt_alloc` to allocate an options
structure, and :c:func:`krb5_get_init_creds_opt_free` to free it.  For
example::

    krb5_error_code ret;
    krb5_get_init_creds_opt *opt = NULL;
    krb5_creds creds;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_get_init_creds_opt_alloc(context, &opt);
    if (ret)
        goto cleanup;
    krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60);
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, opt);
    if (ret)
        goto cleanup;

    cleanup:
    krb5_get_init_creds_opt_free(context, opt);
    krb5_free_cred_contents(context, &creds);
    return ret;

Getting anonymous credentials
-----------------------------

As of release 1.8, it is possible to obtain fully anonymous or
partially anonymous (realm-exposed) credentials, if the KDC supports
it.  The MIT KDC supports issuing fully anonymous credentials as of
release 1.8 if configured appropriately (see
:ref:`anonymous_pkinit`), but does not support issuing realm-exposed
anonymous credentials at this time.
To obtain fully anonymous credentials, call
:c:func:`krb5_get_init_creds_opt_set_anonymous` on the options
structure to set the anonymous flag, and specify a client principal
with the KDC's realm and a single empty data component (the principal
obtained by parsing ``@``\ *realmname*).  Authentication will take
place using anonymous PKINIT; if successful, the client principal of
the resulting tickets will be ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``.
Here is an example::

    krb5_get_init_creds_opt_set_anonymous(opt, 1);
    ret = krb5_build_principal(context, &client_princ, strlen(myrealm),
                               myrealm, "", (char *)NULL);
    if (ret)
        goto cleanup;
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, opt);
    if (ret)
        goto cleanup;

To obtain realm-exposed anonymous credentials, set the anonymous flag
on the options structure as above, but specify a normal client
principal in order to prove membership in the realm.  Authentication
will take place as it normally does; if successful, the client
principal of the resulting tickets will be
``WELLKNOWN/ANONYMOUS@``\ *realmname*.

User interaction
----------------

Authenticating a user usually requires the entry of secret
information, such as a password.  A password can be supplied directly
to :c:func:`krb5_get_init_creds_password` via the *password*
parameter, or the application can supply prompter and/or responder
callbacks instead.  If callbacks are used, the user can also be
queried for other secret information such as a PIN, informed of
impending password expiration, or prompted to change a password which
has expired.

Prompter callback
~~~~~~~~~~~~~~~~~

A prompter callback can be specified via the *prompter* and *data*
parameters to :c:func:`krb5_get_init_creds_password`.  The prompter
will be invoked each time the krb5 library has a question to ask or
information to present.
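Here is a prompter callback that implements this interface, added as
an example for this page; it is not code from the krb5 documentation
or library.  Each entry of the *prompts* array carries the question
text, a *hidden* flag and a *reply* buffer whose ``length`` is the
buffer capacity on entry and must be set to the answer's length on
return.  So that the example compiles and runs without ``<krb5.h>``,
it declares stand-ins for ``krb5_error_code``, ``krb5_context``,
``krb5_data`` and ``krb5_prompt`` with the library's field names and
the ``krb5_prompter_fct`` signature; a real program includes
``<krb5.h>``, deletes those declarations, and returns
``KRB5_LIBOS_CANTREADPWD`` where this example returns its own
``PROMPTER_CANNOT_ANSWER``.  The canned-answer table that replaces
interactive input, the ``simulate_prompt`` driver and the sample
answers are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for <krb5.h> declarations (assumption: same names and layout). */
typedef int32_t krb5_error_code;
typedef struct _krb5_context *krb5_context;   /* opaque; never dereferenced */
typedef struct {
    int magic;
    unsigned int length;   /* on entry: buffer capacity; on return: answer length */
    char *data;            /* buffer owned by the library */
} krb5_data;
typedef struct {
    char *prompt;          /* question text */
    int hidden;            /* nonzero: the answer must not be echoed */
    krb5_data *reply;      /* where the answer goes */
} krb5_prompt;

/* Stands in for KRB5_LIBOS_CANTREADPWD, which a real prompter returns when
 * it cannot obtain an answer (assumption: value chosen for this example). */
#define PROMPTER_CANNOT_ANSWER 1

/* Answers handed to the prompter through its opaque "data" argument,
 * replacing interactive input so the example runs unattended (constructed). */
struct canned_answers {
    const char *const *answers;
    int count;
};

/* Prompter callback with the krb5_prompter_fct signature.  It copies each
 * answer into reply->data without exceeding the capacity in reply->length,
 * then sets reply->length to the answer's length, as the contract requires. */
static krb5_error_code
canned_prompter(krb5_context context, void *data, const char *name,
                const char *banner, int num_prompts, krb5_prompt prompts[])
{
    const struct canned_answers *ca = data;
    int i;

    (void)context;
    if (name != NULL)
        fprintf(stderr, "%s\n", name);
    if (banner != NULL)
        fprintf(stderr, "%s\n", banner);
    for (i = 0; i < num_prompts; i++) {
        krb5_data *reply = prompts[i].reply;
        size_t len;

        if (i >= ca->count)
            return PROMPTER_CANNOT_ANSWER;
        len = strlen(ca->answers[i]);
        /* A silently truncated secret is a wrong password at best; refuse
         * instead of writing past the library's buffer. */
        if (len > reply->length)
            return PROMPTER_CANNOT_ANSWER;
        memcpy(reply->data, ca->answers[i], len);
        if (len < reply->length)
            reply->data[len] = '\0';   /* convenience only; krb5 uses length */
        reply->length = (unsigned int)len;
        fprintf(stderr, "%s: %s\n", prompts[i].prompt,
                prompts[i].hidden ? "(hidden)" : ca->answers[i]);
    }
    return 0;
}

/* Drives the callback the way libkrb5 would, with a library-owned reply
 * buffer of `capacity` bytes.  Returns the callback's result; on success
 * *out_len holds the length the callback stored in reply.length. */
static krb5_error_code
simulate_prompt(const char *answer, unsigned int capacity, char *buf,
                unsigned int *out_len)
{
    const char *const answers[] = { answer };
    struct canned_answers ca = { answers, 1 };
    krb5_data reply = { 0, capacity, buf };
    krb5_prompt prompts[] = {
        { (char *)"Password for alice@EXAMPLE.COM", 1, &reply }
    };
    krb5_error_code ret = canned_prompter(NULL, &ca, "Kerberos", NULL, 1, prompts);

    if (ret == 0)
        *out_len = reply.length;
    return ret;
}

int main(void)
{
    char buf[16];
    unsigned int len = 0;

    if (simulate_prompt("correct horse", sizeof(buf), buf, &len) == 0)
        printf("accepted a %u-byte answer\n", len);
    if (simulate_prompt("this answer is far too long", sizeof(buf), buf, &len) != 0)
        printf("rejected an answer longer than the reply buffer\n");
    return 0;
}
```

To wire the callback into a real login program, pass ``canned_prompter``
(or an interactive equivalent) as the *prompter* argument of
:c:func:`krb5_get_init_creds_password` and a pointer to the answer
table as *data*.  Refusing an oversized answer instead of truncating
it is the design choice worth copying: the library compares whatever
length the callback reports, so a truncated passphrase is simply a
wrong one, and writing past ``reply->data`` would corrupt memory the
library owns.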
When the prompter callback is invoked, the *banner* argument (if not
null) is intended to be displayed to the user, and the questions to be
answered are specified in the *prompts* array.  Each prompt contains a
text question in the *prompt* field, a *hidden* bit to indicate
whether the answer should be hidden from display, and a storage area
for the answer in the *reply* field.  The callback should fill in each
question's ``reply->data`` with the answer, up to a maximum of
``reply->length`` bytes (the capacity of the buffer on entry), and
then reset ``reply->length`` to the length of the answer.

A prompter callback can call :c:func:`krb5_get_prompt_types` to get an
array of type constants corresponding to the prompts, to get
programmatic information about the semantic meaning of the questions.
:c:func:`krb5_get_prompt_types` may return a null pointer if no prompt
type information is available.

Text-based applications can use a built-in text prompter
implementation by supplying :c:func:`krb5_prompter_posix` as the
*prompter* parameter and a null pointer as the *data* parameter.  For
example::

    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       NULL, krb5_prompter_posix, NULL, 0,
                                       NULL, NULL);

Responder callback
~~~~~~~~~~~~~~~~~~

A responder callback can be specified through the init_creds options
using the :c:func:`krb5_get_init_creds_opt_set_responder` function.
Responder callbacks can present a more sophisticated user interface
for authentication secrets.  The responder callback is usually invoked
only once per authentication, with a list of questions produced by all
of the allowed preauthentication mechanisms.

When the responder callback is invoked, the *rctx* argument can be
accessed to obtain the list of questions and to answer them.  The
:c:func:`krb5_responder_list_questions` function retrieves an array of
question types.
For each question type, the :c:func:`krb5_responder_get_challenge`
function retrieves additional information about the question, if
applicable, and the :c:func:`krb5_responder_set_answer` function sets
the answer.

Responder question types, challenges, and answers are UTF-8 strings.
The question type is a well-known string; the meaning of the challenge
and answer depends on the question type.  If an application does not
understand a question type, it cannot interpret the challenge or
provide an answer.  Failing to answer a question typically results in
the prompter callback being used as a fallback.

Password question
#################

The :c:macro:`KRB5_RESPONDER_QUESTION_PASSWORD` (or ``"password"``)
question type requests the user's password.  This question does not
have a challenge, and the response is simply the password string.

One-time password question
##########################

The :c:macro:`KRB5_RESPONDER_QUESTION_OTP` (or ``"otp"``) question
type requests a choice among one-time password tokens and the PIN and
value for the chosen token.  The challenge and answer are JSON-encoded
strings, but an application can use convenience functions to avoid
doing any JSON processing itself.

The :c:func:`krb5_responder_otp_get_challenge` function decodes the
challenge into a krb5_responder_otp_challenge structure.  The
:c:func:`krb5_responder_otp_set_answer` function selects one of the
token information elements from the challenge and supplies the value
and pin for that token.

PKINIT password or PIN question
###############################

The :c:macro:`KRB5_RESPONDER_QUESTION_PKINIT` (or ``"pkinit"``)
question type requests PINs for hardware devices and/or passwords for
encrypted credentials which are stored on disk, potentially also
supplying information about the state of the hardware devices.  The
challenge and answer are JSON-encoded strings, but an application can
use convenience functions to avoid doing any JSON processing itself.
The :c:func:`krb5_responder_pkinit_get_challenge` function decodes the
challenges into a krb5_responder_pkinit_challenge structure.  The
:c:func:`krb5_responder_pkinit_set_answer` function can be used to
supply the PIN or password for a particular client credential, and can
be called multiple times.

Example
#######

Here is an example of using a responder callback::

    static krb5_error_code
    my_responder(krb5_context context, void *data,
                 krb5_responder_context rctx)
    {
        krb5_error_code ret;
        krb5_responder_otp_challenge *chl;

        if (krb5_responder_get_challenge(context, rctx,
                                         KRB5_RESPONDER_QUESTION_PASSWORD)) {
            ret = krb5_responder_set_answer(context, rctx,
                                            KRB5_RESPONDER_QUESTION_PASSWORD,
                                            "open sesame");
            if (ret)
                return ret;
        }
        ret = krb5_responder_otp_get_challenge(context, rctx, &chl);
        if (ret == 0 && chl != NULL) {
            ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234",
                                                NULL);
            krb5_responder_otp_challenge_free(context, rctx, chl);
            if (ret)
                return ret;
        }
        return 0;
    }

    static krb5_error_code
    get_creds(krb5_context context, krb5_principal client_princ)
    {
        krb5_error_code ret;
        krb5_get_init_creds_opt *opt = NULL;
        krb5_creds creds;

        memset(&creds, 0, sizeof(creds));
        ret = krb5_get_init_creds_opt_alloc(context, &opt);
        if (ret)
            goto cleanup;
        ret = krb5_get_init_creds_opt_set_responder(context, opt,
                                                    my_responder, NULL);
        if (ret)
            goto cleanup;
        ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                           NULL, NULL, NULL, 0, NULL, opt);

    cleanup:
        krb5_get_init_creds_opt_free(context, opt);
        krb5_free_cred_contents(context, &creds);
        return ret;
    }

Verifying initial credentials
-----------------------------

Use the function :c:func:`krb5_verify_init_creds` to verify initial
credentials.  It takes an options structure (which can be a null
pointer).  Use :c:func:`krb5_verify_init_creds_opt_init` to initialize
the caller-allocated options structure, and
:c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the
"nofail" option.
For example::

    krb5_verify_init_creds_opt vopt;

    krb5_verify_init_creds_opt_init(&vopt);
    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
    ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt);

The confusingly named "nofail" option, when set, means that the
verification must actually succeed in order for
:c:func:`krb5_verify_init_creds` to indicate success.  The default
state of this option (cleared) means that if there is no key material
available to verify the user credentials, the verification will
succeed anyway.  (The default can be changed by the
**verify_ap_req_nofail** setting in the ``[libdefaults]`` section of
the configuration file.)  This accommodates a use case where a large
number of unkeyed shared desktop workstations need to allow users to
log in using Kerberos.  The security risks from this practice are
mitigated by the absence of valuable state on the shared
workstations---any valuable resources that the users would access
reside on networked servers.

Note that with the option cleared, a missing or empty keytab turns
into a silent skip of exactly the check that defends against the
Zanarotti attack described at the start of this page.  A host that is
supposed to hold a keytab should set "nofail" (or the configuration
equivalent) so that a deployment mistake fails closed instead of
granting access.

.. file: krb5-1.19.2/doc/appdev/index.rst

For application developers
==========================

.. toctree::
   :maxdepth: 1

   gssapi.rst
   y2038.rst
   h5l_mit_apidiff.rst
   init_creds.rst
   princ_handle.rst

.. toctree::
   :maxdepth: 1

   refs/index.rst

.. file: krb5-1.19.2/doc/appdev/refs/api/index.rst

krb5 API
========

Frequently used public interfaces
----------------------------------

..
toctree:: :maxdepth: 1 krb5_build_principal.rst krb5_build_principal_alloc_va.rst krb5_build_principal_ext.rst krb5_cc_close.rst krb5_cc_default.rst krb5_cc_default_name.rst krb5_cc_destroy.rst krb5_cc_dup.rst krb5_cc_get_name.rst krb5_cc_get_principal.rst krb5_cc_get_type.rst krb5_cc_initialize.rst krb5_cc_new_unique.rst krb5_cc_resolve.rst krb5_change_password.rst krb5_chpw_message.rst krb5_expand_hostname.rst krb5_free_context.rst krb5_free_error_message.rst krb5_free_principal.rst krb5_fwd_tgt_creds.rst krb5_get_default_realm.rst krb5_get_error_message.rst krb5_get_host_realm.rst krb5_get_credentials.rst krb5_get_fallback_host_realm.rst krb5_get_init_creds_keytab.rst krb5_get_init_creds_opt_alloc.rst krb5_get_init_creds_opt_free.rst krb5_get_init_creds_opt_get_fast_flags.rst krb5_get_init_creds_opt_set_address_list.rst krb5_get_init_creds_opt_set_anonymous.rst krb5_get_init_creds_opt_set_canonicalize.rst krb5_get_init_creds_opt_set_change_password_prompt.rst krb5_get_init_creds_opt_set_etype_list.rst krb5_get_init_creds_opt_set_expire_callback.rst krb5_get_init_creds_opt_set_fast_ccache.rst krb5_get_init_creds_opt_set_fast_ccache_name.rst krb5_get_init_creds_opt_set_fast_flags.rst krb5_get_init_creds_opt_set_forwardable.rst krb5_get_init_creds_opt_set_in_ccache.rst krb5_get_init_creds_opt_set_out_ccache.rst krb5_get_init_creds_opt_set_pa.rst krb5_get_init_creds_opt_set_pac_request.rst krb5_get_init_creds_opt_set_preauth_list.rst krb5_get_init_creds_opt_set_proxiable.rst krb5_get_init_creds_opt_set_renew_life.rst krb5_get_init_creds_opt_set_responder.rst krb5_get_init_creds_opt_set_salt.rst krb5_get_init_creds_opt_set_tkt_life.rst krb5_get_init_creds_password.rst krb5_get_profile.rst krb5_get_prompt_types.rst krb5_get_renewed_creds.rst krb5_get_validated_creds.rst krb5_init_context.rst krb5_init_secure_context.rst krb5_is_config_principal.rst krb5_is_thread_safe.rst krb5_kt_close.rst krb5_kt_client_default.rst krb5_kt_default.rst krb5_kt_default_name.rst 
krb5_kt_dup.rst krb5_kt_get_name.rst krb5_kt_get_type.rst krb5_kt_resolve.rst krb5_kuserok.rst krb5_parse_name.rst krb5_parse_name_flags.rst krb5_principal_compare.rst krb5_principal_compare_any_realm.rst krb5_principal_compare_flags.rst krb5_prompter_posix.rst krb5_realm_compare.rst krb5_responder_get_challenge.rst krb5_responder_list_questions.rst krb5_responder_set_answer.rst krb5_responder_otp_get_challenge.rst krb5_responder_otp_set_answer.rst krb5_responder_otp_challenge_free.rst krb5_responder_pkinit_get_challenge.rst krb5_responder_pkinit_set_answer.rst krb5_responder_pkinit_challenge_free.rst krb5_set_default_realm.rst krb5_set_password.rst krb5_set_password_using_ccache.rst krb5_set_principal_realm.rst krb5_set_trace_callback.rst krb5_set_trace_filename.rst krb5_sname_match.rst krb5_sname_to_principal.rst krb5_unparse_name.rst krb5_unparse_name_ext.rst krb5_unparse_name_flags.rst krb5_unparse_name_flags_ext.rst krb5_us_timeofday.rst krb5_verify_authdata_kdc_issued.rst Rarely used public interfaces -------------------------------- .. 
toctree:: :maxdepth: 1 krb5_425_conv_principal.rst krb5_524_conv_principal.rst krb5_address_compare.rst krb5_address_order.rst krb5_address_search.rst krb5_allow_weak_crypto.rst krb5_aname_to_localname.rst krb5_anonymous_principal.rst krb5_anonymous_realm.rst krb5_appdefault_boolean.rst krb5_appdefault_string.rst krb5_auth_con_free.rst krb5_auth_con_genaddrs.rst krb5_auth_con_get_checksum_func.rst krb5_auth_con_getaddrs.rst krb5_auth_con_getauthenticator.rst krb5_auth_con_getflags.rst krb5_auth_con_getkey.rst krb5_auth_con_getkey_k.rst krb5_auth_con_getlocalseqnumber.rst krb5_auth_con_getrcache.rst krb5_auth_con_getrecvsubkey.rst krb5_auth_con_getrecvsubkey_k.rst krb5_auth_con_getremoteseqnumber.rst krb5_auth_con_getsendsubkey.rst krb5_auth_con_getsendsubkey_k.rst krb5_auth_con_init.rst krb5_auth_con_set_checksum_func.rst krb5_auth_con_set_req_cksumtype.rst krb5_auth_con_setaddrs.rst krb5_auth_con_setflags.rst krb5_auth_con_setports.rst krb5_auth_con_setrcache.rst krb5_auth_con_setrecvsubkey.rst krb5_auth_con_setrecvsubkey_k.rst krb5_auth_con_setsendsubkey.rst krb5_auth_con_setsendsubkey_k.rst krb5_auth_con_setuseruserkey.rst krb5_cc_cache_match.rst krb5_cc_copy_creds.rst krb5_cc_end_seq_get.rst krb5_cc_get_config.rst krb5_cc_get_flags.rst krb5_cc_get_full_name.rst krb5_cc_move.rst krb5_cc_next_cred.rst krb5_cc_remove_cred.rst krb5_cc_retrieve_cred.rst krb5_cc_select.rst krb5_cc_set_config.rst krb5_cc_set_default_name.rst krb5_cc_set_flags.rst krb5_cc_start_seq_get.rst krb5_cc_store_cred.rst krb5_cc_support_switch.rst krb5_cc_switch.rst krb5_cccol_cursor_free.rst krb5_cccol_cursor_new.rst krb5_cccol_cursor_next.rst krb5_cccol_have_content.rst krb5_clear_error_message.rst krb5_check_clockskew.rst krb5_copy_addresses.rst krb5_copy_authdata.rst krb5_copy_authenticator.rst krb5_copy_checksum.rst krb5_copy_context.rst krb5_copy_creds.rst krb5_copy_data.rst krb5_copy_error_message.rst krb5_copy_keyblock.rst krb5_copy_keyblock_contents.rst krb5_copy_principal.rst 
krb5_copy_ticket.rst krb5_find_authdata.rst krb5_free_addresses.rst krb5_free_ap_rep_enc_part.rst krb5_free_authdata.rst krb5_free_authenticator.rst krb5_free_cred_contents.rst krb5_free_creds.rst krb5_free_data.rst krb5_free_data_contents.rst krb5_free_default_realm.rst krb5_free_enctypes.rst krb5_free_error.rst krb5_free_host_realm.rst krb5_free_keyblock.rst krb5_free_keyblock_contents.rst krb5_free_keytab_entry_contents.rst krb5_free_string.rst krb5_free_ticket.rst krb5_free_unparsed_name.rst krb5_get_etype_info.rst krb5_get_permitted_enctypes.rst krb5_get_server_rcache.rst krb5_get_time_offsets.rst krb5_init_context_profile.rst krb5_init_creds_free.rst krb5_init_creds_get.rst krb5_init_creds_get_creds.rst krb5_init_creds_get_error.rst krb5_init_creds_get_times.rst krb5_init_creds_init.rst krb5_init_creds_set_keytab.rst krb5_init_creds_set_password.rst krb5_init_creds_set_service.rst krb5_init_creds_step.rst krb5_init_keyblock.rst krb5_is_referral_realm.rst krb5_kt_add_entry.rst krb5_kt_end_seq_get.rst krb5_kt_get_entry.rst krb5_kt_have_content.rst krb5_kt_next_entry.rst krb5_kt_read_service_key.rst krb5_kt_remove_entry.rst krb5_kt_start_seq_get.rst krb5_make_authdata_kdc_issued.rst krb5_merge_authdata.rst krb5_mk_1cred.rst krb5_mk_error.rst krb5_mk_ncred.rst krb5_mk_priv.rst krb5_mk_rep.rst krb5_mk_rep_dce.rst krb5_mk_req.rst krb5_mk_req_extended.rst krb5_mk_safe.rst krb5_os_localaddr.rst krb5_pac_add_buffer.rst krb5_pac_free.rst krb5_pac_get_buffer.rst krb5_pac_get_types.rst krb5_pac_init.rst krb5_pac_parse.rst krb5_pac_sign.rst krb5_pac_sign_ext.rst krb5_pac_verify.rst krb5_pac_verify_ext.rst krb5_pac_get_client_info.rst krb5_prepend_error_message.rst krb5_principal2salt.rst krb5_rd_cred.rst krb5_rd_error.rst krb5_rd_priv.rst krb5_rd_rep.rst krb5_rd_rep_dce.rst krb5_rd_req.rst krb5_rd_safe.rst krb5_read_password.rst krb5_salttype_to_string.rst krb5_server_decrypt_ticket_keytab.rst krb5_set_default_tgs_enctypes.rst krb5_set_error_message.rst 
krb5_set_kdc_recv_hook.rst krb5_set_kdc_send_hook.rst krb5_set_real_time.rst krb5_string_to_cksumtype.rst krb5_string_to_deltat.rst krb5_string_to_enctype.rst krb5_string_to_salttype.rst krb5_string_to_timestamp.rst krb5_timeofday.rst krb5_timestamp_to_sfstring.rst krb5_timestamp_to_string.rst krb5_tkt_creds_free.rst krb5_tkt_creds_get.rst krb5_tkt_creds_get_creds.rst krb5_tkt_creds_get_times.rst krb5_tkt_creds_init.rst krb5_tkt_creds_step.rst krb5_verify_init_creds.rst krb5_verify_init_creds_opt_init.rst krb5_verify_init_creds_opt_set_ap_req_nofail.rst krb5_vprepend_error_message.rst krb5_vset_error_message.rst krb5_vwrap_error_message.rst krb5_wrap_error_message.rst Public interfaces that should not be called directly ------------------------------------------------------- .. toctree:: :maxdepth: 1 krb5_c_block_size.rst krb5_c_checksum_length.rst krb5_c_crypto_length.rst krb5_c_crypto_length_iov.rst krb5_c_decrypt.rst krb5_c_decrypt_iov.rst krb5_c_derive_prfplus.rst krb5_c_encrypt.rst krb5_c_encrypt_iov.rst krb5_c_encrypt_length.rst krb5_c_enctype_compare.rst krb5_c_free_state.rst krb5_c_fx_cf2_simple.rst krb5_c_init_state.rst krb5_c_is_coll_proof_cksum.rst krb5_c_is_keyed_cksum.rst krb5_c_keyed_checksum_types.rst krb5_c_keylengths.rst krb5_c_make_checksum.rst krb5_c_make_checksum_iov.rst krb5_c_make_random_key.rst krb5_c_padding_length.rst krb5_c_prf.rst krb5_c_prfplus.rst krb5_c_prf_length.rst krb5_c_random_add_entropy.rst krb5_c_random_make_octets.rst krb5_c_random_os_entropy.rst krb5_c_random_to_key.rst krb5_c_string_to_key.rst krb5_c_string_to_key_with_params.rst krb5_c_valid_cksumtype.rst krb5_c_valid_enctype.rst krb5_c_verify_checksum.rst krb5_c_verify_checksum_iov.rst krb5_cksumtype_to_string.rst krb5_decode_authdata_container.rst krb5_decode_ticket.rst krb5_deltat_to_string.rst krb5_encode_authdata_container.rst krb5_enctype_to_name.rst krb5_enctype_to_string.rst krb5_free_checksum.rst krb5_free_checksum_contents.rst krb5_free_cksumtypes.rst 
   krb5_free_tgt_creds.rst
   krb5_k_create_key.rst
   krb5_k_decrypt.rst
   krb5_k_decrypt_iov.rst
   krb5_k_encrypt.rst
   krb5_k_encrypt_iov.rst
   krb5_k_free_key.rst
   krb5_k_key_enctype.rst
   krb5_k_key_keyblock.rst
   krb5_k_make_checksum.rst
   krb5_k_make_checksum_iov.rst
   krb5_k_prf.rst
   krb5_k_reference_key.rst
   krb5_k_verify_checksum.rst
   krb5_k_verify_checksum_iov.rst

Legacy convenience interfaces
------------------------------

.. toctree::
   :maxdepth: 1

   krb5_recvauth.rst
   krb5_recvauth_version.rst
   krb5_sendauth.rst

Deprecated public interfaces
------------------------------

.. toctree::
   :maxdepth: 1

   krb5_524_convert_creds.rst
   krb5_auth_con_getlocalsubkey.rst
   krb5_auth_con_getremotesubkey.rst
   krb5_auth_con_initivector.rst
   krb5_build_principal_va.rst
   krb5_c_random_seed.rst
   krb5_calculate_checksum.rst
   krb5_checksum_size.rst
   krb5_encrypt.rst
   krb5_decrypt.rst
   krb5_eblock_enctype.rst
   krb5_encrypt_size.rst
   krb5_finish_key.rst
   krb5_finish_random_key.rst
   krb5_cc_gen_new.rst
   krb5_get_credentials_renew.rst
   krb5_get_credentials_validate.rst
   krb5_get_in_tkt_with_password.rst
   krb5_get_in_tkt_with_skey.rst
   krb5_get_in_tkt_with_keytab.rst
   krb5_get_init_creds_opt_init.rst
   krb5_init_random_key.rst
   krb5_kt_free_entry.rst
   krb5_random_key.rst
   krb5_process_key.rst
   krb5_string_to_key.rst
   krb5_use_enctype.rst
   krb5_verify_checksum.rst

.. file: krb5-1.19.2/doc/appdev/refs/types/index.rst

krb5 types and structures
=========================

Public
-------

..
toctree:: :maxdepth: 1 krb5_address.rst krb5_addrtype.rst krb5_ap_req.rst krb5_ap_rep.rst krb5_ap_rep_enc_part.rst krb5_authdata.rst krb5_authdatatype.rst krb5_authenticator.rst krb5_boolean.rst krb5_checksum.rst krb5_const_pointer.rst krb5_const_principal.rst krb5_cred.rst krb5_cred_enc_part.rst krb5_cred_info.rst krb5_creds.rst krb5_crypto_iov.rst krb5_cryptotype.rst krb5_data.rst krb5_deltat.rst krb5_enc_data.rst krb5_enc_kdc_rep_part.rst krb5_enc_tkt_part.rst krb5_encrypt_block.rst krb5_enctype.rst krb5_error.rst krb5_error_code.rst krb5_expire_callback_func.rst krb5_flags.rst krb5_get_init_creds_opt.rst krb5_gic_opt_pa_data.rst krb5_int16.rst krb5_int32.rst krb5_kdc_rep.rst krb5_kdc_req.rst krb5_keyblock.rst krb5_keytab_entry.rst krb5_keyusage.rst krb5_kt_cursor.rst krb5_kvno.rst krb5_last_req_entry.rst krb5_magic.rst krb5_mk_req_checksum_func.rst krb5_msgtype.rst krb5_octet.rst krb5_pa_pac_req.rst krb5_pa_server_referral_data.rst krb5_pa_svr_referral_data.rst krb5_pa_data.rst krb5_pointer.rst krb5_post_recv_fn.rst krb5_pre_send_fn.rst krb5_preauthtype.rst krb5_principal.rst krb5_principal_data.rst krb5_prompt.rst krb5_prompt_type.rst krb5_prompter_fct.rst krb5_pwd_data.rst krb5_responder_context.rst krb5_responder_fn.rst krb5_responder_otp_challenge.rst krb5_responder_otp_tokeninfo.rst krb5_responder_pkinit_challenge.rst krb5_responder_pkinit_identity.rst krb5_response.rst krb5_replay_data.rst krb5_ticket.rst krb5_ticket_times.rst krb5_timestamp.rst krb5_tkt_authent.rst krb5_trace_callback.rst krb5_trace_info.rst krb5_transited.rst krb5_typed_data.rst krb5_ui_2.rst krb5_ui_4.rst krb5_verify_init_creds_opt.rst passwd_phrase_element.rst Internal --------- .. 
toctree::
   :maxdepth: 1

   krb5_auth_context.rst
   krb5_cksumtype
   krb5_context.rst
   krb5_cc_cursor.rst
   krb5_ccache.rst
   krb5_cccol_cursor.rst
   krb5_init_creds_context.rst
   krb5_key.rst
   krb5_keytab.rst
   krb5_pac.rst
   krb5_rcache.rst
   krb5_tkt_creds_context.rst

.. file: krb5-1.19.2/doc/appdev/refs/types/krb5_int32.rst

.. highlight:: c

.. _krb5-int32-struct:

krb5_int32
==========

..
.. c:type:: krb5_int32
..

krb5_int32 is a signed 32-bit integer type.

.. file: krb5-1.19.2/doc/appdev/refs/types/krb5_ui_4.rst

.. highlight:: c

.. _krb5-ui4-struct:

krb5_ui_4
==========

..
.. c:type:: krb5_ui_4
..

krb5_ui_4 is an unsigned 32-bit integer type.

.. file: krb5-1.19.2/doc/appdev/refs/index.rst

Complete reference - API and datatypes
======================================

.. toctree::
   :maxdepth: 1

   api/index.rst
   types/index.rst
   macros/index.rst

.. file: krb5-1.19.2/doc/appdev/refs/macros/index.rst

krb5 simple macros
=========================

Public
-------

..
toctree:: :maxdepth: 1 ADDRTYPE_ADDRPORT.rst ADDRTYPE_CHAOS.rst ADDRTYPE_DDP.rst ADDRTYPE_INET.rst ADDRTYPE_INET6.rst ADDRTYPE_IPPORT.rst ADDRTYPE_ISO.rst ADDRTYPE_IS_LOCAL.rst ADDRTYPE_NETBIOS.rst ADDRTYPE_XNS.rst AD_TYPE_EXTERNAL.rst AD_TYPE_FIELD_TYPE_MASK.rst AD_TYPE_REGISTERED.rst AD_TYPE_RESERVED.rst AP_OPTS_ETYPE_NEGOTIATION.rst AP_OPTS_MUTUAL_REQUIRED.rst AP_OPTS_RESERVED.rst AP_OPTS_USE_SESSION_KEY.rst AP_OPTS_USE_SUBKEY.rst AP_OPTS_WIRE_MASK.rst CKSUMTYPE_CMAC_CAMELLIA128.rst CKSUMTYPE_CMAC_CAMELLIA256.rst CKSUMTYPE_CRC32.rst CKSUMTYPE_DESCBC.rst CKSUMTYPE_HMAC_MD5_ARCFOUR.rst CKSUMTYPE_HMAC_SHA1_96_AES128.rst CKSUMTYPE_HMAC_SHA1_96_AES256.rst CKSUMTYPE_HMAC_SHA256_128_AES128.rst CKSUMTYPE_HMAC_SHA384_192_AES256.rst CKSUMTYPE_HMAC_SHA1_DES3.rst CKSUMTYPE_MD5_HMAC_ARCFOUR.rst CKSUMTYPE_NIST_SHA.rst CKSUMTYPE_RSA_MD4.rst CKSUMTYPE_RSA_MD4_DES.rst CKSUMTYPE_RSA_MD5.rst CKSUMTYPE_RSA_MD5_DES.rst ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst ENCTYPE_ARCFOUR_HMAC.rst ENCTYPE_ARCFOUR_HMAC_EXP.rst ENCTYPE_CAMELLIA128_CTS_CMAC.rst ENCTYPE_CAMELLIA256_CTS_CMAC.rst ENCTYPE_DES3_CBC_ENV.rst ENCTYPE_DES3_CBC_RAW.rst ENCTYPE_DES3_CBC_SHA.rst ENCTYPE_DES3_CBC_SHA1.rst ENCTYPE_DES_CBC_CRC.rst ENCTYPE_DES_CBC_MD4.rst ENCTYPE_DES_CBC_MD5.rst ENCTYPE_DES_CBC_RAW.rst ENCTYPE_DES_HMAC_SHA1.rst ENCTYPE_DSA_SHA1_CMS.rst ENCTYPE_MD5_RSA_CMS.rst ENCTYPE_NULL.rst ENCTYPE_RC2_CBC_ENV.rst ENCTYPE_RSA_ENV.rst ENCTYPE_RSA_ES_OAEP_ENV.rst ENCTYPE_SHA1_RSA_CMS.rst ENCTYPE_UNKNOWN.rst KDC_OPT_ALLOW_POSTDATE.rst KDC_OPT_CANONICALIZE.rst KDC_OPT_CNAME_IN_ADDL_TKT.rst KDC_OPT_DISABLE_TRANSITED_CHECK.rst KDC_OPT_ENC_TKT_IN_SKEY.rst KDC_OPT_FORWARDABLE.rst KDC_OPT_FORWARDED.rst KDC_OPT_POSTDATED.rst KDC_OPT_PROXIABLE.rst KDC_OPT_PROXY.rst KDC_OPT_RENEW.rst KDC_OPT_RENEWABLE.rst KDC_OPT_RENEWABLE_OK.rst KDC_OPT_REQUEST_ANONYMOUS.rst KDC_OPT_VALIDATE.rst KDC_TKT_COMMON_MASK.rst 
KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst KRB5_ANONYMOUS_PRINCSTR.rst KRB5_ANONYMOUS_REALMSTR.rst KRB5_AP_REP.rst KRB5_AP_REQ.rst KRB5_AS_REP.rst KRB5_AS_REQ.rst KRB5_AUTHDATA_AND_OR.rst KRB5_AUTHDATA_AP_OPTIONS.rst KRB5_AUTHDATA_AUTH_INDICATOR.rst KRB5_AUTHDATA_CAMMAC.rst KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst KRB5_AUTHDATA_FX_ARMOR.rst KRB5_AUTHDATA_IF_RELEVANT.rst KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst KRB5_AUTHDATA_KDC_ISSUED.rst KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst KRB5_AUTHDATA_OSF_DCE.rst KRB5_AUTHDATA_SESAME.rst KRB5_AUTHDATA_SIGNTICKET.rst KRB5_AUTHDATA_WIN2K_PAC.rst KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst KRB5_AUTH_CONTEXT_DO_TIME.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst KRB5_AUTH_CONTEXT_PERMIT_ALL.rst KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst KRB5_AUTH_CONTEXT_RET_TIME.rst KRB5_AUTH_CONTEXT_USE_SUBKEY.rst KRB5_CRED.rst KRB5_CRYPTO_TYPE_CHECKSUM.rst KRB5_CRYPTO_TYPE_DATA.rst KRB5_CRYPTO_TYPE_EMPTY.rst KRB5_CRYPTO_TYPE_HEADER.rst KRB5_CRYPTO_TYPE_PADDING.rst KRB5_CRYPTO_TYPE_SIGN_ONLY.rst KRB5_CRYPTO_TYPE_STREAM.rst KRB5_CRYPTO_TYPE_TRAILER.rst KRB5_CYBERSAFE_SECUREID.rst KRB5_DOMAIN_X500_COMPRESS.rst KRB5_ENCPADATA_REQ_ENC_PA_REP.rst KRB5_ERROR.rst KRB5_FAST_REQUIRED.rst KRB5_GC_CACHED.rst KRB5_GC_CANONICALIZE.rst KRB5_GC_CONSTRAINED_DELEGATION.rst KRB5_GC_FORWARDABLE.rst KRB5_GC_NO_STORE.rst KRB5_GC_NO_TRANSIT_CHECK.rst KRB5_GC_USER_USER.rst KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst KRB5_GET_INIT_CREDS_OPT_SALT.rst KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst KRB5_INIT_CONTEXT_SECURE.rst KRB5_INIT_CONTEXT_KDC.rst 
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_INT16_MAX.rst KRB5_INT16_MIN.rst KRB5_INT32_MAX.rst KRB5_INT32_MIN.rst KRB5_KEYUSAGE_AD_ITE.rst KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst KRB5_KEYUSAGE_AD_MTE.rst KRB5_KEYUSAGE_AD_SIGNEDPATH.rst KRB5_KEYUSAGE_APP_DATA_CKSUM.rst KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst KRB5_KEYUSAGE_AP_REP_ENCPART.rst KRB5_KEYUSAGE_AP_REQ_AUTH.rst KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst KRB5_KEYUSAGE_AS_REP_ENCPART.rst KRB5_KEYUSAGE_AS_REQ.rst KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst KRB5_KEYUSAGE_CAMMAC.rst KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst KRB5_KEYUSAGE_FAST_ENC.rst KRB5_KEYUSAGE_FAST_FINISHED.rst KRB5_KEYUSAGE_FAST_REP.rst KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst KRB5_KEYUSAGE_GSS_TOK_MIC.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst KRB5_KEYUSAGE_IAKERB_FINISHED.rst KRB5_KEYUSAGE_KDC_REP_TICKET.rst KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst KRB5_KEYUSAGE_PA_FX_COOKIE.rst KRB5_KEYUSAGE_PA_OTP_REQUEST.rst KRB5_KEYUSAGE_PA_PKINIT_KX.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst KRB5_KEYUSAGE_SPAKE.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AUTH.rst KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst KRB5_KPASSWD_ACCESSDENIED.rst KRB5_KPASSWD_AUTHERROR.rst KRB5_KPASSWD_BAD_VERSION.rst KRB5_KPASSWD_HARDERROR.rst KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst KRB5_KPASSWD_MALFORMED.rst KRB5_KPASSWD_SOFTERROR.rst KRB5_KPASSWD_SUCCESS.rst KRB5_LRQ_ALL_ACCT_EXPTIME.rst KRB5_LRQ_ALL_LAST_INITIAL.rst KRB5_LRQ_ALL_LAST_RENEWAL.rst KRB5_LRQ_ALL_LAST_REQ.rst KRB5_LRQ_ALL_LAST_TGT.rst 
KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst KRB5_LRQ_ALL_PW_EXPTIME.rst KRB5_LRQ_NONE.rst KRB5_LRQ_ONE_ACCT_EXPTIME.rst KRB5_LRQ_ONE_LAST_INITIAL.rst KRB5_LRQ_ONE_LAST_RENEWAL.rst KRB5_LRQ_ONE_LAST_REQ.rst KRB5_LRQ_ONE_LAST_TGT.rst KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst KRB5_LRQ_ONE_PW_EXPTIME.rst KRB5_NT_ENTERPRISE_PRINCIPAL.rst KRB5_NT_ENT_PRINCIPAL_AND_ID.rst KRB5_NT_MS_PRINCIPAL.rst KRB5_NT_MS_PRINCIPAL_AND_ID.rst KRB5_NT_PRINCIPAL.rst KRB5_NT_SMTP_NAME.rst KRB5_NT_SRV_HST.rst KRB5_NT_SRV_INST.rst KRB5_NT_SRV_XHST.rst KRB5_NT_UID.rst KRB5_NT_UNKNOWN.rst KRB5_NT_WELLKNOWN.rst KRB5_NT_X500_PRINCIPAL.rst KRB5_PAC_CLIENT_INFO.rst KRB5_PAC_CREDENTIALS_INFO.rst KRB5_PAC_DELEGATION_INFO.rst KRB5_PAC_LOGON_INFO.rst KRB5_PAC_PRIVSVR_CHECKSUM.rst KRB5_PAC_SERVER_CHECKSUM.rst KRB5_PAC_UPN_DNS_INFO.rst KRB5_PADATA_AFS3_SALT.rst KRB5_PADATA_AP_REQ.rst KRB5_PADATA_AS_CHECKSUM.rst KRB5_PADATA_AS_FRESHNESS.rst KRB5_PADATA_ENCRYPTED_CHALLENGE.rst KRB5_PADATA_ENC_SANDIA_SECURID.rst KRB5_PADATA_ENC_TIMESTAMP.rst KRB5_PADATA_ENC_UNIX_TIME.rst KRB5_PADATA_ETYPE_INFO.rst KRB5_PADATA_ETYPE_INFO2.rst KRB5_PADATA_FOR_USER.rst KRB5_PADATA_FX_COOKIE.rst KRB5_PADATA_FX_ERROR.rst KRB5_PADATA_FX_FAST.rst KRB5_PADATA_GET_FROM_TYPED_DATA.rst KRB5_PADATA_NONE.rst KRB5_PADATA_OSF_DCE.rst KRB5_PADATA_OTP_CHALLENGE.rst KRB5_PADATA_OTP_PIN_CHANGE.rst KRB5_PADATA_OTP_REQUEST.rst KRB5_PADATA_PAC_OPTIONS.rst KRB5_PADATA_PAC_REQUEST.rst KRB5_PADATA_PKINIT_KX.rst KRB5_PADATA_PK_AS_REP.rst KRB5_PADATA_PK_AS_REP_OLD.rst KRB5_PADATA_PK_AS_REQ.rst KRB5_PADATA_PK_AS_REQ_OLD.rst KRB5_PADATA_PW_SALT.rst KRB5_PADATA_REFERRAL.rst KRB5_PADATA_S4U_X509_USER.rst KRB5_PADATA_SAM_CHALLENGE.rst KRB5_PADATA_SAM_CHALLENGE_2.rst KRB5_PADATA_SAM_REDIRECT.rst KRB5_PADATA_SAM_RESPONSE.rst KRB5_PADATA_SAM_RESPONSE_2.rst KRB5_PADATA_SESAME.rst KRB5_PADATA_SPAKE.rst KRB5_PADATA_SVR_REFERRAL_INFO.rst KRB5_PADATA_TGS_REQ.rst KRB5_PADATA_USE_SPECIFIED_KVNO.rst KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst 
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst KRB5_PRINCIPAL_COMPARE_UTF8.rst KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst KRB5_PRINCIPAL_PARSE_NO_REALM.rst KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst KRB5_PRINCIPAL_UNPARSE_SHORT.rst KRB5_PRIV.rst KRB5_PROMPT_TYPE_NEW_PASSWORD.rst KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst KRB5_PROMPT_TYPE_PASSWORD.rst KRB5_PROMPT_TYPE_PREAUTH.rst KRB5_PVNO.rst KRB5_REALM_BRANCH_CHAR.rst KRB5_RECVAUTH_BADAUTHVERS.rst KRB5_RECVAUTH_SKIP_VERSION.rst KRB5_REFERRAL_REALM.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst KRB5_RESPONDER_QUESTION_PKINIT.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst KRB5_RESPONDER_QUESTION_OTP.rst KRB5_RESPONDER_QUESTION_PASSWORD.rst KRB5_SAFE.rst KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst KRB5_SAM_SEND_ENCRYPTED_SAD.rst KRB5_SAM_USE_SAD_AS_KEY.rst KRB5_TC_MATCH_2ND_TKT.rst KRB5_TC_MATCH_AUTHDATA.rst KRB5_TC_MATCH_FLAGS.rst KRB5_TC_MATCH_FLAGS_EXACT.rst KRB5_TC_MATCH_IS_SKEY.rst KRB5_TC_MATCH_KTYPE.rst KRB5_TC_MATCH_SRV_NAMEONLY.rst KRB5_TC_MATCH_TIMES.rst KRB5_TC_MATCH_TIMES_EXACT.rst KRB5_TC_NOTICKET.rst KRB5_TC_OPENCLOSE.rst KRB5_TC_SUPPORTED_KTYPES.rst KRB5_TGS_NAME.rst KRB5_TGS_NAME_SIZE.rst KRB5_TGS_REP.rst KRB5_TGS_REQ.rst KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst KRB5_WELLKNOWN_NAMESTR.rst LR_TYPE_INTERPRETATION_MASK.rst LR_TYPE_THIS_SERVER_ONLY.rst MAX_KEYTAB_NAME_LEN.rst MSEC_DIRBIT.rst MSEC_VAL_MASK.rst SALT_TYPE_AFS_LENGTH.rst SALT_TYPE_NO_LENGTH.rst THREEPARAMOPEN.rst 
TKT_FLG_ANONYMOUS.rst TKT_FLG_ENC_PA_REP.rst TKT_FLG_FORWARDABLE.rst TKT_FLG_FORWARDED.rst TKT_FLG_HW_AUTH.rst TKT_FLG_INITIAL.rst TKT_FLG_INVALID.rst TKT_FLG_MAY_POSTDATE.rst TKT_FLG_OK_AS_DELEGATE.rst TKT_FLG_POSTDATED.rst TKT_FLG_PRE_AUTH.rst TKT_FLG_PROXIABLE.rst TKT_FLG_PROXY.rst TKT_FLG_RENEWABLE.rst TKT_FLG_TRANSIT_POLICY_CHECKED.rst VALID_INT_BITS.rst VALID_UINT_BITS.rst krb5_const.rst krb5_princ_component.rst krb5_princ_name.rst krb5_princ_realm.rst krb5_princ_set_realm.rst krb5_princ_set_realm_data.rst krb5_princ_set_realm_length.rst krb5_princ_size.rst krb5_princ_type.rst krb5_roundup.rst krb5_x.rst krb5_xc.rst

Deprecated macros
------------------------------

.. toctree::
   :maxdepth: 1

   krb524_convert_creds_kdc.rst
   krb524_init_ets.rst

krb5-1.19.2/doc/appdev/y2038.rst

Year 2038 considerations for uses of krb5_timestamp
===================================================

POSIX time values, which measure the number of seconds since January 1
1970, will exceed the maximum value representable in a signed 32-bit
integer in January 2038.  This documentation describes considerations
for consumers of the MIT krb5 libraries.

Applications or libraries which use libkrb5 and consume the timestamps
included in credentials or other structures make use of the
:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
is a signed 32-bit integer, even on platforms where a larger type is
natively used to represent time values.

To behave properly for time values after January 2038, calling code
should cast krb5_timestamp values to uint32_t, and then to time_t::

    (time_t)(uint32_t)timestamp

Used in this way, krb5_timestamp values can represent time values up
until February 2106, provided that the platform uses a 64-bit or
larger time_t type.  This usage will also remain safe if a later
version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit
integer.
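As an added example (not part of the krb5 documentation or sources), the following C program contrasts a plain cast with the recommended ``(time_t)(uint32_t)`` cast on constructed timestamp values at and after the 2038 rollover; ``krb5_timestamp`` is redeclared locally as ``int32_t`` so that it builds without krb5.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Added example, not MIT krb5 code.  krb5_timestamp is redeclared here
 * as a signed 32-bit integer (its historical definition) so this file
 * builds without krb5.h. */
typedef int32_t krb5_timestamp;

/* Naive conversion: a plain cast sign-extends, so any timestamp with the
 * top bit set (every value from January 2038 onward) turns into a
 * negative, pre-1970 time_t on a 64-bit platform.  Kept only to
 * contrast with the recommended form. */
time_t naive_time(krb5_timestamp ts)
{
    return (time_t)ts;
}

/* Recommended conversion from y2038.rst: cast to uint32_t first so the
 * value is zero-extended, then to time_t.  Valid until February 2106
 * when time_t is 64-bit or larger. */
time_t y2038_safe_time(krb5_timestamp ts)
{
    return (time_t)(uint32_t)ts;
}

/* The safe form only helps where time_t can hold values above 2^31-1. */
int time_t_is_wide(void)
{
    return sizeof(time_t) >= 8;
}

/* UTC calendar year of a time_t, or -1 if the platform cannot convert
 * it (for example a value out of range for a 32-bit time_t). */
int utc_year(time_t t)
{
    struct tm *tm = gmtime(&t);
    return tm == NULL ? -1 : tm->tm_year + 1900;
}

int main(void)
{
    /* Constructed samples: 2^31 seconds after the epoch (the rollover,
     * 2038-01-19 03:14:08 UTC) has bit pattern 0x80000000, which a
     * signed 32-bit field reads as INT32_MIN; 0xFFFFFFFF (February
     * 2106) reads as -1.  1700000000 is an ordinary pre-2038 value. */
    krb5_timestamp samples[] = { 1700000000, INT32_MIN, -1 };
    size_t i;

    if (!time_t_is_wide())
        puts("warning: 32-bit time_t; post-2038 values cannot be represented");

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("krb5_timestamp %11d: naive -> %lld (year %d), "
               "safe -> %llu (year %d)\n",
               (int)samples[i],
               (long long)naive_time(samples[i]),
               utc_year(naive_time(samples[i])),
               (unsigned long long)y2038_safe_time(samples[i]),
               utc_year(y2038_safe_time(samples[i])));
    }
    return 0;
}
```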
The GSSAPI only uses representations of time intervals, not absolute
times.  Callers of the GSSAPI should require no changes to behave
correctly after January 2038, provided that they use MIT krb5 release
1.16 or later.

krb5-1.19.2/doc/contributing.txt

                     Contributing to MIT Kerberos

DESIGN
======

If you are planning to contribute a substantial amount of work, please
ensure that you have a discussion about the design on the
krbdev@mit.edu list.  Some changes may require coordination with
standards groups.  For example, interface changes and extensions for
the GSS-API should be discussed in the IETF KITTEN Working Group.

STYLE
=====

Please follow the guidelines in doc/coding-style for new code.  For
existing code, please preserve its existing indentation and brace
conventions.  These existing conventions usually resemble the
guidelines in doc/coding-style.

Exceptions to the style in doc/coding-style are usually large past
contributions or imports from other parties.  These include (not an
exhaustive list):

    src/appl/bsd
    src/appl/gssftp
    src/appl/telnet
    src/kadmin
    src/lib/kadm5
    src/lib/gssapi/mechglue
    src/lib/rpc

PATCHES
=======

We prefer patches in either unified or context diff format (diff -u or
diff -c).  As is usual practice, please specify the original file
before the modified file on the diff command line.  It's also useful
to perform the diff from the top level of the tree, e.g.,

    diff -ur src.orig src

It's even more useful if you use our anonymous Subversion repository at

    svn://anonsvn.mit.edu/krb5

and use "svn diff" (or "svk diff" if you prefer to use SVK) to generate
your patches.  It is much easier for us to integrate patches which are
generated against current code on the trunk.  Please ensure that your
source tree is up-to-date before generating your patch.
COPYRIGHT
=========

If you are submitting substantial quantities of new code, or are
substantially modifying existing code, please be clear about the
copyright status of your contributions.  Note that if your
contribution was created in the course of your employment, your
employer may own copyright in your contribution.

We prefer that MIT receives the ownership of the contributions, but
will generally accept contributed code with copyright owned by other
parties provided that the license conditions are substantially
identical to the existing license on the MIT krb5 code.

Appropriate copyright notices and license terms should be added to new
or changed files, unless the contributed code is being assigned to the
already-listed copyright holder in the file, or the contribution is
being released to the public domain.  Please make sure that the year
in the copyright statement is kept up-to-date.

krb5-1.19.2/doc/resources.rst

Resources
=========

Mailing lists
-------------

* kerberos@mit.edu is a community resource for discussion and questions
  about MIT krb5 and other Kerberos implementations.  To subscribe to
  the list, please follow the instructions at
  https://mailman.mit.edu/mailman/listinfo/kerberos.

* krbdev@mit.edu is the primary list for developers of MIT Kerberos.
  To subscribe to the list, please follow the instructions at
  https://mailman.mit.edu/mailman/listinfo/krbdev.

* krb5-bugs@mit.edu is notified when a ticket is created or updated.
  This list helps track bugs and feature requests.  In addition, this
  list is used to track documentation criticism and recommendations
  for improvements.

* krbcore@mit.edu is a private list for the MIT krb5 core team.  Send
  mail to this list if you need to contact the core team.

* krbcore-security@mit.edu is the point of contact for security
  problems with MIT Kerberos.  Please use PGP-encrypted mail to report
  possible vulnerabilities to this list.
IRC channels
------------

The IRC channel `#kerberos` on libera.chat is a community resource for
general Kerberos discussion and support.

The main IRC channel for MIT Kerberos development is `#krbdev` on
Libera Chat.  For more information about Libera Chat, see
https://libera.chat/.

Archives
--------

* The archive https://mailman.mit.edu/pipermail/kerberos/ contains
  past postings from the `kerberos@mit.edu` list.

* The archive https://mailman.mit.edu/pipermail/krbdev/ contains past
  postings from the `krbdev@mit.edu` list.

Wiki
----

The wiki at https://k5wiki.kerberos.org/ contains useful information
for developers working on the MIT Kerberos source code.  Some of the
information on the wiki may be useful for advanced users or system
administrators.

Web pages
---------

* https://web.mit.edu/kerberos/ is the MIT Kerberos software web page.

* https://kerberos.org/ is the MIT Kerberos Consortium web page.

krb5-1.19.2/doc/tools/define_document.tmpl

.. highlight:: c

.. $composite.macro_reference($composite.name):

#set $title = $composite.name
$title
#echo ''.join(['=']*len($title)) #

..
.. data:: $composite.name
..
#if $composite.short_description is not None and len($composite.short_description)
$composite.short_description
#end if

$composite.long_description

#if $composite.name_signature is not None and len($composite.name_signature)
#echo ''.join(['=']*(len($composite.name_signature)+4)) + '== ======================' #
``$composite.name_signature``   ``$composite.initializer``
#echo ''.join(['=']*(len($composite.name_signature)+4)) + '== ======================' #
#else
#echo ''.join(['=']*(len($composite.name)+4)) + '=== ======================' #
``$composite.name``    ``$composite.initializer``
#echo ''.join(['=']*(len($composite.name)+4)) + '=== ======================' #
#end if

krb5-1.19.2/doc/tools/docmodel.py

'''
Copyright 2011 by the Massachusetts Institute of Technology.
All Rights Reserved.

Export of this software from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission.  Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
M.I.T. makes no representations about the suitability of
this software for any purpose.  It is provided "as is" without express
or implied warranty.
'''

import re
from Cheetah.Template import Template


class Attribute(object):
    def __init__(self, **argkw):
        self.definition = argkw.get('definition')
        self.name = argkw.get('name')
        self.type = argkw.get('type')
        self.typeId = argkw.get('typeId')
        self.short_description = argkw.get('short_description')
        self.long_description = argkw.get('long_description')
        self.version = argkw.get('version')

    def __repr__(self):
        result = list()
        # items() rather than the Python 2-only iteritems(); this module is
        # byte-compiled for Python 3 in the build tree.
        for (attr, value) in self.__dict__.items():
            result.append('%s=%s' % (attr, value))
        return 'Attribute: %s' % ','.join(result)


class CompositeType():
    def __init__(self, **argkw):
        self.category = 'composite'
        self.definition = argkw.get('definition')
        self.name = argkw.get('name')
        self.name_signature = argkw.get('name_signature')
        self.Id = argkw.get('Id')
        self.initializer = argkw.get('initializer')
        self.active = argkw.get('active', False)
        self.version = argkw.get('version')
        self.return_type = argkw.get('return_type')
        self.short_description = argkw.get('short_description')
        self.long_description = argkw.get('long_description')
        self.friends = argkw.get('friends')
        self.type = argkw.get('type')
        self.attributes = self._setAttributes(argkw.get('attributes'))

    def __repr__(self):
        result = list()
        for (attr, value) in self.__dict__.items():
            if attr == 'attributes':
                if value is not None:
                    attributes = ['%s' % a for a in value]
                    value = '\n  %s' % '\n  '.join(attributes)
            result.append('%s: %s' % (attr, value))
        result = '\n'.join(result)
        return result

    def _setAttributes(self, attributes):
        result = None
        if attributes is not None:
            result = list()
            for a in attributes:
                result.append(Attribute(**a))
        return result

    def struct_reference(self, name):
        result = re.sub(r'_', '-', name)
        result = '_%s-struct' % result
        return result

    def macro_reference(self, name):
        result = re.sub(r'_', '-', name)
        result = '_%s-data' % result
        return result


class Parameter(object):
    def __init__(self, **argkw):
        self.seqno = argkw.get('seqno')
        self.name = argkw.get('name')
        self.direction = argkw.get('direction')
        self.type = argkw.get('type')
        self.typeId = argkw.get('typeId')
        self.description = argkw.get('description')
        self.version = argkw.get('version')

    def __repr__(self):
        content = (self.name, self.direction, self.seqno, self.type,
                   self.typeId, self.description)
        return ('Parameter: name=%s,direction=%s,seqno=%s,type=%s,'
                'typeId=%s,descr=%s' % content)


class Function(object):
    def __init__(self, **argkw):
        self.category = 'function'
        self.name = argkw.get('name')
        self.Id = argkw.get('Id')
        self.active = argkw.get('active', False)
        self.version = argkw.get('version')
        self.parameters = self._setParameters(argkw.get('parameters'))
        self.return_type = argkw.get('return_type')
        self.return_description = argkw.get('return_description')
        self.retval_description = argkw.get('retval_description')
        self.warn_description = argkw.get('warn_description')
        self.sa_description = argkw.get('sa_description')
        self.notes_description = argkw.get('notes_description')
        self.version_num = argkw.get('version_num')
        self.short_description = argkw.get('short_description')
        self.long_description = argkw.get('long_description')
        self.deprecated_description = argkw.get('deprecated_description')
        self.friends = argkw.get('friends')

    def _setParameters(self, parameters):
        result = None
        if parameters is not None:
            result = list()
            for p in parameters:
                result.append(Parameter(**p))
        return result

    def getObjectRow(self):
        result = [str(self.Id), self.name, self.category]
        return ','.join(result)

    def getObjectDescriptionRow(self):
        result = [self.Id, self.active, self.version,
                  self.short_description, self.long_description]
        return ','.join(result)

    def getParameterRows(self):
        result = list()
        for p in self.parameters:
            p_row = [self.Id, p.name, p.seqno, p.type, p.typeId,
                     p.description, p.version]
            result.append(','.join(p_row))
        return '\n'.join(result)

    def __repr__(self):
        lines = list()
        lines.append('Category: %s' % self.category)
        lines.append('Function name: %s' % self.name)
        lines.append('Function Id: %s' % self.Id)
        parameters = ['  %s' % p for p in self.parameters]
        lines.append('Parameters:\n%s' % '\n'.join(parameters))
        lines.append('Function return type: %s' % self.return_type)
        lines.append('Function return type description:\n%s'
                     % self.return_description)
        lines.append('Function retval description:\n%s'
                     % self.retval_description)
        lines.append('Function short description:\n%s'
                     % self.short_description)
        lines.append('Function long description:\n%s'
                     % self.long_description)
        lines.append('Warning description:\n%s' % self.warn_description)
        lines.append('See also description:\n%s' % self.sa_description)
        lines.append('NOTE description:\n%s' % self.notes_description)
        lines.append('Version introduced:\n%s' % self.version_num)
        lines.append('Deprecated description:\n%s'
                     % self.deprecated_description)
        result = '\n'.join(lines)
        return result


class DocModel(object):
    def __init__(self, **argkw):
        if len(argkw):
            self.name = argkw['name']
            if argkw['category'] == 'function':
                self.category = 'function'
                self.function = Function(**argkw)
            elif argkw['category'] == 'composite':
                self.category = 'composite'
                self.composite = CompositeType(**argkw)

    def __repr__(self):
        obj = getattr(self, self.category)
        return str(obj)

    def signature(self):
        param_list = list()
        for p in self.function.parameters:
            # The variadic marker is compared by value; "is" on strings
            # only tests object identity and is not reliable here.
            if p.type == "... ":
                param_list.append('%s %s' % (p.type, ' '))
            else:
                param_list.append('%s %s' % (p.type, p.name))
        param_list = ', '.join(param_list)
        result = '%s %s(%s)' % (self.function.return_type,
                                self.function.name, param_list)
        return result

    def save(self, path, template_path):
        with open(template_path, 'r') as f:
            t = Template(f.read(), self)
        with open(path, 'w') as out:
            out.write(str(t))


class DocModelTest(DocModel):
    def __init__(self):
        # PyYAML is needed only by this self-test, so it is imported here
        # rather than at module level.
        import yaml
        doc_path = '../docutil/example.yml'
        with open(doc_path, 'r') as f:
            argkw = yaml.safe_load(f)
        super(DocModelTest, self).__init__(**argkw)

    def run_tests(self):
        self.test_save()

    def test_print(self):
        print('testing')
        print(self)

    def test_save(self):
        template_path = '../docutil/function2edit.html'
        path = '/var/tsitkova/Sources/v10/trunk/documentation/test_doc.html'
        self.save(path, template_path)


if __name__ == '__main__':
    tester = DocModelTest()
    tester.run_tests()
z%s %s z, z %s %s(%s))rr9r:rrrrr$)r Z param_listrCrrrr signatures  zDocModel.signaturecCsDt|d}t|j|}t|d}|jt||j|jdS)Nrw)openrreadwriterDclose)r path template_pathftoutrrrsaves   z DocModel.saveN)rrrrrrNrZrrrrrIs  rIcs4eZdZfddZddZddZddZZS) DocModelTestcs*d}tjt|d}tt|jf|dS)Nz../docutil/example.ymlrO)ZyamlloadrQsuperr[r)r Zdoc_pathr ) __class__rrrszDocModelTest.__init__cCs |jdS)N) test_save)r rrr run_testsszDocModelTest.run_testscCstdt|dS)NZtesting)print)r rrr test_printszDocModelTest.test_printcCsd}d}|j||dS)Nz../docutil/function2edit.htmlz;/var/tsitkova/Sources/v10/trunk/documentation/test_doc.html)rZ)r rVrUrrrr_szDocModelTest.test_save)rrrrr`rbr_ __classcell__rr)r^rr[s r[__main__)__doc__r/ZCheetah.Templaterobjectrrr3r8rIr[rZtesterr`rrrrs 3Q%krb5-1.19.2/doc/tools/doxybuilder_funcs.py0000644000704600001450000005232414076311657022070 0ustar ghudsonsystemd-journal''' Copyright 2011 by the Massachusetts Institute of Technology. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting. WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. M.I.T. makes no representations about the suitability of this software for any purpose. 
It is provided "as is" without express or implied warranty.
'''

import sys
import re
from collections import defaultdict
from xml.sax import make_parser
from xml.sax.handler import ContentHandler

from docmodel import *

exclude_funcs = ['krb5_free_octet_data']


class DocNode(object):
    """
    Represents the structure of an xml node.
    """
    def __init__(self, name):
        """
        @param name: the name of a node.
        @param attributes: a dictionary populated with attributes of a node
        @param children: a dictionary with lists of children nodes. Nodes
            in lists are ordered as they appear in a document.
        @param content: the content of an xml node represented as a list of
            tuples [(type,value)] with type = ['char'|'element'].
            If type is 'char' then the value is a character string, otherwise
            it is a reference to a child node.
        """
        self.name = name
        self.content = list()
        self.attributes = dict()
        self.children = defaultdict(list)

    def walk(self, decorators, sub_ws, stack=[]):
        # Render this node and its children.  The decorator for this node's
        # name becomes the default for the subtree; the previous default is
        # pushed on the (shared) stack and restored afterwards.
        result = list()
        decorator = decorators.get(self.name, decorators['default'])
        stack.append(decorators['default'])
        decorators['default'] = decorator

        for (obj_type, obj) in self.content:
            if obj_type == 'char':
                if obj != '':
                    result.append(obj)
            else:
                partial = obj.walk(decorators, 1, stack)
                if partial is not None:
                    result.append(' %s ' % partial)
        decorators['default'] = stack.pop()
        result = decorator(self, ''.join(result))
        if result is not None:
            if sub_ws == 1:
                result = re.sub(r'[ ]+', r' ', result)
            else:
                result = result.strip()

        return result

    def getContent(self):
        decorators = {'default': lambda node, value: value}
        result = self.walk(decorators, 1)
        if len(result) == 0:
            result = None

        return result

    def __repr__(self):
        result = ['Content: %s' % self.content]
        for (key, value) in self.attributes.items():
            result.append('Attr: %s = %s' % (key, value))
        for (key, value) in self.children.items():
            result.append('Child: %s,%i' % (key, len(value)))

        return '\n'.join(result)


class DoxyContenHandler(ContentHandler):
    def __init__(self, builder):
        self.builder = builder
        self.counters = defaultdict(int)
        self._nodes = None
        self._current = None

    def startDocument(self):
        pass

    def endDocument(self):
        pass

    def startElement(self, name, attrs):
        if name == self.builder.toplevel:
            self._nodes = []

        if name == 'memberdef':
            kind = attrs.get('kind')
            if kind is None:
                raise ValueError('Kind is not defined')
            self.counters[kind] += 1

        if self._nodes is None:
            return

        node = DocNode(name)
        for (key, value) in attrs.items():
            node.attributes[key] = value
        if self._current is not None:
            self._current.children[name].append(node)
            self._nodes.append(self._current)
        self._current = node

    def characters(self, content):
        if self._current is not None:
            self._current.content.append(('char', content.strip()))

    def endElement(self, name):
        if name == self.builder.toplevel:
            assert(len(self._nodes) == 0)
            self._nodes = None
            self.builder.document.append(self._current)
            self._current = None
        else:
            if self._nodes is not None:
                node = self._current
                self._current = self._nodes.pop()
                self._current.content.append(('element', node))


class XML2AST(object):
    """
    Translates an XML document into an Abstract Syntax Tree like
    representation.  The content of the document is stored in self.document
    """
    def __init__(self, xmlpath, toplevel='doxygen'):
        self.document = list()
        self.toplevel = toplevel
        self.parser = make_parser()
        handler = DoxyContenHandler(self)
        self.parser.setContentHandler(handler)
        filename = 'krb5_8hin.xml'
        filepath = '%s/%s' % (xmlpath, filename)
        self.parser.parse(open(filepath, 'r'))


class DoxyFuncs(XML2AST):
    def __init__(self, path):
        super(DoxyFuncs, self).__init__(path, toplevel='memberdef')
        self.objects = list()

    def run(self):
        for node in self.document:
            self.process(node)

    def process(self, node):
        node_type = node.attributes['kind']
        if node_type == 'function':
            data = self._process_function_node(node)
        else:
            return

        if 'name' in data and data['name'] in exclude_funcs:
            return

        self.objects.append(DocModel(**data))

    def save(self, templates, target_dir):
        for obj in self.objects:
            template_path = templates[obj.category]
            outpath = '%s/%s.rst' % (target_dir, obj.name)
            obj.save(outpath, template_path)

    def _process_function_node(self, node):
        f_name = node.children['name'][0].getContent()
        f_Id = node.attributes['id']
        f_ret_type = self._process_type_node(node.children['type'][0])
        f_brief = node.children['briefdescription'][0].getContent()
        f_detailed = node.children['detaileddescription'][0]
        detailed_description = self._process_description_node(f_detailed)
        return_value_description = self._process_return_value_description(f_detailed)
        retval_description = self._process_retval_description(f_detailed)
        warning_description = self._process_warning_description(f_detailed)
        seealso_description = self._process_seealso_description(f_detailed)
        notes_description = self._process_notes_description(f_detailed)
        f_version = self._process_version_description(f_detailed)
        deprecated_description = self._process_deprecated_description(f_detailed)
        param_description_map = self.process_parameter_description(f_detailed)
        f_definition = node.children['definition'][0].getContent()
        f_argsstring = node.children['argsstring'][0].getContent()

        function_descr = {'category': 'function',
                          'name': f_name,
                          'Id': f_Id,
                          'return_type': f_ret_type[1],
                          'return_description': return_value_description,
                          'retval_description': retval_description,
                          'sa_description': seealso_description,
                          'warn_description': warning_description,
                          'notes_description': notes_description,
                          'short_description': f_brief,
                          'version_num': f_version,
                          'long_description': detailed_description,
                          'deprecated_description': deprecated_description,
                          'parameters': list()}

        parameters = function_descr['parameters']

        for (i, p) in enumerate(node.children['param']):
            type_node = p.children['type'][0]
            p_type = self._process_type_node(type_node)
            if p_type[1].find('...') > -1:
                p_name = ''
            else:
                p_name = None
            p_name_node = p.children.get('declname')
            if p_name_node is not None:
                p_name = p_name_node[0].getContent()
            (p_direction, p_descr) = param_description_map.get(p_name, (None, None))

            param_descr = {'seqno': i,
                           'name': p_name,
                           'direction': p_direction,
                           'type': p_type[1],
                           'typeId': p_type[0],
                           'description': p_descr}

            parameters.append(param_descr)

        result = Function(**function_descr)
        print(result, file=self.tmp)

        return function_descr

    def _process_type_node(self, type_node):
        """
        Type node has form
            <type>type_string</type>
        for built-in types and
            <type>
              <ref refid=refid>
                 'type_name'
              </ref>
              postfix (ex. *, **m, etc.)
            </type>
        for user defined types.
        """
        type_ref_node = type_node.children.get('ref')
        if type_ref_node is not None:
            p_type_id = type_ref_node[0].attributes['refid']
        else:
            p_type_id = None
        p_type = type_node.getContent()
        # remove some macros (longer names first, so that the plain
        # KRB5_CALLCONV substitution does not leave suffixes behind)
        p_type = re.sub('KRB5_ATTR_DEPRECATED', '', p_type)
        p_type = re.sub('KRB5_CALLCONV_C', '', p_type)
        p_type = re.sub('KRB5_CALLCONV_WRONG', '', p_type)
        p_type = re.sub('KRB5_CALLCONV', '', p_type)
        p_type = p_type.strip()

        return (p_type_id, p_type)

    def _process_description_node(self, node):
        """
        Description node is comprised of <para>...</para> sections
        """
        para = node.children.get('para')
        result = list()
        if para is not None:
            decorators = {'default': self.paragraph_content_decorator}
            for e in para:
                result.append(str(e.walk(decorators, 1)))
                result.append('\n')
        result = '\n'.join(result)

        return result

    def return_value_description_decorator(self, node, value):
        if node.name == 'simplesect':
            if node.attributes['kind'] == 'return':
                return value
        else:
            return None

    def paragraph_content_decorator(self, node, value):
        if node.name == 'para':
            return value + '\n'
        elif node.name == 'simplesect':
            if node.attributes['kind'] == 'return':
                return None
        elif node.name == 'ref':
            if value.find('()') >= 0:
                # functions
                return ':c:func:' + '`' + value + '`'
            else:
                # macros
                return ':data:' + '`' + value + '`'
        elif node.name == 'emphasis':
            return '*' + value + '*'
        elif node.name == 'itemizedlist':
            return '\n' + value
        elif node.name == 'listitem':
            return '\n\t - ' + value + '\n'
        elif node.name == 'computeroutput':
            return '**' + value + '**'
        else:
            return None

    def parameter_name_decorator(self, node, value):
        if node.name == 'parametername':
            direction = node.attributes.get('direction')
            if direction is not None:
                value = '%s:%s' % (value, direction)
            return value

        elif node.name == 'parameterdescription':
            return None
        else:
            return value

    def parameter_description_decorator(self, node, value):
        if node.name == 'parameterdescription':
            return value
        elif node.name == 'parametername':
            return None
        else:
            return value

    def process_parameter_description(self, node):
        """
        Parameter descriptions reside inside detailed description section.
        """
        para = node.children.get('para')
        result = dict()
        if para is not None:
            for e in para:
                param_list = e.children.get('parameterlist')
                if param_list is None:
                    continue
                param_items = param_list[0].children.get('parameteritem')
                if param_items is None:
                    continue
                for it in param_items:
                    decorators = {'default': self.parameter_name_decorator}
                    direction = None
                    name = it.walk(decorators, 0).split(':')
                    if len(name) == 2:
                        direction = name[1]
                    decorators = {'default': self.parameter_description_decorator,
                                  'para': self.paragraph_content_decorator}
                    description = it.walk(decorators, 0)
                    result[name[0]] = (direction, description)

        return result

    def _process_return_value_description(self, node):
        result = None
        ret = list()

        para = node.children.get('para')
        if para is not None:
            for p in para:
                simplesect_list = p.children.get('simplesect')
                if simplesect_list is None:
                    continue
                for it in simplesect_list:
                    decorators = {'default': self.return_value_description_decorator,
                                  'para': self.parameter_name_decorator}
                    result = it.walk(decorators, 1)
                    if result is not None:
                        ret.append(result)
        return ret

    def _process_retval_description(self, node):
        """
        retval descriptions reside inside detailed description section.
        """
        para = node.children.get('para')
        result = None
        ret = list()
        if para is not None:
            for e in para:
                param_list = e.children.get('parameterlist')
                if param_list is None:
                    continue
                for p in param_list:
                    kind = p.attributes['kind']
                    if kind == 'retval':
                        param_items = p.children.get('parameteritem')
                        if param_items is None:
                            continue
                        for it in param_items:
                            # default to an empty description so an item
                            # without <parameterdescription> is still listed
                            val_descr = ''
                            param_descr = it.children.get('parameterdescription')
                            if param_descr is not None:
                                val = param_descr[0].children.get('para')
                                if val is not None:
                                    val_descr = val[0].getContent()
                            decorators = {'default': self.parameter_name_decorator}
                            name = it.walk(decorators, 1).split(':')
                            val = name[0]
                            result = " %s %s" % (val, val_descr)
                            ret.append(result)
        return ret

    def return_warning_decorator(self, node, value):
        if node.name == 'simplesect':
            if node.attributes['kind'] == 'warning':
                return value
        else:
            return None

    def _process_warning_description(self, node):
        result = None
        para = node.children.get('para')
        if para is not None:
            for p in para:
                simplesect_list = p.children.get('simplesect')
                if simplesect_list is None:
                    continue
                for it in simplesect_list:
                    decorators = {'default': self.return_warning_decorator,
                                  'para': self.paragraph_content_decorator}
                    result = it.walk(decorators, 1)
                    # Assuming that only one Warning per function
                    if result is not None:
                        return result
        return result

    def return_seealso_decorator(self, node, value):
        if node.name == 'simplesect':
            if node.attributes['kind'] == 'see':
                return value
        else:
            return None

    def _process_seealso_description(self, node):
        result = None
        para = node.children.get('para')
        if para is not None:
            for p in para:
                simplesect_list = p.children.get('simplesect')
                if simplesect_list is None:
                    continue
                for it in simplesect_list:
                    decorators = {'default': self.return_seealso_decorator,
                                  'para': self.paragraph_content_decorator}
                    result = it.walk(decorators, 1)
        return result

    def return_version_decorator(self, node, value):
        if node.name == 'simplesect':
            if node.attributes['kind'] == 'version':
                return value
        else:
            return None

    def _process_version_description(self, node):
        result = None
        para = node.children.get('para')
        if para is not None:
            for p in para:
                simplesect_list = p.children.get('simplesect')
                if simplesect_list is None:
                    continue
                for it in simplesect_list:
                    decorators = {'default': self.return_version_decorator,
                                  'para': self.paragraph_content_decorator}
                    result = it.walk(decorators, 1)
                    if result is not None:
                        return result
        return result

    def return_notes_decorator(self, node, value):
        if node.name == 'simplesect':
            if node.attributes['kind'] == 'note':
                # We indent notes with an extra tab.  Do it for all paragraphs.
                return value.replace("\n ", "\n\n\t ")
        else:
            return None

    def _process_notes_description(self, node):
        result = None
        para = node.children.get('para')
        if para is not None:
            for p in para:
                simplesect_list = p.children.get('simplesect')
                if simplesect_list is None:
                    continue
                for it in simplesect_list:
                    decorators = {'default': self.return_notes_decorator,
                                  'para': self.paragraph_content_decorator}
                    result = it.walk(decorators, 1)
                    if result is not None:
                        return result
        return result

    def return_deprecated_decorator(self, node, value):
        if node.name == 'xrefsect':
            if node.attributes['id'].find('deprecated_') > -1:
                xreftitle = node.children.get('xreftitle')
                if xreftitle[0] is not None:
                    xrefdescr = node.children.get('xrefdescription')
                    deprecated_descr = "DEPRECATED %s" % xrefdescr[0].getContent()
                    return deprecated_descr
        else:
            return None

    def _process_deprecated_description(self, node):
        result = None
        para = node.children.get('para')
        if para is not None:
            for p in para:
                xrefsect_list = p.children.get('xrefsect')
                if xrefsect_list is None:
                    continue
                for it in xrefsect_list:
                    decorators = {'default': self.return_deprecated_decorator,
                                  'para': self.paragraph_content_decorator}
                    result = it.walk(decorators, 1)
                    if result is not None:
                        return result
        return result

    def break_into_lines(self, value, linelen=82):
        # range() is not concatenable in Python 3; materialize it first
        breaks = list(range(0, len(value), linelen)) + [len(value)]
        result = list()
        for (start, end) in zip(breaks[:-1], breaks[1:]):
            result.append(value[start:end])
        result = '\n'.join(result)

        return result

    def _save(self, table, path=None):
        if path is None:
            f = sys.stdout
        else:
            f = open(path, 'w')
        for l in table:
            f.write('%s\n' % ','.join(l))
        if path is not None:
            f.close()


class DoxyBuilderFuncs(DoxyFuncs):
    def __init__(self, xmlpath, rstpath):
        super(DoxyBuilderFuncs, self).__init__(xmlpath)
        self.target_dir = rstpath
        outfile = '%s/%s' % (self.target_dir, 'out.txt')
        self.tmp = open(outfile, 'w')

    def run_all(self):
        self.run()
        templates = {'function': 'func_document.tmpl'}
        self.save(templates, self.target_dir)

    def test_run(self):
        self.run()


if __name__ == '__main__':
    # xml input directory and rst output directory from the command line
    # (normally this module is driven by doxy.py instead)
    xmlpath, rstpath = sys.argv[1], sys.argv[2]
    builder = DoxyBuilderFuncs(xmlpath, rstpath)
    builder.run_all()

krb5-1.19.2/doc/tools/type_document.tmpl

.. highlight:: c

.. $composite.struct_reference($composite.name):

#set $title = $composite.name
$title
#echo ''.join(['=']*len($title)) #

..
.. c:type:: $composite.name
..

#if $composite.short_description is not None and len($composite.short_description)
$composite.short_description
#end if

$composite.long_description

Declaration
------------

$composite.definition

#if $composite.Id is not None
#if len($composite.attributes)
Members
---------

#end if

#for $attr in $composite.attributes:
#if $attr.name is not None
.. c:member:: $attr.type    $composite.name.$attr.name

    $attr.short_description

#if $attr.long_description is not None
    $attr.long_description

#end if

#end if
#end for
#end if

krb5-1.19.2/doc/tools/func_document.tmpl

#if $function.short_description is not None
#set $title = $function.name + ' - ' + $function.short_description
#else
#set $title = $function.name
#end if
$title
#echo ''.join(['=']*len($title)) #

..
.. c:function:: $signature
..
:param:
#for $param in $function.parameters:
#if $param.name == ''
#continue
#end if
#if $param.direction is not None
#set name_description = '**[%s]** **%s**' % ($param.direction, $param.name)
#else
#set name_description = '**%s**' % $param.name
#end if
#if $param.description is not None
#set $description= ' - ' + $param.description
#else
#set $description=''
#end if
    $name_description$description
#end for

..

#if len($function.retval_description) > 0
:retval:
#for $retval in $function.retval_description:
    -   $retval
#end for
#end if

#if len($function.return_description) > 0
:return:
#for $retval in $function.return_description:
    -   $retval
#end for
#end if

..

#if $function.deprecated_description is not None
$function.deprecated_description
#end if

#if $function.long_description is not None
$function.long_description
#end if

..

#if $function.sa_description is not None
.. seealso::
    $function.sa_description
#end if

#if $function.warn_description is not None or $function.notes_description is not None
#if $function.warn_description is not None
.. warning::

    $function.warn_description
#end if

#if $function.notes_description is not None
.. note::

    $function.notes_description
#end if
#end if

#if $function.version_num is not None
.. note::

    $function.version_num
#end if

krb5-1.19.2/doc/tools/README

How to deploy the Doxygen output in Sphinx project.
====================================================

The text below is meant to give the instructions on how to incorporate
MIT Kerberos API reference documentation into Sphinx document hierarchy.

The Sphinx API documentation can be constructed with (Part B) or without
(Part A) the bridge to the original Doxygen HTML output.

Pre-requisites:

- python 2.5+ with Cheetah, lxml and xml extension modules installed;
- For part B only:
  - Sphinx "doxylink" extension;
  - Doxygen HTML output

Part A: Transforming Doxygen XML output into reStructuredText (rst)
without the bridge to Doxygen HTML output.

1. Delete lines containing text "Doxygen reference" from the template
   files func_document.tmpl and type_document.tmpl;

2. In the Doxygen configuration file set GENERATE_XML to YES. Generate
   Doxygen XML output;

3. Suppose the Doxygen XML output is located in doxy_xml_dir and the
   desired output directory is rst_dir. Run:

       python doxy.py -i doxy_xml_dir -o rst_dir -t func

   This will result in the storing of the API function documentation
   files in rst format in the rst_dir. The file names are constructed
   based on the function name. For example, the file for
   krb5_build_principal() will be krb5_build_principal.rst

   Run:

       python doxy.py -i doxy_xml_dir -o rst_dir -t typedef

   It is similar to the API function conversion, but for data types.
   The result will be stored under rst_dir/types directory

   Alternatively, running

       python doxy.py -i doxy_xml_dir -o rst_dir

   or

       python doxy.py -i doxy_xml_dir -o rst_dir -t all

   converts Doxygen XML output into reStructuredText format files both
   for API functions and data types;

4. In appdev/index.rst add the following section to point to the API
   references:

       .. toctree::
          :maxdepth: 1

          refs/index.rst

5. Copy the content of rst_dir into appdev/refs/api/ directory and
   rst_dir/types into appdev/refs/types directory;

6. Rebuild Sphinx source:

       sphinx-build source_dir build_dir


Part B: Bridge to Doxygen HTML output.

1. Transform Doxygen XML output into reStructuredText. In src/Doxygen
   configuration file request generation of the tag file and XML output:

       GENERATE_TAGFILE = krb5doxy.tag
       GENERATE_XML = YES

2. Modify Sphinx conf.py file to point to the "doxylink" extension and
   Doxygen tag file:

       extensions = ['sphinx.ext.autodoc', 'sphinxcontrib.doxylink']
       doxylink = { ' krb5doxy' : ('/tmp/krb5doxy.tag, ' doxy_html_dir ') }

   where doxy_html_dir is the location of the Doxygen HTML output

3. Continue with steps 3 - 6 of Part A.

krb5-1.19.2/doc/tools/doxy.py

'''
Copyright 2011 by the Massachusetts Institute of Technology.
All Rights Reserved.

Export of this software from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
M.I.T. makes no representations about the suitability of
this software for any purpose.
It is provided "as is" without express or implied warranty.
'''

import sys
import os
import re

from optparse import OptionParser

from doxybuilder_types import *
from doxybuilder_funcs import *


def processOptions():
    usage = "\n\t\t%prog -t type -i in_dir -o out_dir"
    description = "Description:\n\tProcess doxygen output for c-types and/or functions"

    parser = OptionParser(usage=usage, description=description)
    parser.add_option("-t", "--type", type="string", dest="action_type",
                      help="process typedef and/or function. "
                           "Possible choices: typedef, func, all. Default: all.",
                      default="all")
    parser.add_option("-i", "--in", type="string", dest="in_dir",
                      help="input directory")
    parser.add_option("-o", "--out", type="string", dest="out_dir",
                      help="output directory. Note: The subdirectory ./types "
                           "will be created for typedef")

    (options, args) = parser.parse_args()
    action = options.action_type
    in_dir = options.in_dir
    out_dir = options.out_dir

    if in_dir is None or out_dir is None:
        parser.error("Input and output directories are required")

    if action == "all" or action == "typedef":
        builder = DoxyBuilderTypes(in_dir, out_dir)
        builder.run_all()

    if action == "all" or action == "func" or action == "function":
        builder = DoxyBuilderFuncs(in_dir, out_dir)
        builder.run_all()


if __name__ == '__main__':
    processOptions()

krb5-1.19.2/doc/tools/doxybuilder_types.py

'''
Copyright 2011 by the Massachusetts Institute of Technology.
All Rights Reserved.

Export of this software from the United States of America may
require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. Furthermore if you modify this software you must label
your software as modified software and not distribute it in such a
fashion that it might be confused with the original M.I.T. software.
M.I.T. makes no representations about the suitability of
this software for any purpose.
It is provided "as is" without express or implied warranty.
'''

import sys
import os
import re
import textwrap

from lxml import etree

from docmodel import *

exclude_types = [
    'TRUE', 'FALSE', 'KRB5_ATTR_DEPRECATED', 'KRB5_CALLCONV',
    'KRB5_CALLCONV_C', 'KRB5_CALLCONV_WRONG', 'KRB5_GENERAL__',
    'KRB5_KEYUSAGE_PA_REFERRAL', 'KRB5_OLD_CRYPTO', 'KRB5INT_BEGIN_DECLS',
    'KRB5INT_END_DECLS', 'krb5_cc_ops', 'krb5_octet_data'
]


class DoxyTypes(object):
    def __init__(self, xmlpath):
        self.xmlpath = xmlpath

    def run_compound(self, filename, include=None):
        # Parse the xml file of a compound (struct) and collect the
        # descriptions of its member variables.
        path = '%s/%s' % (self.xmlpath, filename)
        tree = etree.parse(path)
        root = tree.getroot()

        brief_node = root.xpath('./compounddef/briefdescription')[0]
        brief_description = self._get_brief_description(brief_node)
        details_node = root.xpath('./compounddef/detaileddescription')[0]
        detailed_description = self._get_detailed_description(details_node)

        fields = list()
        for node in root.iterfind(".//memberdef[@kind]"):
            data = {}
            kind = node.attrib['kind']
            if include is None or kind in include:
                if kind == 'variable':
                    data = self._process_variable_node(node)
                else:
                    pass
                fields.append(data)

        result = {'brief_description': brief_description,
                  'detailed_description': detailed_description,
                  'attributes': fields}

        return result

    def run(self, filename, include=None):
        """
        Parses xml file generated by doxygen.

        @param filename: doxygen xml file name
        @param include: member sections to include; if None, include all
        """
        path = '%s/%s' % (self.xmlpath, filename)
        tree = etree.parse(path)
        root = tree.getroot()
        result = list()
        for node in root.iterfind(".//memberdef[@kind]"):
            data = {}
            kind = node.attrib['kind']
            if include is None or kind in include:
                if kind == 'typedef':
                    data = self._process_typedef_node(node)
                elif kind == 'variable':
                    data = self._process_variable_node(node)
                elif kind == 'define':
                    data = self._process_define_node(node)
                if 'name' in data and data['name'] in exclude_types:
                    continue
                result.append(data)

        return result

    def _process_typedef_node(self, node):
        t_name = node.xpath('./name/text()')[0]
        t_Id = node.attrib['id']
        t_definition = node.xpath('./definition/text()')[0]
        t_type = self._process_type_node(node.xpath("./type")[0])
        brief_node = node.xpath('./briefdescription')[0]
        t_brief = self._get_brief_description(brief_node)
        details_node = node.xpath('./detaileddescription')[0]
        t_detailed = self._get_detailed_description(details_node)

        # remove macros
        t_definition = re.sub('KRB5_CALLCONV_C', '', t_definition)
        t_definition = re.sub('KRB5_CALLCONV', '', t_definition)
        t_definition = re.sub(r'\*', '\\*', t_definition)

        # handle fp
        if t_type[1].find('(') >= 0:
            t_type = (t_type[0], None)

        typedef_descr = {'category': 'composite',
                         'definition': t_definition,
                         'name': t_name,
                         'Id': t_Id,
                         'initializer': '',
                         'type': t_type[1],
                         'short_description': t_brief,
                         'long_description': t_detailed,
                         'attributes': list()
                         }
        if t_type[0] is not None:
            filename = '%s.xml' % t_type[0]
            path = '%s/%s' % (self.xmlpath, filename)
            if not os.path.exists(path):
                # nothing can be done
                return typedef_descr

            compound_info = self.run_compound(filename)
            if compound_info is not None:
                brief_description = compound_info.get('brief_description')
                if brief_description is not None and len(brief_description):
                    # override brief description
                    typedef_descr['short_description'] = brief_description
                detailed_description = compound_info.get('detailed_description')
                if detailed_description is not None and len(detailed_description):
                    # check if this is not a duplicate
                    if detailed_description.find(t_detailed) < 0:
                        typedef_descr['long_description'] = '%s\n%s' % \
                            (detailed_description, typedef_descr['long_description'])
                typedef_descr['attributes'] = compound_info['attributes']

        return typedef_descr

    def _process_variable_node(self, node):
        v_name = node.xpath('./name/text()')[0]
        v_Id = node.attrib['id']
        v_definition = node.xpath('./definition/text()')[0]
        v_type = self._process_type_node(node.xpath("./type")[0])
        brief_node = node.xpath('./briefdescription')[0]
        v_brief = self._get_brief_description(brief_node)
        details_node = node.xpath('./detaileddescription')[0]
        detailed_description = self._get_detailed_description(details_node)

        # remove macros
        v_definition = re.sub('KRB5_CALLCONV_C', '', v_definition)
        v_definition = re.sub('KRB5_CALLCONV', '', v_definition)
        v_definition = re.sub(r'\*', '\\*', v_definition)

        variable_descr = {'category': 'variable',
                          'definition': v_definition,
                          'name': v_name,
                          'Id': v_Id,
                          'initializer': '',
                          'type': v_type[1],
                          'short_description': v_brief,
                          'long_description': detailed_description,
                          'attributes': list()
                          }

        return variable_descr

    def _process_define_node(self, node):
        d_name = node.xpath('./name/text()')[0]
        d_initializer = ''
        d_type = ''
        d_signature = ''

        # Process param/defname node
        if len(node.xpath('./param/defname')) > 0:
            prm_str = ''
            prm_list = list()
            for p in node.xpath("./param"):
                x = self._process_paragraph_content(p)
                if x is not None and len(x):
                    prm_list.append(x)
            if prm_list is not None:
                prm_str = prm_str.join(prm_list)
            d_signature = " %s (%s) " % (d_name, prm_str)
            d_signature = re.sub(r', \)', ')', d_signature).strip()

        if len(node.xpath('./initializer')) > 0:
            len_ref = len(node.xpath('./initializer/ref'))
            if len_ref > 0:
                d_type = self._process_type_node(node.xpath("./initializer/ref")[0])
                if len(d_type) > 0:
                    len_text = len(node.xpath('./initializer/text()'))
                    if len_text == 0 and d_type[1]:
                        d_initializer = d_type[1]
                    if len_text > 0 and len(node.xpath('./initializer/text()')[0]) > 0:
                        d_initializer = node.xpath('./initializer/text()')[0] + d_type[1]
                        if len_text > 1:
                            if node.xpath('./initializer/text()')[1] is not None:
                                d_initializer = d_initializer + node.xpath('./initializer/text()')[1]
            else:
                d_initializer = node.xpath('./initializer/text()')[0]

        d_Id = node.attrib['id']
        brief_node = node.xpath('./briefdescription')[0]
        d_brief = self._get_brief_description(brief_node)
        details_node = node.xpath('./detaileddescription')[0]
        detailed_description = self._get_detailed_description(details_node)

        # Condense multiline macros, stripping leading whitespace.
        d_initializer = re.sub(" *\\\\\n *", " ", d_initializer)

        define_descr = {'category': 'composite',
                        'definition': '',
                        'name': d_name,
                        'name_signature': d_signature,
                        'Id': d_Id,
                        'initializer': d_initializer,
                        'type': '',
                        'short_description': d_brief,
                        'long_description': detailed_description,
                        'attributes': list()
                        }

        return define_descr

    def _get_brief_description(self, node):
        result = list()
        for p in node.xpath("./para"):
            x = self._process_paragraph_content(p)
            if x is not None and len(x):
                result.append(x)
        result = '\n'.join(result)

        return result

    def _get_detailed_description(self, node):
        """
        Description node is comprised of <para>...</para> sections.
        There are a few types of these sections:
           a) Content section
           b) Return value section -- skip
           c) Parameter list section -- skip
        @param node: detailed description node
        """
        result = list()
        for p in node.xpath("./para"):
            if len(p.xpath("./simplesect[@kind='return']")):
                continue
            elif len(p.xpath("./parameterlist[@kind='param']")):
                continue
            else:
                x = self._process_paragraph_content(p)
                result.append(x)
        result = '\n'.join(result)

        return result

    def _process_paragraph_content(self, node):
        result = list()
        content = node.xpath(".//text()")
        for e in content:
            if node is e.getparent():
                result.append(e.strip())
            elif e.getparent().tag == 'ref':
                if e.is_tail:
                    result.append(e.strip())
                elif e.strip().find('(') > 0:
                    result.append(':c:func:`%s`' % e.strip())
                elif e.isupper():
                    result.append(':c:data:`%s`' % e.strip())
                else:
                    result.append(':c:type:`%s`' % e.strip())
            elif e.getparent().tag == 'emphasis':
                if e.is_tail:
                    result.append(e.strip())
                else:
                    result.append('*%s*' % e.strip())
            elif e.getparent().tag == 'computeroutput':
                if e.is_tail:
                    result.append(e.strip())
                else:
                    result.append('*%s*' % e.strip())
            elif e.getparent().tag == 'defname':
                result.append('%s, ' % e.strip())
            elif e.getparent().tag == 'verbatim':
                # emit as an rst literal block
                result.append('\n::\n\n')
                result.append(textwrap.indent(e, '    ', lambda x: True))
                result.append('\n')
        result = ' '.join(result)

        return result

    def _process_type_node(self, node):
        """
        Type node has form
            <type>type_string</type>
        for built-in types and
            <type>
              <ref refid=refid>
                 'type_name'
              </ref>
              postfix (ex. *, **m, etc.)
            </type>
        for user defined types.
        """
        p_id = node.xpath("./ref/@refid")
        if len(p_id) == 1:
            p_id = p_id[0]
        elif len(p_id) == 0:
            p_id = None

        p_type = ' '.join(node.xpath(".//text()"))

        # remove macros
        p_type = re.sub('KRB5_CALLCONV_C', ' ', p_type)
        p_type = re.sub('KRB5_CALLCONV', ' ', p_type)

        return (p_id, p_type)

    def save(self, obj, templates, target_dir):
        template_path = templates[obj.category]
        outpath = '%s/%s.rst' % (target_dir, obj.name)
        obj.save(outpath, template_path)


class DoxyBuilderTypes(DoxyTypes):
    def __init__(self, xmlpath, rstpath):
        self.templates = {'composite': 'type_document.tmpl'}
        self.target_dir = rstpath

        super(DoxyBuilderTypes, self).__init__(xmlpath)

    def run_all(self):
        self.process_typedef_nodes()
        self.process_define_nodes()

    def test_run(self):
        filename = 'krb5_8hin.xml'
        self.run(filename)

    def process_variable_nodes(self):
        filename = 'struct__krb5__octet__data.xml'
        result = self.run(filename, include=['variable'])

    def process_typedef_nodes(self):
        # run parser for typedefs
        filename = 'krb5_8hin.xml'
        result = self.run(filename, include=['typedef'])
        target_dir = '%s/types' % (self.target_dir)
        if not os.path.exists(target_dir):
            os.makedirs(target_dir, 0o755)
        for t in result:
            obj = DocModel(**t)
            self.save(obj, self.templates, target_dir)

    def process_define_nodes(self):
        # run parser for define's
        filename = 'krb5_8hin.xml'
        result = self.run(filename, include=['define'])
        target_dir = '%s/macros' % (self.target_dir)
        if not os.path.exists(target_dir):
            os.makedirs(target_dir, 0o755)
        for t in result:
            obj = DocModel(**t)
            tmpl = {'composite': 'define_document.tmpl'}
            self.save(obj, tmpl, target_dir)


if __name__ == '__main__':
    # xml input directory and rst output directory from the command line
    # (normally this module is driven by doxy.py instead)
    xml_inpath, rst_outpath = sys.argv[1], sys.argv[2]
    builder = DoxyBuilderTypes(xml_inpath, rst_outpath)
    builder.run_all()

krb5-1.19.2/doc/kadm5-errmsg.txt

Proposed approach for passing more detailed error messages across the
kadm5 API:

We've already got too many init functions and too many options.
Multiplying the number of init functions isn't feasible.

Create an (opaque to application) init-options type, create/destroy functions for it, set-creds/set-keytab/set-password functions, and a kadm5-init-with-options function. (Optional: Reimplement the current init functions as wrappers around these.)

Add a set-context function which saves away in the init-options object a krb5_context to be used in the new server handle instead of creating a new one. (Destroying a server handle with such a "borrowed" krb5 context should probably not destroy the context.)

Calls within the library should store any error messages in the context contained in the server handle. Error messages produced during initialization should also be stored in this context. The caller of these functions can use krb5_get_error_message to extract the text of the error message from the supplied context.

Unless we determine it's safe, we should probably assert (for now) that each server handle must have a different context. (That's aside from the thread safety issues.) These contexts should have been created with kadm5_init_krb5_context, which will decide whether to look at the KDC config file depending on whether you're using the client-side or server-side version of the library. (Same as for kadmin vs kadmin.local.)

Notes:

* The existing API must continue to work, without changes. There is external code we need to continue to support.

* We considered a variant where the application could retrieve the error message from the server handle using a new kadm5_get_error_message function. However, the initialization code is one likely place where the errors would occur (can't authenticate, etc), and in that case, there is no server handle from which to extract the context. A function to retrieve the library-created krb5_context from the server handle would have the same problem. Using a separate approach to deal with errors at initialization time, in combination with the above, might work.
  But we still wind up either creating the init-with-options interface or adding error-message-return variants of multiple existing init functions.

To do:

* Write up specifics (including function names -- the names used here aren't meant to be definitive) and discuss on krbdev.
* Implement library part.
* Change kadmin and kdc to use it.

krb5-1.19.2/doc/html/genindex.html

Index — MIT Kerberos Documentation

krb5-1.19.2/doc/html/_sources/basic/stash_file_def.rst.txt

.. _stash_definition:

stash file
============

The stash file is a local copy of the master key that resides in encrypted form on the KDC's local disk. The stash file is used to authenticate the KDC to itself automatically before starting the :ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the machine's boot sequence). The stash file, like the keytab file (see :ref:`keytab_file`), is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC's local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself.

.. note::

    If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot.
krb5-1.19.2/doc/html/_sources/basic/rcache_def.rst.txt

.. _rcache_definition:

replay cache
============

A replay cache (or "rcache") keeps track of all authenticators recently presented to a service. If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program.

The replay cache interface, like the credential cache and :ref:`keytab_definition` interfaces, uses `type:residual` strings to indicate the type of replay cache and any associated cache naming data to use.

Background information
----------------------

Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service. But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re-sending or "replaying" the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed. The attacker may not know what the messages say, and can't generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time. For example, if the legitimate client sends "delete first message in mailbox", a replay from an attacker may delete another, different "first" message. (Protocol design to guard against such problems has been discussed in :rfc:`4120#section-10`.)
Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and "replay" it against the second.

The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five-minute window expires. Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same.

This mechanism isn't perfect. If a message is sent to one application server but a man-in-the-middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host. This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked.

Replay cache types
------------------

Unlike the credential cache and keytab interfaces, replay cache types are in lowercase. The following types are defined:

#. **none** disables the replay cache. The residual value is ignored.

#. **file2** (new in release 1.18) uses a hash-based format to store replay records. The file may grow to accommodate hash collisions. The residual value is the filename.

#. **dfl** is the default type if no environment variable or configuration specifies a different type. It stores replay data in a file2 replay cache with a filename based on the effective uid. The residual value is ignored.
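The dfl type's file location and safe-open rules, as this section goes on to specify them (directory from **KRB5RCACHEDIR**, then **TMPDIR**, then a build-time default; filename ``krb5_EUID.rcache2``; open without following symbolic links and verify the owner matches the effective uid), modelled in Python as an added example. This is not krb5's own code: it assumes a POSIX host, takes the environment as an explicit dict, and uses ``/var/tmp`` (the RCTMPDIR default from the build documentation) as the assumed build-time directory.

```python
import os
import stat
import tempfile

# Assumed build-time default, used when neither environment variable is
# set.  /var/tmp is the RCTMPDIR default named in the build documentation.
DEFAULT_RCACHE_DIR = "/var/tmp"


def dfl_rcache_path(env, euid, default_dir=DEFAULT_RCACHE_DIR):
    """Return the dfl replay cache path for this environment and euid.

    Directory preference: KRB5RCACHEDIR, then TMPDIR, then the
    build-time default.  The filename is krb5_<EUID>.rcache2.
    """
    directory = env.get("KRB5RCACHEDIR") or env.get("TMPDIR") or default_dir
    return os.path.join(directory, "krb5_%d.rcache2" % euid)


def open_dfl_rcache(path, euid):
    """Open the replay cache file the way the dfl type requires.

    O_NOFOLLOW refuses to traverse a symlink at the final path
    component, which is what protects a shared temp directory against
    a planted link.  After opening, the ownership of the file actually
    opened is checked against the effective uid, so a pre-created file
    belonging to another user is rejected as well.  Returns an open
    file descriptor; raises OSError/PermissionError otherwise.
    """
    flags = os.O_RDWR | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("%s is not a regular file" % path)
        if st.st_uid != euid:
            raise PermissionError("%s is owned by uid %d, expected %d"
                                  % (path, st.st_uid, euid))
    except Exception:
        os.close(fd)
        raise
    return fd


def demo_symlink_rejected():
    """Constructed scenario: a symlink planted where the cache should be.

    Returns True when the open is refused, i.e. the link was not
    followed.  Everything happens inside a private temporary directory.
    """
    euid = os.geteuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = dfl_rcache_path({"KRB5RCACHEDIR": tmp}, euid)
        target = os.path.join(tmp, "victim")
        open(target, "w").close()
        os.symlink(target, path)
        try:
            fd = open_dfl_rcache(path, euid)
        except OSError:
            return True
        os.close(fd)
        return False


def demo_foreign_owner_rejected():
    """Constructed scenario: the file exists but is not owned by the
    caller (simulated by checking against a uid other than our own)."""
    euid = os.geteuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = dfl_rcache_path({"KRB5RCACHEDIR": tmp}, euid)
        open(path, "w").close()  # created and owned by us
        try:
            os.close(open_dfl_rcache(path, euid + 1))
        except PermissionError:
            return True
        return False


def demo_normal_open():
    """Happy path: no file yet, so it is created private to the caller.

    Returns (filename follows krb5_EUID.rcache2, no group/other bits set).
    """
    euid = os.geteuid()
    with tempfile.TemporaryDirectory() as tmp:
        path = dfl_rcache_path({"TMPDIR": tmp}, euid)
        fd = open_dfl_rcache(path, euid)
        mode = stat.S_IMODE(os.fstat(fd).st_mode)
        os.close(fd)
        return (os.path.basename(path) == "krb5_%d.rcache2" % euid,
                mode & 0o077 == 0)
```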
For the dfl type, the location of the replay cache file is determined as follows:

#. The directory is taken from the **KRB5RCACHEDIR** environment variable, or the **TMPDIR** environment variable, or a temporary directory determined at configuration time such as ``/var/tmp``, in descending order of preference.

#. The filename is ``krb5_EUID.rcache2`` where EUID is the effective uid of the process.

#. The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid.

On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the **KRB5RCACHEDIR** environment variable. The filename on Windows is ``krb5.rcache2``, and the file is opened normally.

Default replay cache name
-------------------------

The default replay cache name is determined by the following, in descending order of priority:

#. The **KRB5RCACHENAME** environment variable (new in release 1.18).

#. The **KRB5RCACHETYPE** environment variable. If this variable is set, the residual value is empty.

#. The **default_rcache_name** profile variable in :ref:`libdefaults` (new in release 1.18).

#. If none of the above are set, the default replay cache name is ``dfl:``.

krb5-1.19.2/doc/html/_sources/basic/index.rst.txt

.. _basic_concepts:

Kerberos V5 concepts
====================

.. toctree::
   :maxdepth: 1

   ccache_def
   keytab_def
   rcache_def
   stash_file_def
   date_format

krb5-1.19.2/doc/html/_sources/basic/date_format.rst.txt

.. _datetime:

Supported date and time formats
===============================

.. _duration:

Time duration
-------------

This format is used to express a time duration in the Kerberos configuration files and user commands.
The allowed formats are:

====================== ============== ============
Format                 Example        Value
---------------------- -------------- ------------
h:m[:s]                36:00          36 hours
NdNhNmNs               8h30s          8 hours 30 seconds
N (number of seconds)  3600           1 hour
====================== ============== ============

Here *N* denotes a number, *d* - days, *h* - hours, *m* - minutes, *s* - seconds.

.. note::

    The time interval should not exceed 2147483647 seconds.

Examples::

    Request a ticket valid for one hour, five hours, 30 minutes and 10 days respectively:

      kinit -l 3600
      kinit -l 5:00
      kinit -l 30m
      kinit -l "10d 0h 0m 0s"

.. _getdate:

getdate time
------------

Some of the kadmin and kdb5_util commands take a date-time in a human-readable format. Some of the acceptable date-time strings are:

+-----------+------------------+-----------------+
|           | Format           | Example         |
+===========+==================+=================+
| Date      | mm/dd/yy         | 07/27/12        |
|           +------------------+-----------------+
|           | month dd, yyyy   | Jul 27, 2012    |
|           +------------------+-----------------+
|           | yyyy-mm-dd       | 2012-07-27      |
+-----------+------------------+-----------------+
| Absolute  | HH:mm[:ss]pp     | 08:30 PM        |
| time      +------------------+-----------------+
|           | hh:mm[:ss]       | 20:30           |
+-----------+------------------+-----------------+
| Relative  | N tt             | 30 sec          |
| time      |                  |                 |
+-----------+------------------+-----------------+
| Time zone | Z                | EST             |
|           +------------------+-----------------+
|           | z                | -0400           |
+-----------+------------------+-----------------+

(See :ref:`abbreviation`.)

Examples::

    Create a principal that expires on the date indicated:

      addprinc test1 -expire "3/27/12 10:00:07 EST"
      addprinc test2 -expire "January 23, 2015 10:05pm"
      addprinc test3 -expire "22:00 GMT"

    Add a principal that will expire in 30 minutes:

      addprinc test4 -expire "30 minutes"
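The duration grammar from the table above and the getdate relative form ``N tt``, as an added Python parser that is not krb5's own code: it accepts the three duration forms (units may be separated by spaces, as in the ``"10d 0h 0m 0s"`` example), enforces the 2147483647-second cap from the note, and rejects malformed input instead of guessing.

```python
import re

# Upper bound stated in the documentation note (a signed 32-bit count of
# seconds).  Values above it are rejected rather than silently wrapped.
MAX_DURATION = 2147483647

_HMS_RE = re.compile(r"^(\d+):(\d+)(?::(\d+))?$")
_UNITS_RE = re.compile(r"(\d+)\s*([dhms])", re.IGNORECASE)
_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

# Relative-time units from the abbreviation list (tt).
_TT_SECONDS = {"hours": 3600, "minutes": 60, "min": 60, "seconds": 1, "sec": 1}


def parse_duration(text):
    """Parse a krb5 time duration and return it as a number of seconds.

    Accepted forms, as in the table:
      h:m[:s]    e.g. "36:00"  -> 36 hours
      NdNhNmNs   e.g. "8h30s"  -> 8 hours 30 seconds
      N          e.g. "3600"   -> 3600 seconds
    Raises ValueError on anything else or on a value over MAX_DURATION.
    """
    s = text.strip()
    if not s:
        raise ValueError("empty duration")

    if s.isdigit():  # plain number of seconds
        total = int(s)
    else:
        m = _HMS_RE.match(s)
        if m:  # h:m[:s]
            hours, minutes, seconds = m.groups()
            total = int(hours) * 3600 + int(minutes) * 60 + int(seconds or 0)
        else:  # NdNhNmNs: any subset of the units, optional spaces between
            total, pos = 0, 0
            for m in _UNITS_RE.finditer(s):
                if s[pos:m.start()].strip():
                    raise ValueError("unexpected text in duration: %r" % text)
                total += int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]
                pos = m.end()
            if pos == 0 or s[pos:].strip():
                raise ValueError("not a duration: %r" % text)

    if total > MAX_DURATION:
        raise ValueError("duration %d exceeds %d seconds" % (total, MAX_DURATION))
    return total


def is_valid_duration(text):
    """True if parse_duration accepts the string, False otherwise."""
    try:
        parse_duration(text)
    except ValueError:
        return False
    return True


def parse_relative(text):
    """Parse the getdate relative form "N tt" (e.g. "30 minutes") into seconds.

    Keywords are case-insensitive, matching the note in this document.
    """
    parts = text.strip().lower().split()
    if len(parts) != 2 or not parts[0].isdigit() or parts[1] not in _TT_SECONDS:
        raise ValueError("not a relative time: %r" % text)
    return int(parts[0]) * _TT_SECONDS[parts[1]]


def check_examples():
    """The four kinit -l examples above, converted to seconds."""
    return [parse_duration(x) for x in ("3600", "5:00", "30m", "10d 0h 0m 0s")]
```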
.. _abstime:

Absolute time
-------------

This rarely used date-time format can be noted in one of the following ways:

+------------------------+----------------------+--------------+
| Format                 | Example              | Value        |
+========================+======================+==============+
| yyyymmddhhmmss         | 20141231235900       | One minute   |
+------------------------+----------------------+ before 2015  |
| yyyy.mm.dd.hh.mm.ss    | 2014.12.31.23.59.00  |              |
+------------------------+----------------------+              |
| yymmddhhmmss           | 141231235900         |              |
+------------------------+----------------------+              |
| yy.mm.dd.hh.mm.ss      | 14.12.31.23.59.00    |              |
+------------------------+----------------------+              |
| dd-month-yyyy:hh:mm:ss | 31-Dec-2014:23:59:00 |              |
+------------------------+----------------------+--------------+
| hh:mm:ss               | 20:00:00             | 8 o'clock in |
+------------------------+----------------------+ the evening  |
| hhmmss                 | 200000               |              |
+------------------------+----------------------+--------------+

(See :ref:`abbreviation`.)

Example::

    Set the default expiration date to July 27, 2012 at 20:30

      default_principal_expiration = 20120727203000

.. _abbreviation:

Abbreviations used in this document
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

| *month* : locale’s month name or its abbreviation;
| *dd* : day of month (01-31);
| *HH* : hours (00-12);
| *hh* : hours (00-23);
| *mm* : in time - minutes (00-59); in date - month (01-12);
| *N* : number;
| *pp* : AM or PM;
| *ss* : seconds (00-60);
| *tt* : time units (hours, minutes, min, seconds, sec);
| *yyyy* : year;
| *yy* : last two digits of the year;
| *Z* : alphabetic time zone abbreviation;
| *z* : numeric time zone;

.. note::

    - If the date specification contains spaces, you may need to enclose it in double quotes;
    - All keywords are case-insensitive.

krb5-1.19.2/doc/html/_sources/basic/keytab_def.rst.txt
.. _keytab_definition:

keytab
======

A keytab (short for "key table") stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications.

Keytabs are named using the format *type*\ ``:``\ *value*. Usually *type* is ``FILE`` and *value* is the absolute pathname of the file. The other possible value for *type* is ``MEMORY``, which indicates a temporary keytab stored in the memory of the current process.

A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself.

A keytab can be displayed using the :ref:`klist(1)` command with the ``-k`` option. Keytabs can be created or appended to by extracting keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd` command. Keytabs can be manipulated using the :ref:`ktutil(1)` and :ref:`k5srvutil(1)` commands.

Default keytab
--------------

The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference:

#. The **KRB5_KTNAME** environment variable.

#. The **default_keytab_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |keytab|.

Default client keytab
---------------------

The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications. The principal name of the first entry in the client keytab is used by default when obtaining initial credentials.
The name of the default client keytab is determined by the following, in decreasing order of preference:

#. The **KRB5_CLIENT_KTNAME** environment variable.

#. The **default_client_keytab_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |ckeytab|.

krb5-1.19.2/doc/html/_sources/basic/ccache_def.rst.txt

.. _ccache_definition:

Credential cache
================

A credential cache (or "ccache") holds Kerberos credentials while they remain valid and, generally, while the user's session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn't require contacting the KDC every time.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user's account if the machine is compromised.

A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the :ref:`klist(1)` *-A* output. Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself. There are also other entries, indicated by special names, that store additional information.

ccache types
------------

The credential cache interface, like the :ref:`keytab_definition` and :ref:`rcache_definition` interfaces, uses `TYPE:value` strings to indicate the type of credential cache and any associated cache naming data to use.

There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform.
In most cases, it should be correct to use the default type built into the library.

#. **API** is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

#. **DIR** points to the storage location of the collection of the credential caches in *FILE:* format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for the parent directory to exist, and the current process must have permissions to create the directory if it does not exist. See :ref:`col_ccache` for details. New in release 1.10. The following residual forms are supported:

   * DIR:dirname
   * DIR::dirpath/filename - a single cache within the directory

   Switching to a ccache of the latter type causes it to become the primary for the directory.

#. **FILE** caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type if no type is specified in a ccache name.

#. **KCM** caches work by contacting a daemon process called ``kcm`` to perform cache operations. If the cache name is just ``KCM:``, the default cache as determined by the KCM daemon will be used. Newly created caches must generally be named ``KCM:uid:name``, where *uid* is the effective user ID of the running process.

   KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the **KCM** cache type is used as the default cache on that platform in a default build.

#. **KEYRING** is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it.
   The following residual forms are supported:

   * KEYRING:name
   * KEYRING:process:name - process keyring
   * KEYRING:thread:name - thread keyring

   Starting with release 1.12 the *KEYRING* type supports collections. The following new residual forms were added:

   * KEYRING:session:name - session keyring
   * KEYRING:user:name - user keyring
   * KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring.

   See :ref:`col_ccache` for details.

#. **MEMORY** caches are for storage of credentials that don't need to be made available outside of the current process. For example, a memory ccache is used by :ref:`kadmin(1)` to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

#. **MSLSA** is a Windows-specific cache type that accesses the Windows credential store.

.. _col_ccache:

Collections of caches
---------------------

Some credential cache types can support collections of multiple caches. One of the caches in the collection is designated as the *primary* and will be used when the collection is resolved as a cache. When a collection-enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm.

Credential cache collections are new in release 1.10, with support from the **DIR** and **API** ccache types. Starting in release 1.12, collections are also supported by the **KEYRING** ccache type. Collections are supported by the **KCM** ccache type in release 1.13.
Tool alterations to use cache collection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection.

* If the default cache type supports switching, :ref:`kinit(1)` *princname* will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache.

* :ref:`klist(1)` *-l* will list the caches in the collection.

* :ref:`klist(1)` *-A* will show the content of all caches in the collection.

* :ref:`kswitch(1)` *-p princname* will search the collection for a matching cache and switch to it.

* :ref:`kswitch(1)` *-c cachename* will switch to a specified cache.

Default ccache name
-------------------

The default credential cache name is determined by the following, in descending order of priority:

#. The **KRB5CCNAME** environment variable. For example, ``KRB5CCNAME=DIR:/mydir/``.

#. The **default_ccache_name** profile variable in :ref:`libdefaults`.

#. The hardcoded default, |ccache|.

krb5-1.19.2/doc/html/_sources/build/directory_org.rst.txt

Organization of the source directory
====================================

Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow.
=============== ==============================================
appl            Kerberos application client and server programs
ccapi           Credential cache services
clients         Kerberos V5 user programs (See :ref:`user_commands`)
config          Configure scripts
config-files    Sample Kerberos configuration files
include         include files needed to build the Kerberos system
kadmin          Administrative interface to the Kerberos database: :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`.
kdc             Kerberos V5 Authentication Service and Key Distribution Center
lib_            Libraries for use with/by Kerberos V5
plugins         Kerberos plugins directory
po              Localization infrastructure
prototype       Templates files containing the MIT copyright message and a placeholder for the title and description of the file.
kprop           Utilities for propagating the database to replica KDCs :ref:`kprop(8)` and :ref:`kpropd(8)`
tests           Test suite
util_           Various utilities for building/configuring the code, sending bug reports, etc.
windows         Source code for building Kerberos V5 on Windows (see windows/README)
=============== ==============================================

.. _lib:

lib
---

The lib directory contains several subdirectories as well as some definition and glue files.

- The apputils directory contains the code for the generic network servicing.
- The crypto subdirectory contains the Kerberos V5 encryption library.
- The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication.
- The kadm5 directory contains the libraries for the KADM5 administration utilities.
- The Kerberos 5 database libraries are contained in kdb.
- The krb5 directory contains the Kerberos 5 API.
- The rpc directory contains the API for the Kerberos Remote Procedure Call protocol.

.. _util:

util
----

The util directory contains several utility programs and libraries.

- the programs used to configure and build the code, such as autoconf, lndir, kbuild, reconf, and makedepend, are in this directory.
- the profile directory contains most of the functions which parse the Kerberos configuration files (krb5.conf and kdc.conf).
- the Kerberos error table library and utilities (et);
- the Sub-system library and utilities (ss);
- database utilities (db2);
- pseudo-terminal utilities (pty);
- bug-reporting program send-pr;
- a generic support library support used by several of our other libraries;
- the build infrastructure for building a lightweight Kerberos client (collected-client-lib);
- the tool for validating Kerberos configuration files (confvalidator);
- the toolkit for kernel integrators for building krb5 code subsets (gss-kernel-lib);
- source code for building Kerberos V5 on MacOS (mac);
- Windows getopt operations (windows).

krb5-1.19.2/doc/html/_sources/build/osconf.rst.txt

osconf.hin
==========

There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution::

    include/osconf.hin

The list that follows is by no means complete, just some of the more interesting variables.

**DEFAULT_PROFILE_PATH**
    The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is |krb5conf|.

**DEFAULT_KEYTAB_NAME**
    The type and pathname to the default server keytab file. The default is |keytab|.

**DEFAULT_KDC_ENCTYPE**
    The default encryption type for the KDC database master key. The default value is |defmkey|.

**RCTMPDIR**
    The directory which stores replay caches. The default is ``/var/tmp``.

**DEFAULT_KDB_FILE**
    The location of the default database. The default value is |kdcdir|\ ``/principal``.

krb5-1.19.2/doc/html/_sources/build/doing_build.rst.txt

Doing the build
===============
.. _do_build:

Building within a single tree
-----------------------------

If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at OS Incompatibilities, for notes that we have on particular operating systems.

If you don't want separate build trees for each architecture, then use the following abbreviated procedure::

    cd /u1/krb5-VERSION/src
    ./configure
    make

That's it!

Building with separate build directories
----------------------------------------

If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your make program support VPATH. GNU's make will provide this functionality, for example.) If your make program does not support this, see the next section.

For example, if you wish to store the binaries in the ``tmpbuild`` build directory you might use the following procedure::

    mkdir /u1/tmpbuild
    cd /u1/tmpbuild
    /u1/krb5-VERSION/src/configure
    make

Building using lndir
--------------------

If you wish to keep separate build directories for each platform, and you do not have access to a make program which supports VPATH, all is not lost. You can use the lndir program to create symbolic link trees in your build directory.

For example, if you wish to create a build directory for solaris binaries you might use the following procedure::

    mkdir /u1/krb5-VERSION/solaris
    cd /u1/krb5-VERSION/solaris
    /u1/krb5-VERSION/src/util/lndir `pwd`/../src
    ./configure
    make

You must give an absolute pathname to lndir because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable.
Installing the binaries
-----------------------

Once you have built Kerberos, you should install the binaries. You can do this by running::

    make install

If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use::

    make install DESTDIR=/path/to/destdir

This will install the binaries under *DESTDIR/PREFIX*, e.g., the user programs will install into *DESTDIR/PREFIX/bin*, the libraries into *DESTDIR/PREFIX/lib*, etc. *DESTDIR* must be an absolute path.

Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds with GNU make only; they may not be compatible with other parallel build implementations.

Testing the build
-----------------

The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you typed make to start building Kerberos; see :ref:`do_build`)::

    make check

However, there are several prerequisites that must be satisfied first:

* Configure and build Kerberos with Tcl support. Tcl is used to drive the test suite. This often means passing **-**\ **-with-tcl** to configure to tell it the location of the Tcl configuration script. (See :ref:`options2configure`.)

* In addition to Tcl, DejaGnu must be available on the system for some of the tests to run. The test suite will still run the other tests if DejaGnu is not present, but the test coverage will be reduced accordingly.

* On some operating systems, you have to run ``make install`` before running ``make check``, or the test suite will pick up installed versions of Kerberos libraries rather than the newly built ones. You can install into a prefix that isn't in the system library search path, though.
Alternatively, you can configure with **-**\ **-disable-rpath**, which renders the build tree less suitable for installation, but allows testing without interference from previously installed libraries. There are additional regression tests available, which are not run by ``make check``. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at https://k5wiki.kerberos.org/wiki/Manual_Testing. Cleaning up the build --------------------- * Use ``make clean`` to remove all files generated by running make command. * Use ``make distclean`` to remove all files generated by running ./configure script. After running ``make distclean`` your source tree (ideally) should look like the raw (just un-tarred) source tree. Using autoconf -------------- (If you are not a developer, you can ignore this section.) In the Kerberos V5 source directory, there is a configure script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. This configure script is generated using autoconf, which you should already have installed if you will be making changes to ``src/configure.in``. Normal users will not need to worry about running autoconf; the distribution comes with the configure script already prebuilt. The autoconf package comes with a script called ``autoreconf`` that will automatically run ``autoconf`` and ``autoheader`` as needed. You should run ``autoreconf`` from the top source directory, e.g.:: cd /u1/krb5-VERSION/src autoreconf --verbose krb5-1.19.2/doc/html/_sources/build/index.rst.txt0000644000704600001450000000413214076311665023163 0ustar ghudsonsystemd-journal.. _build_V5: Building Kerberos V5 ==================== This section details how to build and install MIT Kerberos software from the source. 
Prerequisites
-------------

In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space.  The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not.

Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89").  Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance.

If you wish to keep a separate build tree, which contains the compiled \*.o file and executables, separate from your source tree, you will need a make program which supports **VPATH**, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree.

Obtaining the software
----------------------

The source code can be obtained from MIT Kerberos Distribution page, at https://kerberos.org/dist/index.html.  The MIT Kerberos distribution comes in an archive file, generally named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for the major and minor versions of MIT Kerberos.  (For example, MIT Kerberos 1.9 has major version "1" and minor version "9".)

The krb5-VERSION-signed.tar contains a compressed tar file consisting of the sources for all of Kerberos (generally named krb5-VERSION.tar.gz) and a PGP signature file for this source tree (generally named krb5-VERSION.tar.gz.asc).  MIT highly recommends that you verify the integrity of the source code using this signature, e.g., by running::

    tar xf krb5-VERSION-signed.tar
    gpg --verify krb5-VERSION.tar.gz.asc

Unpack krb5-VERSION.tar.gz in some directory.  In this section we will assume that you have chosen ``/u1/krb5-VERSION`` as the top directory of the distribution.

Review the README file for the license, copyright and other information specific to the distribution.

Contents
--------

.. toctree::
   :maxdepth: 1

   directory_org.rst
   doing_build.rst
   options2configure.rst
   osconf.rst

krb5-1.19.2/doc/html/_sources/build/options2configure.rst.txt

.. _options2configure:

Options to *configure*
======================

There are a number of options to configure which you can use to control how the Kerberos distribution is built.

Most commonly used options
--------------------------

**-**\ **-help**
    Provides help to configure.  This will list the set of commonly used options for building Kerberos.

**-**\ **-prefix=**\ *PREFIX*
    By default, Kerberos will install the package's files rooted at ``/usr/local``.  If you desire to place the binaries into the directory *PREFIX*, use this option.

**-**\ **-exec-prefix=**\ *EXECPREFIX*
    This option allows one to separate the architecture independent programs from the host-dependent files (configuration files, manual pages).  Use this option to install architecture-dependent programs in *EXECPREFIX*.  The default location is the value specified by the **-**\ **-prefix** option.

**-**\ **-localstatedir=**\ *LOCALSTATEDIR*
    This option sets the directory for locally modifiable single-machine data.  In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in ``LOCALSTATEDIR/krb5kdc``, which is by default ``PREFIX/var/krb5kdc``.

**-**\ **-with-netlib**\ [=\ *libs*]
    Allows for suppression of or replacement of network libraries.  By default, Kerberos V5 configuration will look for ``-lnsl`` and ``-lsocket``.  If your operating system has a broken resolver library or fails to pass the tests in ``src/tests/resolv``, you will need to use this option.

**-**\ **-with-tcl=**\ *TCLPATH*
    Some of the unit-tests in the build tree rely upon using a program in Tcl.  The directory specified by *TCLPATH* specifies where the Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl library (TCLPATH/lib) should be found.
**-**\ **-enable-dns-for-realm**
    Enable the use of DNS to look up a host's Kerberos realm, if the information is not provided in :ref:`krb5.conf(5)`.  See :ref:`mapping_hostnames` for information about using DNS to determine the default realm.  DNS lookups for realm names are disabled by default.

**-**\ **-with-system-et**
    Use an installed version of the error-table (et) support software, the compile_et program, the com_err.h header file and the com_err library.  If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well.

    If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against.

**-**\ **-with-system-ss**
    Use an installed version of the subsystem command-line interface software, the mk_cmds program, the ``ss/ss.h`` header file and the ss library.  If these are not in the default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well.  See also the **SS_LIB** option.

    If this option is not given, the ss library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately.

**-**\ **-with-system-db**
    Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85.  This option is unsupported and untested.  In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly.

    If this option is not given, a version supplied with the Kerberos sources will be built and installed.  (We are not updating this version at this time because of licensing issues with newer versions that we haven't investigated sufficiently yet.)

Environment variables
---------------------

**CC=**\ *COMPILER*
    Use *COMPILER* as the C compiler.
**CFLAGS=**\ *FLAGS*
    Use *FLAGS* as the default set of C compiler flags.

**CPP=**\ *CPP*
    C preprocessor to use (e.g., ``CPP='gcc -E'``).

**CPPFLAGS=**\ *CPPOPTS*
    Use *CPPOPTS* as the default set of C preprocessor flags.  The most common use of this option is to select certain #define's for use with the operating system's include files.

**DB_HEADER=**\ *headername*
    If db.h is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option.  For example, ``DB_HEADER=db3/db_185.h``.

**DB_LIB=**\ *libs*...
    If ``-ldb`` is not the correct library specification for the Berkeley DB library version to be used, override it with this option.  For example, ``DB_LIB=-ldb-3.3``.

**DEFCCNAME=**\ *ccachename*
    Override the built-in default credential cache name.  For example, ``DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache``.  See :ref:`parameter_expansion` for information about supported parameter expansions.

**DEFCKTNAME=**\ *keytabname*
    Override the built-in default client keytab name.  The format is the same as for *DEFCCNAME*.

**DEFKTNAME=**\ *keytabname*
    Override the built-in default keytab name.  The format is the same as for *DEFCCNAME*.

**LD=**\ *LINKER*
    Use *LINKER* as the default loader if it should be different from C compiler as specified above.

**LDFLAGS=**\ *LDOPTS*
    This option informs the linker where to get additional libraries (e.g., ``-L``).

**LIBS=**\ *LDNAME*
    This option allows one to specify libraries to be passed to the linker (e.g., ``-l``).

**SS_LIB=**\ *libs*...
    If ``-lss`` is not the correct way to link in your installed ss library, for example if additional support libraries are needed, specify the correct link options here.  Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified.

    This option is ignored if **-**\ **-with-system-ss** is not specified.
**YACC**
    The 'Yet Another C Compiler' implementation to use.  Defaults to the first program found out of: '`bison -y`', '`byacc`', '`yacc`'.

**YFLAGS**
    The list of arguments that will be passed by default to $YACC.  This script will default YFLAGS to the empty string to avoid a default value of ``-d`` given by some make applications.

Fine tuning of the installation directories
-------------------------------------------

**-**\ **-bindir=**\ *DIR*
    User executables.  Defaults to ``EXECPREFIX/bin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option.

**-**\ **-sbindir=**\ *DIR*
    System admin executables.  Defaults to ``EXECPREFIX/sbin``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option.

**-**\ **-sysconfdir=**\ *DIR*
    Read-only single-machine data such as krb5.conf.  Defaults to ``PREFIX/etc``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option.

**-**\ **-libdir=**\ *DIR*
    Object code libraries.  Defaults to ``EXECPREFIX/lib``, where *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** configuration option.

**-**\ **-includedir=**\ *DIR*
    C header files.  Defaults to ``PREFIX/include``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option.

**-**\ **-datarootdir=**\ *DATAROOTDIR*
    Read-only architecture-independent data root.  Defaults to ``PREFIX/share``, where *PREFIX* is the path specified by **-**\ **-prefix** configuration option.

**-**\ **-datadir=**\ *DIR*
    Read-only architecture-independent data.  Defaults to path specified by **-**\ **-datarootdir** configuration option.

**-**\ **-localedir=**\ *DIR*
    Locale-dependent data.  Defaults to ``DATAROOTDIR/locale``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option.

**-**\ **-mandir=**\ *DIR*
    Man documentation.  Defaults to ``DATAROOTDIR/man``, where *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** configuration option.
Program names
-------------

**-**\ **-program-prefix=**\ *PREFIX*
    Prepend *PREFIX* to the names of the programs when installing them.  For example, specifying ``--program-prefix=mit-`` at the configure time will cause the program named ``abc`` to be installed as ``mit-abc``.

**-**\ **-program-suffix=**\ *SUFFIX*
    Append *SUFFIX* to the names of the programs when installing them.  For example, specifying ``--program-suffix=-mit`` at the configure time will cause the program named ``abc`` to be installed as ``abc-mit``.

**-**\ **-program-transform-name=**\ *PROGRAM*
    Run ``sed -e PROGRAM`` on installed program names.  (*PROGRAM* is a sed script).

System types
------------

**-**\ **-build=**\ *BUILD*
    Configure for building on *BUILD* (e.g., ``--build=x86_64-linux-gnu``).

**-**\ **-host=**\ *HOST*
    Cross-compile to build programs to run on *HOST* (e.g., ``--host=x86_64-linux-gnu``).  By default, Kerberos V5 configuration uses the value of the **-**\ **-build** option.

Optional features
-----------------

**-**\ **-disable-option-checking**
    Ignore unrecognized --enable/--with options.

**-**\ **-disable-**\ *FEATURE*
    Do not include *FEATURE* (same as --enable-FEATURE=no).

**-**\ **-enable-**\ *FEATURE*\ [=\ *ARG*]
    Include *FEATURE* [ARG=yes].

**-**\ **-enable-maintainer-mode**
    Enable rebuilding of source files, Makefiles, etc.

**-**\ **-disable-delayed-initialization**
    Initialize library code when loaded.  Defaults to delay until first use.

**-**\ **-disable-thread-support**
    Don't enable thread support.  Defaults to enabled.

**-**\ **-disable-rpath**
    Suppress run path flags in link lines.

**-**\ **-enable-athena**
    Build with MIT Project Athena configuration.

**-**\ **-disable-kdc-lookaside-cache**
    Disable the cache which detects client retransmits.

**-**\ **-disable-pkinit**
    Disable PKINIT plugin support.

**-**\ **-disable-aesni**
    Disable support for using AES instructions on x86 platforms.

**-**\ **-enable-asan**\ [=\ *ARG*]
    Enable building with asan memory error checking.  If *ARG* is given, it controls the -fsanitize compilation flag value (the default is "address").

Optional packages
-----------------

**-**\ **-with-**\ *PACKAGE*\ [=ARG\]
    Use *PACKAGE* (e.g., ``--with-imap``).  The default value of *ARG* is ``yes``.

**-**\ **-without-**\ *PACKAGE*
    Do not use *PACKAGE* (same as ``--with-PACKAGE=no``) (e.g., ``--without-libedit``).

**-**\ **-with-size-optimizations**
    Enable a few optimizations to reduce code size possibly at some run-time cost.

**-**\ **-with-system-et**
    Use the com_err library and compile_et utility that are already installed on the system, instead of building and installing local versions.

**-**\ **-with-system-ss**
    Use the ss library and mk_cmds utility that are already installed on the system, instead of building and using private versions.

**-**\ **-with-system-db**
    Use the Berkeley DB utility already installed on the system, instead of using a private version.  This option is not recommended; enabling it may result in incompatibility with key databases originating on other systems.

**-**\ **-with-netlib=**\ *LIBS*
    Use the resolver library specified in *LIBS*.  Use this variable if the C library resolver is insufficient or broken.

**-**\ **-with-hesiod=**\ *path*
    Compile with Hesiod support.  The *path* points to the Hesiod directory.  By default Hesiod is unsupported.

**-**\ **-with-ldap**
    Compile OpenLDAP database backend module.

**-**\ **-with-lmdb**
    Compile LMDB database backend module.

**-**\ **-with-tcl=**\ *path*
    Specifies that *path* is the location of a Tcl installation.  Tcl is needed for some of the tests run by 'make check'; such tests will be skipped if this option is not set.

**-**\ **-with-vague-errors**
    Do not send helpful errors to client.  For example, if the KDC should return only vague error codes to clients.

**-**\ **-with-crypto-impl=**\ *IMPL*
    Use specified crypto implementation (e.g., **-**\ **-with-crypto-impl=**\ *openssl*).  The default is the native MIT Kerberos implementation ``builtin``.  The other currently implemented crypto backend is ``openssl``.  (See :ref:`mitK5features`)

**-**\ **-with-prng-alg=**\ *ALG*
    Use specified PRNG algorithm.  For example, to use the OS native prng specify ``--with-prng-alg=os``.  The default is ``fortuna``.  (See :ref:`mitK5features`)

**-**\ **-without-libedit**
    Do not compile and link against libedit.  Some utilities will no longer offer command history or completion in interactive mode if libedit is disabled.

**-**\ **-with-readline**
    Compile and link against GNU readline, as an alternative to libedit.  Building with readline breaks the dejagnu test suite, which is a subset of the tests run by 'make check'.

**-**\ **-with-system-verto**
    Use an installed version of libverto.  If the libverto header and library are not in default locations, you may wish to specify ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options at configuration time as well.  If this option is not given, the build system will try to detect an installed version of libverto and use it if it is found.  Otherwise, a version supplied with the Kerberos sources will be built and installed.  The built-in version does not contain the full set of back-end modules and is not a suitable general replacement for the upstream version, but will work for the purposes of Kerberos.  Specifying **-**\ **-without-system-verto** will cause the built-in version of libverto to be used unconditionally.

**-**\ **-with-krb5-config=**\ *PATH*
    Use the krb5-config program at *PATH* to obtain the build-time default credential cache, keytab, and client keytab names.  The default is to use ``krb5-config`` from the program path.  Specify ``--without-krb5-config`` to disable the use of krb5-config and use the usual built-in defaults.

**-**\ **-without-keyutils**
    Build without libkeyutils support.  This disables the KEYRING credential cache type.
Examples
--------

For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options::

    % ./configure CC=suncc CFLAGS=-O

For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in ``/usr/foobar``, including Berkeley DB 3.3, and an ss library that needs to link against the curses library.  The configuration of Kerberos might be done thus::

    ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
        --with-system-et --with-system-ss --with-system-db \
        SS_LIB='-lss -lcurses' DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3

krb5-1.19.2/doc/html/_sources/mitK5defaults.rst.txt

.. _mitK5defaults:

MIT Kerberos defaults
=====================

General defaults
----------------

========================================== ============================= ====================
Description                                Default                       Environment
========================================== ============================= ====================
:ref:`keytab_definition` file              |keytab|                      **KRB5_KTNAME**
Client :ref:`keytab_definition` file       |ckeytab|                     **KRB5_CLIENT_KTNAME**
Kerberos config file :ref:`krb5.conf(5)`   |krb5conf|\ ``:``\            **KRB5_CONFIG**
                                           |sysconfdir|\ ``/krb5.conf``
KDC config file :ref:`kdc.conf(5)`         |kdcdir|\ ``/kdc.conf``       **KRB5_KDC_PROFILE**
GSS mechanism config file                  |sysconfdir|\ ``/gss/mech``   **GSS_MECH_CONFIG**
KDC database path (DB2)                    |kdcdir|\ ``/principal``
Master key :ref:`stash_definition`         |kdcdir|\ ``/.k5.``\ *realm*
Admin server ACL file :ref:`kadm5.acl(5)`  |kdcdir|\ ``/kadm5.acl``
OTP socket directory                       |kdcrundir|
Plugin base directory                      |libdir|\ ``/krb5/plugins``
:ref:`rcache_definition` directory         ``/var/tmp``                  **KRB5RCACHEDIR**
Master key default enctype                 |defmkey|
Default :ref:`keysalt list`                |defkeysalts|
Permitted enctypes                         |defetypes|
KDC default port                           88
Admin server port                          749
Password change port                       464
========================================== ============================= ====================

Replica KDC propagation defaults
--------------------------------

This table shows defaults used by the :ref:`kprop(8)` and :ref:`kpropd(8)` programs.

========================== ================================ ===========
Description                Default                          Environment
========================== ================================ ===========
kprop database dump file   |kdcdir|\ ``/replica_datatrans``
kpropd temporary dump file |kdcdir|\ ``/from_master``
kdb5_util location         |sbindir|\ ``/kdb5_util``
kprop location             |sbindir|\ ``/kprop``
kpropd ACL file            |kdcdir|\ ``/kpropd.acl``
kprop port                 754                              KPROP_PORT
========================== ================================ ===========

.. _paths:

Default paths for Unix-like systems
-----------------------------------

On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time.  For a custom build, these paths default to subdirectories of ``/usr/local``.  When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system's filesystem layout.

========================== ============= =========================== ===========================
Description                Symbolic name Custom build path           Typical OS path
========================== ============= =========================== ===========================
User programs              BINDIR        ``/usr/local/bin``          ``/usr/bin``
Libraries and plugins      LIBDIR        ``/usr/local/lib``          ``/usr/lib``
Parent of KDC state dir    LOCALSTATEDIR ``/usr/local/var``          ``/var``
Parent of KDC runtime dir  RUNSTATEDIR   ``/usr/local/var/run``      ``/run``
Administrative programs    SBINDIR       ``/usr/local/sbin``         ``/usr/sbin``
Alternate krb5.conf dir    SYSCONFDIR    ``/usr/local/etc``          ``/etc``
Default ccache name        DEFCCNAME     ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}``
Default keytab name        DEFKTNAME     ``FILE:/etc/krb5.keytab``   ``FILE:/etc/krb5.keytab``
========================== ============= =========================== ===========================

The default client keytab name (DEFCKTNAME) typically defaults to ``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom build.  A native build will typically use a path which will vary according to the operating system's layout of ``/var``.

krb5-1.19.2/doc/html/_sources/copyright.rst.txt

Copyright
=========

Copyright |copy| 1985-2021 by the Massachusetts Institute of Technology and its contributors.  All rights reserved.

See :ref:`mitK5license` for additional copyright and license information.

krb5-1.19.2/doc/html/_sources/user/pwd_mgmt.rst.txt

Password management
===================

Your password is the only way Kerberos has of verifying your identity.
If someone finds out your password, that person can masquerade as you---send email that comes from you, read, edit, or delete your files, or log into other hosts as you---and no one will be able to tell the difference.  For this reason, it is important that you choose a good password, and keep it secret.  If you need to give access to your account to someone else, you can do so through Kerberos (see :ref:`grant_access`).  You should never tell your password to anyone, including your system administrator, for any reason.  You should change your password frequently, particularly any time you think someone may have found out what it is.

Changing your password
----------------------

To change your Kerberos password, use the :ref:`kpasswd(1)` command.  It will ask you for your old password (to prevent someone else from walking up to your computer when you're not there and changing your password), and then prompt you for the new one twice.  (The reason you have to type it twice is to make sure you have typed it correctly.)  For example, user ``david`` would do the following::

    shell% kpasswd
    Password for david:    <- Type your old password.
    Enter new password:    <- Type your new password.
    Enter it again:        <- Type the new password again.
    Password changed.
    shell%

If ``david`` typed the incorrect old password, he would get the following message::

    shell% kpasswd
    Password for david:  <- Type the incorrect old password.
    kpasswd: Password incorrect while getting initial ticket
    shell%

If you make a mistake and don't type the new password the same way twice, kpasswd will ask you to try again::

    shell% kpasswd
    Password for david:  <- Type the old password.
    Enter new password:  <- Type the new password.
    Enter it again:      <- Type a different new password.
    kpasswd: Password mismatch while reading password
    shell%

Once you change your password, it takes some time for the change to propagate through the system.
Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more.  If you need to get new Kerberos tickets shortly after changing your password, try the new password.  If the new password doesn't work, try again using the old one.

.. _grant_access:

Granting access to your account
-------------------------------

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password.  Simply create a file called :ref:`.k5login(5)` in your home directory.  This file should contain the Kerberos principal of each person to whom you wish to give access.  Each principal must be on a separate line.  Here is a sample .k5login file::

    jennifer@ATHENA.MIT.EDU
    david@EXAMPLE.COM

This file would allow the users ``jennifer`` and ``david`` to use your user ID, provided that they had Kerberos tickets in their respective realms.  If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

Using a .k5login file is much safer than giving out your password, because:

* You can take access away any time simply by removing the principal from your .k5login file.

* Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges.

* Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time.

One common application is to have a .k5login file in root's home directory, giving root access to that machine to the Kerberos principals listed.  This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.
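Because a .k5login file in root's home directory is effectively the list of who may become root, it is worth auditing periodically.  The following is an added example, not part of the krb5 documentation or code base: it reads the file with the one-principal-per-line semantics described above, answers "would this principal be let in?" by exact line match (an assumption about how the comparison is done; escaped characters in principal names are not handled), and flags the entries a reviewer usually cares about: duplicated lines, principals from realms you did not expect, malformed lines that grant nothing (typically two principals pasted onto one line), and the owner's own principal being absent.  The sample file contents and realm names are constructed for the example.

```python
import re

# Simplified principal syntax (assumption): '/'-separated name components,
# then '@' and a realm.  krb5 also permits backslash escapes, which this
# audit does not try to interpret.
_PRINCIPAL_RE = re.compile(r"^[^@/\s\\]+(?:/[^@/\s\\]+)*@[^@\s\\]+$")

# Constructed sample .k5login contents; nothing here comes from a real host.
SAMPLE_K5LOGIN = """\
jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM
david@EXAMPLE.COM
contractor@PARTNER.EXAMPLE
alice@EXAMPLE.COM bob@EXAMPLE.COM
"""


def parse_k5login(text):
    """Return (lineno, line) pairs for every non-blank line, verbatim.

    Matching against a principal is assumed to be an exact string compare
    of the whole line, so no whitespace trimming is done here.
    """
    return [(n, line) for n, line in enumerate(text.splitlines(), 1) if line]


def is_authorized(text, principal):
    """True if *principal* appears on its own line of the .k5login file."""
    return any(line == principal for _, line in parse_k5login(text))


def audit_k5login(text, owner, expected_realms):
    """Report lines that are malformed, duplicated, or from unexpected realms.

    Returns {"granted": [principals that would be accepted],
             "findings": [(lineno, message), ...]}; lineno 0 marks a
    finding about the file as a whole.
    """
    granted, findings, seen = [], [], set()
    for lineno, line in parse_k5login(text):
        if not _PRINCIPAL_RE.match(line):
            # A line with spaces or a second '@' can never equal a principal
            # string, so it grants nothing, but it usually means someone
            # tried to put two principals on one line.
            findings.append((lineno, f"malformed entry (grants nothing): {line!r}"))
            continue
        if line in seen:
            findings.append((lineno, f"duplicate entry: {line}"))
            continue
        seen.add(line)
        granted.append(line)
        realm = line.rsplit("@", 1)[1]
        if realm not in expected_realms:
            findings.append((lineno, f"principal from unexpected realm {realm}: {line}"))
    if owner not in seen:
        findings.append((0, f"owner's own principal {owner} is not listed; "
                            "network logins as the owner need it"))
    return {"granted": granted, "findings": findings}


if __name__ == "__main__":
    report = audit_k5login(SAMPLE_K5LOGIN, "root@EXAMPLE.COM",
                           {"EXAMPLE.COM", "ATHENA.MIT.EDU"})
    for lineno, msg in report["findings"]:
        print(f"line {lineno}: {msg}")
```

Run against a real file with `audit_k5login(open(path).read(), owner, realms)`; the "granted" list is the set of identities the file actually admits, which is what a reviewer should compare against the change ticket or access policy.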
Password quality verification
-----------------------------

TODO

krb5-1.19.2/doc/html/_sources/user/index.rst.txt

For users
=========

.. toctree::
   :maxdepth: 2

   pwd_mgmt.rst
   tkt_mgmt.rst
   user_config/index.rst
   user_commands/index.rst

krb5-1.19.2/doc/html/_sources/user/user_commands/kinit.rst.txt

.. _kinit(1):

kinit
=====

SYNOPSIS
--------

**kinit** [**-V**] [**-l** *lifetime*] [**-s** *start_time*] [**-r** *renewable_life*] [**-p** | -**P**] [**-f** | -**F**] [**-a**] [**-A**] [**-C**] [**-E**] [**-v**] [**-R**] [**-k** [**-i** | -**t** *keytab_file*]] [**-c** *cache_name*] [**-n**] [**-S** *service_name*] [**-I** *input_ccache*] [**-T** *armor_ccache*] [**-X** *attribute*\ [=\ *value*]] [**--request-pac** | **--no-request-pac**] [*principal*]

DESCRIPTION
-----------

kinit obtains and caches an initial ticket-granting ticket for *principal*.  If *principal* is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit.  Some options modify the choice of principal name.

OPTIONS
-------

**-V**
    display verbose output.

**-l** *lifetime*
    (:ref:`duration` string.)  Requests a ticket with the lifetime *lifetime*.  For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``.  If the **-l** option is not specified, the default ticket lifetime (configured by each site) is used.  Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.

**-s** *start_time*
    (:ref:`duration` string.)  Requests a postdated ticket.  Postdated tickets are issued with the **invalid** flag set, and need to be resubmitted to the KDC for validation before use.
    *start_time* specifies the duration of the delay before the ticket can become valid.

**-r** *renewable_life*
    (:ref:`duration` string.)  Requests renewable tickets, with a total lifetime of *renewable_life*.

**-f**
    requests forwardable tickets.

**-F**
    requests non-forwardable tickets.

**-p**
    requests proxiable tickets.

**-P**
    requests non-proxiable tickets.

**-a**
    requests tickets restricted to the host's local address[es].

**-A**
    requests tickets not restricted by address.

**-C**
    requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested.

**-E**
    treats the principal name as an enterprise name.

**-v**
    requests that the ticket-granting ticket in the cache (with the **invalid** flag set) be passed to the KDC for validation.  If the ticket is within its requested time range, the cache is replaced with the validated ticket.

**-R**
    requests renewal of the ticket-granting ticket.  Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

    Note that renewable tickets that have expired as reported by :ref:`klist(1)` may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC clock skew.  See :ref:`krb5.conf(5)` **clockskew** setting.

**-k** [**-i** | **-t** *keytab_file*]
    requests a ticket, obtained from a key in the local host's keytab.  The location of the keytab may be specified with the **-t** *keytab_file* option, or with the **-i** option to specify the use of the default client keytab; otherwise the default keytab will be used.  By default, a host ticket for the local host is requested, but any principal may be specified.  On a KDC, the special keytab location ``KDB:`` can be used to indicate that kinit should open the KDC database and look up the key directly.  This permits an administrator to obtain tickets as any principal that supports authentication based on the key.

**-n**
    Requests anonymous processing.
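The **-l**, **-s** and **-r** options above all take a duration string, and the text notes that a lifetime longer than the site maximum is not honoured as requested.  The following is an added example (not code from the kinit page or the krb5 sources) that parses the two spellings the page shows, ``5:30`` (hours:minutes, optionally :seconds) and ``5h30m`` (d/h/m/s suffixes in that order), plus a bare integer meaning seconds, and then applies a site maximum to show the lifetime a request would actually yield.  The maximum values are constructed for the example; a real site sets them in kdc.conf.  Treating these forms as the krb5 duration grammar, and rejecting everything else, is an assumption of this example.

```python
import re

# Constructed site limits for the example (a real site sets max_life and
# max_renewable_life in kdc.conf and per-principal policy).
SITE_MAX_LIFE = 10 * 3600            # 10 hours
SITE_MAX_RENEWABLE_LIFE = 7 * 86400  # 7 days

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}
_UNIT_TOKEN = re.compile(r"(\d+)([dhms])")


def parse_duration(text):
    """Convert a kinit-style duration string to a number of seconds.

    Accepted (assumption, covering the forms the page shows):
      "3600"      bare integer, seconds
      "5:30"      hours:minutes, or "1:30:15" with seconds
      "5h30m"     d, h, m, s suffixes, each at most once, in that order
    A leading '-' negates the value.  Anything else raises ValueError.
    """
    s = text.strip()
    sign = 1
    if s.startswith("-"):
        sign, s = -1, s[1:]
    if not s:
        raise ValueError(f"empty duration: {text!r}")
    if s.isdigit():
        return sign * int(s)
    if ":" in s:
        parts = s.split(":")
        if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad h:m[:s] duration: {text!r}")
        hours, minutes = int(parts[0]), int(parts[1])
        seconds = int(parts[2]) if len(parts) == 3 else 0
        return sign * (hours * 3600 + minutes * 60 + seconds)
    # Suffix form: every character must belong to a NUMBER+UNIT token, and
    # units must appear in d, h, m, s order without repeats.
    total, pos, last_unit = 0, 0, -1
    order = "dhms"
    for tok in _UNIT_TOKEN.finditer(s):
        if tok.start() != pos:
            raise ValueError(f"unexpected text in duration: {text!r}")
        unit_index = order.index(tok.group(2))
        if unit_index <= last_unit:
            raise ValueError(f"units repeated or out of order: {text!r}")
        last_unit = unit_index
        total += int(tok.group(1)) * _UNIT_SECONDS[tok.group(2)]
        pos = tok.end()
    if pos != len(s) or last_unit < 0:
        raise ValueError(f"unrecognized duration: {text!r}")
    return sign * total


def format_duration(seconds):
    """Render seconds in the suffix notation, e.g. 19800 -> '5h30m'."""
    if seconds < 0:
        return "-" + format_duration(-seconds)
    if seconds == 0:
        return "0s"
    out = []
    for unit in "dhms":
        count, seconds = divmod(seconds, _UNIT_SECONDS[unit])
        if count:
            out.append(f"{count}{unit}")
    return "".join(out)


def effective_lifetime(requested, site_max):
    """Lifetime actually granted for a -l or -r request.

    A request above the site maximum is reduced to the maximum rather than
    rejected, which is the behaviour the option text describes.
    """
    wanted = parse_duration(requested)
    if wanted <= 0:
        raise ValueError("lifetime must be positive")
    return min(wanted, site_max)


if __name__ == "__main__":
    for req in ("5:30", "5h30m", "2d"):
        granted = effective_lifetime(req, SITE_MAX_LIFE)
        print(f"kinit -l {req:<6} -> {format_duration(granted)}")
```

The last case shows the quiet truncation the page warns about: ``kinit -l 2d`` against a 10-hour maximum yields a 10-hour ticket, and nothing in the request syntax tells the user that happened; checking the result with ``klist`` is the only way to see the granted lifetime.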
    Two types of anonymous principals are supported.

    For fully anonymous Kerberos, configure pkinit on the KDC and configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`.  Then use the **-n** option with a principal of the form ``@REALM`` (an empty principal name followed by the at-sign and a realm name).  If permitted by the KDC, an anonymous ticket will be returned.

    A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm.  For this mode, use ``kinit -n`` with a normal principal name.  If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.

    As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.

**-I** *input_ccache*
    Specifies the name of a credentials cache that already contains a ticket.  When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC.

**-T** *armor_ccache*
    Specifies the name of a credentials cache that already contains a ticket.  If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms.  Armoring also makes sure that the response from the KDC is not modified in transit.

**-c** *cache_name*
    use *cache_name* as the Kerberos 5 credentials (ticket) cache location.  If this option is not used, the default cache location is used.

    The default cache location may vary between systems.  If the **KRB5CCNAME** environment variable is set, its value is used to locate the default cache.
If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. **-S** *service_name* specify an alternate service name to use when getting initial tickets. **-X** *attribute*\ [=\ *value*] specify a pre-authentication *attribute* and *value* to be interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be "yes". The following attributes are recognized by the PKINIT pre-authentication mechanism: **X509_user_identity**\ =\ *value* specify where to find user's X509 identity information **X509_anchors**\ =\ *value* specify where to find trusted X509 anchor information **flag_RSA_PROTOCOL**\ [**=yes**] specify use of RSA, rather than the default Diffie-Hellman protocol **disable_freshness**\ [**=yes**] disable sending freshness tokens (for testing purposes only) **--request-pac** | **--no-request-pac** mutually exclusive. If **--request-pac** is set, ask the KDC to include a PAC in authdata; if **--no-request-pac** is set, ask the KDC not to include a PAC; if neither are set, the KDC will follow its default, which is typically is to include a PAC if doing so is supported. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| default location of Kerberos 5 credentials cache |keytab| default location for the local host's keytab. SEE ALSO -------- :ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.19.2/doc/html/_sources/user/user_commands/klist.rst.txt0000644000704600001450000000555714076311665025734 0ustar ghudsonsystemd-journal.. 
_klist(1): klist ===== SYNOPSIS -------- **klist** [**-e**] [[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] [**-C**] [**-k** [**-i**] [**-t**] [**-K**]] [**-V**] [**-d**] [*cache_name*\|\ *keytab_name*] DESCRIPTION ----------- klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file. OPTIONS ------- **-e** Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. **-l** If a cache collection is available, displays a table summarizing the caches present in the collection. **-A** If a cache collection is available, displays the contents of all of the caches in the collection. **-c** List tickets held in a credentials cache. This is the default if neither **-c** nor **-k** is specified. **-f** Shows the flags present in the credentials, using the following abbreviations:: F Forwardable f forwarded P Proxiable p proxy D postDateable d postdated R Renewable I Initial i invalid H Hardware authenticated A preAuthenticated T Transit policy checked O Okay as delegate a anonymous **-s** Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. **-a** Display list of addresses in credentials. **-n** Show numeric addresses instead of reverse-resolving addresses. **-C** List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. **-k** List keys held in a keytab file. **-i** In combination with **-k**, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. **-t** Display the time entry timestamps for each keytab entry in the keytab file. **-K** Display the value of the encryption key in each keytab entry in the keytab file. **-d** Display the authdata types (if any) for each entry. 
**-V** Display the Kerberos version number and exit. If *cache_name* or *keytab_name* is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the **KRB5CCNAME** environment variable is set, its value is used to locate the default ticket cache. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of Kerberos 5 credentials cache |keytab| Default location for the local host's keytab file. SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.19.2/doc/html/_sources/user/user_commands/kdestroy.rst.txt0000644000704600001450000000325614076311665026444 0ustar ghudsonsystemd-journal.. _kdestroy(1): kdestroy ======== SYNOPSIS -------- **kdestroy** [**-A**] [**-q**] [**-c** *cache_name*] [**-p** *princ_name*] DESCRIPTION ----------- The kdestroy utility destroys the user's active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. OPTIONS ------- **-A** Destroys all caches in the collection, if a cache collection is available. May be used with the **-c** option to specify the collection to be destroyed. **-q** Run quietly. Normally kdestroy beeps if it fails to destroy the user's tickets. The **-q** flag suppresses this behavior. **-c** *cache_name* Use *cache_name* as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. The default credentials cache may vary between systems. If the **KRB5CCNAME** environment variable is set, its value is used to name the default ticket cache. **-p** *princ_name* If a cache collection is available, destroy the cache for *princ_name* instead of the primary cache. May be used with the **-c** option to specify the collection to be searched. 
NOTE
----

Most installations recommend that you place the kdestroy command in
your .logout file, so that your tickets are destroyed automatically
when you log out.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

FILES
-----

|ccache|
    Default location of Kerberos 5 credentials cache

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)`

.. krb5-1.19.2/doc/html/_sources/user/user_commands/index.rst.txt

.. _user_commands:

User commands
=============

.. toctree::
   :maxdepth: 1

   kdestroy.rst
   kinit.rst
   klist.rst
   kpasswd.rst
   krb5-config.rst
   ksu.rst
   kswitch.rst
   kvno.rst
   sclient.rst

.. krb5-1.19.2/doc/html/_sources/user/user_commands/krb5-config.rst.txt

.. _krb5-config(1):

krb5-config
===========

SYNOPSIS
--------

**krb5-config**
[**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]]

DESCRIPTION
-----------

krb5-config tells the application programmer what flags to use to
compile and link programs against the installed Kerberos libraries.

OPTIONS
-------

**-**\ **-help**
    prints a usage message.  This is the default behavior when no
    options are specified.

**-**\ **-all**
    prints the version, vendor, prefix, and exec-prefix.

**-**\ **-version**
    prints the version number of the Kerberos installation.

**-**\ **-vendor**
    prints the name of the vendor of the Kerberos installation.

**-**\ **-prefix**
    prints the prefix for which the Kerberos installation was built.

**-**\ **-exec-prefix**
    prints the prefix for executables for which the Kerberos
    installation was built.

**-**\ **-defccname**
    prints the built-in default credentials cache location.

**-**\ **-defktname**
    prints the built-in default keytab location.

**-**\ **-defcktname**
    prints the built-in default client (initiator) keytab location.

**-**\ **-cflags**
    prints the compilation flags used to build the Kerberos
    installation.

**-**\ **-libs** [*library*]
    prints the compiler options needed to link against *library*.
    Allowed values for *library* are:

    ============ ===============================================
    krb5         Kerberos 5 applications (default)
    gssapi       GSSAPI applications with Kerberos 5 bindings
    kadm-client  Kadmin client
    kadm-server  Kadmin server
    kdb          Applications that access the Kerberos database
    ============ ===============================================

EXAMPLES
--------

krb5-config is particularly useful for compiling against a Kerberos
installation that was installed in a non-standard location.  For
example, a Kerberos installation that is installed in ``/opt/krb5/``
but uses libraries in ``/usr/local/lib/`` for text localization would
produce the following output::

    shell% krb5-config --libs krb5
    -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err

SEE ALSO
--------

:ref:`kerberos(7)`, cc(1)

.. krb5-1.19.2/doc/html/_sources/user/user_commands/kswitch.rst.txt

.. _kswitch(1):

kswitch
=======

SYNOPSIS
--------

**kswitch**
{**-c** *cachename*\|\ **-p** *principal*}

DESCRIPTION
-----------

kswitch makes the specified credential cache the primary cache for the
collection, if a cache collection is available.

OPTIONS
-------

**-c** *cachename*
    Directly specifies the credential cache to be made primary.

**-p** *principal*
    Causes the cache collection to be searched for a cache containing
    credentials for *principal*.  If one is found, that collection is
    made primary.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
FILES
-----

|ccache|
    Default location of Kerberos 5 credentials cache

SEE ALSO
--------

:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, :ref:`kerberos(7)`

.. krb5-1.19.2/doc/html/_sources/user/user_commands/ksu.rst.txt

.. _ksu(1):

ksu
===

SYNOPSIS
--------

**ksu**
[ *target_user* ]
[ **-n** *target_principal_name* ]
[ **-c** *source_cache_name* ]
[ **-k** ]
[ **-r** time ]
[ **-p** | **-P**]
[ **-f** | **-F**]
[ **-l** *lifetime* ]
[ **-z | Z** ]
[ **-q** ]
[ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ]

REQUIREMENTS
------------

Must have Kerberos version 5 installed to compile ksu.  Must have a
Kerberos version 5 server running to use ksu.

DESCRIPTION
-----------

ksu is a Kerberized version of the su program that has two missions:
one is to securely change the real and effective user ID to that of
the target user, and the other is to create a new security context.

.. note::

    For the sake of clarity, all references to and attributes of the
    user invoking the program will start with "source" (e.g., "source
    user", "source cache", etc.).

    Likewise, all references to and attributes of the target account
    will start with "target".

AUTHENTICATION
--------------

To fulfill the first mission, ksu operates in two phases:
authentication and authorization.  Resolving the target principal
name is the first step in authentication.  The user can either specify
his principal name with the **-n** option (e.g., ``-n
jqpublic@USC.EDU``) or a default principal name will be assigned using
a heuristic described in the OPTIONS section (see **-n** option).  The
target user name must be the first argument to ksu; if not specified
root is the default.  If ``.`` is specified then the target user will
be the source user (e.g., ``ksu .``).  If the source user is root or
the target user is the source user, no authentication or authorization
takes place.  Otherwise, ksu looks for an appropriate Kerberos ticket
in the source cache.

The ticket can either be for the end-server or a ticket granting
ticket (TGT) for the target principal's realm.  If the ticket for the
end-server is already in the cache, it's decrypted and verified.  If
it's not in the cache but the TGT is, the TGT is used to obtain the
ticket for the end-server.  The end-server ticket is then verified.
If neither ticket is in the cache, but ksu is compiled with the
**GET_TGT_VIA_PASSWD** define, the user will be prompted for a
Kerberos password which will then be used to get a TGT.  If the user
is logged in remotely and does not have a secure channel, the password
may be exposed.  If neither ticket is in the cache and
**GET_TGT_VIA_PASSWD** is not defined, authentication fails.

AUTHORIZATION
-------------

This section describes authorization of the source user when ksu is
invoked without the **-e** option.  For a description of the **-e**
option, see the OPTIONS section.

Upon successful authentication, ksu checks whether the target
principal is authorized to access the target account.  In the target
user's home directory, ksu attempts to access two authorization files:
:ref:`.k5login(5)` and .k5users.  In the .k5login file each line
contains the name of a principal that is authorized to access the
account.

For example::

    jqpublic@USC.EDU
    jqpublic/secure@USC.EDU
    jqpublic/admin@USC.EDU

The format of .k5users is the same, except the principal name may be
followed by a list of commands that the principal is authorized to
execute (see the **-e** option in the OPTIONS section for details).

Thus if the target principal name is found in the .k5login file the
source user is authorized to access the target account.  Otherwise ksu
looks in the .k5users file.  If the target principal name is found
without any trailing commands or followed only by ``*`` then the
source user is authorized.  If either .k5login or .k5users exist but
an appropriate entry for the target principal does not exist then
access is denied.  If neither file exists then the principal will be
granted access to the account according to the aname->lname mapping
rules.  Otherwise, authorization fails.

EXECUTION OF THE TARGET SHELL
-----------------------------

Upon successful authentication and authorization, ksu proceeds in a
similar fashion to su.  The environment is unmodified with the
exception of USER, HOME and SHELL variables.  If the target user is
not root, USER gets set to the target user name.  Otherwise USER
remains unchanged.  Both HOME and SHELL are set to the target login's
default values.  In addition, the environment variable **KRB5CCNAME**
gets set to the name of the target cache.  The real and effective user
ID are changed to that of the target user.  The target user's shell is
then invoked (the shell name is specified in the password file).  Upon
termination of the shell, ksu deletes the target cache (unless ksu is
invoked with the **-k** option).  This is implemented by first doing a
fork and then an exec, instead of just exec, as done by su.

CREATING A NEW SECURITY CONTEXT
-------------------------------

ksu can be used to create a new security context for the target
program (either the target shell, or command specified via the **-e**
option).  The target program inherits a set of credentials from the
source user.  By default, this set includes all of the credentials in
the source cache plus any additional credentials obtained during
authentication.  The source user is able to limit the credentials in
this set by using **-z** or **-Z** option.  **-z** restricts the copy
of tickets from the source cache to the target cache to only the
tickets where client == the target principal name.  The **-Z** option
provides the target user with a fresh target cache (no creds in the
cache).  Note that for security reasons, when the source user is root
and target user is non-root, **-z** option is the default mode of
operation.

While no authentication takes place if the source user is root or is
the same as the target user, additional tickets can still be obtained
for the target cache.  If **-n** is specified and no credentials can
be copied to the target cache, the source user is prompted for a
Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD**
is undefined).  If successful, a TGT is obtained from the Kerberos
server and stored in the target cache.  Otherwise, if a password is
not provided (user hit return) ksu continues in a normal mode of
operation (the target cache will not contain the desired TGT).  If the
wrong password is typed in, ksu fails.

.. note::

    During authentication, only the tickets that could be obtained
    without providing a password are cached in the source cache.

OPTIONS
-------

**-n** *target_principal_name*
    Specify a Kerberos target principal name.  Used in authentication
    and authorization phases of ksu.

    If ksu is invoked without **-n**, a default principal name is
    assigned via the following heuristic:

    * Case 1: source user is non-root.  If the target user is the
      source user the default principal name is set to the default
      principal of the source cache.  If the cache does not exist then
      the default principal name is set to ``target_user@local_realm``.
      If the source and target users are different and neither
      ``~target_user/.k5users`` nor ``~target_user/.k5login`` exist
      then the default principal name is
      ``target_user_login_name@local_realm``.  Otherwise, starting with
      the first principal listed below, ksu checks if the principal is
      authorized to access the target account and whether there is a
      legitimate ticket for that principal in the source cache.  If
      both conditions are met that principal becomes the default
      target principal, otherwise go to the next principal.

      a) default principal of the source cache
      b) target_user\@local_realm
      c) source_user\@local_realm

      If a-c fails try any principal for which there is a ticket in
      the source cache and that is authorized to access the target
      account.  If that fails select the first principal that is
      authorized to access the target account from the above list.  If
      none are authorized and ksu is configured with
      **PRINC_LOOK_AHEAD** turned on, select the default principal as
      follows:

      For each candidate in the above list, select an authorized
      principal that has the same realm name and first part of the
      principal name equal to the prefix of the candidate.  For
      example if candidate a) is ``jqpublic@ISI.EDU`` and
      ``jqpublic/secure@ISI.EDU`` is authorized to access the target
      account then the default principal is set to
      ``jqpublic/secure@ISI.EDU``.

    * Case 2: source user is root.  If the target user is non-root
      then the default principal name is ``target_user@local_realm``.
      Else, if the source cache exists the default principal name is
      set to the default principal of the source cache.  If the source
      cache does not exist, default principal name is set to
      ``root\@local_realm``.

**-c** *source_cache_name*
    Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``).  If
    **-c** option is not used then the name is obtained from
    **KRB5CCNAME** environment variable.  If **KRB5CCNAME** is not
    defined the source cache name is set to ``krb5cc_``.  The target
    cache name is automatically set to ``krb5cc_.(gen_sym())``,
    where gen_sym generates a new number such that the resulting cache
    does not already exist.  For example::

        krb5cc_1984.2

**-k**
    Do not delete the target cache upon termination of the target
    shell or a command (**-e** command).  Without **-k**, ksu deletes
    the target cache.

**-z**
    Restrict the copy of tickets from the source cache to the target
    cache to only the tickets where client == the target principal
    name.  Use the **-n** option if you want the tickets for other
    than the default principal.  Note that the **-z** option is
    mutually exclusive with the **-Z** option.

**-Z**
    Don't copy any tickets from the source cache to the target cache.
    Just create a fresh target cache, where the default principal name
    of the cache is initialized to the target principal name.  Note
    that the **-Z** option is mutually exclusive with the **-z**
    option.

**-q**
    Suppress the printing of status messages.

Ticket granting ticket options:

**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F**
    The ticket granting ticket options only apply to the case where
    there are no appropriate tickets in the cache to authenticate the
    source user.  In this case if ksu is configured to prompt users
    for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the
    ticket granting ticket options that are specified will be used
    when getting a ticket granting ticket from the Kerberos server.

**-l** *lifetime*
    (:ref:`duration` string.)  Specifies the lifetime to be requested
    for the ticket; if this option is not specified, the default ticket
    lifetime (12 hours) is used instead.

**-r** *time*
    (:ref:`duration` string.)  Specifies that the **renewable** option
    should be requested for the ticket, and specifies the desired
    total lifetime of the ticket.

**-p**
    specifies that the **proxiable** option should be requested for
    the ticket.

**-P**
    specifies that the **proxiable** option should not be requested
    for the ticket, even if the default configuration is to ask for
    proxiable tickets.

**-f**
    option specifies that the **forwardable** option should be
    requested for the ticket.

**-F**
    option specifies that the **forwardable** option should not be
    requested for the ticket, even if the default configuration is to
    ask for forwardable tickets.

**-e** *command* [*args* ...]
    ksu proceeds exactly the same as if it was invoked without the
    **-e** option, except instead of executing the target shell, ksu
    executes the specified command.  Example of usage::

        ksu bob -e ls -lag

    The authorization algorithm for **-e** is as follows:

    If the source user is root or source user == target user, no
    authorization takes place and the command is executed.  If source
    user id != 0, and ``~target_user/.k5users`` file does not exist,
    authorization fails.  Otherwise, ``~target_user/.k5users`` file
    must have an appropriate entry for target principal to get
    authorized.

    The .k5users file format:

    A single principal entry on each line that may be followed by a
    list of commands that the principal is authorized to execute.  A
    principal name followed by a ``*`` means that the user is
    authorized to execute any command.  Thus, in the following
    example::

        jqpublic@USC.EDU ls mail /local/kerberos/klist
        jqpublic/secure@USC.EDU *
        jqpublic/admin@USC.EDU

    ``jqpublic@USC.EDU`` is only authorized to execute ``ls``,
    ``mail`` and ``klist`` commands.  ``jqpublic/secure@USC.EDU`` is
    authorized to execute any command.  ``jqpublic/admin@USC.EDU`` is
    not authorized to execute any command.  Note, that
    ``jqpublic/admin@USC.EDU`` is authorized to execute the target
    shell (regular ksu, without the **-e** option) but
    ``jqpublic@USC.EDU`` is not.

    The commands listed after the principal name must be either full
    path names or just the program name.  In the second case,
    **CMD_PATH** specifying the location of authorized programs must
    be defined at the compilation time of ksu.  Which command gets
    executed?  If the source user is root or the target user is the
    source user or the user is authorized to execute any command
    (``*`` entry) then command can be either a full or a relative path
    leading to the target program.  Otherwise, the user must specify
    either a full path or just the program name.

**-a** *args*
    Specify arguments to be passed to the target shell.  Note that all
    flags and parameters following -a will be passed to the shell,
    thus all options intended for ksu must precede **-a**.  The
    **-a** option can be used to simulate the **-e** option if used as
    follows::

        -a -c [command [arguments]].

    **-c** is interpreted by the c-shell to execute the command.

INSTALLATION INSTRUCTIONS
-------------------------

ksu can be compiled with the following four flags:

**GET_TGT_VIA_PASSWD**
    In case no appropriate tickets are found in the source cache, the
    user will be prompted for a Kerberos password.  The password is
    then used to get a ticket granting ticket from the Kerberos
    server.  The danger of configuring ksu with this macro is if the
    source user is logged in remotely and does not have a secure
    channel, the password may get exposed.

**PRINC_LOOK_AHEAD**
    During the resolution of the default principal name,
    **PRINC_LOOK_AHEAD** enables ksu to find principal names in the
    .k5users file as described in the OPTIONS section (see **-n**
    option).

**CMD_PATH**
    Specifies a list of directories containing programs that users are
    authorized to execute (via .k5users file).

**HAVE_GETUSERSHELL**
    If the source user is non-root, ksu insists that the target user's
    shell to be invoked is a "legal shell".  *getusershell(3)* is
    called to obtain the names of "legal shells".  Note that the
    target user's shell is obtained from the passwd file.

Sample configuration::

    KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"'

ksu should be owned by root and have the set user id bit turned on.

ksu attempts to get a ticket for the end server just as Kerberized
telnet and rlogin.  Thus, there must be an entry for the server in the
Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``).  The keytab
file must be in an appropriate location.

SIDE EFFECTS
------------

ksu deletes all expired tickets from the source cache.

AUTHOR OF KSU
-------------

GENNADY (ARI) MEDVINSKY

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
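The authorization rules in the AUTHORIZATION section, the **-e** option and case 1 of the **-n** default-principal heuristic, as an added Python model for readers who want to check how an entry in .k5login or .k5users will be interpreted; this is example code, not ksu's own, and the .k5users contents, the CMD_PATH list and the simplified aname->lname rule are constructed assumptions.

```python
"""Model of ksu's .k5login/.k5users authorization and -n heuristic (case 1)."""

# Constructed stand-in for the compile-time CMD_PATH directory list.
CMD_PATH = ["/bin", "/usr/ucb", "/local/bin"]

# Constructed ~target_user/.k5users in the format shown in the ksu manual.
K5USERS_TEXT = """\
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU
"""

def parse_k5users(text):
    """Map principal -> command list; [] = shell only, ['*'] = any command."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if fields:
            entries[fields[0]] = fields[1:]
    return entries

def authorize_shell(principal, target_user, local_realm, k5login, k5users):
    """Plain ksu (no -e).  k5login is a set or None, k5users a dict or None;
    None means that file is absent from the target home directory."""
    if k5login is not None and principal in k5login:
        return True
    if k5users is not None and principal in k5users:
        return k5users[principal] in ([], ["*"])
    if k5login is None and k5users is None:
        # Simplified aname->lname rule: user@LOCAL_REALM maps to local "user".
        return principal == f"{target_user}@{local_realm}"
    return False  # a file exists but has no entry for this principal

def candidates(program):
    """Full paths a program reference may denote: a bare name is looked up
    in CMD_PATH, a name containing '/' denotes only itself."""
    if "/" in program:
        return [program]
    return [d + "/" + program for d in CMD_PATH]

def authorize_command(principal, command, k5users):
    """ksu -e: return the program path to run, or None if denied.  Only
    .k5users is consulted, and a shell-only entry authorizes no command."""
    if k5users is None or principal not in k5users:
        return None
    allowed = k5users[principal]
    if allowed == ["*"]:
        return command  # any command, full or relative path
    for entry in allowed:
        if "/" not in command:
            # Bare name typed: matched against the entry's program name.
            # (ksu itself then picks the first CMD_PATH candidate on disk.)
            if entry.rsplit("/", 1)[-1] == command:
                return candidates(entry)[0]
        elif command in candidates(entry):
            return command  # full path typed: must be a path the entry denotes
    return None

def default_target_principal(source_user, target_user, local_realm,
                             cache_default, cache_clients,
                             k5login, k5users, look_ahead=True):
    """Case 1 of the -n heuristic.  cache_default is the source cache's
    default principal (None if there is no cache); cache_clients holds the
    client principals that have tickets in it."""
    if target_user == source_user:
        return cache_default or f"{target_user}@{local_realm}"
    if k5login is None and k5users is None:
        return f"{target_user}@{local_realm}"

    def ok(p):
        return authorize_shell(p, target_user, local_realm, k5login, k5users)

    order = [p for p in (cache_default, f"{target_user}@{local_realm}",
                         f"{source_user}@{local_realm}") if p]
    for p in order:  # a)-c): authorized and holding a ticket
        if ok(p) and p in cache_clients:
            return p
    for p in sorted(cache_clients):  # any ticketed, authorized principal
        if ok(p):
            return p
    for p in order:  # first authorized candidate, ticket or not
        if ok(p):
            return p
    if look_ahead:  # PRINC_LOOK_AHEAD: same realm, same first name component
        listed = sorted(set(k5login or ()) | set(k5users or ()))
        for cand in order:
            name, _, realm = cand.rpartition("@")
            for p in listed:
                pname, _, prealm = p.rpartition("@")
                if (prealm == realm and ok(p)
                        and pname.split("/")[0] == name.split("/")[0]):
                    return p
    return None
```

With the sample file, ``authorize_command("jqpublic@USC.EDU", "/tmp/ls", ...)`` is refused because ``/tmp`` is not a CMD_PATH directory, while the bare name ``klist`` resolves to the listed ``/local/kerberos/klist``.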
SEE ALSO -------- :ref:`kerberos(7)`, :ref:`kinit(1)` krb5-1.19.2/doc/html/_sources/user/user_commands/kpasswd.rst.txt0000644000704600001450000000204314076311665026245 0ustar ghudsonsystemd-journal.. _kpasswd(1): kpasswd ======= SYNOPSIS -------- **kpasswd** [*principal*] DESCRIPTION ----------- The kpasswd command is used to change a Kerberos principal's password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed. If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.) OPTIONS ------- *principal* Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` krb5-1.19.2/doc/html/_sources/user/user_commands/kvno.rst.txt0000644000704600001450000000640214076311665025551 0ustar ghudsonsystemd-journal.. _kvno(1): kvno ==== SYNOPSIS -------- **kvno** [**-c** *ccache*] [**-e** *etype*] [**-k** *keytab*] [**-q**] [**-u** | **-S** *sname*] [**-P**] [**--cached-only**] [**--no-store**] [**--out-cache** *cache*] [[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*] *service1 service2* ... DESCRIPTION ----------- kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each. 
OPTIONS ------- **-c** *ccache* Specifies the name of a credentials cache to use (if not the default) **-e** *etype* Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. **-k** *keytab* Decrypt the acquired tickets using *keytab* to confirm their validity. **-q** Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. **-u** Use the unknown name type in requested service principal names. This option Cannot be used with *-S*. **-P** Specifies that the *service1 service2* ... arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. **-S** *sname* Specifies that the *service1 service2* ... arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name *sname*. The service hostnames will be canonicalized according to the usual rules for constructing service principals. **-I** *for_user* Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of *for_user*. If constrained delegation is not requested, the service name must match the credentials cache client principal. **-U** *for_user* Same as -I, but treats *for_user* as an enterprise name. **-F** *cert_file* Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in *cert_file*. The certificate file must be in PEM format. **--cached-only** Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.) **--no-store** Do not store retrieved credentials in the cache. If **--out-cache** is also specified, credentials will still be stored into the output credential cache. 
(Added in release 1.19.) **--out-cache** *ccache* Initialize *ccache* and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.) **--u2u** *ccache* Requests a user-to-user ticket. *ccache* must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server's long-term key. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. FILES ----- |ccache| Default location of the credentials cache SEE ALSO -------- :ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` krb5-1.19.2/doc/html/_sources/user/user_commands/sclient.rst.txt0000644000704600001450000000076114076311665026237 0ustar ghudsonsystemd-journal.. _sclient(1): sclient ======= SYNOPSIS -------- **sclient** *remotehost* DESCRIPTION ----------- sclient is a sample application, primarily useful for testing purposes. It contacts a sample server :ref:`sserver(8)` and authenticates to it using Kerberos version 5 tickets, then displays the server's response. ENVIRONMENT ----------- See :ref:`kerberos(7)` for a description of Kerberos environment variables. SEE ALSO -------- :ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` krb5-1.19.2/doc/html/_sources/user/user_config/0000755000704600001450000000000014076312553022663 5ustar ghudsonsystemd-journalkrb5-1.19.2/doc/html/_sources/user/user_config/k5login.rst.txt0000644000704600001450000000345414076311665025614 0ustar ghudsonsystemd-journal.. _.k5login(5): .k5login ======== DESCRIPTION ----------- The .k5login file, which resides in a user's home directory, contains a list of the Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. 
One common use is to place a .k5login file in root's home directory, thereby granting system administrators remote root access to the host via Kerberos. EXAMPLES -------- Suppose the user ``alice`` had a .k5login file in her home directory containing just the following line:: bob@FOOBAR.ORG This would allow ``bob`` to use Kerberos network applications, such as ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos tickets. In a default configuration (with **k5login_authoritative** set to true in :ref:`krb5.conf(5)`), this .k5login file would not let ``alice`` use those network applications to access her account, since she is not listed! With no .k5login file, or with **k5login_authoritative** set to false, a default rule would permit the principal ``alice`` in the machine's default realm to access the ``alice`` account. Let us further suppose that ``alice`` is a system administrator. Alice and the other system administrators would have their principals in root's .k5login file on each host:: alice@BLEEP.COM joeadmin/root@BLEEP.COM This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because ``bob`` retains the Kerberos tickets for his own principal, ``bob@FOOBAR.ORG``, he would not have any of the privileges that require ``alice``'s tickets, such as root access to any of the site's hosts, or the ability to change ``alice``'s password. SEE ALSO -------- kerberos(1) krb5-1.19.2/doc/html/_sources/user/user_config/kerberos.rst.txt0000644000704600001450000001600514076311665026054 0ustar ghudsonsystemd-journal.. _kerberos(7): kerberos ======== DESCRIPTION ----------- The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords or certificates to those programs. 

If you receive the following response from :ref:`kinit(1)`::

    kinit: Client not found in Kerberos database while getting initial credentials

you haven't been registered as a Kerberos user.  See your system
administrator.

A Kerberos name usually contains three parts.  The first is the
**primary**, which is usually a user's or service's name.  The second
is the **instance**, which in the case of a user is usually null.
Some users may have privileged instances, however, such as ``root`` or
``admin``.  In the case of a service, the instance is the fully
qualified name of the machine on which it runs; i.e., there can be an
ssh service running on the machine ABC (ssh/ABC@REALM), which is
different from the ssh service running on the machine XYZ
(ssh/XYZ@REALM).  The third part of a Kerberos name is the **realm**.
The realm corresponds to the Kerberos service providing authentication
for the principal.  Realms are conventionally all-uppercase, and often
match the end of hostnames in the realm (for instance,
host01.example.com might be in realm EXAMPLE.COM).

When writing a Kerberos name, the principal name is separated from the
instance (if not null) by a slash, and the realm (if not the local
realm) follows, preceded by an "@" sign.  The following are examples
of valid Kerberos names::

    david
    jennifer/admin
    joeuser@BLEEP.COM
    cbrown/root@FUBAR.ORG

When you authenticate yourself with Kerberos you get an initial
Kerberos **ticket**.  (A Kerberos ticket is an encrypted protocol
message that provides authentication.)  Kerberos uses this ticket for
network utilities such as ssh.  The ticket transactions are done
transparently, so you don't have to worry about their management.

Note, however, that tickets expire.  Administrators may configure more
privileged tickets, such as those with service or instance of ``root``
or ``admin``, to expire in a few minutes, while tickets that carry
more ordinary privileges may be good for several hours or a day.
If your login session extends beyond the time limit, you will have to
re-authenticate yourself to Kerberos to get new tickets using the
:ref:`kinit(1)` command.

Some tickets are **renewable** beyond their initial lifetime.  This
means that ``kinit -R`` can extend their lifetime without requiring
you to re-authenticate.

If you wish to delete your local tickets, use the :ref:`kdestroy(1)`
command.

Kerberos tickets can be forwarded.  In order to forward tickets, you
must request **forwardable** tickets when you kinit.  Once you have
forwardable tickets, most Kerberos programs have a command line option
to forward them to the remote host.  This can be useful for, e.g.,
running kinit on your local machine and then sshing into another to do
work.  Note that this should not be done on untrusted machines since
they will then have your tickets.

ENVIRONMENT VARIABLES
---------------------

Several environment variables affect the operation of Kerberos-enabled
programs.  These include:

**KRB5CCNAME**
    Default name for the credentials cache file, in the form
    *TYPE*:*residual*.  The type of the default cache may determine
    the availability of a cache collection.  ``FILE`` is not a
    collection type; ``KEYRING``, ``DIR``, and ``KCM`` are.

    If not set, the value of **default_ccache_name** from
    configuration files (see **KRB5_CONFIG**) will be used.  If that
    is also not set, the default *type* is ``FILE``, and the
    *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the
    decimal user ID of the user.

**KRB5_KTNAME**
    Specifies the location of the default keytab file, in the form
    *TYPE*:*residual*.  If no *type* is present, the **FILE** type is
    assumed and *residual* is the pathname of the keytab file.  If
    unset, |keytab| will be used.

**KRB5_CONFIG**
    Specifies the location of the Kerberos configuration file.  The
    default is |sysconfdir|\ ``/krb5.conf``.  Multiple filenames can
    be specified, separated by a colon; all files which are present
    will be read.

**KRB5_KDC_PROFILE**
    Specifies the location of the KDC configuration file, which
    contains additional configuration directives for the Key
    Distribution Center daemon and associated programs.  The default
    is |kdcdir|\ ``/kdc.conf``.

**KRB5RCACHENAME**
    (New in release 1.18) Specifies the location of the default replay
    cache, in the form *type*:*residual*.  The ``file2`` type with a
    pathname residual specifies a replay cache file in the version-2
    format in the specified location.  The ``none`` type (residual is
    ignored) disables the replay cache.  The ``dfl`` type (residual is
    ignored) indicates the default, which uses a file2 replay cache in
    a temporary directory.  The default is ``dfl:``.

**KRB5RCACHETYPE**
    Specifies the type of the default replay cache, if
    **KRB5RCACHENAME** is unspecified.  No residual can be specified,
    so ``none`` and ``dfl`` are the only useful types.

**KRB5RCACHEDIR**
    Specifies the directory used by the ``dfl`` replay cache type.
    The default is the value of the **TMPDIR** environment variable,
    or ``/var/tmp`` if **TMPDIR** is not set.

**KRB5_TRACE**
    Specifies a filename to write trace log output to.  Trace logs can
    help illuminate decisions made internally by the Kerberos
    libraries.  For example, ``env KRB5_TRACE=/dev/stderr kinit``
    would send tracing information for :ref:`kinit(1)` to
    ``/dev/stderr``.  The default is not to write trace log output
    anywhere.

**KRB5_CLIENT_KTNAME**
    Default client keytab file name.  If unset, |ckeytab| will be
    used.

**KPROP_PORT**
    :ref:`kprop(8)` port to use.  Defaults to 754.

**GSS_MECH_CONFIG**
    Specifies a filename containing GSSAPI mechanism module
    configuration.  The default is to read |sysconfdir|\ ``/gss/mech``
    and files with a ``.conf`` suffix within the directory
    |sysconfdir|\ ``/gss/mech.d``.

Most environment variables are disabled for certain programs, such as
login system programs and setuid programs, which are designed to be
secure when run within an untrusted process environment.

SEE ALSO
--------

:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`,
:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`,
:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`,
:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`

BUGS
----

AUTHORS
-------

| Steve Miller, MIT Project Athena/Digital Equipment Corporation
| Clifford Neuman, MIT Project Athena
| Greg Hudson, MIT Kerberos Consortium
| Robbie Harwood, Red Hat, Inc.

HISTORY
-------

The MIT Kerberos 5 implementation was developed at MIT, with
contributions from many outside parties.  It is currently maintained
by the MIT Kerberos Consortium.

RESTRICTIONS
------------

Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Massachusetts
Institute of Technology

User config files
=================

The following files in your home directory can be used to control the
behavior of Kerberos as it applies to your account (unless they have
been disabled by your host's configuration):

.. toctree::
   :maxdepth: 1

   kerberos.rst
   k5login.rst
   k5identity.rst

.. _.k5identity(5):

.k5identity
===========

DESCRIPTION
-----------

The .k5identity file, which resides in a user's home directory,
contains a list of rules for selecting a client principal based on the
server being accessed.  These rules are used to choose a credential
cache within the cache collection when possible.

Blank lines and lines beginning with ``#`` are ignored.  Each line has
the form:

    *principal* *field*\=\ *value* ...

If the server principal meets all of the field constraints, then
principal is chosen as the client principal.
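The following is an added example, not code from the krb5 tree: a small parser and matcher that applies these rules to a server principal name, using the realm, service and host fields described next (shell-wildcard patterns, first matching line wins, hostname folded to lower case). It assumes, since the page does not say, that an unknown realm or a non-host-based server principal simply fails the corresponding constraint.

```python
from fnmatch import fnmatchcase

FIELDS = ("realm", "service", "host")


def parse_k5identity(text):
    """Parse .k5identity text into [(client_principal, {field: pattern})].

    Blank lines and lines starting with '#' are ignored; any other
    malformed line raises ValueError instead of being silently skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        client, *items = line.split()
        constraints = {}
        for item in items:
            field, sep, pattern = item.partition("=")
            if not sep or field not in FIELDS:
                raise ValueError("line %d: bad constraint %r" % (lineno, item))
            constraints[field] = pattern
        rules.append((client, constraints))
    return rules


def split_principal(princ):
    """'service/host@REALM' -> (['service', 'host'], 'REALM' or None)."""
    name, _, realm = princ.partition("@")
    return name.split("/"), realm or None


def select_client(rules, server, host_based=True):
    """Return the client principal chosen for *server*, or None.

    The realm is omitted from *server* when it is not known.  host_based
    says whether the server is a service/hostname principal; only then do
    the 'service' and 'host' fields apply.  Assumption (not stated on the
    page): an unknown realm or a non-host-based server fails the
    corresponding constraint rather than matching anything."""
    comps, realm = split_principal(server)
    if host_based and len(comps) == 2:
        service, host = comps[0], comps[1].lower()  # hostname is case-folded
    else:
        service = host = None
    known = {"realm": realm, "service": service, "host": host}
    for client, constraints in rules:  # first matching line wins
        if all(known[f] is not None and fnmatchcase(known[f], pat)
               for f, pat in constraints.items()):
            return client
    return None


# Constructed sample: the example file from this section.
SAMPLE = """\
# alice's .k5identity (constructed sample)
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""

if __name__ == "__main__":
    rules = parse_k5identity(SAMPLE)
    for srv in ("imap/mail.example.com@EXAMPLE.COM",
                "host/DB1.servers.example.com",
                "host/web.example.com@KRBTEST.COM",
                "ldap/web.example.com@EXAMPLE.COM"):
        print("%-40s -> %s" % (srv, select_client(rules, srv)))
```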

The following fields are recognized:

**realm**
    If the realm of the server principal is known, it is matched
    against *value*, which may be a pattern using shell wildcards.
    For host-based server principals, the realm will generally only be
    known if there is a :ref:`domain_realm` section in
    :ref:`krb5.conf(5)` with a mapping for the hostname.

**service**
    If the server principal is a host-based principal, its service
    component is matched against *value*, which may be a pattern using
    shell wildcards.

**host**
    If the server principal is a host-based principal, its hostname
    component is converted to lower case and matched against *value*,
    which may be a pattern using shell wildcards.

If the server principal matches the constraints of multiple lines in
the .k5identity file, the principal from the first matching line is
used.  If no line matches, credentials will be selected some other
way, such as the realm heuristic or the current primary cache.

EXAMPLE
-------

The following example .k5identity file selects the client principal
``alice@KRBTEST.COM`` if the server principal is within that realm,
the principal ``alice/root@EXAMPLE.COM`` if the server host is within
a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
accessing the IMAP service on ``mail.example.com``::

    alice@KRBTEST.COM       realm=KRBTEST.COM
    alice/root@EXAMPLE.COM  host=*.servers.example.com
    alice/mail@EXAMPLE.COM  host=mail.example.com service=imap

SEE ALSO
--------

kerberos(1), :ref:`krb5.conf(5)`

Ticket management
=================

On many systems, Kerberos is built into the login program, and you get
tickets automatically when you log in.  Other programs, such as ssh,
can forward copies of your tickets to a remote host.  Most of these
programs also automatically destroy your tickets when they exit.
However, MIT recommends that you explicitly destroy your Kerberos
tickets when you are through with them, just to be sure.  One way to
help ensure that this happens is to add the :ref:`kdestroy(1)` command
to your .logout file.  Additionally, if you are going to be away from
your machine and are concerned about an intruder using your
permissions, it is safest to either destroy all copies of your
tickets, or use a screensaver that locks the screen.

Kerberos ticket properties
--------------------------

There are various properties that Kerberos tickets can have:

If a ticket is **forwardable**, then the KDC can issue a new ticket
(with a different network address, if necessary) based on the
forwardable ticket.  This allows for authentication forwarding without
requiring a password to be typed in again.  For example, if a user
with a forwardable TGT logs into a remote system, the KDC could issue
a new TGT for that user with the network address of the remote system,
allowing authentication on that host to work as though the user were
logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it
sets the **forwarded** flag on that new ticket.  Any tickets that are
created based on a ticket with the forwarded flag set will also have
their forwarded flags set.

A **proxiable** ticket is similar to a forwardable ticket in that it
allows a service to take on the identity of the client.  Unlike a
forwardable ticket, however, a proxiable ticket is only issued for
specific services.  In other words, a ticket-granting ticket cannot be
issued based on a ticket that is proxiable but not forwardable.

A **proxy** ticket is one that was issued based on a proxiable ticket.

A **postdated** ticket is issued with the invalid flag set.  After the
starting time listed on the ticket, it can be presented to the KDC to
obtain valid tickets.

Ticket-granting tickets with the **postdateable** flag set can be used
to obtain postdated service tickets.

**Renewable** tickets can be used to obtain new session keys without
the user entering their password again.  A renewable ticket has two
expiration times.  The first is the time at which this particular
ticket expires.  The second is the latest possible expiration time for
any ticket issued based on this renewable ticket.

A ticket with the **initial flag** set was issued based on the
authentication protocol, and not on a ticket-granting ticket.
Application servers that wish to ensure that the user's key has been
recently presented for verification could specify that this flag must
be set to accept the ticket.

An **invalid** ticket must be rejected by application servers.
Postdated tickets are usually issued with this flag set, and must be
validated by the KDC before they can be used.

A **preauthenticated** ticket is one that was only issued after the
client requesting the ticket had authenticated itself to the KDC.

The **hardware authentication** flag is set on a ticket which required
the use of hardware for authentication.  The hardware is expected to
be possessed only by the client which requested the tickets.

If a ticket has the **transit policy** checked flag set, then the KDC
that issued this ticket implements the transited-realm check policy
and checked the transited-realms list on the ticket.  The
transited-realms list contains a list of all intermediate realms
between the realm of the KDC that issued the first ticket and that of
the one that issued the current ticket.  If this flag is not set, then
the application server must check the transited realms itself or else
reject the ticket.

The **okay as delegate** flag indicates that the server specified in
the ticket is suitable as a delegate as determined by the policy of
that realm.  Some client applications may use this flag to decide
whether to forward tickets to a remote host, although many
applications do not honor it.

An **anonymous** ticket is one in which the named principal is a
generic principal for that realm; it does not actually specify the
individual that will be using the ticket.  This ticket is meant only
to securely distribute a session key.

.. _obtain_tkt:

Obtaining tickets with kinit
----------------------------

If your site has integrated Kerberos V5 with the login system, you
will get Kerberos tickets automatically when you log in.  Otherwise,
you may need to explicitly obtain your Kerberos tickets, using the
:ref:`kinit(1)` program.  Similarly, if your Kerberos tickets expire,
use the kinit program to obtain new ones.

To use the kinit program, simply type ``kinit`` and then type your
password at the prompt.  For example, Jennifer (whose username is
``jennifer``) works for Bleep, Inc. (a fictitious company with the
domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU).  She would
type::

    shell% kinit
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
    shell%

If you type your password incorrectly, kinit will give you the
following error message::

    shell% kinit
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
    kinit: Password incorrect
    shell%

and you won't get Kerberos tickets.

By default, kinit assumes you want tickets for your own username in
your default realm.  Suppose Jennifer's friend David is visiting, and
he wants to borrow a window to check his mail.  David needs to get
tickets for himself in his own realm, EXAMPLE.COM.  He would type::

    shell% kinit david@EXAMPLE.COM
    Password for david@EXAMPLE.COM: <-- [Type david's password here.]
    shell%

David would then have tickets which he could use to log onto his own
machine.  Note that he typed his password locally on Jennifer's
machine, but it never went over the network.  Kerberos on the local
host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you
need to request forwardable tickets.
You do this by specifying the **-f** option::

    shell% kinit -f
    Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
    shell%

Note that kinit does not tell you that it obtained forwardable
tickets; you can verify this using the :ref:`klist(1)` command (see
:ref:`view_tkt`).

Normally, your tickets are good for your system's default ticket
lifetime, which is ten hours on many systems.  You can specify a
different ticket lifetime with the **-l** option.  Add the letter
**s** to the value for seconds, **m** for minutes, **h** for hours, or
**d** for days.  For example, to obtain forwardable tickets for
``david@EXAMPLE.COM`` that would be good for three hours, you would
type::

    shell% kinit -f -l 3h david@EXAMPLE.COM
    Password for david@EXAMPLE.COM: <-- [Type david's password here.]
    shell%

.. note::

    You cannot mix units; specifying a lifetime of 3h30m would result
    in an error.  Note also that most systems specify a maximum ticket
    lifetime.  If you request a longer ticket lifetime, it will be
    automatically truncated to the maximum lifetime.

.. _view_tkt:

Viewing tickets with klist
--------------------------

The :ref:`klist(1)` command shows your tickets.  When you first obtain
tickets, you will have only the ticket-granting ticket.  The listing
would look like this::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    shell%

The ticket cache is the location of your ticket file.  In the above
example, this file is named ``/tmp/krb5cc_ttypa``.  The default
principal is your Kerberos principal.

The "valid starting" and "expires" fields describe the period of time
during which the ticket is valid.  The "service principal" describes
each ticket.  The ticket-granting ticket has a first component
``krbtgt``, and a second component which is the realm name.

Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``,
and then typed "klist" again, she would have gotten the following
result::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
    shell%

Here's what happened: when ``jennifer`` used ssh to connect to the
host ``daffodil.mit.edu``, the ssh program presented her
ticket-granting ticket to the KDC and requested a host ticket for the
host ``daffodil.mit.edu``.  The KDC sent the host ticket, which ssh
then presented to the host ``daffodil.mit.edu``, and she was allowed
to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another
domain, such as ``trillium.example.com``, which is also in another
Kerberos realm, ``EXAMPLE.COM``.  If you ssh to this host, you will
receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus
the new host ticket for ``trillium.example.com``.  klist will now
show::

    shell% klist
    Ticket cache: /tmp/krb5cc_ttypa
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting     Expires            Service principal
    06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
    06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
    shell%

Depending on your host's and realm's configuration, you may also see a
ticket with the service principal ``host/trillium.example.com@``.  If
so, this means that your host did not know what realm
trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for
a referral.  The next time you connect to ``trillium.example.com``,
the odd-looking entry will be used to avoid needing to ask for a
referral again.

You can use the **-f** option to view the flags that apply to your
tickets.  The flags are:

===== =========================
F     Forwardable
f     forwarded
P     Proxiable
p     proxy
D     postDateable
d     postdated
R     Renewable
I     Initial
i     invalid
H     Hardware authenticated
A     preAuthenticated
T     Transit policy checked
O     Okay as delegate
a     anonymous
===== =========================

Here is a sample listing.  In this example, the user *jennifer*
obtained her initial tickets (**I**), which are forwardable (**F**)
and postdated (**d**) but not yet validated (**i**)::

    shell% klist -f
    Ticket cache: /tmp/krb5cc_320
    Default principal: jennifer@ATHENA.MIT.EDU

    Valid starting      Expires             Service principal
    31/07/05 19:06:25   31/07/05 19:16:25   krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
            Flags: FdiI
    shell%

In the following example, the user *david*'s tickets were forwarded
(**f**) to this host from another host.  The tickets are reforwardable
(**F**)::

    shell% klist -f
    Ticket cache: /tmp/krb5cc_p11795
    Default principal: david@EXAMPLE.COM

    Valid starting      Expires             Service principal
    07/31/05 11:52:29   07/31/05 21:11:23   krbtgt/EXAMPLE.COM@EXAMPLE.COM
            Flags: Ff
    07/31/05 12:03:48   07/31/05 21:11:23   host/trillium.example.com@EXAMPLE.COM
            Flags: Ff
    shell%

Destroying tickets with kdestroy
--------------------------------

Your Kerberos tickets are proof that you are indeed yourself, and
tickets could be stolen if someone gains access to a computer where
they are stored.  If this happens, the person who has them can
masquerade as you until they expire.  For this reason, you should
destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy.  Simply type kdestroy::

    shell% kdestroy
    shell%

If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and
give an error message.
For example, if kdestroy can't find any tickets to destroy, it will
give the following message::

    shell% kdestroy
    kdestroy: No credentials cache file found while destroying cache
    shell%

MIT Kerberos Documentation (|release|)
======================================

.. toctree::
   :maxdepth: 1

   user/index.rst
   admin/index.rst
   appdev/index.rst
   plugindev/index.rst
   build/index.rst
   basic/index.rst
   formats/index.rst
   mitK5features.rst
   build_this.rst
   about.rst
   resources

PKINIT freshness tokens
=======================

:rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients
should reflect within signed PKINIT data to prove recent access to the
client certificate private key.  The contents of a freshness token are
left to the KDC implementation.  The MIT krb5 KDC uses the following
format for freshness tokens (starting in release 1.17):

* a four-byte big-endian POSIX timestamp
* a four-byte big-endian key version number
* an :rfc:`3961` checksum, with no ASN.1 wrapper

The checksum is computed using the first key in the local krbtgt
principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM``
if the request is to the ``KRBTEST.COM`` realm) of the indicated key
version.  The checksum type must be the mandatory checksum type for
the encryption type of the krbtgt key.  The key usage value for the
checksum is 514.

.. _ccache_file_format:

Credential cache file format
============================

There are four versions of the file format used by the FILE credential
cache type.  The first byte of the file always has the value 5, and
the value of the second byte contains the version number (1 through
4).  Versions 1 and 2 of the file format use native byte order for
integer representations.  Versions 3 and 4 always use big-endian byte
order.

After the two-byte version indicator, the file has three parts: the
header (in version 4 only), the default principal name, and a sequence
of credentials.

Header format
-------------

The header appears only in format version 4.  It begins with a 16-bit
integer giving the length of the entire header, followed by a sequence
of fields.  Each field consists of a 16-bit tag, a 16-bit length, and
a value of the given length.  A file format implementation should
ignore fields with unknown tags.

At this time there is only one defined header field.  Its tag value is
1, its length is always 8, and its contents are two 32-bit integers
giving the seconds and microseconds of the time offset of the KDC
relative to the client.  Adding this offset to the current time on the
client should give the current time on the KDC, if that offset has not
changed since the initial authentication.

.. _cache_principal_format:

Principal format
----------------

The default principal is marshalled using the following informal
grammar::

    principal ::=
        name type (32 bits) [omitted in version 1]
        count of components (32 bits) [includes realm in version 1]
        realm (data)
        component1 (data)
        component2 (data)
        ...

    data ::=
        length (32 bits)
        value (length bytes)

There is no external framing on the default principal, so it must be
parsed according to the above grammar in order to find the sequence of
credentials which follows.
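The following is an added example, not code from the krb5 tree: a reader for this file format that applies the version rules, the version-4 header, and the principal grammar above, and also walks the credential sequence and recognizes configuration entries as described in the next two sections. The sample cache it parses is constructed in memory, so it runs offline; everything about it (principal names, key bytes, times) is made up.

```python
import struct

CONF_REALM = "X-CACHECONF:"
CONF_FIRST = "krb5_ccache_conf_data"


class CCache:
    def __init__(self, raw):
        if len(raw) < 2 or raw[0] != 5 or not 1 <= raw[1] <= 4:
            raise ValueError("not a krb5 FILE credential cache")
        self.raw, self.version, self.pos = raw, raw[1], 2
        self.bo = ">" if self.version >= 3 else "="  # v1/v2 use native byte order
        self.kdc_offset = None  # (seconds, microseconds) from the v4 header
        if self.version == 4:
            self._header()
        self.default_principal = self._principal()
        self.entries = []
        while self.pos < len(raw):  # no count and no end marker: read to EOF
            self.entries.append(self._credential())

    def _unpack(self, fmt):
        fmt = self.bo + fmt
        end = self.pos + struct.calcsize(fmt)
        if end > len(self.raw):
            raise ValueError("truncated cache at offset %d" % self.pos)
        vals = struct.unpack_from(fmt, self.raw, self.pos)
        self.pos = end
        return vals

    def _data(self):
        (n,) = self._unpack("I")
        if self.pos + n > len(self.raw):
            raise ValueError("truncated data field at offset %d" % self.pos)
        self.pos += n
        return self.raw[self.pos - n:self.pos]

    def _header(self):
        (hlen,) = self._unpack("H")
        end = self.pos + hlen
        while self.pos < end:
            tag, flen = self._unpack("HH")
            if tag == 1 and flen == 8:  # KDC time offset; unknown tags ignored
                self.kdc_offset = self._unpack("II")
            else:
                self.pos += flen
        self.pos = end

    def _principal(self):
        name_type = 1 if self.version == 1 else self._unpack("I")[0]
        (count,) = self._unpack("I")
        if self.version == 1:
            count -= 1  # version 1 counts the realm as a component
        realm = self._data().decode()
        return name_type, realm, [self._data().decode() for _ in range(count)]

    def _credential(self):
        c = {"client": self._principal(), "server": self._principal()}
        c["enctype"] = self._unpack("H")[0]
        if self.version == 3:
            self._unpack("H")  # enctype is written twice in version 3
        c["key"] = self._data()
        (c["authtime"], c["starttime"], c["endtime"],
         c["renew_till"]) = self._unpack("IIII")
        c["is_skey"] = bool(self._unpack("B")[0])
        c["ticket_flags"] = self._unpack("I")[0]
        c["addresses"] = [(self._unpack("H")[0], self._data())
                          for _ in range(self._unpack("I")[0])]
        c["authdata"] = [(self._unpack("H")[0], self._data())
                         for _ in range(self._unpack("I")[0])]
        c["ticket"], c["second_ticket"] = self._data(), self._data()
        return c


def config_entry(cred):
    """(key, associated principal or None, value) for a configuration entry,
    else None.  The value is opaque and must not be decoded as a ticket."""
    _, realm, comps = cred["server"]
    if realm != CONF_REALM or len(comps) not in (2, 3) or comps[0] != CONF_FIRST:
        return None
    return comps[1], (comps[2] if len(comps) == 3 else None), cred["ticket"]


# Constructed version-4 sample (not a real cache): alice's TGT plus a
# fast_avail configuration entry associated with the initial-auth server.
def _d(b):
    return struct.pack(">I", len(b)) + b

def _p(*names):  # realm first, then the components
    return struct.pack(">II", 1, len(names) - 1) + b"".join(_d(s.encode()) for s in names)

def _cred(client, server, ticket, enctype=0, key=b"", endtime=0):
    return (client + server + struct.pack(">H", enctype) + _d(key)
            + struct.pack(">IIIIBIII", 0, 0, endtime, 0, 0, 0, 0, 0) + _d(ticket) + _d(b""))

ALICE = _p("EXAMPLE.COM", "alice")
SAMPLE = (b"\x05\x04" + struct.pack(">HHHII", 12, 1, 8, 2, 500000) + ALICE
          + _cred(ALICE, _p("EXAMPLE.COM", "krbtgt", "EXAMPLE.COM"),
                  b"<constructed ticket>", 18, b"\x11" * 32, 1700000000)
          + _cred(ALICE, _p(CONF_REALM, CONF_FIRST, "fast_avail",
                            "krbtgt/EXAMPLE.COM@EXAMPLE.COM"), b"yes"))

if __name__ == "__main__":
    for e in CCache(SAMPLE).entries:
        print(config_entry(e) or e["server"])
```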

.. _ccache_credential_format:

Credential format
-----------------

The credential format uses the following informal grammar (referencing
the ``principal`` and ``data`` types from the previous section)::

    credential ::=
        client (principal)
        server (principal)
        keyblock (keyblock)
        authtime (32 bits)
        starttime (32 bits)
        endtime (32 bits)
        renew_till (32 bits)
        is_skey (1 byte, 0 or 1)
        ticket_flags (32 bits)
        addresses (addresses)
        authdata (authdata)
        ticket (data)
        second_ticket (data)

    keyblock ::=
        enctype (16 bits) [repeated twice in version 3]
        data

    addresses ::=
        count (32 bits)
        address1
        address2
        ...

    address ::=
        addrtype (16 bits)
        data

    authdata ::=
        count (32 bits)
        authdata1
        authdata2
        ...

    authdata ::=
        ad_type (16 bits)
        data

There is no external framing on a marshalled credential, so it must be
parsed according to the above grammar in order to find the next
credential.  There is also no count of credentials or marker at the
end of the sequence of credentials; the sequence ends when the file
ends.

Credential cache configuration entries
--------------------------------------

Configuration entries are encoded as credential entries.  The client
principal of the entry is the default principal of the cache.  The
server principal has the realm ``X-CACHECONF:`` and two or three
components, the first of which is ``krb5_ccache_conf_data``.  The
server principal's second component is the configuration key.  The
third component, if it exists, is a principal to which the
configuration key is associated.  The configuration value is stored in
the ticket field of the entry.  All other entry fields are zeroed.

Programs using credential caches must be aware of configuration
entries for several reasons:

* A program which displays the contents of a cache should not
  generally display configuration entries.

* The ticket field of a configuration entry is not (usually) a valid
  encoding of a Kerberos ticket.  An implementation must not treat the
  cache file as malformed if it cannot decode the ticket field.

* Configuration entries have an endtime field of 0 and might therefore
  always be considered expired, but they should not be treated as
  unimportant as a result.  For instance, a program which copies
  credentials from one cache to another should not omit configuration
  entries because of the endtime.

The following configuration keys are currently used in MIT krb5:

fast_avail
    The presence of this key with a non-empty value indicates that the
    KDC asserted support for FAST (see :rfc:`6113`) during the initial
    authentication, using the negotiation method described in
    :rfc:`6806` section 11.  This key is not associated with any
    principal.

pa_config_data
    The value of this key contains a JSON object representation of
    parameters remembered by the preauthentication mechanism used
    during the initial authentication.  These parameters may be used
    when refreshing credentials.  This key is associated with the
    server principal of the initial authentication (usually the local
    krbtgt principal of the client realm).

pa_type
    The value of this key is the ASCII decimal representation of the
    preauth type number used during the initial authentication.  This
    key is associated with the server principal of the initial
    authentication.

proxy_impersonator
    The presence of this key indicates that the cache is a synthetic
    delegated credential for use with S4U2Proxy.  The value is the
    name of the intermediate service whose TGT can be used to make
    S4U2Proxy requests for target services.  This key is not
    associated with any principal.

refresh_time
    The presence of this key indicates that the cache was acquired by
    the GSS mechanism using a client keytab.  The value is the ASCII
    decimal representation of a timestamp at which the GSS mechanism
    should attempt to refresh the credential cache from the client
    keytab.

start_realm
    This key indicates the realm of the ticket-granting ticket to be
    used for TGS requests, when making a referrals request or
    beginning a cross-realm request.
    If it is not present, the client realm is used.

Protocols and file formats
==========================

.. toctree::
   :maxdepth: 1

   ccache_file_format
   keytab_file_format
   rcache_file_format
   cookie
   freshness_token

Replay cache file format
========================

This section documents the second version of the replay cache file
format, used by the "file2" replay cache type (new in release 1.18).
The first version of the file replay cache format is not documented.

All accesses to the replay cache file take place under an exclusive
POSIX or Windows file lock, obtained when the file is opened and
released when it is closed.  Replay cache files are automatically
created when first accessed.

For each store operation, a tag is derived from the checksum part of
the :RFC:`3961` ciphertext of the authenticator.  The checksum is
coerced to a fixed length of 12 bytes, either through truncation or
right-padding with zero bytes.  A four-byte timestamp is appended to
the tag to produce a total record length of 16 bytes.

Bytes 0 through 15 of the file contain a hash seed for the SipHash-2-4
algorithm (siphash_); this field is populated with random bytes when
the file is first created.  All remaining bytes are divided into a
series of expanding hash tables:

* Bytes 16-16383: hash table 1 (1023 slots)
* Bytes 16384-49151: hash table 2 (2048 slots)
* Bytes 49152-114687: hash table 3 (4096 slots)
* ...

Only some hash tables will be present in the file at any specific
time, and the final table may be only partially filled.  Replay cache
files may be sparse if the filesystem supports it.

For each table present in the file, the tag is hashed with SipHash-2-4
using the seed recorded in the file.
The first byte of the seed is incremented by one (modulo 256) for each
table after the first.  The resulting hash value is taken modulo one
less than the table size (1022 for the first hash table, 2047 for the
second) to produce the index.  The record may be found at the slot
given by the index or at the next slot.

All candidate locations for the record must be searched until a slot
is found with a timestamp of zero (indicating a slot which has never
been written to) or an offset is reached at or beyond the end of the
file.  Any candidate location with a timestamp value of zero, with a
timestamp value less than the current time minus clockskew, or at or
beyond the end of the file is available for writing.  When all
candidate locations have been searched without finding a match, the
new entry is written to the earliest candidate available for writing.

.. _siphash: https://131002.net/siphash/siphash.pdf

.. _keytab_file_format:

Keytab file format
==================

There are two versions of the file format used by the FILE keytab
type.  The first byte of the file always has the value 5, and the
value of the second byte contains the version number (1 or 2).
Version 1 of the file format uses native byte order for integer
representations.  Version 2 always uses big-endian byte order.

After the two-byte version indicator, the file contains a sequence of
signed 32-bit record lengths followed by key records or holes.  A
positive record length indicates a valid key entry whose size is equal
to or less than the record length.  A negative length indicates a
zero-filled hole whose size is the inverse of the length.  A length of
0 indicates the end of the file.

Key entry format
----------------

A key entry may be smaller in size than the record length which
precedes it, because it may have replaced a hole which is larger than
the key entry.
Key entries use the following informal grammar::

    entry ::=
        principal
        timestamp (32 bits)
        key version (8 bits)
        enctype (16 bits)
        key length (16 bits)
        key contents
        key version (32 bits) [in release 1.14 and later]

    principal ::=
        count of components (16 bits) [includes realm in version 1]
        realm (data)
        component1 (data)
        component2 (data)
        ...
        name type (32 bits) [omitted in version 1]

    data ::=
        length (16 bits)
        value (length bytes)

The 32-bit key version overrides the 8-bit key version.  To determine
if it is present, the implementation must check that at least 4 bytes
remain in the record after the other fields are read, and that the
value of the 32-bit integer contained in those bytes is non-zero.

krb5-1.19.2/doc/html/_sources/formats/cookie.rst.txt

KDC cookie format
=================

:rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which
clients are required to reflect back to the KDC during
pre-authentication.  The MIT krb5 KDC uses the following formats for
cookies.

Trivial cookie (version 0)
--------------------------

If there is no pre-authentication mechanism state information to save,
a trivial cookie containing the value "MIT" is used.  A trivial cookie
is needed to indicate that the conversation can continue.

Secure cookie (version 1)
-------------------------

In release 1.14 and later, a secure cookie can be sent if there is any
mechanism state to save for the next request.  A secure cookie
contains the concatenation of the following:

* the four bytes "MIT1"
* a four-byte big-endian kvno value
* an :rfc:`3961` ciphertext

The ciphertext is encrypted in the cookie key with key usage number
513.  The cookie key is derived from a key in the local krbtgt
principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM``
if the request is to the ``KRBTEST.COM`` realm).
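The keytab grammar given in the previous section (under "Key entry format"), as an added worked example that is not part of the krb5 documentation or library: a version-2 reader that applies the record-length, hole and 32-bit kvno rules, with a small writer used only to build the constructed sample. Enctypes 17 and 18 are the registered aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96 numbers and name type 1 is NT-PRINCIPAL; the key bytes, timestamps and principal names are made up. Version 1 (native byte order) is deliberately rejected rather than guessed at.

```python
"""Added example (not MIT krb5 code): reader for version-2 FILE keytabs
following the grammar above, plus a writer used to build the sample.
Sample key bytes, timestamps and principals are constructed.
"""
import struct


def _data(value):
    return struct.pack(">H", len(value)) + value


def encode_entry(realm, components, name_type, timestamp, kvno, enctype, key,
                 kvno32=True):
    """Serialize one key entry; kvno32=False omits the trailing 32-bit kvno."""
    body = struct.pack(">H", len(components)) + _data(realm)
    for comp in components:
        body += _data(comp)
    body += struct.pack(">IIBHH", name_type, timestamp, kvno & 0xFF,
                        enctype, len(key)) + key
    if kvno32:
        body += struct.pack(">I", kvno)
    return body


def build_keytab(items):
    """items: entry bytes, (entry bytes, padding) pairs, or negative ints (holes)."""
    out = b"\x05\x02"
    for item in items:
        if isinstance(item, int):  # hole: negative length, zero-filled body
            out += struct.pack(">i", item) + b"\0" * -item
            continue
        entry, pad = item if isinstance(item, tuple) else (item, 0)
        out += struct.pack(">i", len(entry) + pad) + entry + b"\0" * pad
    return out + struct.pack(">i", 0)  # length 0 marks end of file


def _parse_entry(rec):
    """Parse one key entry; raise ValueError if any field runs past the record."""
    pos = 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(rec):
            raise ValueError("truncated key entry")
        vals = struct.unpack_from(fmt, rec, pos)
        pos += size
        return vals

    def data():
        nonlocal pos
        (n,) = take(">H")
        if pos + n > len(rec):
            raise ValueError("truncated data field")
        val = bytes(rec[pos:pos + n])
        pos += n
        return val

    (ncomp,) = take(">H")           # version 2: realm not counted
    realm = data()
    comps = [data() for _ in range(ncomp)]
    name_type, timestamp, kvno, enctype, keylen = take(">IIBHH")
    if pos + keylen > len(rec):
        raise ValueError("truncated key contents")
    key = bytes(rec[pos:pos + keylen])
    pos += keylen
    # 32-bit kvno is present only if >= 4 bytes remain and the value is nonzero.
    if len(rec) - pos >= 4:
        (kvno32,) = take(">I")
        if kvno32 != 0:
            kvno = kvno32
    principal = b"/".join(comps).decode() + "@" + realm.decode()
    return {"principal": principal, "name_type": name_type, "timestamp": timestamp,
            "kvno": kvno, "enctype": enctype, "key": key}


def parse_keytab(buf):
    """Return the key entries of a version-2 FILE keytab; holes are skipped."""
    if len(buf) < 2 or buf[0] != 5:
        raise ValueError("not a keytab")
    if buf[1] != 2:
        raise ValueError("only keytab version 2 (big-endian) is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(buf):
        (reclen,) = struct.unpack_from(">i", buf, pos)
        pos += 4
        if reclen == 0:
            break
        if reclen < 0:              # zero-filled hole of size -reclen
            pos += -reclen
            continue
        if pos + reclen > len(buf):
            raise ValueError("record runs past end of file")
        entries.append(_parse_entry(buf[pos:pos + reclen]))
        pos += reclen
    return entries


def is_valid_keytab(buf):
    try:
        parse_keytab(buf)
        return True
    except ValueError:
        return False


# Constructed sample: one entry with kvno 300 (needs the 32-bit field), a
# 24-byte hole, then an entry padded with 4 zero bytes (32-bit kvno absent).
SAMPLE = build_keytab([
    encode_entry(b"ATHENA.MIT.EDU", [b"host", b"trillium.mit.edu"], 1,
                 1500000000, 300, 18, bytes(range(32))),
    -24,
    (encode_entry(b"ATHENA.MIT.EDU", [b"ftp", b"trillium.mit.edu"], 1,
                  1500000000, 3, 17, bytes(16), kvno32=False), 4),
])
```

The second sample entry shows why the non-zero test matters: its record length leaves exactly four zero bytes after the key, and without the check a reader would report kvno 0 instead of 3. Every length field is bounds-checked before it is trusted, since keytabs are root-owned but still parsed by unprivileged client code in some deployments.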
The first krbtgt key for the indicated kvno value is combined with the
client principal as follows::

    cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ))

where **random-to-key** is the :rfc:`3961` random-to-key operation for
the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`,
and ``|`` denotes concatenation.  *client-princ* is the request client
principal name with realm, marshalled according to :rfc:`1964` section
2.1.1.

The plain text of the encrypted part of a cookie is the DER encoding
of the following ASN.1 type::

    SecureCookie ::= SEQUENCE {
        time     INTEGER,
        data     SEQUENCE OF PA-DATA,
        ...
    }

The time field represents the cookie creation time; for brevity, it is
encoded as an integer giving the POSIX timestamp rather than as an
ASN.1 GeneralizedTime value.

The data field contains one element for each pre-authentication type
which requires saved state.  For mechanisms which have separate
request and reply types, the request type is used; this allows the KDC
to determine whether a cookie is relevant to a request by comparing
the request pa-data types to the cookie data types.

SPAKE cookie format (version 1)
-------------------------------

Inside the SecureCookie wrapper, a data value of type 151 contains
state for SPAKE pre-authentication.  This data is the concatenation of
the following:

* a two-byte big-endian version number with the value 1
* a two-byte big-endian stage number
* a four-byte big-endian group number
* a four-byte big-endian length and data for the SPAKE value
* a four-byte big-endian length and data for the transcript hash
* zero or more second factor records, each consisting of:

  - a four-byte big-endian second-factor type
  - a four-byte big-endian length and data

The stage value is 0 if the cookie was sent with a challenge message.
Otherwise it is 1 for the first encdata message sent by the KDC during
an exchange, 2 for the second, etc.  The group value indicates the
group number used in the SPAKE challenge.
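The cookie framing and the SPAKE state layout just listed, as an added worked example that is not MIT krb5 code: it classifies a PA-FX-COOKIE value as trivial or secure, and parses a decrypted type-151 value, enforcing the rule (stated in the next paragraphs) that a non-stage-0 cookie carries exactly one second-factor record. Decryption of the secure cookie is out of scope, since it needs the krbtgt-derived cookie key. The group number 1 and the second-factor type 2 used in the constructed samples are placeholders; the page does not list registry values.

```python
"""Added example (not MIT krb5 code): outer cookie framing and the
version-1 SPAKE state blob described above.  Samples are constructed;
group number 1 and second-factor type 2 are placeholder values.
"""
import struct


def parse_cookie(cookie):
    """Classify a PA-FX-COOKIE value: trivial "MIT", or "MIT1" + kvno + ciphertext."""
    if cookie == b"MIT":
        return {"version": 0}
    if len(cookie) >= 8 and cookie[:4] == b"MIT1":
        (kvno,) = struct.unpack_from(">I", cookie, 4)
        return {"version": 1, "kvno": kvno, "ciphertext": bytes(cookie[8:])}
    raise ValueError("unrecognized cookie format")


def _lendata(buf, pos):
    """Read a four-byte big-endian length followed by that many bytes."""
    if pos + 4 > len(buf):
        raise ValueError("truncated length")
    (n,) = struct.unpack_from(">I", buf, pos)
    pos += 4
    if pos + n > len(buf):
        raise ValueError("truncated data")
    return bytes(buf[pos:pos + n]), pos + n


def parse_spake_state(data):
    """Parse the pa-data type 151 value found inside a decrypted SecureCookie."""
    if len(data) < 8:
        raise ValueError("too short")
    version, stage, group = struct.unpack_from(">HHI", data, 0)
    if version != 1:
        raise ValueError("unsupported SPAKE cookie version %d" % version)
    pos = 8
    spake_value, pos = _lendata(data, pos)   # private scalar (stage 0) or K
    transcript, pos = _lendata(data, pos)    # intermediate or final hash
    factors = []
    while pos < len(data):
        if pos + 4 > len(data):
            raise ValueError("truncated second-factor type")
        (sf_type,) = struct.unpack_from(">I", data, pos)
        sf_data, pos = _lendata(data, pos + 4)
        factors.append((sf_type, sf_data))
    # Stage 0 (sent with the challenge) may carry any number of second-factor
    # records; later stages carry exactly one, for the factor the client chose.
    if stage != 0 and len(factors) != 1:
        raise ValueError("stage %d cookie needs exactly one second-factor record"
                         % stage)
    return {"stage": stage, "group": group, "spake_value": spake_value,
            "transcript": transcript, "second_factors": factors}


def is_well_formed_spake_state(data):
    try:
        parse_spake_state(data)
        return True
    except ValueError:
        return False


def encode_spake_state(stage, group, spake_value, transcript, factors=()):
    """Inverse of parse_spake_state; used only to build the constructed samples."""
    out = struct.pack(">HHI", 1, stage, group)
    out += struct.pack(">I", len(spake_value)) + spake_value
    out += struct.pack(">I", len(transcript)) + transcript
    for sf_type, sf_data in factors:
        out += struct.pack(">II", sf_type, len(sf_data)) + sf_data
    return out


# Constructed samples (placeholder bytes, not real SPAKE values).
STAGE0 = encode_spake_state(0, 1, b"\x11" * 32, b"\x22" * 32)
STAGE1 = encode_spake_state(1, 1, b"\x33" * 32, b"\x44" * 32, [(2, b"state")])
```

A practical point this makes visible: a stage-0 cookie contains the KDC's SPAKE private scalar in the clear once the SecureCookie is decrypted, so the strength of the whole mechanism rests on the cookie key (and therefore on the krbtgt key) and on the key usage 513 encryption, not on anything inside the blob.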
For a stage-0 cookie, the SPAKE value is the KDC private key,
represented in the scalar marshalling form of the group.  For other
cookies, the SPAKE value is the SPAKE result K, represented in the
group element marshalling form.

For a stage-0 cookie, the transcript hash is the intermediate hash
after updating with the client support message (if one was sent) and
challenge.  For other cookies it is the final hash.

For a stage-0 cookie, there may be any number of second-factor
records, including none; a second-factor type need not create a state
field if it does not need one, and no record is created for SF-NONE.
For other cookies, there must be exactly one second-factor record
corresponding to the factor type chosen by the client.

krb5-1.19.2/doc/html/_sources/about.rst.txt

Contributing to the MIT Kerberos Documentation
==============================================

We are looking for documentation writers and editors who could
contribute towards improving the MIT KC documentation content.  If you
are an experienced Kerberos developer and/or administrator, please
consider sharing your knowledge and experience with the Kerberos
Community.  You can suggest your own topic or write about any of the
topics listed `here `__.

If you have any questions, comments, or suggestions on the existing
documents, please send your feedback via email to krb5-bugs@mit.edu.
The HTML version of this documentation has a "FEEDBACK" link to the
krb5-bugs@mit.edu email address with a pre-constructed subject line.

Background
----------

Starting with release 1.11, the Kerberos documentation set is unified
in a central form.  Man pages, HTML documentation, and PDF documents
are compiled from reStructuredText sources, and the application
developer documentation incorporates Doxygen markup from the source
tree.  This project was undertaken along the outline described
`here `__.
Previous versions of Kerberos 5 attempted to maintain separate
documentation in the texinfo format, with separate groff manual pages.
Having the API documentation disjoint from the source code
implementing that API resulted in the documentation becoming stale,
and over time the documentation ceased to match reality.

With a fresh start and a source format that is easier to use and
maintain, reStructuredText-based documents should provide an improved
experience for the user.  Consolidating all the documentation formats
into a single source document makes the documentation set easier to
maintain.

krb5-1.19.2/doc/html/_sources/admin/https.rst.txt

.. _https:

HTTPS proxy configuration
=========================

In addition to being able to use UDP or TCP to communicate directly
with a KDC as is outlined in RFC4120, and with kpasswd services in a
similar fashion, the client libraries can attempt to use an HTTPS
proxy server to communicate with a KDC or kpasswd service, using the
protocol outlined in [MS-KKDCP].

Communicating with a KDC through an HTTPS proxy allows clients to
contact servers when network firewalls might otherwise prevent them
from doing so.  The use of TLS also encrypts all traffic between the
clients and the proxy, preventing observers on that path from
conducting password dictionary attacks or from observing the client
and server principals being authenticated, at additional computational
cost to both clients and servers.  The leg between the proxy and the
KDC is ordinary Kerberos traffic and is not covered by the TLS
session.

An HTTPS proxy server is provided as a feature in some versions of
Microsoft Windows Server, and a WSGI implementation named `kdcproxy`
is available in the python package index.

Configuring the clients
-----------------------

To use an HTTPS proxy, a client host must trust the CA which issued
that proxy's SSL certificate.
If that CA's certificate is not in the system-wide default set of
trusted certificates, configure the following relation in the client
host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms`
subsection::

    http_anchors = FILE:/etc/krb5/cacert.pem

Adjust the pathname to match the path of the file which contains a
copy of the CA's certificate.  The `http_anchors` option is documented
more fully in :ref:`krb5.conf(5)`.

Configure the client to access the KDC and kpasswd service by
specifying their locations in its :ref:`krb5.conf(5)` file in the form
of HTTPS URLs for the proxy server::

    kdc = https://server.fqdn/KdcProxy
    kpasswd_server = https://server.fqdn/KdcProxy

If the proxy and client are properly configured, client commands such
as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally.

krb5-1.19.2/doc/html/_sources/admin/install_appl_srv.rst.txt

UNIX Application Servers
========================

An application server is a host that provides one or more services
over the network.  Application servers can be "secure" or "insecure."
A "secure" host is set up to require authentication from every client
connecting to it.  An "insecure" host will still provide Kerberos
authentication, but will also allow unauthenticated clients to
connect.

If you have Kerberos V5 installed on all of your client machines, MIT
recommends that you make your hosts secure, to take advantage of the
security that Kerberos authentication affords.  However, if you have
some clients that do not have Kerberos V5 installed, you can run an
insecure server, and still take advantage of Kerberos V5's single
sign-on capability.

.. _keytab_file:

The keytab file
---------------

All Kerberos server machines need a keytab file to authenticate to the
KDC.  By default on UNIX-like systems this file is named |keytab|.
The keytab file is a local copy of the host's key.
The keytab file is a potential point of entry for a break-in, and if
compromised, would allow unrestricted access to its host.  The keytab
file should be readable only by root, and should exist only on the
machine's local disk.  The file should not be part of any backup of
the machine, unless access to the backup data is secured as tightly as
access to the machine's root password.

In order to generate a keytab for a host, the host must have a
principal in the Kerberos database.  The procedure for adding hosts to
the database is described fully in :ref:`add_mod_del_princs`.  (See
:ref:`replica_host_key` for a brief description.)  The keytab is
generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd`
command.  For example, to generate a keytab file to allow the host
``trillium.mit.edu`` to authenticate for the services host, ftp, and
pop, the administrator ``joeadmin`` would issue the command (on
``trillium.mit.edu``)::

    trillium% kadmin
    Authenticating as principal root/admin@ATHENA.MIT.EDU with password.
    Password for root/admin@ATHENA.MIT.EDU:
    kadmin: ktadd host/trillium.mit.edu ftp/trillium.mit.edu pop/trillium.mit.edu
    Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    kadmin: quit
    trillium%

Note that ktadd generates new random keys for the named principals
and increments their kvno, so any other keytab still holding the
previous keys for those principals stops working.

If you generate the keytab file on another host, you need to get a
copy of the keytab file onto the destination host (``trillium``, in
the above example) without sending it unencrypted over the network.
Some advice about secure hosts
------------------------------

Kerberos V5 can protect your host from certain types of break-ins, but
it is possible to install Kerberos V5 and still leave your host
vulnerable to attack.  Obviously an installation guide is not the
place to try to include an exhaustive list of countermeasures for
every possible attack, but it is worth noting some of the larger holes
and how to close them.

We recommend that backups of secure machines exclude the keytab file
(|keytab|).  If this is not possible, the backups should at least be
done locally, rather than over a network, and the backup tapes should
be physically secured.

The keytab file and any programs run by root, including the Kerberos
V5 binaries, should be kept on local disk.  The keytab file should be
readable only by root.

krb5-1.19.2/doc/html/_sources/admin/troubleshoot.rst.txt

.. _troubleshoot:

Troubleshooting
===============

.. _trace_logging:

Trace logging
-------------

Most programs using MIT krb5 1.9 or later can be made to provide
information about internal krb5 library operations using trace
logging.  To enable this, set the **KRB5_TRACE** environment variable
to a filename before running the program.  On many operating systems,
the filename ``/dev/stdout`` can be used to send trace logging output
to standard output.

Some programs do not honor **KRB5_TRACE**, either because they use
secure library contexts (this generally applies to setuid programs and
parts of the login system) or because they take direct control of the
trace logging system using the API.
Here is a short example showing trace logging output for an invocation
of the :ref:`kvno(1)` command::

    shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
    [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM using ccache FILE:/me/krb5/build/testdir/ccache
    [9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> krbtgt/KRBTEST.COM@KRBTEST.COM from FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
    krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1

List of errors
--------------

Frequently seen errors
~~~~~~~~~~~~~~~~~~~~~~

#. :ref:`init_creds_ETYPE_NOSUPP`
#. :ref:`cert_chain_ETYPE_NOSUPP`
#. :ref:`err_cert_chain_cert_expired`

Errors seen by admins
~~~~~~~~~~~~~~~~~~~~~

.. _prop_failed_start:

#. :ref:`kprop_no_route`
#. :ref:`kprop_con_refused`
#. :ref:`kprop_sendauth_exchange`

.. _prop_failed_end:

-----

.. _init_creds_etype_nosupp:

KDC has no support for encryption type while getting initial credentials
........................................................................

.. _cert_chain_etype_nosupp:

credential verification failed: KDC has no support for encryption type
......................................................................

This most commonly happens when trying to use a principal with only
DES keys, in a release (MIT krb5 1.7 or later) which disables DES by
default.  DES encryption is considered weak due to its inadequate key
size.  If you cannot migrate away from its use, you can re-enable DES
by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults`
section of :ref:`krb5.conf(5)`.  This setting applies to every
principal the host deals with, not only the affected one, so treat it
as a stopgap while the remaining DES keys are replaced.

.. _err_cert_chain_cert_expired:

Cannot create cert chain: certificate has expired
.................................................

This error message indicates that PKINIT authentication failed because
the client certificate, KDC certificate, or one of the certificates in
the signing chain above them has expired.
If the KDC certificate has expired, this message appears in the KDC
log file, and the client will receive a "Preauthentication failed"
error.  (Prior to release 1.11, the KDC log file message erroneously
appears as "Out of memory".  Prior to release 1.12, the client will
receive a "Generic error".)

If the client or a signing certificate has expired, this message may
appear in trace_logging_ output from :ref:`kinit(1)` or, starting in
release 1.12, as an error message from kinit or another program which
gets initial tickets.  The error message is more likely to appear
properly on the client if the principal entry has no long-term keys.

.. _kprop_no_route:

kprop: No route to host while connecting to server
..................................................

Make sure that the hostname of the replica KDC (as given to kprop) is
correct, and that any firewalls between the primary and the replica
allow a connection on port 754.

.. _kprop_con_refused:

kprop: Connection refused while connecting to server
....................................................

If the replica KDC is intended to run kpropd out of inetd, make sure
that inetd is configured to accept krb5_prop connections.  inetd may
need to be restarted or sent a SIGHUP to recognize the new
configuration.  If the replica is intended to run kpropd in standalone
mode, make sure that it is running.

.. _kprop_sendauth_exchange:

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
...............................................................................................

Make sure that:

#. The time is synchronized between the primary and replica KDCs.
#. The master stash file was copied from the primary to the expected
   location on the replica.
#. The replica has a keytab file in the default location containing a
   ``host`` principal for the replica's hostname.
krb5-1.19.2/doc/html/_sources/admin/dictionary.rst.txt

.. _dictionary:

Addressing dictionary attack risks
==================================

Kerberos initial authentication is normally secured using the client
principal's long-term key, which for users is generally derived from a
password.  Using a password-derived long-term key carries the risk of
a dictionary attack, where an attacker tries a sequence of possible
passwords, possibly requiring much less effort than would be required
to try all possible values of the key.  Even if :ref:`password policy
objects ` are used to force users not to pick trivial passwords,
dictionary attacks can sometimes be successful against a significant
fraction of the users in a realm.  Dictionary attacks are not a
concern for principals using random keys.

A dictionary attack may be online or offline.  An online dictionary
attack is performed by trying each password in a separate request to
the KDC, and is therefore visible to the KDC and also limited in speed
by the KDC's processing power and the network capacity between the
client and the KDC.  Online dictionary attacks can be mitigated using
:ref:`account lockout `.  This measure is not totally satisfactory, as
it makes it easy for an attacker to deny access to a client principal.

An offline dictionary attack is performed by obtaining a ciphertext
generated using the password-derived key, and trying each password
against the ciphertext.  This category of attack is invisible to the
KDC and can be performed much faster than an online attack.  The
attack will generally take much longer with more recent encryption
types (particularly the ones based on AES), because those encryption
types use a much more expensive string-to-key function.  However, the
best defense is to deny the attacker access to a useful ciphertext.

The required defensive measures depend on the attacker's level of
network access.
An off-path attacker has no access to packets sent between legitimate
users and the KDC.  An off-path attacker could gain access to an
attackable ciphertext either by making an AS request for a client
principal which does not have the **+requires_preauth** flag, or by
making a TGS request (after authenticating as a different user) for a
server principal which does not have the **-allow_svr** flag.  To
address off-path attackers, a KDC administrator should set those flags
on principals with password-derived keys::

    kadmin: add_principal +requires_preauth -allow_svr princname

An attacker with passive network access (one who can monitor packets
sent between legitimate users and the KDC, but cannot change them or
insert their own packets) can gain access to an attackable ciphertext
by observing an authentication by a user using the most common form of
preauthentication, encrypted timestamp.  Any of the following methods
can prevent dictionary attacks by attackers with passive network
access:

* Enabling :ref:`SPAKE preauthentication ` (added in release 1.17) on
  the KDC, and ensuring that all clients are able to support it.

* Using an :ref:`HTTPS proxy ` for communication with the KDC, if the
  attacker cannot monitor communication between the proxy server and
  the KDC.

* Using FAST, protecting the initial authentication with either a
  random key (such as a host key) or with :ref:`anonymous PKINIT `.

An attacker with active network access (one who can inject or modify
packets sent between legitimate users and the KDC) can try to fool the
client software into sending an attackable ciphertext using an
encryption type and salt string of the attacker's choosing.  Any of
the following methods can prevent dictionary attacks by active
attackers:

* Enabling SPAKE preauthentication and setting the
  **disable_encrypted_timestamp** variable to ``true`` in the
  :ref:`realms` subsection of the client configuration.
* Using an HTTPS proxy as described above, configured in the client's
  krb5.conf realm configuration.  If :ref:`KDC discovery ` is used to
  locate a proxy server, an active attacker may be able to use DNS
  spoofing to cause the client to use a different HTTPS server or to
  not use HTTPS.

* Using FAST as described above.

If :ref:`PKINIT ` or :ref:`OTP ` are used for initial authentication,
the principal's long-term keys are not used and dictionary attacks are
usually not a concern.

krb5-1.19.2/doc/html/_sources/admin/spake.rst.txt

.. _spake:

SPAKE Preauthentication
=======================

SPAKE preauthentication (added in release 1.17) uses public key
cryptography techniques to protect against :ref:`password dictionary
attacks `.  Unlike :ref:`PKINIT `, it does not require any additional
infrastructure such as certificates; it simply needs to be turned on.
Using SPAKE preauthentication may modestly increase the CPU and
network load on the KDC.

SPAKE preauthentication can use one of four elliptic curve groups for
its password-authenticated key exchange.  The recommended group is
``edwards25519``; three NIST curves (``P-256``, ``P-384``, and
``P-521``) are also supported.

By default, SPAKE with the ``edwards25519`` group is enabled on
clients, but the KDC does not offer SPAKE by default.  To turn it on,
set the **spake_preauth_groups** variable in :ref:`libdefaults` to a
list of allowed groups.  This variable affects both the client and the
KDC.  Simply setting it to ``edwards25519`` is recommended::

    [libdefaults]
        spake_preauth_groups = edwards25519

Set the **+requires_preauth** and **-allow_svr** flags on client
principal entries, as you would for any preauthentication mechanism::

    kadmin: modprinc +requires_preauth -allow_svr PRINCNAME

Clients which do not implement SPAKE preauthentication will fall back
to encrypted timestamp.
An active attacker can force a fallback to encrypted timestamp by
modifying the initial KDC response, defeating the protection against
dictionary attacks.  To prevent this fallback on clients which do
implement SPAKE preauthentication, set the
**disable_encrypted_timestamp** variable to ``true`` in the
:ref:`realms` subsection for realms whose KDCs offer SPAKE
preauthentication.

By default, SPAKE preauthentication requires an extra network round
trip to the KDC during initial authentication.  If most of the clients
in a realm support SPAKE, this extra round trip can be eliminated
using an optimistic challenge, by setting the
**spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a
single group name::

    [kdcdefaults]
        spake_preauth_kdc_challenge = edwards25519

Using optimistic challenge will cause the KDC to do extra work for
initial authentication requests that do not result in SPAKE
preauthentication, but will save work when SPAKE preauthentication is
used.

krb5-1.19.2/doc/html/_sources/admin/realm_config.rst.txt

Realm configuration decisions
=============================

Before installing Kerberos V5, it is necessary to consider the
following issues:

* The name of your Kerberos realm (or the name of each realm, if you
  need more than one).
* How you will assign your hostnames to Kerberos realms.
* Which ports your KDC and kadmind services will use, if they will not
  be using the default ports.
* How many replica KDCs you need and where they should be located.
* The hostnames of your primary and replica KDCs.
* How frequently you will propagate the database from the primary KDC
  to the replica KDCs.

Realm name
----------

Although your Kerberos realm can be any ASCII string, convention is to
make it the same as your domain name, in upper-case letters.
For example, hosts in the domain ``example.com`` would be in the
Kerberos realm::

    EXAMPLE.COM

If you need multiple Kerberos realms, MIT recommends that you use
descriptive names which end with your domain name, such as::

    BOSTON.EXAMPLE.COM
    HOUSTON.EXAMPLE.COM

.. _mapping_hostnames:

Mapping hostnames onto Kerberos realms
--------------------------------------

Mapping hostnames onto Kerberos realms is done in one of three ways.

The first mechanism works through a set of rules in the
:ref:`domain_realm` section of :ref:`krb5.conf(5)`.  You can specify
mappings for an entire domain or on a per-hostname basis.  Typically
you would do this by specifying the mappings for a given domain or
subdomain and listing the exceptions.

The second mechanism is to use KDC host-based service referrals.  With
this method, the KDC's krb5.conf has a full [domain_realm] mapping for
hosts, but the clients do not, or have mappings for only a subset of
the hosts they might contact.  When a client needs to contact a server
host for which it has no mapping, it will ask the client realm's KDC
for the service ticket, and will receive a referral to the appropriate
service realm.  To use referrals, clients must be running MIT krb5 1.6
or later, and the KDC must be running MIT krb5 1.7 or later.  The
**host_based_services** and **no_host_referral** variables in the
:ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to
fine-tune referral behavior on the KDC.

It is also possible for clients to use DNS TXT records, if
**dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`.  Such lookups
are disabled by default because DNS is an insecure protocol and
security holes could result if DNS records are spoofed.  If enabled,
the client will try to look up a TXT record formed by prepending the
prefix ``_kerberos`` to the hostname in question.  If that record is
not found, the client will attempt a lookup by prepending
``_kerberos`` to the host's domain name, then its parent domain, up to
the top-level domain.
For the hostname ``boston.engineering.example.com``, the names looked
up would be::

    _kerberos.boston.engineering.example.com
    _kerberos.engineering.example.com
    _kerberos.example.com
    _kerberos.com

The value of the first TXT record found is taken as the realm name.
Even if you do not choose to use this mechanism within your site, you
may wish to set it up anyway, for use when interacting with other
sites.

Ports for the KDC and admin services
------------------------------------

The default ports used by Kerberos are port 88 for the KDC and port
749 for the admin server.  You can, however, choose to run on other
ports, as long as they are specified in each host's
:ref:`krb5.conf(5)` files or in DNS SRV records, and the
:ref:`kdc.conf(5)` file on each KDC.  For a more thorough treatment of
port numbers used by the Kerberos V5 programs, refer to the
:ref:`conf_firewall`.

Replica KDCs
------------

Replica KDCs provide an additional source of Kerberos ticket-granting
services in the event of inaccessibility of the primary KDC.  The
number of replica KDCs you need and the decision of where to place
them, both physically and logically, depends on the specifics of your
network.

Kerberos authentication requires that each client be able to contact a
KDC.  Therefore, you need to anticipate any likely reason a KDC might
be unavailable and have a replica KDC to take up the slack.

Some considerations include:

* Have at least one replica KDC as a backup, for when the primary KDC
  is down, is being upgraded, or is otherwise unavailable.
* If your network is split such that a network outage is likely to
  cause a network partition (some segment or segments of the network
  to become cut off or isolated from other segments), have a replica
  KDC accessible to each segment.
* If possible, have at least one replica KDC in a different building
  from the primary, in case of power outages, fires, or other
  localized disasters.

.. _kdc_hostnames:

Hostnames for KDCs
------------------

MIT recommends that your KDCs have a predefined set of CNAME records
(DNS hostname aliases), such as ``kerberos`` for the primary KDC and
``kerberos-1``, ``kerberos-2``, ... for the replica KDCs.  This way,
if you need to swap a machine, you only need to change a DNS entry,
rather than having to change hostnames.

As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS
using SRV records (:rfc:`2782`), assuming the Kerberos realm name is
also a DNS domain name.  These records indicate the hostname and port
number to contact for that service, optionally with weighting and
prioritization.  The domain name used in the SRV record name is the
realm name.

Several different Kerberos-related service names are used:

_kerberos._udp
    This is for contacting any KDC by UDP.  This entry will be used
    the most often.  Normally you should list port 88 on each of your
    KDCs.

_kerberos._tcp
    This is for contacting any KDC by TCP.  Normally you should use
    port 88.  This entry should be omitted if the KDC does not listen
    on TCP ports, as was the default prior to release 1.13.

_kerberos-master._udp
    This entry should refer to those KDCs, if any, that will
    immediately see password changes to the Kerberos database.  If a
    user is logging in and the password appears to be incorrect, the
    client will retry with the primary KDC before failing with an
    "incorrect password" error.  If you have only one KDC, or for
    whatever reason there is no accessible KDC that would get database
    changes faster than the others, you do not need to define this
    entry.

_kerberos-adm._tcp
    This should list port 749 on your primary KDC.  Support for it is
    not complete at this time, but it will eventually be used by the
    :ref:`kadmin(1)` program and related utilities.  For now, you will
    also need the **admin_server** variable in :ref:`krb5.conf(5)`.
_kerberos-master._tcp
    The corresponding TCP port for _kerberos-master._udp, assuming the
    primary KDC listens on a TCP port.

_kpasswd._udp
    This entry should list port 464 on your primary KDC.  It is used
    when a user changes her password.  If this entry is not defined
    but a _kerberos-adm._tcp entry is defined, the client will use the
    _kerberos-adm._tcp entry with the port number changed to 464.

_kpasswd._tcp
    The corresponding TCP port for _kpasswd._udp.

The DNS SRV specification requires that the hostnames listed be the
canonical names, not aliases.  So, for example, you might include the
following records in your (BIND-style) zone file::

    $ORIGIN foobar.com.
    _kerberos               TXT     "FOOBAR.COM"
    kerberos                CNAME   daisy
    kerberos-1              CNAME   use-the-force-luke
    kerberos-2              CNAME   bunny-rabbit
    _kerberos._udp          SRV     0 0 88 daisy
                            SRV     0 0 88 use-the-force-luke
                            SRV     0 0 88 bunny-rabbit
    _kerberos-master._udp   SRV     0 0 88 daisy
    _kerberos-adm._tcp      SRV     0 0 749 daisy
    _kpasswd._udp           SRV     0 0 464 daisy

Clients can also be configured with the explicit location of services
using the **kdc**, **master_kdc**, **admin_server**, and
**kpasswd_server** variables in the :ref:`realms` section of
:ref:`krb5.conf(5)`.  Even if some clients will be configured with
explicit server locations, providing SRV records will still benefit
unconfigured clients, and be useful for other sites.

.. _kdc_discovery:

KDC Discovery
-------------

As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI
records (:rfc:`7553`).  Limitations with the SRV record format may
result in extra DNS queries in situations where a client must failover
to other transport types, or find a primary server.  The URI record
can convey more information about a realm's KDCs with a single query.

The client performs a query for the following URI records:

* ``_kerberos.REALM`` for finding KDCs.
* ``_kerberos-adm.REALM`` for finding kadmin services.
* ``_kpasswd.REALM`` for finding password services.

The URI record includes a priority, weight, and a URI string that
consists of case-insensitive colon separated fields, in the form
``scheme:[flags]:transport:residual``.

* *scheme* defines the registered URI type.  It should always be
  ``krb5srv``.
* *flags* contains zero or more flag characters.  Currently the only
  valid flag is ``m``, which indicates that the record is for a
  primary server.
* *transport* defines the transport type of the residual URL or
  address.  Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for
  the MS-KKDCP type.
* *residual* contains the hostname, IP address, or URL to be
  contacted using the specified transport, with an optional port
  extension.  The MS-KKDCP transport type uses an HTTPS URL, and can
  include a port and/or path extension.

An example of URI records in a zone file::

    _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com
                          URI 20 1 krb5srv:m:udp:kdc2.example.com:89
                          URI 40 1 krb5srv::udp:10.10.0.23
                          URI 30 1 krb5srv::kkdcp:https://proxy:89/auth

URI lookups are enabled by default, and can be disabled by setting
**dns_uri_lookup** in the :ref:`libdefaults` section of
:ref:`krb5.conf(5)` to False.  When enabled, URI lookups take
precedence over SRV lookups, falling back to SRV lookups if no URI
records are found.

.. _db_prop:

Database propagation
--------------------

The Kerberos database resides on the primary KDC, and must be
propagated regularly (usually by a cron job) to the replica KDCs.  In
deciding how frequently the propagation should happen, you will need
to balance the amount of time the propagation takes against the
maximum reasonable amount of time a user should have to wait for a
password change to take effect.

If the propagation time is longer than this maximum reasonable time
(e.g., you have a particularly large database, you have a lot of
replicas, or you experience frequent network delays), you may wish to
cut down on your propagation delay by performing the propagation in
parallel.
To do this, have the primary KDC propagate the database to one set of
replicas, and then have each of these replicas propagate the database
to additional replicas.

See also :ref:`incr_db_prop`.

.. doc/html/_sources/admin/enctypes.rst.txt

.. _enctypes:

Encryption types
================

Kerberos can use a variety of cipher algorithms to protect data.  A
Kerberos **encryption type** (also known as an **enctype**) is a
specific combination of a cipher algorithm with an integrity algorithm
to provide both confidentiality and integrity to data.

Enctypes in requests
--------------------

Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and
TGS-REQs.  The client uses the AS-REQ to obtain initial tickets
(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to
obtain service tickets.

The KDC uses three different keys when issuing a ticket to a client:

* The long-term key of the service: the KDC uses this to encrypt the
  actual service ticket.  The KDC only uses the first long-term key in
  the most recent kvno for this purpose.

* The session key: the KDC randomly chooses this key and places one
  copy inside the ticket and the other copy inside the encrypted part
  of the reply.

* The reply-encrypting key: the KDC uses this to encrypt the reply it
  sends to the client.  For AS replies, this is a long-term key of the
  client principal.  For TGS replies, this is either the session key
  of the authenticating ticket, or a subsession key.

Each of these keys is of a specific enctype.

Each request type allows the client to submit a list of enctypes that
it is willing to accept.  For the AS-REQ, this list affects both the
session key selection and the reply-encrypting key selection.  For
the TGS-REQ, this list only affects the session key selection.

.. _session_key_selection:

Session key selection
---------------------

The KDC chooses the session key enctype by taking the intersection of
its **permitted_enctypes** list, the list of long-term keys for the
most recent kvno of the service, and the client's requested list of
enctypes.  Starting in krb5-1.11, it is possible to set a string
attribute on a service principal to control what session key enctypes
the KDC may issue for service tickets for that principal.  See
:ref:`set_string` in :ref:`kadmin(1)` for details.

Choosing enctypes for a service
-------------------------------

Generally, a service should have a key of the strongest enctype that
both it and the KDC support.  If the KDC is running a release earlier
than krb5-1.11, it is also useful to generate an additional key for
each enctype that the service can support.  The KDC will only use the
first key in the list of long-term keys for encrypting the service
ticket, but the additional long-term keys indicate the other enctypes
that the service supports.

As noted above, starting with release krb5-1.11, there are additional
configuration settings that control session key enctype selection
independently of the set of long-term keys that the KDC has stored for
a service principal.

Configuration variables
-----------------------

The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will
affect how enctypes are chosen.

**allow_weak_crypto**
    defaults to *false* starting with krb5-1.8.  When *false*, removes
    weak enctypes from **permitted_enctypes**,
    **default_tkt_enctypes**, and **default_tgs_enctypes**.  Do not
    set this to *true* unless the use of weak enctypes is an
    acceptable risk for your environment and the weak enctypes are
    required for backward compatibility.

**permitted_enctypes**
    controls the set of enctypes that a service will permit for
    session keys and for ticket and authenticator encryption.  The KDC
    and other programs that access the Kerberos database will ignore
    keys of non-permitted enctypes.
    Starting in release 1.18, this setting also acts as the default
    for **default_tkt_enctypes** and **default_tgs_enctypes**.

**default_tkt_enctypes**
    controls the default set of enctypes that the Kerberos client
    library requests when making an AS-REQ.  Do not set this unless
    required for specific backward compatibility purposes; stale
    values of this setting can prevent clients from taking advantage
    of new stronger enctypes when the libraries are upgraded.

**default_tgs_enctypes**
    controls the default set of enctypes that the Kerberos client
    library requests when making a TGS-REQ.  Do not set this unless
    required for specific backward compatibility purposes; stale
    values of this setting can prevent clients from taking advantage
    of new stronger enctypes when the libraries are upgraded.

The following per-realm setting in :ref:`kdc.conf(5)` affects the
generation of long-term keys.

**supported_enctypes**
    controls the default set of enctype-salttype pairs that
    :ref:`kadmind(8)` will use for generating long-term keys, either
    randomly or from passwords.

Enctype compatibility
---------------------

See :ref:`Encryption_types` for additional information about enctypes.

========================== ========== ======== =======
enctype                    weak?      krb5     Windows
========================== ========== ======== =======
des-cbc-crc                weak       <1.18    >=2000
des-cbc-md4                weak       <1.18    ?
des-cbc-md5                weak       <1.18    >=2000
des3-cbc-sha1              deprecated >=1.1    none
arcfour-hmac               deprecated >=1.3    >=2000
arcfour-hmac-exp           weak       >=1.3    >=2000
aes128-cts-hmac-sha1-96               >=1.3    >=Vista
aes256-cts-hmac-sha1-96               >=1.3    >=Vista
aes128-cts-hmac-sha256-128            >=1.15   none
aes256-cts-hmac-sha384-192            >=1.15   none
camellia128-cts-cmac                  >=1.9    none
camellia256-cts-cmac                  >=1.9    none
========================== ========== ======== =======

krb5 releases 1.18 and later do not support single-DES.  krb5 releases
1.8 and later disable the single-DES enctypes by default.  Microsoft
Windows releases Windows 7 and later disable single-DES enctypes by
default.
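
An added example, not MIT krb5 code, of the session key selection rule and the ``DEFAULT -des3 -rc4`` form of an enctype list (the form this document later recommends for **permitted_enctypes**), with **allow_weak_crypto** applied.  The DEFAULT expansion, the family aliases and the service key sets are assumptions constructed for the illustration; the real defaults depend on the krb5 release.

```python
"""Added illustration, not MIT krb5 code: resolve an enctype list such as
"DEFAULT -des3 -rc4", apply allow_weak_crypto, and pick the session key
enctype as the intersection described under "Session key selection"."""
from typing import Dict, List, Optional

# "weak?" column of the compatibility table above.
WEAK = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "arcfour-hmac-exp"}
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}

# Assumed expansion of DEFAULT, strongest first (not the real krb5 list).
DEFAULT_LIST = [
    "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128",
    "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
    "camellia256-cts-cmac", "camellia128-cts-cmac",
    "des3-cbc-sha1", "arcfour-hmac",
]
# Assumed family aliases usable with a leading '-' as in "DEFAULT -des3 -rc4".
FAMILIES: Dict[str, List[str]] = {
    "des3": ["des3-cbc-sha1"],
    "rc4": ["arcfour-hmac", "arcfour-hmac-exp"],
    "des": ["des-cbc-crc", "des-cbc-md4", "des-cbc-md5"],
    "aes": [e for e in DEFAULT_LIST if e.startswith("aes")],
    "camellia": [e for e in DEFAULT_LIST if e.startswith("camellia")],
}


def resolve_enctype_list(spec: str, allow_weak_crypto: bool = False) -> List[str]:
    """Expand a permitted_enctypes-style value into an ordered enctype list.
    Tokens add enctypes (or whole families); '-' prefixed tokens remove them.
    With allow_weak_crypto false (the default since krb5-1.8) weak enctypes
    are dropped afterwards, whatever the list said."""
    result: List[str] = []
    for token in spec.split():
        remove = token.startswith("-")
        name = token.lstrip("-").lower()
        members = DEFAULT_LIST if name == "default" else FAMILIES.get(name, [name])
        if remove:
            result = [e for e in result if e not in members]
        else:
            result.extend(e for e in members if e not in result)
    if not allow_weak_crypto:
        result = [e for e in result if e not in WEAK]
    return result


def latest_kvno_keys(service_keys: Dict[int, List[str]]) -> List[str]:
    """Long-term key enctypes of the most recent kvno, in stored order."""
    return service_keys[max(service_keys)]


def ticket_key_enctype(service_keys: Dict[int, List[str]],
                       permitted: List[str]) -> Optional[str]:
    """Enctype used to encrypt the service ticket: the first long-term key
    of the most recent kvno, skipping keys of non-permitted enctypes
    (which the KDC ignores)."""
    for enctype in latest_kvno_keys(service_keys):
        if enctype in permitted:
            return enctype
    return None


def session_key_enctype(permitted: List[str], service_keys: Dict[int, List[str]],
                        client_request: List[str]) -> Optional[str]:
    """Intersection of the KDC's permitted list, the service's keys for the
    latest kvno and the client's request.  Walking the client's list in
    order is this example's tie-break; the text above only defines the set."""
    available = set(permitted) & set(latest_kvno_keys(service_keys))
    for enctype in client_request:
        if enctype.lower() in available:
            return enctype.lower()
    return None


# Constructed scenario: a service whose newest key set still carries RC4.
SERVICE_KEYS = {
    3: ["aes256-cts-hmac-sha1-96", "arcfour-hmac"],
    2: ["des-cbc-crc"],
}
CLIENT_REQUEST = ["aes128-cts-hmac-sha1-96", "arcfour-hmac",
                  "aes256-cts-hmac-sha1-96"]


def demo() -> Dict[str, Optional[str]]:
    permitted = resolve_enctype_list("DEFAULT -des3 -rc4")
    return {
        "ticket_key": ticket_key_enctype(SERVICE_KEYS, permitted),
        "session_key": session_key_enctype(permitted, SERVICE_KEYS, CLIENT_REQUEST),
        # With RC4 still permitted, the client's order wins and RC4 is chosen.
        "session_key_rc4_permitted": session_key_enctype(
            resolve_enctype_list("DEFAULT"), SERVICE_KEYS, CLIENT_REQUEST),
    }


if __name__ == "__main__":
    print(demo())
```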

krb5 releases 1.17 and later flag deprecated encryption types
(including ``des3-cbc-sha1`` and ``arcfour-hmac``) in KDC logs and
kadmin output.  krb5 release 1.19 issues a warning during initial
authentication if ``des3-cbc-sha1`` is used.  Future releases will
disable ``des3-cbc-sha1`` by default and eventually remove support for
it.

Migrating away from older encryption types
------------------------------------------

Administrator intervention may be required to migrate a realm away
from legacy encryption types, especially if the realm was created
using krb5 release 1.2 or earlier.  This migration should be performed
before upgrading to krb5 versions which disable or remove support for
legacy encryption types.

If there is a **supported_enctypes** setting in :ref:`kdc.conf(5)` on
the KDC, make sure that it does not include weak or deprecated
encryption types.  This will ensure that newly created keys do not use
those encryption types by default.

Check the ``krbtgt/REALM`` principal using the :ref:`kadmin(1)`
**getprinc** command.  If it lists a weak or deprecated encryption
type as the first key, it must be migrated using the procedure in
:ref:`changing_krbtgt_key`.

Check the ``kadmin/history`` principal, which should have only one key
entry.  If it uses a weak or deprecated encryption type, it should be
upgraded following the notes in :ref:`updating_history_key`.

Check the other kadmin principals: kadmin/changepw, kadmin/admin, and
any kadmin/hostname principals that may exist.  These principals can
be upgraded with **change_password -randkey** in kadmin.

Check the ``K/M`` entry.  If it uses a weak or deprecated encryption
type, it should be upgraded following the procedure in
:ref:`updating_master_key`.

User and service principals using legacy encryption types can be
enumerated with the :ref:`kdb5_util(8)` **tabdump keyinfo** command.

Service principals can be migrated with a keytab rotation on the
service host, which can be accomplished using the :ref:`k5srvutil(1)`
**change** and **delold** commands.  Allow enough time for existing
tickets to expire between the change and delold operations.

User principals with password-based keys can be migrated with a
password change.  The realm administrator can set a password
expiration date using the :ref:`kadmin(1)`
**modify_principal -pwexpire** command to force a password change.

If a legacy encryption type has not yet been disabled by default in
the version of krb5 running on the KDC, it can be disabled
administratively with the **permitted_enctypes** variable.  For
example, setting **permitted_enctypes** to ``DEFAULT -des3 -rc4`` will
cause any database keys of the triple-DES and RC4 encryption types to
be ignored.

.. doc/html/_sources/admin/conf_files/kdc_conf.rst.txt

.. _kdc.conf(5):

kdc.conf
========

The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which
are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and
:ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program.
Relations documented here may also be specified in krb5.conf; for the
KDC programs mentioned, krb5.conf and kdc.conf will be merged into a
single configuration profile.

Normally, the kdc.conf file is found in the KDC state directory,
|kdcdir|.  You can override the default location by setting the
environment variable **KRB5_KDC_PROFILE**.

Please note that you need to restart the KDC daemon for any
configuration changes to take effect.

Structure
---------

The kdc.conf file is set up in the same format as the
:ref:`krb5.conf(5)` file.
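
As an added example that is not code from MIT krb5: a small parser for this profile format (``[section]`` headers, ``tag = value`` relations, ``tag = {`` subsections closed by ``}``, and repeated tags as in the ``[logging]`` example later in this document), followed by an audit of the parsed settings against points this document and the encryption-types section above make (legacy enctypes in **supported_enctypes**, an empty **acl_file**, **reject_bad_transit** off, **disable_lockout** on).  The sample kdc.conf and its realm name are constructed.

```python
"""Added example, not MIT krb5 code: parse a kdc.conf-style profile
([section] headers, "tag = value" relations, "tag = {" subsections,
repeated tags allowed) and audit settings described in this document."""
from typing import Dict, Iterator, List, Tuple

# Enctypes marked weak or deprecated in the compatibility table above.
LEGACY_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                   "des3-cbc-sha1", "arcfour-hmac", "arcfour-hmac-exp"}


def parse_profile(text: str) -> Dict[str, dict]:
    """Return {section: {tag: [value-or-subsection, ...]}}.  '#' and ';'
    start comments; a double-quoted value is unquoted, so acl_file = ""
    yields the empty string."""
    profile: Dict[str, dict] = {}
    stack: List[dict] = []          # current section, then open subsections
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: subsection not closed")
            stack = [profile.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) < 2:
                raise ValueError(f"line {lineno}: unmatched '}}'")
            stack.pop()
        elif "=" in line and stack:
            tag, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                sub: dict = {}
                stack[-1].setdefault(tag, []).append(sub)
                stack.append(sub)
            else:
                if len(value) >= 2 and value[0] == value[-1] == '"':
                    value = value[1:-1]
                stack[-1].setdefault(tag, []).append(value)
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if len(stack) > 1:
        raise ValueError("subsection not closed at end of file")
    return profile


def _strings(sub: dict, tag: str) -> List[str]:
    # Lower-cased string values of a tag; nested subsections are skipped.
    return [v.lower() for v in sub.get(tag, []) if isinstance(v, str)]


def _subsections(section: dict) -> Iterator[Tuple[str, dict]]:
    for name, values in section.items():
        for sub in values:
            if isinstance(sub, dict):
                yield name, sub


def audit_kdc_conf(profile: Dict[str, dict]) -> List[str]:
    """Flag settings that this document identifies as weakening the KDC."""
    findings: List[str] = []
    for realm, sub in _subsections(profile.get("realms", {})):
        for spec in _strings(sub, "supported_enctypes"):
            for keysalt in spec.split():          # enctype:salttype pairs
                enctype = keysalt.split(":", 1)[0]
                if enctype in LEGACY_ENCTYPES:
                    findings.append(f"[realms] {realm}: supported_enctypes "
                                    f"generates legacy keys ({enctype})")
        if "" in _strings(sub, "acl_file"):
            findings.append(f"[realms] {realm}: acl_file is empty, kadmind "
                            "enforces no ACL")
        if "false" in _strings(sub, "reject_bad_transit"):
            findings.append(f"[realms] {realm}: reject_bad_transit = false "
                            "leaves transit-path checks to application servers")
    for name, sub in _subsections(profile.get("dbmodules", {})):
        if "true" in _strings(sub, "disable_lockout"):
            findings.append(f"[dbmodules] {name}: disable_lockout = true "
                            "turns off account lockout")
    return findings


# Constructed sample with several of the settings discussed in this page.
SAMPLE_KDC_CONF = """\
[realms]
    EXAMPLE.COM = {
        acl_file = ""
        supported_enctypes = aes256-cts-hmac-sha1-96:normal des-cbc-crc:normal
        reject_bad_transit = false
    }
[dbmodules]
    EXAMPLE.COM = {
        db_library = klmdb
        disable_lockout = true
    }
[logging]
    kdc = CONSOLE
    kdc = SYSLOG:INFO:DAEMON
"""


def sample_findings() -> List[str]:
    return audit_kdc_conf(parse_profile(SAMPLE_KDC_CONF))
```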

Sections
--------

The kdc.conf file may contain the following sections:

==================== ==================================================
:ref:`kdcdefaults`   Default values for KDC behavior
:ref:`kdc_realms`    Realm-specific database configuration and settings
:ref:`dbdefaults`    Default database settings
:ref:`dbmodules`     Per-database settings
:ref:`logging`       Controls how Kerberos daemons perform logging
==================== ==================================================

.. _kdcdefaults:

[kdcdefaults]
~~~~~~~~~~~~~

Some relations in the [kdcdefaults] section specify default values for
realm variables, to be used if the [realms] subsection does not
contain a relation for the tag.  See the :ref:`kdc_realms` section for
the definitions of these relations.

* **host_based_services**
* **kdc_listen**
* **kdc_ports**
* **kdc_tcp_listen**
* **kdc_tcp_ports**
* **no_host_referral**
* **restrict_anonymous_to_tgt**

The following [kdcdefaults] variables have no per-realm equivalent:

**kdc_max_dgram_reply_size**
    Specifies the maximum packet size that can be sent over UDP.  The
    default value is 4096 bytes.

**kdc_tcp_listen_backlog**
    (Integer.)  Set the size of the listen queue length for the KDC
    daemon.  The value may be limited by OS settings.  The default
    value is 5.

**spake_preauth_kdc_challenge**
    (String.)  Specifies the group for a SPAKE optimistic challenge.
    See the **spake_preauth_groups** variable in :ref:`libdefaults`
    for possible values.  The default is not to issue an optimistic
    challenge.  (New in release 1.17.)

.. _kdc_realms:

[realms]
~~~~~~~~

Each tag in the [realms] section is the name of a Kerberos realm.  The
value of the tag is a subsection where the relations define KDC
parameters for that particular realm.  The following example shows how
to define one parameter for the ATHENA.MIT.EDU realm::

    [realms]
        ATHENA.MIT.EDU = {
            max_renewable_life = 7d 0h 0m 0s
        }

The following tags may be specified in a [realms] subsection:

**acl_file**
    (String.)
    Location of the access control list file that :ref:`kadmind(8)`
    uses to determine which principals are allowed which permissions
    on the Kerberos database.  To operate without an ACL file, set
    this relation to the empty string with ``acl_file = ""``.  The
    default value is |kdcdir|\ ``/kadm5.acl``.  For more information
    on the Kerberos ACL file, see :ref:`kadm5.acl(5)`.

**database_module**
    (String.)  This relation indicates the name of the configuration
    section under :ref:`dbmodules` for database-specific parameters
    used by the loadable database library.  The default value is the
    realm name.  If this configuration section does not exist, default
    values will be used for all database parameters.

**database_name**
    (String, deprecated.)  This relation specifies the location of the
    Kerberos database for this realm, if the DB2 module is being used
    and the :ref:`dbmodules` configuration section does not specify a
    database name.  The default value is |kdcdir|\ ``/principal``.

**default_principal_expiration**
    (:ref:`abstime` string.)  Specifies the default expiration date of
    principals created in this realm.  The default value is 0, which
    means no expiration date.

**default_principal_flags**
    (Flag string.)  Specifies the default attributes of principals
    created in this realm.  The format for this string is a
    comma-separated list of flags, with '+' before each flag that
    should be enabled and '-' before each flag that should be
    disabled.  The **postdateable**, **forwardable**, **tgt-based**,
    **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and
    **service** flags default to enabled.

    There are a number of possible flags:

    **allow-tickets**
        Enabling this flag means that the KDC will issue tickets for
        this principal.  Disabling this flag essentially deactivates
        the principal within this realm.

    **dup-skey**
        Enabling this flag allows the KDC to issue user-to-user
        service tickets for this principal.

    **forwardable**
        Enabling this flag allows the principal to obtain forwardable
        tickets.

    **hwauth**
        If this flag is enabled, then the principal is required to
        preauthenticate using a hardware device before receiving any
        tickets.

    **no-auth-data-required**
        Enabling this flag prevents PAC or AD-SIGNEDPATH data from
        being added to service tickets for the principal.

    **ok-as-delegate**
        If this flag is enabled, it hints the client that credentials
        can and should be delegated when authenticating to the
        service.

    **ok-to-auth-as-delegate**
        Enabling this flag allows the principal to use S4U2Self
        tickets.

    **postdateable**
        Enabling this flag allows the principal to obtain postdateable
        tickets.

    **preauth**
        If this flag is enabled on a client principal, then that
        principal is required to preauthenticate to the KDC before
        receiving any tickets.  On a service principal, enabling this
        flag means that service tickets for this principal will only
        be issued to clients with a TGT that has the preauthenticated
        bit set.

    **proxiable**
        Enabling this flag allows the principal to obtain proxy
        tickets.

    **pwchange**
        Enabling this flag forces a password change for this
        principal.

    **pwservice**
        If this flag is enabled, it marks this principal as a password
        change service.  This should only be used in special cases,
        for example, if a user's password has expired, then the user
        has to get tickets for that principal without going through
        the normal password authentication in order to be able to
        change the password.

    **renewable**
        Enabling this flag allows the principal to obtain renewable
        tickets.

    **service**
        Enabling this flag allows the KDC to issue service tickets for
        this principal.  In release 1.17 and later, user-to-user
        service tickets are still allowed if the **dup-skey** flag is
        set.

    **tgt-based**
        Enabling this flag allows a principal to obtain tickets based
        on a ticket-granting-ticket, rather than repeating the
        authentication process that was used to obtain the TGT.

**dict_file**
    (String.)  Location of the dictionary file containing strings that
    are not allowed as passwords.
    The file should contain one string per line, with no additional
    whitespace.  If none is specified or if there is no policy
    assigned to the principal, no dictionary checks of passwords will
    be performed.

**encrypted_challenge_indicator**
    (String.)  Specifies the authentication indicator value that the
    KDC asserts into tickets obtained using FAST encrypted challenge
    pre-authentication.  New in 1.16.

**host_based_services**
    (Whitespace- or comma-separated list.)  Lists services which will
    get host-based referral processing even if the server principal is
    not marked as host-based by the client.

**iprop_enable**
    (Boolean value.)  Specifies whether incremental database
    propagation is enabled.  The default value is false.

**iprop_ulogsize**
    (Integer.)  Specifies the maximum number of log entries to be
    retained for incremental propagation.  The default value is 1000.
    Prior to release 1.11, the maximum value was 2500.  New in release
    1.19.

**iprop_master_ulogsize**
    The name for **iprop_ulogsize** prior to release 1.19.  Its value
    is used as a fallback if **iprop_ulogsize** is not specified.

**iprop_replica_poll**
    (Delta time string.)  Specifies how often the replica KDC polls
    for new updates from the primary.  The default value is ``2m``
    (that is, two minutes).  New in release 1.17.

**iprop_slave_poll**
    (Delta time string.)  The name for **iprop_replica_poll** prior to
    release 1.17.  Its value is used as a fallback if
    **iprop_replica_poll** is not specified.

**iprop_listen**
    (Whitespace- or comma-separated list.)  Specifies the iprop RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon.  If the address
    contains colons, enclose it in square brackets.  If no address is
    specified, the wildcard address is used.  If kadmind fails to bind
    to any of the specified addresses, it will fail to start.
    The default (when **iprop_enable** is true) is to bind to the
    wildcard address at the port specified in **iprop_port**.  New in
    release 1.15.

**iprop_port**
    (Port number.)  Specifies the port number to be used for
    incremental propagation.  When **iprop_enable** is true, this
    relation is required in the replica KDC configuration file, and
    this relation or **iprop_listen** is required in the primary
    configuration file, as there is no default port number.  Port
    numbers specified in **iprop_listen** entries will override this
    port number for the :ref:`kadmind(8)` daemon.

**iprop_resync_timeout**
    (Delta time string.)  Specifies the amount of time to wait for a
    full propagation to complete.  This is optional in configuration
    files, and is used by replica KDCs only.  The default value is 5
    minutes (``5m``).  New in release 1.11.

**iprop_logfile**
    (File name.)  Specifies where the update log file for the realm
    database is to be stored.  The default is to use the
    **database_name** entry from the realms section of the krb5 config
    file, with ``.ulog`` appended.  (NOTE: If **database_name** isn't
    specified in the realms section, perhaps because the LDAP database
    back end is being used, or the file name is specified in the
    [dbmodules] section, then the hard-coded default for
    **database_name** is used.  Determination of the **iprop_logfile**
    default value will not use values from the [dbmodules] section.)

**kadmind_listen**
    (Whitespace- or comma-separated list.)  Specifies the kadmin RPC
    listening addresses and/or ports for the :ref:`kadmind(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon.  If the address
    contains colons, enclose it in square brackets.  If no address is
    specified, the wildcard address is used.  If kadmind fails to bind
    to any of the specified addresses, it will fail to start.  The
    default is to bind to the wildcard address at the port specified
    in **kadmind_port**, or the standard kadmin port (749).
    New in release 1.15.

**kadmind_port**
    (Port number.)  Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for this realm.  Port numbers specified in
    **kadmind_listen** entries will override this port number.  The
    assigned port for kadmind is 749, which is used by default.

**key_stash_file**
    (String.)  Specifies the location where the master key has been
    stored (via kdb5_util stash).  The default is
    |kdcdir|\ ``/.k5.REALM``, where *REALM* is the Kerberos realm.

**kdc_listen**
    (Whitespace- or comma-separated list.)  Specifies the UDP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon.  If the address
    contains colons, enclose it in square brackets.  If no address is
    specified, the wildcard address is used.  If no port is specified,
    the standard port (88) is used.  If the KDC daemon fails to bind
    to any of the specified addresses, it will fail to start.  The
    default is to bind to the wildcard address on the standard port.
    New in release 1.15.

**kdc_ports**
    (Whitespace- or comma-separated list, deprecated.)  Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for UDP requests.  In
    release 1.15 and later, it has the same meaning as **kdc_listen**
    if that relation is not defined.

**kdc_tcp_listen**
    (Whitespace- or comma-separated list.)  Specifies the TCP
    listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon.
    Each entry may be an interface address, a port number, or an
    address and port number separated by a colon.  If the address
    contains colons, enclose it in square brackets.  If no address is
    specified, the wildcard address is used.  If no port is specified,
    the standard port (88) is used.  To disable listening on TCP, set
    this relation to the empty string with ``kdc_tcp_listen = ""``.
    If the KDC daemon fails to bind to any of the specified addresses,
    it will fail to start.
    The default is to bind to the wildcard address on the standard
    port.  New in release 1.15.

**kdc_tcp_ports**
    (Whitespace- or comma-separated list, deprecated.)  Prior to
    release 1.15, this relation lists the ports for the
    :ref:`krb5kdc(8)` daemon to listen on for TCP requests.  In
    release 1.15 and later, it has the same meaning as
    **kdc_tcp_listen** if that relation is not defined.

**kpasswd_listen**
    (Comma-separated list.)  Specifies the kpasswd listening addresses
    and/or ports for the :ref:`kadmind(8)` daemon.  Each entry may be
    an interface address, a port number, or an address and port number
    separated by a colon.  If the address contains colons, enclose it
    in square brackets.  If no address is specified, the wildcard
    address is used.  If kadmind fails to bind to any of the specified
    addresses, it will fail to start.  The default is to bind to the
    wildcard address at the port specified in **kpasswd_port**, or the
    standard kpasswd port (464).  New in release 1.15.

**kpasswd_port**
    (Port number.)  Specifies the port on which the :ref:`kadmind(8)`
    daemon is to listen for password change requests for this realm.
    Port numbers specified in **kpasswd_listen** entries will override
    this port number.  The assigned port for password change requests
    is 464, which is used by default.

**master_key_name**
    (String.)  Specifies the name of the principal associated with the
    master key.  The default is ``K/M``.

**master_key_type**
    (Key type string.)  Specifies the master key's key type.  The
    default value for this is |defmkey|.  For a list of all possible
    values, see :ref:`Encryption_types`.

**max_life**
    (:ref:`duration` string.)  Specifies the maximum time period for
    which a ticket may be valid in this realm.  The default value is
    24 hours.

**max_renewable_life**
    (:ref:`duration` string.)  Specifies the maximum time period
    during which a valid ticket may be renewed in this realm.  The
    default value is 0.

**no_host_referral**
    (Whitespace- or comma-separated list.)
    Lists services to block from getting host-based referral
    processing, even if the client marks the server principal as
    host-based or the service is also listed in
    **host_based_services**.  ``no_host_referral = *`` will disable
    referral processing altogether.

**reject_bad_transit**
    (Boolean value.)  If set to true, the KDC will check the list of
    transited realms for cross-realm tickets against the transit path
    computed from the realm names and the capaths section of its
    :ref:`krb5.conf(5)` file; if the path in the ticket to be issued
    contains any realms not in the computed path, the ticket will not
    be issued, and an error will be returned to the client instead.
    If this value is set to false, such tickets will be issued anyway,
    and it will be left up to the application server to validate the
    realm transit path.

    If the disable-transited-check flag is set in the incoming
    request, this check is not performed at all.  Having the
    **reject_bad_transit** option will cause such ticket requests to
    be rejected always.

    This transit path checking and config file option currently apply
    only to TGS requests.

    The default value is true.

**restrict_anonymous_to_tgt**
    (Boolean value.)  If set to true, the KDC will reject ticket
    requests from anonymous principals to service principals other
    than the realm's ticket-granting service.  This option allows
    anonymous PKINIT to be enabled for use as FAST armor tickets
    without allowing anonymous authentication to services.  The
    default value is false.  New in release 1.9.

**spake_preauth_indicator**
    (String.)  Specifies an authentication indicator value that the
    KDC asserts into tickets obtained using SPAKE pre-authentication.
    The default is not to add any indicators.  This option may be
    specified multiple times.  New in release 1.17.

**supported_enctypes**
    (List of *key*:*salt* strings.)  Specifies the default key/salt
    combinations of principals for this realm.  Any principals created
    through :ref:`kadmin(1)` will have keys of these types.
    The default value for this tag is |defkeysalts|.  For lists of
    possible values, see :ref:`Keysalt_lists`.

.. _dbdefaults:

[dbdefaults]
~~~~~~~~~~~~

The [dbdefaults] section specifies default values for some database
parameters, to be used if the [dbmodules] subsection does not contain
a relation for the tag.  See the :ref:`dbmodules` section for the
definitions of these relations.

* **ldap_kerberos_container_dn**
* **ldap_kdc_dn**
* **ldap_kdc_sasl_authcid**
* **ldap_kdc_sasl_authzid**
* **ldap_kdc_sasl_mech**
* **ldap_kdc_sasl_realm**
* **ldap_kadmind_dn**
* **ldap_kadmind_sasl_authcid**
* **ldap_kadmind_sasl_authzid**
* **ldap_kadmind_sasl_mech**
* **ldap_kadmind_sasl_realm**
* **ldap_service_password_file**
* **ldap_conns_per_server**

.. _dbmodules:

[dbmodules]
~~~~~~~~~~~

The [dbmodules] section contains parameters used by the KDC database
library and database modules.  Each tag in the [dbmodules] section is
the name of a Kerberos realm or a section name specified by a realm's
**database_module** parameter.  The following example shows how to
define one database parameter for the ATHENA.MIT.EDU realm::

    [dbmodules]
        ATHENA.MIT.EDU = {
            disable_last_success = true
        }

The following tags may be specified in a [dbmodules] subsection:

**database_name**
    This DB2-specific tag indicates the location of the database in
    the filesystem.  The default is |kdcdir|\ ``/principal``.

**db_library**
    This tag indicates the name of the loadable database module.  The
    value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB
    module, or ``kldap`` for the LDAP module.

**disable_last_success**
    If set to ``true``, suppresses KDC updates to the "Last successful
    authentication" field of principal entries requiring
    preauthentication.  Setting this flag may improve performance.
    (Principal entries which do not require preauthentication never
    update the "Last successful authentication" field.)  First
    introduced in release 1.9.

**disable_lockout**
    If set to ``true``, suppresses KDC updates to the "Last failed
    authentication" and "Failed password attempts" fields of principal
    entries requiring preauthentication.  Setting this flag may
    improve performance, but also disables account lockout.  First
    introduced in release 1.9.

**ldap_conns_per_server**
    This LDAP-specific tag indicates the number of connections to be
    maintained per LDAP server.

**ldap_kdc_dn** and **ldap_kadmind_dn**
    These LDAP-specific tags indicate the default DN for binding to
    the LDAP server.  The :ref:`krb5kdc(8)` daemon uses
    **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other
    administrative programs use **ldap_kadmind_dn**.  The kadmind DN
    must have the rights to read and write the Kerberos data in the
    LDAP database.  The KDC DN must have the same rights, unless
    **disable_lockout** and **disable_last_success** are true, in
    which case it only needs to have rights to read the Kerberos data.
    These tags are ignored if a SASL mechanism is set with
    **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**.

**ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech**
    These LDAP-specific tags specify the SASL mechanism (such as
    ``EXTERNAL``) to use when binding to the LDAP server.  New in
    release 1.13.

**ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid**
    These LDAP-specific tags specify the SASL authentication identity
    to use when binding to the LDAP server.  Not all SASL mechanisms
    require an authentication identity.  If the SASL mechanism
    requires a secret (such as the password for ``DIGEST-MD5``), these
    tags also determine the name within the
    **ldap_service_password_file** where the secret is stashed.  New
    in release 1.13.

**ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid**
    These LDAP-specific tags specify the SASL authorization identity
    to use when binding to the LDAP server.  In most circumstances
    they do not need to be specified.  New in release 1.13.

**ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm**
    These LDAP-specific tags specify the SASL realm to use when
    binding to the LDAP server.  In most circumstances they do not
    need to be set.  New in release 1.13.

**ldap_kerberos_container_dn**
    This LDAP-specific tag indicates the DN of the container object
    where the realm objects will be located.

**ldap_servers**
    This LDAP-specific tag indicates the list of LDAP servers that the
    Kerberos servers can connect to.  The list of LDAP servers is
    whitespace-separated.  The LDAP server is specified by an LDAP
    URI.  It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to
    connect to the LDAP server.

**ldap_service_password_file**
    This LDAP-specific tag indicates the file containing the stashed
    passwords (created by ``kdb5_ldap_util stashsrvpw``) for the
    **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the
    **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names
    for SASL authentication.  This file must be kept secure.

**mapsize**
    This LMDB-specific tag indicates the maximum size of the two
    database environments in megabytes.  The default value is 128.
    Increase this value to address "Environment mapsize limit reached"
    errors.  New in release 1.17.

**max_readers**
    This LMDB-specific tag indicates the maximum number of concurrent
    reading processes for the databases.  The default value is 128.
    New in release 1.17.

**nosync**
    This LMDB-specific tag can be set to improve the throughput of
    kadmind and other administrative agents, at the expense of
    durability (recent database changes may not survive a power outage
    or other sudden reboot).  It does not affect the throughput of the
    KDC.  The default value is false.  New in release 1.17.

**unlockiter**
    If set to ``true``, this DB2-specific tag causes iteration
    operations to release the database lock while processing each
    principal.  Setting this flag to ``true`` can prevent extended
    blocking of KDC or kadmin operations when dumps of large databases
    are in progress.
    First introduced in release 1.13.

The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from:

**db_module_dir**
    This tag controls where the plugin system looks for database modules. The value should be an absolute path.

.. _logging:

[logging]
~~~~~~~~~

The [logging] section indicates how :ref:`krb5kdc(8)` and :ref:`kadmind(8)` perform logging. It may contain the following relations:

**admin_server**
    Specifies how :ref:`kadmind(8)` performs logging.

**kdc**
    Specifies how :ref:`krb5kdc(8)` performs logging.

**default**
    Specifies how either daemon performs logging in the absence of relations specific to the daemon.

**debug**
    (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs its own priority filtering. The default value is false. New in release 1.15.

Logging specifications may have the following forms:

**FILE=**\ *filename* or **FILE:**\ *filename*
    This value causes the daemon's logging messages to go to the *filename*. If the ``=`` form is used, the file is overwritten. If the ``:`` form is used, the file is appended to.

**STDERR**
    This value causes the daemon's logging messages to go to its standard error stream.

**CONSOLE**
    This value causes the daemon's logging messages to go to the console, if the system supports it.

**DEVICE=**\ *devicename*
    This causes the daemon's logging messages to go to the specified device.

**SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]]
    This causes the daemon's logging messages to go to the system log. For backward compatibility, a severity argument may be specified, and must be specified in order to specify a facility. This argument will be ignored. The facility argument specifies the facility under which the messages are logged.
    This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: **KERN**, **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**, **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no facility is specified, the default is **AUTH**.

In the following example, the logging messages from the KDC will go to the console and to the system log under the facility LOG_DAEMON, and the logging messages from the administrative server will be appended to the file ``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``. ::

    [logging]
        kdc = CONSOLE
        kdc = SYSLOG:INFO:DAEMON
        admin_server = FILE:/var/adm/kadmin.log
        admin_server = DEVICE=/dev/tty04

If no logging specification is given, the default is to use syslog. To disable logging entirely, specify ``default = DEVICE=/dev/null``.

.. _otp:

[otp]
~~~~~

Each subsection of [otp] is the name of an OTP token type. The tags within the subsection define the configuration required to forward a One Time Password request to a RADIUS server. For each token type, the following tags may be specified:

**server**
    This is the server to send the RADIUS request to. It can be a hostname with optional port, an IP address with optional port, or a Unix domain socket address. The default is |kdcdir|\ ``/.socket``.

**secret**
    This tag indicates a filename (which may be relative to |kdcdir|) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; leading and trailing whitespace on the line will be removed. If the value of **server** is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required.

**timeout**
    An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time for which an OTP value remains valid. The default is 5 seconds.
**retries**
    This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries).

**strip_realm**
    If this tag is ``true``, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is ``true``.

**indicator**
    This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.)

In the following example, requests are sent to a remote server via UDP. Because **secret** names a file, the shared secret is read from the first line of ``radius.secret`` under |kdcdir| rather than being placed in kdc.conf itself::

    [otp]
        MyRemoteTokenType = {
            server = radius.mydomain.com:1812
            secret = radius.secret
            timeout = 15
            retries = 5
            strip_realm = true
        }

An implicit default token type named ``DEFAULT`` is defined for when the per-principal configuration does not specify a token type. Its configuration is shown below. You may override this token type to something applicable for your situation::

    [otp]
        DEFAULT = {
            strip_realm = false
        }

PKINIT options
--------------

.. note::

    The following are pkinit-specific options. These values may be specified in [kdcdefaults] as global defaults, or within a realm-specific subsection of [realms]. Also note that a realm-specific value overrides, and does not add to, a generic [kdcdefaults] specification. The search order is:

    1. realm-specific subsection of [realms]::

           [realms]
               EXAMPLE.COM = {
                   pkinit_anchors = FILE:/usr/local/example.com.crt
               }

    2. generic value in the [kdcdefaults] section::

           [kdcdefaults]
               pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

For information about the syntax of some of these options, see :ref:`Specifying PKINIT identity information ` in :ref:`krb5.conf(5)`.

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times.
**pkinit_dh_min_bits**
    Specifies the minimum number of bits the KDC is willing to accept for a client's Diffie-Hellman key. The default is 2048.

**pkinit_allow_upn**
    Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in the certificate to the Kerberos principal name. The default value is false. Without this option, the KDC will only accept certificates with the id-pkinit-san as defined in :rfc:`4556`. There is currently no option to disable SAN checking in the KDC.

**pkinit_eku_checking**
    This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are:

    **kpClientAuth**
        This is the default value and specifies that client certificates must have the id-pkinit-KPClientAuth EKU as defined in :rfc:`4556`.

    **scLogin**
        If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be accepted.

    **none**
        If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended, since any certificate chaining to a trusted anchor (for example, a TLS server certificate issued by the same CA) could then be used for client authentication.

**pkinit_identity**
    Specifies the location of the KDC's X.509 identity information. This option is required if pkinit is to be supported by the KDC.

**pkinit_indicator**
    Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.)

**pkinit_pool**
    Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's certificate and a trusted anchor. This option may be specified multiple times.

**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates.
    This option may be specified multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, verification fails. If the certificate being verified is not listed in a CRL, or there is no CRL present for its issuing CA, and **pkinit_require_crl_checking** is false, then verification succeeds. However, if **pkinit_require_crl_checking** is true and there is no CRL information available for the issuing CA, then verification fails. **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA.

**pkinit_require_freshness**
    Specifies whether to require clients to include a freshness token in PKINIT requests. The default value is false. (New in release 1.17.)

.. _Encryption_types:

Encryption types
----------------

Any tag in the configuration files which requires a list of encryption types can be set to some combination of the following strings. Encryption types marked as "weak" and "deprecated" are available for compatibility but not recommended for use.
==================================================== =========================================================
des3-cbc-raw                                         Triple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd        Triple DES cbc mode with HMAC/sha1 (deprecated)
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1       AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1       AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2               AES-256 CTS mode with 192-bit SHA-384 HMAC
aes128-cts-hmac-sha256-128 aes128-sha2               AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5               RC4 with HMAC/MD5 (deprecated)
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp   Exportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-cts                 Camellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-cts                 Camellia-128 CTS mode with CMAC
des3                                                 The triple DES family: des3-cbc-sha1
aes                                                  The AES family: aes256-cts-hmac-sha1-96,
                                                     aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and
                                                     aes128-cts-hmac-sha256-128
rc4                                                  The RC4 family: arcfour-hmac
camellia                                             The Camellia family: camellia256-cts-cmac and
                                                     camellia128-cts-cmac
==================================================== =========================================================

The string **DEFAULT** can be used to refer to the default set of types for the variable in question. Types or families can be removed from the current list by prefixing them with a minus sign ("-"). Types or families can be prefixed with a plus sign ("+") for symmetry; it has the same meaning as just listing the type or family. For example, "``DEFAULT -rc4``" would be the default set of encryption types with RC4 types removed, and "``des3 DEFAULT``" would be the default set of encryption types with triple DES types moved to the front.

While **aes128-cts** and **aes256-cts** are supported for all Kerberos operations, they are not supported by very old versions of our GSSAPI implementation (krb5-1.3.1 and earlier).
Services running versions of krb5 without AES support must not be given keys of these encryption types in the KDC database.

The **aes128-sha2** and **aes256-sha2** encryption types are new in release 1.15. Services running versions of krb5 without support for these newer encryption types must not be given keys of these encryption types in the KDC database.

.. _Keysalt_lists:

Keysalt lists
-------------

Kerberos keys for users are usually derived from passwords. Kerberos commands and configuration parameters that affect generation of keys take lists of enctype-salttype ("keysalt") pairs, known as *keysalt lists*. Each keysalt pair is an enctype name followed by a salttype name, in the format *enc*:*salt*. Individual keysalt list members are separated by comma (",") characters or space characters. For example::

    kadmin -e aes256-cts:normal,aes128-cts:normal

would start up kadmin so that by default it would generate password-derived keys for the **aes256-cts** and **aes128-cts** encryption types, using a **normal** salt.

To ensure that people who happen to pick the same password do not have the same key, Kerberos 5 incorporates more information into the key using something called a salt.
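The following is an added example, not code from MIT krb5, that implements the enctype-list rules described under Encryption types (aliases, families, ``DEFAULT``, ``+``/``-`` prefixes, weak-type filtering) and the keysalt-list syntax described above. The alias and family tables are copied from the enctype table; ``DEFAULT_ENCTYPES`` is a constructed stand-in for the library's built-in default set, which differs between releases, and treating a keysalt member without ``:salt`` as ``normal`` is this example's assumption.

```python
"""Resolve krb5-style enctype lists and keysalt lists (added illustration,
not MIT krb5 code).  DEFAULT_ENCTYPES is a constructed stand-in for the
library's built-in default set."""
import re

# canonical name -> aliases, from the enctype table above
ALIASES = {
    "des3-cbc-raw": [],
    "des3-cbc-sha1": ["des3-hmac-sha1", "des3-cbc-sha1-kd"],
    "aes256-cts-hmac-sha1-96": ["aes256-cts", "aes256-sha1"],
    "aes128-cts-hmac-sha1-96": ["aes128-cts", "aes128-sha1"],
    "aes256-cts-hmac-sha384-192": ["aes256-sha2"],
    "aes128-cts-hmac-sha256-128": ["aes128-sha2"],
    "arcfour-hmac": ["rc4-hmac", "arcfour-hmac-md5"],
    "arcfour-hmac-exp": ["rc4-hmac-exp", "arcfour-hmac-md5-exp"],
    "camellia256-cts-cmac": ["camellia256-cts"],
    "camellia128-cts-cmac": ["camellia128-cts"],
}
FAMILIES = {
    "des3": ["des3-cbc-sha1"],
    "aes": ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
            "aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"],
    "rc4": ["arcfour-hmac"],
    "camellia": ["camellia256-cts-cmac", "camellia128-cts-cmac"],
}
WEAK = {"des3-cbc-raw", "arcfour-hmac-exp"}      # dropped unless allow_weak
DEPRECATED = {"des3-cbc-sha1", "arcfour-hmac"}   # allowed, but worth flagging
SALTTYPES = {"normal", "norealm", "onlyrealm", "special"}

# Constructed stand-in for the built-in default list (assumption).
DEFAULT_ENCTYPES = (FAMILIES["aes"] + ["des3-cbc-sha1", "arcfour-hmac"]
                    + FAMILIES["camellia"])

_CANONICAL = {name: name for name in ALIASES}
_CANONICAL.update({a: name for name, al in ALIASES.items() for a in al})


def canonical_enctype(name):
    """Map any name or alias from the table to its canonical enctype."""
    try:
        return _CANONICAL[name.lower()]
    except KeyError:
        raise ValueError("unknown enctype %r" % name) from None


def expand_token(token):
    """A token is DEFAULT, a family name, or a single enctype/alias."""
    t = token.lower()
    if t == "default":
        return list(DEFAULT_ENCTYPES)
    if t in FAMILIES:
        return list(FAMILIES[t])
    return [canonical_enctype(t)]


def resolve_enctypes(spec, allow_weak=False):
    """Resolve e.g. "DEFAULT -rc4" into an ordered list of canonical names.

    Tokens are processed left to right: "-x" removes, "x" or "+x" appends
    members not already present, so "des3 DEFAULT" moves triple DES to the
    front instead of listing it twice.  Weak types are filtered unless
    allow_weak is set, mirroring allow_weak_crypto."""
    result = []
    for token in re.split(r"[\s,]+", spec.strip()):
        if not token:
            continue
        if token.startswith("-"):
            for e in expand_token(token[1:]):
                if e in result:
                    result.remove(e)
        else:
            for e in expand_token(token.lstrip("+")):
                if e not in result:
                    result.append(e)
    if not allow_weak:
        result = [e for e in result if e not in WEAK]
    return result


def deprecated_in(enctypes):
    """Deprecated enctypes present in a resolved list, in list order."""
    return [e for e in enctypes if e in DEPRECATED]


def parse_keysalts(spec):
    """Parse "enc:salt,enc:salt ..." into (canonical enctype, salttype).
    A missing ":salt" is treated as "normal" (this example's assumption)."""
    pairs = []
    for item in re.split(r"[\s,]+", spec.strip()):
        if not item:
            continue
        enc, _, salt = item.partition(":")
        salt = salt or "normal"
        if salt not in SALTTYPES:
            raise ValueError("unknown salttype %r in %r" % (salt, item))
        pairs.append((canonical_enctype(enc), salt))
    return pairs
```

``resolve_enctypes`` is what a reviewer of a ``permitted_enctypes`` or ``supported_enctypes`` line actually wants: the resolved, ordered list plus ``deprecated_in`` to spot RC4 or triple DES surviving in it.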
The supported salt types are as follows:

================= ============================================
normal            default for Kerberos Version 5
norealm           same as the default, without using realm information
onlyrealm         uses only realm information as the salt
special           generate a random salt
================= ============================================

Sample kdc.conf File
--------------------

Here's an example of a kdc.conf file::

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88

    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts-hmac-sha1-96
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
            database_module = openldap_ldapconf
        }

    [logging]
        kdc = FILE:/usr/local/var/krb5kdc/kdc.log
        admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log

    [dbdefaults]
        ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu

    [dbmodules]
        openldap_ldapconf = {
            db_library = kldap
            disable_last_success = true
            ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read rights on
            # the realm container and principal subtrees
            ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
            # this object needs to have read and write rights on
            # the realm container and principal subtrees
            ldap_service_password_file = /etc/kerberos/service.keyfile
            ldap_servers = ldaps://kerberos.mit.edu
            ldap_conns_per_server = 5
        }

FILES
------

|kdcdir|\ ``/kdc.conf``

SEE ALSO
---------

:ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)`

krb5-1.19.2/doc/html/_sources/admin/conf_files/krb5_conf.rst.txt

.. _krb5.conf(5):

krb5.conf
=========

The krb5.conf file contains Kerberos configuration information, including the locations of KDCs and admin servers for the Kerberos realms of interest, defaults for the current realm and for Kerberos applications, and mappings of hostnames onto Kerberos realms.
Normally, you should install your krb5.conf file in the directory ``/etc``. You can override the default location by setting the environment variable **KRB5_CONFIG**. Multiple colon-separated filenames may be specified in **KRB5_CONFIG**; all files which are present will be read. Starting in release 1.14, directory names can also be specified in **KRB5_CONFIG**; all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores will be read.

Structure
---------

The krb5.conf file is set up in the style of a Windows INI file. Lines beginning with '#' or ';' (possibly after initial whitespace) are ignored as comments. Sections are headed by the section name, in square brackets. Each section may contain zero or more relations, of the form::

    foo = bar

or::

    fubar = {
        foo = bar
        baz = quux
    }

Placing a '\*' after the closing bracket of a section name indicates that the section is *final*, meaning that if the same section appears within a later file specified in **KRB5_CONFIG**, it will be ignored. A subsection can be marked as final by placing a '\*' after either the tag name or the closing brace.

The krb5.conf file can include other files using either of the following directives at the beginning of a line::

    include FILENAME
    includedir DIRNAME

*FILENAME* or *DIRNAME* should be an absolute path. The named file or directory must exist and be readable. Including a directory includes all files within the directory whose names consist solely of alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a section header. Starting in release 1.17, files are read in alphanumeric order; in previous releases, they may be read in any order.
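The following is an added example, not code from MIT krb5's profile library, showing the structure rules above in working form: a parser for sections, nested subsections and the ``*`` final markers, a merge of several files in **KRB5_CONFIG** order in which a section marked final in an earlier file hides that section in later files, and the includedir filename filter. Values are kept as plain strings; quoting and the ``module`` directive are not handled. The two configuration texts are constructed samples, and ``release_1_15`` is a parameter of this example rather than anything the library exposes.

```python
"""Parse and merge krb5.conf-style profiles (added illustration, not
MIT krb5 code).  Sections, nested subsections, '*' final markers, merging
of several files in KRB5_CONFIG order, and the includedir name filter."""
import re

_SECTION = re.compile(r"^\[([^\]]+)\](\*?)\s*$")          # [name] or [name]*
_SUB_OPEN = re.compile(r"^([^=\s]+?)(\*?)\s*=\s*\{\s*$")   # tag = {  or  tag* = {
_RELATION = re.compile(r"^([^=\s]+)\s*=\s*(.*?)\s*$")      # tag = value


def includedir_candidate(name, release_1_15=True):
    """Would a file with this name be read from an includedir?"""
    if re.fullmatch(r"[A-Za-z0-9_-]+", name):
        return True
    return release_1_15 and name.endswith(".conf") and not name.startswith(".")


def parse_profile(text):
    """Return {section: {"final": bool, "relations": [(tag, value), ...]}}.
    A value is a str, or a dict of the same shape for a subsection."""
    sections, stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            if stack:
                raise ValueError("section header inside subsection: " + line)
            current = sections.setdefault(m.group(1), {"final": False, "relations": []})
            current["final"] = current["final"] or bool(m.group(2))
            continue
        if current is None:
            raise ValueError("relation before any section header: " + line)
        container = (stack[-1] if stack else current)["relations"]
        m = _SUB_OPEN.match(line)
        if m:
            sub = {"final": bool(m.group(2)), "relations": []}
            container.append((m.group(1), sub))
            stack.append(sub)
            continue
        if line in ("}", "}*"):
            if not stack:
                raise ValueError("unbalanced '}'")
            sub = stack.pop()
            sub["final"] = sub["final"] or line == "}*"
            continue
        m = _RELATION.match(line)
        if not m:
            raise ValueError("cannot parse: " + line)
        container.append((m.group(1), m.group(2)))
    if stack:
        raise ValueError("unterminated subsection")
    return sections


def merge_profiles(texts):
    """Merge files in KRB5_CONFIG order.  Once a file marks a section
    final, that section in every later file is ignored."""
    merged, final = {}, set()
    for text in texts:
        for name, sec in parse_profile(text).items():
            if name in final:
                continue
            merged.setdefault(name, []).extend(sec["relations"])
            if sec["final"]:
                final.add(name)
    return merged


def get_values(merged, section, *path):
    """All string values at a tag path, earliest file first, e.g.
    get_values(m, "realms", "EXAMPLE.COM", "kdc")."""
    rels = merged.get(section, [])
    for name in path[:-1]:
        rels = [r for tag, val in rels if tag == name and isinstance(val, dict)
                for r in val["relations"]]
    return [val for tag, val in rels if tag == path[-1] and isinstance(val, str)]


# Constructed samples: a system file that pins [libdefaults] as final,
# followed by a later file in KRB5_CONFIG that tries to change it.
SYSTEM_CONF = """\
# constructed /etc/krb5.conf
[libdefaults]*
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
"""
SECOND_CONF = """\
; constructed later file named in KRB5_CONFIG
[libdefaults]
    default_realm = OTHER.EXAMPLE
[realms]
    EXAMPLE.COM = {
        kdc = kdc2.example.com
    }
"""
```

Merging ``SYSTEM_CONF`` then ``SECOND_CONF`` keeps ``default_realm = EXAMPLE.COM`` because the first file's ``[libdefaults]*`` is final, while the non-final ``[realms]`` section accumulates both ``kdc`` values in file order. That is the property an administrator relies on when a user-controlled **KRB5_CONFIG** entry follows the system file.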
The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the following directive at the beginning of a line before any section headers::

    module MODULEPATH:RESIDUAL

*MODULEPATH* may be relative to the library path of the krb5 installation, or it may be an absolute path. *RESIDUAL* is provided to the module at initialization time. If krb5.conf uses a module directive, :ref:`kdc.conf(5)` should also use one if it exists.

Sections
--------

The krb5.conf file may contain the following sections:

=================== =======================================================
:ref:`libdefaults`  Settings used by the Kerberos V5 library
:ref:`realms`       Realm-specific contact information and settings
:ref:`domain_realm` Maps server hostnames to Kerberos realms
:ref:`capaths`      Authentication paths for non-hierarchical cross-realm
:ref:`appdefaults`  Settings used by some Kerberos V5 applications
:ref:`plugins`      Controls plugin module registration
=================== =======================================================

Additionally, krb5.conf may include any of the relations described in :ref:`kdc.conf(5)`, but it is not a recommended practice.

.. _libdefaults:

[libdefaults]
~~~~~~~~~~~~~

The libdefaults section may contain any of the following relations:

**allow_weak_crypto**
    If this flag is set to false, then weak encryption types (as noted in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered out of the lists **default_tgs_enctypes**, **default_tkt_enctypes**, and **permitted_enctypes**. The default value for this tag is false.

**canonicalize**
    If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false.
**ccache_type**
    This parameter determines the format of credential cache types created by :ref:`kinit(1)` or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host.

**clockskew**
    Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes.

    The clockskew setting is also used when evaluating ticket start and expiration times. For example, tickets that have reached their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the **clockskew** setting.

**default_ccache_name**
    This relation specifies the name of the default credential cache. The default is |ccache|. This relation is subject to parameter expansion (see below). New in release 1.11.

**default_client_keytab_name**
    This relation specifies the name of the default keytab for obtaining client credentials. The default is |ckeytab|. This relation is subject to parameter expansion (see below). New in release 1.11.

**default_keytab_name**
    This relation specifies the default keytab name to be used by application servers such as sshd. The default is |keytab|. This relation is subject to parameter expansion (see below).

**default_rcache_name**
    This relation specifies the name of the default replay cache. The default is ``dfl:``. This relation is subject to parameter expansion (see below). New in release 1.18.

**default_realm**
    Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when invoking programs such as :ref:`kinit(1)`.
**default_tgs_enctypes**
    Identifies the supported list of session key encryption types that the client should request when making a TGS-REQ, in order of preference from highest to lowest. The list may be delimited with commas or whitespace. See :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the accepted values for this tag. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|.

    Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

**default_tkt_enctypes**
    Identifies the supported list of session key encryption types that the client should request when making an AS-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. Starting in release 1.18, the default value is the value of **permitted_enctypes**. For previous releases or if **permitted_enctypes** is not set, the default value is |defetypes|.

    Do not set this unless required for specific backward compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded.

**dns_canonicalize_hostname**
    Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully-qualified hostnames. If this option is set to ``fallback`` (new in release 1.18), DNS canonicalization will only be performed if the server hostname is not found with the original name when requesting credentials. The default value is true.
**dns_lookup_kdc**
    Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server entry must be in the krb5.conf realm information in order to contact kadmind, because the DNS implementation for kadmin is incomplete.) The default value is true.

    Enabling this option does open up a type of denial-of-service attack, if someone spoofs the DNS records and redirects you to another server. However, it's no worse than a denial of service, because that fake KDC will be unable to decode anything you send it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won't know.

**dns_uri_lookup**
    Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15.

**enforce_ok_as_delegate**
    If this flag is set to true, GSSAPI credential delegation will be disabled when the ``ok-as-delegate`` flag is not set in the service ticket. If this flag is false, the ``ok-as-delegate`` ticket flag is only enforced when an application specifically requests enforcement. The default value is false.

**err_fmt**
    This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value.

**extra_addresses**
    This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address-restricted tickets. The addresses should be in a comma-separated list. This option has no effect if **noaddresses** is true.
**forwardable**
    If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false.

**ignore_acceptor_hostname**
    When accepting GSSAPI or krb5 security contexts for host-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service principal in the keytab matching the service name and realm name (if given). This option can improve the administrative flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10.

**k5login_authoritative**
    If this flag is true, principals must be listed in a local user's k5login file to be granted login access, if a :ref:`.k5login(5)` file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true.

**k5login_directory**
    If set, the library will look for a local user's k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login files in the user's home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root.

**kcm_mach_service**
    On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is ``-``, Mach RPC will not be used to contact the KCM daemon. The default value is ``org.h5l.kcm``.

**kcm_socket**
    Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is ``-``, Unix domain sockets will not be used to contact the KCM daemon. The default value is ``/var/run/.heim_org.h5l.kcm-socket``.

**kdc_default_options**
    Default KDC options (Xored for multiple values) when requesting initial tickets.
    By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK).

**kdc_timesync**
    Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and use this value to correct for an inaccurate system clock when requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1.

**noaddresses**
    If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true.

**permitted_enctypes**
    Identifies the encryption types that servers will permit for session keys and for ticket and authenticator encryption, ordered by preference from highest to lowest. Starting in release 1.18, this tag also acts as the default value for **default_tgs_enctypes** and **default_tkt_enctypes**. The default value for this tag is |defetypes|.

**plugin_base_dir**
    If set, determines the base directory where krb5 plugins are located. The default value is the ``krb5/plugins`` subdirectory of the krb5 library directory. This relation is subject to parameter expansion (see below) in release 1.17 and later.

**preferred_preauth_types**
    This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported.

**proxiable**
    If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false.

**qualify_shortname**
    If this string is set, it determines the domain suffix for single-component hostnames when DNS canonicalization is not used (either because **dns_canonicalize_hostname** is false or because forward canonicalization failed).
    The default value is the first search domain of the system's DNS configuration. To disable qualification of shortnames, set this relation to the empty string with ``qualify_shortname = ""``. (New in release 1.18.)

**rdns**
    If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalize hostnames for use in service principal names. If **dns_canonicalize_hostname** is set to false, this flag has no effect. The default value is true.

**realm_try_domains**
    Indicate whether a host's domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: -1 means not to search, 0 means to try the host's domain itself, 1 means to also try the domain's immediate parent, and so forth. The library's usual mechanism for locating Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if **dns_lookup_kdc** is set. The default is not to search domain components.

**renew_lifetime**
    (:ref:`duration` string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0.

**spake_preauth_groups**
    A whitespace or comma-separated list of words which specifies the groups allowed for SPAKE preauthentication. The possible values are:

    ============ ================================
    edwards25519 Edwards25519 curve (:rfc:`7748`)
    P-256        NIST P-256 curve (:rfc:`5480`)
    P-384        NIST P-384 curve (:rfc:`5480`)
    P-521        NIST P-521 curve (:rfc:`5480`)
    ============ ================================

    The default value for the client is ``edwards25519``. The default value for the KDC is empty. New in release 1.17.

**ticket_lifetime**
    (:ref:`duration` string.) Sets the default lifetime for initial ticket requests. The default value is 1 day.

**udp_preference_limit**
    When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above **udp_preference_limit**.
    If the message is smaller than **udp_preference_limit**, then UDP will be tried before TCP. Regardless of the size, both protocols will be tried if the first attempt fails.

**verify_ap_req_nofail**
    If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false.

**client_aware_channel_bindings**
    If this flag is true, then all application protocol authentication requests will be flagged to indicate that the application supports channel bindings when operating over a secure channel. The default value is false.

.. _realms:

[realms]
~~~~~~~~

Each tag in the [realms] section of the file is the name of a Kerberos realm. The value of the tag is a subsection with relations that define the properties of that particular realm. For each realm, the following tags may be specified in the realm's subsection:

**admin_server**
    Identifies the host where the administration server is running. Typically, this is the primary Kerberos server. This tag must be given a value in order to communicate with the :ref:`kadmind(8)` server for the realm.

**auth_to_local**
    This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are:

    **RULE:**\ *exp*
        The local name will be formulated from *exp*.

        The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\ *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**. The integer *n* indicates how many components the target principal should have. If this matches, then a string will be formed from *string*, substituting the realm of the principal for ``$0`` and the *n*'th component of the principal for ``$n`` (e.g., if the principal was ``johndoe/admin`` then ``[2:$2$1foo]`` would result in the string ``adminjohndoefoo``).
        If this string matches *regexp*, then the ``s//[g]`` substitution command will be run over the string. The optional **g** will cause the substitution to be global over the *string*, instead of replacing only the first match in the *string*. Note that *regexp* is matched against the string built from *string*, not against the original principal, so any component the match depends on must appear in *string*.

    **DEFAULT**
        The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion will fail.

    For example::

        [realms]
            ATHENA.MIT.EDU = {
                auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
                auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
                auth_to_local = RULE:[2:$1;$2](^.*;root$)s/^.*$/root/
                auth_to_local = DEFAULT
            }

    would result in any principal without ``root`` or ``admin`` as the second component to be translated with the default rule. A principal with a second component of ``admin`` will become its first component. ``root`` will be used as the local name for any principal with a second component of ``root``. The exception to these two rules are any principals ``johndoe/*``, which will always get the local name ``guest``.

**auth_to_local_names**
    This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name.

**default_domain**
    This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting ``rcmd.hostname`` to ``host/hostname.domain``).

**disable_encrypted_timestamp**
    If this flag is true, the client will not perform encrypted timestamp preauthentication if requested by the KDC. Setting this flag can help to prevent dictionary attacks by active attackers, if the realm's KDCs support SPAKE preauthentication or if initial authentication always uses another mechanism or always uses FAST. This flag persists across client referrals during initial authentication.
    **disable_encrypted_timestamp** does not prevent the KDC from
    offering encrypted timestamp.  New in release 1.17.

**http_anchors**
    When KDCs and kpasswd servers are accessed through HTTPS proxies,
    this tag can be used to specify the location of the CA certificate
    which should be trusted to issue the certificate for a proxy
    server.  If left unspecified, the system-wide default set of CA
    certificates is used.

    The syntax for values is similar to that of values for the
    **pkinit_anchors** tag:

    **FILE:** *filename*
        *filename* is assumed to be the name of an OpenSSL-style
        ca-bundle file.

    **DIR:** *dirname*
        *dirname* is assumed to be a directory which contains CA
        certificates.  All files in the directory will be examined; if
        they contain certificates (in PEM format), they will be used.

    **ENV:** *envvar*
        *envvar* specifies the name of an environment variable which
        has been set to a value conforming to one of the previous
        values.  For example, ``ENV:X509_PROXY_CA``, where environment
        variable ``X509_PROXY_CA`` has been set to
        ``FILE:/tmp/my_proxy.pem``.

**kdc**
    The name or address of a host running a KDC for that realm.  An
    optional port number, separated from the hostname by a colon, may
    be included.  If the name or address contains colons (for example,
    if it is an IPv6 address), enclose it in square brackets to
    distinguish the colon from a port separator.  For your computer to
    be able to communicate with the KDC for each realm, this tag must
    be given a value in each realm subsection in the configuration
    file, or there must be DNS SRV records specifying the KDCs.

**kpasswd_server**
    Points to the server where all the password changes are performed.
    If there is no such entry, DNS will be queried (unless forbidden by
    **dns_lookup_kdc**).  Finally, port 464 on the **admin_server**
    host will be tried.

**master_kdc**
    The name for **primary_kdc** prior to release 1.19.  Its value is
    used as a fallback if **primary_kdc** is not specified.

**primary_kdc**
    Identifies the primary KDC(s).
    Currently, this tag is used in only one case: If an attempt to get
    credentials fails because of an invalid password, the client
    software will attempt to contact the primary KDC, in case the
    user's password has just been changed, and the updated database
    has not been propagated to the replica servers yet.  New in
    release 1.19.

**v4_instance_convert**
    This subsection allows the administrator to configure exceptions
    to the **default_domain** mapping rule.  It contains V4 instances
    (the tag name) which should be translated to some specific
    hostname (the tag value) as the second component in a Kerberos V5
    principal name.

**v4_realm**
    This relation is used by the krb524 library routines when
    converting a V5 principal name to a V4 principal name.  It is used
    when the V4 realm name and the V5 realm name are not the same, but
    still share the same principal names and passwords.  The tag value
    is the Kerberos V4 realm name.

.. _domain_realm:

[domain_realm]
~~~~~~~~~~~~~~

The [domain_realm] section provides a translation from a domain name
or hostname to a Kerberos realm name.  The tag name can be a host name
or domain name, where domain names are indicated by a prefix of a
period (``.``).  The value of the relation is the Kerberos realm name
for that particular host or domain.  A host name relation implicitly
provides the corresponding domain name relation, unless an explicit
domain name relation is provided.  The Kerberos realm may be
identified either in the realms_ section or using DNS SRV records.
Host names and domain names should be in lower case.  For example::

    [domain_realm]
        crash.mit.edu = TEST.ATHENA.MIT.EDU
        .dev.mit.edu = TEST.ATHENA.MIT.EDU
        mit.edu = ATHENA.MIT.EDU

maps the host with the name ``crash.mit.edu`` into the
``TEST.ATHENA.MIT.EDU`` realm.  The second entry maps all hosts under
the domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but
not the host with the name ``dev.mit.edu``.
That host is matched by the third entry, which maps the host
``mit.edu`` and all hosts under the domain ``mit.edu`` that do not
match a preceding rule into the realm ``ATHENA.MIT.EDU``.

If no translation entry applies to a hostname used for a service
principal for a service ticket request, the library will try to get a
referral to the appropriate realm from the client realm's KDC.  If
that does not succeed, the host's realm is considered to be the
hostname's domain portion converted to uppercase, unless the
**realm_try_domains** setting in [libdefaults] causes a different
parent domain to be used.

.. _capaths:

[capaths]
~~~~~~~~~

In order to perform direct (non-hierarchical) cross-realm
authentication, configuration is needed to determine the
authentication paths between realms.

A client will use this section to find the authentication path between
its realm and the realm of the server.  The server will use this
section to verify the authentication path used by the client, by
checking the transited field of the received ticket.

There is a tag for each participating client realm, and each tag has
subtags for each of the server realms.  The value of the subtags is an
intermediate realm which may participate in the cross-realm
authentication.  The subtags may be repeated if there is more than one
intermediate realm.  A value of "." means that the two realms share
keys directly, and no intermediate realms should be allowed to
participate.

Only those entries which will be needed on the client or the server
need to be present.  A client needs a tag for its local realm with
subtags for all the realms of servers it will need to authenticate to.
A server needs a tag for each realm of the clients it will serve, with
a subtag of the server realm.

For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to
use the ``ES.NET`` realm as an intermediate realm.  ANL has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``.
The [capaths] section for ``ANL.GOV`` systems would look like this::

    [capaths]
        ANL.GOV = {
            TEST.ANL.GOV = .
            PNL.GOV = ES.NET
            NERSC.GOV = ES.NET
            ES.NET = .
        }
        TEST.ANL.GOV = {
            ANL.GOV = .
        }
        PNL.GOV = {
            ANL.GOV = ES.NET
        }
        NERSC.GOV = {
            ANL.GOV = ES.NET
        }
        ES.NET = {
            ANL.GOV = .
        }

The [capaths] section of the configuration file used on ``NERSC.GOV``
systems would look like this::

    [capaths]
        NERSC.GOV = {
            ANL.GOV = ES.NET
            TEST.ANL.GOV = ES.NET
            TEST.ANL.GOV = ANL.GOV
            PNL.GOV = ES.NET
            ES.NET = .
        }
        ANL.GOV = {
            NERSC.GOV = ES.NET
        }
        PNL.GOV = {
            NERSC.GOV = ES.NET
        }
        ES.NET = {
            NERSC.GOV = .
        }
        TEST.ANL.GOV = {
            NERSC.GOV = ANL.GOV
            NERSC.GOV = ES.NET
        }

When a subtag is used more than once within a tag, clients will use
the order of values to determine the path.  The order of values is not
important to servers.

.. _appdefaults:

[appdefaults]
~~~~~~~~~~~~~

Each tag in the [appdefaults] section names a Kerberos V5 application
or an option that is used by some Kerberos V5 application[s].  The
value of the tag defines the default behaviors for that application.

For example::

    [appdefaults]
        telnet = {
            ATHENA.MIT.EDU = {
                option1 = false
            }
        }
        telnet = {
            option1 = true
            option2 = true
        }
        ATHENA.MIT.EDU = {
            option2 = false
        }
        option2 = true

The above four ways of specifying the value of an option are shown in
order of decreasing precedence.  In this example, if telnet is running
in the realm EXAMPLE.COM, it should, by default, have option1 and
option2 set to true.  However, a telnet program in the realm
``ATHENA.MIT.EDU`` should have ``option1`` set to false and
``option2`` set to true.  Any other programs in ATHENA.MIT.EDU should
have ``option2`` set to false by default.  Any programs running in
other realms should have ``option2`` set to true.

The list of specifiable options for each application may be found in
that application's man pages.  The application defaults specified
here are overridden by those specified in the realms_ section.

.. _plugins:

[plugins]
~~~~~~~~~

    * pwqual_ interface
    * kadm5_hook_ interface
    * clpreauth_ and kdcpreauth_ interfaces

Tags in the [plugins] section can be used to register dynamic plugin
modules and to turn modules on and off.  Not every krb5 pluggable
interface uses the [plugins] section; the ones that do are documented
here.  New in release 1.9.

Each pluggable interface corresponds to a subsection of [plugins].
All subsections support the same tags:

**disable**
    This tag may have multiple values.  If there are values for this
    tag, then the named modules will be disabled for the pluggable
    interface.

**enable_only**
    This tag may have multiple values.  If there are values for this
    tag, then only the named modules will be enabled for the pluggable
    interface.

**module**
    This tag may have multiple values.  Each value is a string of the
    form ``modulename:pathname``, which causes the shared object
    located at *pathname* to be registered as a dynamic module named
    *modulename* for the pluggable interface.  If *pathname* is not an
    absolute path, it will be treated as relative to the
    **plugin_base_dir** value from :ref:`libdefaults`.

For pluggable interfaces where module order matters, modules
registered with a **module** tag normally come first, in the order
they are registered, followed by built-in modules in the order they
are documented below.  If **enable_only** tags are used, then the
order of those tags overrides the normal module order.

The following subsections are currently supported within the
[plugins] section:

.. _ccselect:

ccselect interface
##################

The ccselect subsection controls modules for credential cache
selection within a cache collection.
In addition to any registered dynamic modules, the following built-in
modules exist (and may be disabled with the disable tag):

**k5identity**
    Uses a .k5identity file in the user's home directory to select a
    client principal

**realm**
    Uses the service realm to guess an appropriate cache from the
    collection

**hostname**
    If the service principal is host-based, uses the service hostname
    to guess an appropriate cache from the collection

.. _pwqual:

pwqual interface
################

The pwqual subsection controls modules for the password quality
interface, which is used to reject weak passwords when passwords are
changed.  The following built-in modules exist for this interface:

**dict**
    Checks against the realm dictionary file

**empty**
    Rejects empty passwords

**hesiod**
    Checks against user information stored in Hesiod (only if Kerberos
    was built with Hesiod support)

**princ**
    Checks against components of the principal name

.. _kadm5_hook:

kadm5_hook interface
####################

The kadm5_hook interface provides plugins with information on
principal creation, modification, password changes and deletion.  This
interface can be used to write a plugin to synchronize MIT Kerberos
with another database such as Active Directory.  No plugins are built
in for this interface.

.. _kadm5_auth:

kadm5_auth interface
####################

The kadm5_auth section (introduced in release 1.16) controls modules
for the kadmin authorization interface, which determines whether a
client principal is allowed to perform a kadmin operation.  The
following built-in modules exist for this interface:

**acl**
    This module reads the :ref:`kadm5.acl(5)` file, and authorizes
    operations which are allowed according to the rules in the file.

**self**
    This module authorizes self-service operations including password
    changes, creation of new random keys, fetching the client's
    principal record or string attributes, and fetching the policy
    record associated with the client principal.

.. _clpreauth:
.. _kdcpreauth:

clpreauth and kdcpreauth interfaces
###################################

The clpreauth and kdcpreauth interfaces allow plugin modules to
provide client and KDC preauthentication mechanisms.  The following
built-in modules exist for these interfaces:

**pkinit**
    This module implements the PKINIT preauthentication mechanism.

**encrypted_challenge**
    This module implements the encrypted challenge FAST factor.

**encrypted_timestamp**
    This module implements the encrypted timestamp mechanism.

.. _hostrealm:

hostrealm interface
###################

The hostrealm section (introduced in release 1.12) controls modules
for the host-to-realm interface, which affects the local mapping of
hostnames to realm names and the choice of default realm.  The
following built-in modules exist for this interface:

**profile**
    This module consults the [domain_realm] section of the profile for
    authoritative host-to-realm mappings, and the **default_realm**
    variable for the default realm.

**dns**
    This module looks for DNS records for fallback host-to-realm
    mappings and the default realm.  It only operates if the
    **dns_lookup_realm** variable is set to true.

**domain**
    This module applies heuristics for fallback host-to-realm
    mappings.  It implements the **realm_try_domains** variable, and
    uses the uppercased parent domain of the hostname if that does not
    produce a result.

.. _localauth:

localauth interface
###################

The localauth section (introduced in release 1.12) controls modules
for the local authorization interface, which affects the relationship
between Kerberos principals and local system accounts.  The following
built-in modules exist for this interface:

**default**
    This module implements the **DEFAULT** type for **auth_to_local**
    values.

**rule**
    This module implements the **RULE** type for **auth_to_local**
    values.

**names**
    This module looks for an **auth_to_local_names** mapping for the
    principal name.
**auth_to_local**
    This module processes **auth_to_local** values in the default
    realm's section, and applies the default method if no
    **auth_to_local** values exist.

**k5login**
    This module authorizes a principal to a local account according to
    the account's :ref:`.k5login(5)` file.

**an2ln**
    This module authorizes a principal to a local account if the
    principal name maps to the local account name.

.. _certauth:

certauth interface
##################

The certauth section (introduced in release 1.16) controls modules for
the certificate authorization interface, which determines whether a
certificate is allowed to preauthenticate a user via PKINIT.  The
following built-in modules exist for this interface:

**pkinit_san**
    This module authorizes the certificate if it contains a PKINIT
    Subject Alternative Name for the requested client principal, or a
    Microsoft UPN SAN matching the principal if **pkinit_allow_upn**
    is set to true for the realm.

**pkinit_eku**
    This module rejects the certificate if it does not contain an
    Extended Key Usage attribute consistent with the
    **pkinit_eku_checking** value for the realm.

**dbmatch**
    This module authorizes or rejects the certificate according to
    whether it matches the **pkinit_cert_match** string attribute on
    the client principal, if that attribute is present.

PKINIT options
--------------

.. note::

    The following are PKINIT-specific options.  These values may be
    specified in [libdefaults] as global defaults, or within a
    realm-specific subsection of [libdefaults], or may be specified as
    realm-specific values in the [realms] section.  A realm-specific
    value overrides, not adds to, a generic [libdefaults]
    specification.  The search order is:

1. realm-specific subsection of [libdefaults]::

       [libdefaults]
           EXAMPLE.COM = {
               pkinit_anchors = FILE:/usr/local/example.com.crt
           }

2. realm-specific value in the [realms] section::

       [realms]
           OTHERREALM.ORG = {
               pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
           }

3. generic value in the [libdefaults] section::

       [libdefaults]
           pkinit_anchors = DIR:/usr/local/generic_trusted_cas/

.. _pkinit_identity:

Specifying PKINIT identity information
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The syntax for specifying Public Key identity, trust, and revocation
information for PKINIT is as follows:

**FILE:**\ *filename*\ [**,**\ *keyfilename*]
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *filename*
    specifies the name of a PEM-format file containing the user's
    certificate.  If *keyfilename* is not specified, the user's
    private key is expected to be in *filename* as well.  Otherwise,
    *keyfilename* is the name of the file containing the private key.

    In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to
    be the name of an OpenSSL-style ca-bundle file.

**DIR:**\ *dirname*
    This option has context-specific behavior.

    In **pkinit_identity** or **pkinit_identities**, *dirname*
    specifies a directory with files named ``*.crt`` and ``*.key``
    where the first part of the file name is the same for matching
    pairs of certificate and private key files.  When a file with a
    name ending with ``.crt`` is found, a matching file ending with
    ``.key`` is assumed to contain the private key.  If no such file
    is found, then the certificate in the ``.crt`` is not used.

    In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to
    be an OpenSSL-style hashed CA directory where each CA cert is
    stored in a file named ``hash-of-ca-cert.#``.  This infrastructure
    is encouraged, but all files in the directory will be examined and
    if they contain certificates (in PEM format), they will be used.

    In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style
    hashed CA directory where each revocation list is stored in a file
    named ``hash-of-ca-cert.r#``.  This infrastructure is encouraged,
    but all files in the directory will be examined and if they
    contain a revocation list (in PEM format), they will be used.
**PKCS12:**\ *filename*
    *filename* is the name of a PKCS #12 format file, containing the
    user's certificate and private key.

**PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*]
    All keyword/values are optional.  *modname* specifies the location
    of a library implementing PKCS #11.  If a value is encountered
    with no keyword, it is assumed to be the *modname*.  If no
    module-name is specified, the default is ``opensc-pkcs11.so``.
    ``slotid=`` and/or ``token=`` may be specified to force the use of
    a particular smart card reader or token if there is more than one
    available.  ``certid=`` and/or ``certlabel=`` may be specified to
    force the selection of a particular certificate on the device.
    See the **pkinit_cert_match** configuration option for more ways
    to select a particular certificate to use for PKINIT.

**ENV:**\ *envvar*
    *envvar* specifies the name of an environment variable which has
    been set to a value conforming to one of the previous values.  For
    example, ``ENV:X509_PROXY``, where environment variable
    ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``.

PKINIT krb5.conf options
~~~~~~~~~~~~~~~~~~~~~~~~

**pkinit_anchors**
    Specifies the location of trusted anchor (root) certificates which
    the client trusts to sign KDC certificates.  This option may be
    specified multiple times.  These values from the config file are
    not used if the user specifies X509_anchors on the command line.

**pkinit_cert_match**
    Specifies matching rules that the client certificate must match
    before it is used to attempt PKINIT authentication.  If a user has
    multiple certificates available (on a smart card, or via other
    media), there must be exactly one certificate chosen before
    attempting PKINIT authentication.  This option may be specified
    multiple times.  All the available certificates are checked
    against each rule in order until there is a match of exactly one
    certificate.
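The "exactly one certificate" selection, as an added Python example (not code from the krb5 project) that evaluates rules in the **pkinit_cert_match** syntax described below against constructed certificate attributes.  It assumes that the regular-expression components are searched, unanchored, in the RFC 2253 Subject and Issuer strings and in each SAN value; the certificate records below are stand-ins built for the example, not real certificates.

```python
import re

EKU_VALUES = {"pkinit", "msScLogin", "clientAuth", "emailProtection"}
KU_VALUES = {"digitalSignature", "keyEncipherment"}
_TAG_RE = re.compile(r"<(SUBJECT|ISSUER|SAN|EKU|KU)>")


def parse_rule(rule):
    """Split a pkinit_cert_match value into (relation-operator, [(kind, value), ...])."""
    op = "&&"                                    # the default relation operator
    if rule.startswith(("&&", "||")):
        op, rule = rule[:2], rule[2:]
    parts = _TAG_RE.split(rule)                  # ['', 'SUBJECT', '.*DoE.*', 'SAN', ...]
    if parts[0] != "" or len(parts) < 3:
        raise ValueError("rule must start with a <...> component: %r" % rule)
    comps = list(zip(parts[1::2], parts[2::2]))
    for kind, value in comps:
        if kind == "EKU" and not set(value.split(",")) <= EKU_VALUES:
            raise ValueError("unknown EKU value in %r" % value)
        if kind == "KU" and not set(value.split(",")) <= KU_VALUES:
            raise ValueError("unknown KU value in %r" % value)
    return op, comps


def component_matches(kind, value, cert):
    """Assumption: regular expressions are searched (unanchored) in the name strings."""
    if kind == "SUBJECT":
        return re.search(value, cert["subject"]) is not None
    if kind == "ISSUER":
        return re.search(value, cert["issuer"]) is not None
    if kind == "SAN":
        return any(re.search(value, san) for san in cert["san"])
    if kind == "EKU":                            # every listed value must be present
        return set(value.split(",")) <= cert["eku"]
    if kind == "KU":
        return set(value.split(",")) <= cert["ku"]
    raise ValueError(kind)


def rule_matches(parsed, cert):
    """&& requires every component rule to match, || requires only one."""
    op, comps = parsed
    results = [component_matches(k, v, cert) for k, v in comps]
    return all(results) if op == "&&" else any(results)


def select_certificate(rules, certs):
    """Apply rules in order; stop at the first one that leaves exactly one certificate."""
    for rule in rules:
        parsed = parse_rule(rule)
        matched = [c for c in certs if rule_matches(parsed, c)]
        if len(matched) == 1:
            return matched[0]["id"]
    return None                                  # no rule singled out a certificate


# Constructed stand-ins for certificates found on a token (not real certificates).
CERTS = [
    {"id": "card-1", "subject": "CN=John Doe,OU=DoE,O=Example",
     "issuer": "CN=DoE Issuing CA,O=Example", "san": ["jdoe@EXAMPLE.COM"],
     "eku": {"clientAuth", "emailProtection"}, "ku": {"digitalSignature"}},
    {"id": "card-2", "subject": "CN=John Doe,OU=Contractors,O=Example",
     "issuer": "CN=DoE Issuing CA,O=Example", "san": ["jdoe@EXAMPLE.COM"],
     "eku": {"msScLogin", "clientAuth"}, "ku": {"digitalSignature", "keyEncipherment"}},
    {"id": "mail", "subject": "CN=John Doe,OU=Mail,O=Example",
     "issuer": "CN=Mail CA,O=Example", "san": ["john.doe@example.com"],
     "eku": {"emailProtection"}, "ku": {"keyEncipherment"}},
]

if __name__ == "__main__":
    rules = ["||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM",
             "&&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*"]
    print(select_certificate(rules, CERTS))      # card-2
```

The first rule matches two certificates, so it selects nothing and evaluation continues with the second rule.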
    The Subject and Issuer comparison strings are the :rfc:`2253`
    string representations from the certificate Subject DN and Issuer
    DN values.

    The syntax of the matching rules is:

        [*relation-operator*\ ]\ *component-rule* ...

    where:

    *relation-operator*
        can be either ``&&``, meaning all component rules must match,
        or ``||``, meaning only one component rule must match.  The
        default is ``&&``.

    *component-rule*
        can be one of the following.  Note that there is no
        punctuation or whitespace between component rules.

        | **<SUBJECT>**\ *regular-expression*
        | **<ISSUER>**\ *regular-expression*
        | **<SAN>**\ *regular-expression*
        | **<EKU>**\ *extended-key-usage-list*
        | **<KU>**\ *key-usage-list*

        *extended-key-usage-list* is a comma-separated list of
        required Extended Key Usage values.  All values in the list
        must be present in the certificate.  Extended Key Usage values
        can be:

        * pkinit
        * msScLogin
        * clientAuth
        * emailProtection

        *key-usage-list* is a comma-separated list of required Key
        Usage values.  All values in the list must be present in the
        certificate.  Key Usage values can be:

        * digitalSignature
        * keyEncipherment

    Examples::

        pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
        pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
        pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature

**pkinit_eku_checking**
    This option specifies what Extended Key Usage value the KDC
    certificate presented to the client must contain.  (Note that if
    the KDC certificate has the pkinit SubjectAlternativeName encoded
    as the Kerberos TGS name, EKU checking is not necessary since the
    issuing CA has certified this as a KDC certificate.)  The values
    recognized in the krb5.conf file are:

    **kpKDC**
        This is the default value and specifies that the KDC must have
        the id-pkinit-KPKdc EKU as defined in :rfc:`4556`.

    **kpServerAuth**
        If **kpServerAuth** is specified, a KDC certificate with the
        id-kp-serverAuth EKU will be accepted.  This key usage value
        is used in most commercially issued server certificates.
    **none**
        If **none** is specified, then the KDC certificate will not be
        checked to verify it has an acceptable EKU.  The use of this
        option is not recommended.

**pkinit_dh_min_bits**
    Specifies the size of the Diffie-Hellman key the client will
    attempt to use.  The acceptable values are 1024, 2048, and 4096.
    The default is 2048.

**pkinit_identities**
    Specifies the location(s) to be used to find the user's X.509
    identity information.  If this option is specified multiple times,
    each value is attempted in order until certificates are found.
    Note that these values are not used if the user specifies
    **X509_user_identity** on the command line.

**pkinit_kdc_hostname**
    The presence of this option indicates that the client is willing
    to accept a KDC certificate with a dNSName SAN (Subject
    Alternative Name) rather than requiring the id-pkinit-san as
    defined in :rfc:`4556`.  This option may be specified multiple
    times.  Its value should contain the acceptable hostname for the
    KDC (as contained in its certificate).

**pkinit_pool**
    Specifies the location of intermediate certificates which may be
    used by the client to complete the trust chain between a KDC
    certificate and a trusted anchor.  This option may be specified
    multiple times.

**pkinit_require_crl_checking**
    The default certificate verification process will always check
    the available revocation information to see if a certificate has
    been revoked.  If a match is found for the certificate in a CRL,
    verification fails.  If the certificate being verified is not
    listed in a CRL, or there is no CRL present for its issuing CA,
    and **pkinit_require_crl_checking** is false, then verification
    succeeds.

    However, if **pkinit_require_crl_checking** is true and there is
    no CRL information available for the issuing CA, then verification
    fails.

    **pkinit_require_crl_checking** should be set to true if the
    policy is such that up-to-date CRLs must be present for every CA.
**pkinit_revoke**
    Specifies the location of Certificate Revocation List (CRL)
    information to be used by the client when verifying the validity
    of the KDC certificate presented.  This option may be specified
    multiple times.

.. _parameter_expansion:

Parameter expansion
-------------------

Starting with release 1.11, several variables, such as
**default_keytab_name**, allow parameters to be expanded.
Valid parameters are:

================= ===================================================
%{TEMP}           Temporary directory
%{uid}            Unix real UID or Windows SID
%{euid}           Unix effective user ID or Windows SID
%{USERID}         Same as %{uid}
%{null}           Empty string
%{LIBDIR}         Installation library directory
%{BINDIR}         Installation binary directory
%{SBINDIR}        Installation admin binary directory
%{username}       (Unix) Username of effective user ID
%{APPDATA}        (Windows) Roaming application data for current user
%{COMMON_APPDATA} (Windows) Application data for all users
%{LOCAL_APPDATA}  (Windows) Local application data for current user
%{SYSTEM}         (Windows) Windows system folder
%{WINDOWS}        (Windows) Windows folder
%{USERCONFIG}     (Windows) Per-user MIT krb5 config file directory
%{COMMONCONFIG}   (Windows) Common MIT krb5 config file directory
================= ===================================================

Sample krb5.conf file
---------------------

Here is an example of a generic krb5.conf file::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU
        dns_lookup_kdc = true
        dns_lookup_realm = false

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            kdc = kerberos-2.mit.edu
            admin_server = kerberos.mit.edu
            primary_kdc = kerberos.mit.edu
        }
        EXAMPLE.COM = {
            kdc = kerberos.example.com
            kdc = kerberos-1.example.com
            admin_server = kerberos.example.com
        }

    [domain_realm]
        mit.edu = ATHENA.MIT.EDU

    [capaths]
        ATHENA.MIT.EDU = {
            EXAMPLE.COM = .
        }
        EXAMPLE.COM = {
            ATHENA.MIT.EDU = .
        }

FILES
-----

|krb5conf|

SEE ALSO
--------

syslog(3)

Configuration Files
===================

Kerberos uses configuration files to allow administrators to specify
settings on a per-machine basis.  :ref:`krb5.conf(5)` applies to all
applications using the Kerberos library, on clients and servers.
For KDC-specific applications, additional settings can be specified in
:ref:`kdc.conf(5)`; the two files are merged into a configuration
profile used by applications accessing the KDC database directly.
:ref:`kadm5.acl(5)` is also only used on the KDC; it controls
permissions for modifying the KDC database.

Contents
--------

.. toctree::
   :maxdepth: 1

   krb5_conf
   kdc_conf
   kadm5_acl

.. _kadm5.acl(5):

kadm5.acl
=========

DESCRIPTION
-----------

The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List
(ACL) file to manage access rights to the Kerberos database.
For operations that affect principals, the ACL file also controls
which principals can operate on which other principals.

The default location of the Kerberos ACL file is
|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file*
variable in :ref:`kdc.conf(5)`.

SYNTAX
------

Empty lines and lines starting with the sharp sign (``#``) are
ignored.  Lines containing ACL entries have the format::

    principal  permissions  [target_principal  [restrictions] ]

.. note::

    Line order in the ACL file is important.  The first matching entry
    will control access for an actor principal on a target principal.

*principal*
    (Partially or fully qualified Kerberos principal name.) Specifies
    the principal whose permissions are to be set.  Each component of
    the name may be wildcarded using the ``*`` character.
*permissions*
    Specifies what operations may or may not be performed by a
    *principal* matching a particular entry.  This is a string of one
    or more of the following list of characters or their upper-case
    counterparts.  If the character is *upper-case*, then the
    operation is disallowed.  If the character is *lower-case*, then
    the operation is permitted.

    == ======================================================
    a  [Dis]allows the addition of principals or policies
    c  [Dis]allows the changing of passwords for principals
    d  [Dis]allows the deletion of principals or policies
    e  [Dis]allows the extraction of principal keys
    i  [Dis]allows inquiries about principals or policies
    l  [Dis]allows the listing of all principals or policies
    m  [Dis]allows the modification of principals or policies
    p  [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`)
    s  [Dis]allows the explicit setting of the key for a principal
    x  Short for admcilsp. All privileges (except ``e``)
    \* Same as x.
    == ======================================================

    .. note::

        The ``extract`` privilege is not included in the wildcard
        privilege; it must be explicitly assigned.  This privilege
        allows the user to extract keys from the database, and must be
        handled with great care to avoid disclosure of important keys
        like those of the kadmin/* or krbtgt/* principals.  The
        **lockdown_keys** principal attribute can be used to prevent
        key extraction from specific principals regardless of the
        granted privilege.

*target_principal*
    (Optional. Partially or fully qualified Kerberos principal name.)
    Specifies the principal on which *permissions* may be applied.
    Each component of the name may be wildcarded using the ``*``
    character.  *target_principal* can also include back-references to
    *principal*, in which ``*number`` matches the corresponding
    wildcard in *principal*.

*restrictions*
    (Optional) A string of flags. Allowed restrictions are:

    {+\|-}\ *flagname*
        flag is forced to the indicated value.
        The permissible flags are the same as those for the
        **default_principal_flags** variable in :ref:`kdc.conf(5)`.

    *-clearpolicy*
        policy is forced to be empty.

    *-policy pol*
        policy is forced to be *pol*.

    -{*expire, pwexpire, maxlife, maxrenewlife*} *time*
        (:ref:`getdate` string) associated value will be forced to
        MIN(*time*, requested value).

    The above flags act as restrictions on any add or modify operation
    which is allowed due to that ACL line.

.. warning::

    If the kadmind ACL file is modified, the kadmind daemon needs to be
    restarted for changes to take effect.

EXAMPLE
-------

Here is an example of a kadm5.acl file::

    */admin@ATHENA.MIT.EDU    *                               # line 1
    joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
    joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
    */root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
    */root@ATHENA.MIT.EDU     l   *                           # line 5
    sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6

(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an
``admin`` instance has all administrative privileges except extracting
keys.

(lines 1-3) The user ``joeadmin`` has all permissions except
extracting keys with his ``admin`` instance,
``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1).  He has no
permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU``
(matches line 2).  His ``root`` and other non-``admin``, non-null
instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions
with any principal that has the instance ``root`` (matches line 3).

(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire or
change the password of their null instance, but not any other null
instance.  (Here, ``*1`` denotes a back-reference to the component
matching the first wildcard in the actor principal.)

(line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate the
list of principals in the database, and the list of policies in the
database.
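The first-match evaluation of the example ACL file above, as an added Python example (not kadmind's code).  It assumes that ``*`` wildcards only a whole component, that a target of ``*`` (or no target) makes an entry apply to any target including target-less operations such as listing, that an entry naming a specific target is skipped for target-less operations, and it strips trailing ``#`` comments so the example file parses as written.

```python
import re

ALL_PRIVS = "admcilsp"            # what 'x' and '*' expand to ('e' is never implied)


def parse_principal(name):
    """Split 'comp1/comp2@REALM' into (components, realm); no escape handling."""
    if "@" not in name:
        raise ValueError("principal %r has no realm" % name)
    local, realm = name.rsplit("@", 1)
    return local.split("/"), realm


def parse_permissions(perms):
    """Lower-case letters grant, upper-case letters revoke, x and * mean admcilsp."""
    allowed = set()
    for ch in perms:
        if ch in "x*":
            allowed |= set(ALL_PRIVS)
        elif ch == "X":
            allowed -= set(ALL_PRIVS)
        elif ch.lower() in ALL_PRIVS + "e":
            if ch.islower():
                allowed.add(ch)
            else:
                allowed.discard(ch.lower())
        else:
            raise ValueError("unknown permission character %r" % ch)
    return allowed


def parse_acl(text):
    """Parse ACL lines into (principal, allowed, target, restrictions) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumption: trailing comments allowed
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError("bad ACL line: %r" % raw)
        target = None
        # Assumption: a target of '*' (or none) means "any target"; the entry then
        # also applies to target-less operations such as listing.
        if len(fields) > 2 and fields[2] != "*":
            target = parse_principal(fields[2])
        entries.append((parse_principal(fields[0]), parse_permissions(fields[1]),
                        target, fields[3:]))
    return entries


def match_principal(pattern, princ, backrefs):
    """Component-wise match.  '*' matches a whole component and records it;
    '*N' (in a target pattern) must equal the N-th recorded wildcard match."""
    pcomps, prealm = pattern
    comps, realm = princ
    if len(pcomps) != len(comps) or prealm not in ("*", realm):
        return False
    for pc, c in zip(pcomps, comps):
        if pc == "*":
            backrefs.append(c)
        elif re.fullmatch(r"\*[1-9]", pc):
            n = int(pc[1])
            if n > len(backrefs) or backrefs[n - 1] != c:
                return False
        elif pc != c:
            return False
    return True


def authorize(entries, actor, op, target=None):
    """Return (granted, restrictions) from the first entry matching actor and target."""
    actor_p = parse_principal(actor)
    target_p = parse_principal(target) if target else None
    for pattern, allowed, tpattern, restrictions in entries:
        backrefs = []
        if not match_principal(pattern, actor_p, backrefs):
            continue
        if tpattern is not None:
            # An entry naming a specific target is skipped for target-less operations.
            if target_p is None or not match_principal(tpattern, target_p, backrefs):
                continue
        return op in allowed, restrictions
    return False, []                  # no entry matched: the ACL grants nothing


# The example file from the page, including its trailing "# line N" comments.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
"""

if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    print(authorize(acl, "alice/root@ATHENA.MIT.EDU", "c", "alice@ATHENA.MIT.EDU"))
    print(authorize(acl, "alice/root@ATHENA.MIT.EDU", "c", "bob@ATHENA.MIT.EDU"))
```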
Line 5 is separate from line 4, because list permission can only be
granted globally, not to specific target principals.

(line 6) Finally, the Service Management System principal
``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but
any principal that it creates or modifies will not be able to get
postdateable tickets or tickets with a life of longer than 9 hours.

MODULE BEHAVIOR
---------------

The ACL file can coexist with other authorization modules in release
1.16 and later, as configured in the :ref:`kadm5_auth` section of
:ref:`krb5.conf(5)`.  The ACL file will positively authorize
operations according to the rules above, but will never
authoritatively deny an operation, so other modules can authorize
operations in addition to those authorized by the ACL file.

To operate without an ACL file, set the *acl_file* variable in
:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``.

SEE ALSO
--------

:ref:`kdc.conf(5)`, :ref:`kadmind(8)`

.. _kadmin(1):

kadmin
======

SYNOPSIS
--------

.. _kadmin_synopsis:

**kadmin**
[**-O**\|\ **-N**]
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
[**-w** *password*]
[**-s** *admin_server*\ [:*port*]]
[command args...]

**kadmin.local**
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[**-d** *dbname*]
[**-e** *enc*:*salt* ...]
[**-m**]
[**-x** *db_args*]
[command args...]

.. _kadmin_synopsis_end:

DESCRIPTION
-----------

kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system.
They provide nearly identical functionalities; the difference is that
kadmin.local directly accesses the KDC database, while kadmin performs
operations using :ref:`kadmind(8)`.  Except as explicitly noted
otherwise, this man page will use "kadmin" to refer to both versions.
kadmin provides for the maintenance of Kerberos principals, password
policies, and service key tables (keytabs).

The remote kadmin client uses Kerberos to authenticate to kadmind using
the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST`` (where
*ADMINHOST* is the fully-qualified hostname of the admin server).  If
the credentials cache contains a ticket for one of these principals,
and the **-c** credentials_cache option is specified, that ticket is
used to authenticate to kadmind.  Otherwise, the **-p** and **-k**
options are used to specify the client Kerberos principal name used to
authenticate.  Once kadmin has determined the principal name, it
requests a service ticket from the KDC, and uses that service ticket to
authenticate to kadmind.

Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database.  If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.

OPTIONS
-------

.. _kadmin_options:

**-r** *realm*
    Use *realm* as the default database realm.

**-p** *principal*
    Use *principal* to authenticate.  Otherwise, kadmin will append
    ``/admin`` to the primary principal name of the default ccache, the
    value of the **USER** environment variable, or the username as
    obtained with getpwuid, in order of preference.

**-k**
    Use a keytab to decrypt the KDC response instead of prompting for a
    password.  In this case, the default principal will be
    ``host/hostname``.  If there is no keytab specified with the **-t**
    option, then the default keytab will be used.

**-t** *keytab*
    Use *keytab* to decrypt the KDC response.
    This can only be used with the **-k** option.

**-n**
    Requests anonymous processing.  Two types of anonymous principals
    are supported.  For fully anonymous Kerberos, configure PKINIT on
    the KDC and configure **pkinit_anchors** in the client's
    :ref:`krb5.conf(5)`.  Then use the **-n** option with a principal
    of the form ``@REALM`` (an empty principal name followed by the
    at-sign and a realm name).  If permitted by the KDC, an anonymous
    ticket will be returned.  A second form of anonymous tickets is
    supported; these realm-exposed tickets hide the identity of the
    client but not the client's realm.  For this mode, use ``kinit -n``
    with a normal principal name.  If supported by the KDC, the
    principal (but not realm) will be replaced by the anonymous
    principal.  As of release 1.8, the MIT Kerberos KDC only supports
    fully anonymous operation.

**-c** *credentials_cache*
    Use *credentials_cache* as the credentials cache.  The cache should
    contain a service ticket for the ``kadmin/admin`` or
    ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified
    hostname of the admin server) service; it can be acquired with the
    :ref:`kinit(1)` program.  If this option is not specified, kadmin
    requests a new service ticket from the KDC, and stores it in its
    own temporary ccache.

**-w** *password*
    Use *password* instead of prompting for one.  Use this option with
    care, as it may expose the password to other users on the system
    via the process list.

**-q** *query*
    Perform the specified query and then exit.

**-d** *dbname*
    Specifies the name of the KDC database.  This option does not apply
    to the LDAP database module.

**-s** *admin_server*\ [:*port*]
    Specifies the admin server which kadmin should contact.

**-m**
    If using kadmin.local, prompt for the database master password
    instead of reading it from a stash file.

**-e** "*enc*:*salt* ..."
    Sets the keysalt list to be used for any new keys created.  See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible
    values.
**-O**
    Force use of old AUTH_GSSAPI authentication flavor.

**-N**
    Prevent fallback to AUTH_GSSAPI authentication flavor.

**-x** *db_args*
    Specifies the database specific arguments.  See the next section
    for supported options.

.. _kadmin_options_end:

Starting with release 1.14, if any command-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:

* Query arguments are split by the shell, not by kadmin.
* Informational and warning messages are suppressed.  Error messages
  and query output (e.g. for **get_principal**) will still be
  displayed.
* Confirmation prompts are disabled (as if **-force** was given).
  Password prompts will still be issued as required.
* The exit status will be non-zero if the query fails.

The **-q** option does not carry these behavior differences; the query
will be processed as if it was entered interactively.  The **-q**
option cannot be used in combination with a query in the remaining
arguments.

.. _dboptions:

DATABASE OPTIONS
----------------

Database options can be used to override database-specific defaults.
Supported options for the DB2 module are:

**-x dbname=**\ *filename*
    Specifies the base filename of the DB2 database.

**-x lockiter**
    Make iteration operations hold the lock for the duration of the
    entire operation, rather than temporarily releasing the lock while
    handling each principal.  This is the default behavior, but this
    option exists to allow command line override of a [dbmodules]
    setting.  First introduced in release 1.13.

**-x unlockiter**
    Make iteration operations unlock the database for each principal,
    instead of holding the lock for the duration of the entire
    operation.  First introduced in release 1.13.

Supported options for the LDAP module are:

**-x host=**\ *ldapuri*
    Specifies the LDAP server to connect to by an LDAP URI.
**-x binddn=**\ *bind_dn*
    Specifies the DN used to bind to the LDAP server.

**-x bindpwd=**\ *password*
    Specifies the password or SASL secret used to bind to the LDAP
    server.  Using this option may expose the password to other users
    on the system via the process list; to avoid this, instead stash
    the password using the **stashsrvpw** command of
    :ref:`kdb5_ldap_util(8)`.

**-x sasl_mech=**\ *mechanism*
    Specifies the SASL mechanism used to bind to the LDAP server.  The
    bind DN is ignored if a SASL mechanism is used.  New in release
    1.13.

**-x sasl_authcid=**\ *name*
    Specifies the authentication name used when binding to the LDAP
    server with a SASL mechanism, if the mechanism requires one.  New
    in release 1.13.

**-x sasl_authzid=**\ *name*
    Specifies the authorization name used when binding to the LDAP
    server with a SASL mechanism.  New in release 1.13.

**-x sasl_realm=**\ *realm*
    Specifies the realm used when binding to the LDAP server with a
    SASL mechanism, if the mechanism uses one.  New in release 1.13.

**-x debug=**\ *level*
    Sets the OpenLDAP client library debug level.  *level* is an
    integer to be interpreted by the library.  Debugging messages are
    printed to standard error.  New in release 1.12.

COMMANDS
--------

When using the remote client, available commands may be restricted
according to the privileges specified in the :ref:`kadm5.acl(5)` file
on the admin server.

.. _add_principal:

add_principal
~~~~~~~~~~~~~

**add_principal** [*options*] *newprinc*

Creates the principal *newprinc*, prompting twice for a password.  If
no password policy is specified with the **-policy** option, the
policy named ``default`` is assigned to the principal if it exists.
However, creating a policy named ``default`` will not automatically
assign this policy to previously existing principals.  This policy
assignment can be suppressed with the **-clearpolicy** option.

This command requires the **add** privilege.
Aliases: **addprinc**, **ank**

Options:

**-expire** *expdate*
    (:ref:`getdate` string) The expiration date of the principal.

**-pwexpire** *pwexpdate*
    (:ref:`getdate` string) The password expiration date.

**-maxlife** *maxlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life
    for the principal.

**-maxrenewlife** *maxrenewlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum renewable
    life of tickets for the principal.

**-kvno** *kvno*
    The initial key version number.

**-policy** *policy*
    The password policy used by this principal.  If not specified, the
    policy ``default`` is used if it exists (unless **-clearpolicy** is
    specified).

**-clearpolicy**
    Prevents any policy from being assigned when **-policy** is not
    specified.

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets.  **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets.  **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets.  **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets.  **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for this
    principal by prohibiting others from obtaining a service ticket
    encrypted in this principal's TGT session key.  **+allow_dup_skey**
    clears this flag.

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to preauthenticate
    before being allowed to kinit.  **-requires_preauth** clears this
    flag.  When **+requires_preauth** is set on a service principal,
    the KDC will only issue service tickets for that service principal
    if the client's initial authentication was performed using
    preauthentication.
{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to preauthenticate
    using a hardware device before being allowed to kinit.
    **-requires_hwauth** clears this flag.  When **+requires_hwauth**
    is set on a service principal, the KDC will only issue service
    tickets for that service principal if the client's initial
    authentication was performed using a hardware device to
    preauthenticate.

{-\|+}\ **ok_as_delegate**
    **+ok_as_delegate** sets the **okay as delegate** flag on tickets
    issued with this principal as the service.  Clients may use this
    flag as a hint that credentials should be delegated when
    authenticating to the service.  **-ok_as_delegate** clears this
    flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for this
    principal.  In release 1.17 and later, user-to-user service tickets
    are still allowed unless the **-allow_dup_skey** flag is also set.
    **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
    request for a service ticket for this principal is not permitted.
    **+allow_tgs_req** clears this flag.

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal.  **+allow_tix** clears this flag.

{-\|+}\ **needchange**
    **+needchange** forces a password change on the next initial
    authentication to this principal.  **-needchange** clears this
    flag.

{-\|+}\ **password_changing_service**
    **+password_changing_service** marks this principal as a password
    change service principal.

{-\|+}\ **ok_to_auth_as_delegate**
    **+ok_to_auth_as_delegate** allows this principal to acquire
    forwardable tickets to itself from arbitrary users, for use with
    constrained delegation.

{-\|+}\ **no_auth_data_required**
    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
    being added to service tickets for the principal.

{-\|+}\ **lockdown_keys**
    **+lockdown_keys** prevents keys for this principal from leaving
    the KDC via kadmind.
    The chpass and extract operations are denied for a principal with
    this attribute.  The chrand operation is allowed, but will not
    return the new keys.  The delete and rename operations are also
    denied if this attribute is set, in order to prevent a malicious
    administrator from replacing principals like krbtgt/* or kadmin/*
    with new principals without the attribute.  This attribute can be
    set via the network protocol, but can only be removed using
    kadmin.local.

**-randkey**
    Sets the key of the principal to a random value.

**-nokey**
    Causes the principal to be created with no key.  New in release
    1.12.

**-pw** *password*
    Sets the password of the principal to the specified string and
    does not prompt for a password.  Note: using this option in a
    shell script may expose the password to other users on the system
    via the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-x** *db_princ_args*
    Indicates database-specific options.  The options for the LDAP
    database module are:

    **-x dn=**\ *dn*
        Specifies the LDAP object that will contain the Kerberos
        principal being created.

    **-x linkdn=**\ *dn*
        Specifies the LDAP object to which the newly created Kerberos
        principal object will point.

    **-x containerdn=**\ *container_dn*
        Specifies the container object under which the Kerberos
        principal is to be created.

    **-x tktpolicy=**\ *policy*
        Associates a ticket policy to the Kerberos principal.

    .. note::

        - The **containerdn** and **linkdn** options cannot be
          specified with the **dn** option.
        - If the *dn* or *containerdn* options are not specified while
          adding the principal, the principals are created under the
          principal container configured in the realm or the realm
          container.
        - *dn* and *containerdn* should be within the subtrees or
          principal container configured in the realm.
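The **add** privilege this command requires is granted by the kadm5.acl(5) file on the admin server.  As an added example (not krb5 code), the following Python model evaluates the six-line kadm5.acl example shown in kadm5.acl(5) above and answers which of its actors may run **add_principal** (or any other privileged command) against a given target, following the matching rules that page describes.  It assumes the privilege letters defined in kadm5.acl(5) (``a``, ``d``, ``m``, ``c``, ``i``, ``l``, ``s``, ``p``, ``e``, with ``x`` or ``*`` meaning all except ``e``) and, as kadmind's ACL module does, that the first line matching both actor and target decides; restriction tokens such as ``-maxlife 9h`` are returned uninterpreted.

```python
"""Toy evaluator for the kadm5.acl(5) example file (added example, not krb5 code).

Models the rules kadm5.acl(5) states: component-wise "*" wildcards, "*N"
back-references into the actor pattern, uppercase letters deny, "x"/"*"
grant every privilege except "e" (extract), and a bare "*" target means
any target.  Assumption borrowed from kadmind's ACL module: the first
line whose actor and target both match decides.  Restrictions stay raw.
"""
from typing import NamedTuple, Optional

ALL_PRIVS = set("admcilsp")      # granted by "x" or "*"; never includes "e"
REALM = "ATHENA.MIT.EDU"

# The six-line example file from kadm5.acl(5), copied as given there.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *                               # line 1
joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
*/root@ATHENA.MIT.EDU     l   *                           # line 5
sms@ATHENA.MIT.EDU        x   *   -maxlife 9h -postdateable # line 6
"""


class AclEntry(NamedTuple):
    actor: list                  # name components followed by the realm
    privs: set
    target: Optional[list]       # None: the entry applies to any target
    restrictions: list


def split_principal(name: str, default_realm: str) -> list:
    """'a/b@R' -> ['a', 'b', 'R']; a missing realm takes the default."""
    comps, sep, realm = name.rpartition("@")
    if not sep:                  # no "@" present
        comps, realm = name, default_realm
    return comps.split("/") + [realm]


def parse_privs(letters: str) -> set:
    """Lowercase grants, uppercase denies; 'x' and '*' grant ALL_PRIVS."""
    granted = set()
    for ch in letters:
        if ch in "x*":
            granted |= ALL_PRIVS
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


def parse_acl(text: str, default_realm: str) -> list:
    """Parse 'actor perms [target [restrictions...]]' lines; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        if len(f) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        target = None
        if len(f) > 2 and f[2] != "*":          # "*" target: any principal
            target = split_principal(f[2], default_realm)
        entries.append(AclEntry(split_principal(f[0], default_realm),
                                parse_privs(f[1]), target, f[3:]))
    return entries


def match(pattern: list, princ: list, backrefs: Optional[list], wild: list) -> bool:
    """Component-wise match.  '*' matches any component and records it in
    wild; '*N' must equal the N-th wildcard captured from the actor."""
    if len(pattern) != len(princ):
        return False
    for pat, comp in zip(pattern, princ):
        if pat == "*":
            wild.append(comp)
        elif backrefs is not None and len(pat) == 2 and pat[0] == "*" and pat[1].isdigit():
            n = int(pat[1])
            if not 1 <= n <= len(backrefs) or backrefs[n - 1] != comp:
                return False
        elif pat != comp:
            return False
    return True


def check(entries: list, actor: str, priv: str, target: Optional[str],
          default_realm: str = REALM) -> tuple:
    """Return (allowed, restrictions).  target=None models a targetless
    operation such as list, which only a line without a target can grant."""
    actor_p = split_principal(actor, default_realm)
    target_p = None if target is None else split_principal(target, default_realm)
    for e in entries:
        wild = []
        if not match(e.actor, actor_p, None, wild):
            continue
        if e.target is not None and (target_p is None or
                                     not match(e.target, target_p, wild, [])):
            continue
        return priv in e.privs, list(e.restrictions)    # first match decides
    return False, []


ENTRIES = parse_acl(EXAMPLE_ACL, REALM)
```

For instance, ``check(ENTRIES, "sms@ATHENA.MIT.EDU", "a", "jennifer")`` returns ``(True, ["-maxlife", "9h", "-postdateable"])``, while ``check(ENTRIES, "joeadmin@ATHENA.MIT.EDU", "a", "jennifer")`` returns ``(False, [])`` because line 2 matches first and grants nothing.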
Example::

    kadmin: addprinc jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU";
    defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
    Principal "jennifer@ATHENA.MIT.EDU" created.
    kadmin:

.. _add_principal_end:

.. _modify_principal:

modify_principal
~~~~~~~~~~~~~~~~

**modify_principal** [*options*] *principal*

Modifies the specified principal, changing the fields as specified.
The options to **add_principal** also apply to this command, except
for the **-randkey**, **-pw**, and **-e** options.  In addition, the
option **-clearpolicy** will clear the current policy of a principal.

This command requires the *modify* privilege.

Alias: **modprinc**

Options (in addition to the **addprinc** options):

**-unlock**
    Unlocks a locked principal (one which has received too many failed
    authentication attempts without enough time between them according
    to its password policy) so that it can successfully authenticate.

.. _modify_principal_end:

.. _rename_principal:

rename_principal
~~~~~~~~~~~~~~~~

**rename_principal** [**-force**] *old_principal* *new_principal*

Renames the specified *old_principal* to *new_principal*.  This command
prompts for confirmation, unless the **-force** option is given.

This command requires the **add** and **delete** privileges.

Alias: **renprinc**

.. _rename_principal_end:

.. _delete_principal:

delete_principal
~~~~~~~~~~~~~~~~

**delete_principal** [**-force**] *principal*

Deletes the specified *principal* from the database.  This command
prompts for confirmation before deletion, unless the **-force** option
is given.

This command requires the **delete** privilege.

Alias: **delprinc**

.. _delete_principal_end:

.. _change_password:

change_password
~~~~~~~~~~~~~~~

**change_password** [*options*] *principal*

Changes the password of *principal*.  Prompts for a new password if
neither **-randkey** nor **-pw** is specified.
This command requires the **changepw** privilege, or that the principal
running the program is the same as the principal being changed.

Alias: **cpw**

The following options are available:

**-randkey**
    Sets the key of the principal to a random value.

**-pw** *password*
    Set the password to the specified string.  Using this option in a
    script may expose the password to other users on the system via
    the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-keepold**
    Keeps the existing keys in the database.  This flag is usually not
    necessary except perhaps for ``krbtgt`` principals.

Example::

    kadmin: cpw systest
    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
    kadmin:

.. _change_password_end:

.. _purgekeys:

purgekeys
~~~~~~~~~

**purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*

Purges previously retained old keys (e.g., from **change_password
-keepold**) from *principal*.  If **-keepkvno** is specified, then
only purges keys with kvnos lower than *oldest_kvno_to_keep*.  If
**-all** is specified, then all keys are purged.  The **-all** option
is new in release 1.12.

This command requires the **modify** privilege.

.. _purgekeys_end:

.. _get_principal:

get_principal
~~~~~~~~~~~~~

**get_principal** [**-terse**] *principal*

Gets the attributes of principal.  With the **-terse** option, outputs
fields as quoted tab-separated strings.

This command requires the **inquire** privilege, or that the principal
running the program is the same as the one being listed.
Alias: **getprinc**

Examples::

    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, aes256-cts-hmac-sha384-192
    MKey: vno 1
    Attributes:
    Policy: [none]

    kadmin: getprinc -terse systest
    systest@BLEEP.COM   3   86400   604800   1   785926535   753241234   785900000   tlyu/admin@BLEEP.COM   786100034   0   0
    kadmin:

.. _get_principal_end:

.. _list_principals:

list_principals
~~~~~~~~~~~~~~~

**list_principals** [*expression*]

Retrieves all or some principal names.  *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``.  All principal names matching the expression are
printed.  If no expression is provided, all principal names are
printed.  If the expression does not contain an ``@`` character, an
``@`` character followed by the local realm is appended to the
expression.

This command requires the **list** privilege.

Aliases: **listprincs**, **get_principals**, **getprincs**

Example::

    kadmin: listprincs test*
    test3@SECURE-TEST.OV.COM
    test2@SECURE-TEST.OV.COM
    test1@SECURE-TEST.OV.COM
    testuser@SECURE-TEST.OV.COM
    kadmin:

.. _list_principals_end:

.. _get_strings:

get_strings
~~~~~~~~~~~

**get_strings** *principal*

Displays string attributes on *principal*.

This command requires the **inquire** privilege.

Alias: **getstrs**

.. _get_strings_end:

.. _set_string:

set_string
~~~~~~~~~~

**set_string** *principal* *name* *value*

Sets a string attribute on *principal*.  String attributes are used to
supply per-principal configuration to the KDC and some KDC plugin
modules.
The following string attribute names are recognized by the KDC:

**require_auth**
    Specifies an authentication indicator which is required to
    authenticate to the principal as a service.  Multiple indicators
    can be specified, separated by spaces; in this case any of the
    specified indicators will be accepted.  (New in release 1.14.)

**session_enctypes**
    Specifies the encryption types supported for session keys when the
    principal is authenticated to as a server.  See
    :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
    accepted values.

**otp**
    Enables One Time Passwords (OTP) preauthentication for a client
    *principal*.  The *value* is a JSON string representing an array of
    objects, each having optional ``type`` and ``username`` fields.

**pkinit_cert_match**
    Specifies a matching expression that defines the certificate
    attributes required for the client certificate used by the
    principal during PKINIT authentication.  The matching expression
    is in the same format as those used by the **pkinit_cert_match**
    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)

This command requires the **modify** privilege.

Alias: **setstr**

Example::

    set_string host/foo.mit.edu session_enctypes aes128-cts
    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"

.. _set_string_end:

.. _del_string:

del_string
~~~~~~~~~~

**del_string** *principal* *key*

Deletes a string attribute from *principal*.

This command requires the **delete** privilege.

Alias: **delstr**

.. _del_string_end:

.. _add_policy:

add_policy
~~~~~~~~~~

**add_policy** [*options*] *policy*

Adds a password policy named *policy* to the database.

This command requires the **add** privilege.

Alias: **addpol**

The following options are available:

**-maxlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the maximum
    lifetime of a password.

**-minlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the minimum
    lifetime of a password.

**-minlength** *length*
    Sets the minimum length of a password.
**-minclasses** *number*
    Sets the minimum number of character classes required in a
    password.  The five character classes are lower case, upper case,
    numbers, punctuation, and whitespace/unprintable characters.

**-history** *number*
    Sets the number of past keys kept for a principal.  This option is
    not supported with the LDAP KDC database module.

.. _policy_maxfailure:

**-maxfailure** *maxnumber*
    Sets the number of authentication failures before the principal is
    locked.  Authentication failures are only tracked for principals
    which require preauthentication.  The counter of failed attempts
    resets to 0 after a successful attempt to authenticate.  A
    *maxnumber* value of 0 (the default) disables lockout.

.. _policy_failurecountinterval:

**-failurecountinterval** *failuretime*
    (:ref:`duration` or :ref:`getdate` string) Sets the allowable time
    between authentication failures.  If an authentication failure
    happens after *failuretime* has elapsed since the previous failure,
    the number of authentication failures is reset to 1.  A
    *failuretime* value of 0 (the default) means forever.

.. _policy_lockoutduration:

**-lockoutduration** *lockouttime*
    (:ref:`duration` or :ref:`getdate` string) Sets the duration for
    which the principal is locked from authenticating if too many
    authentication failures occur without the specified failure count
    interval elapsing.  A duration of 0 (the default) means the
    principal remains locked out until it is administratively unlocked
    with ``modprinc -unlock``.

**-allowedkeysalts**
    Specifies the key/salt tuples supported for long-term keys when
    setting or changing a principal's password/keys.  See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
    accepted values, but note that key/salt tuples must be separated
    with commas (',') only.  To clear the allowed key/salt policy use
    a value of '-'.

Example::

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
    kadmin:

.. _add_policy_end:

.. _modify_policy:

modify_policy
~~~~~~~~~~~~~

**modify_policy** [*options*] *policy*

Modifies the password policy named *policy*.  Options are as described
for **add_policy**.

This command requires the **modify** privilege.

Alias: **modpol**

.. _modify_policy_end:

.. _delete_policy:

delete_policy
~~~~~~~~~~~~~

**delete_policy** [**-force**] *policy*

Deletes the password policy named *policy*.  Prompts for confirmation
before deletion.  The command will fail if the policy is in use by any
principals.

This command requires the **delete** privilege.

Alias: **delpol**

Example::

    kadmin: del_policy guests
    Are you sure you want to delete the policy "guests"?
    (yes/no): yes
    kadmin:

.. _delete_policy_end:

.. _get_policy:

get_policy
~~~~~~~~~~

**get_policy** [ **-terse** ] *policy*

Displays the values of the password policy named *policy*.  With the
**-terse** flag, outputs the fields as quoted strings separated by
tabs.

This command requires the **inquire** privilege.

Alias: **getpol**

Examples::

    kadmin: get_policy admin
    Policy: admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5
    Reference count: 17

    kadmin: get_policy -terse admin
    admin     15552000  0    6    2    5    17
    kadmin:

The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.

.. _get_policy_end:

.. _list_policies:

list_policies
~~~~~~~~~~~~~

**list_policies** [*expression*]

Retrieves all or some policy names.  *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``.  All policy names matching the expression are
printed.  If no expression is provided, all existing policy names are
printed.

This command requires the **list** privilege.

Aliases: **listpols**, **get_policies**, **getpols**.
Examples::

    kadmin: listpols
    test-pol
    dict-only
    once-a-min
    test-pol-nopw

    kadmin: listpols t*
    test-pol
    test-pol-nopw
    kadmin:

.. _list_policies_end:

.. _ktadd:

ktadd
~~~~~

| **ktadd** [options] *principal*
| **ktadd** [options] **-glob** *princ-exp*

Adds a *principal*, or all principals matching *princ-exp*, to a
keytab file.  Each principal's keys are randomized in the process.
The rules for *princ-exp* are described in the **list_principals**
command.

This command requires the **inquire** and **changepw** privileges.
With the **-glob** form, it also requires the **list** privilege.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file.  Otherwise, the default keytab is
    used.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the new keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-q**
    Display less verbose information.

**-norandkey**
    Do not randomize the keys.  The keys and their version numbers stay
    unchanged.  This option cannot be specified in combination with the
    **-e** option.

An entry for each of the principal's unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.

Alias: **xst**

Example::

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
         encryption type aes256-cts-hmac-sha1-96 added to keytab
         FILE:/tmp/foo-new-keytab
    kadmin:

.. _ktadd_end:

.. _ktremove:

ktremove
~~~~~~~~

**ktremove** [options] *principal* [*kvno* | *all* | *old*]

Removes entries for the specified *principal* from a keytab.  Requires
no permissions, since this does not require database access.

If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed.
Otherwise, the value specified is parsed as an integer, and all entries
whose kvno match that integer are removed.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file.  Otherwise, the default keytab is
    used.

**-q**
    Display less verbose information.

Alias: **ktrem**

Example::

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab
         FILE:/etc/krb5.keytab
    kadmin:

.. _ktremove_end:

lock
~~~~

Lock database exclusively.  Use with extreme caution!  This command
only works with the DB2 KDC database module.

unlock
~~~~~~

Release the exclusive database lock.

list_requests
~~~~~~~~~~~~~

Lists the requests available in kadmin.

Aliases: **lr**, **?**

quit
~~~~

Exit program.  If the database was locked, the lock is released.

Aliases: **exit**, **q**

HISTORY
-------

The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`

krb5-1.19.2/doc/html/_sources/admin/admin_commands/kprop.rst.txt

.. _kprop(8):

kprop
=====

SYNOPSIS
--------

**kprop**
[**-r** *realm*]
[**-f** *file*]
[**-d**]
[**-P** *port*]
[**-s** *keytab*]
*replica_host*

DESCRIPTION
-----------

kprop is used to securely propagate a Kerberos V5 database dump file
from the primary Kerberos server to a replica Kerberos server, which is
specified by *replica_host*.  The dump file must be created by
:ref:`kdb5_util(8)`.

OPTIONS
-------

**-r** *realm*
    Specifies the realm of the primary server.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be found; by default the dumped database file is normally
    |kdcdir|\ ``/replica_datatrans``.
**-P** *port*
    Specifies the port to use to contact the :ref:`kpropd(8)` server on
    the remote host.

**-d**
    Prints debugging information.

**-s** *keytab*
    Specifies the location of the keytab file.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`

krb5-1.19.2/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.rst.txt

.. _kdb5_ldap_util(8):

kdb5_ldap_util
===============

SYNOPSIS
--------

.. _kdb5_ldap_util_synopsis:

**kdb5_ldap_util**
[**-D** *user_dn* [**-w** *passwd*]]
[**-H** *ldapuri*]
**command**
[*command_options*]

.. _kdb5_ldap_util_synopsis_end:

DESCRIPTION
-----------

kdb5_ldap_util allows an administrator to manage realms, Kerberos
services and ticket policies.

COMMAND-LINE OPTIONS
--------------------

.. _kdb5_ldap_util_options:

**-r** *realm*
    Specifies the realm to be operated on.

**-D** *user_dn*
    Specifies the Distinguished Name (DN) of the user who has
    sufficient rights to perform the operation on the LDAP server.

**-w** *passwd*
    Specifies the password of *user_dn*.  This option is not
    recommended.

**-H** *ldapuri*
    Specifies the URI of the LDAP server.

By default, kdb5_ldap_util operates on the default realm (as specified
in :ref:`krb5.conf(5)`) and connects and authenticates to the LDAP
server in the same manner as :ref:`kadmind(8)` would given the
parameters in :ref:`dbdefaults` in :ref:`kdc.conf(5)`.

.. _kdb5_ldap_util_options_end:

COMMANDS
--------

create
~~~~~~

.. _kdb5_ldap_util_create:

**create**
[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m|-P** *password*\|\ **-sf** *stashfilename*]
[**-s**]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]

Creates a realm in the directory.

Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtree.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals of
    a realm will be created.  If the container reference is not
    configured for a realm, the principals will be created in the realm
    container.

**-k** *mkeytype*
    Specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    Specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.

**-M** *mkeyname*
    Specifies the principal name for the master key in the database.
    If not specified, the name is determined by the
    **master_key_name** variable in :ref:`kdc.conf(5)`.

**-m**
    Specifies that the master database password should be read from
    the TTY rather than fetched from a file on the disk.

**-P** *password*
    Specifies the master database password.  This option is not
    recommended.

**-sf** *stashfilename*
    Specifies the stash file of the master database password.

**-s**
    Specifies that the stash file is to be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.
**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of tickets
    for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create -subtrees o=org -sscope SUB
    Password for "cn=admin,o=org":
    Initializing database for realm 'ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:
    Re-enter KDC database master key to verify:

.. _kdb5_ldap_util_create_end:

modify
~~~~~~

.. _kdb5_ldap_util_modify:

**modify**
[**-subtrees** *subtree_dn_list*]
[**-sscope** *search_scope*]
[**-containerref** *container_reference_dn*]
[**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*]
[*ticket_flags*]

Modifies the attributes of a realm.

Options:

**-subtrees** *subtree_dn_list*
    Specifies the list of subtrees containing the principals of a
    realm.  The list contains the DNs of the subtree objects separated
    by colon (``:``).  This list replaces the existing list.

**-sscope** *search_scope*
    Specifies the scope for searching the principals under the
    subtrees.  The possible values are 1 or one (one level), 2 or sub
    (subtrees).

**-containerref** *container_reference_dn*
    Specifies the DN of the container object in which the principals
    of a realm will be created.

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals in this realm.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of tickets
    for principals in this realm.

*ticket_flags*
    Specifies global ticket flags for the realm.  Allowable flags are
    documented in the description of the **add_principal** command in
    :ref:`kadmin(1)`.
Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu modify +requires_preauth
    Password for "cn=admin,o=org":
    shell%

.. _kdb5_ldap_util_modify_end:

view
~~~~

.. _kdb5_ldap_util_view:

**view**

Displays the attributes of a realm.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view
    Password for "cn=admin,o=org":
    Realm Name: ATHENA.MIT.EDU
    Subtree: ou=users,o=org
    Subtree: ou=servers,o=org
    SearchScope: ONE
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_end:

destroy
~~~~~~~

.. _kdb5_ldap_util_destroy:

**destroy** [**-f**]

Destroys an existing realm.

Options:

**-f**
    If specified, will not prompt the user for confirmation.

Example::

    shell% kdb5_ldap_util -r ATHENA.MIT.EDU -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu destroy
    Password for "cn=admin,o=org":
    Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
    (type 'yes' to confirm)? yes
    OK, deleting database of 'ATHENA.MIT.EDU'...
    shell%

.. _kdb5_ldap_util_destroy_end:

list
~~~~

.. _kdb5_ldap_util_list:

**list**

Lists the names of realms under the container.

Example::

    shell% kdb5_ldap_util -D cn=admin,o=org -H
        ldaps://ldap-server1.mit.edu list
    Password for "cn=admin,o=org":
    ATHENA.MIT.EDU
    OPENLDAP.MIT.EDU
    MEDIA-LAB.MIT.EDU
    shell%

.. _kdb5_ldap_util_list_end:

stashsrvpw
~~~~~~~~~~

.. _kdb5_ldap_util_stashsrvpw:

**stashsrvpw** [**-f** *filename*] *name*

Allows an administrator to store the password for the service object
in a file so that the KDC and Administration server can use it to
authenticate to the LDAP server.

Options:

**-f** *filename*
    Specifies the complete path of the service password file.  By
    default, ``/usr/local/var/service_passwd`` is used.

*name*
    Specifies the name of the object whose password is to be stored.
    If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for
    simple binding, this should be the distinguished name it will use
    as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** variable in
    :ref:`kdc.conf(5)`.  If the KDC or kadmind is configured for SASL
    binding, this should be the authentication name it will use as
    given by the **ldap_kdc_sasl_authcid** or
    **ldap_kadmind_sasl_authcid** variable.

Example::

    kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
        cn=service-kdc,o=org
    Password for "cn=service-kdc,o=org":
    Re-enter password for "cn=service-kdc,o=org":

.. _kdb5_ldap_util_stashsrvpw_end:

create_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_create_policy:

**create_policy** [**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*]
*policy_name*

Creates a ticket policy in the directory.

Options:

**-maxtktlife** *max_ticket_life*
    (:ref:`getdate` string) Specifies maximum ticket life for
    principals.

**-maxrenewlife** *max_renewable_ticket_life*
    (:ref:`getdate` string) Specifies maximum renewable life of tickets
    for principals.

*ticket_flags*
    Specifies the ticket flags.  If this option is not specified, by
    default, no restriction will be set by the policy.  Allowable flags
    are documented in the description of the **add_principal** command
    in :ref:`kadmin(1)`.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU create_policy -maxtktlife "1 day"
        -maxrenewlife "1 week" -allow_postdated +needchange
        -allow_forwardable tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_create_policy_end:

modify_policy
~~~~~~~~~~~~~

.. _kdb5_ldap_util_modify_policy:

**modify_policy** [**-maxtktlife** *max_ticket_life*]
[**-maxrenewlife** *max_renewable_ticket_life*] [*ticket_flags*]
*policy_name*

Modifies the attributes of a ticket policy.  Options are the same as
for **create_policy**.
Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU modify_policy -maxtktlife "60 minutes"
        -maxrenewlife "10 hours" +allow_postdated -requires_preauth
        tktpolicy
    Password for "cn=admin,o=org":

.. _kdb5_ldap_util_modify_policy_end:

view_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_view_policy:

**view_policy** *policy_name*

Displays the attributes of the named ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU view_policy tktpolicy
    Password for "cn=admin,o=org":
    Ticket policy: tktpolicy
    Maximum ticket life: 0 days 01:00:00
    Maximum renewable life: 0 days 10:00:00
    Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE

.. _kdb5_ldap_util_view_policy_end:

destroy_policy
~~~~~~~~~~~~~~

.. _kdb5_ldap_util_destroy_policy:

**destroy_policy** [**-force**] *policy_name*

Destroys an existing ticket policy.

Options:

**-force**
    Forces the deletion of the policy object.  If not specified, the
    user will be prompted for confirmation before deleting the policy.

*policy_name*
    Specifies the name of the ticket policy.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU destroy_policy tktpolicy
    Password for "cn=admin,o=org":
    This will delete the policy object 'tktpolicy', are you sure?
    (type 'yes' to confirm)? yes
    ** policy object 'tktpolicy' deleted.

.. _kdb5_ldap_util_destroy_policy_end:

list_policy
~~~~~~~~~~~

.. _kdb5_ldap_util_list_policy:

**list_policy**

Lists ticket policies.

Example::

    kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
        -r ATHENA.MIT.EDU list_policy
    Password for "cn=admin,o=org":
    tktpolicy
    tmppolicy
    userpolicy

.. _kdb5_ldap_util_list_policy_end:

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.
SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`


.. _kpropd(8):

kpropd
======

SYNOPSIS
--------

**kpropd**
[**-r** *realm*]
[**-A** *admin_server*]
[**-a** *acl_file*]
[**-f** *replica_dumpfile*]
[**-F** *principal_database*]
[**-p** *kdb5_util_prog*]
[**-P** *port*]
[**--pid-file**\ =\ *pid_file*]
[**-D**]
[**-d**]
[**-s** *keytab_file*]

DESCRIPTION
-----------

The *kpropd* command runs on the replica KDC server.  It listens for
update requests made by the :ref:`kprop(8)` program.  If incremental
propagation is enabled, it periodically requests incremental updates
from the primary KDC.

When the replica receives a kprop request from the primary, kpropd
accepts the dumped KDC database and places it in a file, and then runs
:ref:`kdb5_util(8)` to load the dumped database into the active
database which is used by :ref:`krb5kdc(8)`.  This allows the primary
Kerberos server to use :ref:`kprop(8)` to propagate its database to
the replica servers.  Upon a successful download of the KDC database
file, the replica Kerberos server will have an up-to-date KDC
database.

Where incremental propagation is not used, kpropd is commonly invoked
out of inetd(8) as a nowait service.  This is done by adding a line to
the ``/etc/inetd.conf`` file which looks like this::

    kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd

kpropd can also run as a standalone daemon, backgrounding itself and
waiting for connections on port 754 (or the port specified with the
**-P** option if given).  Standalone mode is required for incremental
propagation.  Starting in release 1.11, kpropd automatically detects
whether it was run from inetd and runs in standalone mode if it is
not.  Prior to release 1.11, the **-S** option is required to run
kpropd in standalone mode; this option is now accepted for backward
compatibility but does nothing.
Incremental propagation may be enabled with the **iprop_enable**
variable in :ref:`kdc.conf(5)`.  If incremental propagation is
enabled, the replica periodically polls the primary KDC for updates,
at an interval determined by the **iprop_replica_poll** variable.  If
the replica receives updates, kpropd updates its log file with any
updates from the primary.  :ref:`kproplog(8)` can be used to view a
summary of the update entry log on the replica KDC.  If incremental
propagation is enabled, the principal ``kiprop/replicahostname@REALM``
(where *replicahostname* is the name of the replica KDC host, and
*REALM* is the name of the Kerberos realm) must be present in the
replica's keytab file.

:ref:`kproplog(8)` can be used to force full replication when iprop is
enabled.

OPTIONS
--------

**-r** *realm*
    Specifies the realm of the primary server.

**-A** *admin_server*
    Specifies the server to be contacted for incremental updates; by
    default, the primary admin server is contacted.

**-f** *file*
    Specifies the filename where the dumped principal database file is
    to be stored; by default the dumped database file is
    |kdcdir|\ ``/from_master``.

**-F** *kerberos_db*
    Path to the Kerberos database file, if not the default.

**-p**
    Allows the user to specify the pathname to the :ref:`kdb5_util(8)`
    program; by default the pathname used is
    |sbindir|\ ``/kdb5_util``.

**-D**
    In this mode, kpropd will not detach itself from the current job
    and run in the background.  Instead, it will run in the foreground.

**-d**
    Turn on debug mode.  kpropd will print out debugging messages
    during the database propagation and will run in the foreground
    (implies **-D**).

**-P**
    Allow for an alternate port number for kpropd to listen on.  This
    is only useful in combination with the **-S** option.

**-a** *acl_file*
    Allows the user to specify the path to the kpropd.acl file; by
    default the path used is |kdcdir|\ ``/kpropd.acl``.
**--pid-file**\ =\ *pid_file*
    In standalone mode, write the process ID of the daemon into
    *pid_file*.

**-s** *keytab_file*
    Path to a keytab to use for acquiring acceptor credentials.

**-x** *db_args*
    Database-specific arguments.  See :ref:`Database Options ` in
    :ref:`kadmin(1)` for supported arguments.

FILES
-----

kpropd.acl
    Access file for kpropd; the default location is
    ``/usr/local/var/krb5kdc/kpropd.acl``.  Each entry is a line
    containing the principal of a host from which the local machine
    will allow Kerberos database propagation via :ref:`kprop(8)`.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`,
:ref:`kerberos(7)`, inetd(8)


.. _kadmind(8):

kadmind
=======

SYNOPSIS
--------

**kadmind**
[**-x** *db_args*]
[**-r** *realm*]
[**-m**]
[**-nofork**]
[**-proponly**]
[**-port** *port-number*]
[**-P** *pid_file*]
[**-p** *kdb5_util_path*]
[**-K** *kprop_path*]
[**-k** *kprop_port*]
[**-F** *dump_file*]

DESCRIPTION
-----------

kadmind starts the Kerberos administration server.  kadmind typically
runs on the primary Kerberos server, which stores the KDC database.
If the KDC database uses the LDAP module, the administration server
and the KDC server need not run on the same machine.  kadmind accepts
remote requests from programs such as :ref:`kadmin(1)` and
:ref:`kpasswd(1)` to administer the information in these databases.

kadmind requires a number of configuration files to be set up in order
for it to work:

:ref:`kdc.conf(5)`
    The KDC configuration file contains configuration information for
    the KDC and admin servers.  kadmind uses settings in this file to
    locate the Kerberos database, and is also affected by the
    **acl_file**, **dict_file**, **kadmind_port**, and iprop-related
    settings.
:ref:`kadm5.acl(5)`
    kadmind's ACL (access control list) tells it which principals are
    allowed to perform administration actions.  The pathname to the
    ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)`
    variable; by default, it is |kdcdir|\ ``/kadm5.acl``.

After the server begins running, it puts itself in the background and
disassociates itself from its controlling terminal.

kadmind can be configured for incremental database propagation.
Incremental propagation allows replica KDC servers to receive
principal and policy updates incrementally instead of receiving full
dumps of the database.  This facility can be enabled in the
:ref:`kdc.conf(5)` file with the **iprop_enable** option.  Incremental
propagation requires the principal ``kiprop/PRIMARY\@REALM`` (where
PRIMARY is the primary KDC's canonical host name, and REALM the realm
name).  In release 1.13, this principal is automatically created and
registered into the database.

OPTIONS
-------

**-r** *realm*
    specifies the realm that kadmind will serve; if it is not
    specified, the default realm of the host is used.

**-m**
    causes the master database password to be fetched from the
    keyboard (before the server puts itself in the background, if not
    invoked with the **-nofork** option) rather than from a file on
    disk.

**-nofork**
    causes the server to remain in the foreground and remain
    associated to the terminal.

**-proponly**
    causes the server to only listen and respond to Kerberos replica
    incremental propagation polling requests.  This option can be used
    to set up a hierarchical propagation topology where a replica KDC
    provides incremental updates to other Kerberos replicas.

**-port** *port-number*
    specifies the port on which the administration server listens for
    connections.  The default port is determined by the
    **kadmind_port** configuration variable in :ref:`kdc.conf(5)`.

**-P** *pid_file*
    specifies the file to which the PID of kadmind process should be
    written after it starts up.
    This file can be used to identify whether kadmind is still running
    and to allow init scripts to stop the correct process.

**-p** *kdb5_util_path*
    specifies the path to the kdb5_util command to use when dumping the
    KDB in response to full resync requests when iprop is enabled.

**-K** *kprop_path*
    specifies the path to the kprop command to use to send full dumps
    to replicas in response to full resync requests.

**-k** *kprop_port*
    specifies the port by which the kprop process that is spawned by
    kadmind connects to the replica kpropd, in order to transfer the
    dump file during an iprop full resync request.

**-F** *dump_file*
    specifies the file path to be used for dumping the KDB in response
    to full resync requests when iprop is enabled.

**-x** *db_args*
    specifies database-specific arguments.  See
    :ref:`Database Options ` in :ref:`kadmin(1)` for supported
    arguments.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`,
:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)`


.. _kproplog(8):

kproplog
========

SYNOPSIS
--------

**kproplog** [**-h**] [**-e** *num*] [-v]

**kproplog** [-R]

DESCRIPTION
-----------

The kproplog command displays the contents of the KDC database update
log to standard output.  It can be used to keep track of incremental
updates to the principal database.  The update log file contains the
update log maintained by the :ref:`kadmind(8)` process on the primary
KDC server and the :ref:`kpropd(8)` process on the replica KDC
servers.  When updates occur, they are logged to this file.
Subsequently any KDC replica configured for incremental updates will
request the current data from the primary KDC and update their log
file with any updates returned.
The kproplog command requires read access to the update log file.  It
will display update entries only for the KDC it runs on.

If no options are specified, kproplog displays a summary of the update
log.  If invoked on the primary, kproplog also displays all of the
update entries.  If invoked on a replica KDC server, kproplog displays
only a summary of the updates, which includes the serial number of the
last update received and the associated time stamp of the last update.

OPTIONS
-------

**-R**
    Reset the update log.  This forces full resynchronization.  If used
    on a replica then that replica will request a full resync.  If
    used on the primary then all replicas will request full resyncs.

**-h**
    Display a summary of the update log.  This information includes
    the database version number, state of the database, the number of
    updates in the log, the time stamp of the first and last update,
    and the version number of the first and last update entry.

**-e** *num*
    Display the last *num* update entries in the log.  This is useful
    when debugging synchronization between KDC servers.

**-v**
    Display individual attributes per update.  An example of the
    output generated for one entry::

        Update Entry
           Update serial # : 4
           Update operation : Add
           Update principal : test@EXAMPLE.COM
           Update size : 424
           Update committed : True
           Update time stamp : Fri Feb 20 23:37:42 2004
           Attributes changed : 6
                 Principal
                 Key data
                 Password last changed
                 Modifying principal
                 Modification time
                 TL data

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kpropd(8)`, :ref:`kerberos(7)`


Administration programs
=======================

.. toctree::
   :maxdepth: 1

   kadmin_local.rst
   kadmind.rst
   kdb5_util.rst
   kdb5_ldap_util.rst
   krb5kdc.rst
   kprop.rst
   kpropd.rst
   kproplog.rst
   ktutil.rst
   k5srvutil.rst
   sserver.rst


.. _k5srvutil(1):

k5srvutil
=========

SYNOPSIS
--------

**k5srvutil** *operation* [**-i**] [**-f** *filename*] [**-e** *keysalts*]

DESCRIPTION
-----------

k5srvutil allows an administrator to list keys currently in a keytab,
to obtain new keys for a principal currently in a keytab, or to delete
non-current keys from a keytab.

*operation* must be one of the following:

**list**
    Lists the keys in a keytab, showing version number and principal
    name.

**change**
    Uses the kadmin protocol to update the keys in the Kerberos
    database to new randomly-generated keys, and updates the keys in
    the keytab to match.  If a key's version number doesn't match the
    version number stored in the Kerberos server's database, then the
    operation will fail.  If the **-i** flag is given, k5srvutil will
    prompt for confirmation before changing each key.  If the **-k**
    option is given, the old and new keys will be displayed.

    Ordinarily, keys will be generated with the default encryption
    types and key salts.  This can be overridden with the **-e**
    option.

    Old keys are retained in the keytab so that existing tickets
    continue to work, but **delold** should be used after such tickets
    expire, to prevent attacks against the old keys.

**delold**
    Deletes keys that are not the most recent version from the keytab.
    This operation should be used some time after a change operation
    to remove old keys, after existing tickets issued for the service
    have expired.  If the **-i** flag is given, then k5srvutil will
    prompt for confirmation for each principal.

**delete**
    Deletes particular keys in the keytab, interactively prompting for
    each key.
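The kproplog page above shows the per-entry layout that ``kproplog -v`` prints. As an added example (not part of the krb5 documentation or code), the following Python parses that layout from a constructed sample and flags entries an operator reviewing replication would want to look at: uncommitted entries, serial-number gaps, deletions, and key changes on principals matching an assumed, site-specific list of sensitive prefixes.

```python
"""Parse and review `kproplog -v` update entries (added example)."""
import re
from datetime import datetime

# Constructed sample of `kproplog -v` output, following the entry format
# documented for kproplog(8).  Principals and values are made up; the
# third entry is deliberately uncommitted to exercise the review logic.
SAMPLE_KPROPLOG = """\
Update Entry
   Update serial # : 4
   Update operation : Add
   Update principal : test@EXAMPLE.COM
   Update size : 424
   Update committed : True
   Update time stamp : Fri Feb 20 23:37:42 2004
   Attributes changed : 6
         Principal
         Key data
         Password last changed
         Modifying principal
         Modification time
         TL data
Update Entry
   Update serial # : 5
   Update operation : Add
   Update principal : krbtgt/EXAMPLE.COM@EXAMPLE.COM
   Update size : 512
   Update committed : True
   Update time stamp : Fri Feb 20 23:40:10 2004
   Attributes changed : 3
         Key data
         Modifying principal
         Modification time
Update Entry
   Update serial # : 6
   Update operation : Delete
   Update principal : old-svc/host.example.com@EXAMPLE.COM
   Update size : 64
   Update committed : False
   Update time stamp : Fri Feb 20 23:41:00 2004
   Attributes changed : 0
"""

# Map the labels kproplog prints to the field names used below.
FIELDS = {
    "Update serial #": "serial",
    "Update operation": "operation",
    "Update principal": "principal",
    "Update size": "size",
    "Update committed": "committed",
    "Update time stamp": "timestamp",
    "Attributes changed": "attr_count",
}
FIELD_RE = re.compile(r"^(" + "|".join(re.escape(k) for k in FIELDS)
                      + r")\s*:\s*(.*)$")
TIME_FMT = "%a %b %d %H:%M:%S %Y"  # ctime(3) layout used in the sample

# Assumed, site-specific list of principal prefixes whose key changes an
# operator would normally want to review; extend as needed.
SENSITIVE_PREFIXES = ("krbtgt/", "kadmin/", "K/M@")


def parse_kproplog(text):
    """Return a list of dicts, one per 'Update Entry' block."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Update Entry":
            current = {"attributes": []}
            entries.append(current)
            continue
        if current is None:
            continue  # summary lines before the first entry are skipped
        m = FIELD_RE.match(line)
        if m is None:
            current["attributes"].append(line)  # indented attribute name
            continue
        name, value = FIELDS[m.group(1)], m.group(2).strip()
        if name in ("serial", "size", "attr_count"):
            current[name] = int(value)
        elif name == "committed":
            current[name] = value == "True"
        elif name == "timestamp":
            current[name] = (None if value == "None"
                             else datetime.strptime(value, TIME_FMT))
        else:
            current[name] = value
    return entries


def review_entries(entries, sensitive_prefixes=SENSITIVE_PREFIXES):
    """Return (serial, reason) findings an operator should look at."""
    findings, prev_serial = [], None
    for e in entries:
        serial = e.get("serial")
        if prev_serial is not None and serial != prev_serial + 1:
            findings.append((serial, "serial gap after %d" % prev_serial))
        prev_serial = serial
        if not e.get("committed", False):
            findings.append((serial, "uncommitted update"))
        if e.get("attr_count", 0) != len(e["attributes"]):
            findings.append((serial, "attribute count mismatch"))
        if e.get("operation") == "Delete":
            findings.append((serial, "principal deleted"))
        elif ("Key data" in e["attributes"]
              and e.get("principal", "").startswith(sensitive_prefixes)):
            findings.append((serial, "key change on sensitive principal"))
    return findings


if __name__ == "__main__":
    for serial, reason in review_entries(parse_kproplog(SAMPLE_KPROPLOG)):
        print("update %d: %s" % (serial, reason))
```

On a real KDC, feed it the output of ``kproplog -v`` (or ``kproplog -e num -v``) instead of the constructed sample.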
In all cases, the default keytab is used unless this is overridden by
the **-f** option.

k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in
place.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)`


.. _ktutil(1):

ktutil
======

SYNOPSIS
--------

**ktutil**

DESCRIPTION
-----------

The ktutil command invokes a command interface from which an
administrator can read, write, or edit entries in a keytab.  (Kerberos
V4 srvtab files are no longer supported.)

COMMANDS
--------

list
~~~~

**list** [**-t**] [**-k**] [**-e**]

Displays the current keylist.  If **-t**, **-k**, and/or **-e** are
specified, also display the timestamp, key contents, or enctype
(respectively).

Alias: **l**

read_kt
~~~~~~~

**read_kt** *keytab*

Read the Kerberos V5 keytab file *keytab* into the current keylist.

Alias: **rkt**

write_kt
~~~~~~~~

**write_kt** *keytab*

Write the current keylist into the Kerberos V5 keytab file *keytab*.

Alias: **wkt**

clear_list
~~~~~~~~~~

**clear_list**

Clear the current keylist.

Alias: **clear**

delete_entry
~~~~~~~~~~~~

**delete_entry** *slot*

Delete the entry in slot number *slot* from the current keylist.

Alias: **delent**

add_entry
~~~~~~~~~

**add_entry** {**-key**\|\ **-password**} **-p** *principal*
**-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*]

Add *principal* to keylist using key or password.  If the **-f** flag
is specified, salt information will be fetched from the KDC; in this
case the **-e** flag may be omitted, or it may be supplied to force a
particular enctype.  If the **-f** flag is not specified, the **-e**
flag must be specified, and the default salt will be used unless
overridden with the **-s** option.
Alias: **addent**

list_requests
~~~~~~~~~~~~~

**list_requests**

Displays a listing of available commands.

Aliases: **lr**, **?**

quit
~~~~

**quit**

Quits ktutil.

Aliases: **exit**, **q**

EXAMPLE
-------

::

    ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
    Password for alice@BLEEP.COM:
    ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e aes256-cts-hmac-sha1-96
    Password for alice@BLEEP.COM:
    ktutil:  write_kt keytab
    ktutil:

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)`


.. _sserver(8):

sserver
=======

SYNOPSIS
--------

**sserver** [ **-p** *port* ] [ **-S** *keytab* ] [ *server_port* ]

DESCRIPTION
-----------

sserver and :ref:`sclient(1)` are a simple demonstration client/server
application.  When sclient connects to sserver, it performs a Kerberos
authentication, and then sserver returns to sclient the Kerberos
principal which was used for the Kerberos authentication.  It makes a
good test that Kerberos has been successfully installed on a machine.

The service name used by sserver and sclient is sample.  Hence, sserver
will require that there be a keytab entry for the service
``sample/hostname.domain.name@REALM.NAME``.  This keytab is generated
using the :ref:`kadmin(1)` program.  The keytab file is usually
installed as |keytab|.

The **-S** option allows for a different keytab than the default.
sserver is normally invoked out of inetd(8), using a line in
``/etc/inetd.conf`` that looks like this::

    sample  stream  tcp  nowait  root  /usr/local/sbin/sserver  sserver

Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
like this::

    sample  13135/tcp

When using sclient, you will first have to have an entry in the
Kerberos database, by using :ref:`kadmin(1)`, and then you have to get
Kerberos tickets, by using :ref:`kinit(1)`.  Also, if you are running
the sclient program on a different host than the sserver it will be
connecting to, be sure that both hosts have an entry in /etc/services
for the sample tcp port, and that the same port number is in both
files.

When you run sclient you should see something like this::

    sendauth succeeded, reply is:
    reply len 32, contents:
    You are nlgilman@JIMI.MIT.EDU

COMMON ERROR MESSAGES
---------------------

1) kinit returns the error::

       kinit: Client not found in Kerberos database while getting
           initial credentials

   This means that you didn't create an entry for your username in the
   Kerberos database.

2) sclient returns the error::

       unknown service sample/tcp; check /etc/services

   This means that you don't have an entry in /etc/services for the
   sample tcp port.

3) sclient returns the error::

       connect: Connection refused

   This probably means you didn't edit /etc/inetd.conf correctly, or
   you didn't restart inetd after editing inetd.conf.

4) sclient returns the error::

       sclient: Server not found in Kerberos database while using
           sendauth

   This means that the ``sample/hostname@LOCAL.REALM`` service was not
   defined in the Kerberos database; it should be created using
   :ref:`kadmin(1)`, and a keytab file needs to be generated to make
   the key for that service principal available for sclient.

5) sclient returns the error::

       sendauth rejected, error reply is: "No such file or directory"

   This probably means sserver couldn't find the keytab file.
   It was probably not installed in the proper directory.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.

SEE ALSO
--------

:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8)


.. _kdb5_util(8):

kdb5_util
=========

SYNOPSIS
--------

.. _kdb5_util_synopsis:

**kdb5_util**
[**-r** *realm*]
[**-d** *dbname*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m**]
[**-sf** *stashfilename*]
[**-P** *password*]
[**-x** *db_args*]
*command* [*command_options*]

.. _kdb5_util_synopsis_end:

DESCRIPTION
-----------

kdb5_util allows an administrator to perform maintenance procedures on
the KDC database.  Databases can be created, destroyed, and dumped to
or loaded from ASCII files.  kdb5_util can create a Kerberos master
key stash file or perform live rollover of the master key.

When kdb5_util is run, it attempts to acquire the master key and open
the database.  However, execution continues regardless of whether or
not kdb5_util successfully opens the database, because the database
may not exist yet or the stash file may be corrupt.

Note that some KDC database modules may not support all kdb5_util
commands.

COMMAND-LINE OPTIONS
--------------------

.. _kdb5_util_options:

**-r** *realm*
    specifies the Kerberos realm of the database.

**-d** *dbname*
    specifies the name under which the principal database is stored;
    by default the database is that listed in :ref:`kdc.conf(5)`.  The
    password policy database and lock files are also derived from this
    value.

**-k** *mkeytype*
    specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    Specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.
**-M** *mkeyname*
    principal name for the master key in the database.  If not
    specified, the name is determined by the **master_key_name**
    variable in :ref:`kdc.conf(5)`.

**-m**
    specifies that the master database password should be read from
    the keyboard rather than fetched from a file on disk.

**-sf** *stash_file*
    specifies the stash filename of the master database password.  If
    not specified, the filename is determined by the
    **key_stash_file** variable in :ref:`kdc.conf(5)`.

**-P** *password*
    specifies the master database password.  Using this option may
    expose the password to other users on the system via the process
    list.

**-x** *db_args*
    specifies database-specific options.  See :ref:`kadmin(1)` for
    supported options.

.. _kdb5_util_options_end:

COMMANDS
--------

create
~~~~~~

.. _kdb5_util_create:

**create** [**-s**]

Creates a new database.  If the **-s** option is specified, the stash
file is also created.  This command fails if the database already
exists.  If the command is successful, the database is opened just as
if it had already existed when the program was first run.

.. _kdb5_util_create_end:

destroy
~~~~~~~

.. _kdb5_util_destroy:

**destroy** [**-f**]

Destroys the database, first overwriting the disk sectors and then
unlinking the files, after prompting the user for confirmation.  With
the **-f** argument, does not prompt the user.

.. _kdb5_util_destroy_end:

stash
~~~~~

.. _kdb5_util_stash:

**stash** [**-f** *keyfile*]

Stores the master principal's keys in a stash file.  The **-f**
argument can be used to override the *keyfile* specified in
:ref:`kdc.conf(5)`.

.. _kdb5_util_stash_end:

dump
~~~~

.. _kdb5_util_dump:

**dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**]
[**-mkey_convert**]
[**-new_mkey_file** *mkey_file*]
[**-rev**]
[**-recurse**]
[*filename* [*principals*...]]

Dumps the current Kerberos and KADM5 database into an ASCII file.  By
default, the database is dumped in current format, "kdb5_util
load_dump version 7".
If filename is not specified, or is the string "-", the dump is sent
to standard output.

Options:

**-b7**
    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
    load_dump version 4").  This was the dump format produced on
    releases prior to 1.2.2.

**-r13**
    causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5").  This was the dump format produced on
    releases prior to 1.8.

**-r18**
    causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6").  This was the dump format produced on
    releases prior to 1.11.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is dumped.

**-mkey_convert**
    prompts for a new master key.  This new master key will be used to
    re-encrypt principal key data in the dumpfile.  The principal keys
    themselves will not be changed.

**-new_mkey_file** *mkey_file*
    the filename of a stash file.  The master key in this stash file
    will be used to re-encrypt the key data in the dumpfile.  The key
    data in the database will not be changed.

**-rev**
    dumps in reverse order.  This may recover principals that do not
    dump normally, in cases where database corruption has occurred.

**-recurse**
    causes the dump to walk the database recursively (btree only).
    This may recover principals that do not dump normally, in cases
    where database corruption has occurred.  In cases of such
    corruption, this option will probably retrieve more principals
    than the **-rev** option will.

    .. versionchanged:: 1.15
        Release 1.15 restored the functionality of the **-recurse**
        option.

    .. versionchanged:: 1.5
        The **-recurse** option ceased working until release 1.15,
        doing a normal dump instead of a recursive traversal.

.. _kdb5_util_dump_end:

load
~~~~

.. _kdb5_util_load:

**load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*

Loads a database dump from the named file into the named database.
If no option is given to determine the format of the dump file, the format is detected automatically and handled as appropriate.  Unless the **-update** option is given, **load** creates a new database containing only the data in the dump file, overwriting the contents of any previously existing database.  Note that when using the LDAP KDC database module, the **-update** flag is required.

Options:

**-b7**
    requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4").  This was the dump format produced on releases prior to 1.2.2.

**-r13**
    requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5").  This was the dump format produced on releases prior to 1.8.

**-r18**
    requires the database to be in Kerberos 5 1.8 format ("kdb5_util load_dump version 6").  This was the dump format produced on releases prior to 1.11.

**-hash**
    stores the database in hash format, if using the DB2 database type.  If this option is not specified, the database will be stored in btree format.  This option is not recommended, as databases stored in hash format are known to corrupt data and lose principals.

**-verbose**
    causes the name of each principal and policy to be printed as it is dumped.

**-update**
    records from the dump file are added to or updated in the existing database.  Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion.

.. _kdb5_util_load_end:

ark
~~~

**ark** [**-e** *enc*:*salt*,...] *principal*

Adds new random keys to *principal* at the next available key version number.  Keys for the current highest key version number will be preserved.  The **-e** option specifies the list of encryption and salt types to be used for the new keys.

add_mkey
~~~~~~~~

**add_mkey** [**-e** *etype*] [**-s**]

Adds a new master key to the master key principal, but does not mark it as active.  Existing master keys will remain.
The **-e** option specifies the encryption type of the new master key; see :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible values.  The **-s** option stashes the new master key in the stash file, which will be created if it doesn't already exist.

After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of :ref:`kprop(8)`.  Then, the stash files on the replica servers should be updated with the kdb5_util **stash** command.  Once those steps are complete, the key is ready to be marked active with the kdb5_util **use_mkey** command.

use_mkey
~~~~~~~~

**use_mkey** *mkeyVNO* [*time*]

Sets the activation time of the master key specified by *mkeyVNO*.  Once a master key becomes active, it will be used to encrypt newly created principal keys.  If no *time* argument is given, the current time is used, causing the specified master key version to become active immediately.  The format for *time* is a :ref:`getdate` string.

After a new master key becomes active, the kdb5_util **update_princ_encryption** command can be used to update all principal keys to be encrypted in the new master key.

list_mkeys
~~~~~~~~~~

**list_mkeys**

List all master keys, from most recent to earliest, in the master key principal.  The output will show the kvno, enctype, and salt type for each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**.  A ``*`` following an mkey denotes the currently active master key.

purge_mkeys
~~~~~~~~~~~

**purge_mkeys** [**-f**] [**-n**] [**-v**]

Delete master keys from the master key principal that are not used to protect any principals.  This command can be used to remove old master keys once all principal keys are protected by a newer master key.

**-f**
    does not prompt for confirmation.

**-n**
    performs a dry run, showing master keys that would be purged, but not actually purging any keys.

**-v**
    gives more verbose output.
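The master key rollover above (add_mkey, use_mkey, then update_princ_encryption and finally purge_mkeys) can be checked from a ``tabdump princ_meta`` dump, since its **mkvno** column records which master key protects each principal.  The following script is an added example, not part of the kdb5_util documentation or of krb5; it assumes the dump was taken with **-n** (numeric timestamps) and uses constructed sample data for a made-up realm.

```python
import csv
import fnmatch
import io

# Constructed sample of "kdb5_util tabdump -n princ_meta" output, built from the
# princ_meta field list (name, modby, modtime, lastpwd, policy, mkvno, hist_kvno);
# -n is assumed, so timestamps are POSIX seconds.  Realm and principals are made up.
# An empty policy field is written here as an empty column (an assumption).
SAMPLE_PRINC_META = """\
name\tmodby\tmodtime\tlastpwd\tpolicy\tmkvno\thist_kvno
krbtgt/EXAMPLE.COM@EXAMPLE.COM\troot/admin@EXAMPLE.COM\t1355347879\t1355347879\t\t2\t1
kadmin/admin@EXAMPLE.COM\troot/admin@EXAMPLE.COM\t1355347879\t1355347879\t\t2\t1
alice@EXAMPLE.COM\talice@EXAMPLE.COM\t1349888639\t1349888639\tdefault\t1\t1
host/web.example.com@EXAMPLE.COM\troot/admin@EXAMPLE.COM\t1349888639\t1349888639\t\t1\t1
"""


def parse_tabdump(text):
    """Parse tabdump's default tab-separated output (header line first) into dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))


def principals_needing_update(rows, active_mkvno, pattern="*"):
    """Principals whose key data is still encrypted under a master key other
    than the active one: exactly the set update_princ_encryption [princ-pattern]
    would rewrite.  The pattern uses glob matching, like the princ-pattern argument."""
    return [
        row["name"]
        for row in rows
        if fnmatch.fnmatchcase(row["name"], pattern) and int(row["mkvno"]) != active_mkvno
    ]


def apply_update(rows, active_mkvno, pattern="*"):
    """Simulate update_princ_encryption: return the rewritten rows and the count
    of principals updated (the number the real command reports at the end)."""
    updated = 0
    new_rows = []
    for row in rows:
        row = dict(row)
        if fnmatch.fnmatchcase(row["name"], pattern) and int(row["mkvno"]) != active_mkvno:
            row["mkvno"] = str(active_mkvno)
            updated += 1
        new_rows.append(row)
    return new_rows, updated


def purgeable_mkvnos(rows, known_mkvnos, active_mkvno):
    """Master key versions (as listed by list_mkeys) that no principal's key data
    still references: the ones purge_mkeys would delete.  The active key is never
    a candidate, even if no principal happens to be protected by it yet."""
    in_use = {int(row["mkvno"]) for row in rows}
    return sorted(set(known_mkvnos) - in_use - {active_mkvno})


def rollover_report(rows, known_mkvnos, active_mkvno):
    """Summary an administrator can check before running purge_mkeys."""
    return {
        "needs_update": principals_needing_update(rows, active_mkvno),
        "unknown_mkvno": [r["name"] for r in rows if int(r["mkvno"]) not in known_mkvnos],
        "purgeable": purgeable_mkvnos(rows, known_mkvnos, active_mkvno),
    }


if __name__ == "__main__":
    rows = parse_tabdump(SAMPLE_PRINC_META)
    print("before:", rollover_report(rows, known_mkvnos=[1, 2], active_mkvno=2))
    rows, count = apply_update(rows, active_mkvno=2)
    print(f"update_princ_encryption would update {count} principals")
    print("after: ", rollover_report(rows, known_mkvnos=[1, 2], active_mkvno=2))
```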
update_princ_encryption
~~~~~~~~~~~~~~~~~~~~~~~

**update_princ_encryption** [**-f**] [**-n**] [**-v**] [*princ-pattern*]

Update all principal records (or only those matching the *princ-pattern* glob pattern) to re-encrypt the key data using the active database master key, if they are encrypted using a different version, and give a count at the end of the number of principals updated.  If the **-f** option is not given, ask for confirmation before starting to make changes.  The **-v** option causes each principal processed to be listed, with an indication as to whether it needed updating or not.  The **-n** option performs a dry run, only showing the actions which would have been taken.

tabdump
~~~~~~~

**tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] *dumptype*

Dump selected fields of the database in a tabular format suitable for reporting (e.g., using traditional Unix text processing tools) or importing into relational databases.  The data format is tab-separated (default), or optionally comma-separated (CSV), with a fixed number of columns.  The output begins with a header line containing field names, unless suppression is requested using the **-H** option.

The *dumptype* parameter specifies the name of an output table (see below).

Options:

**-H**
    suppress writing the field names in a header line

**-c**
    use comma separated values (CSV) format, with minimal quoting, instead of the default tab-separated (unquoted, unescaped) format

**-e**
    write empty hexadecimal string fields as empty fields instead of as "-1".

**-n**
    produce numeric output for fields that normally have symbolic output, such as enctypes and flag names.  Also requests output of time stamps as decimal POSIX time_t values.

**-o** *outfile*
    write the dump to the specified output file instead of to standard output

Dump types:

**keydata**
    principal encryption key information, including actual key data (which is still encrypted in the master key)

    **name**
        principal name
    **keyindex**
        index of this key in the principal's key list
    **kvno**
        key version number
    **enctype**
        encryption type
    **key**
        key data as a hexadecimal string
    **salttype**
        salt type
    **salt**
        salt data as a hexadecimal string

**keyinfo**
    principal encryption key information (as in **keydata** above), excluding actual key data

**princ_flags**
    principal boolean attributes.  Flag names print as hexadecimal numbers if the **-n** option is specified, and all flag positions are printed regardless of whether or not they are set.  If **-n** is not specified, print all known flag names for each principal, but only print hexadecimal flag names if the corresponding flag is set.

    **name**
        principal name
    **flag**
        flag name
    **value**
        boolean value (0 for clear, or 1 for set)

**princ_lockout**
    state information used for tracking repeated password failures

    **name**
        principal name
    **last_success**
        time stamp of most recent successful authentication
    **last_failed**
        time stamp of most recent failed authentication
    **fail_count**
        count of failed attempts

**princ_meta**
    principal metadata

    **name**
        principal name
    **modby**
        name of last principal to modify this principal
    **modtime**
        timestamp of last modification
    **lastpwd**
        timestamp of last password change
    **policy**
        policy object name
    **mkvno**
        key version number of the master key that encrypts this principal's key data
    **hist_kvno**
        key version number of the history key that encrypts the key history data for this principal

**princ_stringattrs**
    string attributes (key/value pairs)

    **name**
        principal name
    **key**
        attribute name
    **value**
        attribute value

**princ_tktpolicy**
    per-principal ticket policy data, including maximum ticket lifetimes

    **name**
        principal name
    **expiration**
        principal expiration date
    **pw_expiration**
        password expiration date
    **max_life**
        maximum ticket lifetime
    **max_renew_life**
        maximum renewable ticket lifetime

Examples::

    $ kdb5_util tabdump -o keyinfo.txt keyinfo
    $ cat keyinfo.txt
    name        keyindex  kvno  enctype                     salttype  salt
    K/M@EXAMPLE.COM   0   1   aes256-cts-hmac-sha384-192  normal  -1
    foo@EXAMPLE.COM   0   1   aes128-cts-hmac-sha1-96     normal  -1
    bar@EXAMPLE.COM   0   1   aes128-cts-hmac-sha1-96     normal  -1
    $ sqlite3
    sqlite> .mode tabs
    sqlite> .import keyinfo.txt keyinfo
    sqlite> select * from keyinfo where enctype like 'aes256-%';
    K/M@EXAMPLE.COM   1   1   aes256-cts-hmac-sha384-192  normal  -1
    sqlite> .quit
    $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
    K/M@EXAMPLE.COM   1   1   aes256-cts-hmac-sha384-192  normal  -1

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment variables.

SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`

.. _krb5kdc(8):

krb5kdc
=======

SYNOPSIS
--------

**krb5kdc**
[**-x** *db_args*]
[**-d** *dbname*]
[**-k** *keytype*]
[**-M** *mkeyname*]
[**-p** *portnum*]
[**-m**]
[**-r** *realm*]
[**-n**]
[**-w** *numworkers*]
[**-P** *pid_file*]
[**-T** *time_offset*]

DESCRIPTION
-----------

krb5kdc is the Kerberos version 5 Authentication Service and Key Distribution Center (AS/KDC).

OPTIONS
-------

The **-r** *realm* option specifies the realm for which the server should provide service.  This option may be specified multiple times to serve multiple realms.  If no **-r** option is given, the default realm (as specified in :ref:`krb5.conf(5)`) will be served.

The **-d** *dbname* option specifies the name under which the principal database can be found.  This option does not apply to the LDAP database.

The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given; the default is |defmkey|.
The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually ``K/M`` in the KDC's realm).

The **-m** option specifies that the master database password should be fetched from the keyboard rather than from a stash file.

The **-n** option specifies that the KDC does not put itself in the background and does not disassociate itself from the terminal.

The **-P** *pid_file* option tells the KDC to write its PID into *pid_file* after it starts up.  This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process.

The **-p** *portnum* option specifies the default UDP and TCP port numbers which the KDC should listen on for Kerberos version 5 requests, as a comma-separated list.  This value overrides the port numbers specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but may be overridden by realm-specific values.  If no value is given from any source, the default port is 88.

The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel.  The top level KDC process (whose pid is recorded in the pid file if the **-P** option is also given) acts as a supervisor.  The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocesses if it is itself terminated or if any other worker process exits.

The **-x** *db_args* option specifies database-specific arguments.  See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments.

The **-T** *offset* option specifies a time offset, in seconds, which the KDC will operate under.  It is intended only for testing purposes.

EXAMPLE
-------

The KDC may service requests for multiple realms (maximum 32 realms).  The realms are listed on the command line.  Per-realm options that can be specified on the command line pertain for each realm that follows it and are superseded by subsequent definitions of the same option.
For example::

    krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3

specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3.

Additionally, per-realm parameters may be specified in the :ref:`kdc.conf(5)` file.  The location of this file may be specified by the **KRB5_KDC_PROFILE** environment variable.  Per-realm parameters specified in this file take precedence over options specified on the command line.  See the :ref:`kdc.conf(5)` description for further details.

ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment variables.

SEE ALSO
--------

:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, :ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)`

For administrators
==================

.. toctree::
   :maxdepth: 1

   install.rst
   conf_files/index.rst
   realm_config.rst
   database.rst
   dbtypes.rst
   lockout.rst
   conf_ldap.rst
   appl_servers.rst
   host_config.rst
   backup_host.rst
   pkinit.rst
   otp.rst
   spake.rst
   dictionary.rst
   princ_dns.rst
   enctypes.rst
   https.rst
   auth_indicator.rst

.. toctree::
   :maxdepth: 1

   admin_commands/index.rst
   ../mitK5defaults.rst
   env_variables.rst
   troubleshoot.rst
   advanced/index.rst
   various_envs.rst

Application servers
===================

If you need to install the Kerberos V5 programs on an application server, please refer to the Kerberos V5 Installation Guide.  Once you have installed the software, you need to add that host to the Kerberos database (see :ref:`add_mod_del_princs`), and generate a keytab for that host, that contains the host's key.  You also need to make sure the host's clock is within your maximum clock skew of the KDCs.

Keytabs
-------

A keytab is a host's copy of its own keylist, which is analogous to a user's password.  An application server that needs to authenticate itself to the KDC has to have a keytab that contains its own principal and key.  Just as it is important for users to protect their passwords, it is equally important for hosts to protect their keytabs.  You should always store keytab files on local disk, and make them readable only by root, and you should never send a keytab file over a network in the clear.  Ideally, you should run the :ref:`kadmin(1)` command to extract a keytab on the host on which the keytab is to reside.

.. _add_princ_kt:

Adding principals to keytabs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To generate a keytab, or to add a principal to an existing keytab, use the **ktadd** command from kadmin.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _ktadd:
   :end-before: _ktadd_end:

Examples
########

Here is a sample session, using configuration files that enable only AES encryption::

    kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
    Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
    Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
    kadmin:

Removing principals from keytabs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To remove a principal from an existing keytab, use the kadmin **ktremove** command.

.. include:: admin_commands/kadmin_local.rst
   :start-after: _ktremove:
   :end-before: _ktremove_end:

Using a keytab to acquire client credentials
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

While keytabs are ordinarily used to accept credentials from clients, they can also be used to acquire initial credentials, allowing one service to authenticate to another.

To manually obtain credentials using a keytab, use the :ref:`kinit(1)` **-k** option, together with the **-t** option if the keytab is not in the default location.
Beginning with release 1.11, GSSAPI applications can be configured to automatically obtain initial credentials from a keytab as needed.  The recommended configuration is as follows:

#. Create a keytab containing a single entry for the desired client identity.

#. Place the keytab in a location readable by the service, and set the **KRB5_CLIENT_KTNAME** environment variable to its filename.  Alternatively, use the **default_client_keytab_name** profile variable in :ref:`libdefaults`, or use the default location of |ckeytab|.

#. Set **KRB5CCNAME** to a filename writable by the service, which will not be used for any other purpose.  Do not manually obtain credentials at this location.  (Another credential cache type besides **FILE** can be used if desired, as long as the cache will not conflict with another use.  A **MEMORY** cache can be used if the service runs as a long-lived process.  See :ref:`ccache_definition` for details.)

#. Start the service.  When it authenticates using GSSAPI, it will automatically obtain credentials from the client keytab into the specified credential cache, and refresh them before they expire.

Clock Skew
----------

A Kerberos application server host must keep its clock synchronized or it will reject authentication requests from clients.  Modern operating systems typically provide a facility to maintain the correct time; make sure it is enabled.  This is especially important on virtual machines, where clocks tend to drift more rapidly than normal machine clocks.

The default allowable clock skew is controlled by the **clockskew** variable in :ref:`libdefaults`.

Getting DNS information correct
-------------------------------

Several aspects of Kerberos rely on name service.  When a hostname is used to name a service, clients may canonicalize the hostname using forward and possibly reverse name resolution.  The result of this canonicalization must match the principal entry in the host's keytab, or authentication will fail.
To work with all client canonicalization configurations, each host's canonical name must be the fully-qualified host name (including the domain), and each host's IP address must reverse-resolve to the canonical name.

Configuration of hostnames varies by operating system.  On the application server itself, canonicalization will typically use the ``/etc/hosts`` file rather than the DNS.  Ensure that the line for the server's hostname is in the following form::

    IP address      fully-qualified hostname        aliases

Here is a sample ``/etc/hosts`` file::

    # this is a comment
    127.0.0.1       localhost localhost.mit.edu
    10.0.0.6        daffodil.mit.edu daffodil trillium wake-robin

The output of ``klist -k`` for this example host should look like::

    viola# klist -k
    Keytab name: /etc/krb5.keytab
    KVNO Principal
    ---- ------------------------------------------------------------
       2 host/daffodil.mit.edu@ATHENA.MIT.EDU

If you were to ssh to this host with a fresh credentials cache (ticket file), and then :ref:`klist(1)`, the output should list a service principal of ``host/daffodil.mit.edu@ATHENA.MIT.EDU``.

.. _conf_firewall:

Configuring your firewall to work with Kerberos V5
--------------------------------------------------

If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC.  This requires either that you have a replica KDC outside your firewall, or that you configure your firewall to allow UDP requests into at least one of your KDCs, on whichever port the KDC is running.  (The default is port 88; other ports may be specified in the KDC's :ref:`kdc.conf(5)` file.)  Similarly, if you need off-site users to be able to change their passwords in your realm, they must be able to get to your Kerberos admin server on the kpasswd port (which defaults to 464).  If you need off-site users to be able to administer your Kerberos realm, they must be able to get to your Kerberos admin server on the administrative port (which defaults to 749).
If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow outgoing TCP and UDP requests to port 88, and to port 464 to allow password changes.  If your on-site users inside your firewall will need to get to Kerberos admin servers in other realms, you will also need to allow outgoing TCP and UDP requests to port 749.

If any of your KDCs are outside your firewall, you will need to allow kprop requests to get through to the remote KDC.  :ref:`kprop(8)` uses the ``krb5_prop`` service on port 754 (tcp).

The book *UNIX System Security*, by David Curry, is a good starting point for learning to configure firewalls.

Advanced topics
===============

.. toctree::
   :maxdepth: 1

   retiring-des.rst

.. _retiring-des:

Retiring DES
============

Version 5 of the Kerberos protocol was originally implemented using the Data Encryption Standard (DES) as a block cipher for encryption.  While it was considered secure at the time, advancements in computational ability have rendered DES vulnerable to brute force attacks on its 56-bit keyspace.  As such, it is now considered insecure and should not be used (:rfc:`6649`).

History
-------

DES was used in the original Kerberos implementation, and was the only cryptosystem in krb5 1.0.  Partial support for triple-DES (3DES) was added in version 1.1, with full support following in version 1.2.  The Advanced Encryption Standard (AES), which supersedes DES, gained partial support in version 1.3.0 of krb5 and full support in version 1.3.2.
However, deployments of krb5 using Kerberos databases created with older versions of krb5 will not necessarily start using strong crypto for ordinary operation without administrator intervention.  MIT krb5 began flagging deprecated encryption types with release 1.17, and removed DES (single-DES) support in release 1.18.  As a consequence, a release prior to 1.18 is required to perform these migrations.

Types of keys
-------------

* The database master key: This key is not exposed to user requests, but is used to encrypt other key material stored in the kerberos database.  The database master key is currently stored as ``K/M`` by default.

* Password-derived keys: User principals frequently have keys derived from a password.  When a new password is set, the KDC uses various string2key functions to generate keys in the database for that principal.

* Keytab keys: Application server principals generally use random keys which are not derived from a password.  When the database entry is created, the KDC generates random keys of various enctypes to enter in the database, which are conveyed to the application server and stored in a keytab.

* Session keys: These are short-term keys generated by the KDC while processing client requests, with an enctype selected by the KDC.

For details on the various enctypes and how enctypes are selected by the KDC for session keys and client/server long-term keys, see :ref:`enctypes`.  When using the :ref:`kadmin(1)` interface to generate new long-term keys, the **-e** argument can be used to force a particular set of enctypes, overriding the KDC default values.

.. note::

    When the KDC is selecting a session key, it has no knowledge about the kerberos installation on the server which will receive the service ticket, only what keys are in the database for the service principal.  In order to allow uninterrupted operation to clients while migrating away from DES, care must be taken to ensure that kerberos installations on application server machines are configured to support newer encryption types before keys of those new encryption types are created in the Kerberos database for those server principals.

Upgrade procedure
-----------------

This procedure assumes that the KDC software has already been upgraded to a modern version of krb5 that supports non-DES keys, so that the only remaining task is to update the actual keys used to service requests.

The realm used for demonstrating this procedure, ZONE.MIT.EDU, is an example of the worst-case scenario, where all keys in the realm are DES.  The realm was initially created with a very old version of krb5, and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value appropriate when the KDC was installed, but was not updated as the KDC was upgraded:

::

    [realms]
        ZONE.MIT.EDU = {
            [...]
            master_key_type = des-cbc-crc
            supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
        }

This resulted in the keys for all principals in the realm being forced to DES-only, unless specifically requested using :ref:`kadmin(1)`.

Before starting the upgrade, all KDCs were running krb5 1.11, and the database entries for some "high-value" principals were:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
    [...]
    Number of keys: 1
    Key: vno 1, des-cbc-crc:v4
    [...]
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'
    [...]
    Number of keys: 1
    Key: vno 15, des-cbc-crc
    [...]
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'
    [...]
    Number of keys: 1
    Key: vno 14, des-cbc-crc
    [...]

The ``krbtgt/REALM`` key appears to have never been changed since creation (its kvno is 1), and all three database entries have only a des-cbc-crc key.
The krbtgt key and KDC keys
~~~~~~~~~~~~~~~~~~~~~~~~~~~

Perhaps the biggest single-step improvement in the security of the cell is gained by strengthening the key of the ticket-granting service principal, ``krbtgt/REALM``---if this principal's key is compromised, so is the entire realm.  Since the server that will handle service tickets for this principal is the KDC itself, it is easy to guarantee that it will be configured to support any encryption types which might be selected.  However, the default KDC behavior when creating new keys is to remove the old keys, which would invalidate all existing tickets issued against that principal, rendering the TGTs cached by clients useless.  Instead, a new key can be created with the old key retained, so that existing tickets will still function until their scheduled expiry (see :ref:`changing_krbtgt_key`).

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > -keepold krbtgt/ZONE.MIT.EDU"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.

.. note::

    The new ``krbtgt@REALM`` key should be propagated to replica KDCs immediately so that TGTs issued by the primary KDC can be used to issue service tickets on replica KDCs.  Replica KDCs will refuse requests using the new TGT kvno until the new krbtgt entry has been propagated to them.

It is necessary to explicitly specify the enctypes for the new database entry, since **supported_enctypes** has not been changed.  Leaving **supported_enctypes** unchanged makes a potential rollback operation easier, since all new keys of new enctypes are the result of explicit administrator action and can be easily enumerated.
Upgrading the krbtgt key should have minimal user-visible disruption other than that described in the note above, since only clients which list the new enctypes as supported will use them, per the procedure in :ref:`session_key_selection`.  Once the krbtgt key is updated, the session and ticket keys for user TGTs will be strong keys, but subsequent requests for service tickets will still get DES keys until the service principals have new keys generated.  Application service remains uninterrupted due to the key-selection procedure on the KDC.

After the change, the database entry is now:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
    [...]
    Number of keys: 5
    Key: vno 2, aes256-cts-hmac-sha1-96
    Key: vno 2, aes128-cts-hmac-sha1-96
    Key: vno 2, des3-cbc-sha1
    Key: vno 2, des-cbc-crc
    Key: vno 1, des-cbc-crc:v4
    [...]

Since the expected disruptions from rekeying the krbtgt principal are minor, after a short testing period, it is appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` and ``kadmin/changepw@REALM``.  These are the service principals used for changing user passwords and updating application keytabs.  The kadmin and password-changing services are regular kerberized services, so the session-key-selection algorithm described in :ref:`session_key_selection` applies.  It is particularly important to have strong session keys for these services, since user passwords and new long-term keys are conveyed over the encrypted channel.

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > kadmin/admin"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "kadmin/admin@ZONE.MIT.EDU" randomized.
    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
    > kadmin/changepw"
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Key for "kadmin/changepw@ZONE.MIT.EDU" randomized.

It is not necessary to retain a single-DES key for these services, since password changes are not part of normal daily workflow, and disruption from a client failure is likely to be minimal.  Furthermore, if a kerberos client experiences failure changing a user password or keytab key, this indicates that that client will become inoperative once services are rekeyed to non-DES enctypes.  Such problems can be detected early at this stage, giving more time for corrective action.

Adding strong keys to application servers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before switching the default enctypes for new keys over to strong enctypes, it may be desired to test upgrading a handful of services with the new configuration before flipping the switch for the defaults.  This still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default enctypes:

::

    [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
    > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal
    [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \
    > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \
    > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"
    Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab.

Be sure to remove the old keys from the application keytab, per best practice.

::

    [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold
    Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
    Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab.

Adding strong keys by default
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once the high-visibility services have been rekeyed, it is probably appropriate to change :ref:`kdc.conf(5)` to generate keys with the new encryption types by default.  This enables server administrators to generate new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, and causes user password changes to add new encryption types for their entries.  It will probably be necessary to implement administrative controls to cause all user principal keys to be updated in a reasonable period of time, whether by forcing password changes or a password synchronization service that has access to the current password and can add the new keys.

::

    [realms]
        ZONE.MIT.EDU = {
            supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal
        }

.. note::

    The krb5kdc process must be restarted for these changes to take effect.

At this point, all service administrators can update their services and the servers behind them to take advantage of strong cryptography.  If necessary, the server's krb5 installation should be configured and/or upgraded to a version supporting non-DES keys.  See :ref:`enctypes` for krb5 version and configuration settings.  Only when the service is configured to accept non-DES keys should the key version number be incremented and new keys generated (``k5srvutil change && k5srvutil delold``).
::

    root@dr-willy:~# k5srvutil change
    Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    root@dr-willy:~# klist -e -k -t /etc/krb5.keytab
    Keytab name: WRFILE:/etc/krb5.keytab
    KVNO Timestamp         Principal
    ---- ----------------- --------------------------------------------------------
       2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
       3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
    root@dr-willy:~# k5srvutil delold
    Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
    Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.

When a single service principal is shared by multiple backend servers
in a load-balanced environment, it may be necessary to schedule
downtime or adjust the population in the load-balanced pool in order
to propagate the updated keytab to all hosts in the pool with minimal
service interruption.
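The ``klist -e -k -t`` listing above shows the intermediate state after ``k5srvutil change`` and before ``delold``.  As an added example (not part of the krb5 documentation or tools), the following Python script parses a constructed listing modelled on that output, reports the entries ``delold`` would remove (every kvno below the current one) and flags single-DES keys that remain in the current kvno, the condition the note in the next section warns about.  It assumes the ``-t`` timestamp column is present and that klist displays single-DES enctypes with a name beginning ``DES `` (triple DES is shown as ``Triple DES ...``), as in the output above.

```python
"""Audit a 'klist -e -k -t' listing around the k5srvutil change/delold step.

Added example, not krb5 code.  Assumptions: the listing includes the -t
timestamp column, and single-DES enctypes are displayed with a name that
starts with "DES " (triple DES is displayed as "Triple DES ...").
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the dr-willy listing: kvno 3 was just
# added by 'k5srvutil change', kvno 2 is the entry 'delold' will remove.
SAMPLE_KLIST = """\
Keytab name: WRFILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
"""

# kvno, "MM/DD/YY HH:MM:SS", principal, "(enctype display name)"
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+ \S+)\s+(\S+)\s+\((.+)\)\s*$")


def is_single_des(enctype_display):
    """Heuristic on klist's display names (assumption stated above)."""
    return enctype_display.startswith("DES ")


def parse_klist(text):
    """Return {principal: {kvno: [enctype, ...]}}; header lines are skipped."""
    entries = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            entries[principal][int(kvno)].append(enctype)
    return {p: dict(kvnos) for p, kvnos in entries.items()}


def audit_keytab(text):
    """Classify every entry as stale (delold candidate) or current-and-weak."""
    report = {"current_kvno": {}, "stale": [], "weak_current": []}
    for principal, by_kvno in parse_klist(text).items():
        current = max(by_kvno)          # k5srvutil delold keeps only this kvno
        report["current_kvno"][principal] = current
        for kvno in sorted(by_kvno):
            for enctype in by_kvno[kvno]:
                if kvno < current:
                    report["stale"].append((principal, kvno, enctype))
                elif is_single_des(enctype):
                    report["weak_current"].append((principal, kvno, enctype))
    return report


if __name__ == "__main__":
    result = audit_keytab(SAMPLE_KLIST)
    for principal, kvno, enctype in result["stale"]:
        print(f"delold would remove: {principal} kvno {kvno} ({enctype})")
    for principal, kvno, enctype in result["weak_current"]:
        print(f"single-DES key still in current kvno: {principal} kvno {kvno} ({enctype})")
```

Run against a real keytab with ``klist -e -k -t /etc/krb5.keytab | python3 audit.py`` after replacing ``SAMPLE_KLIST`` with ``sys.stdin.read()``; an empty ``stale`` list confirms ``delold`` has run, and a non-empty ``weak_current`` list means the service is still offering a single-DES key at the current kvno.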
Removing DES keys from usage
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This situation remains something of a testing or transitory state, as
new DES keys are still being generated, and will be used if requested
by a client.  To make more progress removing DES from the realm, the
KDC should be configured to not generate such keys by default.

.. note::

    An attacker posing as a client can implement a brute force attack
    against a DES key for any principal, if that key is in the current
    (highest-kvno) key list.  This attack is only possible if
    **allow_weak_crypto = true** is enabled on the KDC.  Setting the
    **+requires_preauth** flag on a principal forces this attack to be
    an online attack, much slower than the offline attack otherwise
    available to the attacker.  However, setting this flag on a
    service principal is not always advisable; see the entry in
    :ref:`add_principal` for details.

The following KDC configuration will not generate DES keys by default:

::

    [realms]
    ZONE.MIT.EDU = {
        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal

.. note::

    As before, the KDC process must be restarted for this change to
    take effect.  It is best practice to update kdc.conf on all KDCs,
    not just the primary, to avoid unpleasant surprises should the
    primary fail and a replica need to be promoted.

It is now appropriate to remove the legacy single-DES key from the
``krbtgt/REALM`` entry:

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \
    > krbtgt/ZONE.MIT.EDU"
    Authenticating as principal host/admin@ATHENA.MIT.EDU with password.
    Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.

After the maximum ticket lifetime has passed, the old database entry
should be removed.

::

    [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'
    Authenticating as principal root/admin@ZONE.MIT.EDU with password.
    Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged.
After the KDC is restarted with the new **supported_enctypes**, all
user password changes and application keytab updates will not
generate DES keys by default.

::

    contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU
    Password for zonetest@ZONE.MIT.EDU: [enter old password]
    Enter new password: [enter new password]
    Enter it again: [enter new password]
    Password changed.
    contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest'
    [...]
    Number of keys: 3
    Key: vno 9, aes256-cts-hmac-sha1-96
    Key: vno 9, aes128-cts-hmac-sha1-96
    Key: vno 9, des3-cbc-sha1
    [...]

    [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
    > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU'
    Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
    Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.

Once all principals have been re-keyed, DES support can be disabled on
the KDC (**allow_weak_crypto = false**), and client machines can
remove **allow_weak_crypto = true** from their :ref:`krb5.conf(5)`
configuration files, completing the migration.  **allow_weak_crypto**
takes precedence over all places where DES enctypes could be
explicitly configured.  DES keys will not be used, even if they are
present, when **allow_weak_crypto = false**.

Support for legacy services
~~~~~~~~~~~~~~~~~~~~~~~~~~~

If there remain legacy services which do not support non-DES enctypes
(such as older versions of AFS), **allow_weak_crypto** must remain
enabled on the KDC.
Client machines need not have this setting, though---applications
which require DES can use API calls to allow weak crypto on a
per-request basis, overriding the system krb5.conf.  However, having
**allow_weak_crypto** set on the KDC means that any principals which
have a DES key in the database could still use those keys.  To
minimize the use of DES in the realm and restrict it to just legacy
services which require DES, it is necessary to remove all other DES
keys.  The realm has been configured such that at password and keytab
change, no DES keys will be generated by default.  The task then
reduces to requiring user password changes and having server
administrators update their service keytabs.  Administrative outreach
will be necessary, and if the desire to eliminate DES is sufficiently
strong, the KDC administrators may choose to randkey any principals
which have not been rekeyed after some timeout period, forcing the
user to contact the helpdesk for access.

The Database Master Key
-----------------------

This procedure does not alter ``K/M@REALM``, the key used to encrypt
key material in the Kerberos database.  (This is the key stored in the
stash file on the KDC if stash files are used.)  However, the security
risk of a single-DES key for ``K/M`` is minimal, given that access to
material encrypted in ``K/M`` (the Kerberos database) is generally
tightly controlled.  If an attacker can gain access to the encrypted
database, they likely have access to the stash file as well, rendering
the weak cryptography broken by non-cryptographic means.  As such,
upgrading ``K/M`` to a stronger encryption type is unlikely to be a
high-priority task.

It is possible to upgrade the master key used for the database, if
desired.  Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and
**update_princ_encryption** commands, a new master key can be added
and activated for use on new key material, and the existing entries
converted to the new master key.
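Finding the principals that still need outreach, as described under "Removing DES keys from usage" and "Support for legacy services", can be done from ``kadmin getprinc`` output.  The following Python script is an added example, not krb5 code: it reads constructed ``getprinc`` output for several principals and classifies each according to the note in "Removing DES keys from usage".  A single-DES key in the current (highest-kvno) list on a principal without **+requires_preauth** is exposed to an offline brute-force attack, the same key with preauth required only to an online one, and a DES key present only in older kvnos (as for ``krbtgt`` after ``cpw -keepold``) is a ``purgekeys`` candidate.  The principal names, kvnos and attributes in the sample are constructed; the script assumes the ``Principal:``, ``Key: vno N, enctype[:salt]`` and ``Attributes:`` line formats that ``getprinc`` prints.

```python
"""Find principals whose current (highest-kvno) key list still contains
single DES, using 'kadmin getprinc' output.

Added example, not krb5 code.  The sample below is constructed; it keeps
only the getprinc lines this script reads ("Principal:", "Key: vno N,
enctype[:salttype]" and "Attributes:") and assumes that format for them.
"""
import re
from collections import defaultdict

SAMPLE_GETPRINC = """\
Principal: zonetest@ZONE.MIT.EDU
Number of keys: 3
Key: vno 9, aes256-cts-hmac-sha1-96
Key: vno 9, aes128-cts-hmac-sha1-96
Key: vno 9, des3-cbc-sha1
Attributes: REQUIRES_PRE_AUTH

Principal: krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU
Number of keys: 4
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, aes128-cts-hmac-sha1-96
Key: vno 3, des3-cbc-sha1
Key: vno 2, des-cbc-crc
Attributes:

Principal: afs/zone.mit.edu@ZONE.MIT.EDU
Number of keys: 1
Key: vno 4, des-cbc-crc:afs3
Attributes:

Principal: host/legacy.zone.mit.edu@ZONE.MIT.EDU
Number of keys: 2
Key: vno 5, aes256-cts-hmac-sha1-96
Key: vno 5, des-cbc-crc
Attributes: REQUIRES_PRE_AUTH
"""

KEY_RE = re.compile(r"^Key: vno (\d+), ([^:\s]+)(?::(\S+))?$")   # optional :salttype


def is_single_des(enctype):
    """des-cbc-crc, des-cbc-md5, des-hmac-sha1, ...; des3-* is triple DES."""
    return enctype.startswith("des-")


def parse_getprinc(text):
    """Return {principal: {"keys": {vno: [enctype]}, "attributes": set()}}."""
    principals, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal: "):
            current = {"keys": defaultdict(list), "attributes": set()}
            principals[line[len("Principal: "):]] = current
        elif current is None:
            continue                      # text before the first principal
        elif line.startswith("Attributes:"):
            current["attributes"] = set(line[len("Attributes:"):].split())
        else:
            m = KEY_RE.match(line)
            if m:
                current["keys"][int(m.group(1))].append(m.group(2))
    return principals


def classify(principals):
    """Map each principal to its DES exposure per the note in 'Removing DES keys from usage'."""
    result = {}
    for name, info in principals.items():
        keys = info["keys"]
        if not keys:
            result[name] = "no-keys"
            continue
        current = max(keys)
        des_current = any(is_single_des(e) for e in keys[current])
        des_old = any(is_single_des(e) for v in keys if v < current for e in keys[v])
        if des_current and "REQUIRES_PRE_AUTH" not in info["attributes"]:
            result[name] = "des-current-offline"   # brute force possible offline
        elif des_current:
            result[name] = "des-current-online"    # preauth forces an online attack
        elif des_old:
            result[name] = "des-old-purge"         # only in old kvnos: purgekeys once tickets expire
        else:
            result[name] = "clean"
    return result


if __name__ == "__main__":
    for name, state in sorted(classify(parse_getprinc(SAMPLE_GETPRINC)).items()):
        print(f"{state:22s} {name}")
```

To run it over a realm, feed it the concatenated output of ``getprinc`` for every name from ``kadmin -q listprincs``; the ``des-current-offline`` class is the list to rekey first, and ``des-old-purge`` entries become ``purgekeys`` candidates once the maximum ticket lifetime has passed.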
.. krb5-1.19.2/doc/html/_sources/admin/install_clients.rst.txt

Installing and configuring UNIX client machines
===============================================

The Kerberized client programs include :ref:`kinit(1)`,
:ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`.  All of
these programs are in the directory |bindir|.

You can often integrate Kerberos with the login system on client
machines, typically through the use of PAM.  The details vary by
operating system, and should be covered in your operating system's
documentation.  If you do this, you will need to make sure your users
know to use their Kerberos passwords when they log in.

You will also need to educate your users to use the ticket management
programs kinit, klist, and kdestroy.  If you do not have Kerberos
password changing integrated into the native password program (again,
typically through PAM), you will need to educate users to use kpasswd
in place of its non-Kerberos counterpart, passwd.

Client machine configuration files
----------------------------------

Each machine running Kerberos should have a :ref:`krb5.conf(5)` file.
At a minimum, it should define a **default_realm** setting in
:ref:`libdefaults`.  If you are not using DNS SRV records
(:ref:`kdc_hostnames`) or URI records (:ref:`kdc_discovery`), it must
also contain a :ref:`realms` section containing information for your
realm's KDCs.

Consider setting **rdns** to false in order to reduce your dependence
on precisely correct DNS information for service hostnames.  Turning
this flag off means that service hostnames will be canonicalized
through forward name resolution (which adds your domain name to
unqualified hostnames, and resolves CNAME records in DNS), but not
through reverse address lookup.  The default value of this flag is
true for historical reasons only.
If you anticipate users frequently logging into remote hosts (e.g.,
using ssh) using forwardable credentials, consider setting
**forwardable** to true so that users obtain forwardable tickets by
default.  Otherwise users will need to use ``kinit -f`` to get
forwardable tickets.

Consider adjusting the **ticket_lifetime** setting to match the likely
length of sessions for your users.  For instance, if most of your
users will be logging in for an eight-hour workday, you could set the
default to ten hours so that tickets obtained in the morning expire
shortly after the end of the workday.  Users can still manually
request longer tickets when necessary, up to the maximum allowed by
each user's principal record on the KDC.

If a client host may access services in different realms, it may be
useful to define a :ref:`domain_realm` mapping so that clients know
which hosts belong to which realms.  However, if your clients and KDC
are running release 1.7 or later, it is also reasonable to leave this
section out on client machines and just define it in the KDC's
krb5.conf.

.. krb5-1.19.2/doc/html/_sources/admin/conf_ldap.rst.txt

.. _conf_ldap:

Configuring Kerberos with OpenLDAP back-end
===========================================

1. Make sure the LDAP server is using local authentication
   (``ldapi://``) or TLS (``ldaps``).  See
   https://www.openldap.org/doc/admin24/tls.html for instructions on
   configuring TLS support in OpenLDAP.

2. Add the Kerberos schema file to the LDAP Server using the OpenLDAP
   LDIF file from the krb5 source directory
   (``src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif``).
   The following example uses local authentication::

       ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/kerberos.openldap.ldif

3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers
   to bind to the LDAP server, and create them if necessary.  Specify
   these DNs with the **ldap_kdc_dn** and **ldap_kadmind_dn**
   directives in :ref:`kdc.conf(5)`.  The kadmind DN will also be
   used for administrative commands such as :ref:`kdb5_util(8)`.

   Alternatively, you may configure krb5kdc and kadmind to use SASL
   authentication to access the LDAP server; see the :ref:`dbmodules`
   relations **ldap_kdc_sasl_mech** and similar.

4. Specify a location for the LDAP service password file by setting
   **ldap_service_password_file**.  Use ``kdb5_ldap_util stashsrvpw``
   to stash passwords for the KDC and kadmind DNs chosen above.  For
   example::

       kdb5_ldap_util stashsrvpw -f /path/to/service.keyfile cn=krbadmin,dc=example,dc=com

   Skip this step if you are using SASL authentication and the
   mechanism does not require a password.

5. Choose a DN for the global Kerberos container entry (but do not
   create the entry at this time).  Specify this DN with the
   **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`.
   Realm container entries will be created underneath this DN.
   Principal entries may exist either underneath the realm container
   (the default) or in separate trees referenced from the realm
   container.

6. Configure the LDAP server ACLs to enable the KDC and kadmin server
   DNs to read and write the Kerberos data.  If
   **disable_last_success** and **disable_lockout** are both set to
   true in the :ref:`dbmodules` subsection for the realm, then the KDC
   DN only requires read access to the Kerberos data.

   Sample access control information::

       access to dn.base=""
           by * read
       access to dn.base="cn=Subschema"
           by * read

       # Provide access to the realm container.
       access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
           by dn.exact="cn=kdc-service,dc=example,dc=com" write
           by dn.exact="cn=adm-service,dc=example,dc=com" write
           by * none
       # Provide access to principals, if not underneath the realm container.
       access to dn.subtree= "ou=users,dc=example,dc=com"
           by dn.exact="cn=kdc-service,dc=example,dc=com" write
           by dn.exact="cn=adm-service,dc=example,dc=com" write
           by * none
       access to *
           by * read

   If the locations of the container and principals or the DNs of the
   service objects for a realm are changed then this information
   should be updated.

7. In :ref:`kdc.conf(5)`, make sure the following relations are set in
   the :ref:`dbmodules` subsection for the realm::

       db_library (set to ``kldap``)
       ldap_kerberos_container_dn
       ldap_kdc_dn
       ldap_kadmind_dn
       ldap_service_password_file
       ldap_servers

8. Create the realm using :ref:`kdb5_ldap_util(8)` (see
   :ref:`ldap_create_realm`)::

       kdb5_ldap_util create -subtrees ou=users,dc=example,dc=com -s

   Use the **-subtrees** option if the principals are to exist in a
   separate subtree from the realm container.  Before executing the
   command, make sure that the subtree mentioned above
   ``(ou=users,dc=example,dc=com)`` exists.  If the principals will
   exist underneath the realm container, omit the **-subtrees** option
   and do not worry about creating the principal subtree.

   For more information, refer to the section :ref:`ops_on_ldap`.

   The realm object is created under the
   **ldap_kerberos_container_dn** specified in the configuration file.
   This operation will also create the Kerberos container, if not
   present already.  This container can be used to store information
   related to multiple realms.

9. Add an ``eq`` index for ``krbPrincipalName`` to speed up principal
   lookup operations.  See
   https://www.openldap.org/doc/admin24/tuning.html#Indexes for
   details.

With the LDAP back end it is possible to provide aliases for principal
entries.  Currently we provide no administrative utilities for
creating aliases, so it must be done by direct manipulation of the
LDAP entries.

An entry with aliases contains multiple values of the
*krbPrincipalName* attribute.
Since LDAP attribute values are not ordered, it is necessary to
specify which principal name is canonical, by using the
*krbCanonicalName* attribute.  Therefore, to create aliases for an
entry, first set the *krbCanonicalName* attribute of the entry to the
canonical principal name (which should be identical to the
pre-existing *krbPrincipalName* value), and then add additional
*krbPrincipalName* attributes for the aliases.

Principal aliases are only returned by the KDC when the client
requests canonicalization.  Canonicalization is normally requested for
service principals; for client principals, an explicit flag is often
required (e.g., ``kinit -C``) and canonicalization is only performed
for initial ticket requests.

.. krb5-1.19.2/doc/html/_sources/admin/install.rst.txt

Installation guide
==================

Contents
--------

.. toctree::
   :maxdepth: 2

   install_kdc.rst
   install_clients.rst
   install_appl_srv.rst

Additional references
---------------------

#. Debian: `Setting up MIT Kerberos 5 `_
#. Solaris: `Configuring the Kerberos Service `_

.. krb5-1.19.2/doc/html/_sources/admin/auth_indicator.rst.txt

.. _auth_indicator:

Authentication indicators
=========================

As of release 1.14, the KDC can be configured to annotate tickets if
the client authenticated using a stronger preauthentication mechanism
such as :ref:`PKINIT ` or :ref:`OTP `.  These annotations are called
"authentication indicators."  Service principals can be configured to
require particular authentication indicators in order to authenticate
to that service.  An authentication indicator value can be any string
chosen by the KDC administrator; there are no pre-set values.

To use authentication indicators with PKINIT or OTP, first configure
the KDC to include an indicator when that preauthentication mechanism
is used.
For PKINIT, use the **pkinit_indicator** variable in
:ref:`kdc.conf(5)`.  For OTP, use the **indicator** variable in the
token type definition, or specify the indicators in the **otp** user
string as described in :ref:`otp_preauth`.

To require an indicator to be present in order to authenticate to a
service principal, set the **require_auth** string attribute on the
principal to the indicator value to be required.  If you wish to allow
one of several indicators to be accepted, you can specify multiple
indicator values separated by spaces.

For example, a realm could be configured to set the authentication
indicator value "strong" when PKINIT is used to authenticate, using a
setting in the :ref:`kdc_realms` subsection::

    pkinit_indicator = strong

A service principal could be configured to require the "strong"
authentication indicator value::

    $ kadmin setstr host/high.value.server require_auth strong
    Password for user/admin@KRBTEST.COM:

A user who authenticates with PKINIT would be able to obtain a ticket
for the service principal::

    $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
    $ kvno host/high.value.server
    host/high.value.server@KRBTEST.COM: kvno = 1

but a user who authenticates with a password would not::

    $ kinit user
    Password for user@KRBTEST.COM:
    $ kvno host/high.value.server
    kvno: KDC policy rejects request while getting credentials for host/high.value.server@KRBTEST.COM

GSSAPI server applications can inspect authentication indicators
through the :ref:`auth-indicators ` name attribute.

.. krb5-1.19.2/doc/html/_sources/admin/princ_dns.rst.txt

Principal names and DNS
=======================

Kerberos clients can do DNS lookups to canonicalize service principal
names.  This can cause difficulties when setting up Kerberos
application servers, especially when the client's name for the service
is different from what the service thinks its name is.
Service principal names
-----------------------

A frequently used kind of principal name is the host-based service
principal name.  This kind of principal name has two components: a
service name and a hostname.  For example, ``imap/imap.example.com``
is the principal name of the "imap" service on the host
"imap.example.com".  Other possible service names for the first
component include "host" (remote login services such as ssh), "HTTP",
and "nfs" (Network File System).

Service administrators often publish well-known hostname aliases that
they would prefer users to use instead of the canonical name of the
service host.  This gives service administrators more flexibility in
deploying services.  For example, a shell login server might be named
"long-vanity-hostname.example.com", but users will naturally prefer to
type something like "login.example.com".  Hostname aliases also allow
for administrators to set up load balancing for some sorts of services
based on rotating ``CNAME`` records in DNS.

Service principal canonicalization
----------------------------------

In the MIT krb5 client library, canonicalization of host-based service
principals is controlled by the **dns_canonicalize_hostname**,
**rdns**, and **qualify_shortname** variables in :ref:`libdefaults`.

If **dns_canonicalize_hostname** is set to ``true`` (the default
value), the client performs forward resolution by looking up the IPv4
and/or IPv6 addresses of the hostname using ``getaddrinfo()``.  This
process will typically add a domain suffix to the hostname if needed,
and follow CNAME records in the DNS.  If **rdns** is also set to
``true`` (the default), the client will then perform a reverse lookup
of the first returned Internet address using ``getnameinfo()``,
finding the name associated with the PTR record.

If **dns_canonicalize_hostname** is set to ``false``, the hostname is
not canonicalized using DNS.  If the hostname has only one component
(i.e. it contains no "."
characters), the host's primary DNS search domain will be appended, if
there is one.  The **qualify_shortname** variable can be used to
override or disable this suffix.

If **dns_canonicalize_hostname** is set to ``fallback`` (added in
release 1.18), the hostname is initially treated according to the
rules for ``dns_canonicalize_hostname=false``.  If a ticket request
fails because the service principal is unknown, the hostname will be
canonicalized according to the rules for
``dns_canonicalize_hostname=true`` and the request will be retried.

In all cases, the hostname is converted to lowercase, and any trailing
dot is removed.

Reverse DNS mismatches
----------------------

Sometimes, an enterprise will have control over its forward DNS but
not its reverse DNS.  The reverse DNS is sometimes under the control
of the Internet service provider of the enterprise, and the enterprise
may not have much influence in setting up reverse DNS records for its
address space.  If there are difficulties with getting forward and
reverse DNS to match, it is best to set ``rdns = false`` on client
machines.

Overriding application behavior
-------------------------------

Applications can choose to use a default hostname component in their
service principal name when accepting authentication, which avoids
some sorts of hostname mismatches.  Because not all relevant
applications do this yet, using the :ref:`krb5.conf(5)` setting::

    [libdefaults]
        ignore_acceptor_hostname = true

will allow the Kerberos library to override the application's choice
of service principal hostname and will allow a server program to
accept incoming authentications using any key in its keytab that
matches the service name and realm name (if given).  This setting
defaults to "false" and is available in releases krb5-1.10 and later.
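The three modes of **dns_canonicalize_hostname**, together with **rdns** and **qualify_shortname**, can be modelled directly.  The following Python program is an added example, not krb5 library code: it stands in for ``getaddrinfo()`` and ``getnameinfo()`` with constructed DNS tables (``FORWARD_DNS``, ``REVERSE_DNS`` and an assumed search domain of ``example.com``), stands in for the KDC's answer with a constructed set of known principals, and applies the canonicalization rules above.  It also reproduces the reverse DNS mismatch case from the preceding section (an ISP-controlled PTR record replacing the enterprise's forward name when ``rdns`` is on) and the ``fallback`` retry.

```python
"""Model of the service-hostname canonicalization rules described above.

Added example, not krb5 library code.  The DNS tables, the search domain and
the set of principals the KDC knows are all constructed stand-ins for
getaddrinfo()/getnameinfo() and the KDC's answer.
"""

SEARCH_DOMAIN = "example.com"          # assumed primary DNS search domain

# Constructed forward DNS: name -> (canonical name after CNAME chasing, addresses).
FORWARD_DNS = {
    "login.example.com": ("long-vanity-hostname.example.com", ["192.0.2.10"]),
    "long-vanity-hostname.example.com": ("long-vanity-hostname.example.com", ["192.0.2.10"]),
    "imap.example.com": ("imap.example.com", ["192.0.2.20"]),
}
# Constructed reverse DNS: 192.0.2.20's PTR is controlled by the ISP, not the enterprise.
REVERSE_DNS = {
    "192.0.2.10": "long-vanity-hostname.example.com",
    "192.0.2.20": "mail-pool-20.isp.example.net",
}


def normalize(host):
    """Applied in every mode: lowercase and strip a trailing dot."""
    return host.lower().rstrip(".")


def qualify(host, qualify_shortname=None):
    """dns_canonicalize_hostname=false path: append the search domain to a
    single-component name; qualify_shortname overrides it ("" disables)."""
    if "." in host:
        return host
    suffix = SEARCH_DOMAIN if qualify_shortname is None else qualify_shortname
    return f"{host}.{suffix}" if suffix else host


def getaddrinfo(host):
    """Stand-in for forward resolution: honours the search list, follows CNAMEs."""
    for name in ([host] if "." in host else [f"{host}.{SEARCH_DOMAIN}", host]):
        if name in FORWARD_DNS:
            return FORWARD_DNS[name]
    raise LookupError(f"cannot resolve {host}")


def canonicalize(host, mode="true", rdns=True, qualify_shortname=None):
    """Hostname component krb5 would put in a host-based principal.

    mode is the dns_canonicalize_hostname value: "true", "false" or "fallback".
    """
    host = normalize(host)
    if mode in ("false", "fallback"):
        # fallback starts here; the retry with DNS happens in lookup_principal()
        return normalize(qualify(host, qualify_shortname))
    canonical, addrs = getaddrinfo(host)
    if rdns and addrs:
        # getnameinfo() on the first address; keep the forward name if there is no PTR
        canonical = REVERSE_DNS.get(addrs[0], canonical)
    return normalize(canonical)


def lookup_principal(host, known_principals, mode="fallback", rdns=True, service="host"):
    """Build service/host; in fallback mode retry with DNS canonicalization
    when the first name is not a principal the KDC knows."""
    princ = f"{service}/{canonicalize(host, mode, rdns)}"
    if princ not in known_principals and mode == "fallback":
        princ = f"{service}/{canonicalize(host, 'true', rdns)}"
    if princ not in known_principals:
        raise LookupError(f"{princ}: Server not found in Kerberos database")
    return princ


if __name__ == "__main__":
    kdc = {"host/long-vanity-hostname.example.com", "host/imap.example.com"}
    print(canonicalize("LOGIN.example.com.", "true"))            # vanity alias chased to canonical name
    print(canonicalize("imap.example.com", "true", rdns=True))    # ISP PTR wins: the mismatch case
    print(canonicalize("imap.example.com", "true", rdns=False))   # rdns=false avoids it
    print(lookup_principal("login.example.com", kdc))             # fallback retries with DNS
```

The ``imap.example.com`` case is the one that motivates ``rdns = false``: with reverse lookup on, the client would ask for ``host/mail-pool-20.isp.example.net``, a principal the service's keytab does not contain, and with it off the forward name is used unchanged.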
Provisioning keytabs
--------------------

One service principal entry that should be in the keytab is a
principal whose hostname component is the canonical hostname that
``getaddrinfo()`` reports for all known aliases for the host.  If the
reverse DNS information does not match this canonical hostname, an
additional service principal entry should be in the keytab for this
different hostname.

Specific application advice
---------------------------

Secure shell (ssh)
~~~~~~~~~~~~~~~~~~

Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file
of modern versions of the openssh daemon will allow the daemon to try
any key in its keytab when accepting a connection, rather than looking
for the keytab entry that matches the host's own idea of its name
(typically the name that ``gethostname()`` returns).  This requires
krb5-1.10 or later.

.. krb5-1.19.2/doc/html/_sources/admin/install_kdc.rst.txt

Installing KDCs
===============

When setting up Kerberos in a production environment, it is best to
have multiple replica KDCs alongside a primary KDC to ensure the
continued availability of the Kerberized services.  Each KDC contains
a copy of the Kerberos database.  The primary KDC contains the
writable copy of the realm database, which it replicates to the
replica KDCs at regular intervals.  All database changes (such as
password changes) are made on the primary KDC.  Replica KDCs provide
Kerberos ticket-granting services, but not database administration,
when the primary KDC is unavailable.  MIT recommends that you install
all of your KDCs to be able to function as either the primary or one
of the replicas.  This will enable you to easily switch your primary
KDC with one of the replicas if necessary (see
:ref:`switch_primary_replica`).  This installation procedure is based
on that recommendation.

.. warning::

    - The Kerberos system relies on the availability of correct time
      information.  Ensure that the primary and all replica KDCs have
      properly synchronized clocks.

    - It is best to install and run KDCs on secured and dedicated
      hardware with limited access.  If your KDC is also a file
      server, FTP server, Web server, or even just a client machine,
      someone who obtained root access through a security hole in any
      of those areas could potentially gain access to the Kerberos
      database.

Install and configure the primary KDC
-------------------------------------

Install Kerberos either from the OS-provided packages or from the
source (See :ref:`do_build`).

.. note::

    For the purpose of this document we will use the following names::

        kerberos.mit.edu    - primary KDC
        kerberos-1.mit.edu  - replica KDC
        ATHENA.MIT.EDU      - realm name
        .k5.ATHENA.MIT.EDU  - stash file
        admin/admin         - admin principal

    See :ref:`mitK5defaults` for the default names and locations of the
    files relevant to this topic.  Adjust the names and paths to your
    system environment.

Edit KDC configuration files
----------------------------

Modify the configuration files, :ref:`krb5.conf(5)` and
:ref:`kdc.conf(5)`, to reflect the correct information (such as
domain-realm mappings and Kerberos server names) for your realm.
(See :ref:`mitK5defaults` for the recommended default locations for
these files).

Most of the tags in the configuration have default values that will
work well for most sites.  There are some tags in the
:ref:`krb5.conf(5)` file whose values must be specified, and this
section will explain those.

If the locations for these configuration files differ from the
default ones, set the **KRB5_CONFIG** and **KRB5_KDC_PROFILE**
environment variables to point to the krb5.conf and kdc.conf
respectively.  For example::

    export KRB5_CONFIG=/yourdir/krb5.conf
    export KRB5_KDC_PROFILE=/yourdir/kdc.conf

krb5.conf
~~~~~~~~~

If you are not using DNS TXT records (see :ref:`mapping_hostnames`),
you must specify the **default_realm** in the :ref:`libdefaults`
section.
If you are not using DNS URI or SRV records (see :ref:`kdc_hostnames`
and :ref:`kdc_discovery`), you must include the **kdc** tag for each
*realm* in the :ref:`realms` section.  To communicate with the kadmin
server in each realm, the **admin_server** tag must be set in the
:ref:`realms` section.

An example krb5.conf file::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU

    [realms]
        ATHENA.MIT.EDU = {
            kdc = kerberos.mit.edu
            kdc = kerberos-1.mit.edu
            admin_server = kerberos.mit.edu
        }

kdc.conf
~~~~~~~~

The kdc.conf file can be used to control the listening ports of the
KDC and kadmind, as well as realm-specific defaults, the database type
and location, and logging.

An example kdc.conf file::

    [kdcdefaults]
        kdc_listen = 88
        kdc_tcp_listen = 88

    [realms]
        ATHENA.MIT.EDU = {
            kadmind_port = 749
            max_life = 12h 0m 0s
            max_renewable_life = 7d 0h 0m 0s
            master_key_type = aes256-cts
            supported_enctypes = aes256-cts:normal aes128-cts:normal
            # If the default location does not suit your setup,
            # explicitly configure the following values:
            #   database_name = /var/krb5kdc/principal
            #   key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
            #   acl_file = /var/krb5kdc/kadm5.acl
        }

    [logging]
        # By default, the KDC and kadmind will log output using
        # syslog.  You can instead send log output to files like this:
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

Replace ``ATHENA.MIT.EDU`` and ``kerberos.mit.edu`` with the name of
your Kerberos realm and server respectively.

.. note::

    You have to have write permission on the target directories (these
    directories must exist) used by **database_name**,
    **key_stash_file**, and **acl_file**.

.. _create_db:

Create the KDC database
-----------------------

You will use the :ref:`kdb5_util(8)` command on the primary KDC to
create the Kerberos database and the optional
:ref:`stash_definition`.

.. note::

    If you choose not to install a stash file, the KDC will prompt you
    for the master key each time it starts up.
    This means that the KDC will not be able to start automatically,
    such as after a system reboot.

:ref:`kdb5_util(8)` will prompt you for the master password for the
Kerberos database.  This password can be any string.  A good password
is one you can remember, but that no one else can guess.  Examples of
bad passwords are words that can be found in a dictionary, any common
or popular name, especially a famous person (or cartoon character),
your username in any form (e.g., forward, backward, repeated twice,
etc.), and any of the sample passwords that appear in this manual.
One example of a password which might be good if it did not appear in
this manual is "MITiys4K5!", which represents the sentence "MIT is
your source for Kerberos 5!" (It's the first letter of each word,
substituting the numeral "4" for the word "for", and includes the
punctuation mark at the end.)

The following is an example of how to create a Kerberos database and
stash file on the primary KDC, using the :ref:`kdb5_util(8)` command.
Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm::

    shell% kdb5_util create -r ATHENA.MIT.EDU -s

    Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
    master key name 'K/M@ATHENA.MIT.EDU'
    You will be prompted for the database Master Password.
    It is important that you NOT FORGET this password.
    Enter KDC database master key:  <= Type the master password.
    Re-enter KDC database master key to verify:  <= Type it again.
    shell%

This will create five files in |kdcdir| (or at the locations specified
in :ref:`kdc.conf(5)`):

* two Kerberos database files, ``principal``, and ``principal.ok``
* the Kerberos administrative database file, ``principal.kadm5``
* the administrative database lock file, ``principal.kadm5.lock``
* the stash file, in this example ``.k5.ATHENA.MIT.EDU``.  If you do
  not want a stash file, run the above command without the **-s**
  option.

For more information on administering the Kerberos database see
:ref:`db_operations`.

.. _admin_acl:

Add administrators to the ACL file
----------------------------------

Next, you need to create an Access Control List (ACL) file and put
the Kerberos principal of at least one of the administrators into it.
This file is used by the :ref:`kadmind(8)` daemon to control which
principals may view and make privileged modifications to the Kerberos
database files.  The ACL filename is determined by the **acl_file**
variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\ ``/kadm5.acl``.

For more information on the Kerberos ACL file see :ref:`kadm5.acl(5)`.

.. _addadmin_kdb:

Add administrators to the Kerberos database
-------------------------------------------

Next you need to add administrative principals (i.e., principals who
are allowed to administer the Kerberos database) to the Kerberos
database.  You *must* add at least one principal now to allow
communication between the Kerberos administration daemon kadmind and
the kadmin program over the network for further administration.  To
do this, use the kadmin.local utility on the primary KDC.
kadmin.local is designed to be run on the primary KDC host without
using Kerberos authentication to an admin server; instead, it must
have read and write access to the Kerberos database on the local
filesystem.

The administrative principals you create should be the ones you added
to the ACL file (see :ref:`admin_acl`).

In the following example, the administrative principal ``admin/admin``
is created::

    shell% kadmin.local

    kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU

    No policy specified for "admin/admin@ATHENA.MIT.EDU";
    assigning "default".
    Enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Enter a password.
    Re-enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Type it again.
    Principal "admin/admin@ATHENA.MIT.EDU" created.
    kadmin.local:

.. _start_kdc_daemons:

Start the Kerberos daemons on the primary KDC
---------------------------------------------

At this point, you are ready to start the Kerberos KDC
(:ref:`krb5kdc(8)`) and administrative daemons on the primary KDC.  To
do so, type::

    shell% krb5kdc
    shell% kadmind

Each server daemon will fork and run in the background.

.. note::

    Assuming you want these daemons to start up automatically at boot
    time, you can add them to the KDC's ``/etc/rc`` or ``/etc/inittab``
    file.  You need to have a :ref:`stash_definition` in order to do
    this.

You can verify that they started properly by checking for their
startup messages in the logging locations you defined in
:ref:`krb5.conf(5)` (see :ref:`logging`).  For example::

    shell% tail /var/log/krb5kdc.log
    Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
    shell% tail /var/log/kadmin.log
    Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting

Any errors the daemons encounter while starting will also be listed in
the logging output.

As an additional verification, check if :ref:`kinit(1)` succeeds
against the principals that you have created on the previous step
(:ref:`addadmin_kdb`).  Run::

    shell% kinit admin/admin@ATHENA.MIT.EDU

Install the replica KDCs
------------------------

You are now ready to start configuring the replica KDCs.

.. note::

    Assuming you are setting the KDCs up so that you can easily switch
    the primary KDC with one of the replicas, you should perform each
    of these steps on the primary KDC as well as the replica KDCs,
    unless these instructions specify otherwise.

.. _replica_host_key:

Create host keytabs for replica KDCs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Each KDC needs a ``host`` key in the Kerberos database.  These keys
are used for mutual authentication when propagating the database dump
file from the primary KDC to the secondary KDC servers.

On the primary KDC, connect to the administrative interface and create
the host principal for each of the KDCs' ``host`` services.
For example, if the primary KDC were called ``kerberos.mit.edu``, and
you had a replica KDC named ``kerberos-1.mit.edu``, you would type the
following::

    shell% kadmin
    kadmin: addprinc -randkey host/kerberos.mit.edu
    No policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
    Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.

    kadmin: addprinc -randkey host/kerberos-1.mit.edu
    No policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default"
    Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.

It is not strictly necessary to have the primary KDC server in the
Kerberos database, but it can be handy if you want to be able to swap
the primary KDC with one of the replicas.

Next, extract ``host`` random keys for all participating KDCs and store
them in each host's default keytab file.  Ideally, you should extract
each keytab locally on its own KDC.  If this is not feasible, you
should use an encrypted session to send them across the network.  To
extract a keytab directly on a replica KDC called
``kerberos-1.mit.edu``, you would execute the following command::

    kadmin: ktadd host/kerberos-1.mit.edu
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha384-192 added to keytab FILE:/etc/krb5.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
If you are instead extracting a keytab for the replica KDC called
``kerberos-1.mit.edu`` on the primary KDC, you should use a dedicated
temporary keytab file for that machine's keytab::

    kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/kerberos-1.keytab.
    Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/tmp/kerberos-1.keytab.

The file ``/tmp/kerberos-1.keytab`` can then be installed as
``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``.

Configure replica KDCs
~~~~~~~~~~~~~~~~~~~~~~

Database propagation copies the contents of the primary's database, but
does not propagate configuration files, stash files, or the kadm5 ACL
file.  The following files must be copied by hand to each replica (see
:ref:`mitK5defaults` for the default locations for these files):

* krb5.conf
* kdc.conf
* kadm5.acl
* master key stash file

Move the copied files into their appropriate directories, exactly as on
the primary KDC.  kadm5.acl is only needed to allow a replica to swap
with the primary KDC.

The database is propagated from the primary KDC to the replica KDCs via
the :ref:`kpropd(8)` daemon.  You must explicitly specify the
principals which are allowed to provide Kerberos dump updates on the
replica machine with a new database.  Create a file named kpropd.acl in
the KDC state directory containing the ``host`` principals for each of
the KDCs::

    host/kerberos.mit.edu@ATHENA.MIT.EDU
    host/kerberos-1.mit.edu@ATHENA.MIT.EDU

.. note::

    If you expect that the primary and replica KDCs will be switched at
    some point of time, list the host principals from all participating
    KDC servers in the kpropd.acl files on all of the KDCs.  Otherwise,
    you only need to list the primary KDC's host principal in the
    kpropd.acl files of the replica KDCs.
Then, add the following line to ``/etc/inetd.conf`` on each KDC (adjust
the path to kpropd)::

    krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd

You also need to add the following line to ``/etc/services`` on each
KDC, if it is not already present (assuming that the default port is
used)::

    krb5_prop 754/tcp # Kerberos replica propagation

Restart the inetd daemon.

Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon.  This is
required when incremental propagation is enabled.

Now that the replica KDC is able to accept database propagation, you'll
need to propagate the database from the primary server.

NOTE: Do not start the replica KDC yet; you still do not have a copy of
the primary's database.

.. _kprop_to_replicas:

Propagate the database to each replica KDC
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

First, create a dump file of the database on the primary KDC, as
follows::

    shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans

Then, manually propagate the database to each replica KDC, as in the
following example::

    shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu

    Database propagation to kerberos-1.mit.edu: SUCCEEDED

You will need a script to dump and propagate the database.  The
following is an example of a Bourne shell script that will do this.

.. note::

    Remember that you need to replace ``/usr/local/var/krb5kdc`` with
    the name of the KDC state directory.

::

    #!/bin/sh

    # Replica KDCs that receive the dump.  A Bourne shell assignment
    # must not have spaces around the "=".
    kdclist="kerberos-1.mit.edu kerberos-2.mit.edu"

    # Dump the whole database to the transfer file ...
    kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans

    # ... and push that file to every replica in turn.
    for kdc in $kdclist
    do
        kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc
    done

You will need to set up a cron job to run this script at the intervals
you decided on earlier (see :ref:`db_prop`).
Now that the replica KDC has a copy of the Kerberos database, you can
start the krb5kdc daemon::

    shell% krb5kdc

As with the primary KDC, you will probably want to add this command to
the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start the
krb5kdc daemon automatically at boot time.

Propagation failed?
###################

You may encounter the following error messages.  For a more detailed
discussion on possible causes and solutions, click on the error link to
be redirected to the :ref:`troubleshoot` section.

.. include:: ./troubleshoot.rst
   :start-after: _prop_failed_start:
   :end-before: _prop_failed_end:

Add Kerberos principals to the database
---------------------------------------

Once your KDCs are set up and running, you are ready to use
:ref:`kadmin(1)` to load principals for your users, hosts, and other
services into the Kerberos database.  This procedure is described fully
in :ref:`add_mod_del_princs`.

You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or if
your primary KDC has a disk crash.  See the following section for the
instructions.

.. _switch_primary_replica:

Switching primary and replica KDCs
----------------------------------

You may occasionally want to use one of your replica KDCs as the
primary.  This might happen if you are upgrading the primary KDC, or if
your primary KDC has a disk crash.

Assuming you have configured all of your KDCs to be able to function as
either the primary KDC or a replica KDC (as this document recommends),
all you need to do to make the changeover is:

If the primary KDC is still running, do the following on the *old*
primary KDC:

#. Kill the kadmind process.
#. Disable the cron job that propagates the database.
#. Run your database propagation script manually, to ensure that the
   replicas all have the latest copy of the database (see
   :ref:`kprop_to_replicas`).

On the *new* primary KDC:

#. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`).
#. Set up the cron job to propagate the database (see
   :ref:`kprop_to_replicas`).
#. Switch the CNAMEs of the old and new primary KDCs.  If you can't do
   this, you'll need to change the :ref:`krb5.conf(5)` file on every
   client machine in your Kerberos realm.

Incremental database propagation
--------------------------------

If you expect your Kerberos database to become large, you may wish to
set up incremental propagation to replica KDCs.  See
:ref:`incr_db_prop` for details.

.. _lockout:

Account lockout
===============

As of release 1.8, the KDC can be configured to lock out principals
after a number of failed authentication attempts within a period of
time.  Account lockout can make it more difficult to attack a
principal's password by brute force, but also makes it easy for an
attacker to deny access to a principal.

Configuring account lockout
---------------------------

Account lockout only works for principals with the
**+requires_preauth** flag set.  Without this flag, the KDC cannot know
whether or not a client successfully decrypted the ticket it issued.
It is also important to set the **-allow_svr** flag on a principal to
protect its password from an off-line dictionary attack through a TGS
request.  You can set these flags on a principal with :ref:`kadmin(1)`
as follows::

    kadmin: modprinc +requires_preauth -allow_svr PRINCNAME

Account lockout parameters are configured via :ref:`policy objects
<policies>`.  There may be an existing policy associated with user
principals (such as the "default" policy), or you may need to create a
new one and associate it with each user principal.
The policy parameters related to account lockout are:

* **maxfailure**: the number of failed attempts before the principal is
  locked out
* **failurecountinterval**: the allowable interval between failed
  attempts
* **lockoutduration**: the amount of time a principal is locked out for

Here is an example of setting these parameters on a new policy and
associating it with a principal::

    kadmin: addpol -maxfailure 10 -failurecountinterval 180 -lockoutduration 60 lockout_policy
    kadmin: modprinc -policy lockout_policy PRINCNAME

Testing account lockout
-----------------------

To test that account lockout is working, try authenticating as the
principal (hopefully not one that might be in use) multiple times with
the wrong password.  For instance, if **maxfailure** is set to 2, you
might see::

    $ kinit user
    Password for user@KRBTEST.COM:
    kinit: Password incorrect while getting initial credentials
    $ kinit user
    Password for user@KRBTEST.COM:
    kinit: Password incorrect while getting initial credentials
    $ kinit user
    kinit: Client's credentials have been revoked while getting initial credentials

Account lockout principal state
-------------------------------

A principal entry keeps three pieces of state related to account
lockout:

* The time of last successful authentication
* The time of last failed authentication
* A counter of failed attempts

The time of last successful authentication is not actually needed for
the account lockout system to function, but may be of administrative
interest.  These fields can be observed with the **getprinc** kadmin
command.  For example::

    kadmin: getprinc user
    Principal: user@KRBTEST.COM
    ...
    Last successful authentication: [never]
    Last failed authentication: Mon Dec 03 12:30:33 EST 2012
    Failed password attempts: 2
    ...
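As an added illustration (not code from the krb5 tree), the following Python models the three policy parameters above acting on the three per-principal state fields, replays the two-strikes kinit sequence, and also shows how independent, unreplicated per-KDC copies of the counter multiply the number of guesses a realm tolerates, the concern the replication section below describes. The rule that a lockout whose duration has elapsed starts a fresh counter is this model's assumption; the real KDB modules may break that tie differently.

```python
"""Simplified model of the krb5 account-lockout rules described above.

Added illustration, not code from the krb5 tree.  Applies the documented
policy parameters (maxfailure, failurecountinterval, lockoutduration) to
the per-principal state fields (last success, last failure, counter).
Times are plain integer seconds.  ASSUMPTION: a lockout whose duration
has elapsed starts a fresh counter; the real KDB modules may differ.
"""
from dataclasses import dataclass
from typing import List, Optional

CORRECT_PASSWORD = "correct-horse"  # constructed sample value


@dataclass
class LockoutPolicy:
    maxfailure: int            # failed attempts before lockout; 0 = never lock
    failurecountinterval: int  # seconds between failures; 0 = never ages out
    lockoutduration: int       # seconds; 0 = locked until 'modprinc -unlock'


@dataclass
class PrincipalState:
    last_success: Optional[int] = None   # "Last successful authentication"
    last_failed: Optional[int] = None    # "Last failed authentication"
    fail_auth_count: int = 0             # "Failed password attempts"


class Kdc:
    """One KDC's copy of a principal entry.  Replicas hold independent
    copies because kprop and incremental propagation do not carry this."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.state = PrincipalState()

    def is_locked(self, now: int) -> bool:
        p, s = self.policy, self.state
        if p.maxfailure == 0 or s.fail_auth_count < p.maxfailure:
            return False
        if p.lockoutduration == 0:
            return True
        return now < s.last_failed + p.lockoutduration

    def authenticate(self, now: int, password: str) -> str:
        """Return the outcome kinit would report for one AS request."""
        p, s = self.policy, self.state
        if self.is_locked(now):
            return "CLIENT_REVOKED"      # "Client's credentials have been revoked"
        if password == CORRECT_PASSWORD:
            s.last_success = now
            s.fail_auth_count = 0
            return "OK"
        if s.last_failed is not None:
            interval_passed = (p.failurecountinterval != 0 and
                               now > s.last_failed + p.failurecountinterval)
            lockout_expired = (p.lockoutduration != 0 and
                               s.fail_auth_count >= p.maxfailure > 0 and
                               now >= s.last_failed + p.lockoutduration)
            if interval_passed or lockout_expired:
                s.fail_auth_count = 0    # earlier failures no longer count
        s.last_failed = now
        s.fail_auth_count += 1
        return "PREAUTH_FAILED"          # "Password incorrect"

    def admin_unlock(self) -> None:
        """Effect of 'modprinc -unlock': the counter goes back to 0."""
        self.state.fail_auth_count = 0


def kinit_sequence(policy: LockoutPolicy, passwords: List[str]) -> List[str]:
    """Replay password attempts one second apart against a single KDC."""
    kdc = Kdc(policy)
    return [kdc.authenticate(t, pw) for t, pw in enumerate(passwords)]


def guesses_tolerated(policy: LockoutPolicy, n_kdcs: int) -> int:
    """Count wrong passwords that are actually checked, spread round-robin
    over independent KDC copies, before every KDC reports a lockout.  With
    unreplicated lockout state this is maxfailure * n_kdcs."""
    if policy.maxfailure == 0:
        raise ValueError("policy never locks out")
    kdcs = [Kdc(policy) for _ in range(n_kdcs)]
    checked = 0
    while not all(k.is_locked(0) for k in kdcs):
        for k in kdcs:
            if k.authenticate(0, "wrong") == "PREAUTH_FAILED":
                checked += 1
    return checked


if __name__ == "__main__":
    two_strikes = LockoutPolicy(maxfailure=2, failurecountinterval=180,
                                lockoutduration=60)
    print(kinit_sequence(two_strikes, ["wrong", "wrong", CORRECT_PASSWORD]))
    doc_policy = LockoutPolicy(maxfailure=10, failurecountinterval=180,
                               lockoutduration=60)
    print(guesses_tolerated(doc_policy, 4))   # 40, as the text warns
```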
A principal which has been locked out can be administratively unlocked
with the **-unlock** option to the **modprinc** kadmin command::

    kadmin: modprinc -unlock PRINCNAME

This command will reset the number of failed attempts to 0.

KDC replication and account lockout
-----------------------------------

The account lockout state of a principal is not replicated by either
traditional :ref:`kprop(8)` or incremental propagation.  Because of
this, the number of attempts an attacker can make within a time period
is multiplied by the number of KDCs.  For instance, if the
**maxfailure** parameter on a policy is 10 and there are four KDCs in
the environment (a primary and three replicas), an attacker could make
as many as 40 attempts before the principal is locked out on all four
KDCs.

An administrative unlock is propagated from the primary to the replica
KDCs during the next propagation.  Propagation of an administrative
unlock will cause the counter of failed attempts on each replica to
reset to 1 on the next failure.

If a KDC environment uses a replication strategy other than kprop or
incremental propagation, such as the LDAP KDB module with multi-master
LDAP replication, then account lockout state may be replicated between
KDCs and the concerns of this section may not apply.

.. _disable_lockout:

KDC performance and account lockout
-----------------------------------

In order to fully track account lockout state, the KDC must write to
the database on each successful and failed authentication.  Writing to
the database is generally more expensive than reading from it, so these
writes may have a significant impact on KDC performance.  As of release
1.9, it is possible to turn off account lockout state tracking in order
to improve performance, by setting the **disable_last_success** and
**disable_lockout** variables in the database module subsection of
:ref:`kdc.conf(5)`.
For example::

    [dbmodules]
        DB = {
            disable_last_success = true
            disable_lockout = true
        }

Of the two variables, setting **disable_last_success** will usually
have the largest positive impact on performance, and will still allow
account lockout policies to operate.  However, it will make it
impossible to observe the last successful authentication time with
kadmin.

KDC setup and account lockout
-----------------------------

To update the account lockout state on principals, the KDC must be able
to write to the principal database.  For the DB2 module, no special
setup is required.  For the LDAP module, the KDC DN must be granted
write access to the principal objects.  If the KDC DN has only read
access, account lockout will not function.

Environment variables
=====================

This content has moved to :ref:`kerberos(7)`.

Backups of secure hosts
=======================

When you back up a secure host, you should exclude the host's keytab
file from the backup.  If someone obtained a copy of the keytab from a
backup, that person could make any host masquerade as the host whose
keytab was compromised.  In many configurations, knowledge of the
host's keytab also allows root access to the host.  This could be
particularly dangerous if the compromised keytab was from one of your
KDCs.  If the machine has a disk crash and the keytab file is lost, it
is easy to generate another keytab file.  (See :ref:`add_princ_kt`.)
If you are unable to exclude particular files from backups, you should
ensure that the backups are kept as secure as the host's root password.

Backing up the Kerberos database
--------------------------------

As with any file, it is possible that your Kerberos database could
become corrupted.
If this happens on one of the replica KDCs, you might never notice,
since the next automatic propagation of the database would install a
fresh copy.  However, if it happens to the primary KDC, the corrupted
database would be propagated to all of the replicas during the next
propagation.  For this reason, MIT recommends that you back up your
Kerberos database regularly.  Because the primary KDC is continuously
dumping the database to a file in order to propagate it to the replica
KDCs, it is a simple matter to have a cron job periodically copy the
dump file to a secure machine elsewhere on your network.  (Of course,
it is important to make the host where these backups are stored as
secure as your KDCs, and to encrypt its transmission across your
network.)  Then if your database becomes corrupted, you can load the
most recent dump onto the primary KDC.  (See :ref:`restore_from_dump`.)

Database administration
=======================

A Kerberos database contains all of a realm's Kerberos principals,
their passwords, and other administrative information about each
principal.  For the most part, you will use the :ref:`kdb5_util(8)`
program to manipulate the Kerberos database as a whole, and the
:ref:`kadmin(1)` program to make changes to the entries in the
database.  (One notable exception is that users will use the
:ref:`kpasswd(1)` program to change their own passwords.)  The kadmin
program has its own command-line interface, to which you type the
database administrating commands.

:ref:`kdb5_util(8)` provides a means to create, delete, load, or dump a
Kerberos database.  It also contains commands to roll over the database
master key, and to stash a copy of the key so that the
:ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons can use the database
without manual input.
:ref:`kadmin(1)` provides for the maintenance of Kerberos principals,
password policies, and service key tables (keytabs).  Normally it
operates as a network client using Kerberos authentication to
communicate with :ref:`kadmind(8)`, but there is also a variant, named
kadmin.local, which directly accesses the Kerberos database on the
local filesystem (or through LDAP).  kadmin.local is necessary to set
up enough of the database to be able to use the remote version.

kadmin can authenticate to the admin server using the service principal
``kadmin/admin`` or ``kadmin/HOST`` (where *HOST* is the hostname of
the admin server).  If the credentials cache contains a ticket for
either service principal and the **-c** ccache option is specified,
that ticket is used to authenticate to KADM5.  Otherwise, the **-p**
and **-k** options are used to specify the client Kerberos principal
name used to authenticate.  Once kadmin has determined the principal
name, it requests a ``kadmin/admin`` Kerberos service ticket from the
KDC, and uses that service ticket to authenticate to KADM5.

See :ref:`kadmin(1)` for the available kadmin and kadmin.local
commands and options.


kadmin options
--------------

You can invoke :ref:`kadmin(1)` or kadmin.local with any of the
following options:

.. include:: admin_commands/kadmin_local.rst
   :start-after: kadmin_synopsis:
   :end-before: kadmin_synopsis_end:

**OPTIONS**

.. include:: admin_commands/kadmin_local.rst
   :start-after: _kadmin_options:
   :end-before: _kadmin_options_end:


Date Format
-----------

For the supported date-time formats see the :ref:`getdate` section in
:ref:`datetime`.

Principals
----------

Each entry in the Kerberos database contains a Kerberos principal and
the attributes and policies associated with that principal.

.. _add_mod_del_princs:

Adding, modifying and deleting principals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

To add a principal to the database, use the :ref:`kadmin(1)`
**add_principal** command.
To modify attributes of a principal, use the kadmin **modify_principal** command. To delete a principal, use the kadmin **delete_principal** command. .. include:: admin_commands/kadmin_local.rst :start-after: _add_principal: :end-before: _add_principal_end: .. include:: admin_commands/kadmin_local.rst :start-after: _modify_principal: :end-before: _modify_principal_end: .. include:: admin_commands/kadmin_local.rst :start-after: _delete_principal: :end-before: _delete_principal_end: Examples ######## If you want to create a principal which is contained by a LDAP object, all you need to do is:: kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. Principal "jennifer@ATHENA.MIT.EDU" created. kadmin: If you want to create a principal under a specific LDAP container and link to an existing LDAP object, all you need to do is:: kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david No policy specified for "david@ATHENA.MIT.EDU"; defaulting to no policy. Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again. Principal "david@ATHENA.MIT.EDU" created. kadmin: If you want to associate a ticket policy to a principal, all you need to do is:: kadmin: modprinc -x tktpolicy=userpolicy david Principal "david@ATHENA.MIT.EDU" modified. kadmin: If, on the other hand, you want to set up an account that expires on January 1, 2000, that uses a policy called "stduser", with a temporary password (which you want the user to change immediately), you would type the following:: kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. 
Re-enter password for principal david@ATHENA.MIT.EDU: <= Type it again. Principal "david@ATHENA.MIT.EDU" created. kadmin: If you want to delete a principal:: kadmin: delprinc jennifer Are you sure you want to delete the principal "jennifer@ATHENA.MIT.EDU"? (yes/no): yes Principal "jennifer@ATHENA.MIT.EDU" deleted. Make sure that you have removed this principal from all ACLs before reusing. kadmin: Retrieving information about a principal ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To retrieve a listing of the attributes and/or policies associated with a principal, use the :ref:`kadmin(1)` **get_principal** command. To generate a listing of principals, use the kadmin **list_principals** command. .. include:: admin_commands/kadmin_local.rst :start-after: _get_principal: :end-before: _get_principal_end: .. include:: admin_commands/kadmin_local.rst :start-after: _list_principals: :end-before: _list_principals_end: Changing passwords ~~~~~~~~~~~~~~~~~~ To change a principal's password use the :ref:`kadmin(1)` **change_password** command. .. include:: admin_commands/kadmin_local.rst :start-after: _change_password: :end-before: _change_password_end: .. note:: Password changes through kadmin are subject to the same password policies as would apply to password changes through :ref:`kpasswd(1)`. .. _policies: Policies -------- A policy is a set of rules governing passwords. Policies can dictate minimum and maximum password lifetimes, minimum number of characters and character classes a password must contain, and the number of old passwords kept in the database. Adding, modifying and deleting policies ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To add a new policy, use the :ref:`kadmin(1)` **add_policy** command. To modify attributes of a principal, use the kadmin **modify_policy** command. To delete a policy, use the kadmin **delete_policy** command. .. include:: admin_commands/kadmin_local.rst :start-after: _add_policy: :end-before: _add_policy_end: .. 
include:: admin_commands/kadmin_local.rst :start-after: _modify_policy: :end-before: _modify_policy_end: .. include:: admin_commands/kadmin_local.rst :start-after: _delete_policy: :end-before: _delete_policy_end: .. note:: You must cancel the policy from *all* principals before deleting it. The *delete_policy* command will fail if the policy is in use by any principals. Retrieving policies ~~~~~~~~~~~~~~~~~~~ To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command. You can retrieve the list of policies with the kadmin **list_policies** command. .. include:: admin_commands/kadmin_local.rst :start-after: _get_policy: :end-before: _get_policy_end: .. include:: admin_commands/kadmin_local.rst :start-after: _list_policies: :end-before: _list_policies_end: Policies and principals ~~~~~~~~~~~~~~~~~~~~~~~ Policies can be applied to principals as they are created by using the **-policy** flag to :ref:`add_principal`. Existing principals can be modified by using the **-policy** or **-clearpolicy** flag to :ref:`modify_principal`. .. _updating_history_key: Updating the history key ~~~~~~~~~~~~~~~~~~~~~~~~ If a policy specifies a number of old keys kept of two or more, the stored old keys are encrypted in a history key, which is found in the key data of the ``kadmin/history`` principal. Currently there is no support for proper rollover of the history key, but you can change the history key (for example, to use a better encryption type) at the cost of invalidating currently stored old keys. To change the history key, run:: kadmin: change_password -randkey kadmin/history This command will fail if you specify the **-keepold** flag. Only one new history key will be created, even if you specify multiple key/salt combinations. In the future, we plan to migrate towards encrypting old keys in the master key instead of the history key, and implementing proper rollover support for stored old keys. .. 
_privileges: Privileges ---------- Administrative privileges for the Kerberos database are stored in the file :ref:`kadm5.acl(5)`. .. note:: A common use of an admin instance is so you can grant separate permissions (such as administrator access to the Kerberos database) to a separate Kerberos principal. For example, the user ``joeadmin`` might have a principal for his administrative use, called ``joeadmin/admin``. This way, ``joeadmin`` would obtain ``joeadmin/admin`` tickets only when he actually needs to use those permissions. .. _db_operations: Operations on the Kerberos database ----------------------------------- The :ref:`kdb5_util(8)` command is the primary tool for administrating the Kerberos database. .. include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_synopsis: :end-before: _kdb5_util_synopsis_end: **OPTIONS** .. include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_options: :end-before: _kdb5_util_options_end: .. toctree:: :maxdepth: 1 Dumping a Kerberos database to a file ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To dump a Kerberos database into a file, use the :ref:`kdb5_util(8)` **dump** command on one of the KDCs. .. 
include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_dump: :end-before: _kdb5_util_dump_end: Examples ######## :: shell% kdb5_util dump dumpfile shell% shell% kbd5_util dump -verbose dumpfile kadmin/admin@ATHENA.MIT.EDU krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU kadmin/history@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU kadmin/changepw@ATHENA.MIT.EDU shell% If you specify which principals to dump, you must use the full principal, as in the following example:: shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU K/M@ATHENA.MIT.EDU shell% Otherwise, the principals will not match those in the database and will not be dumped:: shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin shell% If you do not specify a dump file, kdb5_util will dump the database to the standard output. .. _restore_from_dump: Restoring a Kerberos database from a dump file ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ To restore a Kerberos database dump from a file, use the :ref:`kdb5_util(8)` **load** command on one of the KDCs. .. include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_load: :end-before: _kdb5_util_load_end: Examples ######## To dump a single principal and later load it, updating the database: :: shell% kdb5_util dump dumpfile principal@REALM shell% shell% kdb5_util load -update dumpfile shell% .. note:: If the database file exists, and the *-update* flag was not given, *kdb5_util* will overwrite the existing database. .. note:: Using kdb5_util to dump and reload the principal database is only necessary when upgrading from versions of krb5 prior to 1.2.0---newer versions will use the existing database as-is. .. _create_stash: Creating a stash file ~~~~~~~~~~~~~~~~~~~~~ A stash file allows a KDC to authenticate itself to the database utilities, such as :ref:`kadmind(8)`, :ref:`krb5kdc(8)`, and :ref:`kdb5_util(8)`. To create a stash file, use the :ref:`kdb5_util(8)` **stash** command. .. 
include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_stash: :end-before: _kdb5_util_stash_end: Example ####### shell% kdb5_util stash kdb5_util: Cannot find/read stored master key while reading master key kdb5_util: Warning: proceeding without master key Enter KDC database master key: <= Type the KDC database master password. shell% If you do not specify a stash file, kdb5_util will stash the key in the file specified in your :ref:`kdc.conf(5)` file. Creating and destroying a Kerberos database ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ If you need to create a new Kerberos database, use the :ref:`kdb5_util(8)` **create** command. .. include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_create: :end-before: _kdb5_util_create_end: If you need to destroy the current Kerberos database, use the :ref:`kdb5_util(8)` **destroy** command. .. include:: admin_commands/kdb5_util.rst :start-after: _kdb5_util_destroy: :end-before: _kdb5_util_destroy_end: Examples ######## :: shell% kdb5_util -r ATHENA.MIT.EDU create -s Loading random data Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', master key name 'K/M@ATHENA.MIT.EDU' You will be prompted for the database Master Password. It is important that you NOT FORGET this password. Enter KDC database master key: <= Type the master password. Re-enter KDC database master key to verify: <= Type it again. shell% shell% kdb5_util -r ATHENA.MIT.EDU destroy Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure? (type 'yes' to confirm)? <= yes OK, deleting database '/usr/local/var/krb5kdc/principal'... ** Database '/usr/local/var/krb5kdc/principal' destroyed. shell% .. _updating_master_key: Updating the master key ~~~~~~~~~~~~~~~~~~~~~~~ Starting with release 1.7, :ref:`kdb5_util(8)` allows the master key to be changed using a rollover process, with minimal loss of availability. To roll over the master key, follow these steps: #. 
On the primary KDC, run ``kdb5_util list_mkeys`` to view the current master key version number (KVNO). If you have never rolled over the master key before, this will likely be version 1:: $ kdb5_util list_mkeys Master keys for Principal: K/M@KRBTEST.COM KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 * #. On the primary KDC, run ``kdb5_util use_mkey 1`` to ensure that a master key activation list is present in the database. This step is unnecessary in release 1.11.4 or later, or if the database was initially created with release 1.7 or later. #. On the primary KDC, run ``kdb5_util add_mkey -s`` to create a new master key and write it to the stash file. Enter a secure password when prompted. If this is the first time you are changing the master key, the new key will have version 2. The new master key will not be used until you make it active. #. Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have any replica KDCs, you can skip this and the next step. #. On each replica KDC, run ``kdb5_util list_mkeys`` to verify that the new master key is present, and then ``kdb5_util stash`` to write the new master key to the replica KDC's stash file. #. On the primary KDC, run ``kdb5_util use_mkey 2`` to begin using the new master key. Replace ``2`` with the version of the new master key, as appropriate. You can optionally specify a date for the new master key to become active; by default, it will become active immediately. Prior to release 1.12, :ref:`kadmind(8)` must be restarted for this change to take full effect. #. On the primary KDC, run ``kdb5_util update_princ_encryption``. This command will iterate over the database and re-encrypt all keys in the new master key. If the database is large and uses DB2, the primary KDC will become unavailable while this command runs, but clients should fail over to replica KDCs (if any are present) during this time period. 
   In release 1.13 and later, you can instead run ``kdb5_util -x
   unlockiter update_princ_encryption`` to use unlocked iteration; this
   variant will take longer, but will keep the database available to
   the KDC and kadmind while it runs.

#. Wait until the above changes have propagated to all replica KDCs
   and until all running KDC and kadmind processes have serviced
   requests using updated principal entries.

#. On the primary KDC, run ``kdb5_util purge_mkeys`` to clean up the
   old master key.


.. _ops_on_ldap:

Operations on the LDAP database
-------------------------------

:ref:`kdb5_ldap_util(8)` is the primary tool for administering the
Kerberos LDAP database.  It allows an administrator to manage realms,
Kerberos services (KDC and Admin Server) and ticket policies.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_synopsis:
   :end-before: _kdb5_ldap_util_synopsis_end:

**OPTIONS**

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_options:
   :end-before: _kdb5_ldap_util_options_end:

.. _ldap_create_realm:

Creating a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to create a new realm, use the :ref:`kdb5_ldap_util(8)`
**create** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_create:
   :end-before: _kdb5_ldap_util_create_end:

.. _ldap_mod_realm:

Modifying a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to modify a realm, use the :ref:`kdb5_ldap_util(8)`
**modify** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_modify:
   :end-before: _kdb5_ldap_util_modify_end:

Destroying a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to destroy a Kerberos realm, use the
:ref:`kdb5_ldap_util(8)` **destroy** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_destroy:
   :end-before: _kdb5_ldap_util_destroy_end:

Retrieving information about a Kerberos realm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to display the attributes of a realm, use the
:ref:`kdb5_ldap_util(8)` **view** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_view:
   :end-before: _kdb5_ldap_util_view_end:

Listing available Kerberos realms
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

If you need to display the list of realms, use the
:ref:`kdb5_ldap_util(8)` **list** command as follows.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_list:
   :end-before: _kdb5_ldap_util_list_end:

.. _stash_ldap:

Stashing service object's password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The :ref:`kdb5_ldap_util(8)` **stashsrvpw** command allows an
administrator to store the password of a service object in a file.
The KDC and Administration server use this password to authenticate
to the LDAP server.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_stashsrvpw:
   :end-before: _kdb5_ldap_util_stashsrvpw_end:

Ticket Policy operations
~~~~~~~~~~~~~~~~~~~~~~~~

Creating a Ticket Policy
########################

To create a new ticket policy in the directory, use the
:ref:`kdb5_ldap_util(8)` **create_policy** command.  Ticket policy
objects are created under the realm container.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_create_policy:
   :end-before: _kdb5_ldap_util_create_policy_end:

Modifying a Ticket Policy
#########################

To modify a ticket policy in the directory, use the
:ref:`kdb5_ldap_util(8)` **modify_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_modify_policy:
   :end-before: _kdb5_ldap_util_modify_policy_end:

Retrieving Information About a Ticket Policy
############################################

To display the attributes of a ticket policy, use the
:ref:`kdb5_ldap_util(8)` **view_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_view_policy:
   :end-before: _kdb5_ldap_util_view_policy_end:

Destroying a Ticket Policy
##########################

To destroy an existing ticket policy, use the :ref:`kdb5_ldap_util(8)`
**destroy_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_destroy_policy:
   :end-before: _kdb5_ldap_util_destroy_policy_end:

Listing available Ticket Policies
#################################

To list the names of the ticket policies in a realm, use the
:ref:`kdb5_ldap_util(8)` **list_policy** command.

.. include:: admin_commands/kdb5_ldap_util.rst
   :start-after: _kdb5_ldap_util_list_policy:
   :end-before: _kdb5_ldap_util_list_policy_end:


.. _xrealm_authn:

Cross-realm authentication
--------------------------

In order for a KDC in one realm to authenticate Kerberos users in a
different realm, it must share a key with the KDC in the other realm.
In both databases, there must be krbtgt service principals for both
realms.  For example, if you need to do cross-realm authentication
between the realms ``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would
need to add the principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and
``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases.  These
principals must all have the same passwords, key version numbers, and
encryption types; this may require explicitly setting the key version
number with the **-kvno** option.
In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the
administrators would run the following commands on the KDCs in both
realms::

    shell%: kadmin.local -e "aes256-cts:normal"
    kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
    Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
    kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
    Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
    Re-enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
    kadmin:

.. note::

    Even if most principals in a realm are generally created with the
    **requires_preauth** flag enabled, this flag is not desirable on
    cross-realm authentication keys because doing so makes it
    impossible to disable preauthentication on a service-by-service
    basis.  Disabling it as in the example above is recommended.

.. note::

    It is very important that these principals have good passwords.
    MIT recommends that TGT principal passwords be at least 26
    characters of random ASCII text.


.. _changing_krbtgt_key:

Changing the krbtgt key
-----------------------

A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the
principal ``krbtgt/REALM``.  The key for this principal is created
when the Kerberos database is initialized and need not be changed.
However, it will only have the encryption types supported by the KDC
at the time of the initial database creation.  To allow use of newer
encryption types for the TGT, this key has to be changed.

Changing this key using the normal :ref:`kadmin(1)`
**change_password** command would invalidate any previously issued
TGTs.  Therefore, when changing this key, normally one should use the
**-keepold** flag to change_password to retain the previous key in the
database as well as the new key.  For example::

    kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU

.. warning::

    After issuing this command, the old key is still valid and is
    still vulnerable to (for instance) brute force attacks.  To
    completely retire an old key or encryption type, run the kadmin
    **purgekeys** command to delete keys with older kvnos, ideally
    first making sure that all tickets issued with the old keys have
    expired.

Only the first krbtgt key of the newest key version is used to encrypt
ticket-granting tickets.  However, the set of encryption types present
in the krbtgt keys is used by default to determine the session key
types supported by the krbtgt service (see
:ref:`session_key_selection`).  Because non-MIT Kerberos clients
sometimes send a limited set of encryption types when making AS
requests, it can be important for the krbtgt service to support
multiple encryption types.  This can be accomplished by giving the
krbtgt principal multiple keys, which is usually as simple as not
specifying any **-e** option when changing the krbtgt key, or by
setting the **session_enctypes** string attribute on the krbtgt
principal (see :ref:`set_string`).

Due to a bug in releases 1.8 through 1.13, renewed and forwarded
tickets may not work if the original ticket was obtained prior to a
krbtgt key change and the modified ticket is obtained afterwards.
Upgrading the KDC to release 1.14 or later will correct this bug.


.. _incr_db_prop:

Incremental database propagation
--------------------------------

Overview
~~~~~~~~

At some very large sites, dumping and transmitting the database can
take more time than is desirable for changes to propagate from the
primary KDC to the replica KDCs.  The incremental propagation support
added in the 1.7 release is intended to address this.

With incremental propagation enabled, all programs on the primary KDC
that change the database also write information about the changes to
an "update log" file, maintained as a circular buffer of a certain
size.
A process on each replica KDC connects to a service on the primary KDC
(currently implemented in the :ref:`kadmind(8)` server) and
periodically requests the changes that have been made since the last
check.  By default, this check is done every two minutes.

Incremental propagation uses the following entries in the per-realm
data in the KDC config file (See :ref:`kdc.conf(5)`):

====================== =============== ===========================================
iprop_enable           *boolean*       If *true*, then incremental propagation
                                       is enabled, and (as noted below) normal
                                       kprop propagation is disabled.  The
                                       default is *false*.
iprop_master_ulogsize  *integer*       Indicates the number of entries that
                                       should be retained in the update log.
                                       The default is 1000; the maximum
                                       number is 2500.
iprop_replica_poll     *time interval* Indicates how often the replica should
                                       poll the primary KDC for changes to the
                                       database.  The default is two minutes.
iprop_port             *integer*       Specifies the port number to be used
                                       for incremental propagation.  This is
                                       required in both primary and replica
                                       configuration files.
iprop_resync_timeout   *integer*       Specifies the number of seconds to
                                       wait for a full propagation to
                                       complete.  This is optional on replica
                                       configurations.  Defaults to 300
                                       seconds (5 minutes).
iprop_logfile          *file name*     Specifies where the update log file
                                       for the realm database is to be
                                       stored.  The default is to use the
                                       *database_name* entry from the realms
                                       section of the config file
                                       :ref:`kdc.conf(5)`, with *.ulog*
                                       appended.  (NOTE: If database_name
                                       isn't specified in the realms section,
                                       perhaps because the LDAP database back
                                       end is being used, or the file name is
                                       specified in the *dbmodules* section,
                                       then the hard-coded default for
                                       *database_name* is used.  Determination
                                       of the *iprop_logfile* default value
                                       will not use values from the
                                       *dbmodules* section.)
====================== =============== ===========================================

Both primary and replica sides must have a principal named
``kiprop/hostname`` (where *hostname* is the lowercase,
fully-qualified, canonical name for the host) registered in the
Kerberos database, and have keys for that principal stored in the
default keytab file (|keytab|).  The ``kiprop/hostname`` principal may
have been created automatically for the primary KDC, but it must
always be created for replica KDCs.

On the primary KDC side, the ``kiprop/hostname`` principal must be
listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the
**p** privilege (see :ref:`privileges`).

On the replica KDC side, :ref:`kpropd(8)` should be run.  When
incremental propagation is enabled, it will connect to the kadmind on
the primary KDC and start requesting updates.

The normal kprop mechanism is disabled by the incremental propagation
support.  However, if the replica has been unable to fetch changes
from the primary KDC for too long (network problems, perhaps), the log
on the primary may wrap around and overwrite some of the updates that
the replica has not yet retrieved.  In this case, the replica will
instruct the primary KDC to dump the current database out to a file
and invoke a one-time kprop propagation, with special options to also
convey the point in the update log at which the replica should resume
fetching incremental updates.  Thus, all the keytab and ACL setup
previously described for kprop propagation is still needed.

If an environment has a large number of replicas, it may be desirable
to arrange them in a hierarchy instead of having the primary serve
updates to every replica.  To do this, run ``kadmind -proponly`` on
each intermediate replica, and ``kpropd -A upstreamhostname`` on
downstream replicas to direct each one to the appropriate upstream
replica.
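The wrap-around behaviour described above, as an added model written for this page (it is not kadmind's or kpropd's code and does not follow the real ulog file format or RPC protocol): the log keeps at most ``iprop_master_ulogsize`` numbered changes, a replica poll asks for everything after the last serial it applied, and once that serial has been overwritten the only answer is a full dump that also hands back the serial at which incremental fetching resumes.  The principal names and change counts are constructed sample data.

```python
from collections import deque
from dataclasses import dataclass
from typing import List, Tuple, Union

# Simplified model of the iprop update log: a bounded circular buffer of
# numbered changes.  Not krb5's ulog layout or the kadmind/kpropd protocol.


@dataclass(frozen=True)
class Update:
    serial: int      # monotonically increasing change number
    principal: str   # entry that changed (constructed sample data)
    op: str          # "add", "modify" or "delete"


class FullResync:
    """Reply telling the replica to take a full kprop dump and then resume
    incremental fetching after `resume_serial`."""

    def __init__(self, resume_serial: int) -> None:
        self.resume_serial = resume_serial


class UpdateLog:
    def __init__(self, ulogsize: int) -> None:
        # iprop_master_ulogsize: once full, appending drops the oldest entry.
        self.entries = deque(maxlen=ulogsize)
        self.last_serial = 0

    def record(self, principal: str, op: str) -> int:
        """Called by every primary-side program that changes the database."""
        self.last_serial += 1
        self.entries.append(Update(self.last_serial, principal, op))
        return self.last_serial

    def oldest_serial(self) -> int:
        return self.entries[0].serial if self.entries else self.last_serial + 1

    def updates_since(self, replica_serial: int) -> Union[List[Update], FullResync]:
        """Answer a replica poll: all changes after replica_serial, or a full
        resync if the entry right after replica_serial has already been
        overwritten by wrap-around."""
        if replica_serial > self.last_serial:
            raise ValueError("replica claims a serial the primary never issued")
        if replica_serial + 1 < self.oldest_serial():
            # The replica fell behind by more than the log holds: dump the
            # database and tell it where incremental updates resume.
            return FullResync(self.last_serial)
        return [u for u in self.entries if u.serial > replica_serial]


def simulate_outage(ulogsize: int, changes_during_outage: int) -> Tuple[str, int]:
    """A replica in sync at serial 0 misses `changes_during_outage` changes
    (e.g. a network partition).  Returns what its next poll receives: either
    ("incremental", number of updates) or ("full_resync", resume serial)."""
    log = UpdateLog(ulogsize)
    for i in range(changes_during_outage):
        log.record(f"user{i}@EXAMPLE.COM", "modify")  # constructed sample changes
    reply = log.updates_since(0)
    if isinstance(reply, FullResync):
        return ("full_resync", reply.resume_serial)
    return ("incremental", len(reply))


if __name__ == "__main__":
    # With the default ulogsize of 1000, the 1001st missed change forces a dump.
    print(simulate_outage(1000, 1000))
    print(simulate_outage(1000, 1001))
```

Sizing follows directly: a replica can be unreachable for at most ``iprop_master_ulogsize`` changes before every poll after the outage turns into a full kprop dump.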
There are several known restrictions in the current implementation:

- The incremental update protocol does not transport changes to policy
  objects.  Any policy changes on the primary will result in full
  resyncs to all replicas.
- The replica's KDB module must support locking; it cannot be using the
  LDAP KDB module.
- The primary and replica must be able to initiate TCP connections in
  both directions, without an intervening NAT.


Sun/MIT incremental propagation differences
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Sun donated the original code for supporting incremental database
propagation to MIT.  Some changes have been made in the MIT source
tree that will be visible to administrators.  (These notes are based
on Sun's patches.  Changes to Sun's implementation since then may not
be reflected here.)

The Sun config file support looks for ``sunw_dbprop_enable``,
``sunw_dbprop_master_ulogsize``, and ``sunw_dbprop_slave_poll``.

The incremental propagation service is implemented as an ONC RPC
service.  In the Sun implementation, the service is registered with
rpcbind (also known as portmapper) and the client looks up the port
number to contact.  In the MIT implementation, where interaction with
some modern versions of rpcbind doesn't always work well, the port
number must be specified in the config file on both the primary and
replica sides.

The Sun implementation hard-codes pathnames in ``/var/krb5`` for the
update log and the per-replica kprop dump files.  In the MIT
implementation, the pathname for the update log is specified in the
config file, and the per-replica dump files are stored in
|kdcdir|\ ``/replica_datatrans_hostname``.


Various links
=============

Whitepapers
-----------

#. https://kerberos.org/software/whitepapers.html

Tutorials
---------

#. Fulvio Ricciardi _

Troubleshooting
---------------

#.
   https://wiki.ncsa.illinois.edu/display/ITS/Windows+Kerberos+Troubleshooting
#. https://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html
#. https://docs.oracle.com/cd/E19253-01/816-4557/trouble-1/index.html
#. https://docs.microsoft.com/en-us/previous-versions/tn-archive/bb463167(v=technet.10)#EBAA
#. https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528


.. _otp_preauth:

OTP Preauthentication
=====================

OTP is a preauthentication mechanism for Kerberos 5 which uses One
Time Passwords (OTP) to authenticate the client to the KDC.  The OTP
is passed to the KDC over an encrypted FAST channel in clear-text.
The KDC uses the password along with per-user configuration to proxy
the request to a third-party RADIUS system.  This enables
out-of-the-box compatibility with a large number of already widely
deployed proprietary systems.

Additionally, our implementation of the OTP system allows for the
passing of RADIUS requests over a UNIX domain stream socket.  This
permits the use of a local companion daemon which can handle the
details of authentication.


Defining token types
--------------------

Token types are defined in either :ref:`krb5.conf(5)` or
:ref:`kdc.conf(5)` according to the following format::

    [otp]
    <name> = {
        server = <host:port or filename> (default: see below)
        secret = <filename>
        timeout = <integer> (default: 5 [seconds])
        retries = <integer> (default: 3)
        strip_realm = <boolean> (default: true)
        indicator = <string> (default: none)
    }

If the server field begins with '/', it will be interpreted as a UNIX
socket.  Otherwise, it is assumed to be in the format host:port.  When
a UNIX domain socket is specified, the secret field is optional and an
empty secret is used by default.  If the server field is not
specified, it defaults to |kdcrundir|\ ``/<name>.socket``.

When forwarding the request over RADIUS, by default the principal is
used in the User-Name attribute of the RADIUS packet.
The strip_realm parameter controls whether the principal is forwarded
with or without the realm portion.

If an indicator field is present, tickets issued using this token type
will be annotated with the specified authentication indicator (see
:ref:`auth_indicator`).  This key may be specified multiple times to
add multiple indicators.


The default token type
----------------------

A default token type is used internally when no token type is
specified for a given user.  It is defined as follows::

    [otp]
    DEFAULT = {
        strip_realm = false
    }

The administrator may override the internal ``DEFAULT`` token type
simply by defining a configuration with the same name.


Token instance configuration
----------------------------

To enable OTP for a client principal, the administrator must define
the **otp** string attribute for that principal.  (See
:ref:`set_string`.)  The **otp** user string is a JSON string of the
format:

.. code-block:: xml

    [{
        "type": <string>,
        "username": <string>,
        "indicators": [<string>, ...]
     }, ...]

This is an array of token objects.  All fields of token objects are
optional.  The **type** field names the token type of this token; if
not specified, it defaults to ``DEFAULT``.  The **username** field
specifies the value to be sent in the User-Name RADIUS attribute.  If
not specified, the principal name is sent, with or without realm as
defined in the token type.  The **indicators** field specifies a list
of authentication indicators to annotate tickets with, overriding any
indicators specified in the token type.

For ease of configuration, an empty array (``[]``) is treated as
equivalent to one DEFAULT token (``[{}]``).


Other considerations
--------------------

#. FAST is required for OTP to work.
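How the token-type and token-instance settings above combine, as an added example written for this page (not the KDC's otp module): it parses the **otp** string attribute, resolves each token against the ``[otp]`` token types (including the built-in ``DEFAULT`` with ``strip_realm = false``), and reports the RADIUS User-Name and authentication indicators each token would produce.  The ``hardware`` token type, its server, secret path and ``hwtoken`` indicator are constructed sample configuration.

```python
import json
from typing import Dict, List, Optional

# Built-in DEFAULT token type (strip_realm = false).  An administrator can
# override it by defining an [otp] type with the same name.
BUILTIN_TOKEN_TYPES: Dict[str, dict] = {
    "DEFAULT": {"strip_realm": False, "indicators": []},
}


def parse_otp_attribute(otp_string: str) -> List[dict]:
    """Parse the 'otp' string attribute: a JSON array of token objects.
    An empty array means one DEFAULT token, i.e. [{}]."""
    tokens = json.loads(otp_string)
    if not isinstance(tokens, list):
        raise ValueError("otp attribute must be a JSON array")
    if not tokens:
        tokens = [{}]
    for token in tokens:
        if not isinstance(token, dict):
            raise ValueError("token objects must be JSON objects")
        unknown = set(token) - {"type", "username", "indicators"}
        if unknown:
            raise ValueError(f"unknown token fields: {sorted(unknown)}")
    return tokens


def resolve_token(token: dict, principal: str, token_types: Dict[str, dict]) -> dict:
    """Work out what one token object means for the given client principal."""
    type_name = token.get("type", "DEFAULT")
    if type_name not in token_types:
        raise KeyError(f"token type {type_name!r} is not defined in [otp]")
    ttype = token_types[type_name]
    # strip_realm defaults to true for administrator-defined types; only the
    # built-in DEFAULT type turns it off.
    strip_realm = ttype.get("strip_realm", True)
    if "username" in token:
        user_name = token["username"]
    elif strip_realm:
        user_name = principal.rsplit("@", 1)[0]
    else:
        user_name = principal
    # Indicators given on the token override those of the token type.
    indicators = token.get("indicators", ttype.get("indicators", []))
    return {"type": type_name, "user_name": user_name, "indicators": list(indicators)}


def resolve_principal(otp_string: str, principal: str,
                      configured_types: Optional[Dict[str, dict]] = None) -> List[dict]:
    """Resolve every token configured for a principal (a same-named
    administrator definition replaces the built-in DEFAULT)."""
    types = dict(BUILTIN_TOKEN_TYPES)
    types.update(configured_types or {})
    return [resolve_token(t, principal, types) for t in parse_otp_attribute(otp_string)]


# Constructed sample [otp] section, as a dict; "indicator" may be repeated in
# the real config, so it is modelled as a list here:
#   [otp]
#   hardware = {
#       server = radius.example.com:1812
#       secret = /etc/krb5kdc/hw.secret
#       indicator = hwtoken
#   }
SAMPLE_TYPES: Dict[str, dict] = {
    "hardware": {
        "server": "radius.example.com:1812",
        "secret": "/etc/krb5kdc/hw.secret",
        "indicators": ["hwtoken"],
    },
}

if __name__ == "__main__":
    for attr in ("[]", '[{"type": "hardware"}]',
                 '[{"type": "hardware", "username": "a.smith", "indicators": ["mfa"]}]'):
        print(attr, "->", resolve_principal(attr, "alice@EXAMPLE.COM", SAMPLE_TYPES))
```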
Host configuration
==================

All hosts running Kerberos software, whether they are clients,
application servers, or KDCs, can be configured using
:ref:`krb5.conf(5)`.  Here we describe some of the behavior changes
you might want to make.


Default realm
-------------

In the :ref:`libdefaults` section, the **default_realm** relation
sets the default Kerberos realm.  For example::

    [libdefaults]
        default_realm = ATHENA.MIT.EDU

The default realm affects Kerberos behavior in the following ways:

* When a principal name is parsed from text, the default realm is used
  if no ``@REALM`` component is specified.

* The default realm affects login authorization as described below.

* For programs which operate on a Kerberos database, the default realm
  is used to determine which database to operate on, unless the **-r**
  parameter is given to specify a realm.

* A server program may use the default realm when looking up its key in
  a :ref:`keytab file `, if its realm is not determined by
  :ref:`domain_realm` configuration or by the server program itself.

* If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous
  tickets from the default realm.

In some situations, these uses of the default realm might conflict.
For example, it might be desirable for principal name parsing to use
one realm by default, but for login authorization to use a second
realm.  In this situation, the first realm can be configured as the
default realm, and **auth_to_local** relations can be used as
described below to use the second realm for login authorization.


.. _login_authorization:

Login authorization
-------------------

If a host runs a Kerberos-enabled login service such as OpenSSH with
GSSAPIAuthentication enabled, login authorization rules determine
whether a Kerberos principal is allowed to access a local account.
By default, a Kerberos principal is allowed access to an account if
its realm matches the default realm and its name matches the account
name.  (For historical reasons, access is also granted by default if
the name has two components and the second component matches the
default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU``
is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is
the default realm.)

The simplest way to control local access is using :ref:`.k5login(5)`
files.  To use these, place a ``.k5login`` file in the home directory
of each account listing the principal names which should have login
access to that account.  If it is not desirable to use ``.k5login``
files located in account home directories, the **k5login_directory**
relation in the :ref:`libdefaults` section can specify a directory
containing one file per account name.

By default, if a ``.k5login`` file is present, it controls
authorization both positively and negatively--any principal name
contained in the file is granted access and any other principal name
is denied access, even if it would have had access if the ``.k5login``
file didn't exist.  The **k5login_authoritative** relation in the
:ref:`libdefaults` section can be set to false to make ``.k5login``
files provide positive authorization only.

The **auth_to_local** relation in the :ref:`realms` section for the
default realm can specify pattern-matching rules to control login
authorization.  For example, the following configuration allows access
to principals from a different realm than the default realm::

    [realms]
        DEFAULT.REALM = {
            # Allow access to principals from OTHER.REALM.
            #
            # [1:$1@$0] matches single-component principal names and creates
            # a selection string containing the principal name and realm.
            #
            # (.*@OTHER\.REALM) matches against the selection string, so that
            # only principals in OTHER.REALM are matched.
            #
            # s/@OTHER\.REALM$// removes the realm name, leaving behind the
            # principal name as the account name.
            auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//

            # Also allow principals from the default realm.  Omit this line
            # to only allow access to principals in OTHER.REALM.
            auth_to_local = DEFAULT
        }

The **auth_to_local_names** subsection of the :ref:`realms` section for
the default realm can specify explicit mappings from principal names to
local accounts.  The key used in this subsection is the principal name
without realm, so it is only safe to use in a Kerberos environment with
a single realm or a tightly controlled set of realms.  An example use of
**auth_to_local_names** might be::

    [realms]
        ATHENA.MIT.EDU = {
            auth_to_local_names = {
                # Careful, these match principals in any realm!
                host/example.com = hostaccount
                fred = localfred
            }
        }

Local authorization behavior can also be modified using plugin
modules; see :ref:`hostrealm_plugin` for details.


.. _plugin_config:

Plugin module configuration
---------------------------

Many aspects of Kerberos behavior, such as client preauthentication
and KDC service location, can be modified through the use of plugin
modules.  For most of these behaviors, you can use the :ref:`plugins`
section of krb5.conf to register third-party modules, and to switch
off registered or built-in modules.

A plugin module takes the form of a Unix shared object
(``modname.so``) or Windows DLL (``modname.dll``).  If you have
installed a third-party plugin module and want to register it, you do
so using the **module** relation in the appropriate subsection of the
[plugins] section.  The value for **module** must give the module name
and the path to the module, separated by a colon.  The module name
will often be the same as the shared object's name, but in unusual
cases (such as a shared object which implements multiple modules for
the same interface) it might not be.
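Returning to the login authorization rules of the previous section, the following is an added model written for this page (not libkrb5's own implementation) of how the ``DEFAULT`` rule and the ``RULE:[n:string](regex)s/a/b/`` form above decide which local account a principal maps to.  It assumes, as this model's own choice, that the parenthesised regex must match the whole selection string; the ``DEFAULT.REALM`` configuration shown above is reproduced as constructed sample input.

```python
import re
from typing import List, Optional

# Model of auth_to_local evaluation (added example, not libkrb5 code).
# Supported values:  DEFAULT
#                    RULE:[n:string](regex)s/pattern/replacement/[g]


class Principal:
    def __init__(self, text: str) -> None:
        name, sep, realm = text.rpartition("@")
        if not sep or not name or not realm:
            raise ValueError(f"principal needs the form name@REALM: {text!r}")
        self.components: List[str] = name.split("/")
        self.realm = realm


def default_rule(p: Principal, default_realm: str) -> Optional[str]:
    """DEFAULT: a single-component name in the default realm maps to the
    account of that name; name/DEFAULT_REALM@DEFAULT_REALM also maps (the
    historical two-component case described above)."""
    if p.realm != default_realm:
        return None
    if len(p.components) == 1:
        return p.components[0]
    if len(p.components) == 2 and p.components[1] == default_realm:
        return p.components[0]
    return None


_RULE = re.compile(r"^\[(\d+):([^\]]*)\](?:\(([^)]*)\))?(s/.*/.*/g?)?$")


def rule(p: Principal, text: str) -> Optional[str]:
    """Evaluate one RULE: value (the part after 'RULE:') against p."""
    m = _RULE.match(text)
    if not m:
        raise ValueError(f"malformed RULE: {text!r}")
    ncomp, fmt, regex, subst = m.groups()
    if len(p.components) != int(ncomp):     # [n:...] only applies to n-part names
        return None
    # Build the selection string: $0 is the realm, $1..$n the components.
    selection = fmt.replace("$0", p.realm)
    for i, comp in enumerate(p.components, start=1):
        selection = selection.replace(f"${i}", comp)
    # Model assumption: the regex has to match the entire selection string.
    if regex is not None and re.fullmatch(regex, selection) is None:
        return None
    if subst:
        pattern, repl, *rest = subst[2:].split("/")   # "s/pattern/repl/" [+ "g"]
        count = 0 if rest and rest[-1] == "g" else 1
        selection = re.sub(pattern, repl, selection, count=count)
    return selection


def map_to_account(principal: str, default_realm: str, rules: List[str]) -> Optional[str]:
    """Try each auth_to_local value in order; the first that yields a name wins.
    None means no rule matched and the principal gets no local account."""
    p = Principal(principal)
    for r in rules:
        if r == "DEFAULT":
            result = default_rule(p, default_realm)
        elif r.startswith("RULE:"):
            result = rule(p, r[len("RULE:"):])
        else:
            raise ValueError(f"unsupported auth_to_local value: {r!r}")
        if result is not None:
            return result
    return None


# The DEFAULT.REALM configuration shown above, as constructed sample input.
SAMPLE_RULES = [
    r"RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//",
    "DEFAULT",
]

if __name__ == "__main__":
    for who in ("alice@OTHER.REALM", "bob@DEFAULT.REALM", "carol@THIRD.REALM"):
        print(who, "->", map_to_account(who, "DEFAULT.REALM", SAMPLE_RULES))
```

Dropping the ``DEFAULT`` line, as the comment in the configuration suggests, makes ``bob@DEFAULT.REALM`` map to nothing, which is the observable way to confirm that only ``OTHER.REALM`` principals are admitted.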
For example, to register a client preauthentication module named
``mypreauth`` installed at ``/path/to/mypreauth.so``, you could write::

    [plugins]
        clpreauth = {
            module = mypreauth:/path/to/mypreauth.so
        }

Many of the pluggable behaviors in MIT krb5 contain built-in modules
which can be switched off.  You can disable a built-in module (or one
you have registered) using the **disable** directive in the
appropriate subsection of the [plugins] section.  For example, to
disable the use of .k5identity files to select credential caches, you
could write::

    [plugins]
        ccselect = {
            disable = k5identity
        }

If you want to disable multiple modules, specify the **disable**
directive multiple times, giving one module to disable each time.

Alternatively, you can explicitly specify which modules you want to
be enabled for that behavior using the **enable_only** directive.
For example, to make :ref:`kadmind(8)` check password quality using
only a module you have registered, and no other mechanism, you could
write::

    [plugins]
        pwqual = {
            module = mymodule:/path/to/mymodule.so
            enable_only = mymodule
        }

Again, if you want to specify multiple modules, specify the
**enable_only** directive multiple times, giving one module to enable
each time.

Some Kerberos interfaces use different mechanisms to register plugin
modules.


KDC location modules
~~~~~~~~~~~~~~~~~~~~

For historical reasons, modules to control how KDC servers are located
are registered simply by placing the shared object or DLL into the
"libkrb5" subdirectory of the krb5 plugin directory, which defaults to
|libdir|\ ``/krb5/plugins``.  For example, Samba's winbind krb5
locator plugin would be registered by placing its shared object in
|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``.


.. _gssapi_plugin_config:

GSSAPI mechanism modules
~~~~~~~~~~~~~~~~~~~~~~~~

GSSAPI mechanism modules are registered using the file
|sysconfdir|\ ``/gss/mech`` or configuration files in the
|sysconfdir|\ ``/gss/mech.d`` directory with a ``.conf``
suffix.  Each line in these files has the form::

    name  oid  pathname  [options]  <type>

Only the name, oid, and pathname are required.  *name* is the
mechanism name, which may be used for debugging or logging purposes.
*oid* is the object identifier of the GSSAPI mechanism to be
registered.  *pathname* is a path to the module shared object or DLL.
*options* (if present) are options provided to the plugin module,
surrounded in square brackets.  *type* (if present) can be used to
indicate a special type of module.  Currently the only special module
type is "interposer", for a module designed to intercept calls to
other mechanisms.

If the environment variable **GSS_MECH_CONFIG** is set, its value is
used as the sole mechanism configuration filename.


.. _profile_plugin_config:

Configuration profile modules
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A configuration profile module replaces the information source for
:ref:`krb5.conf(5)` itself.  To use a profile module, begin krb5.conf
with the line::

    module PATHNAME:STRING

where *PATHNAME* is a path to the module shared object or DLL, and
*STRING* is a string to provide to the module.  The module will then
take over, and the rest of krb5.conf will be ignored.


Database types
==============

A Kerberos database can be implemented with one of three built-in
database providers, called KDB modules.  Software which incorporates
the MIT krb5 KDC may also provide its own KDB module.  The following
subsections describe the three built-in KDB modules and the
configuration specific to them.
The database type can be configured with the **db_library** variable
in the :ref:`dbmodules` subsection for the realm.  For example::

    [dbmodules]
        ATHENA.MIT.EDU = {
            db_library = db2
        }

If the ``ATHENA.MIT.EDU`` realm subsection contains a
**database_module** setting, then the subsection within
``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``.

To transition from one database type to another, stop the
:ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump
file, change the **db_library** value and set any appropriate
configuration for the new database type, and use ``kdb5_util load`` to
create and populate the new database.  If the new database type is
LDAP, create the new database using ``kdb5_ldap_util`` and populate it
from the dump file using ``kdb5_util load -update``.  Then restart the
:ref:`krb5kdc(8)` and :ref:`kadmind(8)` services.


Berkeley database module (db2)
------------------------------

The default KDB module is ``db2``, which uses a version of the
Berkeley DB library.  It creates four files based on the database
pathname.  If the pathname ends with ``principal`` then the four files
are:

* ``principal``, containing principal entry data
* ``principal.ok``, a lock file for the principal database
* ``principal.kadm5``, containing policy object data
* ``principal.kadm5.lock``, a lock file for the policy database

For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps
invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental
propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable
period of time while it iterates over the database.  This delay can be
avoided by disabling account lockout features so that the KDC does not
perform database writes (see :ref:`disable_lockout`).  Alternatively,
a slower form of iteration can be enabled by setting the
**unlockiter** variable to ``true``.
For example::

    [dbmodules]
        ATHENA.MIT.EDU = {
            db_library = db2
            unlockiter = true
        }

In rare cases, a power failure or other unclean system shutdown may
cause inconsistencies in the internal pointers within a database file,
such that ``kdb5_util dump`` cannot retrieve all principal entries in
the database.  In this situation, it may be possible to retrieve all
of the principal data by running ``kdb5_util dump -recurse`` to
iterate over the database using the tree pointers instead of the
iteration pointers.  Running ``kdb5_util dump -rev`` to iterate over
the database backwards may also retrieve some of the data which is not
retrieved by a normal dump operation.


Lightning Memory-Mapped Database module (klmdb)
-----------------------------------------------

The klmdb module was added in release 1.17.  It uses the LMDB library,
and may offer better performance and reliability than the db2 module.
It creates four files based on the database pathname.  If the
pathname ends with ``principal``, then the four files are:

* ``principal.mdb``, containing policy object data and most principal
  entry data
* ``principal.mdb-lock``, a lock file for the primary database
* ``principal.lockout.mdb``, containing the account lockout attributes
  (last successful authentication time, last failed authentication
  time, and number of failed attempts) for each principal entry
* ``principal.lockout.mdb-lock``, a lock file for the lockout database

Separating out the lockout attributes ensures that the KDC will never
block on an administrative operation such as a database dump or load.
It also allows the KDC to operate without write access to the primary
database.  If both account lockout features are disabled (see
:ref:`disable_lockout`), the lockout database files will be created
but will not subsequently be opened, and the account lockout
attributes will always have zero values.
Because LMDB creates a memory map to the database files, it requires a
configured memory map size which also determines the maximum size of
the database.  This size is applied equally to the two databases, so
twice the configured size will be consumed in the process address
space; this is primarily a limitation on 32-bit platforms.  The
default value of 128 megabytes should be sufficient for several
hundred thousand principal entries.  If the limit is reached, kadmin
operations will fail and the error message "Environment mapsize limit
reached" will appear in the kadmind log file.  In this case, the
**mapsize** variable can be used to increase the map size.  The
following example sets the map size to 512 megabytes::

    [dbmodules]
        ATHENA.MIT.EDU = {
            db_library = klmdb
            mapsize = 512
        }

LMDB has a configurable maximum number of readers.  The default value
of 128 should be sufficient for most deployments.  If you are going to
use a large number of KDC worker processes, it may be necessary to set
the **max_readers** variable to a larger number.

By default, LMDB synchronizes database files to disk after each write
transaction to ensure durability in the case of an unclean system
shutdown.  The klmdb module always turns synchronization off for the
lockout database to ensure reasonable KDC performance, but leaves it
on for the primary database.  If high throughput for administrative
operations (including password changes) is required, the **nosync**
variable can be set to "true" to disable synchronization for the
primary database.

The klmdb module does not support explicit locking with the
:ref:`kadmin(1)` **lock** command.


LDAP module (kldap)
-------------------

The kldap module stores principal and policy data using an LDAP
server.  To use it you must configure an LDAP server to use the
Kerberos schema.  See :ref:`conf_ldap` for details.

Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP
database accesses may limit KDC operation throughput.
If the LDAP server is located on the same server host as the KDC and accessed through an ``ldapi://`` URL, latency should be minimal.  If this is not possible, consider starting multiple KDC worker processes with the :ref:`krb5kdc(8)` **-w** option to enable concurrent processing of KDC requests.

The kldap module does not support explicit locking with the :ref:`kadmin(1)` **lock** command.

.. _pkinit:

PKINIT configuration
====================

PKINIT is a preauthentication mechanism for Kerberos 5 which uses X.509 certificates to authenticate the KDC to clients and vice versa.  PKINIT can also be used to enable anonymity support, allowing clients to communicate securely with the KDC or with application servers without authenticating as a particular client principal.

Creating certificates
---------------------

PKINIT requires an X.509 certificate for the KDC and one for each client principal which will authenticate using PKINIT.  For anonymous PKINIT, a KDC certificate is required, but client certificates are not.  A commercially issued server certificate can be used for the KDC certificate, but generally cannot be used for client certificates.

The instructions in this section describe how to establish a certificate authority and create standard PKINIT certificates.  Skip this section if you are using a commercially issued server certificate as the KDC certificate for anonymous PKINIT, or if you are configuring a client to use an Active Directory KDC.

Generating a certificate authority certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You can establish a new certificate authority (CA) for use with a PKINIT deployment with the commands::

    openssl genrsa -out cakey.pem 2048
    openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650

The second command will ask for the values of several certificate fields.
These fields can be set to any values.  You can adjust the expiration time of the CA certificate by changing the number after ``-days``.  Since the CA certificate must be deployed to client machines each time it changes, it should normally have an expiration time far in the future; however, expiration times after 2037 may cause interoperability issues in rare circumstances.

The result of these commands will be two files, cakey.pem and cacert.pem.  cakey.pem will contain a 2048-bit RSA private key, which must be carefully protected.  cacert.pem will contain the CA certificate, which must be placed in the filesystems of the KDC and each client host.  cakey.pem will be required to create KDC and client certificates.

Generating a KDC certificate
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A KDC certificate for use with PKINIT is required to have some unusual fields, which makes generating them with OpenSSL somewhat complicated.  First, you will need a file containing the following::

    [kdc_cert]
    basicConstraints=CA:FALSE
    keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
    extendedKeyUsage=1.3.6.1.5.2.3.5
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    issuerAltName=issuer:copy
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name

    [kdc_princ_name]
    realm=EXP:0,GeneralString:${ENV::REALM}
    principal_name=EXP:1,SEQUENCE:kdc_principal_seq

    [kdc_principal_seq]
    name_type=EXP:0,INTEGER:2
    name_string=EXP:1,SEQUENCE:kdc_principals

    [kdc_principals]
    princ1=GeneralString:krbtgt
    princ2=GeneralString:${ENV::REALM}

If the above contents are placed in extensions.kdc, you can generate and sign a KDC certificate with the following commands::

    openssl genrsa -out kdckey.pem 2048
    openssl req -new -out kdc.req -key kdckey.pem
    env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \
        -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \
        -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
    rm kdc.req

The second command will ask for the values of certificate fields,
which can be set to any values.  In the third command, substitute your KDC's realm name for YOUR_REALMNAME.  You can adjust the certificate's expiration date by changing the number after ``-days``.  Remember to create a new KDC certificate before the old one expires.

The result of this operation will be in two files, kdckey.pem and kdc.pem.  Both files must be placed in the KDC's filesystem.  kdckey.pem, which contains the KDC's private key, must be carefully protected.

If you examine the KDC certificate with ``openssl x509 -in kdc.pem -text -noout``, OpenSSL will not know how to display the KDC principal name in the Subject Alternative Name extension, so it will appear as ``othername:``.  This is normal and does not mean anything is wrong with the KDC certificate.

Generating client certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

PKINIT client certificates also must have some unusual certificate fields.  To generate a client certificate with OpenSSL for a single-component principal name, you will need an extensions file (different from the KDC extensions file above) containing::

    [client_cert]
    basicConstraints=CA:FALSE
    keyUsage=digitalSignature,keyEncipherment,keyAgreement
    extendedKeyUsage=1.3.6.1.5.2.3.4
    subjectKeyIdentifier=hash
    authorityKeyIdentifier=keyid,issuer
    issuerAltName=issuer:copy
    subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name

    [princ_name]
    realm=EXP:0,GeneralString:${ENV::REALM}
    principal_name=EXP:1,SEQUENCE:principal_seq

    [principal_seq]
    name_type=EXP:0,INTEGER:1
    name_string=EXP:1,SEQUENCE:principals

    [principals]
    princ1=GeneralString:${ENV::CLIENT}

If the above contents are placed in extensions.client, you can generate and sign a client certificate with the following commands::

    openssl genrsa -out clientkey.pem 2048
    openssl req -new -key clientkey.pem -out client.req
    env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \
        -CAkey cakey.pem -CA cacert.pem -req -in client.req \
        -extensions client_cert -extfile extensions.client \
        -days 365 -out client.pem
    rm client.req

Normally, the first two commands should be run on the client host, and the resulting client.req file transferred to the certificate authority host for the third command.  As in the previous steps, the second command will ask for the values of certificate fields, which can be set to any values.  In the third command, substitute your realm's name for YOUR_REALMNAME and the client's principal name (without realm) for YOUR_PRINCNAME.  You can adjust the certificate's expiration date by changing the number after ``-days``.

The result of this operation will be two files, clientkey.pem and client.pem.  Both files must be present on the client's host; clientkey.pem, which contains the client's private key, must be protected from access by others.

As in the KDC certificate, OpenSSL will display the client principal name as ``othername:`` in the Subject Alternative Name extension of a PKINIT client certificate.

If the client principal name contains more than one component (e.g. ``host/example.com@REALM``), the ``[principals]`` section of ``extensions.client`` must be altered to contain multiple entries.  (Simply setting ``CLIENT`` to ``host/example.com`` would generate a certificate for ``host\/example.com@REALM`` which would not match the multi-component principal name.)  For a two-component principal, the section should read::

    [principals]
    princ1=GeneralString:${ENV::CLIENT1}
    princ2=GeneralString:${ENV::CLIENT2}

The environment variables ``CLIENT1`` and ``CLIENT2`` must then be set to the first and second components when running ``openssl x509``.

Configuring the KDC
-------------------

The KDC must have filesystem access to the KDC certificate (kdc.pem) and the KDC private key (kdckey.pem).
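The ``subjectAltName`` lines in extensions.kdc and extensions.client above make OpenSSL emit an otherName of type 1.3.6.1.5.2.2 whose value is the ASN.1 KRB5PrincipalName structure: a realm, a name-type and a SEQUENCE OF name-string components, which is exactly what the ``EXP:`` and ``SEQUENCE:`` lines in those files spell out.  Because ``openssl x509 -text`` shows that value only as ``othername:``, the following added example (written for this page; it is not code from the krb5 project or its documentation) encodes and decodes the structure with hand-rolled DER so that a certificate's principal name can be checked before kdc.pem or client.pem is deployed.  It also renders a decoded name the way krb5 prints principals, which shows why the single component ``host/example.com`` is not the two-component name ``host`` plus ``example.com``.  The realm and principal names in the block are constructed sample values; the name-type numbers 1 and 2 are the ``INTEGER:1`` and ``INTEGER:2`` values used in the extension files above.

```python
"""DER encode/decode of the PKINIT KRB5PrincipalName SAN otherName.

Added example, not part of the krb5 documentation or code base.  It
builds the value described by the OpenSSL extension sections above
(otherName type-id 1.3.6.1.5.2.2, RFC 4556 section 3.2.2):

    KRB5PrincipalName ::= SEQUENCE {
        realm         [0] GeneralString,
        principalName [1] SEQUENCE {
            name-type   [0] INTEGER,
            name-string [1] SEQUENCE OF GeneralString } }

and parses it back, which ``openssl x509 -text`` does not do for this
otherName (it prints only ``othername:``).  Standard library only.
"""

KRB5_NT_PRINCIPAL = 1   # name-type for ordinary client principals (INTEGER:1)
KRB5_NT_SRV_INST = 2    # name-type used for krbtgt/REALM in the KDC cert (INTEGER:2)
ID_PKINIT_SAN = bytes([0x2B, 0x06, 0x01, 0x05, 0x02, 0x02])  # OID 1.3.6.1.5.2.2


def _length(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def _general_string(s):
    return _tlv(0x1B, s.encode("ascii"))       # UNIVERSAL 27 GeneralString


def _explicit(n, body):
    return _tlv(0xA0 | n, body)                 # [n] EXPLICIT, constructed


def encode_krb5_principal_name(realm, components, name_type):
    """DER KRB5PrincipalName for a realm and a list of name components."""
    name_string = _tlv(0x30, b"".join(_general_string(c) for c in components))
    principal_name = _tlv(0x30, _explicit(0, _tlv(0x02, bytes([name_type])))
                          + _explicit(1, name_string))
    return _tlv(0x30, _explicit(0, _general_string(realm))
                + _explicit(1, principal_name))


def encode_pkinit_san_othername(realm, components, name_type):
    """The complete otherName GeneralName as it appears in subjectAltName."""
    value = encode_krb5_principal_name(realm, components, name_type)
    return _tlv(0xA0, _tlv(0x06, ID_PKINIT_SAN) + _explicit(0, value))


def _read(buf, pos, want):
    """Read one TLV at pos, check its tag, return (body, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag != want:
        raise ValueError("expected tag 0x%02x, found 0x%02x" % (want, tag))
    return buf[pos:pos + length], pos + length


def decode_krb5_principal_name(der):
    """Parse DER KRB5PrincipalName -> (realm, [components], name_type)."""
    body, _ = _read(der, 0, 0x30)
    realm_exp, pos = _read(body, 0, 0xA0)
    realm = _read(realm_exp, 0, 0x1B)[0].decode("ascii")
    pn_exp, _ = _read(body, pos, 0xA1)
    pn, _ = _read(pn_exp, 0, 0x30)
    nt_exp, pos = _read(pn, 0, 0xA0)
    name_type = int.from_bytes(_read(nt_exp, 0, 0x02)[0], "big")
    ns_exp, _ = _read(pn, pos, 0xA1)
    ns, _ = _read(ns_exp, 0, 0x30)
    components, pos = [], 0
    while pos < len(ns):                        # one GeneralString per component
        comp, pos = _read(ns, pos, 0x1B)
        components.append(comp.decode("ascii"))
    return realm, components, name_type


def decode_pkinit_san_othername(der):
    """Unwrap an otherName GeneralName, insisting on the id-pkinit-san type-id."""
    body, _ = _read(der, 0, 0xA0)
    oid, pos = _read(body, 0, 0x06)
    if oid != ID_PKINIT_SAN:
        raise ValueError("otherName is not id-pkinit-san")
    value_exp, _ = _read(body, pos, 0xA0)
    return decode_krb5_principal_name(value_exp)


def unparse(realm, components):
    """Render as krb5 does: a '/' inside one component is escaped, so the
    single component 'host/example.com' is not 'host' + 'example.com'."""
    def esc(c):
        return c.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in components) + "@" + realm


if __name__ == "__main__":
    # Constructed sample values, not a real realm or certificate.
    san = encode_pkinit_san_othername("EXAMPLE.COM", ["krbtgt", "EXAMPLE.COM"],
                                      KRB5_NT_SRV_INST)
    print(san.hex())
    realm, comps, nt = decode_pkinit_san_othername(san)
    print(unparse(realm, comps), "name-type", nt)
```

To check a real certificate, pull the otherName bytes out of the Subject Alternative Name extension with a full ASN.1 tool such as ``openssl asn1parse`` and hand them to ``decode_pkinit_san_othername``; the decoder rejects any otherName whose type-id is not id-pkinit-san, so a certificate carrying some other otherName is reported rather than silently misread.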
Configure the following relation in the KDC's :ref:`kdc.conf(5)` file, either in the :ref:`kdcdefaults` section or in a :ref:`kdc_realms` subsection (with appropriate pathnames)::

    pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem

If any clients will authenticate using regular (as opposed to anonymous) PKINIT, the KDC must also have filesystem access to the CA certificate (cacert.pem), and the following configuration (with the appropriate pathname)::

    pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem

Because of the larger size of requests and responses using PKINIT, you may also need to allow TCP access to the KDC::

    kdc_tcp_listen = 88

Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration changes.

The principal entry for each PKINIT-using client must be configured to require preauthentication.  Ensure this with the command::

    kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME'

Starting with release 1.12, it is possible to remove the long-term keys of a principal entry, which can save some space in the database and help to clarify some PKINIT-related error conditions by not asking for a password::

    kadmin -q 'purgekeys -all YOUR_PRINCNAME'

These principal options can also be specified at principal creation time as follows::

    kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'

By default, the KDC requires PKINIT client certificates to have the standard Extended Key Usage and Subject Alternative Name attributes for PKINIT.  Starting in release 1.16, it is possible to authorize client certificates based on the subject or other criteria instead of the standard PKINIT Subject Alternative Name, by setting the **pkinit_cert_match** string attribute on each client principal entry.  For example::

    kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$"

The **pkinit_cert_match** string attribute follows the syntax used by the :ref:`krb5.conf(5)` **pkinit_cert_match** relation.
To allow the use of non-PKINIT client certificates, it will also be necessary to disable key usage checking using the **pkinit_eku_checking** relation; for example::

    [kdcdefaults]
        pkinit_eku_checking = none

Configuring the clients
-----------------------

Client hosts must be configured to trust the issuing authority for the KDC certificate.  For a newly established certificate authority, the client host must have filesystem access to the CA certificate (cacert.pem) and the following relation in :ref:`krb5.conf(5)` in the appropriate :ref:`realms` subsection (with appropriate pathnames)::

    pkinit_anchors = FILE:/etc/krb5/cacert.pem

If the KDC certificate is a commercially issued server certificate, the issuing certificate is most likely included in a system directory.  You can specify it by filename as above, or specify the whole directory like so::

    pkinit_anchors = DIR:/etc/ssl/certs

A commercially issued server certificate will usually not have the standard PKINIT principal name or Extended Key Usage extensions, so the following additional configuration is required::

    pkinit_eku_checking = kpServerAuth
    pkinit_kdc_hostname = hostname.of.kdc.certificate

Multiple **pkinit_kdc_hostname** relations can be configured to recognize multiple KDC certificates.  If the KDC is an Active Directory domain controller, setting **pkinit_kdc_hostname** is necessary, but it should not be necessary to set **pkinit_eku_checking**.

To perform regular (as opposed to anonymous) PKINIT authentication, a client host must have filesystem access to a client certificate (client.pem), and the corresponding private key (clientkey.pem).  Configure the following relations in the client host's :ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection (with appropriate pathnames)::

    pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem

If the KDC and client are properly configured, it should now be possible to run ``kinit username`` without entering a password.

.. _anonymous_pkinit:

Anonymous PKINIT
----------------

Anonymity support in Kerberos allows a client to obtain a ticket without authenticating as any particular principal.  Such a ticket can be used as a FAST armor ticket, or to securely communicate with an application server anonymously.

To configure anonymity support, you must generate or otherwise procure a KDC certificate and configure the KDC host, but you do not need to generate any client certificates.  On the KDC, you must set the **pkinit_identity** variable to provide the KDC certificate, but do not need to set the **pkinit_anchors** variable or store the issuing certificate if you won't have any client certificates to verify.  On client hosts, you must set the **pkinit_anchors** variable (and possibly **pkinit_kdc_hostname** and **pkinit_eku_checking**) in order to trust the issuing authority for the KDC certificate, but do not need to set the **pkinit_identities** variable.

Anonymity support is not enabled by default.  To enable it, you must create the principal ``WELLKNOWN/ANONYMOUS`` using the command::

    kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'

Some Kerberos deployments include application servers which lack proper access control, and grant some level of access to any user who can authenticate.  In such an environment, enabling anonymity support on the KDC would present a security issue.  If you need to enable anonymity support for TGTs (for use as FAST armor tickets) without enabling anonymous authentication to application servers, you can set the variable **restrict_anonymous_to_tgt** to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file.

To obtain anonymous credentials on a client, run ``kinit -n``, or ``kinit -n @REALMNAME`` to specify a realm.  The resulting tickets will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``.
Freshness tokens
----------------

Freshness tokens can ensure that the client has recently had access to its certificate private key.  If freshness tokens are not required by the KDC, a client program with temporary possession of the private key can compose requests for future timestamps and use them later.

In release 1.17 and later, freshness tokens are supported by the client and are sent by the KDC when the client indicates support for them.  Because not all clients support freshness tokens yet, they are not required by default.  To check if freshness tokens are supported by a realm's clients, look in the KDC logs for the lines::

    PKINIT: freshness token received from
    PKINIT: no freshness token received from

To require freshness tokens for all clients in a realm (except for clients authenticating anonymously), set the **pkinit_require_freshness** variable to ``true`` in the appropriate :ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file.  To test that this option is in effect, run ``kinit -X disable_freshness`` and verify that authentication is unsuccessful.

Initial credentials
===================

Software that performs tasks such as logging users into a computer when they type their Kerberos password needs to get initial credentials (usually ticket granting tickets) from Kerberos.  Such software shares some behavior with the :ref:`kinit(1)` program.

Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC.
Failure to perform this verification is a critical vulnerability, because a malicious user can execute the "Zanarotti attack": the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.

Some applications read a Kerberos password over the network (ideally over a secure channel), which they then verify against the KDC.  While this technique may be the only practical way to integrate Kerberos into some existing legacy systems, its use is contrary to the original design goals of Kerberos.

The function :c:func:`krb5_get_init_creds_password` will get initial credentials for a client using a password.  An application that needs to verify the credentials can call :c:func:`krb5_verify_init_creds`.  Here is an example of code to obtain and verify TGT credentials, given strings *princname* and *password* for the client principal name and password::

    krb5_error_code ret;
    krb5_creds creds;
    krb5_principal client_princ = NULL;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_parse_name(context, princname, &client_princ);
    if (ret)
        goto cleanup;
    /* Obtain a TGT for the client using its password. */
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, NULL);
    if (ret)
        goto cleanup;
    /* Check the TGT against the host's keytab before trusting it. */
    ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL);

cleanup:
    krb5_free_principal(context, client_princ);
    krb5_free_cred_contents(context, &creds);
    return ret;

Options for get_init_creds
--------------------------

The function :c:func:`krb5_get_init_creds_password` takes an options parameter (which can be a null pointer).  Use the function :c:func:`krb5_get_init_creds_opt_alloc` to allocate an options structure, and :c:func:`krb5_get_init_creds_opt_free` to free it.
For example::

    krb5_error_code ret;
    krb5_get_init_creds_opt *opt = NULL;
    krb5_creds creds;

    memset(&creds, 0, sizeof(creds));
    ret = krb5_get_init_creds_opt_alloc(context, &opt);
    if (ret)
        goto cleanup;
    /* Request a ticket lifetime of one day (in seconds). */
    krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60);
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, opt);
    if (ret)
        goto cleanup;

cleanup:
    krb5_get_init_creds_opt_free(context, opt);
    krb5_free_cred_contents(context, &creds);
    return ret;

Getting anonymous credentials
-----------------------------

As of release 1.8, it is possible to obtain fully anonymous or partially anonymous (realm-exposed) credentials, if the KDC supports it.  The MIT KDC supports issuing fully anonymous credentials as of release 1.8 if configured appropriately (see :ref:`anonymous_pkinit`), but does not support issuing realm-exposed anonymous credentials at this time.

To obtain fully anonymous credentials, call :c:func:`krb5_get_init_creds_opt_set_anonymous` on the options structure to set the anonymous flag, and specify a client principal with the KDC's realm and a single empty data component (the principal obtained by parsing ``@``\ *realmname*).  Authentication will take place using anonymous PKINIT; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``.  Here is an example::

    krb5_get_init_creds_opt_set_anonymous(opt, 1);
    /* Build the principal "@myrealm": the realm plus one empty component. */
    ret = krb5_build_principal(context, &client_princ, strlen(myrealm),
                               myrealm, "", (char *)NULL);
    if (ret)
        goto cleanup;
    ret = krb5_get_init_creds_password(context, &creds, client_princ,
                                       password, NULL, NULL, 0, NULL, opt);
    if (ret)
        goto cleanup;

To obtain realm-exposed anonymous credentials, set the anonymous flag on the options structure as above, but specify a normal client principal in order to prove membership in the realm.
Authentication will take place as it normally does; if successful, the client principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@``\ *realmname*.

User interaction
----------------

Authenticating a user usually requires the entry of secret information, such as a password.  A password can be supplied directly to :c:func:`krb5_get_init_creds_password` via the *password* parameter, or the application can supply prompter and/or responder callbacks instead.  If callbacks are used, the user can also be queried for other secret information such as a PIN, informed of impending password expiration, or prompted to change a password which has expired.

Prompter callback
~~~~~~~~~~~~~~~~~

A prompter callback can be specified via the *prompter* and *data* parameters to :c:func:`krb5_get_init_creds_password`.  The prompter will be invoked each time the krb5 library has a question to ask or information to present.  When the prompter callback is invoked, the *banner* argument (if not null) is intended to be displayed to the user, and the questions to be answered are specified in the *prompts* array.  Each prompt contains a text question in the *prompt* field, a *hidden* bit to indicate whether the answer should be hidden from display, and a storage area for the answer in the *reply* field.  The callback should fill in each question's ``reply->data`` with the answer, up to a maximum number of ``reply->length`` bytes, and then reset ``reply->length`` to the length of the answer.

A prompter callback can call :c:func:`krb5_get_prompt_types` to get an array of type constants corresponding to the prompts, to get programmatic information about the semantic meaning of the questions.  :c:func:`krb5_get_prompt_types` may return a null pointer if no prompt type information is available.

Text-based applications can use a built-in text prompter implementation by supplying :c:func:`krb5_prompter_posix` as the *prompter* parameter and a null pointer as the *data* parameter.
For example::

    ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL,
                                       krb5_prompter_posix, NULL, 0, NULL,
                                       NULL);

Responder callback
~~~~~~~~~~~~~~~~~~

A responder callback can be specified through the init_creds options using the :c:func:`krb5_get_init_creds_opt_set_responder` function.  Responder callbacks can present a more sophisticated user interface for authentication secrets.  The responder callback is usually invoked only once per authentication, with a list of questions produced by all of the allowed preauthentication mechanisms.

When the responder callback is invoked, the *rctx* argument can be accessed to obtain the list of questions and to answer them.  The :c:func:`krb5_responder_list_questions` function retrieves an array of question types.  For each question type, the :c:func:`krb5_responder_get_challenge` function retrieves additional information about the question, if applicable, and the :c:func:`krb5_responder_set_answer` function sets the answer.

Responder question types, challenges, and answers are UTF-8 strings.  The question type is a well-known string; the meaning of the challenge and answer depend on the question type.  If an application does not understand a question type, it cannot interpret the challenge or provide an answer.  Failing to answer a question typically results in the prompter callback being used as a fallback.

Password question
#################

The :c:macro:`KRB5_RESPONDER_QUESTION_PASSWORD` (or ``"password"``) question type requests the user's password.  This question does not have a challenge, and the response is simply the password string.

One-time password question
##########################

The :c:macro:`KRB5_RESPONDER_QUESTION_OTP` (or ``"otp"``) question type requests a choice among one-time password tokens and the PIN and value for the chosen token.  The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself.
The :c:func:`krb5_responder_otp_get_challenge` function decodes the challenge into a krb5_responder_otp_challenge structure.  The :c:func:`krb5_responder_otp_set_answer` function selects one of the token information elements from the challenge and supplies the value and pin for that token.

PKINIT password or PIN question
###############################

The :c:macro:`KRB5_RESPONDER_QUESTION_PKINIT` (or ``"pkinit"``) question type requests PINs for hardware devices and/or passwords for encrypted credentials which are stored on disk, potentially also supplying information about the state of the hardware devices.  The challenge and answer are JSON-encoded strings, but an application can use convenience functions to avoid doing any JSON processing itself.

The :c:func:`krb5_responder_pkinit_get_challenge` function decodes the challenges into a krb5_responder_pkinit_challenge structure.  The :c:func:`krb5_responder_pkinit_set_answer` function can be used to supply the PIN or password for a particular client credential, and can be called multiple times.
Example
#######

Here is an example of using a responder callback::

    static krb5_error_code
    my_responder(krb5_context context, void *data, krb5_responder_context rctx)
    {
        krb5_error_code ret;
        krb5_responder_otp_challenge *chl;

        /* Answer the password question if it was asked. */
        if (krb5_responder_get_challenge(context, rctx,
                                         KRB5_RESPONDER_QUESTION_PASSWORD)) {
            ret = krb5_responder_set_answer(context, rctx,
                                            KRB5_RESPONDER_QUESTION_PASSWORD,
                                            "open sesame");
            if (ret)
                return ret;
        }
        /* Answer the OTP question, if present, using the first token. */
        ret = krb5_responder_otp_get_challenge(context, rctx, &chl);
        if (ret == 0 && chl != NULL) {
            ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234", NULL);
            krb5_responder_otp_challenge_free(context, rctx, chl);
            if (ret)
                return ret;
        }
        return 0;
    }

    static krb5_error_code
    get_creds(krb5_context context, krb5_principal client_princ)
    {
        krb5_error_code ret;
        krb5_get_init_creds_opt *opt = NULL;
        krb5_creds creds;

        memset(&creds, 0, sizeof(creds));
        ret = krb5_get_init_creds_opt_alloc(context, &opt);
        if (ret)
            goto cleanup;
        ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder,
                                                    NULL);
        if (ret)
            goto cleanup;
        /* No password or prompter: the responder supplies the secrets. */
        ret = krb5_get_init_creds_password(context, &creds, client_princ, NULL,
                                           NULL, NULL, 0, NULL, opt);

    cleanup:
        krb5_get_init_creds_opt_free(context, opt);
        krb5_free_cred_contents(context, &creds);
        return ret;
    }

Verifying initial credentials
-----------------------------

Use the function :c:func:`krb5_verify_init_creds` to verify initial credentials.  It takes an options structure (which can be a null pointer).  Use :c:func:`krb5_verify_init_creds_opt_init` to initialize the caller-allocated options structure, and :c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the "nofail" option.
For example::

    krb5_verify_init_creds_opt vopt;

    krb5_verify_init_creds_opt_init(&vopt);
    krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
    ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt);

The confusingly named "nofail" option, when set, means that the verification must actually succeed in order for :c:func:`krb5_verify_init_creds` to indicate success.  The default state of this option (cleared) means that if there is no key material available to verify the user credentials, the verification will succeed anyway.  (The default can be changed by a configuration file setting.)

This accommodates a use case where a large number of unkeyed shared desktop workstations need to allow users to log in using Kerberos.  The security risks from this practice are mitigated by the absence of valuable state on the shared workstations---any valuable resources that the users would access reside on networked servers.

For application developers
==========================

.. toctree::
   :maxdepth: 1

   gssapi.rst
   y2038.rst
   h5l_mit_apidiff.rst
   init_creds.rst
   princ_handle.rst

.. toctree::
   :maxdepth: 1

   refs/index.rst

Principal manipulation and parsing
==================================

Kerberos principal structure

..

:c:type:`krb5_principal_data`

:c:type:`krb5_principal`

..

Create and free principal

..

:c:func:`krb5_build_principal()`

:c:func:`krb5_build_principal_alloc_va()`

:c:func:`krb5_build_principal_ext()`

:c:func:`krb5_copy_principal()`

:c:func:`krb5_free_principal()`

:c:func:`krb5_cc_get_principal()`

..

Comparing

..

:c:func:`krb5_principal_compare()`

:c:func:`krb5_principal_compare_flags()`

:c:func:`krb5_principal_compare_any_realm()`

:c:func:`krb5_sname_match()`

:c:func:`krb5_sname_to_principal()`

..
Parsing:

..

:c:func:`krb5_parse_name()`

:c:func:`krb5_parse_name_flags()`

:c:func:`krb5_unparse_name()`

:c:func:`krb5_unparse_name_flags()`

..

Utilities:

..

:c:func:`krb5_is_config_principal()`

:c:func:`krb5_kuserok()`

:c:func:`krb5_set_password()`

:c:func:`krb5_set_password_using_ccache()`

:c:func:`krb5_set_principal_realm()`

:c:func:`krb5_realm_compare()`

..

Differences between Heimdal and MIT Kerberos API
================================================

.. tabularcolumns:: |l|l|

.. table::

   ======================================== =================================================
   :c:func:`krb5_auth_con_getaddrs()`       H5l: If either of the pointers to local_addr and
                                            remote_addr is not NULL, it is freed first and
                                            then reallocated before being populated with the
                                            content of corresponding address from
                                            authentication context.
   :c:func:`krb5_auth_con_setaddrs()`       H5l: If either address is NULL, the previous
                                            address remains in place
   :c:func:`krb5_auth_con_setports()`       H5l: Not implemented as of version 1.3.3
   :c:func:`krb5_auth_con_setrecvsubkey()`  H5l: If either port is NULL, the previous port
                                            remains in place
   :c:func:`krb5_auth_con_setsendsubkey()`  H5l: Not implemented as of version 1.3.3
   :c:func:`krb5_cc_set_config()`           MIT: Before version 1.10 it was assumed that the
                                            last argument *data* is ALWAYS non-zero.
   :c:func:`krb5_cccol_last_change_time()`  MIT: not implemented
   :c:func:`krb5_set_default_realm()`       H5l: Caches the computed default realm context
                                            field.  If the second argument is NULL, it tries
                                            to retrieve it from libdefaults or DNS.
                                            MIT: Computes the default realm each time if it
                                            wasn't explicitly set in the context
   ======================================== =================================================

Developing with GSSAPI
======================

The GSSAPI (Generic Security Services API) allows applications to communicate securely using Kerberos 5 or other security mechanisms.  We recommend using the GSSAPI (or a higher-level framework which encompasses GSSAPI, such as SASL) for secure network communication over using the libkrb5 API directly.

GSSAPIv2 is specified in :rfc:`2743` and :rfc:`2744`.  Also see :rfc:`7546` for a description of how to use the GSSAPI in a client or server program.

This documentation will describe how various ways of using the GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, as well as krb5-specific extensions to the GSSAPI.

Name types
----------

A GSSAPI application can name a local or remote entity by calling gss_import_name_, specifying a name type and a value.  The following name types are supported by the krb5 mechanism:

* **GSS_C_NT_HOSTBASED_SERVICE**: The value should be a string of the form ``service`` or ``service@hostname``.  This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.

* **GSS_KRB5_NT_PRINCIPAL_NAME**: The value should be a principal name string.  This name type only works with the krb5 mechanism, and is defined in the ```` header.

* **GSS_C_NT_USER_NAME** or **GSS_C_NULL_OID**: The value is treated as an unparsed principal name string, as above.  These name types may work with mechanisms other than krb5, but will have different interpretations in those mechanisms.  **GSS_C_NT_USER_NAME** is intended to be used with a local username, which will parse into a single-component principal in the default realm.

* **GSS_C_NT_ANONYMOUS**: The value is ignored.  The anonymous principal is used, allowing a client to authenticate to a server without asserting a particular identity (which may or may not be allowed by a particular server or Kerberos realm).

* **GSS_C_NT_MACHINE_UID_NAME**: The value is a uid_t object.  On Unix-like systems, the username of the uid is looked up in the system user database and the resulting username is parsed as a principal name.

* **GSS_C_NT_STRING_UID_NAME**: As above, but the value is a decimal string representation of the uid.

* **GSS_C_NT_EXPORT_NAME**: The value must be the result of a gss_export_name_ call.

* **GSS_KRB5_NT_ENTERPRISE_NAME**: The value should be a krb5 enterprise name string (see :rfc:`6806` section 5), in the form ``user@suffix``.  This name type is used to convey alias names, and is defined in the ```` header.  (New in release 1.17.)

* **GSS_KRB5_NT_X509_CERT**: The value should be an X.509 certificate encoded according to :rfc:`5280`.  This name form can be used for the desired_name parameter of gss_acquire_cred_impersonate_name(), to identify the S4U2Self user by certificate.  (New in release 1.19.)

Initiator credentials
---------------------

A GSSAPI client application uses gss_init_sec_context_ to establish a security context.  The *initiator_cred_handle* parameter determines what tickets are used to establish the connection.  An application can either pass **GSS_C_NO_CREDENTIAL** to use the default client credential, or it can use gss_acquire_cred_ beforehand to acquire an initiator credential.  The call to gss_acquire_cred_ may include a *desired_name* parameter, or it may pass **GSS_C_NO_NAME** if it does not have a specific name preference.
If the desired name for a krb5 initiator credential is a host-based name, it is converted to a principal name of the form ``service/hostname`` in the local realm, where *hostname* is the local hostname if not specified. The hostname will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. If a desired name is specified in the call to gss_acquire_cred_, the krb5 mechanism will attempt to find existing tickets for that client principal name in the default credential cache or collection. If the default cache type does not support a collection, and the default cache contains credentials for a different principal than the desired name, a **GSS_S_CRED_UNAVAIL** error will be returned with a minor code indicating a mismatch. If no existing tickets are available for the desired name, but the name has an entry in the default client :ref:`keytab_definition`, the krb5 mechanism will acquire initial tickets for the name using the default client keytab. If no desired name is specified, credential acquisition will be deferred until the credential is used in a call to gss_init_sec_context_ or gss_inquire_cred_. If the call is to gss_init_sec_context_, the target name will be used to choose a client principal name using the credential cache selection facility. (This facility might, for instance, try to choose existing tickets for a client principal in the same realm as the target service). If there are no existing tickets for the chosen principal, but it is present in the default client keytab, the krb5 mechanism will acquire initial tickets using the keytab. If the target name cannot be used to select a client principal (because the credentials are used in a call to gss_inquire_cred_), or if the credential cache selection facility cannot choose a principal for it, the default credential cache will be selected if it exists and contains tickets. 
If the default credential cache does not exist, but the default client keytab does, the krb5 mechanism will try to acquire initial tickets for the first principal in the default client keytab. If the krb5 mechanism acquires initial tickets using the default client keytab, the resulting tickets will be stored in the default cache or collection, and will be refreshed by future calls to gss_acquire_cred_ as they approach their expire time. Acceptor names -------------- A GSSAPI server application uses gss_accept_sec_context_ to establish a security context based on tokens provided by the client. The *acceptor_cred_handle* parameter determines what :ref:`keytab_definition` entries may be authenticated to by the client, if the krb5 mechanism is used. The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor credential. In this case, clients may authenticate to any service principal in the default keytab (typically |keytab|, or the value of the **KRB5_KTNAME** environment variable). This is the recommended approach if the server application has no specific requirements to the contrary. A server may acquire an acceptor credential with gss_acquire_cred_ and a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the *desired_name* parameter is **GSS_C_NO_NAME**, then clients will be allowed to authenticate to any service principal in the default keytab, just as if no acceptor credential was supplied. If a server wishes to specify a *desired_name* to gss_acquire_cred_, the most common choice is a host-based name. If the host-based *desired_name* contains just a *service*, then clients will be allowed to authenticate to any host-based service principal (that is, a principal of the form ``service/hostname@REALM``) for the named service, regardless of hostname or realm, as long as it is present in the default keytab. 
If the input name contains both a *service* and a *hostname*, clients will be allowed to authenticate to any host-based principal for the named service and hostname, regardless of realm. .. note:: If a *hostname* is specified, it will be canonicalized using forward name resolution, and possibly also using reverse name resolution depending on the value of the **rdns** variable in :ref:`libdefaults`. .. note:: If the **ignore_acceptor_hostname** variable in :ref:`libdefaults` is enabled, then *hostname* will be ignored even if one is specified in the input name. .. note:: In MIT krb5 versions prior to 1.10, and in Heimdal's implementation of the krb5 mechanism, an input name with just a *service* is treated like an input name of ``service@localhostname``, where *localhostname* is the string returned by gethostname(). If the *desired_name* is a krb5 principal name or a local system name type which is mapped to a krb5 principal name, clients will only be allowed to authenticate to that principal in the default keytab. Name Attributes --------------- In release 1.8 or later, the gss_inquire_name_ and gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be used to retrieve name attributes from the *src_name* returned by gss_accept_sec_context_. The following attributes are defined when the krb5 mechanism is used: .. _gssapi_authind_attr: * "auth-indicators" attribute: This attribute will be included in the gss_inquire_name_ output if the ticket contains :ref:`authentication indicators `. One indicator is returned per invocation of gss_get_name_attribute_, so multiple invocations may be necessary to retrieve all of the indicators from the ticket. (New in release 1.15.) 
Credential store extensions --------------------------- Beginning with release 1.11, the following GSSAPI extensions declared in ```` can be used to specify how credentials are acquired or stored:: struct gss_key_value_element_struct { const char *key; const char *value; }; typedef struct gss_key_value_element_struct gss_key_value_element_desc; struct gss_key_value_set_struct { OM_uint32 count; gss_key_value_element_desc *elements; }; typedef const struct gss_key_value_set_struct gss_key_value_set_desc; typedef const gss_key_value_set_desc *gss_const_key_value_set_t; OM_uint32 gss_acquire_cred_from(OM_uint32 *minor_status, const gss_name_t desired_name, OM_uint32 time_req, const gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_const_key_value_set_t cred_store, gss_cred_id_t *output_cred_handle, gss_OID_set *actual_mechs, OM_uint32 *time_rec); OM_uint32 gss_store_cred_into(OM_uint32 *minor_status, gss_cred_id_t input_cred_handle, gss_cred_usage_t cred_usage, const gss_OID desired_mech, OM_uint32 overwrite_cred, OM_uint32 default_cred, gss_const_key_value_set_t cred_store, gss_OID_set *elements_stored, gss_cred_usage_t *cred_usage_stored); The additional *cred_store* parameter allows the caller to specify information about how the credentials should be obtained and stored. The following options are supported by the krb5 mechanism: * **ccache**: For acquiring initiator credentials, the name of the :ref:`credential cache ` to which the handle will refer. For storing credentials, the name of the cache where the credentials should be stored. If a collection name is given, the primary cache of the collection will be used; this behavior may change in future releases to select a cache from the collection. * **client_keytab**: For acquiring initiator credentials, the name of the :ref:`keytab ` which will be used, if necessary, to refresh the credentials in the cache. 
* **keytab**: For acquiring acceptor credentials, the name of the :ref:`keytab ` to which the handle will refer. In release 1.19 and later, this option also determines the keytab to be used for verification when initiator credentials are acquired using a password and verified. * **password**: For acquiring initiator credentials, this option instructs the mechanism to acquire fresh credentials into a unique memory credential cache. This option may not be used with the **ccache** or **client_keytab** options, and a *desired_name* must be specified. (New in release 1.19.) * **rcache**: For acquiring acceptor credentials, the name of the :ref:`replay cache ` to be used when processing the initiator tokens. (New in release 1.13.) * **verify**: For acquiring initiator credentials, this option instructs the mechanism to verify the credentials by obtaining a ticket to a service with a known key. The service key is obtained from the keytab specified with the **keytab** option or the default keytab. The value may be the name of a principal in the keytab, or the empty string. If the empty string is given, any ``host`` service principal in the keytab may be used. (New in release 1.19.) Importing and exporting credentials ----------------------------------- The following GSSAPI extensions can be used to import and export credentials (declared in ````):: OM_uint32 gss_export_cred(OM_uint32 *minor_status, gss_cred_id_t cred_handle, gss_buffer_t token); OM_uint32 gss_import_cred(OM_uint32 *minor_status, gss_buffer_t token, gss_cred_id_t *cred_handle); The first function serializes a GSSAPI credential handle into a buffer; the second unseralizes a buffer into a GSSAPI credential handle. Serializing a credential does not destroy it. If any of the mechanisms used in *cred_handle* do not support serialization, gss_export_cred will return **GSS_S_UNAVAILABLE**. 
As with other GSSAPI serialization functions, these extensions are only intended to work with a matching implementation on the other side; they do not serialize credentials in a standardized format. A serialized credential may contain secret information such as ticket session keys. The serialization format does not protect this information from eavesdropping or tampering. The calling application must take care to protect the serialized credential when communicating it over an insecure channel or to an untrusted party. A krb5 GSSAPI credential may contain references to a credential cache, a client keytab, an acceptor keytab, and a replay cache. These resources are normally serialized as references to their external locations (such as the filename of the credential cache). Because of this, a serialized krb5 credential can only be imported by a process with similar privileges to the exporter. A serialized credential should not be trusted if it originates from a source with lower privileges than the importer, as it may contain references to external credential cache, keytab, or replay cache resources not accessible to the originator. An exception to the above rule applies when a krb5 GSSAPI credential refers to a memory credential cache, as is normally the case for delegated credentials received by gss_accept_sec_context_. In this case, the contents of the credential cache are serialized, so that the resulting token may be imported even if the original memory credential cache no longer exists. Constrained delegation (S4U) ---------------------------- The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions allow an intermediate service to acquire credentials from a client to a target service without requiring the client to delegate a ticket-granting ticket, if the KDC is configured to allow it. To perform a constrained delegation operation, the intermediate service must submit to the KDC an "evidence ticket" from the client to the intermediate service. 
An evidence ticket can be acquired when the client authenticates to the intermediate service with Kerberos, or with an S4U2Self request if the KDC allows it. The MIT krb5 GSSAPI library represents an evidence ticket using a "proxy credential", which is a special kind of gss_cred_id_t object whose underlying credential cache contains the evidence ticket and a krbtgt ticket for the intermediate service. To acquire a proxy credential during client authentication, the service should first create an acceptor credential using the **GSS_C_BOTH** usage. The application should then pass this credential as the *acceptor_cred_handle* to gss_accept_sec_context_, and also pass a *delegated_cred_handle* output parameter to receive a proxy credential containing the evidence ticket. The output value of *delegated_cred_handle* may be a delegated ticket-granting ticket if the client sent one, or a proxy credential if not. If the library can determine that the client's ticket is not a valid evidence ticket, it will place **GSS_C_NO_CREDENTIAL** in *delegated_cred_handle*. To acquire a proxy credential using an S4U2Self request, the service can use the following GSSAPI extension:: OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, gss_cred_id_t icred, gss_name_t desired_name, OM_uint32 time_req, gss_OID_set desired_mechs, gss_cred_usage_t cred_usage, gss_cred_id_t *output_cred, gss_OID_set *actual_mechs, OM_uint32 *time_rec); The parameters to this function are similar to those of gss_acquire_cred_, except that *icred* is used to make an S4U2Self request to the KDC for a ticket from *desired_name* to the intermediate service. Both *icred* and *desired_name* are required for this function; passing **GSS_C_NO_CREDENTIAL** or **GSS_C_NO_NAME** will cause the call to fail. *icred* must contain a krbtgt ticket for the intermediate service. The result of this operation is a proxy credential. 
(Prior to release 1.18, the result of this operation may be a regular credential for *desired_name*, if the KDC issues a non-forwardable ticket.) Once the intermediate service has a proxy credential, it can simply pass it to gss_init_sec_context_ as the *initiator_cred_handle* parameter, and the desired service as the *target_name* parameter. The GSSAPI library will present the krbtgt ticket and evidence ticket in the proxy credential to the KDC in an S4U2Proxy request; if the intermediate service has the appropriate permissions, the KDC will issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. If an application needs to find out whether a credential it holds is a proxy credential and the name of the intermediate service, it can query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID (new in release 1.16, declared in ````) using the gss_inquire_cred_by_oid extension (declared in ````):: OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status, const gss_cred_id_t cred_handle, gss_OID desired_object, gss_buffer_set_t *data_set); If the call succeeds and *cred_handle* is a proxy credential, *data_set* will be set to a single-element buffer set containing the unparsed principal name of the intermediate service. If *cred_handle* is not a proxy credential, *data_set* will be set to an empty buffer set. If the library does not support the query, gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**. 
AEAD message wrapping --------------------- The following GSSAPI extensions (declared in ````) can be used to wrap and unwrap messages with additional "associated data" which is integrity-checked but is not included in the output buffer:: OM_uint32 gss_wrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, gss_buffer_t input_assoc_buffer, gss_buffer_t input_payload_buffer, int *conf_state, gss_buffer_t output_message_buffer); OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_buffer_t input_message_buffer, gss_buffer_t input_assoc_buffer, gss_buffer_t output_payload_buffer, int *conf_state, gss_qop_t *qop_state); Wrap tokens created with gss_wrap_aead will successfully unwrap only if the same *input_assoc_buffer* contents are presented to gss_unwrap_aead. IOV message wrapping -------------------- The following extensions (declared in ````) can be used for in-place encryption, fine-grained control over wrap token layout, and for constructing wrap tokens compatible with Microsoft DCE RPC:: typedef struct gss_iov_buffer_desc_struct { OM_uint32 type; gss_buffer_desc buffer; } gss_iov_buffer_desc, *gss_iov_buffer_t; OM_uint32 gss_wrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int *conf_state, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, int conf_req_flag, gss_qop_t qop_req, int *conf_state, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. 
Valid types include: * **GSS_C_BUFFER_TYPE_DATA**: A data buffer to be included in the token, and to be encrypted or decrypted in-place if the token is confidentiality-protected. * **GSS_C_BUFFER_TYPE_HEADER**: The GSSAPI wrap token header and underlying cryptographic header. * **GSS_C_BUFFER_TYPE_TRAILER**: The cryptographic trailer, if one is required. * **GSS_C_BUFFER_TYPE_PADDING**: Padding to be combined with the data during encryption and decryption. (The implementation may choose to place padding in the trailer buffer, in which case it will set the padding buffer length to 0.) * **GSS_C_BUFFER_TYPE_STREAM**: For unwrapping only, a buffer containing a complete wrap token in standard format to be unwrapped. * **GSS_C_BUFFER_TYPE_SIGN_ONLY**: A buffer to be included in the token's integrity protection checksum, but not to be encrypted or included in the token itself. For gss_wrap_iov, the IOV list should contain one HEADER buffer, followed by zero or more SIGN_ONLY buffers, followed by one or more DATA buffers, followed by a TRAILER buffer. The memory pointed to by the buffers is not required to be contiguous or in any particular order. If *conf_req_flag* is true, DATA buffers will be encrypted in-place, while SIGN_ONLY buffers will not be modified. The type of an output buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_wrap_iov allocate the buffer contents. If gss_wrap_iov allocates a buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. 
Here is an example of how gss_wrap_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[] = "message"; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use resulting buffers. */ (void)gss_release_iov_buffer(&minor, iov, 4); If the caller does not choose to request buffer allocation by gss_wrap_iov, it should first call gss_wrap_iov_length to query the lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers must be provided in the iov list so that padding length can be computed correctly, but the output buffers need not be initialized. 
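As an added example (not part of the krb5 documentation or library), the following self-contained C code encodes the buffer-order rule above and the size check that the non-allocating path needs, so a caller can reject a malformed IOV list or a too-small buffer before gss_wrap_iov writes anything. The GSS_IOV_* names and the gss_iov_buffer_desc layout are those of MIT's gssapi_ext.h, reproduced under #ifndef guards so the file builds without the krb5 headers; wrap_iov_order_ok, place_wrap_iov_outputs and the demo with its 16- and 28-byte lengths are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

#ifndef GSS_IOV_BUFFER_TYPE_DATA
/* Stand-ins so this builds without the krb5 headers; values and layouts
 * match MIT's gssapi.h / gssapi_ext.h. */
typedef uint32_t OM_uint32;
typedef struct { size_t length; void *value; } gss_buffer_desc;
typedef struct { OM_uint32 type; gss_buffer_desc buffer; } gss_iov_buffer_desc;
#define GSS_IOV_BUFFER_TYPE_DATA       1
#define GSS_IOV_BUFFER_TYPE_HEADER     2
#define GSS_IOV_BUFFER_TYPE_TRAILER    7
#define GSS_IOV_BUFFER_TYPE_PADDING    9
#define GSS_IOV_BUFFER_TYPE_SIGN_ONLY  11
#define GSS_IOV_BUFFER_FLAG_MASK       0xFFFF0000
#define GSS_IOV_BUFFER_FLAG_ALLOCATE   0x00010000
#define GSS_IOV_BUFFER_TYPE(t)         ((t) & ~GSS_IOV_BUFFER_FLAG_MASK)
#endif

#define TYPE_OF(b) GSS_IOV_BUFFER_TYPE((b).type)   /* type without flag bits */

/* HEADER, PADDING and TRAILER are the buffers gss_wrap_iov writes. */
static int is_output_type(OM_uint32 t)
{
    return t == GSS_IOV_BUFFER_TYPE_HEADER || t == GSS_IOV_BUFFER_TYPE_PADDING ||
           t == GSS_IOV_BUFFER_TYPE_TRAILER;
}

/* Order rule for a standard gss_wrap_iov list: one HEADER, zero or more
 * SIGN_ONLY, one or more DATA, an optional PADDING, then one TRAILER.  Flag
 * bits such as GSS_IOV_BUFFER_FLAG_ALLOCATE are masked off first.  1 = ok. */
int wrap_iov_order_ok(const gss_iov_buffer_desc *iov, int count)
{
    int i = 1, ndata = 0;
    if (count < 3 || TYPE_OF(iov[0]) != GSS_IOV_BUFFER_TYPE_HEADER)
        return 0;
    while (i < count && TYPE_OF(iov[i]) == GSS_IOV_BUFFER_TYPE_SIGN_ONLY)
        i++;
    for (; i < count && TYPE_OF(iov[i]) == GSS_IOV_BUFFER_TYPE_DATA; i++)
        ndata++;
    if (ndata == 0)
        return 0;
    if (i < count && TYPE_OF(iov[i]) == GSS_IOV_BUFFER_TYPE_PADDING)
        i++;
    /* Short-circuit keeps iov[i] in bounds: only read when i == count - 1. */
    return i == count - 1 && TYPE_OF(iov[i]) == GSS_IOV_BUFFER_TYPE_TRAILER;
}

/* Non-allocating path: gss_wrap_iov_length has filled in the HEADER, PADDING
 * and TRAILER lengths; point those buffers at the unused tail of buf, whose
 * first `used` bytes are the plaintext the DATA buffer already refers to.
 * Returns 1, or 0 without touching the list when buf is too small. */
int place_wrap_iov_outputs(gss_iov_buffer_desc *iov, int count,
                           char *buf, size_t used, size_t bufsize)
{
    size_t need = used;
    int i;
    if (used > bufsize)
        return 0;
    for (i = 0; i < count; i++) {
        if (is_output_type(TYPE_OF(iov[i]))) {
            if (iov[i].buffer.length > bufsize - need)   /* cannot wrap */
                return 0;
            need += iov[i].buffer.length;
        }
    }
    for (i = 0; i < count; i++) {
        if (is_output_type(TYPE_OF(iov[i]))) {
            iov[i].buffer.value = buf + used;
            used += iov[i].buffer.length;
        }
    }
    return 1;
}

/* Constructed walk-through; 16 and 28 stand in for the lengths that
 * gss_wrap_iov_length would report.  Returns 0 if every step behaves. */
int demo_standard_layout(void)
{
    gss_iov_buffer_desc iov[4];
    char buf[64] = "message";   /* 7 bytes of plaintext, 57 bytes spare */
    size_t used = 7;
    iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;  iov[0].buffer.length = 16;
    iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;    iov[1].buffer.length = used;
    iov[1].buffer.value = buf;
    iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; iov[2].buffer.length = 0;
    iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; iov[3].buffer.length = 28;

    if (!wrap_iov_order_ok(iov, 4))
        return 1;
    if (!place_wrap_iov_outputs(iov, 4, buf, used, sizeof(buf)))
        return 2;
    if (iov[0].buffer.value != buf + 7 || iov[3].buffer.value != buf + 23)
        return 3;
    /* 7 + 16 + 0 + 28 = 51 bytes do not fit in 40: rejected, not overflowed. */
    if (place_wrap_iov_outputs(iov, 4, buf, used, 40))
        return 4;
    return 0;
}
```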
Here is an example of using gss_wrap_iov_length and gss_wrap_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[4]; char str[1024] = "message", *ptr; iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = str; iov[1].buffer.length = strlen(str); iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + iov[3].buffer.length > sizeof(str)) handle_out_of_space_error(); ptr = str + strlen(str); iov[0].buffer.value = ptr; ptr += iov[0].buffer.length; iov[2].buffer.value = ptr; ptr += iov[2].buffer.length; iov[3].buffer.value = ptr; major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, iov, 4); if (GSS_ERROR(major)) handle_error(major, minor); If the context was established using the **GSS_C_DCE_STYLE** flag (described in :rfc:`4757`), wrap tokens compatible with Microsoft DCE RPC can be constructed. In this case, the IOV list must include a SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a HEADER buffer in that order (the order of the buffer contents remains arbitrary). The application must pad the DATA buffer to a multiple of 16 bytes as no padding or trailer buffer is used. gss_unwrap_iov may be called with an IOV list just like one which would be provided to gss_wrap_iov. DATA buffers will be decrypted in-place if they were encrypted, and SIGN_ONLY buffers will not be modified. Alternatively, gss_unwrap_iov may be called with a single STREAM buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The STREAM buffer is interpreted as a complete wrap token. The STREAM buffer will be modified in-place to decrypt its contents. 
The DATA buffer will be initialized to point to the decrypted data within the STREAM buffer, unless it has the **GSS_C_BUFFER_FLAG_ALLOCATE** flag set, in which case it will be initialized with a copy of the decrypted data. Here is an example (*token* and *token_len* are assumed to be a pre-existing pointer and length for a modifiable region of data):: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; iov[0].buffer.value = token; iov[0].buffer.length = token_len; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); /* Decrypted data is in iov[1].buffer, pointing to a subregion of * token. */ .. _gssapi_mic_token: IOV MIC tokens -------------- The following extensions (declared in ````) can be used in release 1.12 or later to construct and verify MIC tokens using an IOV list:: OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, int iov_count); OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t qop_req, gss_iov_buffer_desc *iov, iov_count); OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status, gss_ctx_id_t context_handle, gss_qop_t *qop_state, gss_iov_buffer_desc *iov, int iov_count); The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc structures, each containing a type and a gss_buffer_desc structure. Valid types include: * **GSS_C_BUFFER_TYPE_DATA** and **GSS_C_BUFFER_TYPE_SIGN_ONLY**: The corresponding buffer for each of these types will be signed for the MIC token, in the order provided. * **GSS_C_BUFFER_TYPE_MIC_TOKEN**: The GSSAPI MIC token. The type of the MIC_TOKEN buffer may be combined with **GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_get_mic_iov allocate the buffer contents. 
If gss_get_mic_iov allocates the buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. gss_release_iov_buffer can be used to release all allocated buffers within an iov list and unset their allocated flags. Here is an example of how gss_get_mic_iov can be used with allocation requested (*ctx* is assumed to be a previously established gss_ctx_id_t):: OM_uint32 major, minor; gss_iov_buffer_desc iov[3]; iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; iov[0].buffer.value = "sign1"; iov[0].buffer.length = 5; iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; iov[1].buffer.value = "sign2"; iov[1].buffer.length = 5; iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3); if (GSS_ERROR(major)) handle_error(major, minor); /* Transmit or otherwise use iov[2].buffer. */ (void)gss_release_iov_buffer(&minor, iov, 3); If the caller does not choose to request buffer allocation by gss_get_mic_iov, it should first call gss_get_mic_iov_length to query the length of the MIC_TOKEN buffer. Here is an example of using gss_get_mic_iov_length and gss_get_mic_iov:: OM_uint32 major, minor; gss_iov_buffer_desc iov[2]; char data[1024]; iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; iov[1].buffer.value = "message"; iov[1].buffer.length = 7; major = gss_get_mic_iov_length(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); if (iov[0].buffer.length > sizeof(data)) handle_out_of_space_error(); iov[0].buffer.value = data; major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 2); if (GSS_ERROR(major)) handle_error(major, minor); .. _gss_accept_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.1 .. _gss_acquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.2 .. _gss_export_name: https://tools.ietf.org/html/rfc2744.html#section-5.13 .. 
_gss_get_name_attribute: https://tools.ietf.org/html/6680.html#section-7.5 .. _gss_import_name: https://tools.ietf.org/html/rfc2744.html#section-5.16 .. _gss_init_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.19 .. _gss_inquire_name: https://tools.ietf.org/html/rfc6680.txt#section-7.4 .. _gss_inquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.21 krb5-1.19.2/doc/html/_sources/appdev/refs/0000755000704600001450000000000014076312527021621 5ustar ghudsonsystemd-journalkrb5-1.19.2/doc/html/_sources/appdev/refs/api/0000755000704600001450000000000014076312224022364 5ustar ghudsonsystemd-journalkrb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_req.rst.txt0000644000704600001450000000247114076311665026151 0ustar ghudsonsystemd-journalkrb5_mk_req - Create a KRB_AP_REQ message. ============================================ .. .. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, const char * service, const char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf) .. :param: **[in]** **context** - Library context **[inout]** **auth_context** - Pre-existing or newly created auth context **[in]** **ap_req_options** - :data:`AP_OPTS` options **[in]** **service** - Service name, or NULL to use **"host"** **[in]** **hostname** - Host name, or NULL to use local hostname **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL **[in]** **ccache** - Credential cache used to obtain credentials for the desired service. **[out]** **outbuf** - **AP-REQ** message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function is similar to :c:func:`krb5_mk_req_extended()` except that it uses a given *hostname* , *service* , and *ccache* to construct a service principal name and obtain credentials. Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. .. 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.rst.txt0000644000704600001450000000072514076311665027652 0ustar ghudsonsystemd-journalkrb5_free_tgt_creds - Free an array of credential structures. =============================================================== .. .. c:function:: void krb5_free_tgt_creds(krb5_context context, krb5_creds ** tgts) .. :param: **[in]** **context** - Library context **[in]** **tgts** - Null-terminated array of credentials to free .. .. .. .. note:: The last entry in the array *tgts* must be a NULL pointer. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.rst.txt0000644000704600001450000000146314076311665032072 0ustar ghudsonsystemd-journalkrb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options. ====================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt * opt, const char * attr, const char * value) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **attr** - Preauthentication option name **[in]** **value** - Preauthentication option value .. .. This function allows the caller to supply options for preauthentication. The values of *attr* and *value* are supplied to each preauthentication module available within *context* . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.rst.txt0000644000704600001450000000152614076311665030226 0ustar ghudsonsystemd-journalkrb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+). ================================================================================= .. .. c:function:: krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_enctype enctype, krb5_keyblock ** out) .. 
:param: **[in]** **context** - Library context **[in]** **k** - KDC contribution key **[in]** **input** - Input string **[in]** **enctype** - Output key enctype (or **ENCTYPE_NULL** ) **[out]** **out** - Derived keyblock .. .. This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If *enctype* is **ENCTYPE_NULL** , the output key will have the same enctype as the input key. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.rst.txt0000644000704600001450000000066314076311665030024 0ustar ghudsonsystemd-journalkrb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type. ===================================================================================================== .. .. c:function:: krb5_boolean krb5_c_valid_enctype(krb5_enctype ktype) .. :param: **[in]** **ktype** - Encryption type .. :return: - TRUE if ktype is valid, FALSE if not .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.rst.txt0000644000704600001450000000112414076311665030133 0ustar ghudsonsystemd-journalkrb5_cc_get_full_name - Retrieve the full name of a credential cache. ======================================================================= .. .. c:function:: krb5_error_code krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, char ** fullname_out) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **fullname_out** - Full name of cache .. .. Use :c:func:`krb5_free_string()` to free *fullname_out* when it is no longer needed. .. .. note:: New in 1.10 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.rst.txt0000644000704600001450000000141614076311665031402 0ustar ghudsonsystemd-journalkrb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags. ============================================================================================= .. .. 
c:function:: krb5_error_code krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, int flags, char ** name, unsigned int * size) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal **[in]** **flags** - Flags **[out]** **name** - Single string format of principal name **[out]** **size** - Size of unparsed name buffer .. :retval: - 0 Success :return: - Kerberos error codes. On failure name is set to NULL .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_error.rst.txt0000644000704600001450000000124714076311665026513 0ustar ghudsonsystemd-journalkrb5_mk_error - Format and encode a KRB_ERROR message. ======================================================== .. .. c:function:: krb5_error_code krb5_mk_error(krb5_context context, const krb5_error * dec_err, krb5_data * enc_err) .. :param: **[in]** **context** - Library context **[in]** **dec_err** - Error structure to be encoded **[out]** **enc_err** - Encoded error structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a **KRB_ERROR** message in *enc_err* . Use :c:func:`krb5_free_data_contents()` to free *enc_err* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.rst.txt0000644000704600001450000000105214076311665030232 0ustar ghudsonsystemd-journalkrb5_deltat_to_string - Convert a relative time value to a string. ==================================================================== .. .. c:function:: krb5_error_code krb5_deltat_to_string(krb5_deltat deltat, char * buffer, size_t buflen) .. :param: **[in]** **deltat** - Relative time value to convert **[out]** **buffer** - Buffer to hold time string **[in]** **buflen** - Storage available in *buffer* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.rst.txt

krb5_free_keytab_entry_contents - Free the contents of a key table entry.
===========================================================================

.. c:function:: krb5_error_code krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry * entry)

:param:
          **[in]** **context** - Library context
          **[in]** **entry** - Key table entry whose contents are to be freed

:retval:
         -  0 Success; otherwise - Kerberos error codes

.. note:: The pointer is not freed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.rst.txt

krb5_copy_keyblock - Copy a keyblock.
=======================================

.. c:function:: krb5_error_code krb5_copy_keyblock(krb5_context context, const krb5_keyblock * from, krb5_keyblock ** to)

:param:
          **[in]** **context** - Library context
          **[in]** **from** - Keyblock to be copied
          **[out]** **to** - Copy of keyblock *from*

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function creates a new keyblock with the same contents as *from*. Use :c:func:`krb5_free_keyblock()` to free *to* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.rst.txt

krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure.
======================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt ** opt)

:param:
          **[in]** **context** - Library context
          **[out]** **opt** - New options structure

:retval:
         -  0 - Success; Kerberos errors otherwise.
This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use :c:func:`krb5_get_init_creds_opt_free()` to free *opt* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_addresses.rst.txt

krb5_copy_addresses - Copy an array of addresses.
===================================================

.. c:function:: krb5_error_code krb5_copy_addresses(krb5_context context, krb5_address *const * inaddr, krb5_address *** outaddr)

:param:
          **[in]** **context** - Library context
          **[in]** **inaddr** - Array of addresses to be copied
          **[out]** **outaddr** - Copy of array of addresses

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function creates a new address array containing a copy of *inaddr*. Use :c:func:`krb5_free_addresses()` to free *outaddr* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_checksum_size.rst.txt

krb5_checksum_size
==================

.. c:function:: size_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)

:param:
          **context**
          **ctype**

DEPRECATED See krb5_c_checksum_length()

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.rst.txt

krb5_eblock_enctype
===================

.. c:function:: krb5_enctype krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block * eblock)

:param:
          **context**
          **eblock**

DEPRECATED Replaced by krb5_c_* API family.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.rst.txt

krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.
==========================================================================================

.. c:function:: krb5_error_code krb5_responder_otp_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge ** chl)

:param:
          **[in]** **ctx** - Library context
          **[in]** **rctx** - Responder context
          **[out]** **chl** - Challenge structure

A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. The returned value must be passed to :c:func:`krb5_responder_otp_challenge_free()` to be freed.

.. note:: New in 1.11

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_prf.rst.txt

krb5_c_prf - Generate enctype-specific pseudo-random bytes.
=============================================================

.. c:function:: krb5_error_code krb5_c_prf(krb5_context context, const krb5_keyblock * keyblock, krb5_data * input, krb5_data * output)

:param:
          **[in]** **context** - Library context
          **[in]** **keyblock** - Key
          **[in]** **input** - Input data
          **[out]** **output** - Output data

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function selects a pseudo-random function based on *keyblock* and computes its value over *input*, placing the result into *output*. The caller must preinitialize *output* and allocate space for the result, using :c:func:`krb5_c_prf_length()` to determine the required length.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_verify_checksum.rst.txt

krb5_verify_checksum
====================

.. c:function:: krb5_error_code krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, const krb5_checksum * cksum, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length)

:param:
          **context**
          **ctype**
          **cksum**
          **in**
          **in_length**
          **seed**
          **seed_length**

DEPRECATED See krb5_c_verify_checksum()

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.rst.txt

krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context.
===========================================================================================================

.. c:function:: const char * krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, const char * question)

:param:
          **[in]** **ctx** - Library context
          **[in]** **rctx** - Responder context
          **[in]** **question** - Question name

Return a pointer to a C string containing the challenge for *question* within *rctx*, or NULL if the question is not present in *rctx*. The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of *rctx*, and should not be modified or freed by the caller.

.. note:: New in 1.11

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.rst.txt

krb5_vwrap_error_message - Add a prefix to a different error code's message using a va_list.
==============================================================================================
.. c:function:: void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, va_list args)

:param:
          **[in]** **ctx** - Library context
          **[in]** **old_code** - Previous error code
          **[in]** **code** - Error code
          **[in]** **fmt** - Format string for error message prefix
          **[in]** **args** - List of vprintf(3) style arguments

This function is similar to :c:func:`krb5_wrap_error_message()`, but uses a va_list instead of variadic arguments.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_padding_length.rst.txt

krb5_c_padding_length - Return a number of padding octets.
============================================================

.. c:function:: krb5_error_code krb5_c_padding_length(krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int * size)

:param:
          **[in]** **context** - Library context
          **[in]** **enctype** - Encryption type
          **[in]** **data_length** - Length of the plaintext to pad
          **[out]** **size** - Number of padding octets

:retval:
         -  0 Success; otherwise - KRB5_BAD_ENCTYPE

This function returns the number of padding octets required to pad *data_length* octets of plaintext.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.rst.txt

krb5_cccol_cursor_free - Free a credential cache collection cursor.
=====================================================================

.. c:function:: krb5_error_code krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor * cursor)

:param:
          **[in]** **context** - Library context
          **[in]** **cursor** - Cursor

:retval:
         -  0 Success; otherwise - Kerberos error codes
.. seealso:: :c:func:`krb5_cccol_cursor_new()`, :c:func:`krb5_cccol_cursor_next()`

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.rst.txt

krb5_cc_get_flags - Retrieve flags from a credential cache structure.
=======================================================================

.. c:function:: krb5_error_code krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags * flags)

:param:
          **[in]** **context** - Library context
          **[in]** **cache** - Credential cache handle
          **[out]** **flags** - Flag bit mask

:retval:
         -  0 Success; otherwise - Kerberos error codes

.. warning:: For a memory credential cache, this function always returns a flag mask of 0.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.rst.txt

krb5_enctype_to_string - Convert an encryption type to a string.
==================================================================

.. c:function:: krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char * buffer, size_t buflen)

:param:
          **[in]** **enctype** - Encryption type
          **[out]** **buffer** - Buffer to hold encryption type string
          **[in]** **buflen** - Storage available in *buffer*

:retval:
         -  0 Success; otherwise - Kerberos error codes

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_default_name.rst.txt

krb5_cc_default_name - Return the name of the default credential cache.
=========================================================================

.. c:function:: const char * krb5_cc_default_name(krb5_context context)

:param:
          **[in]** **context** - Library context

:return:
         -  Name of default credential cache for the current user.
Return a pointer to the default credential cache name for *context*, as determined by a prior call to :c:func:`krb5_cc_set_default_name()`, by the KRB5CCNAME environment variable, by the default_ccache_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when *context* is destroyed with :c:func:`krb5_free_context()` or if a subsequent call to :c:func:`krb5_cc_set_default_name()` is made on *context*.

The default credential cache name is cached in *context* between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on *context*, that change will not be reflected in later calls with the same context. The caller can invoke :c:func:`krb5_cc_set_default_name()` with a NULL value of *name* to clear the cached value and force the default name to be recomputed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.rst.txt

krb5_kt_get_entry - Get an entry from a key table.
====================================================

.. c:function:: krb5_error_code krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry * entry)

:param:
          **[in]** **context** - Library context
          **[in]** **keytab** - Key table handle
          **[in]** **principal** - Principal name
          **[in]** **vno** - Key version number (0 for highest available)
          **[in]** **enctype** - Encryption type (0 for any enctype)
          **[out]** **entry** - Returned entry from key table

:retval:
         -  0 Success
         -  Kerberos error codes on failure

Retrieve an entry from a key table which matches the *keytab*, *principal*, *vno*, and *enctype*. If *vno* is zero, retrieve the highest-numbered kvno matching the other fields. If *enctype* is 0, match any enctype.
Use :c:func:`krb5_free_keytab_entry_contents()` to free *entry* when it is no longer needed.

.. note:: If *vno* is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_string_to_key.rst.txt

krb5_string_to_key
==================

.. c:function:: krb5_error_code krb5_string_to_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_keyblock * keyblock, const krb5_data * data, const krb5_data * salt)

:param:
          **context**
          **eblock**
          **keyblock**
          **data**
          **salt**

DEPRECATED See krb5_c_string_to_key()

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.rst.txt

krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters.
===============================================================================================================

.. c:function:: krb5_error_code krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, const krb5_data * params, krb5_keyblock * key)

:param:
          **[in]** **context** - Library context
          **[in]** **enctype** - Encryption type
          **[in]** **string** - String to be converted
          **[in]** **salt** - Salt value
          **[in]** **params** - Parameters
          **[out]** **key** - Generated key

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function is similar to :c:func:`krb5_c_string_to_key()`, but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created *key* must be released by calling :c:func:`krb5_free_keyblock_contents()` when it is no longer needed.
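The selection rule that krb5_kt_get_entry() documents above (vno 0 selects the highest kvno, enctype 0 matches any enctype), worked through in Python as an added example that is not libkrb5's code. To make it run offline it carries a minimal writer and reader for the MIT keytab file format (version 0x0502), including the 32-bit kvno field that readers use when the 8-bit field cannot hold the version, and the negative-size holes that a deleted entry leaves behind. The principals, keys and timestamps in the sample keytab are constructed for the example; principal component quoting is not handled.

```python
"""Added example, not libkrb5 code: a minimal reader/writer for the MIT
keytab file format (version 0x0502) and the entry-selection rule that
krb5_kt_get_entry() documents (vno 0 = highest kvno, enctype 0 = any).
Principals, keys and timestamps below are constructed for the example."""
import struct
from typing import List, NamedTuple, Optional

KEYTAB_MAGIC = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18


class KeytabEntry(NamedTuple):
    principal: str      # "comp1/comp2@REALM"; component quoting is not handled here
    name_type: int
    timestamp: int
    vno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    """Keytab counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def write_keytab(entries: List[KeytabEntry]) -> bytes:
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type, timestamp, 8-bit kvno, enctype, key, then the 32-bit kvno
        # extension that carries kvnos above 255 (readers use it when nonzero).
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.vno & 0xFF,
                            e.enctype, len(e.key)) + e.key + struct.pack(">I", e.vno)
        out += struct.pack(">i", len(body)) + body   # positive size = live entry
    return bytes(out)


def _read_counted(blob: bytes, pos: int, end: int):
    if pos + 2 > end:
        raise ValueError("truncated keytab entry")
    (n,) = struct.unpack_from(">H", blob, pos)
    pos += 2
    if pos + n > end:
        raise ValueError("truncated keytab entry")
    return blob[pos:pos + n], pos + n


def read_keytab(blob: bytes) -> List[KeytabEntry]:
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                 # hole left by a deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        if end > len(blob) or size < 2:
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        realm, pos = _read_counted(blob, pos, end)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(blob, pos, end)
            comps.append(c.decode())
        if pos + 13 > end:
            raise ValueError("truncated keytab entry")
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", blob, pos)
        pos += 13
        if pos + klen > end:
            raise ValueError("truncated keytab entry")
        key = blob[pos:pos + klen]
        pos += klen
        vno = vno8
        if end - pos >= 4:           # 32-bit kvno present; it wins when nonzero
            (vno32,) = struct.unpack_from(">I", blob, pos)
            if vno32:
                vno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, vno, enctype, key))
        pos = end
    return entries


def kt_get_entry(entries, principal, vno=0, enctype=0) -> Optional[KeytabEntry]:
    """Mirror of krb5_kt_get_entry() matching: the principal must match,
    enctype 0 matches any enctype, vno 0 selects the highest kvno present."""
    best = None
    for e in entries:
        if e.principal != principal or (enctype and e.enctype != enctype):
            continue
        if vno and e.vno != vno:
            continue
        if best is None or e.vno > best.vno:
            best = e
    return best


def with_free_slot(blob: bytes, nbytes: int) -> bytes:
    """Insert a deleted-entry hole (negative size) right after the header."""
    return blob[:2] + struct.pack(">i", -nbytes) + b"\x00" * nbytes + blob[2:]


HOST = "host/web1.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = write_keytab([   # constructed sample; the keys are dummies
    KeytabEntry(HOST, KRB5_NT_PRINCIPAL, 1700000000, 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32)),
    KeytabEntry(HOST, KRB5_NT_PRINCIPAL, 1700000000, 3, ENCTYPE_AES128_CTS_HMAC_SHA1_96, bytes(range(16))),
    KeytabEntry(HOST, KRB5_NT_PRINCIPAL, 1700003600, 4, ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(range(32))),
    KeytabEntry("HTTP/web1.example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL, 1700003600, 300,
                ENCTYPE_AES256_CTS_HMAC_SHA1_96, b"\x11" * 32),
])
```

With vno 0 and enctype 0, kt_get_entry() on the sample returns the kvno 4 entry for the host principal; asking for enctype 17 drops back to the kvno 3 AES-128 entry, and the HTTP entry shows the 32-bit kvno (300) surviving a round trip through the 8-bit field. Every length in the reader is bounds-checked against the entry size, so a truncated or hostile keytab raises instead of reading past the entry.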
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.rst.txt

krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.
=================================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock)

:param:
          **[in]** **ctx** - Library context
          **[in]** **ac** - Authentication context
          **[out]** **keyblock** - Receiving subkey

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function creates a keyblock containing the receiving subkey from *ac*. Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.rst.txt

krb5_k_make_checksum - Compute a checksum (operates on opaque key).
=====================================================================

.. c:function:: krb5_error_code krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum)

:param:
          **[in]** **context** - Library context
          **[in]** **cksumtype** - Checksum type (0 for mandatory type)
          **[in]** **key** - Encryption key for a keyed checksum
          **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)
          **[in]** **input** - Input data
          **[out]** **cksum** - Generated checksum

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function computes a checksum of type *cksumtype* over *input*, using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type.
The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling :c:func:`krb5_free_checksum_contents()` when it is no longer needed.

.. seealso:: :c:func:`krb5_c_verify_checksum()`

.. note:: This function is similar to :c:func:`krb5_c_make_checksum()`, but operates on opaque *key*.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.rst.txt

krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options.
========================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags flags)

:param:
          **[in]** **context** - Library context
          **[in]** **opt** - Options
          **[in]** **flags** - FAST flags

:retval:
         -  0 - Success; Kerberos errors otherwise.

The following flag values are valid:

- :data:`KRB5_FAST_REQUIRED` - Require FAST to be used

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_init_state.rst.txt

krb5_c_init_state - Initialize a new cipher state.
====================================================

.. c:function:: krb5_error_code krb5_c_init_state(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, krb5_data * new_state)

:param:
          **[in]** **context** - Library context
          **[in]** **key** - Key
          **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)
          **[out]** **new_state** - New cipher state

:retval:
         -  0 Success; otherwise - Kerberos error codes
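Two of the entries above describe derivations rather than just calls: krb5_c_derive_prfplus() (PRF+ from RFC 6113 over the enctype's PRF) and krb5_k_make_checksum() (a checksum key Kc derived from the key and the usage). The following is an added example, not libkrb5's code, that carries both derivations through for one enctype, aes128-cts-hmac-sha256-128 (RFC 8009), using only the Python standard library so it runs without libkrb5. The KDF, PRF, PRF+, usage-key and checksum definitions follow RFC 8009 and RFC 6113; the known-answer values are the RFC 8009 appendix A vectors. KRB-FX-CF2, the PRF+ combiner that FAST builds armor keys from, goes one step beyond the page and is included because it is the main consumer of this derivation.

```python
"""Added example, not libkrb5 code: the key derivation documented for
krb5_c_derive_prfplus() (PRF+ from RFC 6113) and the keyed checksum
documented for krb5_k_make_checksum() (Kc derived from key and usage),
re-implemented for aes128-cts-hmac-sha256-128 (RFC 8009) with the Python
standard library so that it runs without libkrb5."""
import hashlib
import hmac

KEY_LEN = 16        # aes128: key length == key-generation seed length
PRF_LEN = 32        # what krb5_c_prf_length() reports for this enctype
CKSUM_LEN = 16      # checksum truncated to 128 bits (RFC 8009 section 4)
KC, KE, KI = b"\x99", b"\xaa", b"\x55"   # usage-key suffixes (checksum, encryption, integrity)

# Known-answer vectors from RFC 8009 appendix A.
RFC8009_BASE_KEY = bytes.fromhex("3705D96080C17728A0E800EAB6E0D23C")
RFC8009_KC_USAGE2 = bytes.fromhex("B31A018A48F54776F403E9A396325DC3")
RFC8009_PRF_TEST = bytes.fromhex("9D188616F63852FE86915BB840B4A886"
                                 "FF3E6BB0F819B49B893393D393854295")
RFC8009_CKSUM_USAGE2 = bytes.fromhex("D78367186643D67B411CBA9139FC1DEE")


def kdf_hmac_sha2(key: bytes, label: bytes, context: bytes, k_bits: int) -> bytes:
    """KDF-HMAC-SHA2 (RFC 8009 section 3, SHA-256 flavour):
    k-truncate(HMAC-SHA-256(key, 0x00000001 | label | 0x00 | context | k))."""
    msg = (1).to_bytes(4, "big") + label + b"\x00" + context + k_bits.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[: k_bits // 8]


def derive_usage_key(base_key: bytes, usage: int, kind: bytes) -> bytes:
    """Kc/Ke/Ki = KDF-HMAC-SHA2(base-key, usage | kind, 128); usage is 32-bit big-endian."""
    return kdf_hmac_sha2(base_key, usage.to_bytes(4, "big") + kind, b"", 128)


def prf(key: bytes, octet_string: bytes) -> bytes:
    """The enctype PRF that krb5_c_prf() computes: KDF-HMAC-SHA2(key, "prf", input, 256)."""
    return kdf_hmac_sha2(key, b"prf", octet_string, PRF_LEN * 8)


def prf_plus(key: bytes, s: bytes, n: int) -> bytes:
    """PRF+ (RFC 6113 section 5.1): PRF(K, 1|S) | PRF(K, 2|S) | ... truncated to
    n octets, with a one-octet counter."""
    out = b""
    counter = 1
    while len(out) < n:
        out += prf(key, bytes([counter]) + s)
        counter += 1
    return out[:n]


def derive_prfplus(key: bytes, input_string: bytes) -> bytes:
    """What krb5_c_derive_prfplus() yields for an AES key: PRF+ output of the
    key-generation seed length, passed through random-to-key (identity for AES)."""
    return prf_plus(key, input_string, KEY_LEN)


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """KRB-FX-CF2 (RFC 6113): random-to-key(PRF+(K1, pepper1) XOR PRF+(K2, pepper2)),
    the combiner FAST uses for armor keys."""
    a = prf_plus(k1, pepper1, KEY_LEN)
    b = prf_plus(k2, pepper2, KEY_LEN)
    return bytes(x ^ y for x, y in zip(a, b))


def make_checksum(base_key: bytes, usage: int, data: bytes) -> bytes:
    """Keyed checksum as krb5_k_make_checksum() computes it for this enctype:
    HMAC-SHA-256 under Kc (derived from key and usage), truncated to 128 bits."""
    kc = derive_usage_key(base_key, usage, KC)
    return hmac.new(kc, data, hashlib.sha256).digest()[:CKSUM_LEN]


def verify_checksum(base_key: bytes, usage: int, data: bytes, cksum: bytes) -> bool:
    """Constant-time comparison; a different usage yields a different Kc and fails."""
    return hmac.compare_digest(make_checksum(base_key, usage, data), cksum)


def rfc8009_known_answers() -> dict:
    """Self-check against the RFC 8009 appendix A vectors."""
    return {
        "Kc usage 2": derive_usage_key(RFC8009_BASE_KEY, 2, KC) == RFC8009_KC_USAGE2,
        "PRF('test')": prf(RFC8009_BASE_KEY, b"test") == RFC8009_PRF_TEST,
        "checksum": make_checksum(RFC8009_BASE_KEY, 2, bytes(range(21))) == RFC8009_CKSUM_USAGE2,
    }
```

The usage number is part of the key derivation, which is why a checksum made under one usage does not verify under another even with the same base key; that separation is what the *usage* argument of krb5_k_make_checksum() buys. The one-octet counter in PRF+ caps the derivable output at 255 PRF blocks, far more than any enctype's seed length needs.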
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.rst.txt

krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.
============================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock)

:param:
          **[in]** **ctx** - Library context
          **[in]** **ac** - Authentication context
          **[out]** **keyblock** - Send subkey

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function creates a keyblock containing the send subkey from *ac*. Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_error_message.rst.txt

krb5_set_error_message - Set an extended error message for an error code.
===========================================================================

.. c:function:: void krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... )

:param:
          **[in]** **ctx** - Library context
          **[in]** **code** - Error code
          **[in]** **fmt** - printf(3) style format string for the error message, followed by its arguments

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.rst.txt

krb5_init_creds_free - Free an initial credentials context.
=============================================================

.. c:function:: void krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx)

:param:
          **[in]** **context** - Library context
          **[in]** **ctx** - Initial credentials context

*context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.rst.txt

krb5_auth_con_getlocalsubkey
============================

.. c:function:: krb5_error_code krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock)

:param:
          **context**
          **auth_context**
          **keyblock**

DEPRECATED Replaced by krb5_auth_con_getsendsubkey().

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.rst.txt

krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure.
====================================================================

.. c:function:: krb5_enctype krb5_k_key_enctype(krb5_context context, krb5_key key)

:param:
          **context**
          **key**

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.rst.txt

krb5_timestamp_to_string - Convert a timestamp to a string.
=============================================================

.. c:function:: krb5_error_code krb5_timestamp_to_string(krb5_timestamp timestamp, char * buffer, size_t buflen)

:param:
          **[in]** **timestamp** - Timestamp to convert
          **[out]** **buffer** - Buffer to hold converted timestamp
          **[in]** **buflen** - Storage available in *buffer*

:retval:
         -  0 Success; otherwise - Kerberos error codes

The string is returned in the locale's appropriate date and time representation.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_free_state.rst.txt

krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state().
=======================================================================================
.. c:function:: krb5_error_code krb5_c_free_state(krb5_context context, const krb5_keyblock * key, krb5_data * state)

:param:
          **[in]** **context** - Library context
          **[in]** **key** - Key
          **[in]** **state** - Cipher state to be freed

:retval:
         -  0 Success; otherwise - Kerberos error codes

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.rst.txt

krb5_c_crypto_length - Return a length of a message field specific to the encryption type.
============================================================================================

.. c:function:: krb5_error_code krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int * size)

:param:
          **[in]** **context** - Library context
          **[in]** **enctype** - Encryption type
          **[in]** **type** - Type field (See :data:`KRB5_CRYPTO_TYPE` types)
          **[out]** **size** - Length of the *type* specific to *enctype*

:retval:
         -  0 Success; otherwise - Kerberos error codes

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.rst.txt

krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list.
=====================================================================================================

.. c:function:: krb5_error_code krb5_build_principal_alloc_va(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, va_list ap)

:param:
          **[in]** **context** - Library context
          **[out]** **princ** - Principal structure
          **[in]** **rlen** - Realm name length
          **[in]** **realm** - Realm name
          **[in]** **ap** - List of char * components, ending with NULL

:retval:
         -  0 Success

:return:
         -  Kerberos error codes
Similar to :c:func:`krb5_build_principal()`, this function builds a principal name, but its name components are specified as a va_list. Use :c:func:`krb5_free_principal()` to deallocate *princ* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_process_key.rst.txt

krb5_process_key
================

.. c:function:: krb5_error_code krb5_process_key(krb5_context context, krb5_encrypt_block * eblock, const krb5_keyblock * key)

:param:
          **context**
          **eblock**
          **key**

DEPRECATED Replaced by krb5_c_* API family.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_get_client_info.rst.txt

krb5_pac_get_client_info
========================

.. c:function:: krb5_error_code krb5_pac_get_client_info(krb5_context context, const krb5_pac pac, krb5_timestamp * authtime_out, char ** princname_out)

:param:
          **context**
          **pac**
          **authtime_out**
          **princname_out**

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_free.rst.txt

krb5_auth_con_free - Free a krb5_auth_context structure.
==========================================================

.. c:function:: krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)

:param:
          **[in]** **context** - Library context
          **[in]** **auth_context** - Authentication context to be freed

:retval:
         -  0 (always)

This function frees an auth context allocated by :c:func:`krb5_auth_con_init()`.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_cred.rst.txt

krb5_rd_cred - Read and validate a KRB-CRED message.
======================================================
.. c:function:: krb5_error_code krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data * creddata, krb5_creds *** creds_out, krb5_replay_data * rdata_out)

:param:
          **[in]** **context** - Library context
          **[in]** **auth_context** - Authentication context
          **[in]** **creddata** - **KRB-CRED** message
          **[out]** **creds_out** - Null-terminated array of forwarded credentials
          **[out]** **rdata_out** - Replay data (NULL if not needed)

:retval:
         -  0 Success; otherwise - Kerberos error codes

*creddata* will be decrypted using the receiving subkey if it is present in *auth_context*, or the session key if the receiving subkey is not present or fails to decrypt the message. Use :c:func:`krb5_free_tgt_creds()` to free *creds_out* when it is no longer needed.

.. note:: The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context*.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.rst.txt

krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in an IOV array.
============================================================================================

.. c:function:: krb5_error_code krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, krb5_crypto_iov * data, size_t num_data)

:param:
          **[in]** **context** - Library context
          **[in]** **enctype** - Encryption type
          **[inout]** **data** - IOV array
          **[in]** **num_data** - Size of *data*

:retval:
         -  0 Success; otherwise - Kerberos error codes

Padding is set to the actual padding required based on the provided *data* buffers. Typically this API is used after setting up the data buffers and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` buffers, but before actually allocating header, trailer and padding.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.rst.txt

krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options.
============================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt * opt, int forwardable)

:param:
          **[in]** **opt** - Options structure
          **[in]** **forwardable** - Whether credentials should be forwardable

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.rst.txt

krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.
=========================================================================================================

.. c:function:: krb5_error_code krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * identity, const char * pin)

:param:
          **[in]** **ctx** - Library context
          **[in]** **rctx** - Responder context
          **[in]** **identity** - The identity for which a PIN is being supplied
          **[in]** **pin** - The provided PIN, or NULL for none

.. note:: New in 1.12

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_reference_key.rst.txt

krb5_k_reference_key - Increment the reference count on a key.
================================================================

.. c:function:: void krb5_k_reference_key(krb5_context context, krb5_key key)

:param:
          **context**
          **key**
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_timeofday.rst.txt

krb5_timeofday - Retrieve the current time with context specific time offset adjustment.
==========================================================================================

.. c:function:: krb5_error_code krb5_timeofday(krb5_context context, krb5_timestamp * timeret)

:param:
          **[in]** **context** - Library context
          **[out]** **timeret** - Timestamp to fill in

:retval:
         -  0 Success

:return:
         -  Kerberos error codes

This function retrieves the system time of day with the context specific time offset adjustment.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_priv.rst.txt

krb5_mk_priv - Format a KRB-PRIV message.
===========================================

.. c:function:: krb5_error_code krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out)

:param:
          **[in]** **context** - Library context
          **[in]** **auth_context** - Authentication context
          **[in]** **userdata** - User data for **KRB-PRIV** message
          **[out]** **der_out** - Formatted **KRB-PRIV** message
          **[out]** **rdata_out** - Replay data (NULL if not needed)

:retval:
         -  0 Success; otherwise - Kerberos error codes

This function is similar to :c:func:`krb5_mk_safe()`, but the message is encrypted and integrity-protected, not just integrity-protected. The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-PRIV message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.
If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context* , a timestamp is included in the KRB-PRIV message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If :data:`KRB5_AUTH_CONTEXT_DO_TIME` is not set, no replay cache is used. If :data:`KRB5_AUTH_CONTEXT_RET_TIME` is set in *auth_context* , a timestamp is included in the KRB-PRIV message and is stored in *rdata_out* . If either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the *auth_context* local sequence number is included in the KRB-PRIV message and then incremented. If :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the sequence number used is stored in *rdata_out* . Use :c:func:`krb5_free_data_contents()` to free *der_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* . krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_data.rst.txt0000644000704600001450000000120714076311665026632 0ustar ghudsonsystemd-journalkrb5_copy_data - Copy a krb5_data object. =========================================== .. .. c:function:: krb5_error_code krb5_copy_data(krb5_context context, const krb5_data * indata, krb5_data ** outdata) .. :param: **[in]** **context** - Library context **[in]** **indata** - Data object to be copied **[out]** **outdata** - Copy of *indata* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_data object with the contents of *indata* . Use :c:func:`krb5_free_data()` to free *outdata* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_create_key.rst.txt0000644000704600001450000000124014076311665027311 0ustar ghudsonsystemd-journalkrb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock. 
==================================================================================== .. .. c:function:: krb5_error_code krb5_k_create_key(krb5_context context, const krb5_keyblock * key_data, krb5_key * out) .. :param: **[in]** **context** - Library context **[in]** **key_data** - Keyblock **[out]** **out** - Opaque key .. :retval: - 0 Success; otherwise - KRB5_BAD_ENCTYPE .. The reference count on a key *out* is set to 1. Use :c:func:`krb5_k_free_key()` to free *out* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.rst.txt0000644000704600001450000000137114076311665030156 0ustar ghudsonsystemd-journalkrb5_cc_get_principal - Get the default principal of a credential cache. ========================================================================== .. .. c:function:: krb5_error_code krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal * principal) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[out]** **principal** - Primary principal .. :retval: - 0 Success :return: - Kerberos error codes .. Returns the default client principal of a credential cache as set by :c:func:`krb5_cc_initialize()` . Use :c:func:`krb5_free_principal()` to free *principal* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.rst.txt0000644000704600001450000000154514076311665027633 0ustar ghudsonsystemd-journalkrb5_cc_remove_cred - Remove credentials from a credential cache. =================================================================== .. .. c:function:: krb5_error_code krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * creds) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle **[in]** **flags** - Bitwise-ORed search flags **[in]** **creds** - Credentials to be matched .. 
:retval: - KRB5_CC_NOSUPP Not implemented for this cache type :return: - No matches found; Data cannot be deleted; Kerberos error codes .. This function accepts the same flag values as :c:func:`krb5_cc_retrieve_cred()` . .. .. warning:: This function is not implemented for some cache types. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_prf.rst.txt0000644000704600001450000000161114076311665025767 0ustar ghudsonsystemd-journalkrb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key). ====================================================================================== .. .. c:function:: krb5_error_code krb5_k_prf(krb5_context context, krb5_key key, krb5_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Key **[in]** **input** - Input data **[out]** **output** - Output data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function selects a pseudo-random function based on *key* and computes its value over *input* , placing the result into *output* . The caller must preinitialize *output* and allocate space for the result. .. .. note:: This function is similar to :c:func:`krb5_c_prf()` , but operates on opaque *key* . krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.rst.txt0000644000704600001450000000126114076311665031607 0ustar ghudsonsystemd-journalkrb5_init_creds_set_password - Set a password for acquiring initial credentials. ================================================================================== .. .. c:function:: krb5_error_code krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, const char * password) .. :param: **[in]** **context** - Library context **[in]** **ctx** - Initial credentials context **[in]** **password** - Password .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function supplies a password to be used to construct the client key for an initial credentials request. 
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.rst.txt0000644000704600001450000000152414076311665032043 0ustar ghudsonsystemd-journalkrb5_encode_authdata_container - Wrap authorization data in a container. ========================================================================== .. .. c:function:: krb5_error_code krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const * authdata, krb5_authdata *** container) .. :param: **[in]** **context** - Library context **[in]** **type** - :data:`KRB5_AUTHDATA` type of *container* **[in]** **authdata** - List of authorization data to be encoded **[out]** **container** - List of encoded authorization data .. :retval: - 0 Success; otherwise - Kerberos error codes .. The result is returned in *container* as a single-element list. .. .. seealso:: :c:func:`krb5_decode_authdata_container()` krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_encrypt.rst.txt0000644000704600001450000000263414076311665026672 0ustar ghudsonsystemd-journalkrb5_k_encrypt - Encrypt data using a key (operates on opaque key). ===================================================================== .. .. c:function:: krb5_error_code krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Data to be encrypted **[out]** **output** - Encrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *input* and stores the output into *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. 
If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result (using :c:func:`krb5_c_encrypt_length()` to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.rst.txt0000644000704600001450000000105014076311665030330 0ustar ghudsonsystemd-journalkrb5_c_checksum_length - Return the length of checksums for a checksum type. ============================================================================== .. .. c:function:: krb5_error_code krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, size_t * length) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type **[out]** **length** - Checksum length .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.rst.txt0000644000704600001450000000162414076311665033112 0ustar ghudsonsystemd-journalkrb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. ================================================================================================ .. .. c:function:: krb5_error_code krb5_responder_pkinit_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge ** chl_out) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[out]** **chl_out** - Challenge structure .. .. A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. 
The returned value must be passed to :c:func:`krb5_responder_pkinit_challenge_free()` to be freed. .. .. note:: New in 1.12 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.rst.txt0000644000704600001450000000161614076311665034005 0ustar ghudsonsystemd-journalkrb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket. ====================================================================================================== .. .. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pac_request(krb5_context context, krb5_get_init_creds_opt * opt, krb5_boolean req_pac) .. :param: **[in]** **context** - Library context **[in]** **opt** - Options structure **[in]** **req_pac** - Whether to request a PAC or not .. .. If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. .. .. note:: New in 1.15 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_switch.rst.txt0000644000704600001450000000122114076311665026631 0ustar ghudsonsystemd-journalkrb5_cc_switch - Make a credential cache the primary cache for its collection. ================================================================================ .. .. c:function:: krb5_error_code krb5_cc_switch(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :retval: - 0 Success, or the type of cache doesn't support switching :return: - Kerberos error codes .. If the type of *cache* supports it, set *cache* to be the primary credential cache for the collection it belongs to. .. 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.rst.txt0000644000704600001450000000123114076311665031754 0ustar ghudsonsystemd-journalkrb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context. ============================================================================== .. .. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key) .. :param: **[in]** **ctx** - Library context **[in]** **ac** - Authentication context **[in]** **key** - Receiving subkey .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the receiving subkey in *ac* to *key* , incrementing its reference count. .. .. note:: New in 1.9 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_get_name.rst.txt0000644000704600001450000000132714076311665027116 0ustar ghudsonsystemd-journalkrb5_cc_get_name - Retrieve the name, but not type of a credential cache. =========================================================================== .. .. c:function:: const char * krb5_cc_get_name(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :return: - On success - the name of the credential cache. .. .. .. warning:: Returns the name of the credential cache. The result is an alias into *cache* and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to :c:func:`krb5_cc_resolve()` . krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.rst.txt0000644000704600001450000000217314076311665030523 0ustar ghudsonsystemd-journalkrb5_unparse_name_flags - Convert krb5_principal structure to a string with flags. ==================================================================================== .. .. 
c:function:: krb5_error_code krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char ** name)

:param:
  **[in]** **context** - Library context
  **[in]** **principal** - Principal
  **[in]** **flags** - Flags
  **[out]** **name** - String representation of principal name

:retval:
  - 0 Success
:return:
  - Kerberos error codes. On failure *name* is set to NULL

Similar to :c:func:`krb5_unparse_name()` , this function converts a krb5_principal structure to a string representation. The following flags are valid:

- :data:`KRB5_PRINCIPAL_UNPARSE_SHORT` - omit realm if it is the local realm
- :data:`KRB5_PRINCIPAL_UNPARSE_NO_REALM` - omit realm
- :data:`KRB5_PRINCIPAL_UNPARSE_DISPLAY` - do not quote special characters

Without :data:`KRB5_PRINCIPAL_UNPARSE_DISPLAY` the special characters in components are quoted, so the result can be passed back to :c:func:`krb5_parse_name()` unambiguously; the display form is for presentation only.

Use :c:func:`krb5_free_unparsed_name()` to free *name* when it is no longer needed.

krb5_cc_cache_match - Find a credential cache with a specified client principal.
==================================================================================

.. c:function:: krb5_error_code krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_ccache * cache_out)

:param:
  **[in]** **context** - Library context
  **[in]** **client** - Client principal
  **[out]** **cache_out** - Credential cache handle

:retval:
  - 0 Success
  - KRB5_CC_NOTFOUND None

Find a cache within the collection whose default principal is *client* . Use :c:func:`krb5_cc_close()` to close *cache_out* when it is no longer needed.

.. note:: New in 1.10

krb5_set_kdc_recv_hook - Set a KDC post-receive hook function.
================================================================

..
c:function:: void krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void * data) .. :param: **[in]** **context** - The library context. **[in]** **recv_hook** - Hook function (or NULL to disable the hook) **[in]** **data** - Callback data to be passed to *recv_hook* .. .. *recv_hook* will be called after a reply is received from a KDC during a call to a library function such as :c:func:`krb5_get_credentials()` . The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply. .. .. note:: New in 1.15 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_error.rst.txt0000644000704600001450000000132714076311665026510 0ustar ghudsonsystemd-journalkrb5_rd_error - Decode a KRB-ERROR message. ============================================= .. .. c:function:: krb5_error_code krb5_rd_error(krb5_context context, const krb5_data * enc_errbuf, krb5_error ** dec_error) .. :param: **[in]** **context** - Library context **[in]** **enc_errbuf** - Encoded error message **[out]** **dec_error** - Decoded error message .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function processes **KRB-ERROR** message *enc_errbuf* and returns an allocated structure *dec_error* containing the error message. Use :c:func:`krb5_free_error()` to free *dec_error* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.rst.txt0000644000704600001450000000464314076311665026460 0ustar ghudsonsystemd-journalkrb5_mk_ncred - Format a KRB-CRED message for an array of credentials. ======================================================================== .. .. c:function:: krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** creds, krb5_data ** der_out, krb5_replay_data * rdata_out) .. 
:param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **creds** - Null-terminated array of credentials **[out]** **der_out** - Encoded credentials **[out]** **rdata_out** - Replay cache information (NULL if not needed) .. :retval: - 0 Success - ENOMEM Insufficient memory - KRB5_RC_REQUIRED Message replay detection requires rcache parameter :return: - Kerberos error codes .. This function takes an array of credentials *creds* and formats a **KRB-CRED** message *der_out* to pass to :c:func:`krb5_rd_cred()` . The local and remote addresses in *auth_context* are optional; if either is specified, they are used to form the sender and receiver addresses in the KRB-CRED message. If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context* , an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If :data:`KRB5_AUTH_CONTEXT_DO_TIME` is not set, no replay cache is used. If :data:`KRB5_AUTH_CONTEXT_RET_TIME` is set in *auth_context* , the timestamp used for the KRB-CRED message is stored in *rdata_out* . If either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the *auth_context* local sequence number is included in the KRB-CRED message and then incremented. If :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the sequence number used is stored in *rdata_out* . Use :c:func:`krb5_free_data_contents()` to free *der_out* when it is no longer needed. The message will be encrypted using the send subkey of *auth_context* if it is present, or the session key otherwise. If neither key is present, the credentials will not be encrypted, and the message should only be sent over a secure channel. No replay cache entry is used in this case. .. .. note:: The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* . 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.rst.txt0000644000704600001450000000124514076311665031775 0ustar ghudsonsystemd-journalkrb5_get_in_tkt_with_password ============================= .. .. c:function:: krb5_error_code krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const char * password, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) .. :param: **context** **options** **addrs** **ktypes** **pre_auth_types** **password** **ccache** **creds** **ret_as_reply** .. .. DEPRECATED Replaced by krb5_get_init_creds_password() . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.rst.txt0000644000704600001450000000300714076311665027704 0ustar ghudsonsystemd-journalkrb5_tkt_creds_step - Get the next KDC request in a TGS exchange. =================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context **[in]** **in** - KDC response (empty on the first call) **[out]** **out** - Next KDC request **[out]** **realm** - Realm for next KDC request **[out]** **flags** - Output flags .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. If more requests are needed, *flags* will be set to :data:`KRB5_TKT_CREDS_STEP_FLAG_CONTINUE` and the next request will be placed in *out* . 
If no more requests are needed, *flags* will not contain :data:`KRB5_TKT_CREDS_STEP_FLAG_CONTINUE` and *out* will be empty. If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. .. .. note:: New in 1.9 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_error_message.rst.txt0000644000704600001450000000165014076311665030365 0ustar ghudsonsystemd-journalkrb5_get_error_message - Get the (possibly extended) error message for a code. ================================================================================ .. .. c:function:: const char * krb5_get_error_message(krb5_context ctx, krb5_error_code code) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code .. .. The behavior of :c:func:`krb5_get_error_message()` is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. This function never returns NULL, so its result may be used unconditionally as a C string. The string returned by this function must be freed using :c:func:`krb5_free_error_message()` .. .. note:: Future versions may return the same string for the second and following calls. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_init.rst.txt0000644000704600001450000000103314076311665026452 0ustar ghudsonsystemd-journalkrb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle. =============================================================================== .. .. c:function:: krb5_error_code krb5_pac_init(krb5_context context, krb5_pac * pac) .. :param: **[in]** **context** - Library context **[out]** **pac** - New PAC handle .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use :c:func:`krb5_pac_free()` to free *pac* when it is no longer needed. .. 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_safe.rst.txt0000644000704600001450000000354314076311665026277 0ustar ghudsonsystemd-journalkrb5_rd_safe - Process KRB-SAFE message. ========================================== .. .. c:function:: krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * userdata_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **inbuf** - **KRB-SAFE** message to be parsed **[out]** **userdata_out** - Data parsed from **KRB-SAFE** message **[out]** **rdata_out** - Replay data. Specify NULL if not needed .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function parses a **KRB-SAFE** message, verifies its integrity, and stores its data into *userdata_out* . If *auth_context* has a remote address set, the address will be used to verify the sender address in the KRB-SAFE message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. If the :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used. If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context* , then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays. Use :c:func:`krb5_free_data_contents()` to free *userdata_out* when it is no longer needed. .. .. note:: The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* . 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.rst.txt0000644000704600001450000000115514076311665031243 0ustar ghudsonsystemd-journalkrb5_prepend_error_message - Add a prefix to the message for an error code. ============================================================================= .. .. c:function:: void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... ) .. :param: **[in]** **ctx** - Library context **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix .. .. Format a message and prepend it to the current message for *code* . The prefix will be separated from the old message with a colon and space. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_block_size.rst.txt0000644000704600001450000000076014076311665027320 0ustar ghudsonsystemd-journalkrb5_c_block_size - Return cipher block size. =============================================== .. .. c:function:: krb5_error_code krb5_c_block_size(krb5_context context, krb5_enctype enctype, size_t * blocksize) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **blocksize** - Block size for *enctype* .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.rst.txt0000644000704600001450000000321314076311665027531 0ustar ghudsonsystemd-journalkrb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock). ==================================================================================== .. .. c:function:: krb5_error_code krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. 
:param: **[in]** **context** - Library context **[in]** **keyblock** - Encryption key **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: :c:func:`krb5_c_decrypt_iov()` .. note:: On return from a :c:func:`krb5_c_encrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.rst.txt0000644000704600001450000000111214076311665030076 0ustar ghudsonsystemd-journalkrb5_kt_remove_entry - Remove an entry from a key table. ========================================================== .. .. c:function:: krb5_error_code krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry) .. :param: **[in]** **context** - Library context **[in]** **id** - Key table handle **[in]** **entry** - Entry to remove from key table .. :retval: - 0 Success - KRB5_KT_NOWRITE Key table is not writable :return: - Kerberos error codes .. .. 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_appdefault_string.rst.txt0000644000704600001450000000165314076311665030407 0ustar ghudsonsystemd-journalkrb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf. ============================================================================================= .. .. c:function:: void krb5_appdefault_string(krb5_context context, const char * appname, const krb5_data * realm, const char * option, const char * default_value, char ** ret_value) .. :param: **[in]** **context** - Library context **[in]** **appname** - Application name **[in]** **realm** - Realm name **[in]** **option** - Option to be checked **[in]** **default_value** - Default value to return if no match is found **[out]** **ret_value** - String value of *option* .. .. This function gets the application defaults for *option* based on the given *appname* and/or *realm* . .. .. seealso:: :c:func:`krb5_appdefault_boolean()` krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.rst.txt0000644000704600001450000000137514076311665030563 0ustar ghudsonsystemd-journalkrb5_wrap_error_message - Add a prefix to a different error code's message. ============================================================================= .. .. c:function:: void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, ... ) .. :param: **[in]** **ctx** - Library context **[in]** **old_code** - Previous error code **[in]** **code** - Error code **[in]** **fmt** - Format string for error message prefix .. .. Format a message and prepend it to the message for *old_code* . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for *code* . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_encrypt.rst.txt0000644000704600001450000000066114076311665026356 0ustar ghudsonsystemd-journalkrb5_encrypt ============ .. .. 
c:function:: krb5_error_code krb5_encrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) .. :param: **context** **inptr** **outptr** **size** **eblock** **ivec** .. .. DEPRECATED Replaced by krb5_c_* API family. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_build_principal_va.rst.txt0000644000704600001450000000064214076311665030517 0ustar ghudsonsystemd-journalkrb5_build_principal_va ======================= .. .. c:function:: krb5_error_code krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char * realm, va_list ap) .. :param: **context** **princ** **rlen** **realm** **ap** .. .. DEPRECATED Replaced by krb5_build_principal_alloc_va() . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kuserok.rst.txt0000644000704600001450000000121414076311665026350 0ustar ghudsonsystemd-journalkrb5_kuserok - Determine if a principal is authorized to log in as a local user. ================================================================================== .. .. c:function:: krb5_boolean krb5_kuserok(krb5_context context, krb5_principal principal, const char * luser) .. :param: **[in]** **context** - Library context **[in]** **principal** - Principal name **[in]** **luser** - Local username .. :retval: - TRUE Principal is authorized to log in as user; FALSE otherwise. .. Determine whether *principal* is authorized to log in as a local user *luser* . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_decrypt.rst.txt0000644000704600001450000000066114076311665026344 0ustar ghudsonsystemd-journalkrb5_decrypt ============ .. .. c:function:: krb5_error_code krb5_decrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) .. :param: **context** **inptr** **outptr** **size** **eblock** **ivec** .. .. DEPRECATED Replaced by krb5_c_* API family. .. 
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_addresses.rst.txt

krb5_free_addresses - Free the data stored in array of addresses.
===================================================================

.. c:function:: void krb5_free_addresses(krb5_context context, krb5_address ** val)

:param:
    - **[in]** **context** - Library context
    - **[in]** **val** - Array of addresses to be freed

This function frees the contents of *val* and the array itself.

.. note:: The last entry in the array must be a NULL pointer.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.rst.txt

krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options.
========================================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)

:param:
    - **[in]** **context** - Library context
    - **[in]** **opt** - Options
    - **[in]** **ccache** - Credential cache handle

If an output credential cache is set, then the krb5_get_init_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5_get_init_creds APIs to write out configuration information about the realm to the ccache.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_password.rst.txt

krb5_set_password - Set a password for a principal using specified credentials.
=================================================================================

.. c:function:: krb5_error_code krb5_set_password(krb5_context context, krb5_creds * creds, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string)

:param:
    - **[in]** **context** - Library context
    - **[in]** **creds** - Credentials for kadmin/changepw service
    - **[in]** **newpw** - New password
    - **[in]** **change_password_for** - Change the password for this principal
    - **[out]** **result_code** - Numeric error code from server
    - **[out]** **result_code_string** - String equivalent to *result_code*
    - **[out]** **result_string** - Data returned from the remote system

:retval:
    - 0 Success and result_code is set to KRB5_KPASSWD_SUCCESS.

:return:
    - Kerberos error codes.

This function uses the credentials *creds* to set the password *newpw* for the principal *change_password_for*. It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. The error code and strings are returned in *result_code*, *result_code_string* and *result_string*.

.. note:: If *change_password_for* is NULL, the change is performed on the current principal. If *change_password_for* is non-null, the change is performed on the principal name passed in *change_password_for*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_default.rst.txt

krb5_cc_default - Resolve the default credential cache name.
==============================================================

.. c:function:: krb5_error_code krb5_cc_default(krb5_context context, krb5_ccache * ccache)

:param:
    - **[in]** **context** - Library context
    - **[out]** **ccache** - Pointer to credential cache name

:retval:
    - 0 Success
    - KV5M_CONTEXT Bad magic number for _krb5_context structure
    - KRB5_FCC_INTERNAL The name of the default credential cache cannot be obtained

:return:
    - Kerberos error codes

Create a handle to the default credential cache as given by :c:func:`krb5_cc_default_name()`.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.rst.txt

krb5_init_creds_init - Create a context for acquiring initial credentials.
============================================================================

.. c:function:: krb5_error_code krb5_init_creds_init(krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, krb5_get_init_creds_opt * options, krb5_init_creds_context * ctx)

:param:
    - **[in]** **context** - Library context
    - **[in]** **client** - Client principal to get initial creds for
    - **[in]** **prompter** - Prompter callback
    - **[in]** **data** - Prompter callback argument
    - **[in]** **start_time** - Time when credentials become valid (0 for now)
    - **[in]** **options** - Options structure (NULL for default)
    - **[out]** **ctx** - New initial credentials context

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function creates a new context for acquiring initial credentials. Use :c:func:`krb5_init_creds_free()` to free *ctx* when it is no longer needed. Any subsequent calls to :c:func:`krb5_init_creds_step()`, :c:func:`krb5_init_creds_get()`, or :c:func:`krb5_init_creds_free()` for this initial credentials context must use the same *context* argument as the one passed to this function.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_principal.rst.txt

krb5_free_principal - Free the storage assigned to a principal.
=================================================================

.. c:function:: void krb5_free_principal(krb5_context context, krb5_principal val)

:param:
    - **[in]** **context** - Library context
    - **[in]** **val** - Principal to be freed
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.rst.txt

krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options.
=========================================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_expire_callback(krb5_context context, krb5_get_init_creds_opt * opt, krb5_expire_callback_func cb, void * data)

:param:
    - **[in]** **context** - Library context
    - **[in]** **opt** - Options structure
    - **[in]** **cb** - Callback function
    - **[in]** **data** - Callback argument

Set a callback to receive password and account expiration times.

*cb* will be invoked if and only if credentials are successfully acquired. The callback will receive the *context* from the calling function and the *data* argument supplied with this API. The remaining arguments should be interpreted as follows:

If *is_last_req* is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero *password_expiration* should be taken as a suggestion from the KDC that a warning be displayed.

If *is_last_req* is false, then *account_expiration* will be 0 and *password_expiration* will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning.

Note that *cb* may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller's responsibility to avoid displaying a password expiry warning in this case.

.. warning:: Setting an expire callback with this API will cause :c:func:`krb5_get_init_creds_password()` not to send password expiry warnings to the prompter, as it ordinarily may.

.. note:: New in 1.9

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_resolve.rst.txt

krb5_cc_resolve - Resolve a credential cache name.
====================================================

.. c:function:: krb5_error_code krb5_cc_resolve(krb5_context context, const char * name, krb5_ccache * cache)

:param:
    - **[in]** **context** - Library context
    - **[in]** **name** - Credential cache name to be resolved
    - **[out]** **cache** - Credential cache handle

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Fills in *cache* with a *cache* handle that corresponds to the name in *name*. *name* should be of the form **type:residual**, and *type* must be a type known to the library. If the *name* does not contain a colon, interpret it as a file name.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_change_password.rst.txt

krb5_change_password - Change a password for an existing Kerberos account.
============================================================================

.. c:function:: krb5_error_code krb5_change_password(krb5_context context, krb5_creds * creds, const char * newpw, int * result_code, krb5_data * result_code_string, krb5_data * result_string)

:param:
    - **[in]** **context** - Library context
    - **[in]** **creds** - Credentials for kadmin/changepw service
    - **[in]** **newpw** - New password
    - **[out]** **result_code** - Numeric error code from server
    - **[out]** **result_code_string** - String equivalent to *result_code*
    - **[out]** **result_string** - Change password response from the KDC

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Change the password for the existing principal identified by *creds*.

The possible values of the output *result_code* are:

- :data:`KRB5_KPASSWD_SUCCESS` (0) - success
- :data:`KRB5_KPASSWD_MALFORMED` (1) - Malformed request error
- :data:`KRB5_KPASSWD_HARDERROR` (2) - Server error
- :data:`KRB5_KPASSWD_AUTHERROR` (3) - Authentication error
- :data:`KRB5_KPASSWD_SOFTERROR` (4) - Password change rejected

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.rst.txt

krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key).
======================================================================================

.. c:function:: krb5_error_code krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)

:param:
    - **[in]** **context** - Library context
    - **[in]** **key** - Encryption key
    - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)
    - **[in]** **cipher_state** - Cipher state; specify NULL if not needed
    - **[inout]** **data** - IOV array. Modified in-place.
    - **[in]** **num_data** - Size of *data*

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

.. seealso:: :c:func:`krb5_k_decrypt_iov()`

.. note:: On return from a :c:func:`krb5_c_encrypt_iov()` call, the *data->length* values in the iov structures are adjusted to reflect the actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.rst.txt

krb5_auth_con_getkey_k - Retrieve the session key from an auth context.
=========================================================================

.. c:function:: krb5_error_code krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, krb5_key * key)

:param:
    - **[in]** **context** - Library context
    - **[in]** **auth_context** - Authentication context
    - **[out]** **key** - Session key

:retval:
    - 0 (always)

This function sets *key* to the session key from *auth_context*. Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.rst.txt

krb5_c_make_random_key - Generate an enctype-specific random encryption key.
==============================================================================

.. c:function:: krb5_error_code krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, krb5_keyblock * k5_random_key)

:param:
    - **[in]** **context** - Library context
    - **[in]** **enctype** - Encryption type of the generated key
    - **[out]** **k5_random_key** - An allocated and initialized keyblock

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Use :c:func:`krb5_free_keyblock_contents()` to free *k5_random_key* when no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.rst.txt

krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data.
======================================================================================

.. c:function:: krb5_error_code krb5_verify_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, const krb5_authdata * ad_kdcissued, krb5_principal * issuer, krb5_authdata *** authdata)

:param:
    - **[in]** **context** - Library context
    - **[in]** **key** - Session key
    - **[in]** **ad_kdcissued** - AD-KDCIssued authorization data to be unwrapped
    - **[out]** **issuer** - Name of issuing principal (or NULL)
    - **[out]** **authdata** - Unwrapped list of authorization data

This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against *key*. The issuer field of the authdatum element is returned in *issuer*, and the unwrapped list of authdata is returned in *authdata*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_principal_compare.rst.txt

krb5_principal_compare - Compare two principals.
==================================================

.. c:function:: krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)

:param:
    - **[in]** **context** - Library context
    - **[in]** **princ1** - First principal
    - **[in]** **princ2** - Second principal

:retval:
    - TRUE if the principals are the same; FALSE otherwise

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.rst.txt

krb5_string_to_cksumtype - Convert a string to a checksum type.
=================================================================

.. c:function:: krb5_error_code krb5_string_to_cksumtype(char * string, krb5_cksumtype * cksumtypep)

:param:
    - **[in]** **string** - String to be converted
    - **[out]** **cksumtypep** - Checksum type to be filled in

:retval:
    - 0 Success; otherwise
    - EINVAL
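The decision the expire callback has to make, as described under krb5_get_init_creds_opt_set_expire_callback above, written out as an added example. This is not krb5 library code: the ``expire_actions`` function, its names, the ``for_changepw`` flag carried in the callback data and the 7-day window for the ``is_last_req == false`` case are this example's own assumptions (the page leaves that choice to the callback). The guarded section at the end shows the real ``krb5_expire_callback_func`` signature and how the decision would be installed with ``krb5_get_init_creds_opt_set_expire_callback``; ``HAVE_LIBKRB5`` is a build flag of this example, not of krb5, so the block compiles and tests without libkrb5.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not krb5 library code.  A 64-bit stand-in for
 * krb5_timestamp (seconds since the epoch) keeps the decision logic
 * free of libkrb5 so it can be exercised on its own. */
typedef int64_t k5_ts;

enum expire_action {
    EXPIRE_NONE = 0,
    EXPIRE_WARN_PASSWORD = 1,   /* tell the user the password is expiring */
    EXPIRE_WARN_ACCOUNT = 2     /* tell the user the account is expiring */
};

/* Decide which warnings to show from the values the callback receives.
 * for_changepw: creds are being acquired for kadmin/changepw in order to
 *   change the password; the library may still invoke the callback then,
 *   and it is the caller's job not to warn (assumed flag in callback data).
 * warn_window: policy for the !is_last_req case (this example assumes
 *   7 days; the library leaves the choice to the callback).
 * Returns a bitmask of enum expire_action. */
int expire_actions(int for_changepw, int is_last_req,
                   k5_ts password_expiration, k5_ts account_expiration,
                   k5_ts now, k5_ts warn_window)
{
    int actions = EXPIRE_NONE;

    if (for_changepw)
        return EXPIRE_NONE;

    if (is_last_req) {
        /* The KDC reply carried last-req entries that name the expiring
         * item unambiguously; a non-zero password expiry is the KDC's
         * suggestion that a warning be displayed. */
        if (password_expiration != 0)
            actions |= EXPIRE_WARN_PASSWORD;
        if (account_expiration != 0)
            actions |= EXPIRE_WARN_ACCOUNT;
    } else {
        /* account_expiration is always 0 here; password_expiration is
         * the expiry of either the password or the account (or 0).  The
         * callback must decide for itself, so apply a time window;
         * an already-passed expiry (negative delta) also warns. */
        if (password_expiration != 0 &&
            password_expiration - now <= warn_window)
            actions |= EXPIRE_WARN_PASSWORD;
    }
    return actions;
}

#ifdef HAVE_LIBKRB5   /* build flag of this example, not of krb5 */
#include <krb5/krb5.h>
#include <time.h>

struct expire_cb_data {
    int for_changepw;   /* caller sets this before the changepw acquisition */
};

/* Matches the krb5_expire_callback_func typedef in krb5.h. */
static void expire_cb(krb5_context context, void *data,
                      krb5_timestamp password_expiration,
                      krb5_timestamp account_expiration,
                      krb5_boolean is_last_req)
{
    struct expire_cb_data *d = data;
    int act = expire_actions(d->for_changepw, is_last_req,
                             password_expiration, account_expiration,
                             (k5_ts)time(NULL), (k5_ts)7 * 24 * 60 * 60);
    (void)context;
    if (act & EXPIRE_WARN_PASSWORD)
        fprintf(stderr, "Warning: your password will expire soon\n");
    if (act & EXPIRE_WARN_ACCOUNT)
        fprintf(stderr, "Warning: your account will expire soon\n");
}

/* Install the callback; opt must come from krb5_get_init_creds_opt_alloc(). */
krb5_error_code install_expire_cb(krb5_context ctx,
                                  krb5_get_init_creds_opt *opt,
                                  struct expire_cb_data *d)
{
    return krb5_get_init_creds_opt_set_expire_callback(ctx, opt, expire_cb, d);
}
#endif
```

Because the callback also fires during the kadmin/changepw acquisition that a password change performs, the caller sets ``for_changepw`` in the data block before that acquisition and clears it afterwards; the pure function then stays silent rather than warning about a password the user is in the middle of replacing.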
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.rst.txt

krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options.
==============================================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt * opt, int prompt)

:param:
    - **[in]** **opt** - Options structure
    - **[in]** **prompt** - Whether to prompt to change password

This flag is on by default. It controls whether :c:func:`krb5_get_init_creds_password()` will react to an expired-password error by prompting for a new password and attempting to change the old one.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_principal.rst.txt

krb5_copy_principal - Copy a principal.
=========================================

.. c:function:: krb5_error_code krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal * outprinc)

:param:
    - **[in]** **context** - Library context
    - **[in]** **inprinc** - Principal to be copied
    - **[out]** **outprinc** - Copy of *inprinc*

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function creates a new principal structure with the contents of *inprinc*. Use :c:func:`krb5_free_principal()` to free *outprinc* when it is no longer needed.
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_authdata.rst.txt

krb5_free_authdata - Free the storage assigned to array of authentication data.
=================================================================================

.. c:function:: void krb5_free_authdata(krb5_context context, krb5_authdata ** val)

:param:
    - **[in]** **context** - Library context
    - **[in]** **val** - Array of authentication data to be freed

This function frees the contents of *val* and the array itself.

.. note:: The last entry in the array must be a NULL pointer.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_sign_ext.rst.txt

krb5_pac_sign_ext - Sign a PAC, possibly with a specified realm.
==================================================================

.. c:function:: krb5_error_code krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_boolean with_realm, krb5_data * data)

:param:
    - **[in]** **context** - Library context
    - **[in]** **pac** - PAC handle
    - **[in]** **authtime** - Expected timestamp
    - **[in]** **principal** - Principal name (or NULL)
    - **[in]** **server_key** - Key for server checksum
    - **[in]** **privsvr_key** - Key for KDC checksum
    - **[in]** **with_realm** - If true, include the realm of *principal*
    - **[out]** **data** - Signed PAC encoding

This function is similar to :c:func:`krb5_pac_sign()`, but adds a parameter *with_realm*. If *with_realm* is true, the PAC_CLIENT_INFO field of the signed PAC will include the realm of *principal* as well as the name. This flag is necessary to generate PACs for cross-realm S4U2Self referrals.

.. note:: New in 1.17

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_verify_ext.rst.txt

krb5_pac_verify_ext - Verify a PAC, possibly from a specified realm.
======================================================================

.. c:function:: krb5_error_code krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr, krb5_boolean with_realm)

:param:
    - **[in]** **context** - Library context
    - **[in]** **pac** - PAC handle
    - **[in]** **authtime** - Expected timestamp
    - **[in]** **principal** - Expected principal name (or NULL)
    - **[in]** **server** - Key to validate server checksum (or NULL)
    - **[in]** **privsvr** - Key to validate KDC checksum (or NULL)
    - **[in]** **with_realm** - If true, expect the realm of *principal*

This function is similar to :c:func:`krb5_pac_verify()`, but adds a parameter *with_realm*. If *with_realm* is true, the PAC_CLIENT_INFO field is expected to include the realm of *principal* as well as the name. This flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs.

.. note:: New in 1.17

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.rst.txt

krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache.
==============================================================================================

.. c:function:: krb5_error_code krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor)

:param:
    - **[in]** **context** - Library context
    - **[in]** **cache** - Credential cache handle
    - **[out]** **cursor** - Cursor

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

:c:func:`krb5_cc_end_seq_get()` must be called to complete the retrieve operation.

.. note:: If the cache represented by *cache* is modified between the time of the call to this function and the time of the final :c:func:`krb5_cc_end_seq_get()`, these changes may not be reflected in the results of :c:func:`krb5_cc_next_cred()` calls.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_enctypes.rst.txt

krb5_free_enctypes - Free an array of encryption types.
=========================================================

.. c:function:: void krb5_free_enctypes(krb5_context context, krb5_enctype * val)

:param:
    - **[in]** **context** - Library context
    - **[in]** **val** - Array of enctypes to be freed

.. note:: New in 1.12

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.rst.txt

krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials.
=========================================================================================

.. c:function:: krb5_error_code krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab)

:param:
    - **[in]** **context** - Library context
    - **[in]** **ctx** - Initial credentials context
    - **[in]** **keytab** - Key table handle

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function supplies a keytab containing the client key for an initial credentials request.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_chpw_message.rst.txt

krb5_chpw_message - Get a result message for changing or setting a password.
==============================================================================

.. c:function:: krb5_error_code krb5_chpw_message(krb5_context context, const krb5_data * server_string, char ** message_out)

:param:
    - **[in]** **context** - Library context
    - **[in]** **server_string** - Data returned from the remote system
    - **[out]** **message_out** - A message displayable to the user

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function processes the *server_string* returned in the *result_string* parameter of :c:func:`krb5_change_password()`, :c:func:`krb5_set_password()`, and related functions, and returns a displayable string. If *server_string* contains Active Directory structured policy information, it will be converted into human-readable text.

Use :c:func:`krb5_free_string()` to free *message_out* when it is no longer needed.

.. note:: New in 1.11

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_ticket.rst.txt

krb5_free_ticket - Free a ticket.
===================================

.. c:function:: void krb5_free_ticket(krb5_context context, krb5_ticket * val)

:param:
    - **[in]** **context** - Library context
    - **[in]** **val** - Ticket to be freed

This function frees the contents of *val* and the structure itself.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_host_realm.rst.txt

krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm().
=============================================================================

.. c:function:: krb5_error_code krb5_free_host_realm(krb5_context context, char *const * realmlist)

:param:
    - **[in]** **context** - Library context
    - **[in]** **realmlist** - List of realm names to be released

:retval:
    - 0 Success

:return:
    - Kerberos error codes

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.rst.txt

krb5_cc_set_default_name - Set the default credential cache name.
===================================================================

.. c:function:: krb5_error_code krb5_cc_set_default_name(krb5_context context, const char * name)

:param:
    - **[in]** **context** - Library context
    - **[in]** **name** - Default credential cache name or NULL

:retval:
    - 0 Success
    - KV5M_CONTEXT Bad magic number for _krb5_context structure

:return:
    - Kerberos error codes

Set the default credential cache name to *name* for future operations using *context*. If *name* is NULL, clear any previous application-set default name and forget any cached value of the default name for *context*.

Calls to this function invalidate the result of any previous calls to :c:func:`krb5_cc_default_name()` using *context*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.rst.txt

krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key).
======================================================================================

.. c:function:: krb5_error_code krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)

:param:
    - **[in]** **context** - Library context
    - **[in]** **key** - Encryption key
    - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)
    - **[in]** **cipher_state** - Cipher state; specify NULL if not needed
    - **[inout]** **data** - IOV array. Modified in-place.
    - **[in]** **num_data** - Size of *data*

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

.. seealso:: :c:func:`krb5_k_encrypt_iov()`

.. note:: On return from a :c:func:`krb5_c_decrypt_iov()` call, the *data->length* values in the iov structures are adjusted to reflect the actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_get_type.rst.txt

krb5_cc_get_type - Retrieve the type of a credential cache.
=============================================================

.. c:function:: const char * krb5_cc_get_type(krb5_context context, krb5_ccache cache)

:param:
    - **[in]** **context** - Library context
    - **[in]** **cache** - Credential cache handle

:return:
    - The type of a credential cache as an alias that must not be modified or freed by the caller.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.rst.txt

krb5_c_random_to_key - Generate an enctype-specific key from random data.
===========================================================================

.. c:function:: krb5_error_code krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, krb5_data * random_data, krb5_keyblock * k5_random_key)

:param:
    - **[in]** **context** - Library context
    - **[in]** **enctype** - Encryption type
    - **[in]** **random_data** - Random input data
    - **[out]** **k5_random_key** - Resulting key

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function takes random input data *random_data* and produces a valid key *k5_random_key* for a given *enctype*.

.. seealso:: :c:func:`krb5_c_keylengths()`

.. note:: It is assumed that *k5_random_key* has already been initialized and *k5_random_key->contents* has been allocated with the correct length.
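The credential cache name format that krb5_cc_resolve documents above ("type:residual", with a colon-less name treated as a file name), and that krb5_cc_default and krb5_cc_set_default_name hand to the library, as an added example parser. This is not krb5 library code: ``parse_ccache_name``, ``struct ccname`` and the type list are this example's own; the list is a subset of cache types this example assumes to exist in MIT krb5, and the real library checks the type against its registered cache implementations rather than a fixed table. The example splits at the first colon, since residuals such as ``KEYRING:persistent:1000`` contain colons of their own.

```c
#include <string.h>

/* Added example, not krb5 library code: split a credential cache name
 * into type and residual as the krb5_cc_resolve() entry describes,
 * "type:residual", splitting at the FIRST colon (the residual may itself
 * contain colons) and treating a name with no colon as a FILE path. */
#define CC_TYPE_MAX 32

struct ccname {
    char type[CC_TYPE_MAX];   /* "FILE", "DIR", "KEYRING", ... */
    const char *residual;     /* points into the caller's string */
    int implicit_file;        /* 1 when no colon was present */
};

/* Cache types this example assumes (a subset of MIT krb5's); the real
 * library consults its registered ccache ops instead of a table. */
static const char *const known_cc_types[] = {
    "FILE", "DIR", "MEMORY", "KEYRING", "KCM"
};

int ccache_type_known(const char *type)
{
    size_t i;
    for (i = 0; i < sizeof(known_cc_types) / sizeof(known_cc_types[0]); i++) {
        if (strcmp(type, known_cc_types[i]) == 0)
            return 1;
    }
    return 0;
}

/* Returns 0 on success; -1 for an empty name, an empty type (":x"), a type
 * longer than CC_TYPE_MAX-1 bytes, or a type this example does not know. */
int parse_ccache_name(const char *name, struct ccname *out)
{
    const char *colon;
    size_t tlen;

    if (name == NULL || *name == '\0')
        return -1;

    colon = strchr(name, ':');
    if (colon == NULL) {
        /* Documented rule: a name without a colon is a file name. */
        strcpy(out->type, "FILE");
        out->residual = name;
        out->implicit_file = 1;
        return 0;
    }

    tlen = (size_t)(colon - name);
    if (tlen == 0 || tlen >= CC_TYPE_MAX)
        return -1;
    memcpy(out->type, name, tlen);
    out->type[tlen] = '\0';
    out->residual = colon + 1;
    out->implicit_file = 0;

    /* "type must be a type known to the library" */
    return ccache_type_known(out->type) ? 0 : -1;
}
```

Parsing the name before handing it to krb5_cc_resolve is useful when the value comes from an untrusted or user-controlled source such as KRB5CCNAME: a service can reject unexpected cache types up front and log which type was requested, instead of learning only that resolution failed.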
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.rst.txt

krb5_get_in_tkt_with_skey
=========================

.. c:function:: krb5_error_code krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const krb5_keyblock * key, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply)

:param: **context** **options** **addrs** **ktypes** **pre_auth_types** **key** **ccache** **creds** **ret_as_reply**

DEPRECATED Replaced by krb5_get_init_creds().

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.rst.txt

krb5_kt_read_service_key - Retrieve a service key from a key table.
=====================================================================

.. c:function:: krb5_error_code krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock ** key)

:param:
    - **[in]** **context** - Library context
    - **[in]** **keyprocarg** - Name of a key table (NULL to use default name)
    - **[in]** **principal** - Service principal
    - **[in]** **vno** - Key version number (0 for highest available)
    - **[in]** **enctype** - Encryption type (0 for any type)
    - **[out]** **key** - Service key from key table

:retval:
    - 0 Success

:return:
    - Kerberos error code if not found or keyprocarg is invalid.

Open and search the specified key table for the entry identified by *principal*, *enctype*, and *vno*. If no key is found, return an error code.

The default key table is used, unless *keyprocarg* is non-null. *keyprocarg* designates a specific key table.

Use :c:func:`krb5_free_keyblock()` to free *key* when it is no longer needed.
krb5_get_host_realm - Get the Kerberos realm names for a host.
================================================================

.. c:function:: krb5_error_code krb5_get_host_realm(krb5_context context, const char * host, char *** realmsp)

:param:
    **[in]** **context** - Library context

    **[in]** **host** - Host name (or NULL)

    **[out]** **realmsp** - Null-terminated list of realm names

:retval:
    - 0 Success
    - ENOMEM Insufficient memory

:return:
    - Kerberos error codes

Fill in *realmsp* with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. If *host* is NULL, the local host's realms are determined.

Use :c:func:`krb5_free_host_realm()` to release *realmsp* when it is no longer needed.


krb5_responder_list_questions - List the question names contained in the responder context.
=============================================================================================

.. c:function:: const char *const * krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx)

:param:
    **[in]** **ctx** - Library context

    **[in]** **rctx** - Responder context

Return a pointer to a null-terminated list of question names which are present in *rctx*. The pointer is an alias, valid only as long as the lifetime of *rctx*, and should not be modified or freed by the caller. A question's challenge can be retrieved using :c:func:`krb5_responder_get_challenge()` and answered using :c:func:`krb5_responder_set_answer()`.

.. note:: New in 1.11


krb5_c_make_checksum - Compute a checksum (operates on keyblock).
===================================================================

.. c:function:: krb5_error_code krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum)

:param:
    **[in]** **context** - Library context

    **[in]** **cksumtype** - Checksum type (0 for mandatory type)

    **[in]** **key** - Encryption key for a keyed checksum

    **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)

    **[in]** **input** - Input data

    **[out]** **cksum** - Generated checksum

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function computes a checksum of type *cksumtype* over *input*, using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling :c:func:`krb5_free_checksum_contents()` when it is no longer needed.

.. seealso:: :c:func:`krb5_c_verify_checksum()`

.. note:: This function is similar to :c:func:`krb5_k_make_checksum()`, but operates on keyblock *key*.


krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type.
==============================================================================================

.. c:function:: krb5_error_code krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t * len)

:param:
    **[in]** **context** - Library context

    **[in]** **enctype** - Encryption type

    **[out]** **len** - Length of PRF output

:retval:
    - 0 Success; otherwise - Kerberos error codes


krb5_find_authdata - Find authorization data elements.
========================================================

.. c:function:: krb5_error_code krb5_find_authdata(krb5_context context, krb5_authdata *const * ticket_authdata, krb5_authdata *const * ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata *** results)

:param:
    **[in]** **context** - Library context

    **[in]** **ticket_authdata** - Authorization data list from ticket

    **[in]** **ap_req_authdata** - Authorization data list from AP request

    **[in]** **ad_type** - Authorization data type to find

    **[out]** **results** - List of matching entries

This function searches *ticket_authdata* and *ap_req_authdata* for elements of type *ad_type*. Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use :c:func:`krb5_free_authdata()` to free *results* when it is no longer needed.

.. note:: New in 1.10


krb5_get_credentials_validate
=============================

.. c:function:: krb5_error_code krb5_get_credentials_validate(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)

:param:
    **context**
    **options**
    **ccache**
    **in_creds**
    **out_creds**

DEPRECATED Replaced by krb5_get_validated_creds.
krb5_build_principal_ext - Build a principal name using length-counted strings.
=================================================================================

.. c:function:: krb5_error_code krb5_build_principal_ext(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... )

:param:
    **[in]** **context** - Library context

    **[out]** **princ** - Principal name

    **[in]** **rlen** - Realm name length

    **[in]** **realm** - Realm name

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function).

Call :c:func:`krb5_free_principal()` to free allocated memory for the principal when it is no longer needed.


krb5_c_is_keyed_cksum - Test whether a checksum type is keyed.
================================================================

.. c:function:: krb5_boolean krb5_c_is_keyed_cksum(krb5_cksumtype ctype)

:param:
    **[in]** **ctype** - Checksum type

:return:
    - TRUE if ctype is a keyed checksum type, FALSE otherwise.


krb5_calculate_checksum
=======================

.. c:function:: krb5_error_code krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length, krb5_checksum * outcksum)

:param:
    **context**
    **ctype**
    **in**
    **in_length**
    **seed**
    **seed_length**
    **outcksum**

DEPRECATED See krb5_c_make_checksum()


krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context.
==============================================================================================

.. c:function:: krb5_error_code krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, krb5_error ** error)

:param:
    **[in]** **context** - Library context

    **[in]** **ctx** - Initial credentials context

    **[out]** **error** - Error from KDC, or NULL if none was received

:retval:
    - 0 Success; otherwise - Kerberos error codes


krb5_free_string - Free a string allocated by a krb5 function.
================================================================

.. c:function:: void krb5_free_string(krb5_context context, char * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - String to be freed

.. note:: New in 1.10


krb5_auth_con_getrcache - Retrieve the replay cache from an auth context.
===========================================================================

.. c:function:: krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache * rcache)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **rcache** - Replay cache handle

:retval:
    - 0 (always)

This function fetches the replay cache from *auth_context*. The caller should not close *rcache*.


krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context.
========================================================================================

.. c:function:: krb5_error_code krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, krb5_ticket_times * times)

:param:
    **[in]** **context** - Library context

    **[in]** **ctx** - Initial credentials context

    **[out]** **times** - Ticket times for acquired credentials

:retval:
    - 0 Success; otherwise - Kerberos error codes

The initial credentials context must have completed obtaining credentials via either :c:func:`krb5_init_creds_get()` or :c:func:`krb5_init_creds_step()`.


krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type.
=====================================================================================================

.. c:function:: krb5_error_code krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int * count, krb5_cksumtype ** cksumtypes)

:param:
    **[in]** **context** - Library context

    **[in]** **enctype** - Encryption type

    **[out]** **count** - Count of allowable checksum types

    **[out]** **cksumtypes** - Array of allowable checksum types

:retval:
    - 0 Success; otherwise - Kerberos error codes

Use :c:func:`krb5_free_cksumtypes()` to free *cksumtypes* when it is no longer needed.
krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge().
=====================================================================================================

.. c:function:: void krb5_responder_otp_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge * chl)

:param:
    **[in]** **ctx** - Library context

    **[in]** **rctx** - Responder context

    **[in]** **chl** - The challenge to free

.. note:: New in 1.11


krb5_kt_free_entry
==================

.. c:function:: krb5_error_code krb5_kt_free_entry(krb5_context context, krb5_keytab_entry * entry)

:param:
    **context**
    **entry**

DEPRECATED Use krb5_free_keytab_entry_contents instead.


krb5_expand_hostname - Canonicalize a hostname, possibly using name service.
==============================================================================

.. c:function:: krb5_error_code krb5_expand_hostname(krb5_context context, const char * host, char ** canonhost_out)

:param:
    **[in]** **context** - Library context

    **[in]** **host** - Input hostname

    **[out]** **canonhost_out** - Canonicalized hostname

This function canonicalizes *host*, possibly using name service lookups if configuration permits. Use :c:func:`krb5_free_string()` to free *canonhost_out* when it is no longer needed.

.. note:: New in 1.15


krb5_auth_con_set_req_cksumtype - Set checksum type in an auth context.
============================================================================

.. c:function:: krb5_error_code krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **cksumtype** - Checksum type

:retval:
    - 0 Success. Otherwise - Kerberos error codes

This function sets the checksum type in *auth_context* to be used by :c:func:`krb5_mk_req()` for the authenticator checksum.


krb5_sname_to_principal - Generate a full principal name from a service name.
===============================================================================

.. c:function:: krb5_error_code krb5_sname_to_principal(krb5_context context, const char * hostname, const char * sname, krb5_int32 type, krb5_principal * ret_princ)

:param:
    **[in]** **context** - Library context

    **[in]** **hostname** - Host name, or NULL to use local host

    **[in]** **sname** - Service name, or NULL to use **"host"**

    **[in]** **type** - Principal type

    **[out]** **ret_princ** - Generated principal

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function converts a *hostname* and *sname* into a *krb5_principal* structure *ret_princ*. The returned principal will be of the form *sname\/hostname@REALM* where REALM is determined by :c:func:`krb5_get_host_realm()`. In some cases this may be the referral (empty) realm.

The *type* can be one of the following:

- :data:`KRB5_NT_SRV_HST` canonicalizes the host name before looking up the realm and generating the principal.

- :data:`KRB5_NT_UNKNOWN` accepts the hostname as given, and does not canonicalize it.

Use :c:func:`krb5_free_principal()` to free *ret_princ* when it is no longer needed.


krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth().
=====================================================================================

.. c:function:: void krb5_free_error(krb5_context context, krb5_error * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Error data structure to be freed

This function frees the contents of *val* and the structure itself.


krb5_524_convert_creds - Convert Kerberos V5 credentials to Kerberos V4 credentials.
==========================================================================================

.. c:function:: int krb5_524_convert_creds(krb5_context context, krb5_creds * v5creds, struct credentials * v4creds)

:param:
    **context**
    **v5creds**
    **v4creds**

:retval:
    - KRB524_KRB4_DISABLED (always)

.. note:: Not implemented


krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge().
===========================================================================================================

.. c:function:: void krb5_responder_pkinit_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge * chl)

:param:
    **[in]** **ctx** - Library context

    **[in]** **rctx** - Responder context

    **[in]** **chl** - The challenge to free

.. note:: New in 1.12


krb5_encrypt_size
=================

.. c:function:: size_t krb5_encrypt_size(size_t length, krb5_enctype crypto)

:param:
    **length**
    **crypto**

DEPRECATED Replaced by krb5_c_* API family.


krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock).
===============================================================================================

.. c:function:: krb5_error_code krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid)

:param:
    **[in]** **context** - Library context

    **[in]** **cksumtype** - Checksum type (0 for mandatory type)

    **[in]** **key** - Encryption key for a keyed checksum

    **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)

    **[in]** **data** - IOV array

    **[in]** **num_data** - Size of *data*

    **[out]** **valid** - Non-zero for success, zero for failure

:retval:
    - 0 Success; otherwise - Kerberos error codes

Confirm that the checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element is a valid checksum of the :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` regions in the iov.

.. seealso:: :c:func:`krb5_c_make_checksum_iov()`

.. note:: This function is similar to :c:func:`krb5_k_verify_checksum_iov()`, but operates on keyblock *key*.


krb5_cc_support_switch - Determine whether a credential cache type supports switching.
========================================================================================

.. c:function:: krb5_boolean krb5_cc_support_switch(krb5_context context, const char * type)

:param:
    **[in]** **context** - Library context

    **[in]** **type** - Credential cache type

:retval:
    - TRUE if type supports switching
    - FALSE if it does not or is not a valid credential cache type.

.. note:: New in 1.10


krb5_free_cksumtypes - Free an array of checksum types.
=========================================================

.. c:function:: void krb5_free_cksumtypes(krb5_context context, krb5_cksumtype * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Array of checksum types to be freed


krb5_free_error_message - Free an error message generated by krb5_get_error_message().
=========================================================================================

.. c:function:: void krb5_free_error_message(krb5_context ctx, const char * msg)

:param:
    **[in]** **ctx** - Library context

    **[in]** **msg** - Pointer to error message


krb5_parse_name - Convert a string principal name to a krb5_principal structure.
==================================================================================

.. c:function:: krb5_error_code krb5_parse_name(krb5_context context, const char * name, krb5_principal * principal_out)

:param:
    **[in]** **context** - Library context

    **[in]** **name** - String representation of a principal name

    **[out]** **principal_out** - New principal

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Convert a string representation of a principal name to a krb5_principal structure. A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used.

To use the slash and @ symbols as part of a component (quoted) instead of as a component separator or realm prefix, put a backslash (``\``) character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using ``\n``, ``\t``, ``\b`` or ``\0``, respectively.

Use :c:func:`krb5_free_principal()` to free *principal_out* when it is no longer needed.

.. note:: The realm in a Kerberos *name* cannot contain slash, colon, or NULL characters.


krb5_pac_sign - Sign a PAC.
=============================

.. c:function:: krb5_error_code krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_data * data)

:param:
    **[in]** **context** - Library context

    **[in]** **pac** - PAC handle

    **[in]** **authtime** - Expected timestamp

    **[in]** **principal** - Expected principal name (or NULL)

    **[in]** **server_key** - Key for server checksum

    **[in]** **privsvr_key** - Key for KDC checksum

    **[out]** **data** - Signed PAC encoding

This function signs *pac* using the keys *server_key* and *privsvr_key* and returns the signed encoding in *data*. *pac* is modified to include the server and KDC checksum buffers.

Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed.

.. note:: New in 1.10


krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC.
========================================================================

.. c:function:: krb5_error_code krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **outbuf** - **AP-REP** message

:retval:
    - 0 Success; otherwise - Kerberos error codes

Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed.


krb5_recvauth_version - Server function for sendauth protocol with version parameter.
=======================================================================================

.. c:function:: krb5_error_code krb5_recvauth_version(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket, krb5_data * version)

:param:
    **[in]** **context** - Library context

    **[inout]** **auth_context** - Pre-existing or newly created auth context

    **[in]** **fd** - File descriptor

    **[in]** **server** - Server principal (NULL for any in *keytab*)

    **[in]** **flags** - Additional specifications

    **[in]** **keytab** - Decryption key

    **[out]** **ticket** - Ticket (NULL if not needed)

    **[out]** **version** - sendauth protocol version (NULL if not needed)

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function is similar to :c:func:`krb5_recvauth()`, with the additional output information placed into *version*.


krb5_copy_authdata - Copy an authorization data list.
=======================================================

.. c:function:: krb5_error_code krb5_copy_authdata(krb5_context context, krb5_authdata *const * in_authdat, krb5_authdata *** out)

:param:
    **[in]** **context** - Library context

    **[in]** **in_authdat** - List of *krb5_authdata* structures

    **[out]** **out** - New array of *krb5_authdata* structures

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function creates a new authorization data list containing a copy of *in_authdat*, which must be null-terminated.

Use :c:func:`krb5_free_authdata()` to free *out* when it is no longer needed.

.. note:: The last array entry in *in_authdat* must be a NULL pointer.


krb5_finish_key
===============

.. c:function:: krb5_error_code krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock)

:param:
    **context**
    **eblock**

DEPRECATED Replaced by krb5_c_* API family.
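The principal-name string syntax described for krb5_parse_name above (slash-separated components, an optional @realm, backslash quoting, and the realm restriction in its note), as an added example that is not code from the krb5 documentation or library: a standalone, length-counted parser in C that makes no libkrb5 calls. The MAX_COMPONENTS limit and the -1 error value are the example's own assumptions.

```c
/* Added example, not libkrb5 code: a length-counted parser for the
 * principal-name string syntax documented for krb5_parse_name above.  The realm
 * rule (no '/', ':' or NUL) follows the note on that page; the component limit
 * and the -1 error code are this example's own choices. */
#include <stdlib.h>
#include <string.h>

#define MAX_COMPONENTS 8

/* Length-counted bytes in the spirit of krb5_data: a quoted \0 puts a real NUL
 * inside a component, so a NUL-terminated representation would truncate it. */
struct lc_string { size_t length; char *data; };

struct principal {
    int ncomponents;
    struct lc_string components[MAX_COMPONENTS];
    int has_realm;  /* 0: no '@' in the input, so the caller applies its default realm */
    struct lc_string realm;
};

void free_principal(struct principal *p)
{
    int i;
    for (i = 0; i < p->ncomponents; i++)
        free(p->components[i].data);
    free(p->realm.data);
    memset(p, 0, sizeof(*p));
}

static int store(struct lc_string *dst, const char *buf, size_t len)
{
    if ((dst->data = malloc(len + 1)) == NULL)
        return -1;
    memcpy(dst->data, buf, len);
    dst->data[len] = '\0';  /* for printing only; length stays authoritative */
    dst->length = len;
    return 0;
}

/* Returns 0 on success, -1 on malformed input: a trailing backslash, an unquoted
 * '/' or second '@' inside the realm, too many components, or a byte the realm
 * may not contain (rejected even when quoted). */
int parse_principal(const char *name, struct principal *out)
{
    size_t n = strlen(name), i, blen = 0;
    int in_realm = 0;
    char *buf = malloc(n + 1);  /* an unquoted field is never longer than its input */

    memset(out, 0, sizeof(*out));
    if (buf == NULL)
        return -1;
    for (i = 0; i <= n; i++) {
        char c = name[i];
        int quoted = 0;
        if (i < n && c == '\\') {       /* backslash quotes the next character */
            if (i + 1 == n)
                goto malformed;
            c = name[++i];
            switch (c) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case 'b': c = '\b'; break;
            case '0': c = '\0'; break;
            default: break;             /* "\/", "\@" and "\\" stand for themselves */
            }
            quoted = 1;
        }
        if (quoted || (i < n && c != '/' && c != '@')) {
            if (in_realm && (c == '/' || c == ':' || c == '\0'))
                goto malformed;
            buf[blen++] = c;
            continue;
        }
        /* Field terminator: end of string, unquoted '/' or unquoted '@'. */
        if (in_realm) {
            if (i < n || store(&out->realm, buf, blen) != 0)
                goto malformed;
        } else {
            if (out->ncomponents == MAX_COMPONENTS ||
                store(&out->components[out->ncomponents], buf, blen) != 0)
                goto malformed;
            out->ncomponents++;
            if (c == '@')
                in_realm = out->has_realm = 1;
        }
        blen = 0;
    }
    free(buf);
    return 0;
malformed:
    free(buf);
    free_principal(out);
    return -1;
}
```

A component carrying a quoted ``\0`` is why the result is length-counted rather than NUL-terminated, the same reason krb5_build_principal_ext takes length-counted strings.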
krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm().
==============================================================================================

.. c:function:: void krb5_free_default_realm(krb5_context context, char * lrealm)

:param:
    **[in]** **context** - Library context

    **[in]** **lrealm** - Realm to be freed


krb5_auth_con_setrcache - Set the replay cache in an auth context.
====================================================================

.. c:function:: krb5_error_code krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **rcache** - Replay cache handle

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function sets the replay cache in *auth_context* to *rcache*. *rcache* will be closed when *auth_context* is freed, so the caller should relinquish that responsibility.


krb5 API
========

Frequently used public interfaces
----------------------------------

.. toctree::
   :maxdepth: 1

   krb5_build_principal.rst
   krb5_build_principal_alloc_va.rst
   krb5_build_principal_ext.rst
   krb5_cc_close.rst
   krb5_cc_default.rst
   krb5_cc_default_name.rst
   krb5_cc_destroy.rst
   krb5_cc_dup.rst
   krb5_cc_get_name.rst
   krb5_cc_get_principal.rst
   krb5_cc_get_type.rst
   krb5_cc_initialize.rst
   krb5_cc_new_unique.rst
   krb5_cc_resolve.rst
   krb5_change_password.rst
   krb5_chpw_message.rst
   krb5_expand_hostname.rst
   krb5_free_context.rst
   krb5_free_error_message.rst
   krb5_free_principal.rst
   krb5_fwd_tgt_creds.rst
   krb5_get_default_realm.rst
   krb5_get_error_message.rst
   krb5_get_host_realm.rst
   krb5_get_credentials.rst
   krb5_get_fallback_host_realm.rst
   krb5_get_init_creds_keytab.rst
   krb5_get_init_creds_opt_alloc.rst
   krb5_get_init_creds_opt_free.rst
   krb5_get_init_creds_opt_get_fast_flags.rst
   krb5_get_init_creds_opt_set_address_list.rst
   krb5_get_init_creds_opt_set_anonymous.rst
   krb5_get_init_creds_opt_set_canonicalize.rst
   krb5_get_init_creds_opt_set_change_password_prompt.rst
   krb5_get_init_creds_opt_set_etype_list.rst
   krb5_get_init_creds_opt_set_expire_callback.rst
   krb5_get_init_creds_opt_set_fast_ccache.rst
   krb5_get_init_creds_opt_set_fast_ccache_name.rst
   krb5_get_init_creds_opt_set_fast_flags.rst
   krb5_get_init_creds_opt_set_forwardable.rst
   krb5_get_init_creds_opt_set_in_ccache.rst
   krb5_get_init_creds_opt_set_out_ccache.rst
   krb5_get_init_creds_opt_set_pa.rst
   krb5_get_init_creds_opt_set_pac_request.rst
   krb5_get_init_creds_opt_set_preauth_list.rst
   krb5_get_init_creds_opt_set_proxiable.rst
   krb5_get_init_creds_opt_set_renew_life.rst
   krb5_get_init_creds_opt_set_responder.rst
   krb5_get_init_creds_opt_set_salt.rst
   krb5_get_init_creds_opt_set_tkt_life.rst
   krb5_get_init_creds_password.rst
   krb5_get_profile.rst
   krb5_get_prompt_types.rst
   krb5_get_renewed_creds.rst
   krb5_get_validated_creds.rst
   krb5_init_context.rst
   krb5_init_secure_context.rst
   krb5_is_config_principal.rst
   krb5_is_thread_safe.rst
   krb5_kt_close.rst
   krb5_kt_client_default.rst
   krb5_kt_default.rst
   krb5_kt_default_name.rst
   krb5_kt_dup.rst
   krb5_kt_get_name.rst
   krb5_kt_get_type.rst
   krb5_kt_resolve.rst
   krb5_kuserok.rst
   krb5_parse_name.rst
   krb5_parse_name_flags.rst
   krb5_principal_compare.rst
   krb5_principal_compare_any_realm.rst
   krb5_principal_compare_flags.rst
   krb5_prompter_posix.rst
   krb5_realm_compare.rst
   krb5_responder_get_challenge.rst
   krb5_responder_list_questions.rst
   krb5_responder_set_answer.rst
   krb5_responder_otp_get_challenge.rst
   krb5_responder_otp_set_answer.rst
   krb5_responder_otp_challenge_free.rst
   krb5_responder_pkinit_get_challenge.rst
   krb5_responder_pkinit_set_answer.rst
   krb5_responder_pkinit_challenge_free.rst
   krb5_set_default_realm.rst
   krb5_set_password.rst
   krb5_set_password_using_ccache.rst
   krb5_set_principal_realm.rst
   krb5_set_trace_callback.rst
   krb5_set_trace_filename.rst
   krb5_sname_match.rst
   krb5_sname_to_principal.rst
   krb5_unparse_name.rst
   krb5_unparse_name_ext.rst
   krb5_unparse_name_flags.rst
   krb5_unparse_name_flags_ext.rst
   krb5_us_timeofday.rst
   krb5_verify_authdata_kdc_issued.rst

Rarely used public interfaces
--------------------------------

.. toctree::
   :maxdepth: 1

   krb5_425_conv_principal.rst
   krb5_524_conv_principal.rst
   krb5_address_compare.rst
   krb5_address_order.rst
   krb5_address_search.rst
   krb5_allow_weak_crypto.rst
   krb5_aname_to_localname.rst
   krb5_anonymous_principal.rst
   krb5_anonymous_realm.rst
   krb5_appdefault_boolean.rst
   krb5_appdefault_string.rst
   krb5_auth_con_free.rst
   krb5_auth_con_genaddrs.rst
   krb5_auth_con_get_checksum_func.rst
   krb5_auth_con_getaddrs.rst
   krb5_auth_con_getauthenticator.rst
   krb5_auth_con_getflags.rst
   krb5_auth_con_getkey.rst
   krb5_auth_con_getkey_k.rst
   krb5_auth_con_getlocalseqnumber.rst
   krb5_auth_con_getrcache.rst
   krb5_auth_con_getrecvsubkey.rst
   krb5_auth_con_getrecvsubkey_k.rst
   krb5_auth_con_getremoteseqnumber.rst
   krb5_auth_con_getsendsubkey.rst
   krb5_auth_con_getsendsubkey_k.rst
   krb5_auth_con_init.rst
   krb5_auth_con_set_checksum_func.rst
   krb5_auth_con_set_req_cksumtype.rst
   krb5_auth_con_setaddrs.rst
   krb5_auth_con_setflags.rst
   krb5_auth_con_setports.rst
   krb5_auth_con_setrcache.rst
   krb5_auth_con_setrecvsubkey.rst
   krb5_auth_con_setrecvsubkey_k.rst
   krb5_auth_con_setsendsubkey.rst
   krb5_auth_con_setsendsubkey_k.rst
   krb5_auth_con_setuseruserkey.rst
   krb5_cc_cache_match.rst
   krb5_cc_copy_creds.rst
   krb5_cc_end_seq_get.rst
   krb5_cc_get_config.rst
   krb5_cc_get_flags.rst
   krb5_cc_get_full_name.rst
   krb5_cc_move.rst
   krb5_cc_next_cred.rst
   krb5_cc_remove_cred.rst
   krb5_cc_retrieve_cred.rst
   krb5_cc_select.rst
   krb5_cc_set_config.rst
   krb5_cc_set_default_name.rst
   krb5_cc_set_flags.rst
   krb5_cc_start_seq_get.rst
   krb5_cc_store_cred.rst
   krb5_cc_support_switch.rst
   krb5_cc_switch.rst
   krb5_cccol_cursor_free.rst
   krb5_cccol_cursor_new.rst
   krb5_cccol_cursor_next.rst
   krb5_cccol_have_content.rst
   krb5_clear_error_message.rst
   krb5_check_clockskew.rst
   krb5_copy_addresses.rst
   krb5_copy_authdata.rst
   krb5_copy_authenticator.rst
   krb5_copy_checksum.rst
   krb5_copy_context.rst
   krb5_copy_creds.rst
   krb5_copy_data.rst
   krb5_copy_error_message.rst
   krb5_copy_keyblock.rst
   krb5_copy_keyblock_contents.rst
   krb5_copy_principal.rst
   krb5_copy_ticket.rst
   krb5_find_authdata.rst
   krb5_free_addresses.rst
   krb5_free_ap_rep_enc_part.rst
   krb5_free_authdata.rst
   krb5_free_authenticator.rst
   krb5_free_cred_contents.rst
   krb5_free_creds.rst
   krb5_free_data.rst
   krb5_free_data_contents.rst
   krb5_free_default_realm.rst
   krb5_free_enctypes.rst
   krb5_free_error.rst
   krb5_free_host_realm.rst
   krb5_free_keyblock.rst
   krb5_free_keyblock_contents.rst
   krb5_free_keytab_entry_contents.rst
   krb5_free_string.rst
   krb5_free_ticket.rst
   krb5_free_unparsed_name.rst
   krb5_get_etype_info.rst
   krb5_get_permitted_enctypes.rst
   krb5_get_server_rcache.rst
   krb5_get_time_offsets.rst
   krb5_init_context_profile.rst
   krb5_init_creds_free.rst
   krb5_init_creds_get.rst
   krb5_init_creds_get_creds.rst
   krb5_init_creds_get_error.rst
   krb5_init_creds_get_times.rst
   krb5_init_creds_init.rst
   krb5_init_creds_set_keytab.rst
   krb5_init_creds_set_password.rst
   krb5_init_creds_set_service.rst
   krb5_init_creds_step.rst
   krb5_init_keyblock.rst
   krb5_is_referral_realm.rst
   krb5_kt_add_entry.rst
   krb5_kt_end_seq_get.rst
   krb5_kt_get_entry.rst
   krb5_kt_have_content.rst
   krb5_kt_next_entry.rst
   krb5_kt_read_service_key.rst
   krb5_kt_remove_entry.rst
   krb5_kt_start_seq_get.rst
   krb5_make_authdata_kdc_issued.rst
   krb5_merge_authdata.rst
   krb5_mk_1cred.rst
   krb5_mk_error.rst
   krb5_mk_ncred.rst
   krb5_mk_priv.rst
   krb5_mk_rep.rst
   krb5_mk_rep_dce.rst
   krb5_mk_req.rst
   krb5_mk_req_extended.rst
   krb5_mk_safe.rst
   krb5_os_localaddr.rst
   krb5_pac_add_buffer.rst
   krb5_pac_free.rst
   krb5_pac_get_buffer.rst
   krb5_pac_get_types.rst
   krb5_pac_init.rst
   krb5_pac_parse.rst
   krb5_pac_sign.rst
   krb5_pac_sign_ext.rst
   krb5_pac_verify.rst
   krb5_pac_verify_ext.rst
   krb5_pac_get_client_info.rst
   krb5_prepend_error_message.rst
   krb5_principal2salt.rst
   krb5_rd_cred.rst
   krb5_rd_error.rst
   krb5_rd_priv.rst
   krb5_rd_rep.rst
   krb5_rd_rep_dce.rst
   krb5_rd_req.rst
   krb5_rd_safe.rst
   krb5_read_password.rst
   krb5_salttype_to_string.rst
   krb5_server_decrypt_ticket_keytab.rst
   krb5_set_default_tgs_enctypes.rst
   krb5_set_error_message.rst
   krb5_set_kdc_recv_hook.rst
   krb5_set_kdc_send_hook.rst
   krb5_set_real_time.rst
   krb5_string_to_cksumtype.rst
   krb5_string_to_deltat.rst
   krb5_string_to_enctype.rst
   krb5_string_to_salttype.rst
   krb5_string_to_timestamp.rst
   krb5_timeofday.rst
   krb5_timestamp_to_sfstring.rst
   krb5_timestamp_to_string.rst
   krb5_tkt_creds_free.rst
   krb5_tkt_creds_get.rst
   krb5_tkt_creds_get_creds.rst
   krb5_tkt_creds_get_times.rst
   krb5_tkt_creds_init.rst
   krb5_tkt_creds_step.rst
   krb5_verify_init_creds.rst
   krb5_verify_init_creds_opt_init.rst
   krb5_verify_init_creds_opt_set_ap_req_nofail.rst
   krb5_vprepend_error_message.rst
   krb5_vset_error_message.rst
   krb5_vwrap_error_message.rst
   krb5_wrap_error_message.rst

Public interfaces that should not be called directly
-------------------------------------------------------

.. toctree::
   :maxdepth: 1

   krb5_c_block_size.rst
   krb5_c_checksum_length.rst
   krb5_c_crypto_length.rst
   krb5_c_crypto_length_iov.rst
   krb5_c_decrypt.rst
   krb5_c_decrypt_iov.rst
   krb5_c_derive_prfplus.rst
   krb5_c_encrypt.rst
   krb5_c_encrypt_iov.rst
   krb5_c_encrypt_length.rst
   krb5_c_enctype_compare.rst
   krb5_c_free_state.rst
   krb5_c_fx_cf2_simple.rst
   krb5_c_init_state.rst
   krb5_c_is_coll_proof_cksum.rst
   krb5_c_is_keyed_cksum.rst
   krb5_c_keyed_checksum_types.rst
   krb5_c_keylengths.rst
   krb5_c_make_checksum.rst
   krb5_c_make_checksum_iov.rst
   krb5_c_make_random_key.rst
   krb5_c_padding_length.rst
   krb5_c_prf.rst
   krb5_c_prfplus.rst
   krb5_c_prf_length.rst
   krb5_c_random_add_entropy.rst
   krb5_c_random_make_octets.rst
   krb5_c_random_os_entropy.rst
   krb5_c_random_to_key.rst
   krb5_c_string_to_key.rst
   krb5_c_string_to_key_with_params.rst
   krb5_c_valid_cksumtype.rst
   krb5_c_valid_enctype.rst
   krb5_c_verify_checksum.rst
   krb5_c_verify_checksum_iov.rst
   krb5_cksumtype_to_string.rst
   krb5_decode_authdata_container.rst
   krb5_decode_ticket.rst
   krb5_deltat_to_string.rst
   krb5_encode_authdata_container.rst
   krb5_enctype_to_name.rst
   krb5_enctype_to_string.rst
   krb5_free_checksum.rst
   krb5_free_checksum_contents.rst
   krb5_free_cksumtypes.rst
   krb5_free_tgt_creds.rst
   krb5_k_create_key.rst
   krb5_k_decrypt.rst
   krb5_k_decrypt_iov.rst
   krb5_k_encrypt.rst
   krb5_k_encrypt_iov.rst
   krb5_k_free_key.rst
   krb5_k_key_enctype.rst
   krb5_k_key_keyblock.rst
   krb5_k_make_checksum.rst
   krb5_k_make_checksum_iov.rst
   krb5_k_prf.rst
   krb5_k_reference_key.rst
   krb5_k_verify_checksum.rst
   krb5_k_verify_checksum_iov.rst

Legacy convenience interfaces
------------------------------

.. toctree::
   :maxdepth: 1

   krb5_recvauth.rst
   krb5_recvauth_version.rst
   krb5_sendauth.rst

Deprecated public interfaces
------------------------------

.. toctree::
   :maxdepth: 1

   krb5_524_convert_creds.rst
   krb5_auth_con_getlocalsubkey.rst
   krb5_auth_con_getremotesubkey.rst
   krb5_auth_con_initivector.rst
   krb5_build_principal_va.rst
   krb5_c_random_seed.rst
   krb5_calculate_checksum.rst
   krb5_checksum_size.rst
   krb5_encrypt.rst
   krb5_decrypt.rst
   krb5_eblock_enctype.rst
   krb5_encrypt_size.rst
   krb5_finish_key.rst
   krb5_finish_random_key.rst
   krb5_cc_gen_new.rst
   krb5_get_credentials_renew.rst
   krb5_get_credentials_validate.rst
   krb5_get_in_tkt_with_password.rst
   krb5_get_in_tkt_with_skey.rst
   krb5_get_in_tkt_with_keytab.rst
   krb5_get_init_creds_opt_init.rst
   krb5_init_random_key.rst
   krb5_kt_free_entry.rst
   krb5_random_key.rst
   krb5_process_key.rst
   krb5_string_to_key.rst
   krb5_use_enctype.rst
   krb5_verify_checksum.rst


krb5_get_in_tkt_with_keytab
===========================

.. c:function:: krb5_error_code krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, krb5_keytab arg_keytab, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply)

:param:
    **context**
    **options**
    **addrs**
    **ktypes**
    **pre_auth_types**
    **arg_keytab**
    **ccache**
    **creds**
    **ret_as_reply**

DEPRECATED Replaced by krb5_get_init_creds_keytab().
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.rst.txt0000644000704600001450000000167214076311665031662 0ustar ghudsonsystemd-journalkrb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data. ================================================================================== .. .. c:function:: krb5_error_code krb5_make_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, krb5_const_principal issuer, krb5_authdata *const * authdata, krb5_authdata *** ad_kdcissued) .. :param: **[in]** **context** - Library context **[in]** **key** - Session key **[in]** **issuer** - The name of the issuing principal **[in]** **authdata** - List of authorization data to be signed **[out]** **ad_kdcissued** - List containing AD-KDCIssued authdata .. .. This function wraps a list of authorization data entries *authdata* in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with *key* . The result is returned in *ad_kdcissued* as a single-element list. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.rst.txt0000644000704600001450000000264514076311665026664 0ustar ghudsonsystemd-journalkrb5_c_encrypt - Encrypt data using a key (operates on keyblock). =================================================================== .. .. c:function:: krb5_error_code krb5_c_encrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Data to be encrypted **[out]** **output** - Encrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function encrypts the data block *input* and stores the output into *output* . 
The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.

.. note::

    The caller must initialize *output* and allocate at least enough space for the result (using :c:func:`krb5_c_encrypt_length()` to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_ticket.rst.txt

krb5_copy_ticket - Copy a krb5_ticket structure.
==================================================

.. c:function:: krb5_error_code krb5_copy_ticket(krb5_context context, const krb5_ticket * from, krb5_ticket ** pto)

:param:
    **[in]** **context** - Library context

    **[in]** **from** - Ticket to be copied

    **[out]** **pto** - Copy of ticket

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function creates a new krb5_ticket structure containing the contents of *from*. Use :c:func:`krb5_free_ticket()` to free *pto* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_finish_random_key.rst.txt

krb5_finish_random_key
======================

.. c:function:: krb5_error_code krb5_finish_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer * ptr)

:param:
    **context**

    **eblock**

    **ptr**

DEPRECATED Replaced by krb5_c_* API family.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.rst.txt

krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches.
============================================================================================

.. c:function:: krb5_error_code krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor * cursor)

:param:
    **[in]** **context** - Library context

    **[out]** **cursor** - Cursor

:retval:
    - 0 Success; otherwise - Kerberos error codes

Get a new cache iteration *cursor* that will iterate over all known credential caches independent of type. Use :c:func:`krb5_cccol_cursor_free()` to release *cursor* when it is no longer needed.

.. seealso::

    :c:func:`krb5_cccol_cursor_next()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.rst.txt

krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context.
===================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator ** authenticator)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **authenticator** - Authenticator

:retval:
    - 0 Success. Otherwise - Kerberos error codes

Use :c:func:`krb5_free_authenticator()` to free *authenticator* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.rst.txt

krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context.
====================================================================================

.. c:function:: krb5_error_code krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx)

:param:
    **[in]** **context** - Library context

    **[in]** **ctx** - TGS request context

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function synchronously obtains credentials using a context created by :c:func:`krb5_tkt_creds_init()`. On successful return, the credentials can be retrieved with :c:func:`krb5_tkt_creds_get_creds()`.

.. note::

    New in 1.9

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.rst.txt

krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.
===============================================================================================

.. c:function:: void krb5_appdefault_boolean(krb5_context context, const char * appname, const krb5_data * realm, const char * option, int default_value, int * ret_value)

:param:
    **[in]** **context** - Library context

    **[in]** **appname** - Application name

    **[in]** **realm** - Realm name

    **[in]** **option** - Option to be checked

    **[in]** **default_value** - Default value to return if no match is found

    **[out]** **ret_value** - Boolean value of *option*

This function gets the application defaults for *option* based on the given *appname* and/or *realm*.

.. seealso::

    :c:func:`krb5_appdefault_string()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.rst.txt

krb5_cc_store_cred - Store credentials in a credential cache.
===============================================================

.. c:function:: krb5_error_code krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds * creds)

:param:
    **[in]** **context** - Library context

    **[in]** **cache** - Credential cache handle

    **[in]** **creds** - Credentials to be stored in cache

:retval:
    - 0 Success

:return:
    - Permission errors; storage failure errors; Kerberos error codes

This function stores *creds* into *cache*. If *creds->server* and the server in the decoded ticket *creds->ticket* differ, the credentials will be stored under both server principal names.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.rst.txt

krb5_cc_retrieve_cred - Retrieve specified credentials from a credential cache.
===================================================================================

.. c:function:: krb5_error_code krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * mcreds, krb5_creds * creds)

:param:
    **[in]** **context** - Library context

    **[in]** **cache** - Credential cache handle

    **[in]** **flags** - Flags bit mask

    **[in]** **mcreds** - Credentials to match

    **[out]** **creds** - Credentials matching the requested value

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function searches a credential cache for credentials matching *mcreds* and returns them if found. Valid values for *flags* are:

- :data:`KRB5_TC_MATCH_TIMES` The requested lifetime must be at least as great as in *mcreds*.
- :data:`KRB5_TC_MATCH_IS_SKEY` The *is_skey* field must match exactly.
- :data:`KRB5_TC_MATCH_FLAGS` Flags set in *mcreds* must be set.
- :data:`KRB5_TC_MATCH_TIMES_EXACT` The requested lifetime must match exactly.
- :data:`KRB5_TC_MATCH_FLAGS_EXACT` Flags must match exactly.
- :data:`KRB5_TC_MATCH_AUTHDATA` The authorization data must match.
- :data:`KRB5_TC_MATCH_SRV_NAMEONLY` Only the name portion of the principal name must match, not the realm.
- :data:`KRB5_TC_MATCH_2ND_TKT` The second tickets must match.
- :data:`KRB5_TC_MATCH_KTYPE` The encryption key types must match.
- :data:`KRB5_TC_SUPPORTED_KTYPES` Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest.

Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed.
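The difference between the "at least as great" flags and their "exact" counterparts, and the effect of ``KRB5_TC_MATCH_SRV_NAMEONLY``, is easiest to see in code. The following is an added, self-contained C model of those matching rules, not libkrb5's own implementation: the ``struct cred`` fields, the ``MATCH_*`` bit values, the sample cache and the helper names (``cred_matches``, ``find_cred``, ``lookup``) are all constructed for this illustration, and the model's convention that a zero time in the template places no constraint is an assumption. ``KRB5_TC_MATCH_AUTHDATA``, ``KRB5_TC_MATCH_2ND_TKT`` and ``KRB5_TC_SUPPORTED_KTYPES`` are not modelled.

```c
/*
 * Added example, not libkrb5 code: a model of how the KRB5_TC_MATCH_* flags
 * documented for krb5_cc_retrieve_cred() narrow a credential-cache search.
 * Struct layout, flag values, helper names and sample data are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flag bits standing in for the library's KRB5_TC_MATCH_* values. */
#define MATCH_TIMES        0x00000001u
#define MATCH_IS_SKEY      0x00000002u
#define MATCH_FLAGS        0x00000004u
#define MATCH_TIMES_EXACT  0x00000008u
#define MATCH_FLAGS_EXACT  0x00000010u
#define MATCH_SRV_NAMEONLY 0x00000040u
#define MATCH_KTYPE        0x00000100u

/* Constructed, simplified view of one cached credential. */
struct cred {
    const char *server_name;   /* name part of the server principal, e.g. "host/db1" */
    const char *server_realm;  /* realm part, e.g. "EXAMPLE.COM" */
    int64_t     endtime;       /* ticket end time, seconds since the epoch */
    int64_t     renew_till;    /* renewable-until time */
    int         is_skey;       /* 1 if this is a user-to-user (session key) ticket */
    uint32_t    ticket_flags;  /* ticket flag bits */
    int         ktype;         /* session key encryption type */
};

/* Return 1 if candidate c satisfies template m under the given flags, else 0. */
static int cred_matches(uint32_t flags, const struct cred *m, const struct cred *c)
{
    /* The server principal is always compared; SRV_NAMEONLY drops the realm. */
    if (strcmp(m->server_name, c->server_name) != 0)
        return 0;
    if (!(flags & MATCH_SRV_NAMEONLY) && strcmp(m->server_realm, c->server_realm) != 0)
        return 0;

    if (flags & MATCH_TIMES_EXACT) {
        if (c->endtime != m->endtime || c->renew_till != m->renew_till)
            return 0;
    } else if (flags & MATCH_TIMES) {
        /* Cached lifetime must be at least as long as requested (model
         * convention: a zero in the template leaves that field unconstrained). */
        if (m->endtime != 0 && c->endtime < m->endtime)
            return 0;
        if (m->renew_till != 0 && c->renew_till < m->renew_till)
            return 0;
    }

    if ((flags & MATCH_IS_SKEY) && c->is_skey != m->is_skey)
        return 0;

    if (flags & MATCH_FLAGS_EXACT) {
        if (c->ticket_flags != m->ticket_flags)
            return 0;
    } else if (flags & MATCH_FLAGS) {
        /* Every flag set in the template must also be set in the candidate. */
        if ((c->ticket_flags & m->ticket_flags) != m->ticket_flags)
            return 0;
    }

    if ((flags & MATCH_KTYPE) && c->ktype != m->ktype)
        return 0;

    return 1;
}

/* Scan a cache in order; return the index of the first match, or -1. */
static int find_cred(uint32_t flags, const struct cred *m, const struct cred *cache, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (cred_matches(flags, m, &cache[i]))
            return (int)i;
    return -1;
}

/* Constructed sample cache (times are arbitrary epoch seconds). */
static const struct cred sample_cache[] = {
    /* 0: service ticket in the home realm, expires at t=2000 */
    { "host/db1", "EXAMPLE.COM", 2000, 3000, 0, 0x5u, 18 },
    /* 1: same service name obtained via another realm, longer lifetime */
    { "host/db1", "OTHER.ORG",   5000, 6000, 0, 0x7u, 17 },
    /* 2: a different service */
    { "host/web", "EXAMPLE.COM", 9000, 9000, 0, 0x5u, 18 },
};

/* Build a template from the arguments and search the sample cache. */
int lookup(uint32_t flags, const char *name, const char *realm, int64_t endtime,
           int64_t renew_till, int is_skey, uint32_t ticket_flags, int ktype)
{
    struct cred m = { name, realm, endtime, renew_till, is_skey, ticket_flags, ktype };
    return find_cred(flags, &m, sample_cache, sizeof(sample_cache) / sizeof(sample_cache[0]));
}

int main(void)
{
    /* Which host/db1 ticket (any realm) is still valid at t=2500? Prints index 1. */
    int i = lookup(MATCH_TIMES | MATCH_SRV_NAMEONLY, "host/db1", "EXAMPLE.COM", 2500, 0, 0, 0, 0);
    printf("first host/db1 credential valid at t=2500: index %d\n", i);
    return 0;
}
```

Note how ``MATCH_TIMES`` accepts a longer-lived ticket while ``MATCH_TIMES_EXACT`` rejects it, and how the non-exact ``MATCH_FLAGS`` treats the template as a required subset rather than an equality.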
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.rst.txt

krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket.
===================================================================================

.. c:function:: krb5_error_code krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **infd** - Connected socket descriptor

    **[in]** **flags** - Flags

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function sets the local and/or remote addresses in *auth_context* based on the local and remote endpoints of the socket *infd*. The following flags determine the operations performed:

- :data:`KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR` Generate local address.
- :data:`KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR` Generate remote address.
- :data:`KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR` Generate local address and port.
- :data:`KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR` Generate remote address and port.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.rst.txt

krb5_get_init_creds_opt_free - Free initial credential options.
=================================================================

.. c:function:: void krb5_get_init_creds_opt_free(krb5_context context, krb5_get_init_creds_opt * opt)

:param:
    **[in]** **context** - Library context

    **[in]** **opt** - Options structure to free

.. seealso::

    :c:func:`krb5_get_init_creds_opt_alloc()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_etype_info.rst.txt

krb5_get_etype_info - Retrieve enctype, salt and s2kparams from KDC.
======================================================================

.. c:function:: krb5_error_code krb5_get_etype_info(krb5_context context, krb5_principal principal, krb5_get_init_creds_opt * opt, krb5_enctype * enctype_out, krb5_data * salt_out, krb5_data * s2kparams_out)

:param:
    **[in]** **context** - Library context

    **[in]** **principal** - Principal whose information is requested

    **[in]** **opt** - Initial credential options

    **[out]** **enctype_out** - The enctype chosen by KDC

    **[out]** **salt_out** - Salt returned from KDC

    **[out]** **s2kparams_out** - String-to-key parameters returned from KDC

:retval:
    - 0 Success

:return:
    - A Kerberos error code

Send an initial ticket request for *principal* and extract the encryption type, salt type, and string-to-key parameters from the KDC response. If the KDC provides no etype-info, set *enctype_out* to **ENCTYPE_NULL** and set *salt_out* and *s2kparams_out* to empty. If the KDC etype-info provides no salt, compute the default salt and place it in *salt_out*. If the KDC etype-info provides no string-to-key parameters, set *s2kparams_out* to empty.

*opt* may be used to specify options which affect the initial request, such as request encryption types or a FAST armor cache (see :c:func:`krb5_get_init_creds_opt_set_etype_list()` and :c:func:`krb5_get_init_creds_opt_set_fast_ccache_name()`).

Use :c:func:`krb5_free_data_contents()` to free *salt_out* and *s2kparams_out* when they are no longer needed.

.. note::

    New in 1.17

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.rst.txt

krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options.
=============================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt * opt, krb5_data * salt)

:param:
    **[in]** **opt** - Options structure

    **[in]** **salt** - Salt data

When getting initial credentials with a password, a salt string is used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_rep.rst.txt

krb5_mk_rep - Format and encrypt a KRB_AP_REP message.
========================================================

.. c:function:: krb5_error_code krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **outbuf** - **AP-REP** message

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function fills in *outbuf* with an AP-REP message using information from *auth_context*.

If the flags in *auth_context* indicate that a sequence number should be used (either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE`) and the local sequence number in *auth_context* is 0, a new number will be generated with krb5_generate_seq_number().

Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_client_default.rst.txt

krb5_kt_client_default - Resolve the default client key table.
================================================================

.. c:function:: krb5_error_code krb5_kt_client_default(krb5_context context, krb5_keytab * keytab_out)

:param:
    **[in]** **context** - Library context

    **[out]** **keytab_out** - Key table handle

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Fill *keytab_out* with a handle to the default client key table.

.. note::

    New in 1.11

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.rst.txt

krb5_auth_con_setports - Set local and remote port fields in an auth context.
===============================================================================

.. c:function:: krb5_error_code krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address * local_port, krb5_address * remote_port)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **local_port** - Local port

    **[in]** **remote_port** - Remote port

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function releases the storage assigned to the contents of the local and remote ports of *auth_context* and then sets them to *local_port* and *remote_port* respectively.

.. seealso::

    :c:func:`krb5_auth_con_genaddrs()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.rst.txt

krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context.
===============================================================================

.. c:function:: krb5_error_code krb5_auth_con_set_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func func, void * data)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **func** - Checksum callback

    **[in]** **data** - Callback argument

:retval:
    - 0 (always)

Set a callback to obtain checksum data in :c:func:`krb5_mk_req()`. The callback will be invoked after the subkey and local sequence number are stored in *auth_context*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.rst.txt

krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.
============================================================================================

.. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock)

:param:
    **[in]** **ctx** - Library context

    **[in]** **ac** - Authentication context

    **[in]** **keyblock** - Receiving subkey

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function sets the receiving subkey in *ac* to a copy of *keyblock*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_vset_error_message.rst.txt

krb5_vset_error_message - Set an extended error message for an error code using a va_list.
============================================================================================

.. c:function:: void krb5_vset_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args)

:param:
    **[in]** **ctx** - Library context

    **[in]** **code** - Error code

    **[in]** **fmt** - Error string for the error code

    **[in]** **args** - List of vprintf(3) style arguments

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_context.rst.txt

krb5_init_context - Create a krb5 library context.
====================================================

.. c:function:: krb5_error_code krb5_init_context(krb5_context * context)

:param:
    **[out]** **context** - Library context

:retval:
    - 0 Success

:return:
    - Kerberos error codes

The *context* must be released by calling :c:func:`krb5_free_context()` when it is no longer needed.

.. warning::

    Any program or module that needs the Kerberos code to not trust the environment must use :c:func:`krb5_init_secure_context()`, or clean out the environment.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_secure_context.rst.txt

krb5_init_secure_context - Create a krb5 library context using only configuration files.
==========================================================================================

.. c:function:: krb5_error_code krb5_init_secure_context(krb5_context * context)

:param:
    **[out]** **context** - Library context

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. The *context* must be released by calling :c:func:`krb5_free_context()` when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_context.rst.txt

krb5_free_context - Free a krb5 library context.
==================================================

.. c:function:: void krb5_free_context(krb5_context context)

:param:
    **[in]** **context** - Library context

This function frees a *context* that was created by :c:func:`krb5_init_context()` or :c:func:`krb5_init_secure_context()`.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_use_enctype.rst.txt

krb5_use_enctype
================

.. c:function:: krb5_error_code krb5_use_enctype(krb5_context context, krb5_encrypt_block * eblock, krb5_enctype enctype)

:param:
    **context**

    **eblock**

    **enctype**

DEPRECATED Replaced by krb5_c_* API family.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.rst.txt0000644000704600001450000000060314076311665030757 0ustar ghudsonsystemd-journalkrb5_anonymous_principal - Build an anonymous principal. ========================================================== .. .. c:function:: krb5_const_principal krb5_anonymous_principal(void None) .. :param: **None** .. .. This function returns constant storage that must not be freed. .. .. seealso:: :data:`KRB5_ANONYMOUS_PRINCSTR` krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.rst.txt0000644000704600001450000000056714076311665027662 0ustar ghudsonsystemd-journalkrb5_tkt_creds_free - Free a TGS request context. =================================================== .. .. c:function:: void krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context .. .. .. .. note:: New in 1.9 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_keyblock.rst.txt0000644000704600001450000000063714076311665027501 0ustar ghudsonsystemd-journalkrb5_free_keyblock - Free a krb5_keyblock structure. ====================================================== .. .. c:function:: void krb5_free_keyblock(krb5_context context, krb5_keyblock * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Keyblock to be freed .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.rst.txt0000644000704600001450000000121014076311665027614 0ustar ghudsonsystemd-journalkrb5_pac_get_buffer - Retrieve a buffer value from a PAC. =========================================================== .. .. c:function:: krb5_error_code krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, krb5_data * data) .. 
:param: **[in]** **context** - Library context **[in]** **pac** - PAC handle **[in]** **type** - Type of buffer to retrieve **[out]** **data** - Buffer value .. :retval: - 0 Success; otherwise - Kerberos error codes .. Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.rst.txt0000644000704600001450000000141014076311665030567 0ustar ghudsonsystemd-journalkrb5_copy_authenticator - Copy a krb5_authenticator structure. ================================================================ .. .. c:function:: krb5_error_code krb5_copy_authenticator(krb5_context context, const krb5_authenticator * authfrom, krb5_authenticator ** authto) .. :param: **[in]** **context** - Library context **[in]** **authfrom** - krb5_authenticator structure to be copied **[out]** **authto** - Copy of krb5_authenticator structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function creates a new krb5_authenticator structure with the content of *authfrom* . Use :c:func:`krb5_free_authenticator()` to free *authto* when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.rst.txt0000644000704600001450000000071014076311665033265 0ustar ghudsonsystemd-journalkrb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options. =============================================================================================== .. .. c:function:: void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt * opt, krb5_deltat tkt_life) .. :param: **[in]** **opt** - Options structure **[in]** **tkt_life** - Ticket lifetime .. .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_real_time.rst.txt0000644000704600001450000000133714076311665027507 0ustar ghudsonsystemd-journalkrb5_set_real_time - Set time offset field in a krb5_context structure. 
========================================================================= .. .. c:function:: krb5_error_code krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) .. :param: **[in]** **context** - Library context **[in]** **seconds** - Real time, seconds portion **[in]** **microseconds** - Real time, microseconds portion .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function sets the time offset in *context* to the difference between the system time and the real time as determined by *seconds* and *microseconds* . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_creds.rst.txt0000644000704600001450000000063214076311665026771 0ustar ghudsonsystemd-journalkrb5_free_creds - Free a krb5_creds structure. ================================================ .. .. c:function:: void krb5_free_creds(krb5_context context, krb5_creds * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Credential structure to be freed. .. .. This function frees the contents of *val* and the structure itself. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.rst.txt0000644000704600001450000000134114076311665030477 0ustar ghudsonsystemd-journalkrb5_set_trace_filename - Specify a file name for directing trace events. =========================================================================== .. .. c:function:: krb5_error_code krb5_set_trace_filename(krb5_context context, const char * filename) .. :param: **[in]** **context** - Library context **[in]** **filename** - File name .. :retval: - KRB5_TRACE_NOSUPP Tracing is not supported in the library. .. Open *filename* for appending (creating it, if necessary) and set up a callback to write trace events to it. .. .. note:: This function overrides the information passed through the *KRB5_TRACE* environment variable. .. 
note:: New in 1.9 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_keyblock.rst.txt0000644000704600001450000000160714076311665027521 0ustar ghudsonsystemd-journalkrb5_init_keyblock - Initialize an empty krb5_keyblock . ========================================================== .. .. c:function:: krb5_error_code krb5_init_keyblock(krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock ** out) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **length** - Length of keyblock (or 0) **[out]** **out** - New keyblock structure .. :retval: - 0 Success; otherwise - Kerberos error codes .. Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use :c:func:`krb5_free_keyblock()` to free *out* when it is no longer needed. .. .. note:: If *length* is set to 0, contents are left unallocated. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.rst.txt0000644000704600001450000000137114076311665030713 0ustar ghudsonsystemd-journalkrb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context. ============================================================================== .. .. c:function:: krb5_error_code krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_ticket_times * times) .. :param: **[in]** **context** - Library context **[in]** **ctx** - TGS request context **[out]** **times** - Ticket times for acquired credentials .. :retval: - 0 Success; otherwise - Kerberos error codes .. The TGS request context must have completed obtaining credentials via either :c:func:`krb5_tkt_creds_get()` or :c:func:`krb5_tkt_creds_step()` . .. .. note:: New in 1.9 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_verify.rst.txt0000644000704600001450000000267314076311665027026 0ustar ghudsonsystemd-journalkrb5_pac_verify - Verify a PAC. 
=================================

.. c:function:: krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr)

:param:
          **[in]** **context** - Library context

          **[in]** **pac** - PAC handle

          **[in]** **authtime** - Expected timestamp

          **[in]** **principal** - Expected principal name (or NULL)

          **[in]** **server** - Key to validate server checksum (or NULL)

          **[in]** **privsvr** - Key to validate KDC checksum (or NULL)

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function validates *pac* against the supplied *server*, *privsvr*, *principal* and *authtime*. If *principal* is NULL, the principal and authtime are not verified. If *server* or *privsvr* is NULL, the corresponding checksum is not verified. If successful, *pac* is marked as verified.

.. note::

          A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.


krb5_enctype_to_name - Convert an encryption type to a name or alias.
=======================================================================

.. c:function:: krb5_error_code krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, char * buffer, size_t buflen)

:param:
          **[in]** **enctype** - Encryption type

          **[in]** **shortest** - Flag

          **[out]** **buffer** - Buffer to hold encryption type string

          **[in]** **buflen** - Storage available in *buffer*

:retval:
         -  0   Success; otherwise - Kerberos error codes
If *shortest* is FALSE, this function returns the enctype's canonical name (like "aes128-cts-hmac-sha1-96"). If *shortest* is TRUE, it returns the enctype's shortest alias (like "aes128-cts").

.. note:: New in 1.9


krb5_sendauth - Client function for sendauth protocol.
========================================================

.. c:function:: krb5_error_code krb5_sendauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_ccache ccache, krb5_error ** error, krb5_ap_rep_enc_part ** rep_result, krb5_creds ** out_creds)

:param:
          **[in]** **context** - Library context

          **[inout]** **auth_context** - Pre-existing or newly created auth context

          **[in]** **fd** - File descriptor that describes network socket

          **[in]** **appl_version** - Application protocol version to be matched with the receiver's application version

          **[in]** **client** - Client principal

          **[in]** **server** - Server principal

          **[in]** **ap_req_options** - :data:`AP_OPTS` options

          **[in]** **in_data** - Data to be sent to the server

          **[in]** **in_creds** - Input credentials, or NULL to use *ccache*

          **[in]** **ccache** - Credential cache

          **[out]** **error** - If non-null, contains KRB_ERROR message returned from server

          **[out]** **rep_result** - If non-null and *ap_req_options* is :data:`AP_OPTS_MUTUAL_REQUIRED`, contains the result of mutual authentication exchange

          **[out]** **out_creds** - If non-null, the retrieved credentials

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over *fd*.
Credentials may be specified in three ways:

- If *in_creds* is NULL, credentials are obtained with :c:func:`krb5_get_credentials()` using the principals *client* and *server*. *server* must be non-null; *client* may be NULL to use the default principal of *ccache*.

- If *in_creds* is non-null, but does not contain a ticket, credentials for the exchange are obtained with :c:func:`krb5_get_credentials()` using *in_creds*. In this case, the values of *client* and *server* are unused.

- If *in_creds* is a complete credentials structure, it is used directly. In this case, the values of *client*, *server*, and *ccache* are unused.

If the server is using a different application protocol than that specified in *appl_version*, an error will be returned.

Use :c:func:`krb5_free_creds()` to free *out_creds*, :c:func:`krb5_free_ap_rep_enc_part()` to free *rep_result*, and :c:func:`krb5_free_error()` to free *error* when they are no longer needed.

.. seealso::
         :c:func:`krb5_recvauth()`


krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.
====================================================================

.. c:function:: krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_data * output)

:param:
          **[in]** **context** - Library context

          **[in]** **k** - KDC contribution key

          **[in]** **input** - Input data

          **[out]** **output** - Pseudo-random output buffer

:return:
         -  0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf()

This function fills *output* with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize *output* and allocate the desired amount of space. The length of the pseudo-random output will match the length of *output*.
.. note:: RFC 4402 defines a different PRF+ operation. This function does not implement that operation.


krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.
=======================================================================================

.. c:function:: krb5_error_code krb5_425_conv_principal(krb5_context context, const char * name, const char * instance, const char * realm, krb5_principal * princ)

:param:
          **[in]** **context** - Library context

          **[in]** **name** - V4 name

          **[in]** **instance** - V4 instance

          **[in]** **realm** - Realm

          **[out]** **princ** - V5 principal

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function builds the V5 principal *princ* from the V4 specification given as *name.instance@realm*. Use :c:func:`krb5_free_principal()` to free *princ* when it is no longer needed.


krb5_free_unparsed_name - Free a string representation of a principal.
========================================================================

.. c:function:: void krb5_free_unparsed_name(krb5_context context, char * val)

:param:
          **[in]** **context** - Library context

          **[in]** **val** - Name string to be freed


krb5_init_creds_step - Get the next KDC request for acquiring initial credentials.
====================================================================================
.. c:function:: krb5_error_code krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags)

:param:
          **[in]** **context** - Library context

          **[in]** **ctx** - Initial credentials context

          **[in]** **in** - KDC response (empty on the first call)

          **[out]** **out** - Next KDC request

          **[out]** **realm** - Realm for next KDC request

          **[out]** **flags** - Output flags

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request.

If more requests are needed, *flags* will be set to :data:`KRB5_INIT_CREDS_STEP_FLAG_CONTINUE` and the next request will be placed in *out*. If no more requests are needed, *flags* will not contain :data:`KRB5_INIT_CREDS_STEP_FLAG_CONTINUE` and *out* will be empty.

If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG**, the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed.

*context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.


krb5_unparse_name - Convert a krb5_principal structure to a string representation.
====================================================================================

.. c:function:: krb5_error_code krb5_unparse_name(krb5_context context, krb5_const_principal principal, char ** name)

:param:
          **[in]** **context** - Library context

          **[in]** **principal** - Principal

          **[out]** **name** - String representation of principal name
:retval:
         -  0   Success
:return:
         -  Kerberos error codes

The resulting string representation uses the format and quoting conventions described for :c:func:`krb5_parse_name()`. Use :c:func:`krb5_free_unparsed_name()` to free *name* when it is no longer needed.


krb5_get_fallback_host_realm
============================

.. c:function:: krb5_error_code krb5_get_fallback_host_realm(krb5_context context, krb5_data * hdata, char *** realmsp)

:param:
          **[in]** **context** - Library context

          **[in]** **hdata** - Host name (or NULL)

          **[out]** **realmsp** - Null-terminated list of realm names

Fill in *realmsp* with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. If *hdata* is NULL, the local host's realms are determined. Use :c:func:`krb5_free_host_realm()` to release *realmsp* when it is no longer needed.


krb5_get_credentials - Get an additional ticket.
==================================================

.. c:function:: krb5_error_code krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)

:param:
          **[in]** **context** - Library context

          **[in]** **options** - Options

          **[in]** **ccache** - Credential cache handle

          **[in]** **in_creds** - Input credentials

          **[out]** **out_creds** - Output updated credentials

:retval:
         -  0   Success
:return:
         -  Kerberos error codes

Use *ccache* or a TGS exchange to get a service ticket matching *in_creds*.
Valid values for *options* are:

- :data:`KRB5_GC_CACHED` Search only credential cache for the ticket

- :data:`KRB5_GC_USER_USER` Return a user to user authentication ticket

*in_creds* must be non-null. *in_creds->client* and *in_creds->server* must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in *in_creds->authdata*; otherwise set *in_creds->authdata* to NULL. The session key type is specified in *in_creds->keyblock.enctype*, if it is nonzero.

The expiration date is specified in *in_creds->times.endtime*. The KDC may return tickets with an earlier expiration date. If *in_creds->times.endtime* is set to 0, the latest possible expiration date will be requested.

Any returned ticket and intermediate ticket-granting tickets are stored in *ccache*.

Use :c:func:`krb5_free_creds()` to free *out_creds* when it is no longer needed.


krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support.
=============================================================================================

.. c:function:: krb5_boolean krb5_is_thread_safe(void)

:param:
          **None**

:retval:
         -  TRUE if the library is threadsafe; FALSE otherwise


krb5_decode_authdata_container - Unwrap authorization data.
=============================================================

.. c:function:: krb5_error_code krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, const krb5_authdata * container, krb5_authdata *** authdata)
:param:
          **[in]** **context** - Library context

          **[in]** **type** - :data:`KRB5_AUTHDATA` type of *container*

          **[in]** **container** - Authorization data to be decoded

          **[out]** **authdata** - List of decoded authorization data

:retval:
         -  0   Success; otherwise - Kerberos error codes

.. seealso::
         :c:func:`krb5_encode_authdata_container()`


krb5_get_prompt_types - Get prompt types array from a context.
================================================================

.. c:function:: krb5_prompt_type * krb5_get_prompt_types(krb5_context context)

:param:
          **[in]** **context** - Library context

:return:
         -  Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values:

            - KRB5_PROMPT_TYPE_PASSWORD
            - KRB5_PROMPT_TYPE_NEW_PASSWORD
            - KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN
            - KRB5_PROMPT_TYPE_PREAUTH


krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options.
====================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt * opt, krb5_address ** addresses)

:param:
          **[in]** **opt** - Options structure

          **[in]** **addresses** - Null-terminated array of addresses


krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options.
==============================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt * opt, int canonicalize)

:param:
          **[in]** **opt** - Options structure

          **[in]** **canonicalize** - Whether to canonicalize client principal


krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.
=================================================================================================

.. c:function:: krb5_boolean krb5_c_valid_cksumtype(krb5_cksumtype ctype)

:param:
          **[in]** **ctype** - Checksum type

:return:
         -  TRUE if ctype is valid, FALSE if not


krb5_kt_start_seq_get - Start a sequential retrieval of key table entries.
============================================================================

.. c:function:: krb5_error_code krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor)

:param:
          **[in]** **context** - Library context

          **[in]** **keytab** - Key table handle

          **[out]** **cursor** - Cursor

:retval:
         -  0   Success
:return:
         -  Kerberos error codes

Prepare to read sequentially every key in the specified key table. Use :c:func:`krb5_kt_end_seq_get()` to release the cursor when it is no longer needed.


krb5_cksumtype_to_string - Convert a checksum type to a string.
=================================================================
.. c:function:: krb5_error_code krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char * buffer, size_t buflen)

:param:
          **[in]** **cksumtype** - Checksum type

          **[out]** **buffer** - Buffer to hold converted checksum type

          **[in]** **buflen** - Storage available in *buffer*

:retval:
         -  0   Success; otherwise - Kerberos error codes


krb5_is_config_principal - Test whether a principal is a configuration principal.
===================================================================================

.. c:function:: krb5_boolean krb5_is_config_principal(krb5_context context, krb5_const_principal principal)

:param:
          **[in]** **context** - Library context

          **[in]** **principal** - Principal to check

:return:
         -  TRUE if the principal is a configuration principal (generated as part of krb5_cc_set_config()); FALSE otherwise.


krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options.
===============================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_get_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags * out_flags)

:param:
          **[in]** **context** - Library context

          **[in]** **opt** - Options

          **[out]** **out_flags** - FAST flags

:retval:
         -  0   Success; Kerberos errors otherwise.


krb5_get_validated_creds - Get validated credentials from the KDC.
====================================================================
.. c:function:: krb5_error_code krb5_get_validated_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service)

:param:
          **[in]** **context** - Library context

          **[out]** **creds** - Validated credentials

          **[in]** **client** - Client principal name

          **[in]** **ccache** - Credential cache

          **[in]** **in_tkt_service** - Server principal string (or NULL)

:retval:
         -  0   Success
         -  KRB5_NO_2ND_TKT   Request missing second ticket
         -  KRB5_NO_TKT_SUPPLIED   Request did not supply a ticket
         -  KRB5_PRINC_NOMATCH   Requested principal and ticket do not match
         -  KRB5_KDCREP_MODIFIED   KDC reply did not match expectations
         -  KRB5_KDCREP_SKEW   Clock skew too great in KDC reply
:return:
         -  Kerberos error codes

This function gets a validated credential using a postdated credential from *ccache*. If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. If successful, the validated credential is placed in *creds*.


krb5_kt_end_seq_get - Release a keytab cursor.
================================================

.. c:function:: krb5_error_code krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor)

:param:
          **[in]** **context** - Library context

          **[in]** **keytab** - Key table handle

          **[out]** **cursor** - Cursor

:retval:
         -  0   Success
:return:
         -  Kerberos error codes

This function should be called to release the cursor created by :c:func:`krb5_kt_start_seq_get()`.


krb5_verify_init_creds_opt_init - Initialize a credential verification options structure.
===========================================================================================

.. c:function:: void krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt * k5_vic_options)

:param:
          **[in]** **k5_vic_options** - Verification options structure


krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.
=======================================================================================

.. c:function:: krb5_error_code krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, char * name, char * inst, char * realm)

:param:
          **[in]** **context** - Library context

          **[in]** **princ** - V5 Principal

          **[out]** **name** - V4 principal's name to be filled in

          **[out]** **inst** - V4 principal's instance name to be filled in

          **[out]** **realm** - Principal's realm name to be filled in

:retval:
         -  0   Success
         -  KRB5_INVALID_PRINCIPAL   Invalid principal name
         -  KRB5_CONFIG_CANTOPEN   Can't open or find Kerberos configuration file
:return:
         -  Kerberos error codes

This function separates a V5 principal *princ* into its V4 *name*, *inst* (instance), and *realm* components.


krb5_set_password_using_ccache - Set a password for a principal using cached credentials.
===========================================================================================

.. c:function:: krb5_error_code krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string)
:param:
          **[in]** **context** - Library context

          **[in]** **ccache** - Credential cache

          **[in]** **newpw** - New password

          **[in]** **change_password_for** - Change the password for this principal

          **[out]** **result_code** - Numeric error code from server

          **[out]** **result_code_string** - String equivalent to *result_code*

          **[out]** **result_string** - Data returned from the remote system

:retval:
         -  0   Success
:return:
         -  Kerberos error codes

This function uses the cached credentials from *ccache* to set the password *newpw* for the principal *change_password_for*. It implements the RFC 3244 set-password operation (interoperable with MS Windows implementations) using the credential cache. The error code and strings are returned in *result_code*, *result_code_string* and *result_string*.

.. note::

          If *change_password_for* is set to NULL, the change is performed on the default principal in *ccache*. If *change_password_for* is non-null, the change is performed on the specified principal.


krb5_k_verify_checksum - Verify a checksum (operates on opaque key).
======================================================================

.. c:function:: krb5_error_code krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid)

:param:
          **[in]** **context** - Library context

          **[in]** **key** - Encryption key for a keyed checksum

          **[in]** **usage** - *key* usage

          **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against

          **[in]** **cksum** - Checksum to be verified

          **[out]** **valid** - Non-zero for success, zero for failure

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function verifies that *cksum* is a valid checksum for *data*.
If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type.

.. note:: This function is similar to :c:func:`krb5_c_verify_checksum()`, but operates on opaque *key*.


krb5_cc_initialize - Initialize a credential cache.
=====================================================

.. c:function:: krb5_error_code krb5_cc_initialize(krb5_context context, krb5_ccache cache, krb5_principal principal)

:param:
          **[in]** **context** - Library context

          **[in]** **cache** - Credential cache handle

          **[in]** **principal** - Default principal name

:retval:
         -  0   Success
:return:
         -  System errors; Permission errors; Kerberos error codes

Destroy any existing contents of *cache* and initialize it for the default principal *principal*.


krb5_c_random_os_entropy - Collect entropy from the OS if possible.
=====================================================================

.. c:function:: krb5_error_code krb5_c_random_os_entropy(krb5_context context, int strong, int * success)

:param:
          **[in]** **context** - Library context

          **[in]** **strong** - Strongest available source of entropy

          **[out]** **success** - 1 if OS provides entropy, 0 otherwise

:retval:
         -  0   Success; otherwise - Kerberos error codes

If *strong* is non-zero, this function attempts to use the strongest available source of entropy. Setting this flag may cause the function to block on some operating systems.
Good uses include seeding the PRNG for kadmind and realm setup.


krb5_get_init_creds_password - Get initial credentials using a password.
==========================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_password(krb5_context context, krb5_creds * creds, krb5_principal client, const char * password, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options)

:param:
          **[in]** **context** - Library context

          **[out]** **creds** - New credentials

          **[in]** **client** - Client principal

          **[in]** **password** - Password (or NULL)

          **[in]** **prompter** - Prompter function

          **[in]** **data** - Prompter callback data

          **[in]** **start_time** - Time when ticket becomes valid (0 for now)

          **[in]** **in_tkt_service** - Service name of initial credentials (or NULL)

          **[in]** **k5_gic_options** - Initial credential options

:retval:
         -  0   Success
         -  EINVAL   Invalid argument
         -  KRB5_KDC_UNREACH   Cannot contact any KDC for requested realm
         -  KRB5_PREAUTH_FAILED   Generic pre-authentication failure
         -  KRB5_LIBOS_PWDINTR   Password read interrupted
         -  KRB5_REALM_CANT_RESOLVE   Cannot resolve network address for KDC in requested realm
         -  KRB5KDC_ERR_KEY_EXP   Password has expired
         -  KRB5_LIBOS_BADPWDMATCH   Password mismatch
         -  KRB5_CHPW_PWDNULL   New password cannot be zero length
         -  KRB5_CHPW_FAIL   Password change failed
:return:
         -  Kerberos error codes

This function requests initial credentials for *client* from the KDC using *password*. If *password* is NULL, a password will be prompted for using *prompter* if necessary. If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.
krb5_mk_safe - Format a KRB-SAFE message.
===========================================

.. c:function:: krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * der_out, krb5_replay_data * rdata_out)

:param:
          **[in]** **context** - Library context

          **[in]** **auth_context** - Authentication context

          **[in]** **userdata** - User data in the message

          **[out]** **der_out** - Formatted **KRB-SAFE** buffer

          **[out]** **rdata_out** - Replay data. Specify NULL if not needed

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function creates an integrity protected **KRB-SAFE** message using data supplied by the application.

Fields in *auth_context* specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and :data:`KRB5_AUTH_CONTEXT` flags.

The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context*, a timestamp is included in the KRB-SAFE message, and an entry for the message is entered in an in-memory replay cache to detect if the message is reflected by an attacker. If :data:`KRB5_AUTH_CONTEXT_DO_TIME` is not set, no replay cache is used. If :data:`KRB5_AUTH_CONTEXT_RET_TIME` is set in *auth_context*, a timestamp is included in the KRB-SAFE message and is stored in *rdata_out*.

If either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the *auth_context* local sequence number is included in the KRB-SAFE message and then incremented.
If :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the sequence number used is stored in *rdata_out*.

Use :c:func:`krb5_free_data_contents()` to free *der_out* when it is no longer needed.

.. note::

          The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context*.


krb5_init_creds_get - Acquire credentials using an initial credentials context.
=================================================================================

.. c:function:: krb5_error_code krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)

:param:
          **[in]** **context** - Library context

          **[in]** **ctx** - Initial credentials context

:retval:
         -  0   Success; otherwise - Kerberos error codes

This function synchronously obtains credentials using a context created by :c:func:`krb5_init_creds_init()`. On successful return, the credentials can be retrieved with :c:func:`krb5_init_creds_get_creds()`.

*context* must be the same as the one passed to :c:func:`krb5_init_creds_init()` for this initial credentials context.


krb5_get_init_creds_opt_init
============================

.. c:function:: void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt * opt)

:param:
          **opt**

DEPRECATED Use krb5_get_init_creds_opt_alloc() instead.


krb5_address_compare - Compare two Kerberos addresses.
========================================================
.. c:function:: krb5_boolean krb5_address_compare(krb5_context context, const krb5_address * addr1, const krb5_address * addr2)

:param:
    **[in]** **context** - Library context

    **[in]** **addr1** - First address to be compared

    **[in]** **addr2** - Second address to be compared

:return:
    - TRUE if the addresses are the same, FALSE otherwise

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.rst.txt

krb5_c_verify_checksum - Verify a checksum (operates on keyblock).
====================================================================

.. c:function:: krb5_error_code krb5_c_verify_checksum(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid)

:param:
    **[in]** **context** - Library context

    **[in]** **key** - Encryption key for a keyed checksum

    **[in]** **usage** - *key* usage

    **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against

    **[in]** **cksum** - Checksum to be verified

    **[out]** **valid** - Non-zero for success, zero for failure

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function verifies that *cksum* is a valid checksum for *data*. If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type.

.. note:: This function is similar to :c:func:`krb5_k_verify_checksum()`, but operates on keyblock *key*.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_sname_match.rst.txt

krb5_sname_match - Test whether a principal matches a matching principal.
===========================================================================

.. c:function:: krb5_boolean krb5_sname_match(krb5_context context, krb5_const_principal matching, krb5_const_principal princ)

:param:
    **[in]** **context** - Library context

    **[in]** **matching** - Matching principal

    **[in]** **princ** - Principal to test

:return:
    - TRUE if *princ* matches *matching*, FALSE otherwise.

If *matching* is NULL, return TRUE. If *matching* is not a matching principal, return the value of krb5_principal_compare(context, matching, princ).

.. note:: A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_have_content.rst.txt

krb5_kt_have_content - Check if a keytab exists and contains entries.
=======================================================================

.. c:function:: krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab)

:param:
    **[in]** **context** - Library context

    **[in]** **keytab** - Key table handle

:retval:
    - 0 Keytab exists and contains entries
    - KRB5_KT_NOTFOUND Keytab does not contain entries

.. note:: New in 1.11

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_req.rst.txt

krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.
=======================================================

.. c:function:: krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket)
:param:
    **[in]** **context** - Library context

    **[inout]** **auth_context** - Pre-existing or newly created auth context

    **[in]** **inbuf** - AP-REQ message to be parsed

    **[in]** **server** - Matching principal for server, or NULL to allow any principal in keytab

    **[in]** **keytab** - Key table, or NULL to use the default

    **[out]** **ap_req_options** - If non-null, the AP-REQ flags on output

    **[out]** **ticket** - If non-null, ticket from the AP-REQ message

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies an AP-REQ message from *inbuf* and stores the authenticator in *auth_context*.

If a keyblock was specified in *auth_context* using :c:func:`krb5_auth_con_setuseruserkey()`, that key is used to decrypt the ticket in the AP-REQ message and *keytab* is ignored. In this case, *server* should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

Otherwise, the decryption key is obtained from *keytab*, or from the default keytab if it is NULL. In this case, *server* may be a complete principal name, a matching principal (see :c:func:`krb5_sname_match()`), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

- If *server* is a complete principal name, then its entry in *keytab* is tried.
- Otherwise, if *keytab* is iterable, then all entries in *keytab* which match *server* are tried.
- Otherwise, the server principal in the ticket must match *server*, and its entry in *keytab* is tried.

The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. If the *remote_addr* field of *auth_context* is set, the request must come from that address.

If a replay cache handle is provided in the *auth_context*, the authenticator and ticket are verified against it.
If no conflict is found, the new authenticator is then stored in the replay cache of *auth_context*.

Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.

On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context*. If the :data:`AP_OPTS_MUTUAL_REQUIRED` bit is set, the local sequence number is XORed with the remote sequence number in the request.

Use :c:func:`krb5_free_ticket()` to free *ticket* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.rst.txt

krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name.
==============================================================================================

.. c:function:: krb5_error_code krb5_cc_new_unique(krb5_context context, const char * type, const char * hint, krb5_ccache * id)

:param:
    **[in]** **context** - Library context

    **[in]** **type** - Credential cache type name

    **[in]** **hint** - Unused

    **[out]** **id** - Credential cache handle

:retval:
    - 0 Success

:return:
    - Kerberos error codes

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.rst.txt

krb5_auth_con_init - Create and initialize an authentication context.
=======================================================================

.. c:function:: krb5_error_code krb5_auth_con_init(krb5_context context, krb5_auth_context * auth_context)

:param:
    **[in]** **context** - Library context

    **[out]** **auth_context** - Authentication context

:retval:
    - 0 Success; otherwise - Kerberos error codes
This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred.

By default, flags for the context are set to enable the use of the replay cache (:data:`KRB5_AUTH_CONTEXT_DO_TIME`), but not sequence numbers. Use :c:func:`krb5_auth_con_setflags()` to change the flags.

The allocated *auth_context* must be freed with :c:func:`krb5_auth_con_free()` when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_rep.rst.txt

krb5_rd_rep - Parse and decrypt a KRB_AP_REP message.
=======================================================

.. c:function:: krb5_error_code krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ap_rep_enc_part ** repl)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **inbuf** - AP-REP message

    **[out]** **repl** - Decrypted reply message

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function parses, decrypts and verifies a message from *inbuf* and fills in *repl* with a pointer to allocated memory containing the fields from the encrypted response.

Use :c:func:`krb5_free_ap_rep_enc_part()` to free *repl* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.rst.txt

krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context.
=========================================================================

.. c:function:: krb5_error_code krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key)

:param:
    **[in]** **ctx** - Library context

    **[in]** **ac** - Authentication context

    **[out]** **key** - Send subkey
:retval:
    - 0 Success; otherwise - Kerberos error codes

This function sets the send subkey in *ac* to *key*, incrementing its reference count.

.. note:: New in 1.9

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_default.rst.txt

krb5_kt_default - Resolve the default key table.
==================================================

.. c:function:: krb5_error_code krb5_kt_default(krb5_context context, krb5_keytab * id)

:param:
    **[in]** **context** - Library context

    **[out]** **id** - Key table handle

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Set *id* to a handle to the default key table. The key table is not opened.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_parse.rst.txt

krb5_pac_parse - Unparse an encoded PAC into a new handle.
============================================================

.. c:function:: krb5_error_code krb5_pac_parse(krb5_context context, const void * ptr, size_t len, krb5_pac * pac)

:param:
    **[in]** **context** - Library context

    **[in]** **ptr** - PAC buffer

    **[in]** **len** - Length of *ptr*

    **[out]** **pac** - PAC handle

:retval:
    - 0 Success; otherwise - Kerberos error codes

Use :c:func:`krb5_pac_free()` to free *pac* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_data.rst.txt

krb5_free_data - Free a krb5_data structure.
==============================================

.. c:function:: void krb5_free_data(krb5_context context, krb5_data * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Data structure to be freed

This function frees the contents of *val* and the structure itself.
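The auth-context flag semantics documented above for krb5_mk_safe, krb5_rd_req and krb5_auth_con_init (and further down for krb5_rd_priv) are easiest to see in a small model of both sides of the exchange. The following is an added example, not code from krb5 or the MIT Kerberos project: it makes no libkrb5 call, and its flag values, structures, addresses, timestamps and replay cache are constructed for illustration. The checksum or encryption that protects a real KRB-SAFE or KRB-PRIV message is out of scope here.

```c
/* Added example, not krb5 code: a standalone model of the auth-context flag
 * semantics documented for krb5_mk_safe, krb5_rd_req and krb5_rd_priv.
 * Flag values, structs and the replay cache are constructed for illustration;
 * the checksum/encryption that protects real messages is out of scope. */
#include <stdint.h>
#include <string.h>

enum { AC_DO_TIME = 1, AC_RET_TIME = 2, AC_DO_SEQUENCE = 4, AC_RET_SEQUENCE = 8 };
enum { MSG_OK = 0, MSG_BADADDR, MSG_BADSEQ, MSG_SKEW, MSG_REPLAY };
#define CLOCK_SKEW 300      /* seconds; mirrors the krb5 default */
#define RCACHE_MAX 16

struct msg {                /* the KRB-SAFE/KRB-PRIV fields the checks use */
    int has_time, has_seq;
    uint32_t timestamp, seq;
    char sender[32];
};
struct replay_data { uint32_t timestamp, seq; };   /* krb5_replay_data stand-in */
struct auth_ctx {
    int flags;
    uint32_t local_seq, remote_seq;
    char local_addr[32], remote_addr[32];           /* "" means not set */
    struct msg rcache[RCACHE_MAX];                  /* in-memory replay cache */
    int rcache_n;
};

/* Sender side (krb5_mk_safe): stamp and number the message per the flags. */
int mk_message(struct auth_ctx *ac, uint32_t now, struct msg *out,
               struct replay_data *rdata)
{
    memset(out, 0, sizeof(*out));
    strncpy(out->sender, ac->local_addr, sizeof(out->sender) - 1);
    if (ac->flags & (AC_DO_TIME | AC_RET_TIME)) {
        out->has_time = 1;
        out->timestamp = now;
    }
    if (ac->flags & (AC_DO_SEQUENCE | AC_RET_SEQUENCE)) {
        out->has_seq = 1;
        out->seq = ac->local_seq++;         /* included, then incremented */
    }
    if (ac->flags & (AC_RET_TIME | AC_RET_SEQUENCE)) {
        if (rdata == NULL)
            return -1;                      /* rdata_out is required here */
        rdata->timestamp = out->timestamp;
        rdata->seq = out->seq;
    }
    return 0;
}

/* Receiver side (krb5_rd_priv): address, sequence, skew and replay checks. */
int rd_message(struct auth_ctx *ac, const struct msg *m, uint32_t now)
{
    if (ac->remote_addr[0] != '\0' && strcmp(ac->remote_addr, m->sender) != 0)
        return MSG_BADADDR;                 /* must come from remote_addr */
    if (ac->flags & AC_DO_SEQUENCE) {       /* otherwise the seq is not used */
        if (!m->has_seq || m->seq != ac->remote_seq)
            return MSG_BADSEQ;
        ac->remote_seq++;
    }
    if (ac->flags & AC_DO_TIME) {           /* otherwise no replay cache is used */
        uint32_t d = now > m->timestamp ? now - m->timestamp : m->timestamp - now;
        if (!m->has_time || d > CLOCK_SKEW)
            return MSG_SKEW;
        for (int i = 0; i < ac->rcache_n; i++)
            if (ac->rcache[i].timestamp == m->timestamp &&
                strcmp(ac->rcache[i].sender, m->sender) == 0)
                return MSG_REPLAY;          /* seen before: reflection/replay */
        if (ac->rcache_n < RCACHE_MAX)
            ac->rcache[ac->rcache_n++] = *m;
    }
    return MSG_OK;
}

/* DO_TIME only (the krb5_auth_con_init default): a message is accepted once;
 * the same message presented again is caught by the replay cache. */
int demo_replay_detected(void)
{
    struct auth_ctx client = {0}, server = {0};
    struct msg m;
    client.flags = server.flags = AC_DO_TIME;
    strcpy(client.local_addr, "10.0.0.5");     /* constructed addresses */
    strcpy(server.remote_addr, "10.0.0.5");
    if (mk_message(&client, 1700000000, &m, NULL) != 0) return -1;
    if (rd_message(&server, &m, 1700000010) != MSG_OK) return -2;
    return rd_message(&server, &m, 1700000020);        /* MSG_REPLAY */
}

/* DO_SEQUENCE|RET_SEQUENCE: numbers are reported back and enforced in order,
 * so re-presenting an already accepted message fails the sequence check. */
int demo_sequence_enforced(void)
{
    struct auth_ctx client = {0}, server = {0};
    struct msg m1, m2;
    struct replay_data rd;
    client.flags = server.flags = AC_DO_SEQUENCE | AC_RET_SEQUENCE;
    client.local_seq = server.remote_seq = 100;
    if (mk_message(&client, 0, &m1, &rd) != 0 || mk_message(&client, 0, &m2, &rd) != 0)
        return -1;
    if (rd.seq != 101 || client.local_seq != 102) return -2;
    if (rd_message(&server, &m1, 0) != MSG_OK) return -3;
    return rd_message(&server, &m1, 0);                /* MSG_BADSEQ */
}
```

Two points from the text show up in the scenarios: with only DO_TIME set (the krb5_auth_con_init default) a duplicated message is caught by the replay cache but reordering is not, while with DO_SEQUENCE set ordering is enforced and any RET_* flag obliges the caller to pass a non-NULL *rdata_out*.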
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_creds.rst.txt

krb5_copy_creds - Copy a krb5_creds structure.
================================================

.. c:function:: krb5_error_code krb5_copy_creds(krb5_context context, const krb5_creds * incred, krb5_creds ** outcred)

:param:
    **[in]** **context** - Library context

    **[in]** **incred** - Credentials structure to be copied

    **[out]** **outcred** - Copy of *incred*

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function creates a new credential with the contents of *incred*. Use :c:func:`krb5_free_creds()` to free *outcred* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_random_seed.rst.txt

krb5_c_random_seed
==================

.. c:function:: krb5_error_code krb5_c_random_seed(krb5_context context, krb5_data * data)

:param:
    **context**

    **data**

DEPRECATED Replaced by krb5_c_* API family.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.rst.txt

krb5_copy_keyblock_contents - Copy the contents of a keyblock.
================================================================

.. c:function:: krb5_error_code krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock * from, krb5_keyblock * to)

:param:
    **[in]** **context** - Library context

    **[in]** **from** - Key to be copied

    **[out]** **to** - Output key

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function copies the contents of *from* to *to*. Use :c:func:`krb5_free_keyblock_contents()` to free *to* when it is no longer needed.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_dup.rst.txt

krb5_cc_dup - Duplicate ccache handle.
========================================

.. c:function:: krb5_error_code krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache * out)

:param:
    **[in]** **context** - Library context

    **[in]** **in** - Credential cache handle to be duplicated

    **[out]** **out** - Credential cache handle

Create a new handle referring to the same cache as *in*. The new handle and *in* can be closed independently.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.rst.txt

krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags.
=========================================================================================

.. c:function:: krb5_error_code krb5_parse_name_flags(krb5_context context, const char * name, int flags, krb5_principal * principal_out)

:param:
    **[in]** **context** - Library context

    **[in]** **name** - String representation of a principal name

    **[in]** **flags** - Flag

    **[out]** **principal_out** - New principal

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Similar to :c:func:`krb5_parse_name()`, this function converts a single-string representation of a principal name to a krb5_principal structure.

The following flags are valid:

- :data:`KRB5_PRINCIPAL_PARSE_NO_REALM` - no realm must be present in *name*
- :data:`KRB5_PRINCIPAL_PARSE_REQUIRE_REALM` - realm must be present in *name*
- :data:`KRB5_PRINCIPAL_PARSE_ENTERPRISE` - create single-component enterprise principal
- :data:`KRB5_PRINCIPAL_PARSE_IGNORE_REALM` - ignore realm if present in *name*

If **KRB5_PRINCIPAL_PARSE_NO_REALM** or **KRB5_PRINCIPAL_PARSE_IGNORE_REALM** is specified in *flags*, the realm of the new principal will be empty.
Otherwise, the default realm for *context* will be used if *name* does not specify a realm.

Use :c:func:`krb5_free_principal()` to free *principal_out* when it is no longer needed.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.rst.txt

krb5_cc_gen_new
===============

.. c:function:: krb5_error_code krb5_cc_gen_new(krb5_context context, krb5_ccache * cache)

:param:
    **context**

    **cache**

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_read_password.rst.txt

krb5_read_password - Read a password from keyboard input.
===========================================================

.. c:function:: krb5_error_code krb5_read_password(krb5_context context, const char * prompt, const char * prompt2, char * return_pwd, unsigned int * size_return)

:param:
    **[in]** **context** - Library context

    **[in]** **prompt** - First user prompt when reading password

    **[in]** **prompt2** - Second user prompt (NULL to prompt only once)

    **[out]** **return_pwd** - Returned password

    **[inout]** **size_return** - On input, maximum size of password; on output, size of password read

:retval:
    - 0 Success

:return:
    - Error in reading or verifying the password
    - Kerberos error codes

This function reads a password from keyboard input and stores it in *return_pwd*. *size_return* should be set by the caller to the amount of storage space available in *return_pwd*; on successful return, it will be set to the length of the password read.

*prompt* is printed to the terminal, followed by ":", and then a password is read from the keyboard. If *prompt2* is NULL, the password is read only once. Otherwise, *prompt2* is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.

Echoing is turned off when the password is read.
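As an added example (not krb5's own code) of the krb5_parse_name_flags flag semantics above and of the matching-principal rule that krb5_sname_match documents earlier on this page, here is a standalone parser and matcher over a constructed principal struct. The flag values, the default realm EXAMPLE.COM, the sample principal names and the ignore_hostname switch (standing in for the profile setting the krb5_sname_match note mentions) are assumptions; backslash escapes, enterprise names and principal name types are not modelled.

```c
/* Added example, not krb5 code: a standalone parser implementing the
 * krb5_parse_name_flags flag semantics, plus the krb5_sname_match rule (a
 * host-based "matching principal" with an empty realm and/or empty hostname
 * component matches any value in that position).  Flag values, the struct
 * and the default realm are constructed; escapes, enterprise names and
 * name types are not modelled. */
#include <stdio.h>
#include <string.h>

enum { PARSE_NO_REALM = 1, PARSE_REQUIRE_REALM = 2, PARSE_IGNORE_REALM = 4 };
#define MAX_COMPS 4
#define DEFAULT_REALM "EXAMPLE.COM"      /* stands in for the context default */

struct principal {
    char realm[64];
    int ncomps;
    char comp[MAX_COMPS][64];
};

/* Returns 0 on success, -1 on a flag violation or too many components. */
int parse_name_flags(const char *name, int flags, struct principal *out)
{
    const char *at = strrchr(name, '@');     /* realm follows the last '@' */
    memset(out, 0, sizeof(*out));
    if ((flags & PARSE_NO_REALM) && at != NULL)
        return -1;                           /* no realm must be present */
    if ((flags & PARSE_REQUIRE_REALM) && at == NULL)
        return -1;                           /* realm must be present */
    if (flags & (PARSE_NO_REALM | PARSE_IGNORE_REALM))
        out->realm[0] = '\0';                /* realm left empty */
    else
        snprintf(out->realm, sizeof(out->realm), "%s", at ? at + 1 : DEFAULT_REALM);

    const char *p = name, *end = at ? at : name + strlen(name);
    for (;;) {                               /* split components on '/' */
        const char *slash = memchr(p, '/', (size_t)(end - p));
        const char *stop = slash ? slash : end;
        if (out->ncomps == MAX_COMPS)
            return -1;
        snprintf(out->comp[out->ncomps++], sizeof(out->comp[0]),
                 "%.*s", (int)(stop - p), p);
        if (slash == NULL)
            break;
        p = slash + 1;
    }
    return 0;
}

/* Exact comparison: realm and every component must agree. */
int principal_compare(const struct principal *a, const struct principal *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomps != b->ncomps)
        return 0;
    for (int i = 0; i < a->ncomps; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* Empty realm and/or empty hostname in a service/hostname principal act as
 * wildcards; ignore_hostname models the profile setting from the note. */
int sname_match(const struct principal *matching, const struct principal *princ,
                int ignore_hostname)
{
    if (matching == NULL)
        return 1;
    if (matching->ncomps != 2 ||
        (matching->realm[0] != '\0' && matching->comp[1][0] != '\0'))
        return principal_compare(matching, princ);      /* not a matching principal */
    if (princ->ncomps != 2 || strcmp(matching->comp[0], princ->comp[0]) != 0)
        return 0;
    if (matching->realm[0] != '\0' && strcmp(matching->realm, princ->realm) != 0)
        return 0;
    if (matching->comp[1][0] != '\0' && !ignore_hostname &&
        strcmp(matching->comp[1], princ->comp[1]) != 0)
        return 0;
    return 1;
}

/* Five scenarios; each that behaves as documented sets one bit (31 = all). */
int demo_matching(void)
{
    struct principal m, p, q, u;
    int bits = 0;
    if (parse_name_flags("host/", PARSE_NO_REALM, &m) == 0 &&
        parse_name_flags("host/db1.example.com@EXAMPLE.COM", 0, &p) == 0 &&
        sname_match(&m, &p, 0)) bits |= 1;        /* wildcard host and realm */
    if (parse_name_flags("ldap/db1.example.com@EXAMPLE.COM", 0, &u) == 0 &&
        !sname_match(&m, &u, 0)) bits |= 2;       /* service must still agree */
    if (parse_name_flags("host/db1.example.com", 0, &q) == 0 &&
        principal_compare(&p, &q)) bits |= 4;     /* default realm filled in */
    if (parse_name_flags("host/db1.example.com", PARSE_REQUIRE_REALM, &q) != 0)
        bits |= 8;                                /* REQUIRE_REALM enforced */
    if (parse_name_flags("host/db1.example.com", PARSE_NO_REALM, &m) == 0 &&
        parse_name_flags("host/other.example.com@EXAMPLE.COM", 0, &q) == 0 &&
        !sname_match(&m, &q, 0) && sname_match(&m, &q, 1))
        bits |= 16;                               /* hostname ignored only by config */
    return bits;
}
```

The last scenario is the one worth remembering when choosing the *server* argument to krb5_rd_req: a matching principal with the hostname left empty accepts any host-based entry for that service in the keytab, whereas a complete principal name pins acceptance to one host and one realm.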
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.rst.txt

krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential.
========================================================================================

.. c:function:: krb5_error_code krb5_get_renewed_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service)

:param:
    **[in]** **context** - Library context

    **[out]** **creds** - Renewed credentials

    **[in]** **client** - Client principal name

    **[in]** **ccache** - Credential cache

    **[in]** **in_tkt_service** - Server principal string (or NULL)

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function gets a renewed credential using an existing one from *ccache*. If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used.

If successful, the renewed credential is placed in *creds*.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_checksum.rst.txt

krb5_free_checksum - Free a krb5_checksum structure.
======================================================

.. c:function:: void krb5_free_checksum(krb5_context context, krb5_checksum * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Checksum structure to be freed

This function frees the contents of *val* and the structure itself.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.rst.txt

krb5_c_encrypt_length - Compute encrypted data length.
========================================================

..
.. c:function:: krb5_error_code krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t * length)

:param:
    **[in]** **context** - Library context

    **[in]** **enctype** - Encryption type

    **[in]** **inputlen** - Length of the data to be encrypted

    **[out]** **length** - Length of the encrypted data

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function computes the length of the ciphertext produced by encrypting *inputlen* bytes, including padding, confounder, and checksum.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.rst.txt

krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.
===========================================================================================

.. c:function:: krb5_error_code krb5_c_fx_cf2_simple(krb5_context context, const krb5_keyblock * k1, const char * pepper1, const krb5_keyblock * k2, const char * pepper2, krb5_keyblock ** out)

:param:
    **[in]** **context** - Library context

    **[in]** **k1** - KDC contribution key

    **[in]** **pepper1** - String "PKINIT"

    **[in]** **k2** - Reply key

    **[in]** **pepper2** - String "KeyExchange"

    **[out]** **out** - Output key

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that *pepper1* and *pepper2* are C strings with no internal nulls and that the enctype of the result will be the same as that of *k1*. *k1* and *k2* may be of different enctypes.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.rst.txt

krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options.
========================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt * opt, int anonymous)

:param:
    **[in]** **opt** - Options structure

    **[in]** **anonymous** - Whether to make an anonymous request

This function may be used to request anonymous credentials from the KDC by setting *anonymous* to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.rst.txt

krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options.
======================================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_in_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)

:param:
    **[in]** **context** - Library context

    **[in]** **opt** - Options

    **[in]** **ccache** - Credential cache handle

If an input credential cache is set, then the krb5_get_init_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security-sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache.

.. note:: New in 1.11

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.rst.txt

krb5_cc_copy_creds - Copy a credential cache.
===============================================

..
.. c:function:: krb5_error_code krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc)

:param:
    **[in]** **context** - Library context

    **[in]** **incc** - Credential cache to be copied

    **[out]** **outcc** - Copy of credential cache to be filled in

:retval:
    - 0 Success; otherwise - Kerberos error codes

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.rst.txt

krb5_pac_add_buffer - Add a buffer to a PAC handle.
=====================================================

.. c:function:: krb5_error_code krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data * data)

:param:
    **[in]** **context** - Library context

    **[in]** **pac** - PAC handle

    **[in]** **type** - Buffer type

    **[in]** **data** - Buffer contents

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function adds a buffer of type *type* and contents *data* to *pac* if there isn't already a buffer of this type present.

The valid values of *type* are:

- :data:`KRB5_PAC_LOGON_INFO` - Logon information
- :data:`KRB5_PAC_CREDENTIALS_INFO` - Credentials information
- :data:`KRB5_PAC_SERVER_CHECKSUM` - Server checksum
- :data:`KRB5_PAC_PRIVSVR_CHECKSUM` - KDC checksum
- :data:`KRB5_PAC_CLIENT_INFO` - Client name and ticket information
- :data:`KRB5_PAC_DELEGATION_INFO` - Constrained delegation information
- :data:`KRB5_PAC_UPN_DNS_INFO` - User principal name and DNS information

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.rst.txt

krb5_unparse_name_ext - Convert krb5_principal structure to string and length.
================================================================================

.. c:function:: krb5_error_code krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char ** name, unsigned int * size)
:param:
    **[in]** **context** - Library context

    **[in]** **principal** - Principal

    **[inout]** **name** - String representation of principal name

    **[inout]** **size** - Size of unparsed name

:retval:
    - 0 Success

:return:
    - Kerberos error codes. On failure *name* is set to NULL

This function is similar to :c:func:`krb5_unparse_name()`, but allows the use of an existing buffer for the result. If *size* is not NULL, then *name* must point to either NULL or an existing buffer of at least the size pointed to by *size*. The buffer will be allocated or resized if necessary, with the new pointer stored into *name*. Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into *size*.

If *size* is NULL, this function behaves exactly as :c:func:`krb5_unparse_name()`.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_data_contents.rst.txt

krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field.
===============================================================================================

.. c:function:: void krb5_free_data_contents(krb5_context context, krb5_data * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Data structure to free contents of

This function frees the contents of *val*, but not the structure itself. It sets the structure's data pointer to null and (beginning in release 1.19) sets its length to zero.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_move.rst.txt

krb5_cc_move - Move a credential cache.
=========================================

.. c:function:: krb5_error_code krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst)
:param:
    **[in]** **context** - Library context

    **[in]** **src** - The credential cache to move the content from

    **[in]** **dst** - The credential cache to move the content to

:retval:
    - 0 Success; *src* is closed.

:return:
    - Kerberos error codes; *src* is still allocated.

This function reinitializes *dst* and populates it with the credentials and default principal of *src*; then, if successful, destroys *src*.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.rst.txt

krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries.
==========================================================================================

.. c:function:: krb5_error_code krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor)

:param:
    **[in]** **context** - Library context

    **[in]** **cache** - Credential cache handle

    **[in]** **cursor** - Cursor

:retval:
    - 0 (always)

This function finishes processing credential cache entries and invalidates *cursor*.

.. seealso:: :c:func:`krb5_cc_start_seq_get()`, :c:func:`krb5_cc_next_cred()`

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_set_config.rst.txt

krb5_cc_set_config - Store a configuration value in a credential cache.
=========================================================================

.. c:function:: krb5_error_code krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data)

:param:
    **[in]** **context** - Library context

    **[in]** **id** - Credential cache handle

    **[in]** **principal** - Configuration for a specific principal; if NULL, global for the whole cache

    **[in]** **key** - Name of config variable

    **[in]** **data** - Data to store, or NULL to remove

:retval:
    - 0 Success

:return:
    - Kerberos error codes
.. warning:: Before version 1.10 *data* was assumed to be always non-null.

.. note:: Existing configuration under the same key is over-written.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.rst.txt

krb5_string_to_timestamp - Convert a string to a timestamp.
=============================================================

.. c:function:: krb5_error_code krb5_string_to_timestamp(char * string, krb5_timestamp * timestampp)

:param:
    **[in]** **string** - String to be converted

    **[out]** **timestampp** - Pointer to timestamp

:retval:
    - 0 Success; otherwise - EINVAL

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.rst.txt

krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.
==============================================================================================

.. c:function:: void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args)

:param:
    **[in]** **ctx** - Library context

    **[in]** **code** - Error code

    **[in]** **fmt** - Format string for error message prefix

    **[in]** **args** - List of vprintf(3) style arguments

This function is similar to :c:func:`krb5_prepend_error_message()`, but uses a va_list instead of variadic arguments.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.rst.txt

krb5_set_trace_callback - Specify a callback function for trace events.
=========================================================================

.. c:function:: krb5_error_code krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, void * cb_data)
:param:
    **[in]** **context** - Library context

    **[in]** **fn** - Callback function

    **[in]** **cb_data** - Callback data

:return:
    - Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library (unless *fn* is NULL).

Specify a callback for trace events occurring in krb5 operations performed within *context*. *fn* will be invoked with *context* as the first argument, *cb_data* as the last argument, and a pointer to a krb5_trace_info as the second argument. If the trace callback is reset via this function or *context* is destroyed, *fn* will be invoked with a NULL second argument so it can clean up *cb_data*. Supply a NULL value for *fn* to disable trace callbacks within *context*.

.. note:: This function overrides the information passed through the *KRB5_TRACE* environment variable.

.. note:: New in 1.9

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_authenticator.rst.txt

krb5_free_authenticator - Free a krb5_authenticator structure.
================================================================

.. c:function:: void krb5_free_authenticator(krb5_context context, krb5_authenticator * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - Authenticator structure to be freed

This function frees the contents of *val* and the structure itself.

krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_priv.rst.txt

krb5_rd_priv - Process a KRB-PRIV message.
============================================

.. c:function:: krb5_error_code krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * userdata_out, krb5_replay_data * rdata_out)
:param:
    **[in]** **context** - Library context
    **[in]** **auth_context** - Authentication structure
    **[in]** **inbuf** - **KRB-PRIV** message to be parsed
    **[out]** **userdata_out** - Data parsed from **KRB-PRIV** message
    **[out]** **rdata_out** - Replay data. Specify NULL if not needed

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function parses a **KRB-PRIV** message, verifies its integrity, and stores its unencrypted data into *userdata_out*.

If *auth_context* has a remote address set, the address will be used to verify the sender address in the KRB-PRIV message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one.

If the :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag is set in *auth_context*, the sequence number of the KRB-PRIV message is checked against the remote sequence number field of *auth_context*. Otherwise, the sequence number is not used.

If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context*, then the timestamp in the message is verified to be within the permitted clock skew of the current time, and the message is checked against an in-memory replay cache to detect reflections or replays.

Use :c:func:`krb5_free_data_contents()` to free *userdata_out* when it is no longer needed.

.. note::

    The *rdata_out* argument is required if the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.rst.txt

krb5_cccol_cursor_next - Get the next credential cache in the collection.
===========================================================================

.. c:function:: krb5_error_code krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache * ccache)
:param:
    **[in]** **context** - Library context
    **[in]** **cursor** - Cursor
    **[out]** **ccache** - Credential cache handle

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Use :c:func:`krb5_cc_close()` to close *ccache* when it is no longer needed.

.. seealso::

    :c:func:`krb5_cccol_cursor_new()`, :c:func:`krb5_cccol_cursor_free()`

.. note::

    When all caches are iterated over and the end of the list is reached, *ccache* is set to NULL.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.rst.txt

krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure.
===============================================================================

.. c:function:: void krb5_free_keyblock_contents(krb5_context context, krb5_keyblock * key)

:param:
    **[in]** **context** - Library context
    **[in]** **key** - Keyblock to be freed

This function frees the contents of *key*, but not the structure itself.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.rst.txt

krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options.
========================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt * opt, krb5_enctype * etype_list, int etype_list_length)

:param:
    **[in]** **opt** - Options structure
    **[in]** **etype_list** - Array of encryption types
    **[in]** **etype_list_length** - Length of *etype_list*

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_get_type.rst.txt

krb5_kt_get_type - Return the type of a key table.
====================================================
.. c:function:: const char * krb5_kt_get_type(krb5_context context, krb5_keytab keytab)

:param:
    **[in]** **context** - Library context
    **[in]** **keytab** - Key table handle

:return:
    - The type of a key table as an alias that must not be modified or freed by the caller.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_random_key.rst.txt

krb5_init_random_key
====================

.. c:function:: krb5_error_code krb5_init_random_key(krb5_context context, const krb5_encrypt_block * eblock, const krb5_keyblock * keyblock, krb5_pointer * ptr)

:param:
    **context**
    **eblock**
    **keyblock**
    **ptr**

DEPRECATED Replaced by krb5_c_* API family.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.rst.txt

krb5_auth_con_getaddrs - Retrieve address fields from an auth context.
========================================================================

.. c:function:: krb5_error_code krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address ** local_addr, krb5_address ** remote_addr)

:param:
    **[in]** **context** - Library context
    **[in]** **auth_context** - Authentication context
    **[out]** **local_addr** - Local address (NULL if not needed)
    **[out]** **remote_addr** - Remote address (NULL if not needed)

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.rst.txt

krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options.
===================================================================================================
.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_responder(krb5_context context, krb5_get_init_creds_opt * opt, krb5_responder_fn responder, void * data)

:param:
    **[in]** **context** - Library context
    **[in]** **opt** - Options structure
    **[in]** **responder** - Responder function
    **[in]** **data** - Responder data argument

.. note::

    New in 1.11

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.rst.txt

krb5_principal_compare_any_realm - Compare two principals ignoring realm components.
======================================================================================

.. c:function:: krb5_boolean krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)

:param:
    **[in]** **context** - Library context
    **[in]** **princ1** - First principal
    **[in]** **princ2** - Second principal

:retval:
    - TRUE if the principals are the same; FALSE otherwise

Similar to :c:func:`krb5_principal_compare()`, but do not compare the realm components of the principals.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.rst.txt

krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials.
==============================================================================================

.. c:function:: krb5_error_code krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, const char * service)

:param:
    **[in]** **context** - Library context
    **[in]** **ctx** - Initial credentials context
    **[in]** **service** - Service principal string

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service.
*service* is parsed as a principal name; any realm part is ignored.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.rst.txt

krb5_principal_compare_flags - Compare two principals with additional flags.
==============================================================================

.. c:function:: krb5_boolean krb5_principal_compare_flags(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2, int flags)

:param:
    **[in]** **context** - Library context
    **[in]** **princ1** - First principal
    **[in]** **princ2** - Second principal
    **[in]** **flags** - Flags

:retval:
    - TRUE if the principal names are the same; FALSE otherwise

Valid flags are:

- :data:`KRB5_PRINCIPAL_COMPARE_IGNORE_REALM` - ignore realm component
- :data:`KRB5_PRINCIPAL_COMPARE_ENTERPRISE` - UPNs as real principals
- :data:`KRB5_PRINCIPAL_COMPARE_CASEFOLD` - case-insensitive
- :data:`KRB5_PRINCIPAL_COMPARE_UTF8` - treat principals as UTF-8

.. seealso::

    :c:func:`krb5_principal_compare()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_merge_authdata.rst.txt

krb5_merge_authdata - Merge two authorization data lists into a new list.
===========================================================================

.. c:function:: krb5_error_code krb5_merge_authdata(krb5_context context, krb5_authdata *const * inauthdat1, krb5_authdata *const * inauthdat2, krb5_authdata *** outauthdat)

:param:
    **[in]** **context** - Library context
    **[in]** **inauthdat1** - First list of *krb5_authdata* structures
    **[in]** **inauthdat2** - Second list of *krb5_authdata* structures
    **[out]** **outauthdat** - Merged list of *krb5_authdata* structures

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Merge two authdata arrays, such as the array from a ticket and authenticator.
Use :c:func:`krb5_free_authdata()` to free *outauthdat* when it is no longer needed.

.. note::

    The last array entry in *inauthdat1* and *inauthdat2* must be a NULL pointer.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_close.rst.txt

krb5_kt_close - Close a key table handle.
===========================================

.. c:function:: krb5_error_code krb5_kt_close(krb5_context context, krb5_keytab keytab)

:param:
    **[in]** **context** - Library context
    **[in]** **keytab** - Key table handle

:retval:
    - 0 None

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.rst.txt

krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options.
=======================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt * opt, krb5_preauthtype * preauth_list, int preauth_list_length)

:param:
    **[in]** **opt** - Options structure
    **[in]** **preauth_list** - Array of preauthentication types
    **[in]** **preauth_list_length** - Length of *preauth_list*

This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with :c:func:`krb5_get_init_creds_opt_set_salt()` and :c:func:`krb5_get_init_creds_opt_set_pa()`.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.rst.txt

krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock.
=======================================================================================
.. c:function:: krb5_error_code krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock)

:param:
    **[in]** **ctx** - Library context
    **[in]** **ac** - Authentication context
    **[in]** **keyblock** - Send subkey

:retval:
    - 0 Success. Otherwise
    - Kerberos error codes

This function sets the send subkey in *ac* to a copy of *keyblock*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.rst.txt

krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context.
================================================================================================

.. c:function:: krb5_error_code krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, krb5_creds * creds)

:param:
    **[in]** **context** - Library context
    **[in]** **ctx** - Initial credentials context
    **[out]** **creds** - Acquired credentials

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function copies the acquired initial credentials from *ctx* into *creds*, after the successful completion of :c:func:`krb5_init_creds_get()` or :c:func:`krb5_init_creds_step()`. Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.rst.txt

krb5_tkt_creds_init - Create a context to get credentials from a KDC's Ticket Granting Service.
=================================================================================================

.. c:function:: krb5_error_code krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds * creds, krb5_flags options, krb5_tkt_creds_context * ctx)
:param:
    **[in]** **context** - Library context
    **[in]** **ccache** - Credential cache handle
    **[in]** **creds** - Input credentials
    **[in]** **options** - :data:`KRB5_GC` options for this request.
    **[out]** **ctx** - New TGS request context

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function prepares to obtain credentials matching *creds*, either by retrieving them from *ccache* or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal's realm.

The resulting TGS acquisition context can be used asynchronously with :c:func:`krb5_tkt_creds_step()` or synchronously with :c:func:`krb5_tkt_creds_get()`. See also :c:func:`krb5_get_credentials()` for synchronous use.

Use :c:func:`krb5_tkt_creds_free()` to free *ctx* when it is no longer needed.

.. note::

    New in 1.9

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_check_clockskew.rst.txt

krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time.
===================================================================================================

.. c:function:: krb5_error_code krb5_check_clockskew(krb5_context context, krb5_timestamp date)

:param:
    **[in]** **context** - Library context
    **[in]** **date** - Timestamp to check

:retval:
    - 0 Success
    - KRB5KRB_AP_ERR_SKEW date is not within allowable clock skew

This function checks if *date* is close enough to the current time according to the configured allowable clock skew.

.. note::

    New in 1.10

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_realm_compare.rst.txt

krb5_realm_compare - Compare the realms of two principals.
============================================================
.. c:function:: krb5_boolean krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)

:param:
    **[in]** **context** - Library context
    **[in]** **princ1** - First principal
    **[in]** **princ2** - Second principal

:retval:
    - TRUE if the realm names are the same; FALSE otherwise

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.rst.txt

krb5_get_time_offsets - Return the time offsets from the os context.
======================================================================

.. c:function:: krb5_error_code krb5_get_time_offsets(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds)

:param:
    **[in]** **context** - Library context
    **[out]** **seconds** - Time offset, seconds portion
    **[out]** **microseconds** - Time offset, microseconds portion

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function returns the time offsets in *context*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_decode_ticket.rst.txt

krb5_decode_ticket - Decode an ASN.1-formatted ticket.
========================================================

.. c:function:: krb5_error_code krb5_decode_ticket(const krb5_data * code, krb5_ticket ** rep)

:param:
    **[in]** **code** - ASN.1-formatted ticket
    **[out]** **rep** - Decoded ticket information

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.rst.txt

krb5_init_context_profile - Create a krb5 library context using a specified profile.
======================================================================================
.. c:function:: krb5_error_code krb5_init_context_profile(struct _profile_t * profile, krb5_flags flags, krb5_context * context)

:param:
    **[in]** **profile** - Profile object (NULL to create default profile)
    **[in]** **flags** - Context initialization flags
    **[out]** **context** - Library context

Create a context structure, optionally using a specified profile and initialization flags.

If *profile* is NULL, the default profile will be created from config files. If *profile* is non-null, a copy of it will be made for the new context; the caller should still clean up its copy.

Valid flag values are:

- :data:`KRB5_INIT_CONTEXT_SECURE` Ignore environment variables
- :data:`KRB5_INIT_CONTEXT_KDC` Use KDC configuration if creating profile

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.rst.txt

krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock.
===================================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key)

:param:
    **[in]** **ctx** - Library context
    **[in]** **ac** - Authentication context
    **[out]** **key** - Receiving subkey

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function sets *key* to the receiving subkey from *ac*. Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.rst.txt

krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.
==============================================================================
.. c:function:: krb5_error_code krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags)

:param:
    **[in]** **context** - Library context
    **[in]** **auth_context** - Authentication context
    **[in]** **flags** - Flags bit mask

:retval:
    - 0 (always)

Valid values for *flags* are:

- :data:`KRB5_AUTH_CONTEXT_DO_TIME` Use timestamps
- :data:`KRB5_AUTH_CONTEXT_RET_TIME` Save timestamps
- :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` Use sequence numbers
- :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` Save sequence numbers

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.rst.txt

krb5_free_checksum_contents - Free the contents of a krb5_checksum structure.
===============================================================================

.. c:function:: void krb5_free_checksum_contents(krb5_context context, krb5_checksum * val)

:param:
    **[in]** **context** - Library context
    **[in]** **val** - Checksum structure to free contents of

This function frees the contents of *val*, but not the structure itself. It sets the checksum's data pointer to null and (beginning in release 1.19) sets its length to zero.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_checksum.rst.txt

krb5_copy_checksum - Copy a krb5_checksum structure.
======================================================

.. c:function:: krb5_error_code krb5_copy_checksum(krb5_context context, const krb5_checksum * ckfrom, krb5_checksum ** ckto)

:param:
    **[in]** **context** - Library context
    **[in]** **ckfrom** - Checksum to be copied
    **[out]** **ckto** - Copy of krb5_checksum structure

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function creates a new krb5_checksum structure with the contents of *ckfrom*.
Use :c:func:`krb5_free_checksum()` to free *ckto* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_free_key.rst.txt

krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero.
=======================================================================================

.. c:function:: void krb5_k_free_key(krb5_context context, krb5_key key)

:param:
    **context**
    **key**

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.rst.txt

krb5_responder_set_answer - Answer a named question in the responder context.
===============================================================================

.. c:function:: krb5_error_code krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * question, const char * answer)

:param:
    **[in]** **ctx** - Library context
    **[in]** **rctx** - Responder context
    **[in]** **question** - Question name
    **[in]** **answer** - The string to set (MUST be printable UTF-8)

:retval:
    - EINVAL question is not present within rctx

This function supplies an answer to *question* within *rctx*. The appropriate form of the answer depends on the question name.

.. note::

    New in 1.11

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_get_default_realm.rst.txt

krb5_get_default_realm - Retrieve the default realm.
======================================================

.. c:function:: krb5_error_code krb5_get_default_realm(krb5_context context, char ** lrealm)

:param:
    **[in]** **context** - Library context
    **[out]** **lrealm** - Default realm name

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Retrieves the default realm to be used if no user-specified realm is available.
Use :c:func:`krb5_free_default_realm()` to free *lrealm* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.rst.txt

krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock.
=====================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock)

:param:
    **[in]** **context** - Library context
    **[in]** **auth_context** - Authentication context
    **[out]** **keyblock** - Session key

:retval:
    - 0 Success. Otherwise
    - Kerberos error codes

This function creates a keyblock containing the session key from *auth_context*. Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_address_search.rst.txt

krb5_address_search - Search a list of addresses for a specified address.
===========================================================================

.. c:function:: krb5_boolean krb5_address_search(krb5_context context, const krb5_address * addr, krb5_address *const * addrlist)

:param:
    **[in]** **context** - Library context
    **[in]** **addr** - Address to search for
    **[in]** **addrlist** - Address list to be searched (or NULL)

:return:
    - TRUE if addr is listed in addrlist, or addrlist is NULL; FALSE otherwise

.. note::

    If *addrlist* contains only NetBIOS addresses, it will be treated as a null list.
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.rst.txt

krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key)
=============================================================================================

.. c:function:: krb5_error_code krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data)

:param:
    **[in]** **context** - Library context
    **[in]** **cksumtype** - Checksum type (0 for mandatory type)
    **[in]** **key** - Encryption key for a keyed checksum
    **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)
    **[inout]** **data** - IOV array
    **[in]** **num_data** - Size of *data*

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Create a checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element over :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` chunks in *data*. Only the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` region is modified.

.. seealso::

    :c:func:`krb5_k_verify_checksum_iov()`

.. note::

    This function is similar to :c:func:`krb5_c_make_checksum_iov()`, but operates on opaque *key*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.rst.txt

krb5_c_random_make_octets - Generate pseudo-random bytes.
===========================================================

.. c:function:: krb5_error_code krb5_c_random_make_octets(krb5_context context, krb5_data * data)

:param:
    **[in]** **context** - Library context
    **[out]** **data** - Random data

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Fills in *data* with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize *data* and allocate the desired amount of space.
.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.rst.txt

krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.
================================================================================

.. c:function:: krb5_error_code krb5_mk_req_extended(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_data * outbuf)

:param:
    **[in]** **context** - Library context
    **[inout]** **auth_context** - Pre-existing or newly created auth context
    **[in]** **ap_req_options** - :data:`AP_OPTS` options
    **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL
    **[in]** **in_creds** - Credentials for the service with valid ticket and key
    **[out]** **outbuf** - **AP-REQ** message

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

Valid *ap_req_options* are:

- :data:`AP_OPTS_USE_SESSION_KEY` - Use the session key when creating the request used for user to user authentication.
- :data:`AP_OPTS_MUTUAL_REQUIRED` - Request a mutual authentication packet from the receiver.
- :data:`AP_OPTS_USE_SUBKEY` - Generate a subsession key from the current session key obtained from the credentials.

This function creates a KRB_AP_REQ message using supplied credentials *in_creds*. *auth_context* may point to an existing auth context or to NULL, in which case a new one will be created. If *in_data* is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed.

On successful return, the authenticator is stored in *auth_context* with the *client* and *checksum* fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.)
.. seealso::

    :c:func:`krb5_mk_req()`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.rst.txt

krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context.
===================================================================================

.. c:function:: krb5_error_code krb5_auth_con_get_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func * func, void ** data)

:param:
    **[in]** **context** - Library context
    **[in]** **auth_context** - Authentication context
    **[out]** **func** - Checksum callback
    **[out]** **data** - Callback argument

:retval:
    - 0 (always)

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.rst.txt

krb5_cc_set_flags - Set options flags on a credential cache.
==============================================================

.. c:function:: krb5_error_code krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags)

:param:
    **[in]** **context** - Library context
    **[in]** **cache** - Credential cache handle
    **[in]** **flags** - Flag bit mask

:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function resets *cache* flags to *flags*.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.rst.txt

krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context.
======================================================================================

.. c:function:: krb5_error_code krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, krb5_creds * creds)

:param:
    **[in]** **context** - Library context
    **[in]** **ctx** - TGS request context
    **[out]** **creds** - Acquired credentials
:retval:
    - 0 Success; otherwise
    - Kerberos error codes

This function copies the acquired credentials from *ctx* into *creds*, after the successful completion of :c:func:`krb5_tkt_creds_get()` or :c:func:`krb5_tkt_creds_step()`. Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed.

.. note::

    New in 1.9

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_us_timeofday.rst.txt

krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.
======================================================================================

.. c:function:: krb5_error_code krb5_us_timeofday(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds)

:param:
    **[in]** **context** - Library context
    **[out]** **seconds** - System timeofday, seconds portion
    **[out]** **microseconds** - System timeofday, microseconds portion

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function retrieves the system time of day with the context specific time offset adjustment.

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.rst.txt

krb5_anonymous_realm - Return an anonymous realm data.
========================================================

.. c:function:: const krb5_data * krb5_anonymous_realm(void None)

:param:
    **None**

This function returns constant storage that must not be freed.

.. seealso::

    :data:`KRB5_ANONYMOUS_REALMSTR`

.. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_principal2salt.rst.txt

krb5_principal2salt - Convert a principal name into the default salt for that principal.
==========================================================================================
c:function:: krb5_error_code krb5_principal2salt(krb5_context context, krb5_const_principal pr, krb5_data * ret) .. :param: **[in]** **context** - Library context **[in]** **pr** - Principal name **[out]** **ret** - Default salt for *pr* to be filled in .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_address_order.rst.txt0000644000704600001450000000102114076311665027501 0ustar ghudsonsystemd-journalkrb5_address_order - Return an ordering of the specified addresses. ===================================================================== .. .. c:function:: int krb5_address_order(krb5_context context, const krb5_address * addr1, const krb5_address * addr2) .. :param: **[in]** **context** - Library context **[in]** **addr1** - First address **[in]** **addr2** - Second address .. :retval: - 0 The two addresses are the same - .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.rst.txt0000644000704600001450000000174014076311665030467 0ustar ghudsonsystemd-journalkrb5_aname_to_localname - Convert a principal name to a local name. ===================================================================== .. .. c:function:: krb5_error_code krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char * lname) .. :param: **[in]** **context** - Library context **[in]** **aname** - Principal name **[in]** **lnsize_in** - Space available in *lname* **[out]** **lname** - Local name buffer to be filled in .. :retval: - 0 Success - System errors :return: - Kerberos error codes .. If *aname* does not correspond to any local account, KRB5_LNAME_NOTRANS is returned. If *lnsize_in* is too small for the local name, KRB5_CONFIG_NOTENUFSPACE is returned. Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name). .. 
krb5_string_to_salttype - Convert a string to a salt type.
============================================================

.. c:function:: krb5_error_code krb5_string_to_salttype(char * string, krb5_int32 * salttypep)

:param:
    **[in]** **string** - String to convert to a salt type

    **[out]** **salttypep** - Salt type to be filled in

:retval:
    - 0 Success; otherwise - EINVAL

krb5_os_localaddr - Return all interface addresses for this host.
===================================================================

.. c:function:: krb5_error_code krb5_os_localaddr(krb5_context context, krb5_address *** addr)

:param:
    **[in]** **context** - Library context

    **[out]** **addr** - Array of krb5_address pointers, ending with NULL

:retval:
    - 0 Success; otherwise - Kerberos error codes

Use :c:func:`krb5_free_addresses()` to free *addr* when it is no longer needed.

krb5_random_key
===============

.. c:function:: krb5_error_code krb5_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer ptr, krb5_keyblock ** keyblock)

:param:
    **context**

    **eblock**

    **ptr**

    **keyblock**

DEPRECATED Replaced by the krb5_c_* API family.

krb5_cc_get_config - Get a configuration value from a credential cache.
=========================================================================

.. c:function:: krb5_error_code krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data)

:param:
    **[in]** **context** - Library context

    **[in]** **id** - Credential cache handle

    **[in]** **principal** - Configuration for this principal; if NULL, global for the whole cache

    **[in]** **key** - Name of config variable

    **[out]** **data** - Data to be fetched

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed.

krb5_cc_select - Select a credential cache to use with a server principal.
============================================================================

.. c:function:: krb5_error_code krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache * cache_out, krb5_principal * princ_out)

:param:
    **[in]** **context** - Library context

    **[in]** **server** - Server principal

    **[out]** **cache_out** - Credential cache handle

    **[out]** **princ_out** - Client principal

:return:
    - If an appropriate cache is found, 0 is returned, *cache_out* is set to the selected cache, and *princ_out* is set to the default principal of that cache.

Select a cache within the collection containing credentials most appropriate for use with *server*, according to configured rules and heuristics.

Use :c:func:`krb5_cc_close()` to release *cache_out* when it is no longer needed. Use :c:func:`krb5_free_principal()` to release *princ_out* when it is no longer needed. Note that *princ_out* is set in some error conditions.

If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5_CC_NOTFOUND is returned, *cache_out* is set to NULL, and *princ_out* is set to the appropriate client principal.

If no configured mechanism can determine the appropriate cache or principal, KRB5_CC_NOTFOUND is returned and *cache_out* and *princ_out* are set to NULL. Any other error code indicates a fatal error in the processing of a cache selection mechanism.

.. note:: New in 1.10

krb5_recvauth - Server function for sendauth protocol.
========================================================

.. c:function:: krb5_error_code krb5_recvauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket)

:param:
    **[in]** **context** - Library context

    **[inout]** **auth_context** - Pre-existing or newly created auth context

    **[in]** **fd** - File descriptor

    **[in]** **appl_version** - Application protocol version to be matched against the client's application version

    **[in]** **server** - Server principal (NULL for any in *keytab*)

    **[in]** **flags** - Additional specifications

    **[in]** **keytab** - Key table containing service keys

    **[out]** **ticket** - Ticket (NULL if not needed)

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over *fd*. Use :c:func:`krb5_free_ticket()` to free *ticket* when it is no longer needed.

.. seealso:: :c:func:`krb5_sendauth()`

krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context.
==============================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **seqnumber** - Remote sequence number

:retval:
    - 0 Success; otherwise - Kerberos error codes

Retrieve the remote sequence number from *auth_context* and return it in *seqnumber*. The :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag must be set in *auth_context* for this function to be useful.

krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key).
=================================================================================================

.. c:function:: krb5_error_code krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid)

:param:
    **[in]** **context** - Library context

    **[in]** **cksumtype** - Checksum type (0 for mandatory type)

    **[in]** **key** - Encryption key for a keyed checksum

    **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)

    **[in]** **data** - IOV array

    **[in]** **num_data** - Size of *data*

    **[out]** **valid** - Non-zero for success, zero for failure

:retval:
    - 0 Success; otherwise - Kerberos error codes

Confirm that the checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element is a valid checksum of the :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` regions in the iov.

.. seealso:: :c:func:`krb5_k_make_checksum_iov()`

.. note:: This function is similar to :c:func:`krb5_c_verify_checksum_iov()`, but operates on opaque *key*.
krb5_allow_weak_crypto - Allow the application to override the profile's allow_weak_crypto setting.
=====================================================================================================

.. c:function:: krb5_error_code krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable)

:param:
    **[in]** **context** - Library context

    **[in]** **enable** - Boolean flag

:retval:
    - 0 (always)

This function allows an application to override the allow_weak_crypto setting. It is primarily for use by aklog.

krb5_kt_get_name - Get a key table name.
==========================================

.. c:function:: krb5_error_code krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char * name, unsigned int namelen)

:param:
    **[in]** **context** - Library context

    **[in]** **keytab** - Key table handle

    **[out]** **name** - Key table name

    **[in]** **namelen** - Maximum length to fill in name

:retval:
    - 0 Success
    - KRB5_KT_NAME_TOOLONG Key table name does not fit in namelen bytes

:return:
    - Kerberos error codes

Fill *name* with the name of *keytab* including the type and delimiter.

krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure.
====================================================================

.. c:function:: void krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part * val)

:param:
    **[in]** **context** - Library context

    **[in]** **val** - AP-REP enc part to be freed

This function frees the contents of *val* and the structure itself.
krb5_get_init_creds_keytab - Get initial credentials using a key table.
=========================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_keytab(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options)

:param:
    **[in]** **context** - Library context

    **[out]** **creds** - New credentials

    **[in]** **client** - Client principal

    **[in]** **arg_keytab** - Key table handle

    **[in]** **start_time** - Time when ticket becomes valid (0 for now)

    **[in]** **in_tkt_service** - Service name of initial credentials (or NULL)

    **[in]** **k5_gic_options** - Initial credential options

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function requests initial credentials for *client* from the KDC, using a client key stored in *arg_keytab*. If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.

krb5_set_principal_realm - Set the realm field of a principal.
================================================================

.. c:function:: krb5_error_code krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char * realm)

:param:
    **[in]** **context** - Library context

    **[in]** **principal** - Principal name

    **[in]** **realm** - Realm name

:retval:
    - 0 Success

:return:
    - Kerberos error codes

Set the realm name part of *principal* to *realm*, overwriting the previous realm.
krb5_pac_get_types - Return an array of buffer types in a PAC handle.
=======================================================================

.. c:function:: krb5_error_code krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t * len, krb5_ui_4 ** types)

:param:
    **[in]** **context** - Library context

    **[in]** **pac** - PAC handle

    **[out]** **len** - Number of entries in *types*

    **[out]** **types** - Array of buffer types

:retval:
    - 0 Success; otherwise - Kerberos error codes

krb5_string_to_enctype - Convert a string to an encryption type.
==================================================================

.. c:function:: krb5_error_code krb5_string_to_enctype(char * string, krb5_enctype * enctypep)

:param:
    **[in]** **string** - String to convert to an encryption type

    **[out]** **enctypep** - Encryption type

:retval:
    - 0 Success; otherwise - EINVAL

krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options.
===============================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)

:param:
    **[in]** **context** - Library context

    **[in]** **opt** - Options

    **[in]** **ccache** - Credential cache handle

This function is similar to :c:func:`krb5_get_init_creds_opt_set_fast_ccache_name()`, but uses a credential cache handle instead of a name.

.. note:: New in 1.9

krb5_auth_con_setuseruserkey - Set the session key in an auth context.
========================================================================

.. c:function:: krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock * keyblock)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **keyblock** - User key

:retval:
    - 0 Success; otherwise - Kerberos error codes

krb5_salttype_to_string - Convert a salt type to a string.
============================================================

.. c:function:: krb5_error_code krb5_salttype_to_string(krb5_int32 salttype, char * buffer, size_t buflen)

:param:
    **[in]** **salttype** - Salttype to convert

    **[out]** **buffer** - Buffer to receive the converted string

    **[in]** **buflen** - Storage available in *buffer*

:retval:
    - 0 Success; otherwise - Kerberos error codes

krb5_cc_close - Close a credential cache handle.
==================================================

.. c:function:: krb5_error_code krb5_cc_close(krb5_context context, krb5_ccache cache)

:param:
    **[in]** **context** - Library context

    **[in]** **cache** - Credential cache handle

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function closes the credential cache handle *cache* without affecting the contents of the cache.
krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.
=============================================================================

.. c:function:: krb5_error_code krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 * flags)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **flags** - Flags bit mask

:retval:
    - 0 (always)

Valid values for *flags* are:

- :data:`KRB5_AUTH_CONTEXT_DO_TIME` Use timestamps
- :data:`KRB5_AUTH_CONTEXT_RET_TIME` Save timestamps
- :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` Use sequence numbers
- :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` Save sequence numbers

krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof.
===============================================================================

.. c:function:: krb5_boolean krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)

:param:
    **[in]** **ctype** - Checksum type

:return:
    - TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type.

krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.
=========================================================================

.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, const char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **rhost** - Remote host

    **[in]** **client** - Client principal of TGT

    **[in]** **server** - Principal of server to receive TGT

    **[in]** **cc** - Credential cache handle (NULL to use default)

    **[in]** **forwardable** - Whether TGT should be forwardable

    **[out]** **outbuf** - KRB-CRED message

:retval:
    - 0 Success
    - ENOMEM Insufficient memory
    - KRB5_PRINC_NOMATCH Requested principal and ticket do not match
    - KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
    - KRB5_CC_BADNAME Credential cache name or principal name malformed

:return:
    - Kerberos error codes

Get a TGT for use at the remote host *rhost* and format it into a KRB-CRED message. If *rhost* is NULL and *server* is of type :data:`KRB5_NT_SRV_HST`, the second component of *server* will be used.

krb5_get_server_rcache - Generate a replay cache object for server use and open it.
=====================================================================================

.. c:function:: krb5_error_code krb5_get_server_rcache(krb5_context context, const krb5_data * piece, krb5_rcache * rcptr)

:param:
    **[in]** **context** - Library context

    **[in]** **piece** - Unused (replay cache identifier)

    **[out]** **rcptr** - Handle to an open rcache

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function creates a handle to the default replay cache. Use krb5_rc_close() to close *rcptr* when it is no longer needed.

.. note:: Prior to release 1.18, this function created a handle to a different replay cache for each unique value of *piece*.
krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options.
=================================================================================================================

.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt * opt, const char * fast_ccache_name)

:param:
    **[in]** **context** - Library context

    **[in]** **opt** - Options

    **[in]** **fast_ccache_name** - Credential cache name

Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; :c:func:`krb5_get_init_creds_opt_set_fast_flags()` must be used to require that FAST be used.

krb5_clear_error_message - Clear the extended error message in a context.
===========================================================================

.. c:function:: void krb5_clear_error_message(krb5_context ctx)

:param:
    **[in]** **ctx** - Library context

This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code.

krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys.
=============================================================================================

.. c:function:: krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype ** ktypes)

:param:
    **[in]** **context** - Library context

    **[out]** **ktypes** - Zero-terminated list of encryption types

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function returns the list of encryption types permitted for session keys within *context*, as determined by configuration or by a previous call to :c:func:`krb5_set_default_tgs_enctypes()`. Use :c:func:`krb5_free_enctypes()` to free *ktypes* when it is no longer needed.

krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure.
==================================================================================

.. c:function:: krb5_error_code krb5_k_key_keyblock(krb5_context context, krb5_key key, krb5_keyblock ** key_data)

:param:
    **context**

    **key**

    **key_data**

krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding.
=============================================================================================

.. c:function:: krb5_error_code krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char * buffer, size_t buflen, char * pad)

:param:
    **[in]** **timestamp** - Timestamp to convert

    **[out]** **buffer** - Buffer to hold the converted timestamp

    **[in]** **buflen** - Length of buffer

    **[in]** **pad** - Optional value to pad *buffer* if the converted timestamp does not fill it

:retval:
    - 0 Success; otherwise - Kerberos error codes

If *pad* is not NULL, *buffer* is padded out to *buflen* - 1 characters with the character ``*pad``.

krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options.
========================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt * opt, int proxiable)

:param:
    **[in]** **opt** - Options structure

    **[in]** **proxiable** - Whether credentials should be proxiable

krb5_copy_context - Copy a krb5_context structure.
====================================================

.. c:function:: krb5_error_code krb5_copy_context(krb5_context ctx, krb5_context * nctx_out)

:param:
    **[in]** **ctx** - Library context

    **[out]** **nctx_out** - New context structure

:retval:
    - 0 Success

:return:
    - Kerberos error codes

The newly created context must be released by calling :c:func:`krb5_free_context()` when it is no longer needed.

krb5_get_credentials_renew
==========================

.. c:function:: krb5_error_code krb5_get_credentials_renew(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)

:param:
    **context**

    **options**

    **ccache**

    **in_creds**

    **out_creds**

DEPRECATED Replaced by krb5_get_renewed_creds.
krb5_k_decrypt - Decrypt data using a key (operates on opaque key).
=====================================================================

.. c:function:: krb5_error_code krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output)

:param:
    **[in]** **context** - Library context

    **[in]** **key** - Encryption key

    **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types)

    **[inout]** **cipher_state** - Cipher state; specify NULL if not needed

    **[in]** **input** - Encrypted data

    **[out]** **output** - Decrypted data

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function decrypts the data block *input* and stores the output into *output*. The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation.

.. note:: The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let :c:func:`krb5_c_decrypt()` trim *output->length*. For some enctypes, the resulting *output->length* may include padding bytes.

krb5_cc_next_cred - Retrieve the next entry from the credential cache.
========================================================================

.. c:function:: krb5_error_code krb5_cc_next_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor, krb5_creds * creds)

:param:
    **[in]** **context** - Library context

    **[in]** **cache** - Credential cache handle

    **[in]** **cursor** - Cursor

    **[out]** **creds** - Next credential cache entry

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function fills in *creds* with the next entry in *cache* and advances *cursor*. Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed.

.. seealso:: :c:func:`krb5_cc_start_seq_get()`, :c:func:`krb5_cc_end_seq_get()`

krb5_string_to_deltat - Convert a string to a delta time value.
=================================================================

.. c:function:: krb5_error_code krb5_string_to_deltat(char * string, krb5_deltat * deltatp)

:param:
    **[in]** **string** - String to be converted

    **[out]** **deltatp** - Delta time to be filled in

:retval:
    - 0 Success; otherwise - KRB5_DELTAT_BADFORMAT

krb5_set_default_realm - Override the default realm for the specified context.
================================================================================

.. c:function:: krb5_error_code krb5_set_default_realm(krb5_context context, const char * lrealm)

:param:
    **[in]** **context** - Library context

    **[in]** **lrealm** - Realm name for the default realm

:retval:
    - 0 Success

:return:
    - Kerberos error codes

If *lrealm* is NULL, clear the default realm setting.

krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context.
=================================================================================

.. c:function:: krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address * local_addr, krb5_address * remote_addr)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[in]** **local_addr** - Local address

    **[in]** **remote_addr** - Remote address

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function releases the storage assigned to the contents of the local and remote addresses of *auth_context* and then sets them to *local_addr* and *remote_addr* respectively.

.. seealso:: :c:func:`krb5_auth_con_genaddrs()`

krb5_get_profile - Retrieve configuration profile from the context.
=====================================================================

.. c:function:: krb5_error_code krb5_get_profile(krb5_context context, struct _profile_t ** profile)

:param:
    **[in]** **context** - Library context

    **[out]** **profile** - Pointer to data read from a configuration file

:retval:
    - 0 Success

:return:
    - Kerberos error codes

This function creates a new *profile* object that reflects the profile in the supplied *context*. The *profile* object may be freed with the profile_release() function. See profile.h and the profile API for more details.

krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options.
=========================================================================================================

.. c:function:: void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt * opt, krb5_deltat renew_life)

:param:
    **[in]** **opt** - Pointer to *options* field

    **[in]** **renew_life** - Ticket renewal lifetime

krb5_kt_add_entry - Add a new entry to a key table.
=====================================================

.. c:function:: krb5_error_code krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry)

:param:
    **[in]** **context** - Library context

    **[in]** **id** - Key table handle

    **[in]** **entry** - Entry to be added

:retval:
    - 0 Success
    - ENOMEM Insufficient memory
    - KRB5_KT_NOWRITE Key table is not writeable

:return:
    - Kerberos error codes

krb5_auth_con_initivector - Cause an auth context to use cipher state.
========================================================================

.. c:function:: krb5_error_code krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

:retval:
    - 0 Success; otherwise - Kerberos error codes

Prepare *auth_context* to use cipher state when :c:func:`krb5_mk_priv()` or :c:func:`krb5_rd_priv()` encrypt or decrypt data.

krb5_kt_default_name - Get the default key table name.
========================================================

.. c:function:: krb5_error_code krb5_kt_default_name(krb5_context context, char * name, int name_size)

:param:
    **[in]** **context** - Library context

    **[out]** **name** - Default key table name

    **[in]** **name_size** - Space available in *name*

:retval:
    - 0 Success
    - KRB5_CONFIG_NOTENUFSPACE Buffer is too short

:return:
    - Kerberos error codes

Fill *name* with the name of the default key table for *context*.

krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context.
================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key)

:param:
    **[in]** **ctx** - Library context

    **[in]** **ac** - Authentication context

    **[out]** **key** - Send subkey

:retval:
    - 0 Success; otherwise - Kerberos error codes

This function sets *key* to the send subkey from *ac*. Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed.

krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context.
============================================================================================

.. c:function:: krb5_error_code krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber)

:param:
    **[in]** **context** - Library context

    **[in]** **auth_context** - Authentication context

    **[out]** **seqnumber** - Local sequence number

:retval:
    - 0 Success; otherwise - Kerberos error codes

Retrieve the local sequence number from *auth_context* and return it in *seqnumber*. The :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag must be set in *auth_context* for this function to be useful.
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_build_principal.rst.txt0000644000704600001450000000172214076311665030031 0ustar ghudsonsystemd-journalkrb5_build_principal - Build a principal name using null-terminated strings. ============================================================================== .. .. c:function:: krb5_error_code krb5_build_principal(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... ) .. :param: **[in]** **context** - Library context **[out]** **princ** - Principal name **[in]** **rlen** - Realm name length **[in]** **realm** - Realm name .. :retval: - 0 Success :return: - Kerberos error codes .. Call :c:func:`krb5_free_principal()` to free *princ* when it is no longer needed. .. .. note:: :c:func:`krb5_build_principal()` and :c:func:`krb5_build_principal_alloc_va()` perform the same task. :c:func:`krb5_build_principal()` takes variadic arguments. :c:func:`krb5_build_principal_alloc_va()` takes a pre-computed *varargs* pointer. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_copy_error_message.rst.txt0000644000704600001450000000074714076311665030566 0ustar ghudsonsystemd-journalkrb5_copy_error_message - Copy the most recent extended error message from one context to another. ==================================================================================================== .. .. c:function:: void krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx) .. :param: **[in]** **dest_ctx** - Library context to copy message to **[in]** **src_ctx** - Library context with current message .. .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.rst.txt0000644000704600001450000000130314076311665032626 0ustar ghudsonsystemd-journalkrb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table. ===================================================================================== .. .. 
c:function:: krb5_error_code krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket * ticket) .. :param: **[in]** **context** - Library context **[in]** **kt** - Key table **[in]** **ticket** - Ticket to be decrypted .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function takes a *ticket* as input and decrypts it using key data from *kt* . The result is placed into *ticket->enc_part2* . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_keylengths.rst.txt0000644000704600001450000000116014076311665027344 0ustar ghudsonsystemd-journalkrb5_c_keylengths - Return length of the specified key in bytes. ================================================================== .. .. c:function:: krb5_error_code krb5_c_keylengths(krb5_context context, krb5_enctype enctype, size_t * keybytes, size_t * keylength) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[out]** **keybytes** - Number of bytes required to make a key **[out]** **keylength** - Length of final key .. :retval: - 0 Success; otherwise - Kerberos error codes .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_pac_free.rst.txt0000644000704600001450000000055214076311665026435 0ustar ghudsonsystemd-journalkrb5_pac_free - Free a PAC handle. ==================================== .. .. c:function:: void krb5_pac_free(krb5_context context, krb5_pac pac) .. :param: **[in]** **context** - Library context **[in]** **pac** - PAC to be freed .. .. This function frees the contents of *pac* and the structure itself. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.rst.txt0000644000704600001450000000321314076311665027517 0ustar ghudsonsystemd-journalkrb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock). ==================================================================================== .. .. 
c:function:: krb5_error_code krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **keyblock** - Encryption key **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[in]** **cipher_state** - Cipher state; specify NULL if not needed **[inout]** **data** - IOV array. Modified in-place. **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. .. .. seealso:: :c:func:`krb5_c_decrypt_iov()` .. note:: On return from a :c:func:`krb5_c_decrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.rst.txt0000644000704600001450000000202214076311665035006 0ustar ghudsonsystemd-journalkrb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required. ================================================================================================= .. .. c:function:: void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, int ap_req_nofail) .. 
:param: **[in]** **k5_vic_options** - Verification options structure **[in]** **ap_req_nofail** - Whether to require successful verification .. .. This function determines how :c:func:`krb5_verify_init_creds()` behaves if no keytab information is available. If *ap_req_nofail* is **FALSE** , verification will be skipped in this case and :c:func:`krb5_verify_init_creds()` will return successfully. If *ap_req_nofail* is **TRUE** , :c:func:`krb5_verify_init_creds()` will not return successfully unless verification can be performed. If this function is not used, the behavior of :c:func:`krb5_verify_init_creds()` is determined through configuration. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.rst.txt0000644000704600001450000000237114076311665030650 0ustar ghudsonsystemd-journalkrb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock) =========================================================================================== .. .. c:function:: krb5_error_code krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data) .. :param: **[in]** **context** - Library context **[in]** **cksumtype** - Checksum type (0 for mandatory type) **[in]** **key** - Encryption key for a keyed checksum **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[inout]** **data** - IOV array **[in]** **num_data** - Size of *data* .. :retval: - 0 Success; otherwise - Kerberos error codes .. Create a checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element over :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` chunks in *data* . Only the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` region is modified. .. .. seealso:: :c:func:`krb5_c_verify_checksum_iov()` .. note:: This function is similar to :c:func:`krb5_k_make_checksum_iov()` , but operates on keyblock *key* . 
krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.rst.txt0000644000704600001450000000147614076311665027574 0ustar ghudsonsystemd-journalkrb5_kt_next_entry - Retrieve the next entry from the key table. ================================================================== .. .. c:function:: krb5_error_code krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, krb5_keytab_entry * entry, krb5_kt_cursor * cursor) .. :param: **[in]** **context** - Library context **[in]** **keytab** - Key table handle **[out]** **entry** - Returned key table entry **[in]** **cursor** - Key table cursor .. :retval: - 0 Success - KRB5_KT_END - if the last entry was reached :return: - Kerberos error codes .. Return the next sequential entry in *keytab* and advance *cursor* . Callers must release the returned entry with :c:func:`krb5_kt_free_entry()` . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_decrypt.rst.txt0000644000704600001450000000273614076311665026653 0ustar ghudsonsystemd-journalkrb5_c_decrypt - Decrypt data using a key (operates on keyblock). =================================================================== .. .. c:function:: krb5_error_code krb5_c_decrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output) .. :param: **[in]** **context** - Library context **[in]** **key** - Encryption key **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) **[inout]** **cipher_state** - Cipher state; specify NULL if not needed **[in]** **input** - Encrypted data **[out]** **output** - Decrypted data .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function decrypts the data block *input* and stores the output into *output* . The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. 
If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. .. .. note:: The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let :c:func:`krb5_c_decrypt()` trim *output->length* . For some enctypes, the resulting *output->length* may include padding bytes. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.rst.txt0000644000704600001450000000126614076311665030353 0ustar ghudsonsystemd-journalkrb5_c_enctype_compare - Compare two encryption types. ======================================================== .. .. c:function:: krb5_error_code krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean * similar) .. :param: **[in]** **context** - Library context **[in]** **e1** - First encryption type **[in]** **e2** - Second encryption type **[out]** **similar** - **TRUE** if types are similar, **FALSE** if not .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function determines whether two encryption types use the same kind of keys. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.rst.txt0000644000704600001450000000141314076311665026754 0ustar ghudsonsystemd-journalkrb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC. ======================================================================= .. .. c:function:: krb5_error_code krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ui_4 * nonce) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **inbuf** - AP-REP message **[out]** **nonce** - Sequence number from the decrypted reply .. :retval: - 0 Success; otherwise - Kerberos error codes .. 
This function parses, decrypts and verifies a message from *inbuf* and fills in *nonce* with a decrypted reply sequence number. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.rst.txt0000644000704600001450000000132714076311665030337 0ustar ghudsonsystemd-journalkrb5_set_kdc_send_hook - Set a KDC pre-send hook function. ============================================================ .. .. c:function:: void krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, void * data) .. :param: **[in]** **context** - Library context **[in]** **send_hook** - Hook function (or NULL to disable the hook) **[in]** **data** - Callback data to be passed to *send_hook* .. .. *send_hook* will be called before messages are sent to KDCs by library functions such as :c:func:`krb5_get_credentials()` . The hook function may inspect, override, or synthesize its own reply to the message. .. .. note:: New in 1.15 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.rst.txt0000644000704600001450000000127214076311665032006 0ustar ghudsonsystemd-journalkrb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question. ================================================================================== .. .. c:function:: krb5_error_code krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, size_t ti, const char * value, const char * pin) .. :param: **[in]** **ctx** - Library context **[in]** **rctx** - Responder context **[in]** **ti** - The index of the tokeninfo selected **[in]** **value** - The value to set, or NULL for none **[in]** **pin** - The pin to set, or NULL for none .. .. .. .. note:: New in 1.11 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.rst.txt0000644000704600001450000000134114076311665031040 0ustar ghudsonsystemd-journalkrb5_c_random_add_entropy - Add entropy to the pseudo-random number generator. 
================================================================================ .. .. c:function:: krb5_error_code krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, const krb5_data * data) .. :param: **[in]** **context** - Library context **[in]** **randsource** - Entropy source (see KRB5_RANDSOURCE types) **[in]** **data** - Data .. :retval: - 0 Success; otherwise - Kerberos error codes .. Contribute entropy to the PRNG used by krb5 crypto operations. This may or may not affect the output of the next crypto operation requiring random data. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.rst.txt0000644000704600001450000000073714076311665030531 0ustar ghudsonsystemd-journalkrb5_free_cred_contents - Free the contents of a krb5_creds structure. ======================================================================== .. .. c:function:: void krb5_free_cred_contents(krb5_context context, krb5_creds * val) .. :param: **[in]** **context** - Library context **[in]** **val** - Credential structure to free contents of .. .. This function frees the contents of *val* , but not the structure itself. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_mk_1cred.rst.txt0000644000704600001450000000173614076311665026363 0ustar ghudsonsystemd-journalkrb5_mk_1cred - Format a KRB-CRED message for a single set of credentials. ============================================================================ .. .. c:function:: krb5_error_code krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds * creds, krb5_data ** der_out, krb5_replay_data * rdata_out) .. :param: **[in]** **context** - Library context **[in]** **auth_context** - Authentication context **[in]** **creds** - Pointer to credentials **[out]** **der_out** - Encoded credentials **[out]** **rdata_out** - Replay cache data (NULL if not needed) .. 
:retval: - 0 Success - ENOMEM Insufficient memory - KRB5_RC_REQUIRED Message replay detection requires rcache parameter :return: - Kerberos error codes .. This is a convenience function that calls :c:func:`krb5_mk_ncred()` with a single set of credentials. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_dup.rst.txt0000644000704600001450000000104014076311665026150 0ustar ghudsonsystemd-journalkrb5_kt_dup - Duplicate keytab handle. ======================================== .. .. c:function:: krb5_error_code krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab * out) .. :param: **[in]** **context** - Library context **[in]** **in** - Key table handle to be duplicated **[out]** **out** - Key table handle .. .. Create a new handle referring to the same key table as *in* . The new handle and *in* can be closed independently. .. .. note:: New in 1.12 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_prompter_posix.rst.txt0000644000704600001450000000227414076311665027766 0ustar ghudsonsystemd-journalkrb5_prompter_posix - Prompt user for password. ================================================= .. .. c:function:: krb5_error_code krb5_prompter_posix(krb5_context context, void * data, const char * name, const char * banner, int num_prompts, krb5_prompt prompts) .. :param: **[in]** **context** - Library context **data** - Unused (callback argument) **[in]** **name** - Name to output during prompt **[in]** **banner** - Banner to output during prompt **[in]** **num_prompts** - Number of prompts in *prompts* **[in]** **prompts** - Array of prompts and replies .. :retval: - 0 Success :return: - Kerberos error codes .. This function is intended to be used as a prompter callback for :c:func:`krb5_get_init_creds_password()` or :c:func:`krb5_init_creds_init()` . 
Writes *name* and *banner* to stdout, each followed by a newline, then writes each prompt field in the *prompts* array, followed by":", and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.rst.txt0000644000704600001450000000161014076311665030047 0ustar ghudsonsystemd-journalkrb5_c_string_to_key - Convert a string (such a password) to a key. ===================================================================== .. .. c:function:: krb5_error_code krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, krb5_keyblock * key) .. :param: **[in]** **context** - Library context **[in]** **enctype** - Encryption type **[in]** **string** - String to be converted **[in]** **salt** - Salt value **[out]** **key** - Generated key .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function converts *string* to a *key* of encryption type *enctype* , using the specified *salt* . The newly created *key* must be released by calling :c:func:`krb5_free_keyblock_contents()` when it is no longer needed. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.rst.txt0000644000704600001450000000365114076311665030403 0ustar ghudsonsystemd-journalkrb5_verify_init_creds - Verify initial credentials against a keytab. ======================================================================= .. .. c:function:: krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds * creds, krb5_principal server, krb5_keytab keytab, krb5_ccache * ccache, krb5_verify_init_creds_opt * options) .. 
:param: **[in]** **context** - Library context **[in]** **creds** - Initial credentials to be verified **[in]** **server** - Server principal (or NULL) **[in]** **keytab** - Key table (NULL to use default keytab) **[in]** **ccache** - Credential cache for fetched creds (or NULL) **[in]** **options** - Verification options (NULL for default options) .. :retval: - 0 Success; otherwise - Kerberos error codes .. This function attempts to verify that *creds* were obtained from a KDC with knowledge of a key in *keytab* , or the default keytab if *keytab* is NULL. If *server* is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique"host"service principals in the keytab are tried. If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for *server* , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see :c:func:`krb5_verify_init_creds_opt_init()` and :c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail()` . If *ccache* is NULL, any additional credentials fetched during the verification process will be destroyed. If *ccache* points to NULL, a memory ccache will be created for the additional credentials and returned in *ccache* . If *ccache* points to a valid credential cache handle, the additional credentials will be stored in that cache. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_kt_resolve.rst.txt0000644000704600001450000000170514076311665027047 0ustar ghudsonsystemd-journalkrb5_kt_resolve - Get a handle for a key table. ================================================= .. .. c:function:: krb5_error_code krb5_kt_resolve(krb5_context context, const char * name, krb5_keytab * ktid) .. :param: **[in]** **context** - Library context **[in]** **name** - Name of the key table **[out]** **ktid** - Key table handle .. 
:retval: - 0 Success :return: - Kerberos error codes .. Resolve the key table name *name* and set *ktid* to a handle identifying the key table. Use :c:func:`krb5_kt_close()` to free *ktid* when it is no longer needed. *name* must be of the form **type:residual** , where *type* must be a type known to the library and *residual* portion should be specific to the particular keytab type. If no *type* is given, the default is **FILE** . If *name* is of type **FILE** , the keytab file is not opened by this call. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.rst.txt0000644000704600001450000000060614076311665031767 0ustar ghudsonsystemd-journalkrb5_auth_con_getremotesubkey ============================= .. .. c:function:: krb5_error_code krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) .. :param: **context** **auth_context** **keyblock** .. .. DEPRECATED Replaced by krb5_auth_con_getrecvsubkey() . .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.rst.txt0000644000704600001450000000103414076311665030505 0ustar ghudsonsystemd-journalkrb5_cccol_have_content - Check if the credential cache collection contains any credentials. ============================================================================================== .. .. c:function:: krb5_error_code krb5_cccol_have_content(krb5_context context) .. :param: **[in]** **context** - Library context .. :retval: - 0 Credentials are available in the collection - KRB5_CC_NOTFOUND The collection contains no credentials .. .. .. note:: New in 1.11 krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.rst.txt0000644000704600001450000000057014076311665030346 0ustar ghudsonsystemd-journalkrb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM. ====================================================================== .. .. c:function:: krb5_boolean krb5_is_referral_realm(const krb5_data * r) .. 
:param: **[in]** **r** - Realm to check .. :return: - TRUE if r is zero-length, FALSE otherwise .. .. krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.rst.txt0000644000704600001450000000145114076311665031756 0ustar ghudsonsystemd-journalkrb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure. =============================================================================================== .. .. c:function:: krb5_error_code krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype * etypes) .. :param: **[in]** **context** - Library context **[in]** **etypes** - Encryption type(s) to set .. :retval: - 0 Success - KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type :return: - Kerberos error codes .. This function sets the default enctype list for TGS requests made using *context* to *etypes* . .. .. note:: This overrides the default list (from config file or built-in). krb5-1.19.2/doc/html/_sources/appdev/refs/api/krb5_cc_destroy.rst.txt0000644000704600001450000000077514076311665027036 0ustar ghudsonsystemd-journalkrb5_cc_destroy - Destroy a credential cache. =============================================== .. .. c:function:: krb5_error_code krb5_cc_destroy(krb5_context context, krb5_ccache cache) .. :param: **[in]** **context** - Library context **[in]** **cache** - Credential cache handle .. :retval: - 0 Success :return: - Permission errors .. This function destroys any existing contents of *cache* and closes the handle to it. .. krb5-1.19.2/doc/html/_sources/appdev/refs/index.rst.txt0000644000704600001450000000024514076311665024303 0ustar ghudsonsystemd-journalComplete reference - API and datatypes ====================================== .. 
toctree:: :maxdepth: 1 api/index.rst types/index.rst macros/index.rst krb5-1.19.2/doc/html/_sources/appdev/refs/types/0000755000704600001450000000000014076312547022767 5ustar ghudsonsystemd-journalkrb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_keytab_entry.rst.txt0000644000704600001450000000205014076311665027757 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-keytab-entry-struct: krb5_keytab_entry ================= .. .. c:type:: krb5_keytab_entry .. A key table entry. Declaration ------------ typedef struct krb5_keytab_entry_st krb5_keytab_entry Members --------- .. c:member:: krb5_magic krb5_keytab_entry.magic .. c:member:: krb5_principal krb5_keytab_entry.principal Principal of this key. .. c:member:: krb5_timestamp krb5_keytab_entry.timestamp Time entry written to keytable. .. c:member:: krb5_kvno krb5_keytab_entry.vno Key version number. .. c:member:: krb5_keyblock krb5_keytab_entry.key The secret key. krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.rst.txt0000644000704600001450000000220014076311665030375 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-ap-rep-enc-part-struct: krb5_ap_rep_enc_part ==================== .. .. c:type:: krb5_ap_rep_enc_part .. Cleartext that is encrypted and put into :c:type:`_krb5_ap_rep` . Declaration ------------ typedef struct _krb5_ap_rep_enc_part krb5_ap_rep_enc_part Members --------- .. c:member:: krb5_magic krb5_ap_rep_enc_part.magic .. c:member:: krb5_timestamp krb5_ap_rep_enc_part.ctime Client time, seconds portion. .. c:member:: krb5_int32 krb5_ap_rep_enc_part.cusec Client time, microseconds portion. .. c:member:: krb5_keyblock * krb5_ap_rep_enc_part.subkey Subkey (optional) .. c:member:: krb5_ui_4 krb5_ap_rep_enc_part.seq_number Sequence number. krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.rst.txt0000644000704600001450000000107614076311665030363 0ustar ghudsonsystemd-journal.. highlight:: c .. 
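The entries that krb5_kt_next_entry walks and krb5_keytab_entry describes are stored on disk in a FILE keytab. As an added example that is not krb5 project code, here is a bounds-checked reader for that on-disk layout which also skips the holes left behind by deleted entries; the byte layout (0x0502 header, signed 32-bit record length, counted strings, 32-bit name type, timestamp, 8-bit kvno, keyblock, optional 32-bit kvno) is taken from the MIT krb5 sources and is assumed here rather than stated on this page, and the sample bytes and key material are constructed.

```c
/* Added example, not krb5 project code. The MIT "FILE" keytab layout used
 * here is an assumption taken from the krb5 sources; this page does not define it. */
#include <stdint.h>
#include <string.h>

#define KT_MAX_COMP 4
#define KT_MAX_KEY  64

/* Same members as krb5_keytab_entry, with the principal held as realm plus
 * name components instead of a krb5_principal. */
typedef struct {
    char     realm[64];
    char     comp[KT_MAX_COMP][64];
    uint32_t ncomp, timestamp, vno;   /* component count, write time, key version */
    uint32_t enctype, keylen;
    uint8_t  key[KT_MAX_KEY];         /* the secret key */
} kt_entry;

/* Read an n-byte big-endian unsigned field, refusing to run past 'end'. */
static int rdn(const uint8_t *b, size_t *off, size_t end, int n, uint32_t *v)
{
    if (end - *off < (size_t)n) return -1;
    for (*v = 0; n > 0; n--) *v = (*v << 8) | b[(*off)++];
    return 0;
}

/* Counted octet string: 16-bit length followed by that many bytes. */
static int rdstr(const uint8_t *b, size_t *off, size_t end, char *out, size_t cap)
{
    uint32_t n;
    if (rdn(b, off, end, 2, &n) || n >= cap || end - *off < n) return -1;
    memcpy(out, b + *off, n); out[n] = '\0'; *off += n;
    return 0;
}

/* Parse one record occupying b[*off, end). */
static int rdentry(const uint8_t *b, size_t *off, size_t end, kt_entry *e)
{
    uint32_t i, name_type, vno8, vno32;
    memset(e, 0, sizeof(*e));
    if (rdn(b, off, end, 2, &e->ncomp) || e->ncomp > KT_MAX_COMP) return -1;
    if (rdstr(b, off, end, e->realm, sizeof(e->realm))) return -1;
    for (i = 0; i < e->ncomp; i++)
        if (rdstr(b, off, end, e->comp[i], sizeof(e->comp[i]))) return -1;
    if (rdn(b, off, end, 4, &name_type) || rdn(b, off, end, 4, &e->timestamp) ||
        rdn(b, off, end, 1, &vno8) || rdn(b, off, end, 2, &e->enctype) ||
        rdn(b, off, end, 2, &e->keylen)) return -1;
    if (e->keylen > KT_MAX_KEY || end - *off < e->keylen) return -1;
    memcpy(e->key, b + *off, e->keylen); *off += e->keylen;
    e->vno = vno8;
    /* A 32-bit kvno trails the key only when the record has room for it. */
    if (end - *off >= 4 && rdn(b, off, end, 4, &vno32) == 0 && vno32 != 0)
        e->vno = vno32;
    return 0;
}

/* Walk a version-0x0502 keytab image. Returns the number of live entries
 * (only the first 'max' are stored in 'out') or -1 if the image is malformed.
 * A negative record length is a hole left by a deleted entry and is skipped. */
int kt_read_entries(const uint8_t *buf, size_t len, kt_entry *out, int max)
{
    size_t off = 2, end, skip;
    int n = 0;
    int32_t size; uint32_t raw; kt_entry e;
    if (len < 2 || buf[0] != 0x05 || buf[1] != 0x02) return -1;
    while (len - off >= 4) {
        rdn(buf, &off, len, 4, &raw);
        size = (int32_t)raw;
        skip = (size_t)(size < 0 ? -(int64_t)size : size);
        if (size == 0 || len - off < skip) return -1;
        if (size < 0) { off += skip; continue; }
        end = off + skip;
        if (rdentry(buf, &off, end, &e)) return -1;
        if (n < max) out[n] = e;
        n++; off = end;
    }
    return n;
}

/* Constructed sample (no real key material): a host entry carrying a 32-bit
 * kvno, a 5-byte hole, and a user entry with only the 8-bit kvno. */
static const char SAMPLE_KEYTAB[] =
    "\x05\x02"
    "\x00\x00\x00\x57" "\x00\x02"                 /* record length 87, 2 components */
    "\x00\x0B" "EXAMPLE.COM" "\x00\x04" "host" "\x00\x0F" "srv.example.com"
    "\x00\x00\x00\x01" "\x60\x00\x00\x00" "\x03"  /* name type, timestamp, vno8 */
    "\x00\x12" "\x00\x20" "KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK"  /* enctype 18, 32-byte key */
    "\x00\x00\x00\x03"                            /* vno32 */
    "\xFF\xFF\xFF\xFB" "xxxxx"                    /* hole: length -5 */
    "\x00\x00\x00\x32" "\x00\x01"                 /* record length 50, 1 component */
    "\x00\x0B" "EXAMPLE.COM" "\x00\x04" "user"
    "\x00\x00\x00\x01" "\x00\x00\x00\x64" "\x07"
    "\x00\x11" "\x00\x10" "0123456789abcdef";     /* enctype 17, 16-byte key */
static kt_entry sample_entries[4];

/* Parse the constructed sample into sample_entries; returns the entry count. */
int kt_read_sample(void)
{
    return kt_read_entries((const uint8_t *)SAMPLE_KEYTAB, sizeof(SAMPLE_KEYTAB) - 1, sample_entries, 4);
}
```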
.. highlight:: c

.. _krb5-gic-opt-pa-data-struct:

krb5_gic_opt_pa_data
====================

.. c:type:: krb5_gic_opt_pa_data

Generic preauth option attribute/value pairs.

Declaration
------------

typedef struct _krb5_gic_opt_pa_data krb5_gic_opt_pa_data

Members
---------

.. c:member:: char * krb5_gic_opt_pa_data.attr

.. c:member:: char * krb5_gic_opt_pa_data.value


.. highlight:: c

.. _krb5-kt-cursor-struct:

krb5_kt_cursor
==============

.. c:type:: krb5_kt_cursor

Declaration
------------

typedef krb5_pointer krb5_kt_cursor


.. highlight:: c

.. _krb5-trace-info-struct:

krb5_trace_info
===============

.. c:type:: krb5_trace_info

A wrapper for passing information to a *krb5_trace_callback*. Currently, it only contains the formatted message as determined by the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future.

Declaration
------------

typedef struct _krb5_trace_info krb5_trace_info

Members
---------

.. c:member:: const char * krb5_trace_info.message


.. highlight:: c

.. _krb5-authdatatype-struct:

krb5_authdatatype
=================

.. c:type:: krb5_authdatatype

Declaration
------------

typedef krb5_int32 krb5_authdatatype


.. highlight:: c

.. _krb5-keyusage-struct:

krb5_keyusage
=============

.. c:type:: krb5_keyusage

Declaration
------------

typedef krb5_int32 krb5_keyusage


.. highlight:: c

.. _krb5-prompter-fct-struct:

krb5_prompter_fct
=================

.. c:type:: krb5_prompter_fct

Pointer to a prompter callback function.

Declaration
------------

typedef krb5_error_code( \* krb5_prompter_fct) (krb5_context context, void \*data, const char \*name, const char \*banner, int num_prompts, krb5_prompt prompts[])


.. highlight:: c

.. _krb5-const-pointer-struct:

krb5_const_pointer
==================

.. c:type:: krb5_const_pointer

Declaration
------------

typedef void const\* krb5_const_pointer


.. highlight:: c

.. _krb5-principal-data-struct:

krb5_principal_data
===================

.. c:type:: krb5_principal_data

Declaration
------------

typedef struct krb5_principal_data krb5_principal_data

Members
---------

.. c:member:: krb5_magic krb5_principal_data.magic

.. c:member:: krb5_data krb5_principal_data.realm

.. c:member:: krb5_data * krb5_principal_data.data

    An array of strings.

.. c:member:: krb5_int32 krb5_principal_data.length

.. c:member:: krb5_int32 krb5_principal_data.type


.. highlight:: c

.. _krb5-address-struct:

krb5_address
============

.. c:type:: krb5_address

Structure for address.

Declaration
------------

typedef struct _krb5_address krb5_address

Members
---------

.. c:member:: krb5_magic krb5_address.magic

.. c:member:: krb5_addrtype krb5_address.addrtype

.. c:member:: unsigned int krb5_address.length

.. c:member:: krb5_octet * krb5_address.contents


.. highlight:: c

.. _krb5-enctype-struct:

krb5_enctype
============

.. c:type:: krb5_enctype

Declaration
------------

typedef krb5_int32 krb5_enctype


.. highlight:: c

.. _krb5-deltat-struct:

krb5_deltat
===========

.. c:type:: krb5_deltat

Declaration
------------

typedef krb5_int32 krb5_deltat


.. highlight:: c

.. _krb5-cc-cursor-struct:

krb5_cc_cursor
==============

.. c:type:: krb5_cc_cursor

Cursor for sequential lookup.

Declaration
------------

typedef krb5_pointer krb5_cc_cursor


.. highlight:: c

.. _krb5-authdata-struct:

krb5_authdata
=============

.. c:type:: krb5_authdata

Structure for auth data.

Declaration
------------

typedef struct _krb5_authdata krb5_authdata

Members
---------

.. c:member:: krb5_magic krb5_authdata.magic

.. c:member:: krb5_authdatatype krb5_authdata.ad_type

    ADTYPE.

.. c:member:: unsigned int krb5_authdata.length

    Length of data.

.. c:member:: krb5_octet * krb5_authdata.contents

    Data.


.. highlight:: c

.. _krb5-verify-init-creds-opt-struct:

krb5_verify_init_creds_opt
==========================

.. c:type:: krb5_verify_init_creds_opt
Declaration ------------ typedef struct _krb5_verify_init_creds_opt krb5_verify_init_creds_opt Members --------- .. c:member:: krb5_flags krb5_verify_init_creds_opt.flags .. c:member:: int krb5_verify_init_creds_opt.ap_req_nofail boolean krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.rst.txt0000644000704600001450000000265714076311665030064 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-cred-enc-part-struct: krb5_cred_enc_part ================== .. .. c:type:: krb5_cred_enc_part .. Cleartext credentials information. Declaration ------------ typedef struct _krb5_cred_enc_part krb5_cred_enc_part Members --------- .. c:member:: krb5_magic krb5_cred_enc_part.magic .. c:member:: krb5_int32 krb5_cred_enc_part.nonce Nonce (optional) .. c:member:: krb5_timestamp krb5_cred_enc_part.timestamp Generation time, seconds portion. .. c:member:: krb5_int32 krb5_cred_enc_part.usec Generation time, microseconds portion. .. c:member:: krb5_address * krb5_cred_enc_part.s_address Sender address (optional) .. c:member:: krb5_address * krb5_cred_enc_part.r_address Recipient address (optional) .. c:member:: krb5_cred_info ** krb5_cred_enc_part.ticket_info krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.rst.txt0000644000704600001450000000164214076311665027547 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-pre-send-fn-struct: krb5_pre_send_fn ================ .. .. c:type:: krb5_pre_send_fn .. Hook function for inspecting or modifying messages sent to KDCs. If the hook function sets *reply_out* , *message* will not be sent to the KDC, and the given reply will used instead. If the hook function sets *new_message_out* , the given message will be sent to the KDC in place of *message* . If the hook function returns successfully without setting either output, *message* will be sent to the KDC normally. 
The hook function should use :c:func:`krb5_copy_data()` to construct the value for *new_message_out* or *reply_out* , to ensure that it can be freed correctly by the library. Declaration ------------ typedef krb5_error_code( \* krb5_pre_send_fn) (krb5_context context, void \*data, const krb5_data \*realm, const krb5_data \*message, krb5_data \*\*new_message_out, krb5_data \*\*new_reply_out) krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_encrypt_block.rst.txt0000644000704600001450000000124614076311665030123 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-encrypt-block-struct: krb5_encrypt_block ================== .. .. c:type:: krb5_encrypt_block .. Declaration ------------ typedef struct _krb5_encrypt_block krb5_encrypt_block Members --------- .. c:member:: krb5_magic krb5_encrypt_block.magic .. c:member:: krb5_enctype krb5_encrypt_block.crypto_entry .. c:member:: krb5_keyblock * krb5_encrypt_block.key krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_timestamp.rst.txt0000644000704600001450000000100114076311665027255 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-timestamp-struct: krb5_timestamp ============== .. .. c:type:: krb5_timestamp .. Represents a timestamp in seconds since the POSIX epoch. This legacy type is used frequently in the ABI, but cannot represent timestamps after 2038 as a positive number. Code which uses this type should cast values of it to uint32_t so that negative values are treated as timestamps between 2038 and 2106 on platforms with 64-bit time_t. Declaration ------------ typedef krb5_int32 krb5_timestamp krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ticket_times.rst.txt0000644000704600001450000000207214076311665027747 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-ticket-times-struct: krb5_ticket_times ================= .. .. c:type:: krb5_ticket_times .. Ticket start time, end time, and renewal duration. 
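The krb5_timestamp note above matters most for the krb5_ticket_times members (authtime, starttime, endtime, renew_till), because a lifetime check that widens a post-2038 endtime with a plain cast will see a negative time_t and treat a live ticket as expired (or, in the other direction, an expired one as live). The following is an added example, not krb5 code: it re-declares krb5_timestamp with the definition this page gives instead of including krb5.h, assumes a 64-bit time_t, and uses constructed sample values and hypothetical helper names.

```c
/* Added example (not krb5 code): why krb5_timestamp values must be
 * widened through uint32_t before comparing them with a 64-bit time_t.
 * Assumption: krb5.h is not included; krb5_timestamp is re-declared
 * here with the definition the page gives (krb5_int32 = int32_t). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef int32_t krb5_timestamp;   /* as declared on this page */

/* Naive widening: a plain (time_t) cast sign-extends, so any timestamp
 * after 2038-01-19 comes out as a negative time_t, i.e. a date before 1970. */
time_t ts_to_time_naive(krb5_timestamp ts)
{
    return (time_t)ts;
}

/* Widening as the krb5_timestamp note prescribes: go through uint32_t so
 * "negative" wire values map to 2038..2106 (assumes 64-bit time_t). */
time_t ts_to_time(krb5_timestamp ts)
{
    return (time_t)(uint32_t)ts;
}

/* Hypothetical expiry checks for a krb5_ticket_times.endtime value.
 * Both treat the ticket as expired once the clock reaches endtime;
 * they differ only in how endtime is widened. */
bool ticket_expired_naive(krb5_timestamp endtime, time_t now)
{
    return ts_to_time_naive(endtime) <= now;
}

bool ticket_expired(krb5_timestamp endtime, time_t now)
{
    return ts_to_time(endtime) <= now;
}

/* Constructed sample: 2040-01-01T00:00:00Z is 2208988800 seconds after the
 * epoch (0x83AA7E80), which does not fit in a positive int32. The cast
 * reproduces the bit pattern a decoder would store in krb5_timestamp. */
krb5_timestamp sample_endtime_2040(void)
{
    return (krb5_timestamp)0x83AA7E80u;
}

int main(void)
{
    krb5_timestamp end = sample_endtime_2040();
    time_t now = 2200000000;   /* constructed clock value: autumn 2039 */

    printf("stored krb5_timestamp: %ld\n", (long)end);
    printf("naive time_t: %lld, widened time_t: %lld\n",
           (long long)ts_to_time_naive(end), (long long)ts_to_time(end));
    printf("naive says expired: %d, widened says expired: %d\n",
           ticket_expired_naive(end, now), ticket_expired(end, now));
    return 0;
}
```

For timestamps before 2038 the two widenings agree, which is why the defect stays invisible in ordinary testing; only a ticket or clock past 2038-01-19 exposes it.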
Declaration
------------

typedef struct _krb5_ticket_times krb5_ticket_times

Members
---------

.. c:member:: krb5_timestamp krb5_ticket_times.authtime

   Time at which KDC issued the initial ticket that corresponds to this ticket.

.. c:member:: krb5_timestamp krb5_ticket_times.starttime

   optional in ticket, if not present, use *authtime*

.. c:member:: krb5_timestamp krb5_ticket_times.endtime

   Ticket expiration time.

.. c:member:: krb5_timestamp krb5_ticket_times.renew_till

   Latest time at which renewal of ticket can be valid.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_kdc_req.rst.txt

.. highlight:: c

.. _krb5-kdc-req-struct:

krb5_kdc_req
============

..
.. c:type:: krb5_kdc_req
..

C representation of KDC-REQ protocol message, including KDC-REQ-BODY.

Declaration
------------

typedef struct _krb5_kdc_req krb5_kdc_req

Members
---------

.. c:member:: krb5_magic krb5_kdc_req.magic

.. c:member:: krb5_msgtype krb5_kdc_req.msg_type

   KRB5_AS_REQ or KRB5_TGS_REQ.

.. c:member:: krb5_pa_data ** krb5_kdc_req.padata

   Preauthentication data.

.. c:member:: krb5_flags krb5_kdc_req.kdc_options

   Requested options.

.. c:member:: krb5_principal krb5_kdc_req.client

   Client principal and realm.

.. c:member:: krb5_principal krb5_kdc_req.server

   Server principal and realm.

.. c:member:: krb5_timestamp krb5_kdc_req.from

   Requested start time.

.. c:member:: krb5_timestamp krb5_kdc_req.till

   Requested end time.

.. c:member:: krb5_timestamp krb5_kdc_req.rtime

   Requested renewable end time.

.. c:member:: krb5_int32 krb5_kdc_req.nonce

   Nonce to match request and response.

.. c:member:: int krb5_kdc_req.nktypes

   Number of enctypes.

.. c:member:: krb5_enctype * krb5_kdc_req.ktype

   Requested enctypes.

.. c:member:: krb5_address ** krb5_kdc_req.addresses

   Requested addresses (optional)

.. c:member:: krb5_enc_data krb5_kdc_req.authorization_data

   Encrypted authz data (optional)

.. c:member:: krb5_authdata ** krb5_kdc_req.unenc_authdata

   Unencrypted authz data.

.. c:member:: krb5_ticket ** krb5_kdc_req.second_ticket

   Second ticket array (optional)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ap_rep.rst.txt

.. highlight:: c

.. _krb5-ap-rep-struct:

krb5_ap_rep
===========

..
.. c:type:: krb5_ap_rep
..

C representation of AP-REP message.

The server's response to a client's request for mutual authentication.

Declaration
------------

typedef struct _krb5_ap_rep krb5_ap_rep

Members
---------

.. c:member:: krb5_magic krb5_ap_rep.magic

.. c:member:: krb5_enc_data krb5_ap_rep.enc_part

   Ciphertext of ApRepEncPart.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_kvno.rst.txt

.. highlight:: c

.. _krb5-kvno-struct:

krb5_kvno
=========

..
.. c:type:: krb5_kvno
..

Declaration
------------

typedef unsigned int krb5_kvno

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.rst.txt

.. highlight:: c

.. _krb5-responder-pkinit-challenge-struct:

krb5_responder_pkinit_challenge
===============================

..
.. c:type:: krb5_responder_pkinit_challenge
..

Declaration
------------

typedef struct _krb5_responder_pkinit_challenge krb5_responder_pkinit_challenge

Members
---------

.. c:member:: krb5_responder_pkinit_identity ** krb5_responder_pkinit_challenge.identities

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_fn.rst.txt

.. highlight:: c

.. _krb5-responder-fn-struct:

krb5_responder_fn
=================

..
.. c:type:: krb5_responder_fn
..

Responder function for an initial credential exchange.

If a required question is unanswered, the prompter may be called.

Declaration
------------

typedef krb5_error_code( \* krb5_responder_fn) (krb5_context ctx, void \*data, krb5_responder_context rctx)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_response.rst.txt

.. highlight:: c

.. _krb5-response-struct:

krb5_response
=============

..
.. c:type:: krb5_response
..

Declaration
------------

typedef struct _krb5_response krb5_response

Members
---------

.. c:member:: krb5_magic krb5_response.magic

.. c:member:: krb5_octet krb5_response.message_type

.. c:member:: krb5_data krb5_response.response

.. c:member:: krb5_int32 krb5_response.expected_nonce

.. c:member:: krb5_timestamp krb5_response.request_time

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_preauthtype.rst.txt

.. highlight:: c

.. _krb5-preauthtype-struct:

krb5_preauthtype
================

..
.. c:type:: krb5_preauthtype
..

Declaration
------------

typedef krb5_int32 krb5_preauthtype

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_enc_data.rst.txt

.. highlight:: c

.. _krb5-enc-data-struct:

krb5_enc_data
=============

..
.. c:type:: krb5_enc_data
..

Declaration
------------

typedef struct _krb5_enc_data krb5_enc_data

Members
---------

.. c:member:: krb5_magic krb5_enc_data.magic

.. c:member:: krb5_enctype krb5_enc_data.enctype

.. c:member:: krb5_kvno krb5_enc_data.kvno

.. c:member:: krb5_data krb5_enc_data.ciphertext

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ticket.rst.txt

.. highlight:: c

.. _krb5-ticket-struct:

krb5_ticket
===========

..
.. c:type:: krb5_ticket
..

Ticket structure.

The C representation of the ticket message, with a pointer to the C representation of the encrypted part.

Declaration
------------

typedef struct _krb5_ticket krb5_ticket

Members
---------

.. c:member:: krb5_magic krb5_ticket.magic

.. c:member:: krb5_principal krb5_ticket.server

   server name/realm

.. c:member:: krb5_enc_data krb5_ticket.enc_part

   encryption type, kvno, encrypted encoding

.. c:member:: krb5_enc_tkt_part * krb5_ticket.enc_part2

   ptr to decrypted version, if available

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cred_info.rst.txt

.. highlight:: c

.. _krb5-cred-info-struct:

krb5_cred_info
==============

..
.. c:type:: krb5_cred_info
..

Credentials information inserted into *EncKrbCredPart* .

Declaration
------------

typedef struct _krb5_cred_info krb5_cred_info

Members
---------

.. c:member:: krb5_magic krb5_cred_info.magic

.. c:member:: krb5_keyblock * krb5_cred_info.session

   Session key used to encrypt ticket.

.. c:member:: krb5_principal krb5_cred_info.client

   Client principal and realm.

.. c:member:: krb5_principal krb5_cred_info.server

   Server principal and realm.

.. c:member:: krb5_flags krb5_cred_info.flags

   Ticket flags.

.. c:member:: krb5_ticket_times krb5_cred_info.times

   Auth, start, end, renew_till.

.. c:member:: krb5_address ** krb5_cred_info.caddrs

   Array of pointers to addrs (optional)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.rst.txt

.. highlight:: c

.. _krb5-pa-server-referral-data-struct:

krb5_pa_server_referral_data
============================

..
.. c:type:: krb5_pa_server_referral_data
..

Declaration
------------

typedef struct _krb5_pa_server_referral_data krb5_pa_server_referral_data

Members
---------

.. c:member:: krb5_data * krb5_pa_server_referral_data.referred_realm

.. c:member:: krb5_principal krb5_pa_server_referral_data.true_principal_name

.. c:member:: krb5_principal krb5_pa_server_referral_data.requested_principal_name

.. c:member:: krb5_timestamp krb5_pa_server_referral_data.referral_valid_until

.. c:member:: krb5_checksum krb5_pa_server_referral_data.rep_cksum

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.rst.txt

.. highlight:: c

.. _krb5-mk-req-checksum-func-struct:

krb5_mk_req_checksum_func
=========================

..
.. c:type:: krb5_mk_req_checksum_func
..

Type of function used as a callback to generate checksum data for mk_req.

Declaration
------------

typedef krb5_error_code( \* krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context, void \*, krb5_data \*\*)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_data.rst.txt

.. highlight:: c

.. _krb5-data-struct:

krb5_data
=========

..
.. c:type:: krb5_data
..

Declaration
------------

typedef struct _krb5_data krb5_data

Members
---------

.. c:member:: krb5_magic krb5_data.magic

.. c:member:: unsigned int krb5_data.length

.. c:member:: char * krb5_data.data

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_magic.rst.txt

.. highlight:: c

.. _krb5-magic-struct:

krb5_magic
==========

..
.. c:type:: krb5_magic
..

Declaration
------------

typedef krb5_error_code krb5_magic

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_keyblock.rst.txt

.. highlight:: c

.. _krb5-keyblock-struct:

krb5_keyblock
=============

..
.. c:type:: krb5_keyblock
..

Exposed contents of a key.

Declaration
------------

typedef struct _krb5_keyblock krb5_keyblock

Members
---------

.. c:member:: krb5_magic krb5_keyblock.magic

.. c:member:: krb5_enctype krb5_keyblock.enctype

.. c:member:: unsigned int krb5_keyblock.length

.. c:member:: krb5_octet * krb5_keyblock.contents

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_keytab.rst.txt

.. highlight:: c

.. _krb5-keytab-struct:

krb5_keytab
===========

..
.. c:type:: krb5_keytab
..

Declaration
------------

typedef struct _krb5_kt\* krb5_keytab

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_int16.rst.txt

.. highlight:: c

.. _krb5-int16-struct:

krb5_int16
==========

..
.. c:type:: krb5_int16
..

Declaration
------------

typedef int16_t krb5_int16

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.rst.txt

.. highlight:: c

.. _krb5-pa-svr-referral-data-struct:

krb5_pa_svr_referral_data
=========================

..
.. c:type:: krb5_pa_svr_referral_data
..

Declaration
------------

typedef struct _krb5_pa_svr_referral_data krb5_pa_svr_referral_data

Members
---------

.. c:member:: krb5_principal krb5_pa_svr_referral_data.principal

   Referred name, only realm is required.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_init_creds_context.rst.txt

.. highlight:: c

.. _krb5-init-creds-context-struct:

krb5_init_creds_context
=======================

..
.. c:type:: krb5_init_creds_context
..

Declaration
------------

typedef struct _krb5_init_creds_context\* krb5_init_creds_context

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_prompt.rst.txt

.. highlight:: c

.. _krb5-prompt-struct:

krb5_prompt
===========

..
.. c:type:: krb5_prompt
..

Text for prompt used in prompter callback function.

Declaration
------------

typedef struct _krb5_prompt krb5_prompt

Members
---------

.. c:member:: char * krb5_prompt.prompt

   The prompt to show to the user.

.. c:member:: int krb5_prompt.hidden

   Boolean; informative prompt or hidden (e.g. PIN)

.. c:member:: krb5_data * krb5_prompt.reply

   Must be allocated before call to prompt routine.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/index.rst.txt

krb5 types and structures
=========================

Public
-------

.. toctree::
   :maxdepth: 1

   krb5_address.rst
   krb5_addrtype.rst
   krb5_ap_req.rst
   krb5_ap_rep.rst
   krb5_ap_rep_enc_part.rst
   krb5_authdata.rst
   krb5_authdatatype.rst
   krb5_authenticator.rst
   krb5_boolean.rst
   krb5_checksum.rst
   krb5_const_pointer.rst
   krb5_const_principal.rst
   krb5_cred.rst
   krb5_cred_enc_part.rst
   krb5_cred_info.rst
   krb5_creds.rst
   krb5_crypto_iov.rst
   krb5_cryptotype.rst
   krb5_data.rst
   krb5_deltat.rst
   krb5_enc_data.rst
   krb5_enc_kdc_rep_part.rst
   krb5_enc_tkt_part.rst
   krb5_encrypt_block.rst
   krb5_enctype.rst
   krb5_error.rst
   krb5_error_code.rst
   krb5_expire_callback_func.rst
   krb5_flags.rst
   krb5_get_init_creds_opt.rst
   krb5_gic_opt_pa_data.rst
   krb5_int16.rst
   krb5_int32.rst
   krb5_kdc_rep.rst
   krb5_kdc_req.rst
   krb5_keyblock.rst
   krb5_keytab_entry.rst
   krb5_keyusage.rst
   krb5_kt_cursor.rst
   krb5_kvno.rst
   krb5_last_req_entry.rst
   krb5_magic.rst
   krb5_mk_req_checksum_func.rst
   krb5_msgtype.rst
   krb5_octet.rst
   krb5_pa_pac_req.rst
   krb5_pa_server_referral_data.rst
   krb5_pa_svr_referral_data.rst
   krb5_pa_data.rst
   krb5_pointer.rst
   krb5_post_recv_fn.rst
   krb5_pre_send_fn.rst
   krb5_preauthtype.rst
   krb5_principal.rst
   krb5_principal_data.rst
   krb5_prompt.rst
   krb5_prompt_type.rst
   krb5_prompter_fct.rst
   krb5_pwd_data.rst
   krb5_responder_context.rst
   krb5_responder_fn.rst
   krb5_responder_otp_challenge.rst
   krb5_responder_otp_tokeninfo.rst
   krb5_responder_pkinit_challenge.rst
   krb5_responder_pkinit_identity.rst
   krb5_response.rst
   krb5_replay_data.rst
   krb5_ticket.rst
   krb5_ticket_times.rst
   krb5_timestamp.rst
   krb5_tkt_authent.rst
   krb5_trace_callback.rst
   krb5_trace_info.rst
   krb5_transited.rst
   krb5_typed_data.rst
   krb5_ui_2.rst
   krb5_ui_4.rst
   krb5_verify_init_creds_opt.rst
   passwd_phrase_element.rst

Internal
---------

.. toctree::
   :maxdepth: 1

   krb5_auth_context.rst
   krb5_cksumtype
   krb5_context.rst
   krb5_cc_cursor.rst
   krb5_ccache.rst
   krb5_cccol_cursor.rst
   krb5_init_creds_context.rst
   krb5_key.rst
   krb5_keytab.rst
   krb5_pac.rst
   krb5_rcache.rst
   krb5_tkt_creds_context.rst

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ap_req.rst.txt

.. highlight:: c

.. _krb5-ap-req-struct:

krb5_ap_req
===========

..
.. c:type:: krb5_ap_req
..

Authentication header.

Declaration
------------

typedef struct _krb5_ap_req krb5_ap_req

Members
---------

.. c:member:: krb5_magic krb5_ap_req.magic

.. c:member:: krb5_flags krb5_ap_req.ap_options

   Requested options.

.. c:member:: krb5_ticket * krb5_ap_req.ticket

   Ticket.

.. c:member:: krb5_enc_data krb5_ap_req.authenticator

   Encrypted authenticator.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pac.rst.txt

.. highlight:: c

.. _krb5-pac-struct:

krb5_pac
========

..
.. c:type:: krb5_pac
..

PAC data structure to convey authorization information.

Declaration
------------

typedef struct krb5_pac_data\* krb5_pac

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cryptotype.rst.txt

.. highlight:: c

.. _krb5-cryptotype-struct:

krb5_cryptotype
===============

..
.. c:type:: krb5_cryptotype
..

Declaration
------------

typedef krb5_int32 krb5_cryptotype

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_last_req_entry.rst.txt

.. highlight:: c

.. _krb5-last-req-entry-struct:

krb5_last_req_entry
===================

..
.. c:type:: krb5_last_req_entry
..

Last request entry.

Declaration
------------

typedef struct _krb5_last_req_entry krb5_last_req_entry

Members
---------

.. c:member:: krb5_magic krb5_last_req_entry.magic

.. c:member:: krb5_int32 krb5_last_req_entry.lr_type

   LR type.

.. c:member:: krb5_timestamp krb5_last_req_entry.value

   Timestamp.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.rst.txt

.. highlight:: c

.. _krb5-cccol-cursor-struct:

krb5_cccol_cursor
=================

..
.. c:type:: krb5_cccol_cursor
..

Cursor for iterating over all ccaches.

Declaration
------------

typedef struct _krb5_cccol_cursor\* krb5_cccol_cursor

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_authenticator.rst.txt

.. highlight:: c

.. _krb5-authenticator-struct:

krb5_authenticator
==================

..
.. c:type:: krb5_authenticator
..

Ticket authenticator.

The C representation of an unencrypted authenticator.

Declaration
------------

typedef struct _krb5_authenticator krb5_authenticator

Members
---------

.. c:member:: krb5_magic krb5_authenticator.magic

.. c:member:: krb5_principal krb5_authenticator.client

   client name/realm

.. c:member:: krb5_checksum * krb5_authenticator.checksum

   checksum, includes type, optional

.. c:member:: krb5_int32 krb5_authenticator.cusec

   client usec portion

.. c:member:: krb5_timestamp krb5_authenticator.ctime

   client sec portion

.. c:member:: krb5_keyblock * krb5_authenticator.subkey

   true session key, optional

.. c:member:: krb5_ui_4 krb5_authenticator.seq_number

   sequence #, optional

.. c:member:: krb5_authdata ** krb5_authenticator.authorization_data

   authorization data

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pointer.rst.txt

.. highlight:: c

.. _krb5-pointer-struct:

krb5_pointer
============

..
.. c:type:: krb5_pointer
..

Declaration
------------

typedef void\* krb5_pointer

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cksumtype.rst.txt

.. highlight:: c

.. _krb5-cksumtype-struct:

krb5_cksumtype
==============

..
.. c:type:: krb5_cksumtype
..

Declaration
------------

typedef krb5_int32 krb5_cksumtype

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_trace_callback.rst.txt

.. highlight:: c

.. _krb5-trace-callback-struct:

krb5_trace_callback
===================

..
.. c:type:: krb5_trace_callback
..

Declaration
------------

typedef void( \* krb5_trace_callback) (krb5_context context, const krb5_trace_info \*info, void \*cb_data)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_msgtype.rst.txt

.. highlight:: c

.. _krb5-msgtype-struct:

krb5_msgtype
============

..
.. c:type:: krb5_msgtype
..

Declaration
------------

typedef unsigned int krb5_msgtype

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ui_2.rst.txt

.. highlight:: c

.. _krb5-ui-2-struct:

krb5_ui_2
=========

..
.. c:type:: krb5_ui_2
..

Declaration
------------

typedef uint16_t krb5_ui_2

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pwd_data.rst.txt

.. highlight:: c

.. _krb5-pwd-data-struct:

krb5_pwd_data
=============

..
.. c:type:: krb5_pwd_data
..

Declaration
------------

typedef struct _krb5_pwd_data krb5_pwd_data

Members
---------

.. c:member:: krb5_magic krb5_pwd_data.magic

.. c:member:: int krb5_pwd_data.sequence_count

.. c:member:: passwd_phrase_element ** krb5_pwd_data.element

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pa_data.rst.txt

.. highlight:: c

.. _krb5-pa-data-struct:

krb5_pa_data
============

..
.. c:type:: krb5_pa_data
..

Pre-authentication data.

Declaration
------------

typedef struct _krb5_pa_data krb5_pa_data

Members
---------

.. c:member:: krb5_magic krb5_pa_data.magic

.. c:member:: krb5_preauthtype krb5_pa_data.pa_type

   Preauthentication data type.

.. c:member:: unsigned int krb5_pa_data.length

   Length of data.

.. c:member:: krb5_octet * krb5_pa_data.contents

   Data.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.rst.txt

.. highlight:: c

.. _krb5-get-init-creds-opt-struct:

krb5_get_init_creds_opt
=======================

..
.. c:type:: krb5_get_init_creds_opt
..

Store options for *_krb5_get_init_creds* .

Declaration
------------

typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt

Members
---------

.. c:member:: krb5_flags krb5_get_init_creds_opt.flags

.. c:member:: krb5_deltat krb5_get_init_creds_opt.tkt_life

.. c:member:: krb5_deltat krb5_get_init_creds_opt.renew_life

.. c:member:: int krb5_get_init_creds_opt.forwardable

.. c:member:: int krb5_get_init_creds_opt.proxiable

.. c:member:: krb5_enctype * krb5_get_init_creds_opt.etype_list

.. c:member:: int krb5_get_init_creds_opt.etype_list_length

.. c:member:: krb5_address ** krb5_get_init_creds_opt.address_list

.. c:member:: krb5_preauthtype * krb5_get_init_creds_opt.preauth_list

.. c:member:: int krb5_get_init_creds_opt.preauth_list_length

.. c:member:: krb5_data * krb5_get_init_creds_opt.salt

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_octet.rst.txt

.. highlight:: c

.. _krb5-octet-struct:

krb5_octet
==========

..
.. c:type:: krb5_octet
..

Declaration
------------

typedef uint8_t krb5_octet

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_replay_data.rst.txt

.. highlight:: c

.. _krb5-replay-data-struct:

krb5_replay_data
================

..
.. c:type:: krb5_replay_data
..

Replay data.

Sequence number and timestamp information output by :c:func:`krb5_rd_priv()` and :c:func:`krb5_rd_safe()` .

Declaration
------------

typedef struct krb5_replay_data krb5_replay_data

Members
---------

.. c:member:: krb5_timestamp krb5_replay_data.timestamp

   Timestamp, seconds portion.

.. c:member:: krb5_int32 krb5_replay_data.usec

   Timestamp, microseconds portion.

.. c:member:: krb5_ui_4 krb5_replay_data.seq

   Sequence number.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_addrtype.rst.txt

.. highlight:: c

.. _krb5-addrtype-struct:

krb5_addrtype
=============

..
.. c:type:: krb5_addrtype
..

Declaration
------------

typedef krb5_int32 krb5_addrtype

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_transited.rst.txt

.. highlight:: c

.. _krb5-transited-struct:

krb5_transited
==============

..
.. c:type:: krb5_transited
..

Structure for transited encoding.

Declaration
------------

typedef struct _krb5_transited krb5_transited

Members
---------

.. c:member:: krb5_magic krb5_transited.magic

.. c:member:: krb5_octet krb5_transited.tr_type

   Transited encoding type.

.. c:member:: krb5_data krb5_transited.tr_contents

   Contents.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ui_4.rst.txt

.. highlight:: c

.. _krb5-ui-4-struct:

krb5_ui_4
=========

..
.. c:type:: krb5_ui_4
..

Declaration
------------

typedef uint32_t krb5_ui_4

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.rst.txt

.. highlight:: c

.. _krb5-pa-pac-req-struct:

krb5_pa_pac_req
===============

..
.. c:type:: krb5_pa_pac_req
..

Declaration
------------

typedef struct _krb5_pa_pac_req krb5_pa_pac_req

Members
---------

.. c:member:: krb5_boolean krb5_pa_pac_req.include_pac

   TRUE if a PAC should be included in TGS-REP.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.rst.txt

.. highlight:: c

.. _krb5-post-recv-fn-struct:

krb5_post_recv_fn
=================

..
.. c:type:: krb5_post_recv_fn
..

Hook function for inspecting or overriding KDC replies.

If *code* is non-zero, KDC communication failed and *reply* should be ignored. The hook function may return *code* or a different error code, or may synthesize a reply by setting *new_reply_out* and return successfully.

The hook function should use :c:func:`krb5_copy_data()` to construct the value for *new_reply_out* , to ensure that it can be freed correctly by the library.

Declaration
------------

typedef krb5_error_code( \* krb5_post_recv_fn) (krb5_context context, void \*data, krb5_error_code code, const krb5_data \*realm, const krb5_data \*message, const krb5_data \*reply, krb5_data \*\*new_reply_out)

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_error.rst.txt

.. highlight:: c

.. _krb5-error-struct:

krb5_error
==========

..
.. c:type:: krb5_error
..

Error message structure.

Declaration
------------

typedef struct _krb5_error krb5_error

Members
---------

.. c:member:: krb5_magic krb5_error.magic

.. c:member:: krb5_timestamp krb5_error.ctime

   Client sec portion; optional.

.. c:member:: krb5_int32 krb5_error.cusec

   Client usec portion; optional.

.. c:member:: krb5_int32 krb5_error.susec

   Server usec portion.

.. c:member:: krb5_timestamp krb5_error.stime

   Server sec portion.

.. c:member:: krb5_ui_4 krb5_error.error

   Error code (protocol error #'s)

.. c:member:: krb5_principal krb5_error.client

   Client principal and realm.

.. c:member:: krb5_principal krb5_error.server

   Server principal and realm.

.. c:member:: krb5_data krb5_error.text

   Descriptive text.

.. c:member:: krb5_data krb5_error.e_data

   Additional error-describing data.

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.rst.txt

.. highlight:: c

.. _krb5-tkt-creds-context-struct:

krb5_tkt_creds_context
======================

..
.. c:type:: krb5_tkt_creds_context
..

Declaration
------------

typedef struct _krb5_tkt_creds_context\* krb5_tkt_creds_context

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_auth_context.rst.txt

.. highlight:: c

.. _krb5-auth-context-struct:

krb5_auth_context
=================

..
.. c:type:: krb5_auth_context
..

Declaration
------------

typedef struct _krb5_auth_context\* krb5_auth_context

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.rst.txt

.. highlight:: c

.. _krb5-responder-otp-challenge-struct:

krb5_responder_otp_challenge
============================

..
.. c:type:: krb5_responder_otp_challenge
..

Declaration
------------

typedef struct _krb5_responder_otp_challenge krb5_responder_otp_challenge

Members
---------

.. c:member:: char * krb5_responder_otp_challenge.service

.. c:member:: krb5_responder_otp_tokeninfo ** krb5_responder_otp_challenge.tokeninfo

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.rst.txt

.. highlight:: c

.. _krb5-responder-otp-tokeninfo-struct:

krb5_responder_otp_tokeninfo
============================

..
.. c:type:: krb5_responder_otp_tokeninfo
..

Declaration
------------

typedef struct _krb5_responder_otp_tokeninfo krb5_responder_otp_tokeninfo

Members
---------

.. c:member:: krb5_flags krb5_responder_otp_tokeninfo.flags

.. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.format

.. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.length

.. c:member:: char * krb5_responder_otp_tokeninfo.vendor

.. c:member:: char * krb5_responder_otp_tokeninfo.challenge

.. c:member:: char * krb5_responder_otp_tokeninfo.token_id

.. c:member:: char * krb5_responder_otp_tokeninfo.alg_id

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_principal.rst.txt

.. highlight:: c

.. _krb5-principal-struct:

krb5_principal
==============

..
.. c:type:: krb5_principal
..

Declaration
------------

typedef krb5_principal_data\* krb5_principal

Members
---------

.. c:member:: krb5_magic krb5_principal.magic

.. c:member:: krb5_data krb5_principal.realm

.. c:member:: krb5_data * krb5_principal.data

   An array of strings.

.. c:member:: krb5_int32 krb5_principal.length

.. c:member:: krb5_int32 krb5_principal.type

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_int32.rst.txt

.. highlight:: c

.. _krb5-int32-struct:

krb5_int32
==========

..
.. c:type:: krb5_int32
..

Declaration
------------

typedef int32_t krb5_int32

krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_creds.rst.txt

.. highlight:: c

.. _krb5-creds-struct:

krb5_creds
==========

..
.. c:type:: krb5_creds
..

Credentials structure including ticket, session key, and lifetime info.

Declaration
------------

typedef struct _krb5_creds krb5_creds

Members
---------

.. c:member:: krb5_magic krb5_creds.magic

..
c:member:: krb5_principal krb5_creds.client client's principal identifier .. c:member:: krb5_principal krb5_creds.server server's principal identifier .. c:member:: krb5_keyblock krb5_creds.keyblock session encryption key info .. c:member:: krb5_ticket_times krb5_creds.times lifetime info .. c:member:: krb5_boolean krb5_creds.is_skey true if ticket is encrypted in another ticket's skey .. c:member:: krb5_flags krb5_creds.ticket_flags flags in ticket .. c:member:: krb5_address ** krb5_creds.addresses addrs in ticket .. c:member:: krb5_data krb5_creds.ticket ticket string itself .. c:member:: krb5_data krb5_creds.second_ticket second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY) .. c:member:: krb5_authdata ** krb5_creds.authdata authorization data krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_error_code.rst.txt0000644000704600001450000000055314076311665027410 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-error-code-struct: krb5_error_code =============== .. .. c:type:: krb5_error_code .. Used to convey an operation status. The value 0 indicates success; any other values are com_err codes. Use :c:func:`krb5_get_error_message()` to obtain a string describing the error. Declaration ------------ typedef krb5_int32 krb5_error_code krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_tkt_authent.rst.txt0000644000704600001450000000151614076311665027617 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-tkt-authent-struct: krb5_tkt_authent ================ .. .. c:type:: krb5_tkt_authent .. Ticket authentication data. Declaration ------------ typedef struct _krb5_tkt_authent krb5_tkt_authent Members --------- .. c:member:: krb5_magic krb5_tkt_authent.magic .. c:member:: krb5_ticket * krb5_tkt_authent.ticket .. c:member:: krb5_authenticator * krb5_tkt_authent.authenticator .. 
c:member:: krb5_flags krb5_tkt_authent.ap_options krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_ccache.rst.txt0000644000704600001450000000025414076311665026471 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-ccache-struct: krb5_ccache =========== .. .. c:type:: krb5_ccache .. Declaration ------------ typedef struct _krb5_ccache\* krb5_ccache krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.rst.txt0000644000704600001450000000434614076311665030553 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-enc-kdc-rep-part-struct: krb5_enc_kdc_rep_part ===================== .. .. c:type:: krb5_enc_kdc_rep_part .. C representation of *EncKDCRepPart* protocol message. This is the cleartext message that is encrypted and inserted in *KDC-REP* . Declaration ------------ typedef struct _krb5_enc_kdc_rep_part krb5_enc_kdc_rep_part Members --------- .. c:member:: krb5_magic krb5_enc_kdc_rep_part.magic .. c:member:: krb5_msgtype krb5_enc_kdc_rep_part.msg_type krb5 message type .. c:member:: krb5_keyblock * krb5_enc_kdc_rep_part.session Session key. .. c:member:: krb5_last_req_entry ** krb5_enc_kdc_rep_part.last_req Array of pointers to entries. .. c:member:: krb5_int32 krb5_enc_kdc_rep_part.nonce Nonce from request. .. c:member:: krb5_timestamp krb5_enc_kdc_rep_part.key_exp Expiration date. .. c:member:: krb5_flags krb5_enc_kdc_rep_part.flags Ticket flags. .. c:member:: krb5_ticket_times krb5_enc_kdc_rep_part.times Lifetime info. .. c:member:: krb5_principal krb5_enc_kdc_rep_part.server Server's principal identifier. .. c:member:: krb5_address ** krb5_enc_kdc_rep_part.caddrs Array of ptrs to addrs, optional. .. c:member:: krb5_pa_data ** krb5_enc_kdc_rep_part.enc_padata Encrypted preauthentication data. krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_cred.rst.txt0000644000704600001450000000150014076311665026173 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-cred-struct: krb5_cred ========= .. .. c:type:: krb5_cred .. 
Credentials data structure. Declaration ------------ typedef struct _krb5_cred krb5_cred Members --------- .. c:member:: krb5_magic krb5_cred.magic .. c:member:: krb5_ticket ** krb5_cred.tickets Tickets. .. c:member:: krb5_enc_data krb5_cred.enc_part Encrypted part. .. c:member:: krb5_cred_enc_part * krb5_cred.enc_part2 Unencrypted version, if available. krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.rst.txt0000644000704600001450000000115614076311665032555 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-responder-pkinit-identity-struct: krb5_responder_pkinit_identity ============================== .. .. c:type:: krb5_responder_pkinit_identity .. Declaration ------------ typedef struct _krb5_responder_pkinit_identity krb5_responder_pkinit_identity Members --------- .. c:member:: char * krb5_responder_pkinit_identity.identity .. c:member:: krb5_int32 krb5_responder_pkinit_identity.token_flags krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.rst.txt0000644000704600001450000000055314076311665031410 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-expire-callback-func-struct: krb5_expire_callback_func ========================= .. .. c:type:: krb5_expire_callback_func .. Declaration ------------ typedef void( \* krb5_expire_callback_func) (krb5_context context, void \*data, krb5_timestamp password_expiration, krb5_timestamp account_expiration, krb5_boolean is_last_req) krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_prompt_type.rst.txt0000644000704600001450000000027214076311665027645 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-prompt-type-struct: krb5_prompt_type ================ .. .. c:type:: krb5_prompt_type .. Declaration ------------ typedef krb5_int32 krb5_prompt_type krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_boolean.rst.txt0000644000704600001450000000025014076311665026676 0ustar ghudsonsystemd-journal.. highlight:: c .. 
_krb5-boolean-struct: krb5_boolean ============ .. .. c:type:: krb5_boolean .. Declaration ------------ typedef unsigned int krb5_boolean krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_typed_data.rst.txt0000644000704600001450000000141614076311665027402 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-typed-data-struct: krb5_typed_data =============== .. .. c:type:: krb5_typed_data .. Declaration ------------ typedef struct _krb5_typed_data krb5_typed_data Members --------- .. c:member:: krb5_magic krb5_typed_data.magic .. c:member:: krb5_int32 krb5_typed_data.type .. c:member:: unsigned int krb5_typed_data.length .. c:member:: krb5_octet * krb5_typed_data.data krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_const_principal.rst.txt0000644000704600001450000000202514076311665030450 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-const-principal-struct: krb5_const_principal ==================== .. .. c:type:: krb5_const_principal .. Constant version of :c:type:`krb5_principal_data` . Declaration ------------ typedef const krb5_principal_data\* krb5_const_principal Members --------- .. c:member:: krb5_magic krb5_const_principal.magic .. c:member:: krb5_data krb5_const_principal.realm .. c:member:: krb5_data * krb5_const_principal.data An array of strings. .. c:member:: krb5_int32 krb5_const_principal.length .. c:member:: krb5_int32 krb5_const_principal.type krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_crypto_iov.rst.txt0000644000704600001450000000175614076311665027470 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-crypto-iov-struct: krb5_crypto_iov =============== .. .. c:type:: krb5_crypto_iov .. Structure to describe a region of text to be encrypted or decrypted. The *flags* member describes the type of the iov. The *data* member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's along with the size of that array. 
Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5_crypto_iov structures before calling into an iov API. Declaration ------------ typedef struct _krb5_crypto_iov krb5_crypto_iov Members --------- .. c:member:: krb5_cryptotype krb5_crypto_iov.flags :c:data:`KRB5_CRYPTO_TYPE` type of the iov .. c:member:: krb5_data krb5_crypto_iov.data krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_key.rst.txt0000644000704600001450000000065614076311665026061 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-key-struct: krb5_key ======== .. .. c:type:: krb5_key .. Opaque identifier for a key. Use with the krb5_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected. Declaration ------------ typedef struct krb5_key_st\* krb5_key krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_kdc_rep.rst.txt0000644000704600001450000000260314076311665026672 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-kdc-rep-struct: krb5_kdc_rep ============ .. .. c:type:: krb5_kdc_rep .. Representation of the *KDC-REP* protocol message. Declaration ------------ typedef struct _krb5_kdc_rep krb5_kdc_rep Members --------- .. c:member:: krb5_magic krb5_kdc_rep.magic .. c:member:: krb5_msgtype krb5_kdc_rep.msg_type KRB5_AS_REP or KRB5_KDC_REP. .. c:member:: krb5_pa_data ** krb5_kdc_rep.padata Preauthentication data from KDC. .. c:member:: krb5_principal krb5_kdc_rep.client Client principal and realm. .. c:member:: krb5_ticket * krb5_kdc_rep.ticket Ticket. .. c:member:: krb5_enc_data krb5_kdc_rep.enc_part Encrypted part of reply. .. c:member:: krb5_enc_kdc_rep_part * krb5_kdc_rep.enc_part2 Unencrypted version, if available. krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_checksum.rst.txt0000644000704600001450000000141314076311665027063 0ustar ghudsonsystemd-journal.. 
highlight:: c .. _krb5-checksum-struct: krb5_checksum ============= .. .. c:type:: krb5_checksum .. Declaration ------------ typedef struct _krb5_checksum krb5_checksum Members --------- .. c:member:: krb5_magic krb5_checksum.magic .. c:member:: krb5_cksumtype krb5_checksum.checksum_type .. c:member:: unsigned int krb5_checksum.length .. c:member:: krb5_octet * krb5_checksum.contents krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_rcache.rst.txt0000644000704600001450000000025214076311665026506 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-rcache-struct: krb5_rcache =========== .. .. c:type:: krb5_rcache .. Declaration ------------ typedef struct krb5_rc_st\* krb5_rcache krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.rst.txt0000644000704600001450000000306614076311665027744 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-enc-tkt-part-struct: krb5_enc_tkt_part ================= .. .. c:type:: krb5_enc_tkt_part .. Encrypted part of ticket. Declaration ------------ typedef struct _krb5_enc_tkt_part krb5_enc_tkt_part Members --------- .. c:member:: krb5_magic krb5_enc_tkt_part.magic .. c:member:: krb5_flags krb5_enc_tkt_part.flags flags .. c:member:: krb5_keyblock * krb5_enc_tkt_part.session session key: includes enctype .. c:member:: krb5_principal krb5_enc_tkt_part.client client name/realm .. c:member:: krb5_transited krb5_enc_tkt_part.transited list of transited realms .. c:member:: krb5_ticket_times krb5_enc_tkt_part.times auth, start, end, renew_till .. c:member:: krb5_address ** krb5_enc_tkt_part.caddrs array of ptrs to addresses .. c:member:: krb5_authdata ** krb5_enc_tkt_part.authorization_data auth data krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_flags.rst.txt0000644000704600001450000000023414076311665026355 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-flags-struct: krb5_flags ========== .. .. c:type:: krb5_flags .. 
Declaration ------------ typedef krb5_int32 krb5_flags krb5-1.19.2/doc/html/_sources/appdev/refs/types/passwd_phrase_element.rst.txt0000644000704600001450000000127214076311665030715 0ustar ghudsonsystemd-journal.. highlight:: c .. _passwd-phrase-element-struct: passwd_phrase_element ===================== .. .. c:type:: passwd_phrase_element .. Declaration ------------ typedef struct _passwd_phrase_element passwd_phrase_element Members --------- .. c:member:: krb5_magic passwd_phrase_element.magic .. c:member:: krb5_data * passwd_phrase_element.passwd .. c:member:: krb5_data * passwd_phrase_element.phrase krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_context.rst.txt0000644000704600001450000000026214076311665026746 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-context-struct: krb5_context ============ .. .. c:type:: krb5_context .. Declaration ------------ typedef struct _krb5_context\* krb5_context krb5-1.19.2/doc/html/_sources/appdev/refs/types/krb5_responder_context.rst.txt0000644000704600001450000000140314076311665031025 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-responder-context-struct: krb5_responder_context ====================== .. .. c:type:: krb5_responder_context .. A container for a set of preauthentication questions and answers. A responder context is supplied by the krb5 authentication system to a :c:type:`krb5_responder_fn` callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using :c:func:`krb5_responder_list_questions()` , retrieved using :c:func:`krb5_responder_get_challenge()` , or answered using :c:func:`krb5_responder_set_answer()` . The form of a question's challenge and answer depend on the question name. 
Declaration ------------ typedef struct krb5_responder_context_st\* krb5_responder_context krb5-1.19.2/doc/html/_sources/appdev/refs/macros/0000755000704600001450000000000014076312527023105 5ustar ghudsonsystemd-journal././@LongLink0000644000000000000000000000015600000000000011605 Lustar rootrootkrb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst.txtkrb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TR0000644000704600001450000000112114076311665032765 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-FINAL-TRY-data: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY ==================================================== .. .. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY .. This flag indicates that supplying an incorrect PIN will cause the token to lock itself. =========================================================== ====================== ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY`` ``(1 << 1)`` =========================================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.rst.txt0000644000704600001450000000037614076311665027056 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-NOTICKET-data: KRB5_TC_NOTICKET ================ .. .. data:: KRB5_TC_NOTICKET .. ======================= ====================== ``KRB5_TC_NOTICKET`` ``0x00000002`` ======================= ====================== ././@LongLink0000644000000000000000000000015600000000000011605 Lustar rootrootkrb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst.txtkrb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LO0000644000704600001450000000115714076311665033022 0ustar ghudsonsystemd-journal.. highlight:: c .. 
_KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-COUNT-LOW-data: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW ==================================================== .. .. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW .. This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. =========================================================== ====================== ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW`` ``(1 << 0)`` =========================================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.rst.txt0000644000704600001450000000035414076311665026602 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-INET6-data: ADDRTYPE_INET6 ============== .. .. data:: ADDRTYPE_INET6 .. ===================== ====================== ``ADDRTYPE_INET6`` ``0x0018`` ===================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.rst.txt0000644000704600001450000000047714076311665030165 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-SAM-REDIRECT-data: KRB5_PADATA_SAM_REDIRECT ======================== .. .. data:: KRB5_PADATA_SAM_REDIRECT .. SAM/OTP. RFC 4120 =============================== ====================== ``KRB5_PADATA_SAM_REDIRECT`` ``21`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.rst.txt0000644000704600001450000000045714076311665027524 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PAC-CLIENT-INFO-data: KRB5_PAC_CLIENT_INFO ==================== .. .. data:: KRB5_PAC_CLIENT_INFO .. Client name and ticket info. 
=========================== ====================== ``KRB5_PAC_CLIENT_INFO`` ``10`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.rst.txt0000644000704600001450000000047614076311665030224 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PAC-SERVER-CHECKSUM-data: KRB5_PAC_SERVER_CHECKSUM ======================== .. .. data:: KRB5_PAC_SERVER_CHECKSUM .. Server checksum. =============================== ====================== ``KRB5_PAC_SERVER_CHECKSUM`` ``6`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.rst.txt0000644000704600001450000000056114076311665031060 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-ENC-SANDIA-SECURID-data: KRB5_PADATA_ENC_SANDIA_SECURID ============================== .. .. data:: KRB5_PADATA_ENC_SANDIA_SECURID .. SecurId passcode. RFC 4120 ===================================== ====================== ``KRB5_PADATA_ENC_SANDIA_SECURID`` ``6`` ===================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.rst.txt0000644000704600001450000000046714076311665030375 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-LRQ-ONE-ACCT-EXPTIME-data: KRB5_LRQ_ONE_ACCT_EXPTIME ========================= .. .. data:: KRB5_LRQ_ONE_ACCT_EXPTIME .. ================================ ====================== ``KRB5_LRQ_ONE_ACCT_EXPTIME`` ``(-7)`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.rst.txt0000644000704600001450000000052214076311665031004 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTH-CONTEXT-USE-SUBKEY-data: KRB5_AUTH_CONTEXT_USE_SUBKEY ============================ .. .. data:: KRB5_AUTH_CONTEXT_USE_SUBKEY .. 
=================================== ====================== ``KRB5_AUTH_CONTEXT_USE_SUBKEY`` ``0x00000020`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst.txt0000644000704600001450000000057714076311665031767 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-FORWARDABLE-data: KRB5_GET_INIT_CREDS_OPT_FORWARDABLE =================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_FORWARDABLE .. ========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_FORWARDABLE`` ``0x0004`` ========================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst.txt0000644000704600001450000000055514076311665031047 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-PA-AS-FRESHNESS-data: KRB5_KEYUSAGE_PA_AS_FRESHNESS ============================= .. .. data:: KRB5_KEYUSAGE_PA_AS_FRESHNESS .. Used for freshness tokens. ==================================== ====================== ``KRB5_KEYUSAGE_PA_AS_FRESHNESS`` ``514`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.rst.txt0000644000704600001450000000036514076311665027017 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-NONE-data: KRB5_PADATA_NONE ================ .. .. data:: KRB5_PADATA_NONE .. ======================= ====================== ``KRB5_PADATA_NONE`` ``0`` ======================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst.txt0000644000704600001450000000075314076311665033014 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-FULL-ADDR-data: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR ========================================== .. .. 
data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR .. Generate the local network address and the local port. ================================================= ====================== ``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR`` ``0x00000004`` ================================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_x.rst.txt0000644000704600001450000000036314076311665025653 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-x-data: krb5_x ====== .. .. data:: krb5_x .. ======================== ====================== ``krb5_x (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),1))`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.rst.txt0000644000704600001450000000045314076311665030165 0ustar ghudsonsystemd-journal.. highlight:: c .. _AD-TYPE-FIELD-TYPE-MASK-data: AD_TYPE_FIELD_TYPE_MASK ======================= .. .. data:: AD_TYPE_FIELD_TYPE_MASK .. ============================== ====================== ``AD_TYPE_FIELD_TYPE_MASK`` ``0x1fff`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.rst.txt0000644000704600001450000000034714076311665026503 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TGS-NAME-data: KRB5_TGS_NAME ============= .. .. data:: KRB5_TGS_NAME .. ==================== ====================== ``KRB5_TGS_NAME`` ``"krbtgt"`` ==================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst.txt0000644000704600001450000000054614076311665031370 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-AD-KDCISSUED-CKSUM-data: KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM ================================ .. .. data:: KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM .. 
======================================= ====================== ``KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM`` ``19`` ======================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb524_init_ets.rst.txt0000644000704600001450000000037214076311665027370 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb524-init-ets-data: krb524_init_ets =============== .. .. data:: krb524_init_ets .. ========================= ====================== ``krb524_init_ets (x)`` ``(0)`` ========================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.rst.txt0000644000704600001450000000060214076311665030174 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-CRYPTO-TYPE-STREAM-data: KRB5_CRYPTO_TYPE_STREAM ======================= .. .. data:: KRB5_CRYPTO_TYPE_STREAM .. [in] entire message without decomposing the structure into header, data and trailer buffers ============================== ====================== ``KRB5_CRYPTO_TYPE_STREAM`` ``7`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.rst.txt0000644000704600001450000000040514076311665027217 0ustar ghudsonsystemd-journal.. highlight:: c .. _TKT-FLG-POSTDATED-data: TKT_FLG_POSTDATED ================= .. .. data:: TKT_FLG_POSTDATED .. ======================== ====================== ``TKT_FLG_POSTDATED`` ``0x02000000`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_princ_name.rst.txt0000644000704600001450000000045314076311665027517 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-princ-name-data: krb5_princ_name =============== .. .. data:: krb5_princ_name .. 
====================================== ======================
``krb5_princ_name (context, princ)``   ``(princ)->data``
====================================== ======================

.. highlight:: c

.. _KRB5-PADATA-TGS-REQ-data:

KRB5_PADATA_TGS_REQ
===================

.. data:: KRB5_PADATA_TGS_REQ

========================== ======================
``KRB5_PADATA_TGS_REQ``    ``KRB5_PADATA_AP_REQ``
========================== ======================

.. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-LOCKED-data:

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED
=================================================

.. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED

This flag indicates that the user PIN is locked, and you can't log in to the token with it.

======================================================== ======================
``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED``    ``(1 << 2)``
======================================================== ======================

.. _TKT-FLG-MAY-POSTDATE-data:

TKT_FLG_MAY_POSTDATE
====================

.. data:: TKT_FLG_MAY_POSTDATE

=========================== ======================
``TKT_FLG_MAY_POSTDATE``    ``0x04000000``
=========================== ======================

.. _TKT-FLG-PRE-AUTH-data:

TKT_FLG_PRE_AUTH
================

.. data:: TKT_FLG_PRE_AUTH

======================= ======================
``TKT_FLG_PRE_AUTH``    ``0x00200000``
======================= ======================

.. _KRB5-PADATA-OSF-DCE-data:

KRB5_PADATA_OSF_DCE
===================

.. data:: KRB5_PADATA_OSF_DCE

OSF DCE. RFC 4120

========================== ======================
``KRB5_PADATA_OSF_DCE``    ``8``
========================== ======================

.. _KRB5-KEYUSAGE-AP-REP-ENCPART-data:

KRB5_KEYUSAGE_AP_REP_ENCPART
============================

.. data:: KRB5_KEYUSAGE_AP_REP_ENCPART

=================================== ======================
``KRB5_KEYUSAGE_AP_REP_ENCPART``    ``12``
=================================== ======================

.. _KRB5-PRINCIPAL-PARSE-NO-REALM-data:

KRB5_PRINCIPAL_PARSE_NO_REALM
=============================

.. data:: KRB5_PRINCIPAL_PARSE_NO_REALM

Error if realm is present.

==================================== ======================
``KRB5_PRINCIPAL_PARSE_NO_REALM``    ``0x1``
==================================== ======================

.. _CKSUMTYPE-MD5-HMAC-ARCFOUR-data:

CKSUMTYPE_MD5_HMAC_ARCFOUR
==========================

.. data:: CKSUMTYPE_MD5_HMAC_ARCFOUR

================================= ======================
``CKSUMTYPE_MD5_HMAC_ARCFOUR``    ``-137 /* Microsoft netlogon */``
================================= ======================

.. _KRB5-PADATA-SAM-RESPONSE-2-data:

KRB5_PADATA_SAM_RESPONSE_2
==========================

.. data:: KRB5_PADATA_SAM_RESPONSE_2

draft challenge system, updated

================================= ======================
``KRB5_PADATA_SAM_RESPONSE_2``    ``31``
================================= ======================

.. _KRB5-PADATA-SESAME-data:

KRB5_PADATA_SESAME
==================

.. data:: KRB5_PADATA_SESAME

Sesame project. RFC 4120

========================= ======================
``KRB5_PADATA_SESAME``    ``7``
========================= ======================

.. _krb5-roundup-data:

krb5_roundup
============

.. data:: krb5_roundup

========================= ======================
``krb5_roundup (x, y)``   ``((((x) + (y) - 1)/(y))*(y))``
========================= ======================

.. _KRB5-KPASSWD-BAD-VERSION-data:

KRB5_KPASSWD_BAD_VERSION
========================

.. data:: KRB5_KPASSWD_BAD_VERSION

Unknown RPC version.

=============================== ======================
``KRB5_KPASSWD_BAD_VERSION``    ``6``
=============================== ======================

.. _KRB5-KEYUSAGE-FAST-FINISHED-data:

KRB5_KEYUSAGE_FAST_FINISHED
===========================

.. data:: KRB5_KEYUSAGE_FAST_FINISHED

================================== ======================
``KRB5_KEYUSAGE_FAST_FINISHED``    ``53``
================================== ======================

.. _VALID-UINT-BITS-data:

VALID_UINT_BITS
===============

.. data:: VALID_UINT_BITS

====================== ======================
``VALID_UINT_BITS``    ``UINT_MAX``
====================== ======================

.. _KRB5-TC-MATCH-KTYPE-data:

KRB5_TC_MATCH_KTYPE
===================

.. data:: KRB5_TC_MATCH_KTYPE

The encryption key type must match.

========================== ======================
``KRB5_TC_MATCH_KTYPE``    ``0x00000100``
========================== ======================

.. _KRB5-NT-SMTP-NAME-data:

KRB5_NT_SMTP_NAME
=================

.. data:: KRB5_NT_SMTP_NAME

Name in form of SMTP email name.

======================== ======================
``KRB5_NT_SMTP_NAME``    ``7``
======================== ======================

.. _KDC-OPT-PROXY-data:

KDC_OPT_PROXY
=============

.. data:: KDC_OPT_PROXY

==================== ======================
``KDC_OPT_PROXY``    ``0x08000000``
==================== ======================

.. _krb5-princ-size-data:

krb5_princ_size
===============

.. data:: krb5_princ_size

====================================== ======================
``krb5_princ_size (context, princ)``   ``(princ)->length``
====================================== ======================

.. _KRB5-RESPONDER-QUESTION-PKINIT-data:

KRB5_RESPONDER_QUESTION_PKINIT
==============================

.. data:: KRB5_RESPONDER_QUESTION_PKINIT

PKINIT responder question.

The PKINIT responder question is asked when the client needs a password that's being used to protect key information, and is formatted as a JSON object. A specific identity's flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on.

::

    {
        identity : flags,
        ...
    }

The answer to the question MUST be JSON formatted:

::

    {
        identity : password,
        ...
    }

===================================== ======================
``KRB5_RESPONDER_QUESTION_PKINIT``    ``"pkinit"``
===================================== ======================

.. _KRB5-AUTHDATA-WIN2K-PAC-data:

KRB5_AUTHDATA_WIN2K_PAC
=======================

.. data:: KRB5_AUTHDATA_WIN2K_PAC

============================== ======================
``KRB5_AUTHDATA_WIN2K_PAC``    ``128``
============================== ======================

.. _KRB5-KEYUSAGE-GSS-TOK-MIC-data:

KRB5_KEYUSAGE_GSS_TOK_MIC
=========================

.. data:: KRB5_KEYUSAGE_GSS_TOK_MIC

================================ ======================
``KRB5_KEYUSAGE_GSS_TOK_MIC``    ``22``
================================ ======================

.. _KRB5-PRINCIPAL-UNPARSE-DISPLAY-data:

KRB5_PRINCIPAL_UNPARSE_DISPLAY
==============================

.. data:: KRB5_PRINCIPAL_UNPARSE_DISPLAY

Don't escape special characters.
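The PKINIT responder exchange described above, as an added example that is not part of the krb5 documentation or project code. In a real application the question string is fetched inside the responder callback with ``krb5_responder_get_challenge`` and the answer returned with ``krb5_responder_set_answer``; this example reduces the flow to the part an application actually has to get right: parsing the ``identity : flags`` object, honouring the flag bits, and building the ``identity : password`` answer. ``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED`` is taken from this page; the two lower flag bits (``..._PIN_COUNT_LOW``, ``..._PIN_FINAL_TRY``) are assumed from krb5.h and are not documented on this page. The identity strings, the PIN store and the "skip final-try tokens unless told otherwise" policy are constructed for the example.

```python
"""Added example (not krb5 project code): handle the "pkinit" responder
question.  Question/answer shapes follow the page: question is a JSON
object identity -> flags, answer is a JSON object identity -> password.
"""
import json

KRB5_RESPONDER_QUESTION_PKINIT = "pkinit"                    # page
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED = 1 << 2   # page
# Assumed from krb5.h; not documented on this page.
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW = 1 << 0
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY = 1 << 1


def parse_pkinit_question(challenge: str) -> dict:
    """Parse the question JSON into {identity: flags}.

    The page says more flag bits may be added later, so unknown bits are
    tolerated; but a non-object, a non-string identity, or a flags value
    that is not a non-negative integer is rejected rather than guessed at.
    """
    obj = json.loads(challenge)
    if not isinstance(obj, dict):
        raise ValueError("pkinit question must be a JSON object")
    result = {}
    for identity, flags in obj.items():
        if (not isinstance(identity, str) or isinstance(flags, bool)
                or not isinstance(flags, int) or flags < 0):
            raise ValueError("bad identity/flags entry: %r" % (identity,))
        result[identity] = flags
    return result


def is_valid_pkinit_question(challenge: str) -> bool:
    """True if parse_pkinit_question() would accept the string."""
    try:
        parse_pkinit_question(challenge)
    except ValueError:
        return False
    return True


def answer_pkinit_question(challenge: str, pin_store: dict,
                           final_try_ok: bool = False) -> dict:
    """Decide which identities to answer and with what.

    Policy of this example (an assumption, not library behaviour):
      - PIN_LOCKED set: never answer; the page says the PIN can't log in.
      - PIN_FINAL_TRY set: answer only if the caller opted in, so an
        automated supplier with a possibly stale PIN cannot lock the token.
      - no stored PIN: leave the identity out so the library can prompt.
    """
    answer = {}
    for identity, flags in parse_pkinit_question(challenge).items():
        if flags & KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:
            continue
        if (flags & KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY
                and not final_try_ok):
            continue
        pin = pin_store.get(identity)
        if pin is not None:
            answer[identity] = pin
    return answer


def encode_pkinit_answer(answer: dict) -> str:
    """Serialise the answer in the JSON form the page requires."""
    return json.dumps(answer)


# Constructed sample question: slot 0 is usable, slot 1 is locked (4 =
# PIN_LOCKED), slot 2 is on its final try (2 = PIN_FINAL_TRY).
SAMPLE_QUESTION = ('{"PKCS11:slotid=0": 0, '
                   '"PKCS11:slotid=1": 4, '
                   '"PKCS11:slotid=2": 2}')
# Constructed PIN store standing in for wherever a real responder gets PINs.
SAMPLE_PINS = {"PKCS11:slotid=0": "123456",
               "PKCS11:slotid=1": "000000",
               "PKCS11:slotid=2": "654321"}

if __name__ == "__main__":
    print(encode_pkinit_answer(answer_pkinit_question(SAMPLE_QUESTION, SAMPLE_PINS)))
```

Run stand-alone it prints an answer containing only slot 0: the locked token is never answered and the final-try token is held back unless ``final_try_ok=True`` is passed.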
===================================== ======================
``KRB5_PRINCIPAL_UNPARSE_DISPLAY``    ``0x4``
===================================== ======================

.. _CKSUMTYPE-CMAC-CAMELLIA128-data:

CKSUMTYPE_CMAC_CAMELLIA128
==========================

.. data:: CKSUMTYPE_CMAC_CAMELLIA128

RFC 6803.

================================= ======================
``CKSUMTYPE_CMAC_CAMELLIA128``    ``0x0011``
================================= ======================

.. _KRB5-LRQ-ONE-PW-EXPTIME-data:

KRB5_LRQ_ONE_PW_EXPTIME
=======================

.. data:: KRB5_LRQ_ONE_PW_EXPTIME

============================== ======================
``KRB5_LRQ_ONE_PW_EXPTIME``    ``(-6)``
============================== ======================

.. _KRB5-LRQ-NONE-data:

KRB5_LRQ_NONE
=============

.. data:: KRB5_LRQ_NONE

==================== ======================
``KRB5_LRQ_NONE``    ``0``
==================== ======================

.. _KRB5-PADATA-PK-AS-REQ-OLD-data:

KRB5_PADATA_PK_AS_REQ_OLD
=========================

.. data:: KRB5_PADATA_PK_AS_REQ_OLD

PKINIT.

================================ ======================
``KRB5_PADATA_PK_AS_REQ_OLD``    ``14``
================================ ======================

.. _ENCTYPE-SHA1-RSA-CMS-data:

ENCTYPE_SHA1_RSA_CMS
====================

.. data:: ENCTYPE_SHA1_RSA_CMS

SHA1 with RSA, CMS signature.

=========================== ======================
``ENCTYPE_SHA1_RSA_CMS``    ``0x000b``
=========================== ======================

.. _KRB5-AUTHDATA-INITIAL-VERIFIED-CAS-data:

KRB5_AUTHDATA_INITIAL_VERIFIED_CAS
==================================

.. data:: KRB5_AUTHDATA_INITIAL_VERIFIED_CAS

========================================= ======================
``KRB5_AUTHDATA_INITIAL_VERIFIED_CAS``    ``9``
========================================= ======================

.. _AP-OPTS-USE-SUBKEY-data:

AP_OPTS_USE_SUBKEY
==================

.. data:: AP_OPTS_USE_SUBKEY

Generate a subsession key from the current session key obtained from the credentials.

========================= ======================
``AP_OPTS_USE_SUBKEY``    ``0x00000001``
========================= ======================

.. _KRB5-INIT-CONTEXT-SECURE-data:

KRB5_INIT_CONTEXT_SECURE
========================

.. data:: KRB5_INIT_CONTEXT_SECURE

Use secure context configuration.

=============================== ======================
``KRB5_INIT_CONTEXT_SECURE``    ``0x1``
=============================== ======================

.. _KDC-OPT-RENEWABLE-data:

KDC_OPT_RENEWABLE
=================

.. data:: KDC_OPT_RENEWABLE

======================== ======================
``KDC_OPT_RENEWABLE``    ``0x00800000``
======================== ======================

.. _CKSUMTYPE-RSA-MD4-DES-data:

CKSUMTYPE_RSA_MD4_DES
=====================

.. data:: CKSUMTYPE_RSA_MD4_DES

============================ ======================
``CKSUMTYPE_RSA_MD4_DES``    ``0x0003``
============================ ======================

.. _KRB5-KEYUSAGE-PA-SAM-RESPONSE-data:

KRB5_KEYUSAGE_PA_SAM_RESPONSE
=============================

.. data:: KRB5_KEYUSAGE_PA_SAM_RESPONSE

Note conflict with :c:data:`KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY`.

==================================== ======================
``KRB5_KEYUSAGE_PA_SAM_RESPONSE``    ``27``
==================================== ======================

.. _VALID-INT-BITS-data:

VALID_INT_BITS
==============

.. data:: VALID_INT_BITS

===================== ======================
``VALID_INT_BITS``    ``INT_MAX``
===================== ======================

.. _KRB5-CRYPTO-TYPE-PADDING-data:

KRB5_CRYPTO_TYPE_PADDING
========================

.. data:: KRB5_CRYPTO_TYPE_PADDING

[out] padding

=============================== ======================
``KRB5_CRYPTO_TYPE_PADDING``    ``4``
=============================== ======================

.. _CKSUMTYPE-HMAC-SHA384-192-AES256-data:

CKSUMTYPE_HMAC_SHA384_192_AES256
================================

.. data:: CKSUMTYPE_HMAC_SHA384_192_AES256

RFC 8009.

======================================= ======================
``CKSUMTYPE_HMAC_SHA384_192_AES256``    ``0x0014``
======================================= ======================

.. _KRB5-KEYUSAGE-GSS-TOK-WRAP-PRIV-data:

KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV
===============================

.. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV

====================================== ======================
``KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV``    ``24``
====================================== ======================

.. _KRB5-TGS-REP-data:

KRB5_TGS_REP
============

.. data:: KRB5_TGS_REP

Response to TGS request.

=================== ======================
``KRB5_TGS_REP``    ``((krb5_msgtype)13)``
=================== ======================

.. _ENCTYPE-DES3-CBC-SHA-data:

ENCTYPE_DES3_CBC_SHA
====================

.. data:: ENCTYPE_DES3_CBC_SHA

=========================== ======================
``ENCTYPE_DES3_CBC_SHA``    ``0x0005``
=========================== ======================

.. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REPLY-data:

KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY
====================================

.. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY

Note conflict with :c:data:`KRB5_KEYUSAGE_PA_SAM_RESPONSE`.

=========================================== ======================
``KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY``    ``27``
=========================================== ======================

.. _KRB5-KEYUSAGE-KRB-PRIV-ENCPART-data:

KRB5_KEYUSAGE_KRB_PRIV_ENCPART
==============================

.. data:: KRB5_KEYUSAGE_KRB_PRIV_ENCPART

===================================== ======================
``KRB5_KEYUSAGE_KRB_PRIV_ENCPART``    ``13``
===================================== ======================

.. _KRB5-GET-INIT-CREDS-OPT-PREAUTH-LIST-data:

KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST
====================================

.. data:: KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST

=========================================== ======================
``KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST``    ``0x0040``
=========================================== ======================

.. _KDC-OPT-POSTDATED-data:

KDC_OPT_POSTDATED
=================

.. data:: KDC_OPT_POSTDATED

======================== ======================
``KDC_OPT_POSTDATED``    ``0x02000000``
======================== ======================

.. _ADDRTYPE-ADDRPORT-data:

ADDRTYPE_ADDRPORT
=================

.. data:: ADDRTYPE_ADDRPORT

======================== ======================
``ADDRTYPE_ADDRPORT``    ``0x0100``
======================== ======================

.. _KRB5-PADATA-AFS3-SALT-data:

KRB5_PADATA_AFS3_SALT
=====================

.. data:: KRB5_PADATA_AFS3_SALT

Cygnus. RFC 4120, 3961

============================ ======================
``KRB5_PADATA_AFS3_SALT``    ``10``
============================ ======================

.. _TKT-FLG-PROXY-data:

TKT_FLG_PROXY
=============

.. data:: TKT_FLG_PROXY

==================== ======================
``TKT_FLG_PROXY``    ``0x08000000``
==================== ======================

.. _KRB5-PRINCIPAL-COMPARE-IGNORE-REALM-data:

KRB5_PRINCIPAL_COMPARE_IGNORE_REALM
===================================

.. data:: KRB5_PRINCIPAL_COMPARE_IGNORE_REALM

ignore realm component

========================================== ======================
``KRB5_PRINCIPAL_COMPARE_IGNORE_REALM``    ``1``
========================================== ======================

.. _TKT-FLG-INVALID-data:

TKT_FLG_INVALID
===============

.. data:: TKT_FLG_INVALID

====================== ======================
``TKT_FLG_INVALID``    ``0x01000000``
====================== ======================

.. _CKSUMTYPE-RSA-MD4-data:

CKSUMTYPE_RSA_MD4
=================

.. data:: CKSUMTYPE_RSA_MD4

======================== ======================
``CKSUMTYPE_RSA_MD4``    ``0x0002``
======================== ======================

.. _ADDRTYPE-IS-LOCAL-data:

ADDRTYPE_IS_LOCAL
=================

.. data:: ADDRTYPE_IS_LOCAL

================================== ======================
``ADDRTYPE_IS_LOCAL (addrtype)``   ``(addrtype & 0x8000)``
================================== ======================

.. _KRB5-KEYUSAGE-TGS-REQ-AUTH-CKSUM-data:

KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM
================================

.. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM

======================================= ======================
``KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM``    ``6``
======================================= ======================

.. _KRB5-LRQ-ALL-LAST-TGT-ISSUED-data:

KRB5_LRQ_ALL_LAST_TGT_ISSUED
============================

.. data:: KRB5_LRQ_ALL_LAST_TGT_ISSUED

=================================== ======================
``KRB5_LRQ_ALL_LAST_TGT_ISSUED``    ``3``
=================================== ======================

.. _KRB5-INT16-MAX-data:

KRB5_INT16_MAX
==============

.. data:: KRB5_INT16_MAX

===================== ======================
``KRB5_INT16_MAX``    ``65535``
===================== ======================

.. _KRB5-SAM-MUST-PK-ENCRYPT-SAD-data:

KRB5_SAM_MUST_PK_ENCRYPT_SAD
============================

.. data:: KRB5_SAM_MUST_PK_ENCRYPT_SAD

currently must be zero

=================================== ======================
``KRB5_SAM_MUST_PK_ENCRYPT_SAD``    ``0x20000000``
=================================== ======================

.. _KRB5-PADATA-GET-FROM-TYPED-DATA-data:

KRB5_PADATA_GET_FROM_TYPED_DATA
===============================

.. data:: KRB5_PADATA_GET_FROM_TYPED_DATA

Embedded in typed data. RFC 4120

====================================== ======================
``KRB5_PADATA_GET_FROM_TYPED_DATA``    ``22``
====================================== ======================

.. _KRB5-AUTH-CONTEXT-DO-SEQUENCE-data:

KRB5_AUTH_CONTEXT_DO_SEQUENCE
=============================

.. data:: KRB5_AUTH_CONTEXT_DO_SEQUENCE

Prevent replays with sequence numbers.

==================================== ======================
``KRB5_AUTH_CONTEXT_DO_SEQUENCE``    ``0x00000004``
==================================== ======================

.. _KRB5-AUTHDATA-ETYPE-NEGOTIATION-data:

KRB5_AUTHDATA_ETYPE_NEGOTIATION
===============================

.. data:: KRB5_AUTHDATA_ETYPE_NEGOTIATION

RFC 4537.

====================================== ======================
``KRB5_AUTHDATA_ETYPE_NEGOTIATION``    ``129``
====================================== ======================

.. _CKSUMTYPE-CMAC-CAMELLIA256-data:

CKSUMTYPE_CMAC_CAMELLIA256
==========================

.. data:: CKSUMTYPE_CMAC_CAMELLIA256

RFC 6803.

================================= ======================
``CKSUMTYPE_CMAC_CAMELLIA256``    ``0x0012``
================================= ======================

.. _KRB5-PADATA-USE-SPECIFIED-KVNO-data:

KRB5_PADATA_USE_SPECIFIED_KVNO
==============================

.. data:: KRB5_PADATA_USE_SPECIFIED_KVNO

RFC 4120.

===================================== ======================
``KRB5_PADATA_USE_SPECIFIED_KVNO``    ``20``
===================================== ======================

.. _KRB5-PADATA-FX-ERROR-data:

KRB5_PADATA_FX_ERROR
====================

.. data:: KRB5_PADATA_FX_ERROR

RFC 6113.

=========================== ======================
``KRB5_PADATA_FX_ERROR``    ``137``
=========================== ======================

.. _KRB5-GC-NO-STORE-data:

KRB5_GC_NO_STORE
================

.. data:: KRB5_GC_NO_STORE

Do not store in credential cache.

======================= ======================
``KRB5_GC_NO_STORE``    ``8``
======================= ======================

.. _AD-TYPE-RESERVED-data:

AD_TYPE_RESERVED
================

.. data:: AD_TYPE_RESERVED

======================= ======================
``AD_TYPE_RESERVED``    ``0x8000``
======================= ======================

.. _KDC-OPT-REQUEST-ANONYMOUS-data:

KDC_OPT_REQUEST_ANONYMOUS
=========================

.. data:: KDC_OPT_REQUEST_ANONYMOUS

================================ ======================
``KDC_OPT_REQUEST_ANONYMOUS``    ``0x00008000``
================================ ======================

.. _KRB5-AP-REQ-data:

KRB5_AP_REQ
===========

.. data:: KRB5_AP_REQ

Auth req to application server.

================== ======================
``KRB5_AP_REQ``    ``((krb5_msgtype)14)``
================== ======================

.. _ENCTYPE-NULL-data:

ENCTYPE_NULL
============

.. data:: ENCTYPE_NULL

=================== ======================
``ENCTYPE_NULL``    ``0x0000``
=================== ======================

.. _KRB5-KEYUSAGE-APP-DATA-CKSUM-data:

KRB5_KEYUSAGE_APP_DATA_CKSUM
============================

.. data:: KRB5_KEYUSAGE_APP_DATA_CKSUM

=================================== ======================
``KRB5_KEYUSAGE_APP_DATA_CKSUM``    ``17``
=================================== ======================

.. _KRB5-NT-PRINCIPAL-data:

KRB5_NT_PRINCIPAL
=================

.. data:: KRB5_NT_PRINCIPAL

Just the name of the principal as in DCE, or for users.

======================== ======================
``KRB5_NT_PRINCIPAL``    ``1``
======================== ======================

.. _KRB5-CRYPTO-TYPE-CHECKSUM-data:

KRB5_CRYPTO_TYPE_CHECKSUM
=========================

.. data:: KRB5_CRYPTO_TYPE_CHECKSUM

[out] checksum for MIC

================================ ======================
``KRB5_CRYPTO_TYPE_CHECKSUM``    ``6``
================================ ======================

.. _krb5-princ-set-realm-length-data:

krb5_princ_set_realm_length
===========================

.. data:: krb5_princ_set_realm_length

========================================================= ======================
``krb5_princ_set_realm_length (context, princ, value)``   ``(princ)->realm.length = (value)``
========================================================= ======================

.. _SALT-TYPE-AFS-LENGTH-data:

SALT_TYPE_AFS_LENGTH
====================

.. data:: SALT_TYPE_AFS_LENGTH

=========================== ======================
``SALT_TYPE_AFS_LENGTH``    ``UINT_MAX``
=========================== ======================

.. _KRB5-AP-REP-data:

KRB5_AP_REP
===========

.. data:: KRB5_AP_REP

Response to mutual AP request.

================== ======================
``KRB5_AP_REP``    ``((krb5_msgtype)15)``
================== ======================

.. _KDC-OPT-ALLOW-POSTDATE-data:

KDC_OPT_ALLOW_POSTDATE
======================

.. data:: KDC_OPT_ALLOW_POSTDATE

============================= ======================
``KDC_OPT_ALLOW_POSTDATE``    ``0x04000000``
============================= ======================

.. _KRB5-KEYUSAGE-AS-REQ-PA-ENC-TS-data:

KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS
==============================

.. data:: KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS

===================================== ======================
``KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS``    ``1``
===================================== ======================

.. _KRB5-PADATA-AP-REQ-data:

KRB5_PADATA_AP_REQ
==================

.. data:: KRB5_PADATA_AP_REQ

========================= ======================
``KRB5_PADATA_AP_REQ``    ``1``
========================= ======================

.. _ENCTYPE-CAMELLIA128-CTS-CMAC-data:

ENCTYPE_CAMELLIA128_CTS_CMAC
============================

.. data:: ENCTYPE_CAMELLIA128_CTS_CMAC

RFC 6803.

=================================== ======================
``ENCTYPE_CAMELLIA128_CTS_CMAC``    ``0x0019``
=================================== ======================

.. _KRB5-KPASSWD-SUCCESS-data:

KRB5_KPASSWD_SUCCESS
====================

.. data:: KRB5_KPASSWD_SUCCESS

Success.

=========================== ======================
``KRB5_KPASSWD_SUCCESS``    ``0``
=========================== ======================

.. _KRB5-KEYUSAGE-APP-DATA-ENCRYPT-data:

KRB5_KEYUSAGE_APP_DATA_ENCRYPT
==============================

.. data:: KRB5_KEYUSAGE_APP_DATA_ENCRYPT

===================================== ======================
``KRB5_KEYUSAGE_APP_DATA_ENCRYPT``    ``16``
===================================== ======================

.. _krb5-princ-set-realm-data:

krb5_princ_set_realm
====================

.. data:: krb5_princ_set_realm

================================================== ======================
``krb5_princ_set_realm (context, princ, value)``   ``((princ)->realm = *(value))``
================================================== ======================

.. _ENCTYPE-CAMELLIA256-CTS-CMAC-data:

ENCTYPE_CAMELLIA256_CTS_CMAC
============================

.. data:: ENCTYPE_CAMELLIA256_CTS_CMAC

RFC 6803.

=================================== ======================
``ENCTYPE_CAMELLIA256_CTS_CMAC``    ``0x001a``
=================================== ======================

.. _KRB5-PROMPT-TYPE-PASSWORD-data:

KRB5_PROMPT_TYPE_PASSWORD
=========================

.. data:: KRB5_PROMPT_TYPE_PASSWORD

Prompt for password.

================================ ======================
``KRB5_PROMPT_TYPE_PASSWORD``    ``0x1``
================================ ======================

.. _KRB5-PAC-CREDENTIALS-INFO-data:

KRB5_PAC_CREDENTIALS_INFO
=========================

.. data:: KRB5_PAC_CREDENTIALS_INFO

Credentials information.

================================ ======================
``KRB5_PAC_CREDENTIALS_INFO``    ``2``
================================ ======================

.. _KRB5-PADATA-SAM-CHALLENGE-2-data:

KRB5_PADATA_SAM_CHALLENGE_2
===========================

.. data:: KRB5_PADATA_SAM_CHALLENGE_2

draft challenge system, updated

================================== ======================
``KRB5_PADATA_SAM_CHALLENGE_2``    ``30``
================================== ======================

.. _KRB5-KEYUSAGE-AD-SIGNEDPATH-data:

KRB5_KEYUSAGE_AD_SIGNEDPATH
===========================

.. data:: KRB5_KEYUSAGE_AD_SIGNEDPATH

================================== ======================
``KRB5_KEYUSAGE_AD_SIGNEDPATH``    ``-21``
================================== ======================

.. _KDC-TKT-COMMON-MASK-data:

KDC_TKT_COMMON_MASK
===================

.. data:: KDC_TKT_COMMON_MASK

========================== ======================
``KDC_TKT_COMMON_MASK``    ``0x54800000``
========================== ======================

.. _TKT-FLG-FORWARDABLE-data:

TKT_FLG_FORWARDABLE
===================

.. data:: TKT_FLG_FORWARDABLE

========================== ======================
``TKT_FLG_FORWARDABLE``    ``0x40000000``
========================== ======================

.. _KRB5-KPASSWD-ACCESSDENIED-data:

KRB5_KPASSWD_ACCESSDENIED
=========================

.. data:: KRB5_KPASSWD_ACCESSDENIED

Not authorized.

================================ ======================
``KRB5_KPASSWD_ACCESSDENIED``    ``5``
================================ ======================

.. _CKSUMTYPE-HMAC-SHA1-DES3-data:

CKSUMTYPE_HMAC_SHA1_DES3
========================

.. data:: CKSUMTYPE_HMAC_SHA1_DES3
=============================== ====================== ``CKSUMTYPE_HMAC_SHA1_DES3`` ``0x000c`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.rst.txt0000644000704600001450000000046414076311665030361 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-LRQ-ALL-ACCT-EXPTIME-data: KRB5_LRQ_ALL_ACCT_EXPTIME ========================= .. .. data:: KRB5_LRQ_ALL_ACCT_EXPTIME .. ================================ ====================== ``KRB5_LRQ_ALL_ACCT_EXPTIME`` ``7`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst.txt0000644000704600001450000000053614076311665031335 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REQ-AD-SUBKEY-data: KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY =============================== .. .. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY .. ====================================== ====================== ``KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY`` ``5`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst.txt0000644000704600001450000000061614076311665031260 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-ENTERPRISE-data: KRB5_PRINCIPAL_PARSE_ENTERPRISE =============================== .. .. data:: KRB5_PRINCIPAL_PARSE_ENTERPRISE .. Create single-component enterprise principle. ====================================== ====================== ``KRB5_PRINCIPAL_PARSE_ENTERPRISE`` ``0x4`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.rst.txt0000644000704600001450000000052614076311665030201 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-RSA-ES-OAEP-ENV-data: ENCTYPE_RSA_ES_OAEP_ENV ======================= .. .. data:: ENCTYPE_RSA_ES_OAEP_ENV .. 
RSA w/OEAP encryption, CMS enveloped data. ============================== ====================== ``ENCTYPE_RSA_ES_OAEP_ENV`` ``0x000e`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.rst.txt0000644000704600001450000000102714076311665031454 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RESPONDER-QUESTION-PASSWORD-data: KRB5_RESPONDER_QUESTION_PASSWORD ================================ .. .. data:: KRB5_RESPONDER_QUESTION_PASSWORD .. Long-term password responder question. This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string. ======================================= ====================== ``KRB5_RESPONDER_QUESTION_PASSWORD`` ``"password"`` ======================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_const.rst.txt0000644000704600001450000000031714076311665026531 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-const-data: krb5_const ========== .. .. data:: krb5_const .. ================= ====================== ``krb5_const`` ``const`` ================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.rst.txt0000644000704600001450000000047414076311665030260 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-ARCFOUR-HMAC-EXP-data: ENCTYPE_ARCFOUR_HMAC_EXP ======================== .. .. data:: ENCTYPE_ARCFOUR_HMAC_EXP .. RFC 4757. =============================== ====================== ``ENCTYPE_ARCFOUR_HMAC_EXP`` ``0x0018`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.rst.txt0000644000704600001450000000045714076311665030240 0ustar ghudsonsystemd-journal.. highlight:: c .. _KDC-OPT-ENC-TKT-IN-SKEY-data: KDC_OPT_ENC_TKT_IN_SKEY ======================= .. .. data:: KDC_OPT_ENC_TKT_IN_SKEY .. 
============================== ====================== ``KDC_OPT_ENC_TKT_IN_SKEY`` ``0x00000008`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.rst.txt0000644000704600001450000000053414076311665031006 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-ENCPADATA-REQ-ENC-PA-REP-data: KRB5_ENCPADATA_REQ_ENC_PA_REP ============================= .. .. data:: KRB5_ENCPADATA_REQ_ENC_PA_REP .. RFC 6806. ==================================== ====================== ``KRB5_ENCPADATA_REQ_ENC_PA_REP`` ``149`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.rst.txt0000644000704600001450000000046514076311665030016 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KPASSWD-AUTHERROR-data: KRB5_KPASSWD_AUTHERROR ====================== .. .. data:: KRB5_KPASSWD_AUTHERROR .. Authentication error. ============================= ====================== ``KRB5_KPASSWD_AUTHERROR`` ``3`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.rst.txt0000644000704600001450000000053214076311665030314 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-SUPPORTED-KTYPES-data: KRB5_TC_SUPPORTED_KTYPES ======================== .. .. data:: KRB5_TC_SUPPORTED_KTYPES .. The supported key types must match. =============================== ====================== ``KRB5_TC_SUPPORTED_KTYPES`` ``0x00000200`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_princ_type.rst.txt0000644000704600001450000000045314076311665027560 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-princ-type-data: krb5_princ_type =============== .. .. data:: krb5_princ_type .. 
====================================== ====================== ``krb5_princ_type (context, princ)`` ``(princ)->type`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.rst.txt0000644000704600001450000000051314076311665030576 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-SAM-SEND-ENCRYPTED-SAD-data: KRB5_SAM_SEND_ENCRYPTED_SAD =========================== .. .. data:: KRB5_SAM_SEND_ENCRYPTED_SAD .. ================================== ====================== ``KRB5_SAM_SEND_ENCRYPTED_SAD`` ``0x40000000`` ================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.rst.txt0000644000704600001450000000056414076311665031105 0ustar ghudsonsystemd-journal.. highlight:: c .. _CKSUMTYPE-HMAC-SHA256-128-AES128-data: CKSUMTYPE_HMAC_SHA256_128_AES128 ================================ .. .. data:: CKSUMTYPE_HMAC_SHA256_128_AES128 .. RFC 8009. ======================================= ====================== ``CKSUMTYPE_HMAC_SHA256_128_AES128`` ``0x0013`` ======================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.rst.txt0000644000704600001450000000042214076311665027547 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-AS-REQ-data: KRB5_KEYUSAGE_AS_REQ ==================== .. .. data:: KRB5_KEYUSAGE_AS_REQ .. =========================== ====================== ``KRB5_KEYUSAGE_AS_REQ`` ``56`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.rst.txt0000644000704600001450000000040514076311665027205 0ustar ghudsonsystemd-journal.. highlight:: c .. _TKT-FLG-FORWARDED-data: TKT_FLG_FORWARDED ================= .. .. data:: TKT_FLG_FORWARDED .. 
======================== ====================== ``TKT_FLG_FORWARDED`` ``0x20000000`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.rst.txt0000644000704600001450000000037114076311665026545 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-INT32-MIN-data: KRB5_INT32_MIN ============== .. .. data:: KRB5_INT32_MIN .. ===================== ====================== ``KRB5_INT32_MIN`` ``(-KRB5_INT32_MAX-1)`` ===================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.rst.txt0000644000704600001450000000044414076311665027656 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-PKINIT-KX-data: KRB5_PADATA_PKINIT_KX ===================== .. .. data:: KRB5_PADATA_PKINIT_KX .. RFC 6112. ============================ ====================== ``KRB5_PADATA_PKINIT_KX`` ``147`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst.txt0000644000704600001450000000062414076311665031633 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-REQUIRE-REALM-data: KRB5_PRINCIPAL_PARSE_REQUIRE_REALM ================================== .. .. data:: KRB5_PRINCIPAL_PARSE_REQUIRE_REALM .. Error if realm is not present. ========================================= ====================== ``KRB5_PRINCIPAL_PARSE_REQUIRE_REALM`` ``0x2`` ========================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.rst.txt0000644000704600001450000000047614076311665027701 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-INIT-CONTEXT-KDC-data: KRB5_INIT_CONTEXT_KDC ===================== .. .. data:: KRB5_INIT_CONTEXT_KDC .. Use KDC configuration if available. 
============================ ====================== ``KRB5_INIT_CONTEXT_KDC`` ``0x2`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.rst.txt0000644000704600001450000000046414076311665030374 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-LRQ-ALL-LAST-RENEWAL-data: KRB5_LRQ_ALL_LAST_RENEWAL ========================= .. .. data:: KRB5_LRQ_ALL_LAST_RENEWAL .. ================================ ====================== ``KRB5_LRQ_ALL_LAST_RENEWAL`` ``4`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst.txt0000644000704600001450000000061014076311665031504 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-PARSE-NO-DEF-REALM-data: KRB5_PRINCIPAL_PARSE_NO_DEF_REALM ================================= .. .. data:: KRB5_PRINCIPAL_PARSE_NO_DEF_REALM .. Don't add default realm. ======================================== ====================== ``KRB5_PRINCIPAL_PARSE_NO_DEF_REALM`` ``0x10`` ======================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.rst.txt0000644000704600001450000000047514076311665030440 0ustar ghudsonsystemd-journal.. highlight:: c .. _AP-OPTS-ETYPE-NEGOTIATION-data: AP_OPTS_ETYPE_NEGOTIATION ========================= .. .. data:: AP_OPTS_ETYPE_NEGOTIATION .. ================================ ====================== ``AP_OPTS_ETYPE_NEGOTIATION`` ``0x00000002`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.rst.txt0000644000704600001450000000046414076311665030317 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTHDATA-IF-RELEVANT-data: KRB5_AUTHDATA_IF_RELEVANT ========================= .. .. data:: KRB5_AUTHDATA_IF_RELEVANT .. 
================================ ====================== ``KRB5_AUTHDATA_IF_RELEVANT`` ``1`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.rst.txt0000644000704600001450000000053314076311665027426 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-MATCH-TIMES-data: KRB5_TC_MATCH_TIMES =================== .. .. data:: KRB5_TC_MATCH_TIMES .. The requested lifetime must be at least as great as the time specified. ========================== ====================== ``KRB5_TC_MATCH_TIMES`` ``0x00000001`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.rst.txt0000644000704600001450000000055714076311665030416 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTH-CONTEXT-DO-TIME-data: KRB5_AUTH_CONTEXT_DO_TIME ========================= .. .. data:: KRB5_AUTH_CONTEXT_DO_TIME .. Prevent replays with timestamps and replay cache. ================================ ====================== ``KRB5_AUTH_CONTEXT_DO_TIME`` ``0x00000001`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.rst.txt0000644000704600001450000000046714076311665030221 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-SAM-RESPONSE-data: KRB5_PADATA_SAM_RESPONSE ======================== .. .. data:: KRB5_PADATA_SAM_RESPONSE .. SAM/OTP. =============================== ====================== ``KRB5_PADATA_SAM_RESPONSE`` ``13`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst.txt0000644000704600001450000000054614076311665031474 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-GSS-TOK-WRAP-INTEG-data: KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG ================================ .. .. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG .. 
======================================= ====================== ``KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG`` ``23`` ======================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.rst.txt0000644000704600001450000000051314076311665030152 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PAC-DELEGATION-INFO-data: KRB5_PAC_DELEGATION_INFO ======================== .. .. data:: KRB5_PAC_DELEGATION_INFO .. Constrained delegation info. =============================== ====================== ``KRB5_PAC_DELEGATION_INFO`` ``11`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.rst.txt0000644000704600001450000000035414076311665026612 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-CHAOS-data: ADDRTYPE_CHAOS ============== .. .. data:: ADDRTYPE_CHAOS .. ===================== ====================== ``ADDRTYPE_CHAOS`` ``0x0005`` ===================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.rst.txt0000644000704600001450000000037214076311665027110 0ustar ghudsonsystemd-journal.. highlight:: c .. _AD-TYPE-EXTERNAL-data: AD_TYPE_EXTERNAL ================ .. .. data:: AD_TYPE_EXTERNAL .. ======================= ====================== ``AD_TYPE_EXTERNAL`` ``0x4000`` ======================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.rst.txt0000644000704600001450000000045114076311665027364 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-REFERRAL-REALM-data: KRB5_REFERRAL_REALM =================== .. .. data:: KRB5_REFERRAL_REALM .. Constant for realm referrals. 
========================== ====================== ``KRB5_REFERRAL_REALM`` ``""`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.rst.txt0000644000704600001450000000042214076311665027456 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-CAMMAC-data: KRB5_KEYUSAGE_CAMMAC ==================== .. .. data:: KRB5_KEYUSAGE_CAMMAC .. =========================== ====================== ``KRB5_KEYUSAGE_CAMMAC`` ``64`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.rst.txt0000644000704600001450000000036314076311665026772 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-IPPORT-data: ADDRTYPE_IPPORT =============== .. .. data:: ADDRTYPE_IPPORT .. ====================== ====================== ``ADDRTYPE_IPPORT`` ``0x0101`` ====================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst.txt0000644000704600001450000000056114076311665031620 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-ANONYMOUS-data: KRB5_GET_INIT_CREDS_OPT_ANONYMOUS ================================= .. .. data:: KRB5_GET_INIT_CREDS_OPT_ANONYMOUS .. ======================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_ANONYMOUS`` ``0x0400`` ======================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_SAFE.rst.txt0000644000704600001450000000035714076311665025765 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-SAFE-data: KRB5_SAFE ========= .. .. data:: KRB5_SAFE .. Safe application message. ================ ====================== ``KRB5_SAFE`` ``((krb5_msgtype)20)`` ================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst.txt0000644000704600001450000000053714076311665031174 0ustar ghudsonsystemd-journal.. 
highlight:: c .. _KRB5-KEYUSAGE-ENC-CHALLENGE-KDC-data: KRB5_KEYUSAGE_ENC_CHALLENGE_KDC =============================== .. .. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_KDC .. ====================================== ====================== ``KRB5_KEYUSAGE_ENC_CHALLENGE_KDC`` ``55`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.rst.txt0000644000704600001450000000051014076311665030155 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTHDATA-SIGNTICKET-data: KRB5_AUTHDATA_SIGNTICKET ======================== .. .. data:: KRB5_AUTHDATA_SIGNTICKET .. formerly 142 in krb5 1.8 =============================== ====================== ``KRB5_AUTHDATA_SIGNTICKET`` ``512`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst.txt0000644000704600001450000000063314076311665032060 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PROMPT-TYPE-NEW-PASSWORD-AGAIN-data: KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN =================================== .. .. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN .. Prompt for new password again. ========================================== ====================== ``KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN`` ``0x3`` ========================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst.txt0000644000704600001450000000051214076311665030713 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-KRB-SAFE-CKSUM-data: KRB5_KEYUSAGE_KRB_SAFE_CKSUM ============================ .. .. data:: KRB5_KEYUSAGE_KRB_SAFE_CKSUM .. 
=================================== ====================== ``KRB5_KEYUSAGE_KRB_SAFE_CKSUM`` ``15`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.rst.txt0000644000704600001450000000041014076311665027366 0ustar ghudsonsystemd-journal.. highlight:: c .. _CKSUMTYPE-NIST-SHA-data: CKSUMTYPE_NIST_SHA ================== .. .. data:: CKSUMTYPE_NIST_SHA .. ========================= ====================== ``CKSUMTYPE_NIST_SHA`` ``0x0009`` ========================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.rst.txt0000644000704600001450000000051314076311665030142 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-ANONYMOUS-REALMSTR-data: KRB5_ANONYMOUS_REALMSTR ======================= .. .. data:: KRB5_ANONYMOUS_REALMSTR .. Anonymous realm. ============================== ====================== ``KRB5_ANONYMOUS_REALMSTR`` ``"WELLKNOWN:ANONYMOUS"`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.rst.txt0000644000704600001450000000047614076311665030245 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-SAM-CHALLENGE-data: KRB5_PADATA_SAM_CHALLENGE ========================= .. .. data:: KRB5_PADATA_SAM_CHALLENGE .. SAM/OTP. ================================ ====================== ``KRB5_PADATA_SAM_CHALLENGE`` ``12`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.rst.txt0000644000704600001450000000045514076311665030176 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTHDATA-KDC-ISSUED-data: KRB5_AUTHDATA_KDC_ISSUED ======================== .. .. data:: KRB5_AUTHDATA_KDC_ISSUED .. 
=============================== ====================== ``KRB5_AUTHDATA_KDC_ISSUED`` ``4`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst.txt0000644000704600001450000000060614076311665032067 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-CANONICALIZE-data: KRB5_GET_INIT_CREDS_OPT_CANONICALIZE ==================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_CANONICALIZE .. =========================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_CANONICALIZE`` ``0x0200`` =========================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.rst.txt0000644000704600001450000000041714076311665027376 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-DES-CBC-MD4-data: ENCTYPE_DES_CBC_MD4 =================== .. .. data:: ENCTYPE_DES_CBC_MD4 .. ========================== ====================== ``ENCTYPE_DES_CBC_MD4`` ``0x0002`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_xc.rst.txt0000644000704600001450000000040114076311665026007 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb5-xc-data: krb5_xc ======= .. .. data:: krb5_xc .. ========================= ====================== ``krb5_xc (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),(char*)0))`` ========================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst.txt0000644000704600001450000000072614076311665032332 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REQUEST-data: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST ====================================== .. .. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST .. Note conflict with :c:data:`KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID` . 
============================================= ====================== ``KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST`` ``26`` ============================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst.txt0000644000704600001450000000060114076311665032135 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SUBKEY-data: KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY ==================================== .. .. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY .. =========================================== ====================== ``KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY`` ``9`` =========================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.rst.txt0000644000704600001450000000050714076311665027714 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-MATCH-IS-SKEY-data: KRB5_TC_MATCH_IS_SKEY ===================== .. .. data:: KRB5_TC_MATCH_IS_SKEY .. The is_skey field must match exactly. ============================ ====================== ``KRB5_TC_MATCH_IS_SKEY`` ``0x00000002`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.rst.txt0000644000704600001450000000054414076311665030774 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-PA-OTP-REQUEST-data: KRB5_KEYUSAGE_PA_OTP_REQUEST ============================ .. .. data:: KRB5_KEYUSAGE_PA_OTP_REQUEST .. See RFC 6560 section 4.2. =================================== ====================== ``KRB5_KEYUSAGE_PA_OTP_REQUEST`` ``45`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRIV.rst.txt0000644000704600001450000000036214076311665026023 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRIV-data: KRB5_PRIV ========= .. .. data:: KRB5_PRIV .. Private application message. 
================ ======================
``KRB5_PRIV``    ``((krb5_msgtype)21)``
================ ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst.txt

.. highlight:: c

.. _KRB5-INIT-CREDS-STEP-FLAG-CONTINUE-data:

KRB5_INIT_CREDS_STEP_FLAG_CONTINUE
==================================

..
.. data:: KRB5_INIT_CREDS_STEP_FLAG_CONTINUE
..

More responses needed.

====================================== =======
``KRB5_INIT_CREDS_STEP_FLAG_CONTINUE`` ``0x1``
====================================== =======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.rst.txt

.. highlight:: c

.. _KRB5-PAC-PRIVSVR-CHECKSUM-data:

KRB5_PAC_PRIVSVR_CHECKSUM
=========================

..
.. data:: KRB5_PAC_PRIVSVR_CHECKSUM
..

KDC checksum.

============================= =====
``KRB5_PAC_PRIVSVR_CHECKSUM`` ``7``
============================= =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.rst.txt

.. highlight:: c

.. _KRB5-CRYPTO-TYPE-DATA-data:

KRB5_CRYPTO_TYPE_DATA
=====================

..
.. data:: KRB5_CRYPTO_TYPE_DATA
..

[in, out] plaintext

========================= =====
``KRB5_CRYPTO_TYPE_DATA`` ``2``
========================= =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.rst.txt

.. highlight:: c

.. _KRB5-CRYPTO-TYPE-TRAILER-data:

KRB5_CRYPTO_TYPE_TRAILER
========================

..
.. data:: KRB5_CRYPTO_TYPE_TRAILER
..

[out] checksum for encrypt

============================ =====
``KRB5_CRYPTO_TYPE_TRAILER`` ``5``
============================ =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.rst.txt

.. highlight:: c

.. _KRB5-GC-USER-USER-data:

KRB5_GC_USER_USER
=================

..
.. data:: KRB5_GC_USER_USER
..

Want user-user ticket.

===================== =====
``KRB5_GC_USER_USER`` ``1``
===================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/index.rst.txt

krb5 simple macros
==================

Public
------

.. toctree::
   :maxdepth: 1

   ADDRTYPE_ADDRPORT.rst
   ADDRTYPE_CHAOS.rst
   ADDRTYPE_DDP.rst
   ADDRTYPE_INET.rst
   ADDRTYPE_INET6.rst
   ADDRTYPE_IPPORT.rst
   ADDRTYPE_ISO.rst
   ADDRTYPE_IS_LOCAL.rst
   ADDRTYPE_NETBIOS.rst
   ADDRTYPE_XNS.rst
   AD_TYPE_EXTERNAL.rst
   AD_TYPE_FIELD_TYPE_MASK.rst
   AD_TYPE_REGISTERED.rst
   AD_TYPE_RESERVED.rst
   AP_OPTS_ETYPE_NEGOTIATION.rst
   AP_OPTS_MUTUAL_REQUIRED.rst
   AP_OPTS_RESERVED.rst
   AP_OPTS_USE_SESSION_KEY.rst
   AP_OPTS_USE_SUBKEY.rst
   AP_OPTS_WIRE_MASK.rst
   CKSUMTYPE_CMAC_CAMELLIA128.rst
   CKSUMTYPE_CMAC_CAMELLIA256.rst
   CKSUMTYPE_CRC32.rst
   CKSUMTYPE_DESCBC.rst
   CKSUMTYPE_HMAC_MD5_ARCFOUR.rst
   CKSUMTYPE_HMAC_SHA1_96_AES128.rst
   CKSUMTYPE_HMAC_SHA1_96_AES256.rst
   CKSUMTYPE_HMAC_SHA256_128_AES128.rst
   CKSUMTYPE_HMAC_SHA384_192_AES256.rst
   CKSUMTYPE_HMAC_SHA1_DES3.rst
   CKSUMTYPE_MD5_HMAC_ARCFOUR.rst
   CKSUMTYPE_NIST_SHA.rst
   CKSUMTYPE_RSA_MD4.rst
   CKSUMTYPE_RSA_MD4_DES.rst
   CKSUMTYPE_RSA_MD5.rst
   CKSUMTYPE_RSA_MD5_DES.rst
   ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst
   ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst
   ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst
   ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst
   ENCTYPE_ARCFOUR_HMAC.rst
   ENCTYPE_ARCFOUR_HMAC_EXP.rst
   ENCTYPE_CAMELLIA128_CTS_CMAC.rst
   ENCTYPE_CAMELLIA256_CTS_CMAC.rst
   ENCTYPE_DES3_CBC_ENV.rst
   ENCTYPE_DES3_CBC_RAW.rst
   ENCTYPE_DES3_CBC_SHA.rst
   ENCTYPE_DES3_CBC_SHA1.rst
   ENCTYPE_DES_CBC_CRC.rst
   ENCTYPE_DES_CBC_MD4.rst
   ENCTYPE_DES_CBC_MD5.rst
   ENCTYPE_DES_CBC_RAW.rst
   ENCTYPE_DES_HMAC_SHA1.rst
   ENCTYPE_DSA_SHA1_CMS.rst
   ENCTYPE_MD5_RSA_CMS.rst
   ENCTYPE_NULL.rst
   ENCTYPE_RC2_CBC_ENV.rst
   ENCTYPE_RSA_ENV.rst
   ENCTYPE_RSA_ES_OAEP_ENV.rst
   ENCTYPE_SHA1_RSA_CMS.rst
   ENCTYPE_UNKNOWN.rst
   KDC_OPT_ALLOW_POSTDATE.rst
   KDC_OPT_CANONICALIZE.rst
   KDC_OPT_CNAME_IN_ADDL_TKT.rst
   KDC_OPT_DISABLE_TRANSITED_CHECK.rst
   KDC_OPT_ENC_TKT_IN_SKEY.rst
   KDC_OPT_FORWARDABLE.rst
   KDC_OPT_FORWARDED.rst
   KDC_OPT_POSTDATED.rst
   KDC_OPT_PROXIABLE.rst
   KDC_OPT_PROXY.rst
   KDC_OPT_RENEW.rst
   KDC_OPT_RENEWABLE.rst
   KDC_OPT_RENEWABLE_OK.rst
   KDC_OPT_REQUEST_ANONYMOUS.rst
   KDC_OPT_VALIDATE.rst
   KDC_TKT_COMMON_MASK.rst
   KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst
   KRB5_ANONYMOUS_PRINCSTR.rst
   KRB5_ANONYMOUS_REALMSTR.rst
   KRB5_AP_REP.rst
   KRB5_AP_REQ.rst
   KRB5_AS_REP.rst
   KRB5_AS_REQ.rst
   KRB5_AUTHDATA_AND_OR.rst
   KRB5_AUTHDATA_AP_OPTIONS.rst
   KRB5_AUTHDATA_AUTH_INDICATOR.rst
   KRB5_AUTHDATA_CAMMAC.rst
   KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst
   KRB5_AUTHDATA_FX_ARMOR.rst
   KRB5_AUTHDATA_IF_RELEVANT.rst
   KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst
   KRB5_AUTHDATA_KDC_ISSUED.rst
   KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst
   KRB5_AUTHDATA_OSF_DCE.rst
   KRB5_AUTHDATA_SESAME.rst
   KRB5_AUTHDATA_SIGNTICKET.rst
   KRB5_AUTHDATA_WIN2K_PAC.rst
   KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst
   KRB5_AUTH_CONTEXT_DO_TIME.rst
   KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst
   KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst
   KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst
   KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst
   KRB5_AUTH_CONTEXT_PERMIT_ALL.rst
   KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst
   KRB5_AUTH_CONTEXT_RET_TIME.rst
   KRB5_AUTH_CONTEXT_USE_SUBKEY.rst
   KRB5_CRED.rst
   KRB5_CRYPTO_TYPE_CHECKSUM.rst
   KRB5_CRYPTO_TYPE_DATA.rst
   KRB5_CRYPTO_TYPE_EMPTY.rst
   KRB5_CRYPTO_TYPE_HEADER.rst
   KRB5_CRYPTO_TYPE_PADDING.rst
   KRB5_CRYPTO_TYPE_SIGN_ONLY.rst
   KRB5_CRYPTO_TYPE_STREAM.rst
   KRB5_CRYPTO_TYPE_TRAILER.rst
   KRB5_CYBERSAFE_SECUREID.rst
   KRB5_DOMAIN_X500_COMPRESS.rst
   KRB5_ENCPADATA_REQ_ENC_PA_REP.rst
   KRB5_ERROR.rst
   KRB5_FAST_REQUIRED.rst
   KRB5_GC_CACHED.rst
   KRB5_GC_CANONICALIZE.rst
   KRB5_GC_CONSTRAINED_DELEGATION.rst
   KRB5_GC_FORWARDABLE.rst
   KRB5_GC_NO_STORE.rst
   KRB5_GC_NO_TRANSIT_CHECK.rst
   KRB5_GC_USER_USER.rst
   KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst
   KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst
   KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst
   KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst
   KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst
   KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst
   KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst
   KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst
   KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst
   KRB5_GET_INIT_CREDS_OPT_SALT.rst
   KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst
   KRB5_INIT_CONTEXT_SECURE.rst
   KRB5_INIT_CONTEXT_KDC.rst
   KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst
   KRB5_INT16_MAX.rst
   KRB5_INT16_MIN.rst
   KRB5_INT32_MAX.rst
   KRB5_INT32_MIN.rst
   KRB5_KEYUSAGE_AD_ITE.rst
   KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst
   KRB5_KEYUSAGE_AD_MTE.rst
   KRB5_KEYUSAGE_AD_SIGNEDPATH.rst
   KRB5_KEYUSAGE_APP_DATA_CKSUM.rst
   KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst
   KRB5_KEYUSAGE_AP_REP_ENCPART.rst
   KRB5_KEYUSAGE_AP_REQ_AUTH.rst
   KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst
   KRB5_KEYUSAGE_AS_REP_ENCPART.rst
   KRB5_KEYUSAGE_AS_REQ.rst
   KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst
   KRB5_KEYUSAGE_CAMMAC.rst
   KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst
   KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst
   KRB5_KEYUSAGE_FAST_ENC.rst
   KRB5_KEYUSAGE_FAST_FINISHED.rst
   KRB5_KEYUSAGE_FAST_REP.rst
   KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst
   KRB5_KEYUSAGE_GSS_TOK_MIC.rst
   KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst
   KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst
   KRB5_KEYUSAGE_IAKERB_FINISHED.rst
   KRB5_KEYUSAGE_KDC_REP_TICKET.rst
   KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst
   KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst
   KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst
   KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst
   KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst
   KRB5_KEYUSAGE_PA_FX_COOKIE.rst
   KRB5_KEYUSAGE_PA_OTP_REQUEST.rst
   KRB5_KEYUSAGE_PA_PKINIT_KX.rst
   KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst
   KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst
   KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst
   KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst
   KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst
   KRB5_KEYUSAGE_SPAKE.rst
   KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst
   KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst
   KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst
   KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst
   KRB5_KEYUSAGE_TGS_REQ_AUTH.rst
   KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst
   KRB5_KPASSWD_ACCESSDENIED.rst
   KRB5_KPASSWD_AUTHERROR.rst
   KRB5_KPASSWD_BAD_VERSION.rst
   KRB5_KPASSWD_HARDERROR.rst
   KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst
   KRB5_KPASSWD_MALFORMED.rst
   KRB5_KPASSWD_SOFTERROR.rst
   KRB5_KPASSWD_SUCCESS.rst
   KRB5_LRQ_ALL_ACCT_EXPTIME.rst
   KRB5_LRQ_ALL_LAST_INITIAL.rst
   KRB5_LRQ_ALL_LAST_RENEWAL.rst
   KRB5_LRQ_ALL_LAST_REQ.rst
   KRB5_LRQ_ALL_LAST_TGT.rst
   KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst
   KRB5_LRQ_ALL_PW_EXPTIME.rst
   KRB5_LRQ_NONE.rst
   KRB5_LRQ_ONE_ACCT_EXPTIME.rst
   KRB5_LRQ_ONE_LAST_INITIAL.rst
   KRB5_LRQ_ONE_LAST_RENEWAL.rst
   KRB5_LRQ_ONE_LAST_REQ.rst
   KRB5_LRQ_ONE_LAST_TGT.rst
   KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst
   KRB5_LRQ_ONE_PW_EXPTIME.rst
   KRB5_NT_ENTERPRISE_PRINCIPAL.rst
   KRB5_NT_ENT_PRINCIPAL_AND_ID.rst
   KRB5_NT_MS_PRINCIPAL.rst
   KRB5_NT_MS_PRINCIPAL_AND_ID.rst
   KRB5_NT_PRINCIPAL.rst
   KRB5_NT_SMTP_NAME.rst
   KRB5_NT_SRV_HST.rst
   KRB5_NT_SRV_INST.rst
   KRB5_NT_SRV_XHST.rst
   KRB5_NT_UID.rst
   KRB5_NT_UNKNOWN.rst
   KRB5_NT_WELLKNOWN.rst
   KRB5_NT_X500_PRINCIPAL.rst
   KRB5_PAC_CLIENT_INFO.rst
   KRB5_PAC_CREDENTIALS_INFO.rst
   KRB5_PAC_DELEGATION_INFO.rst
   KRB5_PAC_LOGON_INFO.rst
   KRB5_PAC_PRIVSVR_CHECKSUM.rst
   KRB5_PAC_SERVER_CHECKSUM.rst
   KRB5_PAC_UPN_DNS_INFO.rst
   KRB5_PADATA_AFS3_SALT.rst
   KRB5_PADATA_AP_REQ.rst
   KRB5_PADATA_AS_CHECKSUM.rst
   KRB5_PADATA_AS_FRESHNESS.rst
   KRB5_PADATA_ENCRYPTED_CHALLENGE.rst
   KRB5_PADATA_ENC_SANDIA_SECURID.rst
   KRB5_PADATA_ENC_TIMESTAMP.rst
   KRB5_PADATA_ENC_UNIX_TIME.rst
   KRB5_PADATA_ETYPE_INFO.rst
   KRB5_PADATA_ETYPE_INFO2.rst
   KRB5_PADATA_FOR_USER.rst
   KRB5_PADATA_FX_COOKIE.rst
   KRB5_PADATA_FX_ERROR.rst
   KRB5_PADATA_FX_FAST.rst
   KRB5_PADATA_GET_FROM_TYPED_DATA.rst
   KRB5_PADATA_NONE.rst
   KRB5_PADATA_OSF_DCE.rst
   KRB5_PADATA_OTP_CHALLENGE.rst
   KRB5_PADATA_OTP_PIN_CHANGE.rst
   KRB5_PADATA_OTP_REQUEST.rst
   KRB5_PADATA_PAC_OPTIONS.rst
   KRB5_PADATA_PAC_REQUEST.rst
   KRB5_PADATA_PKINIT_KX.rst
   KRB5_PADATA_PK_AS_REP.rst
   KRB5_PADATA_PK_AS_REP_OLD.rst
   KRB5_PADATA_PK_AS_REQ.rst
   KRB5_PADATA_PK_AS_REQ_OLD.rst
   KRB5_PADATA_PW_SALT.rst
   KRB5_PADATA_REFERRAL.rst
   KRB5_PADATA_S4U_X509_USER.rst
   KRB5_PADATA_SAM_CHALLENGE.rst
   KRB5_PADATA_SAM_CHALLENGE_2.rst
   KRB5_PADATA_SAM_REDIRECT.rst
   KRB5_PADATA_SAM_RESPONSE.rst
   KRB5_PADATA_SAM_RESPONSE_2.rst
   KRB5_PADATA_SESAME.rst
   KRB5_PADATA_SPAKE.rst
   KRB5_PADATA_SVR_REFERRAL_INFO.rst
   KRB5_PADATA_TGS_REQ.rst
   KRB5_PADATA_USE_SPECIFIED_KVNO.rst
   KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst
   KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst
   KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst
   KRB5_PRINCIPAL_COMPARE_UTF8.rst
   KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst
   KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst
   KRB5_PRINCIPAL_PARSE_NO_DEF_REALM.rst
   KRB5_PRINCIPAL_PARSE_NO_REALM.rst
   KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst
   KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst
   KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst
   KRB5_PRINCIPAL_UNPARSE_SHORT.rst
   KRB5_PRIV.rst
   KRB5_PROMPT_TYPE_NEW_PASSWORD.rst
   KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst
   KRB5_PROMPT_TYPE_PASSWORD.rst
   KRB5_PROMPT_TYPE_PREAUTH.rst
   KRB5_PVNO.rst
   KRB5_REALM_BRANCH_CHAR.rst
   KRB5_RECVAUTH_BADAUTHVERS.rst
   KRB5_RECVAUTH_SKIP_VERSION.rst
   KRB5_REFERRAL_REALM.rst
   KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst
   KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst
   KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst
   KRB5_RESPONDER_QUESTION_PKINIT.rst
   KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst
   KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst
   KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst
   KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst
   KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst
   KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst
   KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst
   KRB5_RESPONDER_QUESTION_OTP.rst
   KRB5_RESPONDER_QUESTION_PASSWORD.rst
   KRB5_SAFE.rst
   KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst
   KRB5_SAM_SEND_ENCRYPTED_SAD.rst
   KRB5_SAM_USE_SAD_AS_KEY.rst
   KRB5_TC_MATCH_2ND_TKT.rst
   KRB5_TC_MATCH_AUTHDATA.rst
   KRB5_TC_MATCH_FLAGS.rst
   KRB5_TC_MATCH_FLAGS_EXACT.rst
   KRB5_TC_MATCH_IS_SKEY.rst
   KRB5_TC_MATCH_KTYPE.rst
   KRB5_TC_MATCH_SRV_NAMEONLY.rst
   KRB5_TC_MATCH_TIMES.rst
   KRB5_TC_MATCH_TIMES_EXACT.rst
   KRB5_TC_NOTICKET.rst
   KRB5_TC_OPENCLOSE.rst
   KRB5_TC_SUPPORTED_KTYPES.rst
   KRB5_TGS_NAME.rst
   KRB5_TGS_NAME_SIZE.rst
   KRB5_TGS_REP.rst
   KRB5_TGS_REQ.rst
   KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst
   KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst
   KRB5_WELLKNOWN_NAMESTR.rst
   LR_TYPE_INTERPRETATION_MASK.rst
   LR_TYPE_THIS_SERVER_ONLY.rst
   MAX_KEYTAB_NAME_LEN.rst
   MSEC_DIRBIT.rst
   MSEC_VAL_MASK.rst
   SALT_TYPE_AFS_LENGTH.rst
   SALT_TYPE_NO_LENGTH.rst
   THREEPARAMOPEN.rst
   TKT_FLG_ANONYMOUS.rst
   TKT_FLG_ENC_PA_REP.rst
   TKT_FLG_FORWARDABLE.rst
   TKT_FLG_FORWARDED.rst
   TKT_FLG_HW_AUTH.rst
   TKT_FLG_INITIAL.rst
   TKT_FLG_INVALID.rst
   TKT_FLG_MAY_POSTDATE.rst
   TKT_FLG_OK_AS_DELEGATE.rst
   TKT_FLG_POSTDATED.rst
   TKT_FLG_PRE_AUTH.rst
   TKT_FLG_PROXIABLE.rst
   TKT_FLG_PROXY.rst
   TKT_FLG_RENEWABLE.rst
   TKT_FLG_TRANSIT_POLICY_CHECKED.rst
   VALID_INT_BITS.rst
   VALID_UINT_BITS.rst
   krb5_const.rst
   krb5_princ_component.rst
   krb5_princ_name.rst
   krb5_princ_realm.rst
   krb5_princ_set_realm.rst
   krb5_princ_set_realm_data.rst
   krb5_princ_set_realm_length.rst
   krb5_princ_size.rst
   krb5_princ_type.rst
   krb5_roundup.rst
   krb5_x.rst
   krb5_xc.rst

Deprecated macros
-----------------

.. toctree::
   :maxdepth: 1

   krb524_convert_creds_kdc.rst
   krb524_init_ets.rst

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.rst.txt

.. highlight:: c

.. _KRB5-PADATA-PK-AS-REQ-data:

KRB5_PADATA_PK_AS_REQ
=====================

..
.. data:: KRB5_PADATA_PK_AS_REQ
..

PKINIT. RFC 4556

========================= ======
``KRB5_PADATA_PK_AS_REQ`` ``16``
========================= ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst.txt

.. highlight:: c

.. _KRB5-RESPONDER-OTP-FLAGS-SEPARATE-PIN-data:

KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN
=====================================

..
.. data:: KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN
..

This flag indicates that the PIN MUST be returned as a separate item. This flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as "value" in the answer or it may return them separately. If they are returned separately, they will be concatenated internally.

========================================= ==========
``KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN`` ``0x0008``
========================================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.rst.txt

.. highlight:: c

.. _KRB5-CRYPTO-TYPE-HEADER-data:

KRB5_CRYPTO_TYPE_HEADER
=======================

..
.. data:: KRB5_CRYPTO_TYPE_HEADER
..

[out] header

=========================== =====
``KRB5_CRYPTO_TYPE_HEADER`` ``1``
=========================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-PA-PKINIT-KX-data:

KRB5_KEYUSAGE_PA_PKINIT_KX
==========================

..
.. data:: KRB5_KEYUSAGE_PA_PKINIT_KX
..

============================== ======
``KRB5_KEYUSAGE_PA_PKINIT_KX`` ``44``
============================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_princ_realm.rst.txt

.. highlight:: c

.. _krb5-princ-realm-data:

krb5_princ_realm
================

..
.. data:: krb5_princ_realm
..

===================================== =====================
``krb5_princ_realm (context, princ)`` ``(&(princ)->realm)``
===================================== =====================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ONE-LAST-INITIAL-data:

KRB5_LRQ_ONE_LAST_INITIAL
=========================

..
.. data:: KRB5_LRQ_ONE_LAST_INITIAL
..

============================= ========
``KRB5_LRQ_ONE_LAST_INITIAL`` ``(-2)``
============================= ========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ALL-LAST-INITIAL-data:

KRB5_LRQ_ALL_LAST_INITIAL
=========================

..
.. data:: KRB5_LRQ_ALL_LAST_INITIAL
..

============================= =====
``KRB5_LRQ_ALL_LAST_INITIAL`` ``2``
============================= =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.rst.txt

.. highlight:: c

.. _KRB5-PADATA-PAC-REQUEST-data:

KRB5_PADATA_PAC_REQUEST
=======================

..
.. data:: KRB5_PADATA_PAC_REQUEST
..

include Windows PAC

=========================== =======
``KRB5_PADATA_PAC_REQUEST`` ``128``
=========================== =======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.rst.txt

.. highlight:: c

.. _krb5-princ-set-realm-data-data:

krb5_princ_set_realm_data
=========================

..
.. data:: krb5_princ_set_realm_data
..

===================================================== =================================
``krb5_princ_set_realm_data (context, princ, value)`` ``(princ)->realm.data = (value)``
===================================================== =================================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.rst.txt

.. highlight:: c

.. _TKT-FLG-OK-AS-DELEGATE-data:

TKT_FLG_OK_AS_DELEGATE
======================

..
.. data:: TKT_FLG_OK_AS_DELEGATE
..

========================== ==============
``TKT_FLG_OK_AS_DELEGATE`` ``0x00040000``
========================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.rst.txt

.. highlight:: c

.. _KRB5-NT-SRV-HST-data:

KRB5_NT_SRV_HST
===============

..
.. data:: KRB5_NT_SRV_HST
..

Service with host name as instance (telnet, rcommands)

=================== =====
``KRB5_NT_SRV_HST`` ``3``
=================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-AD-ITE-data:

KRB5_KEYUSAGE_AD_ITE
====================

..
.. data:: KRB5_KEYUSAGE_AD_ITE
..

======================== ======
``KRB5_KEYUSAGE_AD_ITE`` ``21``
======================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-CKSUM-data:

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM
====================================

..
.. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM
..

======================================== ======
``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM`` ``25``
======================================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-AD-MTE-data:

KRB5_KEYUSAGE_AD_MTE
====================

..
.. data:: KRB5_KEYUSAGE_AD_MTE
..

======================== ======
``KRB5_KEYUSAGE_AD_MTE`` ``20``
======================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.rst.txt

.. highlight:: c

.. _KRB5-NT-SRV-XHST-data:

KRB5_NT_SRV_XHST
================

..
.. data:: KRB5_NT_SRV_XHST
..

Service with host as remaining components.

==================== =====
``KRB5_NT_SRV_XHST`` ``4``
==================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.rst.txt

.. highlight:: c

.. _KRB5-PADATA-ETYPE-INFO2-data:

KRB5_PADATA_ETYPE_INFO2
=======================

..
.. data:: KRB5_PADATA_ETYPE_INFO2
..

RFC 4120.

=========================== ======
``KRB5_PADATA_ETYPE_INFO2`` ``19``
=========================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.rst.txt

.. highlight:: c

.. _ENCTYPE-RC2-CBC-ENV-data:

ENCTYPE_RC2_CBC_ENV
===================

..
.. data:: ENCTYPE_RC2_CBC_ENV
..

RC2 cbc mode, CMS enveloped data.

======================= ==========
``ENCTYPE_RC2_CBC_ENV`` ``0x000c``
======================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.rst.txt

.. highlight:: c

.. _KRB5-PADATA-AS-CHECKSUM-data:

KRB5_PADATA_AS_CHECKSUM
=======================

..
.. data:: KRB5_PADATA_AS_CHECKSUM
..

AS checksum.

=========================== =======
``KRB5_PADATA_AS_CHECKSUM`` ``132``
=========================== =======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.rst.txt

.. highlight:: c

.. _KRB5-CYBERSAFE-SECUREID-data:

KRB5_CYBERSAFE_SECUREID
=======================

..
.. data:: KRB5_CYBERSAFE_SECUREID
..

Cybersafe. RFC 4120

=========================== =====
``KRB5_CYBERSAFE_SECUREID`` ``9``
=========================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.rst.txt

.. highlight:: c

.. _KRB5-PADATA-REFERRAL-data:

KRB5_PADATA_REFERRAL
====================

..
.. data:: KRB5_PADATA_REFERRAL
..

draft referral system

======================== ======
``KRB5_PADATA_REFERRAL`` ``25``
======================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.rst.txt

.. highlight:: c

.. _CKSUMTYPE-CRC32-data:

CKSUMTYPE_CRC32
===============

..
.. data:: CKSUMTYPE_CRC32
..

=================== ==========
``CKSUMTYPE_CRC32`` ``0x0001``
=================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.rst.txt

.. highlight:: c

.. _AD-TYPE-REGISTERED-data:

AD_TYPE_REGISTERED
==================

..
.. data:: AD_TYPE_REGISTERED
..

====================== ==========
``AD_TYPE_REGISTERED`` ``0x2000``
====================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.rst.txt

.. highlight:: c

.. _KRB5-KPASSWD-MALFORMED-data:

KRB5_KPASSWD_MALFORMED
======================

..
.. data:: KRB5_KPASSWD_MALFORMED
..

Malformed request.

========================== =====
``KRB5_KPASSWD_MALFORMED`` ``1``
========================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ONE-LAST-TGT-ISSUED-data:

KRB5_LRQ_ONE_LAST_TGT_ISSUED
============================

..
.. data:: KRB5_LRQ_ONE_LAST_TGT_ISSUED
..

================================ ========
``KRB5_LRQ_ONE_LAST_TGT_ISSUED`` ``(-3)``
================================ ========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.rst.txt

.. highlight:: c

.. _AP-OPTS-WIRE-MASK-data:

AP_OPTS_WIRE_MASK
=================

..
.. data:: AP_OPTS_WIRE_MASK
..

===================== ==============
``AP_OPTS_WIRE_MASK`` ``0xfffffff0``
===================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.rst.txt

.. highlight:: c

.. _KRB5-PROMPT-TYPE-NEW-PASSWORD-data:

KRB5_PROMPT_TYPE_NEW_PASSWORD
=============================

..
.. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD
..

Prompt for new password (during password change)

================================= =======
``KRB5_PROMPT_TYPE_NEW_PASSWORD`` ``0x2``
================================= =======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.rst.txt

.. highlight:: c

.. _ADDRTYPE-NETBIOS-data:

ADDRTYPE_NETBIOS
================

..
.. data:: ADDRTYPE_NETBIOS
..

==================== ==========
``ADDRTYPE_NETBIOS`` ``0x0014``
==================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.rst.txt

.. highlight:: c

.. _KRB5-NT-UNKNOWN-data:

KRB5_NT_UNKNOWN
===============

..
.. data:: KRB5_NT_UNKNOWN
..

Name type not known.

=================== =====
``KRB5_NT_UNKNOWN`` ``0``
=================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.rst.txt

.. highlight:: c

.. _CKSUMTYPE-HMAC-SHA1-96-AES128-data:

CKSUMTYPE_HMAC_SHA1_96_AES128
=============================

..
.. data:: CKSUMTYPE_HMAC_SHA1_96_AES128
..

RFC 3962. Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96

================================= ==========
``CKSUMTYPE_HMAC_SHA1_96_AES128`` ``0x000f``
================================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.rst.txt

.. highlight:: c

.. _ENCTYPE-DES3-CBC-SHA1-data:

ENCTYPE_DES3_CBC_SHA1
=====================

..
.. data:: ENCTYPE_DES3_CBC_SHA1
..

========================= ==========
``ENCTYPE_DES3_CBC_SHA1`` ``0x0010``
========================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.rst.txt

.. highlight:: c

.. _KRB5-PADATA-ETYPE-INFO-data:

KRB5_PADATA_ETYPE_INFO
======================

..
.. data:: KRB5_PADATA_ETYPE_INFO
..

Etype info for preauth. RFC 4120

========================== ======
``KRB5_PADATA_ETYPE_INFO`` ``11``
========================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_FRESHNESS.rst.txt

.. highlight:: c

.. _KRB5-PADATA-AS-FRESHNESS-data:

KRB5_PADATA_AS_FRESHNESS
========================

..
.. data:: KRB5_PADATA_AS_FRESHNESS
..

RFC 8070.

============================ =======
``KRB5_PADATA_AS_FRESHNESS`` ``150``
============================ =======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.rst.txt

.. highlight:: c

.. _KDC-OPT-RENEW-data:

KDC_OPT_RENEW
=============

..
.. data:: KDC_OPT_RENEW
..

================= ==============
``KDC_OPT_RENEW`` ``0x00000002``
================= ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.rst.txt

.. highlight:: c

.. _ENCTYPE-DSA-SHA1-CMS-data:

ENCTYPE_DSA_SHA1_CMS
====================

..
.. data:: ENCTYPE_DSA_SHA1_CMS
..

DSA with SHA1, CMS signature.

======================== ==========
``ENCTYPE_DSA_SHA1_CMS`` ``0x0009``
======================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.rst.txt

.. highlight:: c

.. _KDC-OPT-CANONICALIZE-data:

KDC_OPT_CANONICALIZE
====================

..
.. data:: KDC_OPT_CANONICALIZE
..

======================== ==============
``KDC_OPT_CANONICALIZE`` ``0x00010000``
======================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.rst.txt

.. highlight:: c

.. _KRB5-TGS-REQ-data:

KRB5_TGS_REQ
============

..
.. data:: KRB5_TGS_REQ
..

Ticket granting server request.

================ ======================
``KRB5_TGS_REQ`` ``((krb5_msgtype)12)``
================ ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst.txt

.. highlight:: c

.. _KRB5-GET-INIT-CREDS-OPT-ADDRESS-LIST-data:

KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
====================================

..
.. data:: KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST
..

======================================== ==========
``KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST`` ``0x0020``
======================================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.rst.txt

.. highlight:: c

.. _AP-OPTS-RESERVED-data:

AP_OPTS_RESERVED
================

..
.. data:: AP_OPTS_RESERVED
..

==================== ==============
``AP_OPTS_RESERVED`` ``0x80000000``
==================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.rst.txt

.. highlight:: c

.. _ADDRTYPE-DDP-data:

ADDRTYPE_DDP
============

..
.. data:: ADDRTYPE_DDP
..

================ ==========
``ADDRTYPE_DDP`` ``0x0010``
================ ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.rst.txt

.. highlight:: c

.. _TKT-FLG-ANONYMOUS-data:

TKT_FLG_ANONYMOUS
=================

..
.. data:: TKT_FLG_ANONYMOUS
..

===================== ==============
``TKT_FLG_ANONYMOUS`` ``0x00008000``
===================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-AS-REP-ENCPART-data:

KRB5_KEYUSAGE_AS_REP_ENCPART
============================

..
.. data:: KRB5_KEYUSAGE_AS_REP_ENCPART
..

================================ =====
``KRB5_KEYUSAGE_AS_REP_ENCPART`` ``3``
================================ =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst.txt

.. highlight:: c

.. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-TOKEN-data:

KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN
======================================

..
.. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN
..

This flag indicates that the token value MUST be collected.

========================================== ==========
``KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN`` ``0x0001``
========================================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.rst.txt

.. highlight:: c

.. _ENCTYPE-DES-CBC-CRC-data:

ENCTYPE_DES_CBC_CRC
===================

..
.. data:: ENCTYPE_DES_CBC_CRC
..

======================= ==========
``ENCTYPE_DES_CBC_CRC`` ``0x0001``
======================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.rst.txt

.. highlight:: c

.. _KRB5-AS-REQ-data:

KRB5_AS_REQ
===========

..
.. data:: KRB5_AS_REQ
..

Initial authentication request.

=============== ======================
``KRB5_AS_REQ`` ``((krb5_msgtype)10)``
=============== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ALL-LAST-REQ-data:

KRB5_LRQ_ALL_LAST_REQ
=====================

..
.. data:: KRB5_LRQ_ALL_LAST_REQ
..

========================= =====
``KRB5_LRQ_ALL_LAST_REQ`` ``5``
========================= =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.rst.txt

.. highlight:: c

.. _CKSUMTYPE-RSA-MD5-DES-data:

CKSUMTYPE_RSA_MD5_DES
=====================

..
.. data:: CKSUMTYPE_RSA_MD5_DES
..

========================= ==========
``CKSUMTYPE_RSA_MD5_DES`` ``0x0008``
========================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-KRB-ERROR-CKSUM-data:

KRB5_KEYUSAGE_KRB_ERROR_CKSUM
=============================

..
.. data:: KRB5_KEYUSAGE_KRB_ERROR_CKSUM
..

================================= ======
``KRB5_KEYUSAGE_KRB_ERROR_CKSUM`` ``18``
================================= ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.rst.txt

.. highlight:: c

.. _KRB5-RECVAUTH-BADAUTHVERS-data:

KRB5_RECVAUTH_BADAUTHVERS
=========================

..
.. data:: KRB5_RECVAUTH_BADAUTHVERS
..

============================= ==========
``KRB5_RECVAUTH_BADAUTHVERS`` ``0x0002``
============================= ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.rst.txt

.. highlight:: c

.. _KRB5-NT-UID-data:

KRB5_NT_UID
===========

..
.. data:: KRB5_NT_UID
..

Unique ID.

=============== =====
``KRB5_NT_UID`` ``5``
=============== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.rst.txt

.. highlight:: c

.. _KRB5-TC-OPENCLOSE-data:

KRB5_TC_OPENCLOSE
=================

..
.. data:: KRB5_TC_OPENCLOSE
..

Open and close the file for each cache operation.

===================== ==============
``KRB5_TC_OPENCLOSE`` ``0x00000001``
===================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.rst.txt

.. highlight:: c

.. _KRB5-DOMAIN-X500-COMPRESS-data:

KRB5_DOMAIN_X500_COMPRESS
=========================

..
.. data:: KRB5_DOMAIN_X500_COMPRESS
..

Transited encoding types.

============================= =====
``KRB5_DOMAIN_X500_COMPRESS`` ``1``
============================= =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_ERROR.rst.txt

.. highlight:: c

.. _KRB5-ERROR-data:

KRB5_ERROR
==========

..
.. data:: KRB5_ERROR
..

Error response.

============== ======================
``KRB5_ERROR`` ``((krb5_msgtype)30)``
============== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-AND-OR-data:

KRB5_AUTHDATA_AND_OR
====================

..
.. data:: KRB5_AUTHDATA_AND_OR
..

======================== =====
``KRB5_AUTHDATA_AND_OR`` ``5``
======================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-AP-REQ-AUTH-data:

KRB5_KEYUSAGE_AP_REQ_AUTH
=========================

..
.. data:: KRB5_KEYUSAGE_AP_REQ_AUTH
..

============================= ======
``KRB5_KEYUSAGE_AP_REQ_AUTH`` ``11``
============================= ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.rst.txt

.. highlight:: c

.. _TKT-FLG-PROXIABLE-data:

TKT_FLG_PROXIABLE
=================

..
.. data:: TKT_FLG_PROXIABLE
..

===================== ==============
``TKT_FLG_PROXIABLE`` ``0x10000000``
===================== ==============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst.txt

.. highlight:: c

.. _KRB5-RESPONDER-OTP-FLAGS-NEXTOTP-data:

KRB5_RESPONDER_OTP_FLAGS_NEXTOTP
================================

..
.. data:: KRB5_RESPONDER_OTP_FLAGS_NEXTOTP
..

This flag indicates that the token is now in re-synchronization mode with the server. The user is expected to reply with the next code displayed on the token.

==================================== ==========
``KRB5_RESPONDER_OTP_FLAGS_NEXTOTP`` ``0x0004``
==================================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst.txt

.. highlight:: c

.. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-PIN-data:

KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN
====================================

..
.. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN
..

This flag indicates that the PIN value MUST be collected.

======================================== ==========
``KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN`` ``0x0002``
======================================== ==========

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-TRACKID-data:

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID
======================================

..
.. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID
..

Note conflict with :c:data:`KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST`.

========================================== ======
``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID`` ``26``
========================================== ======

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-MANDATORY-FOR-KDC-data:

KRB5_AUTHDATA_MANDATORY_FOR_KDC
===============================

..
.. data:: KRB5_AUTHDATA_MANDATORY_FOR_KDC
..

=================================== =====
``KRB5_AUTHDATA_MANDATORY_FOR_KDC`` ``8``
=================================== =====

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.rst.txt

.. highlight:: c

.. _KRB5-ANONYMOUS-PRINCSTR-data:

KRB5_ANONYMOUS_PRINCSTR
=======================

..
.. data:: KRB5_ANONYMOUS_PRINCSTR
..

Anonymous principal name.

=========================== ===============
``KRB5_ANONYMOUS_PRINCSTR`` ``"ANONYMOUS"``
=========================== ===============

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.rst.txt

.. highlight:: c

..
.. _KRB5-LRQ-ALL-PW-EXPTIME-data:

KRB5_LRQ_ALL_PW_EXPTIME
=======================

..
.. data:: KRB5_LRQ_ALL_PW_EXPTIME
..

============================== ======================
``KRB5_LRQ_ALL_PW_EXPTIME``    ``6``
============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst.txt

.. highlight:: c

.. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-ADDR-data:

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
======================================

..
.. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
..

Generate the remote network address.

============================================= ======================
``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR``    ``0x00000002``
============================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst.txt

.. highlight:: c

.. _KRB5-GET-INIT-CREDS-OPT-ETYPE-LIST-data:

KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST
==================================

..
.. data:: KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST
..

========================================= ======================
``KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST``    ``0x0010``
========================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.rst.txt

.. highlight:: c

.. _KDC-OPT-PROXIABLE-data:

KDC_OPT_PROXIABLE
=================

..
.. data:: KDC_OPT_PROXIABLE
..

======================== ======================
``KDC_OPT_PROXIABLE``    ``0x10000000``
======================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.rst.txt

.. highlight:: c

.. _TKT-FLG-TRANSIT-POLICY-CHECKED-data:

TKT_FLG_TRANSIT_POLICY_CHECKED
==============================

..
.. data:: TKT_FLG_TRANSIT_POLICY_CHECKED
..

===================================== ======================
``TKT_FLG_TRANSIT_POLICY_CHECKED``    ``0x00080000``
===================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst.txt

.. highlight:: c

.. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-FULL-ADDR-data:

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR
===========================================

..
.. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR
..

Generate the remote network address and the remote port.

================================================== ======================
``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR``    ``0x00000008``
================================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.rst.txt

.. highlight:: c

.. _KRB5-GET-INIT-CREDS-OPT-SALT-data:

KRB5_GET_INIT_CREDS_OPT_SALT
============================

..
.. data:: KRB5_GET_INIT_CREDS_OPT_SALT
..

=================================== ======================
``KRB5_GET_INIT_CREDS_OPT_SALT``    ``0x0080``
=================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.rst.txt

.. highlight:: c

.. _KDC-OPT-RENEWABLE-OK-data:

KDC_OPT_RENEWABLE_OK
====================

..
.. data:: KDC_OPT_RENEWABLE_OK
..

=========================== ======================
``KDC_OPT_RENEWABLE_OK``    ``0x00000010``
=========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-FAST-REP-data:

KRB5_KEYUSAGE_FAST_REP
======================

..
.. data:: KRB5_KEYUSAGE_FAST_REP
..

============================= ======================
``KRB5_KEYUSAGE_FAST_REP``    ``52``
============================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.rst.txt

.. highlight:: c

.. _KRB5-PROMPT-TYPE-PREAUTH-data:

KRB5_PROMPT_TYPE_PREAUTH
========================

..
.. data:: KRB5_PROMPT_TYPE_PREAUTH
..

Prompt for preauthentication data (such as an OTP value).

=============================== ======================
``KRB5_PROMPT_TYPE_PREAUTH``    ``0x4``
=============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.rst.txt

.. highlight:: c

.. _KRB5-NT-X500-PRINCIPAL-data:

KRB5_NT_X500_PRINCIPAL
======================

..
.. data:: KRB5_NT_X500_PRINCIPAL
..

PKINIT.

============================= ======================
``KRB5_NT_X500_PRINCIPAL``    ``6``
============================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.rst.txt

.. highlight:: c

.. _TKT-FLG-ENC-PA-REP-data:

TKT_FLG_ENC_PA_REP
==================

..
.. data:: TKT_FLG_ENC_PA_REP
..

========================= ======================
``TKT_FLG_ENC_PA_REP``    ``0x00010000``
========================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.rst.txt

.. highlight:: c

.. _KRB5-NT-SRV-INST-data:

KRB5_NT_SRV_INST
================

..
.. data:: KRB5_NT_SRV_INST
..

Service and other unique instance (krbtgt).

======================= ======================
``KRB5_NT_SRV_INST``    ``2``
======================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-KRB-CRED-ENCPART-data:

KRB5_KEYUSAGE_KRB_CRED_ENCPART
==============================

..
.. data:: KRB5_KEYUSAGE_KRB_CRED_ENCPART
..

===================================== ======================
``KRB5_KEYUSAGE_KRB_CRED_ENCPART``    ``14``
===================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.rst.txt

.. highlight:: c

.. _KRB5-SAM-USE-SAD-AS-KEY-data:

KRB5_SAM_USE_SAD_AS_KEY
=======================

..
.. data:: KRB5_SAM_USE_SAD_AS_KEY
..

============================== ======================
``KRB5_SAM_USE_SAD_AS_KEY``    ``0x80000000``
============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst.txt

.. highlight:: c

.. _ENCTYPE-AES256-CTS-HMAC-SHA1-96-data:

ENCTYPE_AES256_CTS_HMAC_SHA1_96
===============================

..
.. data:: ENCTYPE_AES256_CTS_HMAC_SHA1_96
..

RFC 3962.
====================================== ======================
``ENCTYPE_AES256_CTS_HMAC_SHA1_96``    ``0x0012``
====================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.rst.txt

.. highlight:: c

.. _KRB5-PADATA-PW-SALT-data:

KRB5_PADATA_PW_SALT
===================

..
.. data:: KRB5_PADATA_PW_SALT
..

RFC 4120.

========================== ======================
``KRB5_PADATA_PW_SALT``    ``3``
========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.rst.txt

.. highlight:: c

.. _KRB5-AUTH-CONTEXT-PERMIT-ALL-data:

KRB5_AUTH_CONTEXT_PERMIT_ALL
============================

..
.. data:: KRB5_AUTH_CONTEXT_PERMIT_ALL
..

=================================== ======================
``KRB5_AUTH_CONTEXT_PERMIT_ALL``    ``0x00000010``
=================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.rst.txt

.. highlight:: c

.. _KRB5-GC-FORWARDABLE-data:

KRB5_GC_FORWARDABLE
===================

..
.. data:: KRB5_GC_FORWARDABLE
..

Acquire forwardable tickets.

========================== ======================
``KRB5_GC_FORWARDABLE``    ``16``
========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AP_OPTIONS.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-AP-OPTIONS-data:

KRB5_AUTHDATA_AP_OPTIONS
========================

..
.. data:: KRB5_AUTHDATA_AP_OPTIONS
..

=============================== ======================
``KRB5_AUTHDATA_AP_OPTIONS``    ``143``
=============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.rst.txt

.. highlight:: c

.. _AP-OPTS-MUTUAL-REQUIRED-data:

AP_OPTS_MUTUAL_REQUIRED
=======================

..
.. data:: AP_OPTS_MUTUAL_REQUIRED
..

Perform a mutual authentication exchange.

============================== ======================
``AP_OPTS_MUTUAL_REQUIRED``    ``0x20000000``
============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.rst.txt

.. highlight:: c

.. _KRB5-PAC-UPN-DNS-INFO-data:

KRB5_PAC_UPN_DNS_INFO
=====================

..
.. data:: KRB5_PAC_UPN_DNS_INFO
..

User principal name and DNS info.

============================ ======================
``KRB5_PAC_UPN_DNS_INFO``    ``12``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.rst.txt

.. highlight:: c

.. _MSEC-VAL-MASK-data:

MSEC_VAL_MASK
=============

..
.. data:: MSEC_VAL_MASK
..

==================== ======================
``MSEC_VAL_MASK``    ``0x7fff``
==================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst.txt

.. highlight:: c

.. _KRB5-TKT-CREDS-STEP-FLAG-CONTINUE-data:

KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
=================================

..
.. data:: KRB5_TKT_CREDS_STEP_FLAG_CONTINUE
..

More responses needed.

======================================== ======================
``KRB5_TKT_CREDS_STEP_FLAG_CONTINUE``    ``0x1``
======================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.rst.txt

.. highlight:: c

.. _CKSUMTYPE-RSA-MD5-data:

CKSUMTYPE_RSA_MD5
=================

..
.. data:: CKSUMTYPE_RSA_MD5
..

======================== ======================
``CKSUMTYPE_RSA_MD5``    ``0x0007``
======================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.rst.txt

.. highlight:: c

.. _KRB5-GC-CONSTRAINED-DELEGATION-data:

KRB5_GC_CONSTRAINED_DELEGATION
==============================

..
.. data:: KRB5_GC_CONSTRAINED_DELEGATION
..

Constrained delegation.

===================================== ======================
``KRB5_GC_CONSTRAINED_DELEGATION``    ``64``
===================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PVNO.rst.txt

.. highlight:: c

.. _KRB5-PVNO-data:

KRB5_PVNO
=========

..
.. data:: KRB5_PVNO
..

Protocol version number.

================ ======================
``KRB5_PVNO``    ``5``
================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-KDC-REP-TICKET-data:

KRB5_KEYUSAGE_KDC_REP_TICKET
============================

..
.. data:: KRB5_KEYUSAGE_KDC_REP_TICKET
..

=================================== ======================
``KRB5_KEYUSAGE_KDC_REP_TICKET``    ``2``
=================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.rst.txt

.. highlight:: c

.. _KRB5-PADATA-FX-FAST-data:

KRB5_PADATA_FX_FAST
===================

..
.. data:: KRB5_PADATA_FX_FAST
..

RFC 6113.

========================== ======================
``KRB5_PADATA_FX_FAST``    ``136``
========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.rst.txt

.. highlight:: c

.. _KRB5-TC-MATCH-FLAGS-data:

KRB5_TC_MATCH_FLAGS
===================

..
.. data:: KRB5_TC_MATCH_FLAGS
..

All the flags set in the match credentials must be set.

========================== ======================
``KRB5_TC_MATCH_FLAGS``    ``0x00000004``
========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.rst.txt

.. highlight:: c

.. _KRB5-TC-MATCH-SRV-NAMEONLY-data:

KRB5_TC_MATCH_SRV_NAMEONLY
==========================

..
.. data:: KRB5_TC_MATCH_SRV_NAMEONLY
..

Only the name portion of the principal name must match.

================================= ======================
``KRB5_TC_MATCH_SRV_NAMEONLY``    ``0x00000040``
================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.rst.txt

.. highlight:: c

.. _KRB5-KPASSWD-HARDERROR-data:

KRB5_KPASSWD_HARDERROR
======================

..
.. data:: KRB5_KPASSWD_HARDERROR
..

Server error.
============================= ======================
``KRB5_KPASSWD_HARDERROR``    ``2``
============================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.rst.txt

.. highlight:: c

.. _KRB5-PADATA-OTP-REQUEST-data:

KRB5_PADATA_OTP_REQUEST
=======================

..
.. data:: KRB5_PADATA_OTP_REQUEST
..

RFC 6560 section 4.2.

============================== ======================
``KRB5_PADATA_OTP_REQUEST``    ``142``
============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-TGS-REQ-AD-SESSKEY-data:

KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY
================================

..
.. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY
..

======================================= ======================
``KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY``    ``4``
======================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.rst.txt

.. highlight:: c

.. _KRB5-PADATA-OTP-CHALLENGE-data:

KRB5_PADATA_OTP_CHALLENGE
=========================

..
.. data:: KRB5_PADATA_OTP_CHALLENGE
..

RFC 6560 section 4.1.

================================ ======================
``KRB5_PADATA_OTP_CHALLENGE``    ``141``
================================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-OSF-DCE-data:

KRB5_AUTHDATA_OSF_DCE
=====================

..
.. data:: KRB5_AUTHDATA_OSF_DCE
..

============================ ======================
``KRB5_AUTHDATA_OSF_DCE``    ``64``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.rst.txt

.. highlight:: c

.. _KRB5-PADATA-FX-COOKIE-data:

KRB5_PADATA_FX_COOKIE
=====================

..
.. data:: KRB5_PADATA_FX_COOKIE
..

RFC 6113.

============================ ======================
``KRB5_PADATA_FX_COOKIE``    ``133``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst.txt

.. highlight:: c

.. _ENCTYPE-AES256-CTS-HMAC-SHA384-192-data:

ENCTYPE_AES256_CTS_HMAC_SHA384_192
==================================

..
.. data:: ENCTYPE_AES256_CTS_HMAC_SHA384_192
..

RFC 8009.

========================================= ======================
``ENCTYPE_AES256_CTS_HMAC_SHA384_192``    ``0x0014``
========================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.rst.txt

.. highlight:: c

.. _KRB5-INT32-MAX-data:

KRB5_INT32_MAX
==============

..
.. data:: KRB5_INT32_MAX
..

===================== ======================
``KRB5_INT32_MAX``    ``2147483647``
===================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ONE-LAST-RENEWAL-data:

KRB5_LRQ_ONE_LAST_RENEWAL
=========================

..
.. data:: KRB5_LRQ_ONE_LAST_RENEWAL
..

================================ ======================
``KRB5_LRQ_ONE_LAST_RENEWAL``    ``(-4)``
================================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.rst.txt

.. highlight:: c

.. _ENCTYPE-DES-HMAC-SHA1-data:

ENCTYPE_DES_HMAC_SHA1
=====================

..
.. data:: ENCTYPE_DES_HMAC_SHA1
..

============================ ======================
``ENCTYPE_DES_HMAC_SHA1``    ``0x0008``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst.txt

.. highlight:: c

.. _KRB5-GET-INIT-CREDS-OPT-TKT-LIFE-data:

KRB5_GET_INIT_CREDS_OPT_TKT_LIFE
================================

..
.. data:: KRB5_GET_INIT_CREDS_OPT_TKT_LIFE
..

======================================= ======================
``KRB5_GET_INIT_CREDS_OPT_TKT_LIFE``    ``0x0001``
======================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.rst.txt

.. highlight:: c

.. _TKT-FLG-INITIAL-data:

TKT_FLG_INITIAL
===============

..
.. data:: TKT_FLG_INITIAL
..

====================== ======================
``TKT_FLG_INITIAL``    ``0x00400000``
====================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.rst.txt

.. highlight:: c

.. _KRB5-TC-MATCH-AUTHDATA-data:

KRB5_TC_MATCH_AUTHDATA
======================

..
.. data:: KRB5_TC_MATCH_AUTHDATA
..

The authorization data must match.

============================= ======================
``KRB5_TC_MATCH_AUTHDATA``    ``0x00000020``
============================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.rst.txt

.. highlight:: c

.. _KRB5-PADATA-PK-AS-REP-data:

KRB5_PADATA_PK_AS_REP
=====================

..
.. data:: KRB5_PADATA_PK_AS_REP
..

PKINIT. RFC 4556.

============================ ======================
``KRB5_PADATA_PK_AS_REP``    ``17``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.rst.txt

.. highlight:: c

.. _KRB5-PADATA-ENC-TIMESTAMP-data:

KRB5_PADATA_ENC_TIMESTAMP
=========================

..
.. data:: KRB5_PADATA_ENC_TIMESTAMP
..

RFC 4120.

================================ ======================
``KRB5_PADATA_ENC_TIMESTAMP``    ``2``
================================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst.txt

.. highlight:: c

.. _ENCTYPE-AES128-CTS-HMAC-SHA256-128-data:

ENCTYPE_AES128_CTS_HMAC_SHA256_128
==================================

..
.. data:: ENCTYPE_AES128_CTS_HMAC_SHA256_128
..

RFC 8009.

========================================= ======================
``ENCTYPE_AES128_CTS_HMAC_SHA256_128``    ``0x0013``
========================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.rst.txt

.. highlight:: c

.. _CKSUMTYPE-DESCBC-data:

CKSUMTYPE_DESCBC
================

..
.. data:: CKSUMTYPE_DESCBC
..
======================= ======================
``CKSUMTYPE_DESCBC``    ``0x0004``
======================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.rst.txt

.. highlight:: c

.. _KRB5-PADATA-FOR-USER-data:

KRB5_PADATA_FOR_USER
====================

..
.. data:: KRB5_PADATA_FOR_USER
..

Username protocol transition request.

=========================== ======================
``KRB5_PADATA_FOR_USER``    ``129``
=========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.rst.txt

.. highlight:: c

.. _TKT-FLG-HW-AUTH-data:

TKT_FLG_HW_AUTH
===============

..
.. data:: TKT_FLG_HW_AUTH
..

====================== ======================
``TKT_FLG_HW_AUTH``    ``0x00100000``
====================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb5_princ_component.rst.txt

.. highlight:: c

.. _krb5-princ-component-data:

krb5_princ_component
====================

..
.. data:: krb5_princ_component
..

=============================================== ======================
``krb5_princ_component (context, princ, i)``    ``(((i) < krb5_princ_size(context, princ)) ? (princ)->data + (i) : NULL)``
=============================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.rst.txt

.. highlight:: c

.. _KRB5-NT-MS-PRINCIPAL-data:

KRB5_NT_MS_PRINCIPAL
====================

..
.. data:: KRB5_NT_MS_PRINCIPAL
..

Windows 2000 UPN and SID.

=========================== ======================
``KRB5_NT_MS_PRINCIPAL``    ``-128``
=========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.rst.txt

.. highlight:: c

.. _LR-TYPE-THIS-SERVER-ONLY-data:

LR_TYPE_THIS_SERVER_ONLY
========================

..
.. data:: LR_TYPE_THIS_SERVER_ONLY
..

=============================== ======================
``LR_TYPE_THIS_SERVER_ONLY``    ``0x8000``
=============================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst.txt

.. highlight:: c

.. _KRB5-GET-INIT-CREDS-OPT-RENEW-LIFE-data:

KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE
==================================

..
.. data:: KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE
..

========================================= ======================
``KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE``    ``0x0002``
========================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.rst.txt

.. highlight:: c

.. _KRB5-PADATA-PK-AS-REP-OLD-data:

KRB5_PADATA_PK_AS_REP_OLD
=========================

..
.. data:: KRB5_PADATA_PK_AS_REP_OLD
..

PKINIT.

================================ ======================
``KRB5_PADATA_PK_AS_REP_OLD``    ``15``
================================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-TGS-REQ-AUTH-data:

KRB5_KEYUSAGE_TGS_REQ_AUTH
==========================

..
.. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH
..

================================= ======================
``KRB5_KEYUSAGE_TGS_REQ_AUTH``    ``7``
================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.rst.txt

.. highlight:: c

.. _KDC-OPT-FORWARDED-data:

KDC_OPT_FORWARDED
=================

..
.. data:: KDC_OPT_FORWARDED
..

======================== ======================
``KDC_OPT_FORWARDED``    ``0x20000000``
======================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.rst.txt

.. highlight:: c

.. _KRB5-PADATA-OTP-PIN-CHANGE-data:

KRB5_PADATA_OTP_PIN_CHANGE
==========================

..
.. data:: KRB5_PADATA_OTP_PIN_CHANGE
..

RFC 6560 section 4.3.

================================= ======================
``KRB5_PADATA_OTP_PIN_CHANGE``    ``144``
================================= ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.rst.txt

.. highlight:: c

.. _KRB5-GC-CANONICALIZE-data:

KRB5_GC_CANONICALIZE
====================

..
.. data:: KRB5_GC_CANONICALIZE
..

Set canonicalize KDC option.

=========================== ======================
``KRB5_GC_CANONICALIZE``    ``4``
=========================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-AUTH-INDICATOR-data:

KRB5_AUTHDATA_AUTH_INDICATOR
============================

..
.. data:: KRB5_AUTHDATA_AUTH_INDICATOR
..

=================================== ======================
``KRB5_AUTHDATA_AUTH_INDICATOR``    ``97``
=================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst.txt

.. highlight:: c

.. _KRB5-PRINCIPAL-UNPARSE-NO-REALM-data:

KRB5_PRINCIPAL_UNPARSE_NO_REALM
===============================

..
.. data:: KRB5_PRINCIPAL_UNPARSE_NO_REALM
..

Omit realm always.

====================================== ======================
``KRB5_PRINCIPAL_UNPARSE_NO_REALM``    ``0x2``
====================================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.rst.txt

.. highlight:: c

.. _KRB5-GC-CACHED-data:

KRB5_GC_CACHED
==============

..
.. data:: KRB5_GC_CACHED
..

Want cached ticket only.

===================== ======================
``KRB5_GC_CACHED``    ``2``
===================== ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.rst.txt

.. highlight:: c

.. _KRB5-LRQ-ONE-LAST-REQ-data:

KRB5_LRQ_ONE_LAST_REQ
=====================

..
.. data:: KRB5_LRQ_ONE_LAST_REQ
..

============================ ======================
``KRB5_LRQ_ONE_LAST_REQ``    ``(-5)``
============================ ======================

.. file: krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.rst.txt

.. highlight:: c

.. _KRB5-GC-NO-TRANSIT-CHECK-data:

KRB5_GC_NO_TRANSIT_CHECK
========================

..
.. data:: KRB5_GC_NO_TRANSIT_CHECK
..

Disable transited check.
=============================== ====================== ``KRB5_GC_NO_TRANSIT_CHECK`` ``32`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.rst.txt0000644000704600001450000000033614076311665026407 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-ISO-data: ADDRTYPE_ISO ============ .. .. data:: ADDRTYPE_ISO .. =================== ====================== ``ADDRTYPE_ISO`` ``0x0007`` =================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.rst.txt0000644000704600001450000000052114076311665030743 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-IAKERB-FINISHED-data: KRB5_KEYUSAGE_IAKERB_FINISHED ============================= .. .. data:: KRB5_KEYUSAGE_IAKERB_FINISHED .. ==================================== ====================== ``KRB5_KEYUSAGE_IAKERB_FINISHED`` ``42`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst.txt0000644000704600001450000000056414076311665031551 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-ENC-CHALLENGE-CLIENT-data: KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT ================================== .. .. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT .. ========================================= ====================== ``KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT`` ``54`` ========================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.rst.txt0000644000704600001450000000220214076311665030650 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RESPONDER-QUESTION-OTP-data: KRB5_RESPONDER_QUESTION_OTP =========================== .. .. data:: KRB5_RESPONDER_QUESTION_OTP .. OTP responder question. The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. 
The JSON format of the challenge is: :: { "service": , "tokenInfo": [ { "flags": , "vendor": , "challenge": , "length": , "format": , "tokenID": , "algID": , }, ... ] } The answer to the question MUST be JSON formatted: :: { "tokeninfo": , "value": , "pin": , } For more detail, please see RFC 6560. ================================== ====================== ``KRB5_RESPONDER_QUESTION_OTP`` ``"otp"`` ================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.rst.txt0000644000704600001450000000042114076311665027515 0ustar ghudsonsystemd-journal.. highlight:: c .. _SALT-TYPE-NO-LENGTH-data: SALT_TYPE_NO_LENGTH =================== .. .. data:: SALT_TYPE_NO_LENGTH .. ========================== ====================== ``SALT_TYPE_NO_LENGTH`` ``UINT_MAX`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_OPTIONS.rst.txt0000644000704600001450000000047414076311665030077 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-PAC-OPTIONS-data: KRB5_PADATA_PAC_OPTIONS ======================= .. .. data:: KRB5_PADATA_PAC_OPTIONS .. MS-KILE and MS-SFU. ============================== ====================== ``KRB5_PADATA_PAC_OPTIONS`` ``167`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.rst.txt0000644000704600001450000000061014076311665030647 0ustar ghudsonsystemd-journal.. highlight:: c .. _CKSUMTYPE-HMAC-SHA1-96-AES256-data: CKSUMTYPE_HMAC_SHA1_96_AES256 ============================= .. .. data:: CKSUMTYPE_HMAC_SHA1_96_AES256 .. RFC 3962. 
Used with ENCTYPE_AES256_CTS_HMAC_SHA1_96 ==================================== ====================== ``CKSUMTYPE_HMAC_SHA1_96_AES256`` ``0x0010`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst.txt0000644000704600001450000000053714076311665031336 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-AP-REQ-AUTH-CKSUM-data: KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM =============================== .. .. data:: KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM .. ====================================== ====================== ``KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM`` ``10`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.rst.txt0000644000704600001450000000041514076311665026571 0ustar ghudsonsystemd-journal.. highlight:: c .. _THREEPARAMOPEN-data: THREEPARAMOPEN ============== .. .. data:: THREEPARAMOPEN .. ============================== ====================== ``THREEPARAMOPEN (x, y, z)`` ``open(x,y,z)`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.rst.txt0000644000704600001450000000043514076311665027225 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-NT-WELLKNOWN-data: KRB5_NT_WELLKNOWN ================= .. .. data:: KRB5_NT_WELLKNOWN .. Well-known (special) principal. ======================== ====================== ``KRB5_NT_WELLKNOWN`` ``11`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst.txt0000644000704600001450000000056114076311665031555 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-PROXIABLE-data: KRB5_GET_INIT_CREDS_OPT_PROXIABLE ================================= .. .. data:: KRB5_GET_INIT_CREDS_OPT_PROXIABLE .. 
======================================== ====================== ``KRB5_GET_INIT_CREDS_OPT_PROXIABLE`` ``0x0008`` ======================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.rst.txt0000644000704600001450000000053014076311665030340 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-ENC-UNIX-TIME-data: KRB5_PADATA_ENC_UNIX_TIME ========================= .. .. data:: KRB5_PADATA_ENC_UNIX_TIME .. timestamp encrypted in key. RFC 4120 ================================ ====================== ``KRB5_PADATA_ENC_UNIX_TIME`` ``5`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.rst.txt0000644000704600001450000000056014076311665030740 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-UNPARSE-SHORT-data: KRB5_PRINCIPAL_UNPARSE_SHORT ============================ .. .. data:: KRB5_PRINCIPAL_UNPARSE_SHORT .. Omit realm if it is the local realm. =================================== ====================== ``KRB5_PRINCIPAL_UNPARSE_SHORT`` ``0x1`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.rst.txt0000644000704600001450000000040514076311665027174 0ustar ghudsonsystemd-journal.. highlight:: c .. _TKT-FLG-RENEWABLE-data: TKT_FLG_RENEWABLE ================= .. .. data:: TKT_FLG_RENEWABLE .. ======================== ====================== ``TKT_FLG_RENEWABLE`` ``0x00800000`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.rst.txt0000644000704600001450000000044114076311665027713 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-REALM-BRANCH-CHAR-data: KRB5_REALM_BRANCH_CHAR ====================== .. .. data:: KRB5_REALM_BRANCH_CHAR .. 
============================= ====================== ``KRB5_REALM_BRANCH_CHAR`` ``'.'`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.rst.txt0000644000704600001450000000043014076311665027726 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-LRQ-ALL-LAST-TGT-data: KRB5_LRQ_ALL_LAST_TGT ===================== .. .. data:: KRB5_LRQ_ALL_LAST_TGT .. ============================ ====================== ``KRB5_LRQ_ALL_LAST_TGT`` ``1`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst.txt0000644000704600001450000000065414076311665031331 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KPASSWD-INITIAL-FLAG-NEEDED-data: KRB5_KPASSWD_INITIAL_FLAG_NEEDED ================================ .. .. data:: KRB5_KPASSWD_INITIAL_FLAG_NEEDED .. The presented credentials were not obtained using a password directly. ======================================= ====================== ``KRB5_KPASSWD_INITIAL_FLAG_NEEDED`` ``7`` ======================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.rst.txt0000644000704600001450000000053714076311665030331 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-MATCH-FLAGS-EXACT-data: KRB5_TC_MATCH_FLAGS_EXACT ========================= .. .. data:: KRB5_TC_MATCH_FLAGS_EXACT .. All the flags must match exactly. ================================ ====================== ``KRB5_TC_MATCH_FLAGS_EXACT`` ``0x00000010`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst.txt0000644000704600001450000000060714076311665031214 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTH-CONTEXT-RET-SEQUENCE-data: KRB5_AUTH_CONTEXT_RET_SEQUENCE ============================== .. .. data:: KRB5_AUTH_CONTEXT_RET_SEQUENCE .. 
Save sequence numbers for application. ===================================== ====================== ``KRB5_AUTH_CONTEXT_RET_SEQUENCE`` ``0x00000008`` ===================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRED.rst.txt0000644000704600001450000000035614076311665025763 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-CRED-data: KRB5_CRED ========= .. .. data:: KRB5_CRED .. Cred forwarding message. ================ ====================== ``KRB5_CRED`` ``((krb5_msgtype)22)`` ================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.rst.txt0000644000704600001450000000047214076311665027526 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-DES3-CBC-ENV-data: ENCTYPE_DES3_CBC_ENV ==================== .. .. data:: ENCTYPE_DES3_CBC_ENV .. DES-3 cbc mode, CMS enveloped data. =========================== ====================== ``ENCTYPE_DES3_CBC_ENV`` ``0x000f`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.rst.txt0000644000704600001450000000043514076311665027420 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PAC-LOGON-INFO-data: KRB5_PAC_LOGON_INFO =================== .. .. data:: KRB5_PAC_LOGON_INFO .. Logon information. ========================== ====================== ``KRB5_PAC_LOGON_INFO`` ``1`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.rst.txt0000644000704600001450000000047114076311665030025 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KPASSWD-SOFTERROR-data: KRB5_KPASSWD_SOFTERROR ====================== .. .. data:: KRB5_KPASSWD_SOFTERROR .. Password change rejected. 
============================= ====================== ``KRB5_KPASSWD_SOFTERROR`` ``4`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.rst.txt0000644000704600001450000000047714076311665027661 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-MATCH-2ND-TKT-data: KRB5_TC_MATCH_2ND_TKT ===================== .. .. data:: KRB5_TC_MATCH_2ND_TKT .. The second ticket must match. ============================ ====================== ``KRB5_TC_MATCH_2ND_TKT`` ``0x00000080`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.rst.txt0000644000704600001450000000050014076311665030246 0ustar ghudsonsystemd-journal.. highlight:: c .. _AP-OPTS-USE-SESSION-KEY-data: AP_OPTS_USE_SESSION_KEY ======================= .. .. data:: AP_OPTS_USE_SESSION_KEY .. Use session key. ============================== ====================== ``AP_OPTS_USE_SESSION_KEY`` ``0x40000000`` ============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.rst.txt0000644000704600001450000000051014076311665030455 0ustar ghudsonsystemd-journal.. highlight:: c .. _CKSUMTYPE-HMAC-MD5-ARCFOUR-data: CKSUMTYPE_HMAC_MD5_ARCFOUR ========================== .. .. data:: CKSUMTYPE_HMAC_MD5_ARCFOUR .. RFC 4757. ================================= ====================== ``CKSUMTYPE_HMAC_MD5_ARCFOUR`` ``-138`` ================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.rst.txt0000644000704600001450000000054714076311665031245 0ustar ghudsonsystemd-journal.. highlight:: c .. _KDC-OPT-DISABLE-TRANSITED-CHECK-data: KDC_OPT_DISABLE_TRANSITED_CHECK =============================== .. .. data:: KDC_OPT_DISABLE_TRANSITED_CHECK .. 
====================================== ====================== ``KDC_OPT_DISABLE_TRANSITED_CHECK`` ``0x00000020`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst.txt0000644000704600001450000000065314076311665031517 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RESPONDER-OTP-FORMAT-DECIMAL-data: KRB5_RESPONDER_OTP_FORMAT_DECIMAL ================================= .. .. data:: KRB5_RESPONDER_OTP_FORMAT_DECIMAL .. These format constants identify the format of the token value. ======================================== ====================== ``KRB5_RESPONDER_OTP_FORMAT_DECIMAL`` ``0`` ======================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.rst.txt0000644000704600001450000000054514076311665030355 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TC-MATCH-TIMES-EXACT-data: KRB5_TC_MATCH_TIMES_EXACT ========================= .. .. data:: KRB5_TC_MATCH_TIMES_EXACT .. All the time fields must match exactly. ================================ ====================== ``KRB5_TC_MATCH_TIMES_EXACT`` ``0x00000008`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.rst.txt0000644000704600001450000000042314076311665027411 0ustar ghudsonsystemd-journal.. highlight:: c .. _KDC-OPT-FORWARDABLE-data: KDC_OPT_FORWARDABLE =================== .. .. data:: KDC_OPT_FORWARDABLE .. ========================== ====================== ``KDC_OPT_FORWARDABLE`` ``0x40000000`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.rst.txt0000644000704600001450000000050714076311665030701 0ustar ghudsonsystemd-journal.. highlight:: c .. _LR-TYPE-INTERPRETATION-MASK-data: LR_TYPE_INTERPRETATION_MASK =========================== .. .. data:: LR_TYPE_INTERPRETATION_MASK .. 
================================== ====================== ``LR_TYPE_INTERPRETATION_MASK`` ``0x7fff`` ================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.rst.txt0000644000704600001450000000037614076311665027061 0ustar ghudsonsystemd-journal.. highlight:: c .. _KDC-OPT-VALIDATE-data: KDC_OPT_VALIDATE ================ .. .. data:: KDC_OPT_VALIDATE .. ======================= ====================== ``KDC_OPT_VALIDATE`` ``0x00000001`` ======================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst.txt0000644000704600001450000000061014076311665032156 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RESPONDER-OTP-FORMAT-HEXADECIMAL-data: KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL ===================================== .. .. data:: KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL .. ============================================ ====================== ``KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL`` ``1`` ============================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.rst.txt0000644000704600001450000000053414076311665030541 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-UTF8-data: KRB5_PRINCIPAL_COMPARE_UTF8 =========================== .. .. data:: KRB5_PRINCIPAL_COMPARE_UTF8 .. treat principals as UTF-8 ================================== ====================== ``KRB5_PRINCIPAL_COMPARE_UTF8`` ``8`` ================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.rst.txt0000644000704600001450000000053614076311665030256 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-S4U-X509-USER-data: KRB5_PADATA_S4U_X509_USER ========================= .. .. data:: KRB5_PADATA_S4U_X509_USER .. 
certificate protocol transition request ================================ ====================== ``KRB5_PADATA_S4U_X509_USER`` ``130`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.rst.txt0000644000704600001450000000050214076311665031226 0ustar ghudsonsystemd-journal.. highlight:: c .. _krb524-convert-creds-kdc-data: krb524_convert_creds_kdc ======================== .. .. data:: krb524_convert_creds_kdc .. =============================== ====================== ``krb524_convert_creds_kdc`` ``krb5_524_convert_creds`` =============================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SPAKE.rst.txt0000644000704600001450000000037614076311665027125 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-SPAKE-data: KRB5_PADATA_SPAKE ================= .. .. data:: KRB5_PADATA_SPAKE .. ======================== ====================== ``KRB5_PADATA_SPAKE`` ``151`` ======================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.rst.txt0000644000704600001450000000053414076311665030726 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-NT-ENTERPRISE-PRINCIPAL-data: KRB5_NT_ENTERPRISE_PRINCIPAL ============================ .. .. data:: KRB5_NT_ENTERPRISE_PRINCIPAL .. Windows 2000 UPN. =================================== ====================== ``KRB5_NT_ENTERPRISE_PRINCIPAL`` ``10`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst.txt0000644000704600001450000000061014076311665032261 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SESSKEY-data: KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY ===================================== .. .. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY .. 
============================================ ====================== ``KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY`` ``8`` ============================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.rst.txt0000644000704600001450000000050014076311665030511 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-RECVAUTH-SKIP-VERSION-data: KRB5_RECVAUTH_SKIP_VERSION ========================== .. .. data:: KRB5_RECVAUTH_SKIP_VERSION .. ================================= ====================== ``KRB5_RECVAUTH_SKIP_VERSION`` ``0x0001`` ================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.rst.txt0000644000704600001450000000054514076311665030734 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-NT-ENT-PRINCIPAL-AND-ID-data: KRB5_NT_ENT_PRINCIPAL_AND_ID ============================ .. .. data:: KRB5_NT_ENT_PRINCIPAL_AND_ID .. NT 4 style name and SID. =================================== ====================== ``KRB5_NT_ENT_PRINCIPAL_AND_ID`` ``-130`` =================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.rst.txt0000644000704600001450000000045414076311665030104 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-CRYPTO-TYPE-EMPTY-data: KRB5_CRYPTO_TYPE_EMPTY ====================== .. .. data:: KRB5_CRYPTO_TYPE_EMPTY .. [in] ignored ============================= ====================== ``KRB5_CRYPTO_TYPE_EMPTY`` ``0`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.rst.txt0000644000704600001450000000032714076311665026245 0ustar ghudsonsystemd-journal.. highlight:: c .. _MSEC-DIRBIT-data: MSEC_DIRBIT =========== .. .. data:: MSEC_DIRBIT .. 
================== ====================== ``MSEC_DIRBIT`` ``0x8000`` ================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.rst.txt0000644000704600001450000000044014076311665027770 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTHDATA-FX-ARMOR-data: KRB5_AUTHDATA_FX_ARMOR ====================== .. .. data:: KRB5_AUTHDATA_FX_ARMOR .. ============================= ====================== ``KRB5_AUTHDATA_FX_ARMOR`` ``71`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.rst.txt0000644000704600001450000000052514076311665030015 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-WELLKNOWN-NAMESTR-data: KRB5_WELLKNOWN_NAMESTR ====================== .. .. data:: KRB5_WELLKNOWN_NAMESTR .. First component of NT_WELLKNOWN principals. ============================= ====================== ``KRB5_WELLKNOWN_NAMESTR`` ``"WELLKNOWN"`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.rst.txt0000644000704600001450000000037114076311665026547 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-INT16-MIN-data: KRB5_INT16_MIN ============== .. .. data:: KRB5_INT16_MIN .. ===================== ====================== ``KRB5_INT16_MIN`` ``(-KRB5_INT16_MAX-1)`` ===================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.rst.txt0000644000704600001450000000056114076311665031025 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PADATA-SVR-REFERRAL-INFO-data: KRB5_PADATA_SVR_REFERRAL_INFO ============================= .. .. data:: KRB5_PADATA_SVR_REFERRAL_INFO .. Windows 2000 referrals. 
RFC 6820 ==================================== ====================== ``KRB5_PADATA_SVR_REFERRAL_INFO`` ``20`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.rst.txt0000644000704600001450000000033614076311665026425 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-XNS-data: ADDRTYPE_XNS ============ .. .. data:: ADDRTYPE_XNS .. =================== ====================== ``ADDRTYPE_XNS`` ``0x0006`` =================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst.txt0000644000704600001450000000055714076311665031200 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-CASEFOLD-data: KRB5_PRINCIPAL_COMPARE_CASEFOLD =============================== .. .. data:: KRB5_PRINCIPAL_COMPARE_CASEFOLD .. case-insensitive ====================================== ====================== ``KRB5_PRINCIPAL_COMPARE_CASEFOLD`` ``4`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.rst.txt0000644000704600001450000000053614076311665030471 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-PA-FX-COOKIE-data: KRB5_KEYUSAGE_PA_FX_COOKIE ========================== .. .. data:: KRB5_KEYUSAGE_PA_FX_COOKIE .. Used for encrypted FAST cookies. ================================= ====================== ``KRB5_KEYUSAGE_PA_FX_COOKIE`` ``513`` ================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.rst.txt0000644000704600001450000000041714076311665027443 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-DES-CBC-RAW-data: ENCTYPE_DES_CBC_RAW =================== .. .. data:: ENCTYPE_DES_CBC_RAW .. 
========================== ====================== ``ENCTYPE_DES_CBC_RAW`` ``0x0004`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.rst.txt0000644000704600001450000000034514076311665026514 0ustar ghudsonsystemd-journal.. highlight:: c .. _ADDRTYPE-INET-data: ADDRTYPE_INET ============= .. .. data:: ADDRTYPE_INET .. ==================== ====================== ``ADDRTYPE_INET`` ``0x0002`` ==================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.rst.txt0000644000704600001450000000052614076311665030624 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-NT-MS-PRINCIPAL-AND-ID-data: KRB5_NT_MS_PRINCIPAL_AND_ID =========================== .. .. data:: KRB5_NT_MS_PRINCIPAL_AND_ID .. NT 4 style name. ================================== ====================== ``KRB5_NT_MS_PRINCIPAL_AND_ID`` ``-129`` ================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.rst.txt0000644000704600001450000000041714076311665027377 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-DES-CBC-MD5-data: ENCTYPE_DES_CBC_MD5 =================== .. .. data:: ENCTYPE_DES_CBC_MD5 .. ========================== ====================== ``ENCTYPE_DES_CBC_MD5`` ``0x0003`` ========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst.txt0000644000704600001450000000061514076311665032325 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-GET-INIT-CREDS-OPT-CHG-PWD-PRMPT-data: KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT ===================================== .. .. data:: KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT .. 
============================================ ====================== ``KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT`` ``0x0100`` ============================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst.txt0000644000704600001450000000063214076311665031735 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-ALTAUTH-ATT-CHALLENGE-RESPONSE-data: KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE =================================== .. .. data:: KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE .. alternate authentication types ========================================== ====================== ``KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE`` ``64`` ========================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.rst.txt0000644000704600001450000000054514076311665030543 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTH-CONTEXT-RET-TIME-data: KRB5_AUTH_CONTEXT_RET_TIME ========================== .. .. data:: KRB5_AUTH_CONTEXT_RET_TIME .. Save timestamps for application. ================================= ====================== ``KRB5_AUTH_CONTEXT_RET_TIME`` ``0x00000002`` ================================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.rst.txt0000644000704600001450000000047514076311665030407 0ustar ghudsonsystemd-journal.. highlight:: c .. _KDC-OPT-CNAME-IN-ADDL-TKT-data: KDC_OPT_CNAME_IN_ADDL_TKT ========================= .. .. data:: KDC_OPT_CNAME_IN_ADDL_TKT .. ================================ ====================== ``KDC_OPT_CNAME_IN_ADDL_TKT`` ``0x00020000`` ================================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.rst.txt0000644000704600001450000000055214076311665031155 0ustar ghudsonsystemd-journal.. highlight:: c .. 
_KRB5-PADATA-ENCRYPTED-CHALLENGE-data: KRB5_PADATA_ENCRYPTED_CHALLENGE =============================== .. .. data:: KRB5_PADATA_ENCRYPTED_CHALLENGE .. RFC 6113. ====================================== ====================== ``KRB5_PADATA_ENCRYPTED_CHALLENGE`` ``138`` ====================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst.txt0000644000704600001450000000060514076311665031472 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-PRINCIPAL-COMPARE-ENTERPRISE-data: KRB5_PRINCIPAL_COMPARE_ENTERPRISE ================================= .. .. data:: KRB5_PRINCIPAL_COMPARE_ENTERPRISE .. UPNs as real principals. ======================================== ====================== ``KRB5_PRINCIPAL_COMPARE_ENTERPRISE`` ``2`` ======================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.rst.txt0000644000704600001450000000042214076311665027434 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AUTHDATA-CAMMAC-data: KRB5_AUTHDATA_CAMMAC ==================== .. .. data:: KRB5_AUTHDATA_CAMMAC .. =========================== ====================== ``KRB5_AUTHDATA_CAMMAC`` ``96`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.rst.txt0000644000704600001450000000044514076311665027302 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-FAST-REQUIRED-data: KRB5_FAST_REQUIRED ================== .. .. data:: KRB5_FAST_REQUIRED .. Require KDC to support FAST. ========================= ====================== ``KRB5_FAST_REQUIRED`` ``0x0001`` ========================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.rst.txt0000644000704600001450000000042614076311665027526 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-DES3-CBC-RAW-data: ENCTYPE_DES3_CBC_RAW ==================== .. .. 
data:: ENCTYPE_DES3_CBC_RAW .. =========================== ====================== ``ENCTYPE_DES3_CBC_RAW`` ``0x0006`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst.txt0000644000704600001450000000052114076311665031053 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-FAST-REQ-CHKSUM-data: KRB5_KEYUSAGE_FAST_REQ_CHKSUM ============================= .. .. data:: KRB5_KEYUSAGE_FAST_REQ_CHKSUM .. ==================================== ====================== ``KRB5_KEYUSAGE_FAST_REQ_CHKSUM`` ``50`` ==================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.rst.txt0000644000704600001450000000044014076311665027757 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-KEYUSAGE-FAST-ENC-data: KRB5_KEYUSAGE_FAST_ENC ====================== .. .. data:: KRB5_KEYUSAGE_FAST_ENC .. ============================= ====================== ``KRB5_KEYUSAGE_FAST_ENC`` ``51`` ============================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.rst.txt0000644000704600001450000000040314076311665027326 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-TGS-NAME-SIZE-data: KRB5_TGS_NAME_SIZE ================== .. .. data:: KRB5_TGS_NAME_SIZE .. ========================= ====================== ``KRB5_TGS_NAME_SIZE`` ``6`` ========================= ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.rst.txt0000644000704600001450000000037314076311665026256 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-AS-REP-data: KRB5_AS_REP =========== .. .. data:: KRB5_AS_REP .. Response to AS request. 
================== ====================== ``KRB5_AS_REP`` ``((krb5_msgtype)11)`` ================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst.txt0000644000704600001450000000064214076311665032654 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-VERIFY-INIT-CREDS-OPT-AP-REQ-NOFAIL-data: KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL ======================================== .. .. data:: KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL .. =============================================== ====================== ``KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL`` ``0x0001`` =============================================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.rst.txt0000644000704600001450000000043314076311665027742 0ustar ghudsonsystemd-journal.. highlight:: c .. _KRB5-LRQ-ONE-LAST-TGT-data: KRB5_LRQ_ONE_LAST_TGT ===================== .. .. data:: KRB5_LRQ_ONE_LAST_TGT .. ============================ ====================== ``KRB5_LRQ_ONE_LAST_TGT`` ``(-1)`` ============================ ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.rst.txt0000644000704600001450000000044014076311665027535 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-ARCFOUR-HMAC-data: ENCTYPE_ARCFOUR_HMAC ==================== .. .. data:: ENCTYPE_ARCFOUR_HMAC .. RFC 4757. =========================== ====================== ``ENCTYPE_ARCFOUR_HMAC`` ``0x0017`` =========================== ====================== krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.rst.txt0000644000704600001450000000045414076311665027445 0ustar ghudsonsystemd-journal.. highlight:: c .. _ENCTYPE-MD5-RSA-CMS-data: ENCTYPE_MD5_RSA_CMS =================== .. .. data:: ENCTYPE_MD5_RSA_CMS .. MD5 with RSA, CMS signature. 
========================== ======================
``ENCTYPE_MD5_RSA_CMS``    ``0x000a``
========================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.rst.txt

.. highlight:: c

.. _ENCTYPE-UNKNOWN-data:

ENCTYPE_UNKNOWN
===============

..
.. data:: ENCTYPE_UNKNOWN
..

====================== ======================
``ENCTYPE_UNKNOWN``    ``0x01ff``
====================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_SPAKE.rst.txt

.. highlight:: c

.. _KRB5-KEYUSAGE-SPAKE-data:

KRB5_KEYUSAGE_SPAKE
===================

..
.. data:: KRB5_KEYUSAGE_SPAKE
..

========================== ======================
``KRB5_KEYUSAGE_SPAKE``    ``65``
========================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst.txt

.. highlight:: c

.. _KRB5-RESPONDER-OTP-FORMAT-ALPHANUMERIC-data:

KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC
======================================

..
.. data:: KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC
..

============================================= ======================
``KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC``    ``2``
============================================= ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.rst.txt

.. highlight:: c

.. _KRB5-CRYPTO-TYPE-SIGN-ONLY-data:

KRB5_CRYPTO_TYPE_SIGN_ONLY
==========================

..
.. data:: KRB5_CRYPTO_TYPE_SIGN_ONLY
..
[in] associated data

================================= ======================
``KRB5_CRYPTO_TYPE_SIGN_ONLY``    ``3``
================================= ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.rst.txt

.. highlight:: c

.. _ENCTYPE-RSA-ENV-data:

ENCTYPE_RSA_ENV
===============

..
.. data:: ENCTYPE_RSA_ENV
..

RSA encryption, CMS enveloped data.

====================== ======================
``ENCTYPE_RSA_ENV``    ``0x000d``
====================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst.txt

.. highlight:: c

.. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-ADDR-data:

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
=====================================

..
.. data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
..

Generate the local network address.

============================================ ======================
``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR``    ``0x00000001``
============================================ ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.rst.txt

.. highlight:: c

.. _KRB5-AUTHDATA-SESAME-data:

KRB5_AUTHDATA_SESAME
====================

..
.. data:: KRB5_AUTHDATA_SESAME
..

=========================== ======================
``KRB5_AUTHDATA_SESAME``    ``65``
=========================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst.txt

.. highlight:: c

.. _ENCTYPE-AES128-CTS-HMAC-SHA1-96-data:

ENCTYPE_AES128_CTS_HMAC_SHA1_96
===============================

..
.. data:: ENCTYPE_AES128_CTS_HMAC_SHA1_96
..

RFC 3962.
====================================== ======================
``ENCTYPE_AES128_CTS_HMAC_SHA1_96``    ``0x0011``
====================================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.rst.txt

.. highlight:: c

.. _MAX-KEYTAB-NAME-LEN-data:

MAX_KEYTAB_NAME_LEN
===================

..
.. data:: MAX_KEYTAB_NAME_LEN
..

Long enough for MAXPATHLEN + some extra.

========================== ======================
``MAX_KEYTAB_NAME_LEN``    ``1100``
========================== ======================

krb5-1.19.2/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst.txt

.. highlight:: c

.. _KRB5-PRINCIPAL-PARSE-IGNORE-REALM-data:

KRB5_PRINCIPAL_PARSE_IGNORE_REALM
=================================

..
.. data:: KRB5_PRINCIPAL_PARSE_IGNORE_REALM
..

Ignore realm if present.

======================================== ======================
``KRB5_PRINCIPAL_PARSE_IGNORE_REALM``    ``0x8``
======================================== ======================

krb5-1.19.2/doc/html/_sources/appdev/y2038.rst.txt

Year 2038 considerations for uses of krb5_timestamp
===================================================

POSIX time values, which measure the number of seconds since January 1
1970, will exceed the maximum value representable in a signed 32-bit
integer in January 2038.  This documentation describes considerations
for consumers of the MIT krb5 libraries.

Applications or libraries which use libkrb5 and consume the timestamps
included in credentials or other structures make use of the
:c:type:`krb5_timestamp` type.  For historical reasons, krb5_timestamp
is a signed 32-bit integer, even on platforms where a larger type is
natively used to represent time values.
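The following program is an added example and is not part of the krb5
documentation or source.  It shows what the signed 32-bit representation
just described does to a date past January 2038, and how the
uint32_t-then-time_t cast that this document recommends recovers the
intended value on a platform with a 64-bit time_t.  The krb5_timestamp
typedef is declared locally as a stand-in so that the program builds
without libkrb5, and the 2040 sample value is constructed for the
demonstration:

```c
/* Added example, not part of the krb5 documentation: shows why a signed
 * 32-bit krb5_timestamp misreads dates after January 2038 and how the
 * (time_t)(uint32_t) cast recommended on this page recovers the intended
 * value when the platform's time_t is 64 bits wide. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Stand-in for the krb5_timestamp typedef from the krb5 headers, declared
 * here so the example builds without libkrb5.  The page states that the
 * real type is a signed 32-bit integer. */
typedef int32_t krb5_timestamp;

/* Naive conversion: a plain cast sign-extends, so any timestamp whose top
 * bit is set (dates from 2038-01-19 onward) becomes a negative time_t. */
time_t ts_to_time_naive(krb5_timestamp ts)
{
    return (time_t)ts;
}

/* Recommended conversion: reinterpret the 32 bits as unsigned first, then
 * widen to time_t.  Correct through February 2106 with a 64-bit time_t. */
time_t ts_to_time(krb5_timestamp ts)
{
    return (time_t)(uint32_t)ts;
}

/* Reverse direction, for code that produces timestamps: keep the low 32
 * bits.  Returns 0 and leaves *out untouched when the value cannot survive
 * the round trip, i.e. it is negative or beyond 32 unsigned bits. */
int time_to_ts(time_t t, krb5_timestamp *out)
{
    if (t < 0 || (uint64_t)t > UINT32_MAX)
        return 0;
    *out = (krb5_timestamp)(uint32_t)t;   /* two's-complement wrap */
    return 1;
}

/* Round-trip a time through krb5_timestamp storage using the recommended
 * cast; returns -1 when the value is outside the representable range. */
int64_t roundtrip(time_t t)
{
    krb5_timestamp ts;

    if (!time_to_ts(t, &ts))
        return -1;
    return (int64_t)ts_to_time(ts);
}

/* Constructed sample: 2040-01-01T00:00:00Z is 2208988800 seconds after the
 * epoch, above INT32_MAX (2147483647), so a krb5_timestamp stores it as
 * 2208988800 - 2^32 = -2085978496. */
#define SAMPLE_2040 ((time_t)2208988800)

int main(void)
{
    krb5_timestamp ts;

    if (!time_to_ts(SAMPLE_2040, &ts))
        return 1;
    printf("stored krb5_timestamp: %" PRId32 "\n", ts);
    printf("naive cast:            %" PRId64 "\n",
           (int64_t)ts_to_time_naive(ts));
    printf("uint32_t then time_t:  %" PRId64 "\n",
           (int64_t)ts_to_time(ts));
    return ts_to_time(ts) == SAMPLE_2040 ? 0 : 1;
}
```

The naive and recommended conversions agree for every date before
2038-01-19 and differ only once the top bit is set, which is why the
cast is safe to apply unconditionally.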
To behave properly for time values after January 2038, calling code
should cast krb5_timestamp values to uint32_t, and then to time_t::

    (time_t)(uint32_t)timestamp

Used in this way, krb5_timestamp values can represent time values up
until February 2106, provided that the platform uses a 64-bit or larger
time_t type.  This usage will also remain safe if a later version of MIT
krb5 changes krb5_timestamp to an unsigned 32-bit integer.

The GSSAPI only uses representations of time intervals, not absolute
times.  Callers of the GSSAPI should require no changes to behave
correctly after January 2038, provided that they use MIT krb5 release
1.16 or later.

krb5-1.19.2/doc/html/_sources/build_this.rst.txt

How to build this documentation from the source
===============================================

Pre-requisites for a simple build, or to update man pages:

* Sphinx 1.0.4 or higher (See https://www.sphinx-doc.org) with the
  autodoc extension installed.

Additional prerequisites to include the API reference based on Doxygen
markup:

* Python 2.5 with the Cheetah, lxml, and xml modules
* Doxygen

Simple build without API reference
----------------------------------

To test simple changes to the RST sources, you can build the
documentation without the Doxygen reference by running, from the doc
directory::

    sphinx-build . test_html

You will see a number of warnings about missing files.  This is
expected.  If there is not already a ``doc/version.py`` file, you will
need to create one by first running ``make version.py`` in the
``src/doc`` directory of a configured build tree.

Updating man pages
------------------

Man pages are generated from the RST sources and checked into the
``src/man`` directory of the repository.  This allows man pages to be
installed without requiring Sphinx when using a source checkout.  To
regenerate these files, run ``make man`` from the man subdirectory of a
configured build tree.
You can also do this from an unconfigured source tree with::

    cd src/man
    make -f Makefile.in top_srcdir=.. srcdir=. man
    make clean

As with the simple build, it is normal to see warnings about missing
files when rebuilding the man pages.

Building for a release tarball or web site
------------------------------------------

To generate documentation in HTML format, run ``make html`` in the
``doc`` subdirectory of a configured build tree (the build directory
corresponding to ``src/doc``, not the top-level ``doc`` directory).  The
output will be placed in the top-level ``doc/html`` directory.  This
build will include the API reference generated from Doxygen markup in
the source tree.

Documentation generated this way will use symbolic names for paths (like
``BINDIR`` for the directory containing user programs), with the
symbolic names being links to a table showing typical values for those
paths.

You can also do this from an unconfigured source tree with::

    cd src/doc
    make -f Makefile.in SPHINX_ARGS= htmlsrc

Building for an OS package or site documentation
------------------------------------------------

To generate documentation specific to a build of MIT krb5 as you have
configured it, run ``make substhtml`` in the ``doc`` subdirectory of a
configured build tree (the build directory corresponding to
``src/doc``, not the top-level ``doc`` directory).  The output will be
placed in the ``html_subst`` subdirectory of that build directory.
This build will include the API reference.

Documentation generated this way will use concrete paths (like
``/usr/local/bin`` for the directory containing user programs, for a
default custom build).

krb5-1.19.2/doc/html/_sources/mitK5license.rst.txt

.. _mitK5license:

MIT Kerberos License information
================================

.. toctree::
    :hidden:

    copyright.rst

..
include:: notice.rst

krb5-1.19.2/doc/html/_sources/resources.rst.txt

Resources
=========

Mailing lists
-------------

* kerberos@mit.edu is a community resource for discussion and questions
  about MIT krb5 and other Kerberos implementations.  To subscribe to
  the list, please follow the instructions at
  https://mailman.mit.edu/mailman/listinfo/kerberos.

* krbdev@mit.edu is the primary list for developers of MIT Kerberos.
  To subscribe to the list, please follow the instructions at
  https://mailman.mit.edu/mailman/listinfo/krbdev.

* krb5-bugs@mit.edu is notified when a ticket is created or updated.
  This list helps track bugs and feature requests.  In addition, this
  list is used to track documentation criticism and recommendations for
  improvements.

* krbcore@mit.edu is a private list for the MIT krb5 core team.  Send
  mail to this list if you need to contact the core team.

* krbcore-security@mit.edu is the point of contact for security problems
  with MIT Kerberos.  Please use PGP-encrypted mail to report possible
  vulnerabilities to this list.

IRC channels
------------

The IRC channel `#kerberos` on libera.chat is a community resource for
general Kerberos discussion and support.

The main IRC channel for MIT Kerberos development is `#krbdev` on Libera
Chat.  For more information about Libera Chat, see https://libera.chat/.

Archives
--------

* The archive https://mailman.mit.edu/pipermail/kerberos/ contains past
  postings from the `kerberos@mit.edu` list.

* The archive https://mailman.mit.edu/pipermail/krbdev/ contains past
  postings from the `krbdev@mit.edu` list.

Wiki
----

The wiki at https://k5wiki.kerberos.org/ contains useful information
for developers working on the MIT Kerberos source code.  Some of the
information on the wiki may be useful for advanced users or system
administrators.

Web pages
---------

* https://web.mit.edu/kerberos/ is the MIT Kerberos software web page.
* https://kerberos.org/ is the MIT Kerberos Consortium web page.

krb5-1.19.2/doc/html/_sources/mitK5features.rst.txt

.. highlight:: rst

.. toctree::
    :hidden:

    mitK5license.rst

.. _mitK5features:

MIT Kerberos features
=====================

https://web.mit.edu/kerberos

Quick facts
-----------

License
  - :ref:`mitK5license`

Releases:
  - Latest stable: https://web.mit.edu/kerberos/krb5-1.18/
  - Supported: https://web.mit.edu/kerberos/krb5-1.17/
  - Release cycle: approximately 12 months

Supported platforms \/ OS distributions:
  - Windows (KfW 4.0): Windows 7, Vista, XP
  - Solaris: SPARC, x86_64/x86
  - GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
  - BSD: NetBSD x86_64/x86

Crypto backends:
  - builtin - MIT Kerberos native crypto library
  - OpenSSL (1.0\+) - https://www.openssl.org

Database backends: LDAP, DB2, LMDB

krb4 support: Kerberos 5 release < 1.8

DES support: Kerberos 5 release < 1.18 (See :ref:`retiring-des`)

Interoperability
----------------

`Microsoft`

Starting from release 1.7:

* Follow client principal referrals in the client library when
  obtaining initial tickets.

* KDC can issue realm referrals for service principals based on domain
  names.

* Extensions supporting DCE RPC, including three-leg GSS context setup
  and unencapsulated GSS tokens inside SPNEGO.

* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is
  similar to the equivalent SSPI functionality.  This is needed to
  support some instances of DCE RPC.

* NTLM recognition support in GSS-API, to facilitate dropping in an NTLM
  implementation for improved compatibility with older releases of
  Microsoft Windows.

* KDC support for principal aliases, if the back end supports them.
  Currently, only the LDAP back end supports aliases.

* Support Microsoft set/change password (:rfc:`3244`) protocol in
  kadmind.
* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which
  allows a GSS application to request credential delegation only if
  permitted by KDC policy.

Starting from release 1.8:

* Microsoft Services for User (S4U) compatibility

`Heimdal`

* Support for KCM credential cache starting from release 1.13

Feature list
------------

For more information on the specific project see
https://k5wiki.kerberos.org/wiki/Projects

Release 1.7
 - Credentials delegation :rfc:`5896`
 - Cross-realm authentication and referrals :rfc:`6806`
 - Master key migration
 - PKINIT :rfc:`4556` :ref:`pkinit`

Release 1.8
 - Anonymous PKINIT :rfc:`6112` :ref:`anonymous_pkinit`
 - Constrained delegation
 - IAKERB https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
 - Heimdal bridge plugin for KDC backend
 - GSS-API S4U extensions https://msdn.microsoft.com/en-us/library/cc246071
 - GSS-API naming extensions :rfc:`6680`
 - GSS-API extensions for storing delegated credentials :rfc:`5588`

Release 1.9
 - Advance warning on password expiry
 - Camellia encryption (CTS-CMAC mode) :rfc:`6803`
 - KDC support for SecurID preauthentication
 - kadmin over IPv6
 - Trace logging :ref:`trace_logging`
 - GSSAPI/KRB5 multi-realm support
 - Plugin to test password quality :ref:`pwqual_plugin`
 - Plugin to synchronize password changes :ref:`kadm5_hook_plugin`
 - Parallel KDC
 - GSS-API extensions for SASL GS2 bridge :rfc:`5801` :rfc:`5587`
 - Purging old keys
 - Naming extensions for delegation chain
 - Password expiration API
 - Windows client support (build-only)
 - IPv6 support in iprop

Release 1.10
 - Plugin interface for configuration :ref:`profile_plugin`
 - Credentials for multiple identities :ref:`ccselect_plugin`

Release 1.11
 - Client support for FAST OTP :rfc:`6560`
 - GSS-API extensions for credential locations
 - Responder mechanism

Release 1.12
 - Plugin to control krb5_aname_to_localname and krb5_kuserok behavior
   :ref:`localauth_plugin`
 - Plugin to control hostname-to-realm mappings and the default realm
   :ref:`hostrealm_plugin`
 - GSSAPI extensions for constructing MIC tokens using IOV lists
   :ref:`gssapi_mic_token`
 - Principal may refer to nonexistent policies
   `Policy Refcount project `_
 - Support for having no long-term keys for a principal
   `Principals Without Keys project `_
 - Collection support to the KEYRING credential cache type on Linux
   :ref:`ccache_definition`
 - FAST OTP preauthentication module for the KDC which uses RADIUS to
   validate OTP token values :ref:`otp_preauth`
 - Experimental Audit plugin for KDC processing `Audit project `_

Release 1.13
 - Add support for accessing KDCs via an HTTPS proxy server using the
   `MS-KKDCP `_ protocol.
 - Add support for `hierarchical incremental propagation `_, where
   replicas can act as intermediates between an upstream primary and
   other downstream replicas.
 - Add support for configuring GSS mechanisms using
   ``/etc/gss/mech.d/*.conf`` files in addition to ``/etc/gss/mech``.
 - Add support to the LDAP KDB module for `binding to the LDAP server
   using SASL `_.
 - The KDC listens for TCP connections by default.
 - Fix a minor key disclosure vulnerability where using the "keepold"
   option to the kadmin randkey operation could return the old keys.
   `[CVE-2014-5351] `_
 - Add client support for the Kerberos Cache Manager protocol.  If the
   host is running a Heimdal kcm daemon, caches served by the daemon can
   be accessed with the KCM: cache type.
 - When built on macOS 10.7 and higher, use "KCM:" as the default
   cachetype, unless overridden by command-line options or krb5-config
   values.
 - Add support for doing unlocked database dumps for the DB2 KDC back
   end, which would allow the KDC and kadmind to continue accessing the
   database during lengthy database dumps.

Release 1.14

* Administrator experience

  - Add a new kdb5_util tabdump command to provide reporting-friendly
    tabular dump formats (tab-separated or CSV) for the KDC database.
    Unlike the normal dump format, each output table has a fixed number
    of fields.
    Some tables include human-readable forms of data that are opaque in
    ordinary dump files.  This format is also suitable for importing
    into relational databases for complex queries.

  - Add support to kadmin and kadmin.local for specifying a single
    command line following any global options, where the command
    arguments are split by the shell--for example, "kadmin getprinc
    principalname".  Commands issued this way do not prompt for
    confirmation or display warning messages, and exit with non-zero
    status if the operation fails.

  - Accept the same principal flag names in kadmin as we do for the
    default_principal_flags kdc.conf variable, and vice versa.  Also
    accept flag specifiers in the form that kadmin prints, as well as
    hexadecimal numbers.

  - Remove the triple-DES and RC4 encryption types from the default
    value of supported_enctypes, which determines the default key and
    salt types for new password-derived keys.  By default, keys will be
    created only for AES128 and AES256.  This mitigates some types of
    password guessing attacks.

  - Add support for directory names in the KRB5_CONFIG and
    KRB5_KDC_PROFILE environment variables.

  - Add support for authentication indicators, which are ticket
    annotations to indicate the strength of the initial authentication.
    Add support for the "require_auth" string attribute, which can be
    set on server principal entries to require an indicator when
    authenticating to the server.

  - Add support for key version numbers larger than 255 in keytab
    files, and for version numbers up to 65535 in KDC databases.

  - Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC
    during pre-authentication, corresponding to the client's most
    preferred encryption type.

  - Add support for server name identification (SNI) when proxying KDC
    requests over HTTPS.

  - Add support for the err_fmt profile parameter, which can be used to
    generate custom-formatted error messages.
* Developer experience:

  - Change gss_acquire_cred_with_password() to acquire credentials into
    a private memory credential cache.  Applications can use
    gss_store_cred() to make the resulting credentials visible to other
    processes.

  - Change gss_acquire_cred() and SPNEGO not to acquire credentials for
    IAKERB or for non-standard variants of the krb5 mechanism OID unless
    explicitly requested.  (SPNEGO will still accept the Microsoft
    variant of the krb5 mechanism OID during negotiation.)

  - Change gss_accept_sec_context() not to accept tokens for IAKERB or
    for non-standard variants of the krb5 mechanism OID unless an
    acceptor credential is acquired for those mechanisms.

  - Change gss_acquire_cred() to immediately resolve credentials if the
    time_rec parameter is not NULL, so that a correct expiration time
    can be returned.  Normally credential resolution is delayed until
    the target name is known.

  - Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs,
    which can be used by plugin modules or applications to add prefixes
    to existing detailed error messages.

  - Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which
    implement the RFC 6113 PRF+ operation and key derivation using PRF+.

  - Add support for pre-authentication mechanisms which use multiple
    round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error
    code.  Add get_cookie() and set_cookie() callbacks to the kdcpreauth
    interface; these callbacks can be used to save marshalled state
    information in an encrypted cookie for the next request.

  - Add a client_key() callback to the kdcpreauth interface to retrieve
    the chosen client key, corresponding to the ETYPE-INFO2 entry sent
    by the KDC.

  - Add an add_auth_indicator() callback to the kdcpreauth interface,
    allowing pre-authentication modules to assert authentication
    indicators.
  - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to
    suppress sending the confidentiality and integrity flags in GSS
    initiator tokens unless they are requested by the caller.  These
    flags control the negotiated SASL security layer for the Microsoft
    GSS-SPNEGO SASL mechanism.

  - Make the FILE credential cache implementation less prone to
    corruption issues in multi-threaded programs, especially on
    platforms with support for open file description locks.

* Performance:

  - On replica KDCs, poll the primary KDC immediately after processing
    a full resync, and do not require two full resyncs after the
    primary KDC's log file is reset.

Release 1.15

* Administrator experience:

  - Add support to kadmin for remote extraction of current keys without
    changing them (requires a special kadmin permission that is
    excluded from the wildcard permission), with the exception of
    highly protected keys.

  - Add a lockdown_keys principal attribute to prevent retrieval of the
    principal's keys (old or new) via the kadmin protocol.  In newly
    created databases, this attribute is set on the krbtgt and kadmin
    principals.

  - Restore recursive dump capability for DB2 back end, so sites can
    more easily recover from database corruption resulting from power
    failure events.

  - Add DNS auto-discovery of KDC and kpasswd servers from URI records,
    in addition to SRV records.  URI records can convey TCP and UDP
    servers and primary KDC status in a single DNS lookup, and can also
    point to HTTPS proxy servers.

  - Add support for password history to the LDAP back end.

  - Add support for principal renaming to the LDAP back end.

  - Use the getrandom system call on supported Linux kernels to avoid
    blocking problems when getting entropy from the operating system.

* Code quality:

  - Clean up numerous compilation warnings.

  - Remove various infrequently built modules, including some preauth
    modules that were not built by default.

* Developer experience:

  - Add support for building with OpenSSL 1.1.
  - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of
    authenticators in the replay cache.  This helps sites that must
    build with FIPS 140 conformant libraries that lack MD5.

* Protocol evolution:

  - Add support for the AES-SHA2 enctypes, which allows sites to conform
    to Suite B crypto requirements.

Release 1.16

* Administrator experience:

  - The KDC can match PKINIT client certificates against the
    "pkinit_cert_match" string attribute on the client principal entry,
    using the same syntax as the existing "pkinit_cert_match" profile
    option.

  - The ktutil addent command supports the "-k 0" option to ignore the
    key version, and the "-s" option to use a non-default salt string.

  - kpropd supports a --pid-file option to write a pid file at startup,
    when it is run in standalone mode.

  - The "encrypted_challenge_indicator" realm option can be used to
    attach an authentication indicator to tickets obtained using FAST
    encrypted challenge pre-authentication.

  - Localization support can be disabled at build time with the
    --disable-nls configure option.

* Developer experience:

  - The kdcpolicy pluggable interface allows modules to control whether
    tickets are issued by the KDC.

  - The kadm5_auth pluggable interface allows modules to control whether
    kadmind grants access to a kadmin request.

  - The certauth pluggable interface allows modules to control which
    PKINIT client certificates can authenticate to which client
    principals.

  - KDB modules can use the client and KDC interface IP addresses to
    determine whether to allow an AS request.

  - GSS applications can query the bit strength of a krb5 GSS context
    using the GSS_C_SEC_CONTEXT_SASL_SSF OID with
    gss_inquire_sec_context_by_oid().

  - GSS applications can query the impersonator name of a krb5 GSS
    credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with
    gss_inquire_cred_by_oid().
  - kdcpreauth modules can query the KDC for the canonicalized requested
    client principal name, or match a principal name against the
    requested client principal name with canonicalization.

* Protocol evolution:

  - The client library will continue to try pre-authentication
    mechanisms after most failure conditions.

  - The KDC will issue trivially renewable tickets (where the renewable
    lifetime is equal to or less than the ticket lifetime) if requested
    by the client, to be friendlier to scripts.

  - The client library will use a random nonce for TGS requests instead
    of the current system time.

  - For the RC4 string-to-key or PAC operations, UTF-16 is supported
    (previously only UCS-2 was supported).

  - When matching PKINIT client certificates, UPN SANs will be matched
    correctly as UPNs, with canonicalization.

* User experience:

  - Dates after the year 2038 are accepted (provided that the platform
    time facilities support them), through the year 2106.

  - Automatic credential cache selection based on the client realm will
    take into account the fallback realm and the service hostname.

  - Referral and alternate cross-realm TGTs will not be cached, avoiding
    some scenarios where they can be added to the credential cache
    multiple times.

  - A German translation has been added.

* Code quality:

  - The build is warning-clean under clang with the configured warning
    options.

  - The automated test suite runs cleanly under AddressSanitizer.

Release 1.17

* Administrator experience:

  - A new Kerberos database module using the Lightning Memory-Mapped
    Database library (LMDB) has been added.  The LMDB KDB module should
    be more performant and more robust than the DB2 module, and may
    become the default module for new databases in a future release.

  - "kdb5_util dump" will no longer dump policy entries when specific
    principal names are requested.

* Developer experience:

  - The new krb5_get_etype_info() API can be used to retrieve enctype,
    salt, and string-to-key parameters from the KDC for a client
    principal.
  - The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise
    principal names to be used with GSS-API functions.

  - KDC and kadmind modules which call com_err() will now write to the
    log file in a format more consistent with other log messages.

  - Programs which use large numbers of memory credential caches should
    perform better.

* Protocol evolution:

  - The SPAKE pre-authentication mechanism is now supported.  This
    mechanism protects against password dictionary attacks without
    requiring any additional infrastructure such as certificates.  SPAKE
    is enabled by default on clients, but must be manually enabled on
    the KDC for this release.

  - PKINIT freshness tokens are now supported.  Freshness tokens can
    protect against scenarios where an attacker uses temporary access to
    a smart card to generate authentication requests for the future.

  - Password change operations now prefer TCP over UDP, to avoid
    spurious error messages about replays when a response packet is
    dropped.

  - The KDC now supports cross-realm S4U2Self requests when used with a
    third-party KDB module such as Samba's.  The client code for
    cross-realm S4U2Self requests is also now more robust.

* User experience:

  - The new ktutil addent -f flag can be used to fetch salt information
    from the KDC for password-based keys.

  - The new kdestroy -p option can be used to destroy a credential cache
    within a collection by client principal name.

  - The Kerberos man page has been restored, and documents the
    environment variables that affect programs using the Kerberos
    library.

* Code quality:

  - Python test scripts now use Python 3.

  - Python test scripts now display markers in verbose output, making it
    easier to find where a failure occurred within the scripts.

  - The Windows build system has been simplified and updated to work
    with more recent versions of Visual Studio.  A large volume of
    unused Windows-specific code has been removed.  Visual Studio 2013
    or later is now required.
Release 1.18

* Administrator experience:

  - Remove support for single-DES encryption types.

  - Change the replay cache format to be more efficient and robust.
    Replay cache filenames using the new format end with ``.rcache2``
    by default.

  - setuid programs will automatically ignore environment variables
    that normally affect krb5 API functions, even if the caller does not
    use krb5_init_secure_context().

  - Add an ``enforce_ok_as_delegate`` krb5.conf relation to disable
    credential forwarding during GSSAPI authentication unless the KDC
    sets the ok-as-delegate bit in the service ticket.

* Developer experience:

  - Implement krb5_cc_remove_cred() for all credential cache types.

  - Add the krb5_pac_get_client_info() API to get the client account
    name from a PAC.

* Protocol evolution:

  - Add KDC support for S4U2Self requests where the user is identified
    by X.509 certificate.  (Requires support for certificate lookup from
    a third-party KDB module.)

  - Remove support for an old ("draft 9") variant of PKINIT.

  - Add support for Microsoft NegoEx.  (Requires one or more third-party
    GSS modules implementing NegoEx mechanisms.)

* User experience:

  - Add support for ``dns_canonicalize_hostname=fallback``, causing
    host-based principal names to be tried first without DNS
    canonicalization, and again with DNS canonicalization if the
    un-canonicalized server is not found.

  - Expand single-component hostnames in host-based principal names
    when DNS canonicalization is not used, adding the system's first DNS
    search path as a suffix.  Add a ``qualify_shortname`` krb5.conf
    relation to override this suffix or disable expansion.

* Code quality:

  - The libkrb5 serialization code (used to export and import krb5 GSS
    security contexts) has been simplified and made type-safe.

  - The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED
    messages has been revised to conform to current coding practices.

  - The test suite has been modified to work with macOS System
    Integrity Protection enabled.
  - The test suite incorporates soft-pkcs11 so that PKINIT PKCS11
    support can always be tested.

Release 1.19

* Administrator experience:

  - When a client keytab is present, the GSSAPI krb5 mech will refresh
    credentials even if the current credentials were acquired manually.

  - It is now harder to accidentally delete the K/M entry from a KDB.

* Developer experience:

  - gss_acquire_cred_from() now supports the "password" and "verify"
    options, allowing credentials to be acquired via password and
    verified using a keytab key.

  - When an application accepts a GSS security context, the new
    GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor
    both provided matching channel bindings.

  - Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self
    requests to identify the desired client principal by certificate.

  - PKINIT certauth modules can now cause the hw-authent flag to be set
    in issued tickets.

  - The krb5_init_creds_step() API will now issue the same password
    expiration warnings as krb5_get_init_creds_password().

* Protocol evolution:

  - Added client and KDC support for Microsoft's Resource-Based
    Constrained Delegation, which allows cross-realm S4U2Proxy
    requests.  A third-party database module is required for KDC
    support.

  - kadmin/admin is now the preferred server principal name for kadmin
    connections, and the host-based form is no longer created by
    default.  The client will still try the host-based form as a
    fallback.

  - Added client and server support for Microsoft's KERB_AP_OPTIONS_CBT
    extension, which causes channel bindings to be required for the
    initiator if the acceptor provided them.  The client will send this
    option if the client_aware_gss_bindings profile option is set.

* User experience:

  - The default setting of dns_canonicalize_realm is now "fallback".
    Hostnames provided from applications will be tried in principal
    names as given (possibly with shortname qualification), falling
    back to the canonicalized name.
  - kinit will now issue a warning if the des3-cbc-sha1 encryption
    type is used in the reply.  This encryption type will be
    deprecated and removed in future releases.
  - Added kvno flags --out-cache, --no-store, and --cached-only
    (inspired by Heimdal's kgetcred).

`Pre-authentication mechanisms`

- PW-SALT  :rfc:`4120#section-5.2.7.3`
- ENC-TIMESTAMP  :rfc:`4120#section-5.2.7.2`
- SAM-2
- FAST negotiation framework (release 1.8)  :rfc:`6113`
- PKINIT with FAST on client (release 1.10)  :rfc:`6113`
- PKINIT  :rfc:`4556`
- FX-COOKIE  :rfc:`6113#section-5.2`
- S4U-X509-USER (release 1.8)  https://msdn.microsoft.com/en-us/library/cc246091
- OTP (release 1.12)  :ref:`otp_preauth`
- SPAKE (release 1.17)  :ref:`spake`

`PRNG`

- modularity (release 1.9)
- Yarrow PRNG (release < 1.10)
- Fortuna PRNG (release 1.9)  https://www.schneier.com/book-practical.html
- OS PRNG (release 1.10)  OS's native PRNG

krb5-1.19.2/doc/html/_sources/plugindev/localauth.rst.txt

.. _localauth_plugin:

Local authorization interface (localauth)
=========================================

The localauth interface was first introduced in release 1.12.  It
allows modules to control the relationship between Kerberos principals
and local system accounts.  When an application calls
:c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`,
localauth modules are consulted to determine the result.

For a detailed description of the localauth interface, see the header
file ````.

A module can create and destroy per-library-context state objects
using the **init** and **fini** methods.  If the module does not need
any state, it does not need to implement these methods.

The optional **userok** method allows a module to control the behavior
of :c:func:`krb5_kuserok`.
The module receives the authenticated name and the local account name
as inputs, and can return either 0 to authorize access,
KRB5_PLUGIN_NO_HANDLE to defer the decision to other modules, or
another error (canonically EPERM) to authoritatively deny access.
Access is granted if at least one module grants access and no module
authoritatively denies access.

The optional **an2ln** method can work in two different ways.  If the
module sets an array of uppercase type names in **an2ln_types**, then
the module's **an2ln** method will only be invoked by
:c:func:`krb5_aname_to_localname` if an **auth_to_local** value in
:ref:`krb5.conf(5)` refers to one of the module's types.  In this
case, the *type* and *residual* arguments will give the type name and
residual string of the **auth_to_local** value.

If the module does not set **an2ln_types** but does implement
**an2ln**, the module's **an2ln** method will be invoked for all
:c:func:`krb5_aname_to_localname` operations unless an earlier module
determines a mapping, with *type* and *residual* set to NULL.  The
module can return KRB5_LNAME_NO_TRANS to defer mapping to later
modules.

If a module implements **an2ln**, it must also implement
**free_string** to ensure that memory is allocated and deallocated
consistently.

krb5-1.19.2/doc/html/_sources/plugindev/clpreauth.rst.txt

Client preauthentication interface (clpreauth)
==============================================

During an initial ticket request, a KDC may ask a client to prove its
knowledge of the password before issuing an encrypted ticket, or to
use credentials other than a password.  This process is called
preauthentication, and is described in :rfc:`4120` and :rfc:`6113`.
The clpreauth interface allows the addition of client support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base.

For a detailed description of the clpreauth interface, see the header
file ```` (or ```` before release 1.12).

A clpreauth module is generally responsible for:

* Supplying a list of preauth type numbers used by the module in the
  **pa_type_list** field of the vtable structure.

* Indicating what kind of preauthentication mechanism it implements,
  with the **flags** method.  In the most common case, this method
  just returns ``PA_REAL``, indicating that it implements a normal
  preauthentication type.

* Examining the padata information included in a PREAUTH_REQUIRED or
  MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the
  next AS request.  This is done with the **process** method.

* Examining the padata information included in a successful ticket
  reply, possibly verifying the KDC identity and computing a reply
  key.  This is also done with the **process** method.

* For preauthentication types which support it, recovering from errors
  by examining the error data from the KDC and producing a padata
  value for another AS request.  This is done with the **tryagain**
  method.

* Receiving option information (supplied by ``kinit -X`` or by an
  application), with the **gic_opts** method.

A clpreauth module can create and destroy per-library-context and
per-request state objects by implementing the **init**, **fini**,
**request_init**, and **request_fini** methods.  Per-context state
objects have the type krb5_clpreauth_moddata, and per-request state
objects have the type krb5_clpreauth_modreq.  These are abstract
pointer types; a module should typically cast these to internal types
for the state objects.

The **process** and **tryagain** methods have access to a callback
function and handle (called a "rock") which can be used to get
additional information about the current request, including the
expected enctype of the AS reply, the FAST armor key, and the client
long-term key (prompting for the user password if necessary).
A callback can also be used to replace the AS reply key if the
preauthentication mechanism computes one.

krb5-1.19.2/doc/html/_sources/plugindev/locate.rst.txt

Server location interface (locate)
==================================

The locate interface allows modules to control how KDCs and similar
services are located by clients.  For a detailed description of the
locate interface, see the header file ````.

.. note::

   The locate interface does not follow the normal conventions for
   MIT krb5 pluggable interfaces, because it was made public before
   those conventions were established.

A locate module exports a structure object of type
krb5plugin_service_locate_ftable, with the name ``service_locator``.
The structure contains a minor version and pointers to the module's
methods.

The primary locate method is **lookup**, which accepts a service type,
realm name, desired socket type, and desired address family (which
will be AF_UNSPEC if no specific address family is desired).  The
method should invoke the callback function once for each server
address it wants to return, passing a socket type (SOCK_STREAM for TCP
or SOCK_DGRAM for UDP) and socket address.  The **lookup** method
should return 0 if it has authoritatively determined the server
addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let
other location mechanisms determine the server addresses, or another
code if it experienced a failure which should abort the location
process.

A module can create and destroy per-library-context state objects by
implementing the **init** and **fini** methods.  State objects have
the type void \*, and should be cast to an internal type for the state
object.

krb5-1.19.2/doc/html/_sources/plugindev/ccselect.rst.txt

.. _ccselect_plugin:

Credential cache selection interface (ccselect)
===============================================

The ccselect interface allows modules to control how credential caches
are chosen when a GSSAPI client contacts a service.  For a detailed
description of the ccselect interface, see the header file ````.

The primary ccselect method is **choose**, which accepts a server
principal as input and returns a ccache and/or principal name as
output.  A module can use the krb5_cccol APIs to iterate over the
cache collection in order to find an appropriate ccache to use.

.. TODO: add reference to the admin guide for ccaches and cache
   collections when we have appropriate sections.

A module can create and destroy per-library-context state objects by
implementing the **init** and **fini** methods.  State objects have
the type krb5_ccselect_moddata, which is an abstract pointer type.  A
module should typically cast this to an internal type for the state
object.

A module can have one of two priorities, "authoritative" or
"heuristic".  Results from authoritative modules, if any are
available, will take priority over results from heuristic modules.  A
module communicates its priority as a result of the **init** method.

krb5-1.19.2/doc/html/_sources/plugindev/certauth.rst.txt

.. _certauth_plugin:

PKINIT certificate authorization interface (certauth)
=====================================================

The certauth interface was first introduced in release 1.16.  It
allows customization of the X.509 certificate attribute requirements
placed on certificates used by PKINIT enabled clients.

For a detailed description of the certauth interface, see the header
file ````

A certauth module implements the **authorize** method to determine
whether a client's certificate is authorized to authenticate a client
principal.
**authorize** receives the DER-encoded certificate, the requested
client principal, and a pointer to the client's krb5_db_entry (for
modules that link against libkdb5).  It returns the authorization
status and optionally outputs a list of authentication indicator
strings to be added to the ticket.  Beginning in release 1.19, the
authorize method can request that the hardware authentication bit be
set in the ticket by returning **KRB5_CERTAUTH_HWAUTH**.  A module
must use its own internal or library-provided ASN.1 certificate
decoder.

A module can optionally create and destroy module data with the
**init** and **fini** methods.  Module data objects last for the
lifetime of the KDC process.

If a module allocates and returns a list of authentication indicators
from **authorize**, it must also implement the **free_ind** method to
free the list.

krb5-1.19.2/doc/html/_sources/plugindev/kdcpolicy.rst.txt

.. _kdcpolicy_plugin:

KDC policy interface (kdcpolicy)
================================

The kdcpolicy interface was first introduced in release 1.16.  It
allows modules to veto otherwise valid AS and TGS requests or restrict
the lifetime and renew time of the resulting ticket.

For a detailed description of the kdcpolicy interface, see the header
file ````.

The optional **check_as** and **check_tgs** functions allow the module
to perform access control.  Additionally, a module can create and
destroy module data with the **init** and **fini** methods.  Module
data objects last for the lifetime of the KDC process, and are
provided to all other methods.  The data has the type
krb5_kdcpolicy_moddata, which should be cast to the appropriate
internal type.

kdcpolicy modules can optionally inspect principal entries.  To do
this, the module must also include ```` to gain access to the
principal entry structure definition.
As the KDB interface is explicitly not as stable as other public
interfaces, modules which do this may not retain compatibility across
releases.

krb5-1.19.2/doc/html/_sources/plugindev/kadm5_auth.rst.txt

.. _kadm5_auth_plugin:

kadmin authorization interface (kadm5_auth)
===========================================

The kadm5_auth interface (new in release 1.16) allows modules to
determine whether a client principal is authorized to perform an
operation in the kadmin protocol, and to apply restrictions to
principal operations.

For a detailed description of the kadm5_auth interface, see the header
file ````.

A module can create and destroy per-process state objects by
implementing the **init** and **fini** methods.  State objects have
the type kadm5_auth_modinfo, which is an abstract pointer type.  A
module should typically cast this to an internal type for the state
object.

The kadm5_auth interface has one method for each kadmin operation,
with parameters specific to the operation.  Each method can return
either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the
decision to other modules, or another error (canonically EPERM) to
authoritatively deny access.  Access is granted if at least one module
grants access and no module authoritatively denies access.

The **addprinc** and **modprinc** methods can also impose restrictions
on the principal operation by returning a ``struct
kadm5_auth_restrictions`` object.  The module should also implement
the **free_restrictions** method if it dynamically allocates
restrictions objects for principal operations.

kadm5_auth modules can optionally inspect principal or policy objects.
To do this, the module must also include ```` to gain access to the
structure definitions for those objects.  As the kadmin interface is
explicitly not as stable as other public interfaces, modules which do
this may not retain compatibility across releases.
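The grant/defer/deny rule stated for the localauth **userok** method
above and for the kadm5_auth methods here is easy to get subtly wrong
once several modules are loaded.  The following stand-alone C model is
added here and is not part of the krb5 documentation or source.  It
runs three constructed modules through that rule and shows the two
edge cases a module author should keep in mind: a deny from any module
is final even after an earlier module granted, and if every module
defers, access is not granted.  The ``verdict`` enum, the module
functions and ``kuserok_model`` are the example's own names; real
modules return krb5 error codes (0, KRB5_PLUGIN_NO_HANDLE, EPERM) from
methods with the interface's real signatures.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the three results a localauth userok method or a kadm5_auth
 * method may return.  Real modules return krb5 error codes (0 to grant,
 * KRB5_PLUGIN_NO_HANDLE to defer, EPERM or another error to deny); this
 * enum models them so the example builds without the krb5 headers. */
typedef enum { VERDICT_GRANT, VERDICT_DEFER, VERDICT_DENY } verdict;

/* Shape of a userok-style method: authenticated name and local account. */
typedef verdict (*userok_fn)(const char *aname, const char *lname);

/* Constructed module 1: grant when the principal name without its realm
 * equals the local account name, otherwise defer.  (A real default rule
 * also checks the realm; this model keeps only the name test.) */
static verdict same_name_module(const char *aname, const char *lname)
{
    const char *at = strchr(aname, '@');
    size_t n = (at != NULL) ? (size_t)(at - aname) : strlen(aname);

    if (n == strlen(lname) && strncmp(aname, lname, n) == 0)
        return VERDICT_GRANT;
    return VERDICT_DEFER;
}

/* Constructed module 2: authoritatively refuse any mapping onto "root",
 * no matter what other modules say. */
static verdict deny_root_module(const char *aname, const char *lname)
{
    (void)aname;
    return (strcmp(lname, "root") == 0) ? VERDICT_DENY : VERDICT_DEFER;
}

/* Constructed module 3: has no opinion and always defers. */
static verdict defer_module(const char *aname, const char *lname)
{
    (void)aname;
    (void)lname;
    return VERDICT_DEFER;
}

/* Consultation order (constructed): the granting module comes first so a
 * later deny is seen to override it. */
static const userok_fn MODULES[] = {
    same_name_module, deny_root_module, defer_module
};

/* Combine the results as the localauth and kadm5_auth sections describe:
 * access is granted only if at least one module grants and no module
 * authoritatively denies.  A deny is final whatever earlier modules said;
 * if every module defers, nobody granted access, so the answer is no.
 * Returns 1 if access is granted, 0 otherwise. */
int kuserok_model(const char *aname, const char *lname)
{
    int granted = 0;
    size_t i;

    for (i = 0; i < sizeof(MODULES) / sizeof(MODULES[0]); i++) {
        switch (MODULES[i](aname, lname)) {
        case VERDICT_DENY:
            return 0;       /* authoritative deny ends the evaluation */
        case VERDICT_GRANT:
            granted = 1;    /* remember, but keep looking for a deny */
            break;
        case VERDICT_DEFER:
            break;
        }
    }
    return granted;
}

int main(void)
{
    static const char *cases[][2] = {
        { "alice@EXAMPLE.COM", "alice" },        /* granted by same_name */
        { "alice@EXAMPLE.COM", "bob" },          /* all defer: not granted */
        { "root@EXAMPLE.COM", "root" },          /* grant, then deny wins */
        { "alice/admin@EXAMPLE.COM", "alice" },  /* instance differs: defer */
    };
    size_t i;

    for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-26s -> %-6s %s\n", cases[i][0], cases[i][1],
               kuserok_model(cases[i][0], cases[i][1]) ? "granted" : "denied");
    return 0;
}
```

The loop deliberately does not stop at the first grant: a module that
returns 0 for its own reasons must still be overridden by a later
module's EPERM, which is what makes an authoritative deny worth
anything.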
krb5-1.19.2/doc/html/_sources/plugindev/kadm5_hook.rst.txt

.. _kadm5_hook_plugin:

KADM5 hook interface (kadm5_hook)
=================================

The kadm5_hook interface allows modules to perform actions when
changes are made to the Kerberos database through :ref:`kadmin(1)`.
For a detailed description of the kadm5_hook interface, see the header
file ````.

The kadm5_hook interface has five primary methods: **chpass**,
**create**, **modify**, **remove**, and **rename**.  (The **rename**
method was introduced in release 1.14.)  Each of these methods is
called twice when the corresponding administrative action takes place,
once before the action is committed and once afterwards.  A module can
prevent the action from taking place by returning an error code during
the pre-commit stage.

A module can create and destroy per-process state objects by
implementing the **init** and **fini** methods.  State objects have
the type kadm5_hook_modinfo, which is an abstract pointer type.  A
module should typically cast this to an internal type for the state
object.

Because the kadm5_hook interface is tied closely to the kadmin
interface (which is explicitly unstable), it may not remain as stable
across versions as other public pluggable interfaces.

krb5-1.19.2/doc/html/_sources/plugindev/index.rst.txt

For plugin module developers
============================

Kerberos plugin modules allow increased control over MIT krb5 library
and server behavior.  This guide describes how to create dynamic
plugin modules and the currently available pluggable interfaces.

See :ref:`plugin_config` for information on how to register dynamic
plugin modules and how to enable and disable modules via
:ref:`krb5.conf(5)`.

.. TODO: update the above reference when we have a free-form section
   in the admin guide about plugin configuration

Contents
--------

.. toctree::
   :maxdepth: 2

   general.rst
   clpreauth.rst
   kdcpreauth.rst
   ccselect.rst
   pwqual.rst
   kadm5_hook.rst
   kadm5_auth.rst
   hostrealm.rst
   localauth.rst
   locate.rst
   profile.rst
   gssapi.rst
   internal.rst
   certauth.rst
   kdcpolicy.rst

.. TODO: GSSAPI mechanism plugins

krb5-1.19.2/doc/html/_sources/plugindev/profile.rst.txt

.. _profile_plugin:

Configuration interface (profile)
=================================

The profile interface allows a module to control how krb5
configuration information is obtained by the Kerberos library and
applications.  For a detailed description of the profile interface,
see the header file ````.

.. note::

   The profile interface does not follow the normal conventions for
   MIT krb5 pluggable interfaces, because it is part of a lower-level
   component of the krb5 library.

As with other types of plugin modules, a profile module is a Unix
shared object or Windows DLL, built separately from the krb5 tree.
The krb5 library will dynamically load and use a profile plugin module
if it reads a ``module`` directive at the beginning of krb5.conf, as
described in :ref:`profile_plugin_config`.

A profile module exports a function named ``profile_module_init``
matching the signature of the profile_module_init_fn type.  This
function accepts a residual string, which may be used to help locate
the configuration source.  The function fills in a vtable and may also
create a per-profile state object.  If the module uses state objects,
it should implement the **copy** and **cleanup** methods to manage
them.

A basic read-only profile module need only implement the
**get_values** and **free_values** methods.
The **get_values** method accepts a null-terminated list of C string
names (e.g., an array containing "libdefaults", "clockskew", and NULL
for the **clockskew** variable in the :ref:`libdefaults` section) and
returns a null-terminated list of values, which will be cleaned up
with the **free_values** method when the caller is done with them.

Iterable profile modules must also define the **iterator_create**,
**iterator**, **iterator_free**, and **free_string** methods.  The
core krb5 code does not require profiles to be iterable, but some
applications may iterate over the krb5 profile object in order to
present configuration interfaces.

Writable profile modules must also define the **writable**,
**modified**, **update_relation**, **rename_section**,
**add_relation**, and **flush** methods.  The core krb5 code does not
require profiles to be writable, but some applications may write to
the krb5 profile in order to present configuration interfaces.

The following is an example of a very basic read-only profile module
which returns a hardcoded value for the **default_realm** variable in
:ref:`libdefaults`, and provides no other configuration information.
(For conciseness, the example omits code for checking the return
values of malloc and strdup.)

::

    #include
    #include
    #include

    static long
    get_values(void *cbdata, const char *const *names, char ***values)
    {
        if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 &&
            names[1] != NULL && strcmp(names[1], "default_realm") == 0) {
            *values = malloc(2 * sizeof(char *));
            (*values)[0] = strdup("ATHENA.MIT.EDU");
            (*values)[1] = NULL;
            return 0;
        }
        return PROF_NO_RELATION;
    }

    static void
    free_values(void *cbdata, char **values)
    {
        char **v;

        for (v = values; *v; v++)
            free(*v);
        free(values);
    }

    long
    profile_module_init(const char *residual, struct profile_vtable *vtable,
                        void **cb_ret);

    long
    profile_module_init(const char *residual, struct profile_vtable *vtable,
                        void **cb_ret)
    {
        *cb_ret = NULL;
        vtable->get_values = get_values;
        vtable->free_values = free_values;
        return 0;
    }

krb5-1.19.2/doc/html/_sources/plugindev/internal.rst.txt

Internal pluggable interfaces
=============================

Following are brief discussions of pluggable interfaces which have not
yet been made public.  These interfaces are functional, but the
interfaces are likely to change in incompatible ways from release to
release.  In some cases, it may be necessary to copy header files from
the krb5 source tree to use an internal interface.  Use these with
care, and expect to need to update your modules for each new release
of MIT krb5.

Kerberos database interface (KDB)
---------------------------------

A KDB module implements a database back end for KDC principal and
policy information, and can also control many aspects of KDC behavior.
For a full description of the interface, see the header file ````.

The KDB pluggable interface is often referred to as the DAL (Database
Access Layer).
Authorization data interface (authdata)
---------------------------------------

The authdata interface allows a module to provide (from the KDC) or
consume (in application servers) authorization data of types beyond
those handled by the core MIT krb5 code base.  The interface is
defined in the header file ````, which is not installed by the build.

krb5-1.19.2/doc/html/_sources/plugindev/kdcpreauth.rst.txt

KDC preauthentication interface (kdcpreauth)
============================================

The kdcpreauth interface allows the addition of KDC support for
preauthentication mechanisms beyond those included in the core MIT
krb5 code base.  For a detailed description of the kdcpreauth
interface, see the header file ```` (or ```` before release 1.12).

A kdcpreauth module is generally responsible for:

* Supplying a list of preauth type numbers used by the module in the
  **pa_type_list** field of the vtable structure.

* Indicating what kind of preauthentication mechanism it implements,
  with the **flags** method.  If the mechanism computes a new reply
  key, it must specify the ``PA_REPLACES_KEY`` flag.  If the mechanism
  is generally only used with hardware tokens, the ``PA_HARDWARE``
  flag allows the mechanism to work with principals which have the
  **requires_hwauth** flag set.

* Producing a padata value to be sent with a preauth_required error,
  with the **edata** method.

* Examining a padata value sent by a client and verifying that it
  proves knowledge of the appropriate client credential information.
  This is done with the **verify** method.

* Producing a padata response value for the client, and possibly
  computing a reply key.  This is done with the **return_padata**
  method.

A module can create and destroy per-KDC state objects by implementing
the **init** and **fini** methods.  Per-KDC state objects have the
type krb5_kdcpreauth_moddata, which is an abstract pointer type.
A module should typically cast this to an internal type for the state
object.

A module can create a per-request state object by returning one in the
**verify** method, receiving it in the **return_padata** method, and
destroying it in the **free_modreq** method.  Note that these state
objects only apply to the processing of a single AS request packet,
not to an entire authentication exchange (since an authentication
exchange may remain unfinished by the client or may involve multiple
different KDC hosts).  Per-request state objects have the type
krb5_kdcpreauth_modreq, which is an abstract pointer type.

The **edata**, **verify**, and **return_padata** methods have access
to a callback function and handle (called a "rock") which can be used
to get additional information about the current request, including
the maximum allowable clock skew, the client's long-term keys, the
DER-encoded request body, the FAST armor key, string attributes on the
client's database entry, and the client's database entry itself.  The
**verify** method can assert one or more authentication indicators to
be included in the issued ticket using the ``add_auth_indicator``
callback (new in release 1.14).

A module can generate state information to be included with the next
client request using the ``set_cookie`` callback (new in release
1.14).  On the next request, the module can read this state
information using the ``get_cookie`` callback.  Cookie information is
encrypted, timestamped, and transmitted to the client in a
``PA-FX-COOKIE`` pa-data item.  Older clients may not support cookies
and therefore may not transmit the cookie in the next request; in this
case, ``get_cookie`` will not yield the saved information.

If a module implements a mechanism which requires multiple round
trips, its **verify** method can respond with the code
``KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED`` and a list of pa-data in
the *e_data* parameter to be processed by the client.

The **edata** and **verify** methods can be implemented
asynchronously.  Because of this, they do not return values directly
to the caller, but must instead invoke responder functions with their
results.  A synchronous implementation can invoke the responder
function immediately.  An asynchronous implementation can use the
callback to get an event context for use with the libverto_ API.

.. _libverto: https://fedorahosted.org/libverto/

krb5-1.19.2/doc/html/_sources/plugindev/gssapi.rst.txt

GSSAPI mechanism interface
==========================

The GSSAPI library in MIT krb5 can load mechanism modules to augment
the set of built-in mechanisms.

.. note::

   The GSSAPI loadable mechanism interface does not follow the normal
   conventions for MIT krb5 pluggable interfaces.

A mechanism module is a Unix shared object or Windows DLL, built
separately from the krb5 tree.  Modules are loaded according to the
GSS mechanism config files described in :ref:`gssapi_plugin_config`.

For the most part, a GSSAPI mechanism module exports the same
functions as would a GSSAPI implementation itself, with the same
function signatures.  The mechanism selection layer within the GSSAPI
library (called the "mechglue") will dispatch calls from the
application to the module if the module's mechanism is requested.  If
a module does not wish to implement a GSSAPI extension, it can simply
refrain from exporting it, and the mechglue will fail gracefully if
the application calls that function.

The mechglue does not invoke a module's **gss_add_cred**,
**gss_add_cred_from**, **gss_add_cred_impersonate_name**, or
**gss_add_cred_with_password** function.  A mechanism only needs to
implement the "acquire" variants of those functions.

A module does not need to coordinate its minor status codes with those
of other mechanisms.
If the mechglue detects conflicts, it will map the mechanism's status
codes onto unique values, and then map them back again when
**gss_display_status** is called.

NegoEx modules
--------------

Some Windows GSSAPI mechanisms can only be negotiated via a Microsoft
extension to SPNEGO called NegoEx.  Beginning with release 1.18,
mechanism modules can support NegoEx as follows:

* Implement the gssspi_query_meta_data(), gssspi_exchange_meta_data(),
  and gssspi_query_mechanism_info() SPIs declared in ````.

* Implement gss_inquire_sec_context_by_oid() and answer the
  **GSS_C_INQ_NEGOEX_KEY** and **GSS_C_INQ_NEGOEX_VERIFY_KEY** OIDs to
  provide the checksum keys for outgoing and incoming checksums,
  respectively.  The answer must be in two buffers: the first buffer
  contains the key contents, and the second buffer contains the key
  encryption type as a four-byte little-endian integer.

By default, NegoEx mechanisms will not be directly negotiated via
SPNEGO.  If direct SPNEGO negotiation is required for
interoperability, implement gss_inquire_attrs_for_mech() and assert
the GSS_C_MA_NEGOEX_AND_SPNEGO attribute (along with any applicable
RFC 5587 attributes).

Interposer modules
------------------

The mechglue also supports a kind of loadable module, called an
interposer module, which intercepts calls to existing mechanisms
rather than implementing a new mechanism.

An interposer module must export the symbol **gss_mech_interposer**
with the following signature::

    gss_OID_set gss_mech_interposer(gss_OID mech_type);

This function is invoked with the OID of the interposer mechanism as
specified in the mechanism config file, and returns a set of mechanism
OIDs to be interposed.  The returned OID set must have been created
using the mechglue's gss_create_empty_oid_set and
gss_add_oid_set_member functions.

An interposer module must use the prefix ``gssi_`` for the GSSAPI
functions it exports, instead of the prefix ``gss_``.
An interposer module can link against the GSSAPI library in order to
make calls to the original mechanism.  To do so, it must specify a
special mechanism OID which is the concatenation of the interposer's
own OID byte string and the original mechanism's OID byte string.

Since **gss_accept_sec_context** does not accept a mechanism argument,
an interposer mechanism must, in order to invoke the original
mechanism's function, acquire a credential for the concatenated OID
and pass that as the *verifier_cred_handle* parameter.

Since **gss_import_name**, **gss_import_cred**, and
**gss_import_sec_context** do not accept mechanism parameters, the SPI
has been extended to include variants which do.  This allows the
interposer module to know which mechanism should be used to interpret
the token.  These functions have the following signatures::

    OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status,
                                              gss_OID desired_mech,
                                              gss_buffer_t interprocess_token,
                                              gss_ctx_id_t *context_handle);

    OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status,
                                       gss_OID mech_type,
                                       gss_buffer_t input_name_buffer,
                                       gss_OID input_name_type,
                                       gss_name_t output_name);

    OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status,
                                       gss_OID mech_type,
                                       gss_buffer_t token,
                                       gss_cred_id_t *cred_handle);

To re-enter the original mechanism when importing tokens for the above
functions, the interposer module must wrap the mechanism token in the
mechglue's format, using the concatenated OID.  The mechglue token
formats are:

* For **gss_import_sec_context**, a four-byte OID length in big-endian
  order, followed by the mechanism OID, followed by the mechanism
  token.

* For **gss_import_name**, the bytes 04 01, followed by a two-byte OID
  length in big-endian order, followed by the mechanism OID, followed
  by the bytes 06, followed by the OID length as a single byte,
  followed by the mechanism OID, followed by the mechanism token.
* For **gss_import_cred**, a four-byte OID length in big-endian order,
  followed by the mechanism OID, followed by a four-byte token length
  in big-endian order, followed by the mechanism token.  This sequence
  may be repeated multiple times.

krb5-1.19.2/doc/html/_sources/plugindev/hostrealm.rst.txt

.. _hostrealm_plugin:

Host-to-realm interface (hostrealm)
===================================

The host-to-realm interface was first introduced in release 1.12.  It
allows modules to control the local mapping of hostnames to realm
names as well as the default realm.  For a detailed description of
the hostrealm interface, see the header file ````.

Although the mapping methods in the hostrealm interface return a list
of one or more realms, only the first realm in the list is currently
used by callers.  Callers may begin using later responses in the
future.

Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer
processing to a later module.

A module can create and destroy per-library-context state objects
using the **init** and **fini** methods.  If the module does not need
any state, it does not need to implement these methods.

The optional **host_realm** method allows a module to determine
authoritative realm mappings for a hostname.  The first authoritative
mapping is used in preference to KDC referrals when getting service
credentials.

The optional **fallback_realm** method allows a module to determine
fallback mappings for a hostname.  The first fallback mapping is tried
if there is no authoritative mapping for a realm, and KDC referrals
failed to produce a successful result.

The optional **default_realm** method allows a module to determine the
local default realm.

If a module implements any of the above methods, it must also
implement **free_list** to ensure that memory is allocated and
deallocated consistently.
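The concatenated-OID and mechglue token framing described for
interposer modules in the GSSAPI mechanism interface section above is
easy to get wrong by a single length field, and an interposer that
trusts the length fields of an incoming token can read past the end of
the buffer.  The following stand-alone C example is added here and is
not taken from the krb5 documentation or source.  It builds the
**gss_import_sec_context** and **gss_import_cred** wrappers from
constructed OID and token bytes, and parses the multi-element cred
form back with every length checked against the input that remains.
``concat_oid``, ``wrap_sec_context_token``, ``wrap_cred_token``,
``parse_cred_token`` and the two sample OID byte strings are the
example's own; a real interposer would hand the wrapped bytes to the
mechglue as a gss_buffer_t.  Only the two four-byte-length forms are
covered, not the **gss_import_name** form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed samples: MECH_OID is the DER contents of the krb5 mechanism
 * OID (a realistic value); INTERPOSER_OID is an arbitrary placeholder arc. */
static const uint8_t MECH_OID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02 };
static const uint8_t INTERPOSER_OID[] = { 0x2b, 0x06, 0x01, 0x04, 0x01, 0x7f };

/* One element of a gss_import_cred token (points into a caller's buffer). */
typedef struct { const uint8_t *tok; size_t len; } cred_elem;

static void put_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | p[3];
}

/* The special OID used to re-enter the original mechanism: the interposer's
 * OID bytes followed by the mechanism's OID bytes.  Returns 0 if out is small. */
size_t concat_oid(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen,
                  uint8_t *out, size_t cap)
{
    if (cap < alen + blen)
        return 0;
    memcpy(out, a, alen);
    memcpy(out + alen, b, blen);
    return alen + blen;
}

/* gss_import_sec_context framing: BE32 OID length, OID, mechanism token.
 * Returns the number of bytes written, or 0 if out cannot hold them. */
size_t wrap_sec_context_token(const uint8_t *oid, size_t oidlen,
                              const uint8_t *tok, size_t toklen,
                              uint8_t *out, size_t cap)
{
    if (cap < 4 + oidlen + toklen || oidlen > UINT32_MAX)
        return 0;
    put_be32(out, (uint32_t)oidlen);
    memcpy(out + 4, oid, oidlen);
    memcpy(out + 4 + oidlen, tok, toklen);
    return 4 + oidlen + toklen;
}

/* gss_import_cred framing, once per element: BE32 OID length, OID,
 * BE32 token length, token.  Returns bytes written, or 0 on overflow. */
size_t wrap_cred_token(const uint8_t *oid, size_t oidlen, const cred_elem *el,
                       size_t n, uint8_t *out, size_t cap)
{
    size_t pos = 0, i;

    for (i = 0; i < n; i++) {
        size_t need = 8 + oidlen + el[i].len;
        if (cap - pos < need || el[i].len > UINT32_MAX)
            return 0;
        put_be32(out + pos, (uint32_t)oidlen);
        memcpy(out + pos + 4, oid, oidlen);
        put_be32(out + pos + 4 + oidlen, (uint32_t)el[i].len);
        memcpy(out + pos + 8 + oidlen, el[i].tok, el[i].len);
        pos += need;
    }
    return pos;
}

/* Parse a gss_import_cred token.  Every length field is checked against the
 * input that remains and every OID against the one expected, so a truncated
 * or foreign token is rejected (-1) instead of being read past its end.
 * On success fills out[] with up to max elements and returns the count. */
int parse_cred_token(const uint8_t *buf, size_t len, const uint8_t *oid,
                     size_t oidlen, cred_elem *out, size_t max)
{
    size_t pos = 0, count = 0;
    uint32_t olen, tlen;

    while (pos < len) {
        if (len - pos < 4) return -1;
        olen = get_be32(buf + pos); pos += 4;
        if (olen != oidlen || len - pos < olen || memcmp(buf + pos, oid, olen) != 0)
            return -1;
        pos += olen;
        if (len - pos < 4) return -1;
        tlen = get_be32(buf + pos); pos += 4;
        if (len - pos < tlen || count == max) return -1;
        out[count].tok = buf + pos;
        out[count].len = tlen;
        count++;
        pos += tlen;
    }
    return (int)count;
}

/* Round trip: two constructed tokens under the concatenated OID, then a
 * truncated copy that must be rejected.  Returns 1 on success, 0 otherwise. */
int demo_roundtrip(void)
{
    static const uint8_t t1[] = { 0xde, 0xad, 0xbe, 0xef }, t2[] = { 0x01, 0x02 };
    cred_elem in[2] = { { t1, sizeof(t1) }, { t2, sizeof(t2) } }, got[2];
    uint8_t oid[32], buf[128];
    size_t oidlen = concat_oid(INTERPOSER_OID, sizeof(INTERPOSER_OID),
                               MECH_OID, sizeof(MECH_OID), oid, sizeof(oid));
    size_t n = wrap_cred_token(oid, oidlen, in, 2, buf, sizeof(buf));

    if (oidlen != 15 || n != 52 || parse_cred_token(buf, n, oid, oidlen, got, 2) != 2)
        return 0;
    if (got[0].len != 4 || memcmp(got[0].tok, t1, 4) != 0 ||
        got[1].len != 2 || memcmp(got[1].tok, t2, 2) != 0)
        return 0;
    return parse_cred_token(buf, n - 1, oid, oidlen, got, 2) == -1;
}

int main(void)
{
    printf("interposer cred token round trip: %s\n", demo_roundtrip() ? "ok" : "FAILED");
    return 0;
}
```

The parser checks the OID on every element rather than only the
first: a cred token is a repeated sequence, and each repetition
carries its own OID length and OID, so each one has to agree with the
concatenated OID the interposer expects before the element is handed
on to the original mechanism.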
krb5-1.19.2/doc/html/_sources/plugindev/pwqual.rst.txt

.. _pwqual_plugin:

Password quality interface (pwqual)
===================================

The pwqual interface allows modules to control what passwords are
allowed when a user changes passwords.  For a detailed description of
the pwqual interface, see the header file ````.

The primary pwqual method is **check**, which receives a password as
input and returns success (0) or a ``KADM5_PASS_Q_`` failure code
depending on whether the password is allowed.  The **check** method
also receives the principal name and the name of the principal's
password policy as input; although there is no stable interface for
the module to obtain the fields of the password policy, it can define
its own configuration or data store based on the policy name.

A module can create and destroy per-process state objects by
implementing the **open** and **close** methods.  State objects have
the type krb5_pwqual_moddata, which is an abstract pointer type.  A
module should typically cast this to an internal type for the state
object.  The **open** method also receives the name of the realm's
dictionary file (as configured by the **dict_file** variable in the
:ref:`kdc_realms` section of :ref:`kdc.conf(5)`) if it wishes to use
it.

krb5-1.19.2/doc/html/_sources/plugindev/general.rst.txt

General plugin concepts
=======================

A krb5 dynamic plugin module is a Unix shared object or Windows DLL.
Typically, the source code for a dynamic plugin module should live in
its own project with a build system using automake_ and libtool_, or
tools with similar functionality.

A plugin module must define a specific symbol name, which depends on
the pluggable interface and module name.
For most pluggable interfaces, the exported symbol is a function named ``INTERFACE_MODULE_initvt``, where *INTERFACE* is the name of the pluggable interface and *MODULE* is the name of the module. For these interfaces, it is possible for one shared object or DLL to implement multiple plugin modules, either for the same pluggable interface or for different ones. For example, a shared object could implement both KDC and client preauthentication mechanisms, by exporting functions named ``kdcpreauth_mymech_initvt`` and ``clpreauth_mymech_initvt``.

.. note: The profile, locate, and GSSAPI mechglue pluggable interfaces follow different conventions. See the documentation for those interfaces for details. The remainder of this section applies to pluggable interfaces which use the standard conventions.

A plugin module implementation should include the header file ````, where *INTERFACE* is the name of the pluggable interface. For instance, a ccselect plugin module implementation should use ``#include ``.

.. note: clpreauth and kdcpreauth module implementations should include .

initvt functions have the following prototype::

    krb5_error_code interface_modname_initvt(krb5_context context,
                                             int maj_ver, int min_ver,
                                             krb5_plugin_vtable vtable);

and should do the following:

1. Check that the supplied maj_ver argument is supported by the module. If it is not supported, the function should return KRB5_PLUGIN_VER_NOTSUPP.

2. Cast the supplied vtable pointer to the structure type corresponding to the major version, as documented in the pluggable interface header file.

3. Fill in the structure fields with pointers to method functions and static data, stopping at the field indicated by the supplied minor version. Fields for unimplemented optional methods can be left alone; it is not necessary to initialize them to NULL.

In most cases, the context argument will not be used. The initvt function should not allocate memory; think of it as a glorified structure initializer.
Each pluggable interface defines methods for allocating and freeing module state if doing so is necessary for the interface.

Pluggable interfaces typically include a **name** field in the vtable structure, which should be filled in with a pointer to a string literal containing the module name.

Here is an example of what an initvt function might look like for a fictional pluggable interface named fences, for a module named "wicker"::

    krb5_error_code
    fences_wicker_initvt(krb5_context context, int maj_ver, int min_ver,
                         krb5_plugin_vtable vtable)
    {
        if (maj_ver == 1) {
            /* Version 1 of the interface: cast to the v1 vtable and fill it in. */
            krb5_fences_vtable vt = (krb5_fences_vtable)vtable;

            vt->name = "wicker";
            vt->slats = wicker_slats;
            vt->braces = wicker_braces;
        } else if (maj_ver == 2) {
            /* Version 2: stop at the field selected by the minor version. */
            krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable;

            vt->name = "wicker";
            vt->material = wicker_material;
            vt->construction = wicker_construction;
            if (min_ver < 2)
                return 0;
            vt->footing = wicker_footing;
            if (min_ver < 3)
                return 0;
            vt->appearance = wicker_appearance;
        } else {
            return KRB5_PLUGIN_VER_NOTSUPP;
        }
        return 0;
    }

Logging from KDC and kadmind plugin modules
-------------------------------------------

Plugin modules for the KDC or kadmind daemons can write to the configured logging outputs (see :ref:`logging`) by calling the **com_err** function. The first argument (*whoami*) is ignored. If the second argument (*code*) is zero, the formatted message is logged at informational severity; otherwise, the formatted message is logged at error severity and includes the error message for the supplied code. Here are examples::

    com_err("", 0, "Client message contains %d items", nitems);
    com_err("", retval, "while decoding client message");

(The behavior described above is new in release 1.17.
In prior releases, the *whoami* argument is included for some logging output types, the logged message does not include the usual header for some output types, and the severity for syslog outputs is configured as part of the logging specification, defaulting to error severity.)

.. _automake: https://www.gnu.org/software/automake/
.. _libtool: https://www.gnu.org/software/libtool/

Supported date and time formats

Time duration

This format is used to express a time duration in the Kerberos configuration files and user commands. The allowed formats are:

Format                  Example   Value
h:m[:s]                 36:00     36 hours
NdNhNmNs                8h30s     8 hours 30 seconds
N (number of seconds)   3600      1 hour

Here N denotes a number, d - days, h - hours, m - minutes, s - seconds.

Note

The time interval should not exceed 2147483647 seconds.

Examples:

Request a ticket valid for one hour, five hours, 30 minutes
and 10 days respectively:

  kinit -l 3600
  kinit -l 5:00
  kinit -l 30m
  kinit -l "10d 0h 0m 0s"
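
The following C program is an added illustration of the duration grammar above; it is not the MIT Kerberos library's own parser and is not part of this documentation. It accepts the three forms from the table, enforces the 2147483647-second limit from the note, and tolerates whitespace between the NdNhNmNs components, as in the kinit -l "10d 0h 0m 0s" example (an assumption drawn from that example). The overflow checks matter because a duration that silently wraps would be accepted as a very short or negative ticket lifetime rather than rejected.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound stated in the note above. */
#define MAX_DURATION 2147483647L

/* Read a run of decimal digits at *p, advancing *p past them.
 * Fails if there is no digit or the value is already out of range. */
static int read_number(const char **p, long *n)
{
    char *end;

    if (!isdigit((unsigned char)**p))
        return -1;
    errno = 0;
    *n = strtol(*p, &end, 10);
    if (errno == ERANGE || *n > MAX_DURATION)
        return -1;
    *p = end;
    return 0;
}

/* *total += n * unit, failing instead of exceeding MAX_DURATION. */
static int add_scaled(long *total, long n, long unit)
{
    if (n > MAX_DURATION / unit || *total > MAX_DURATION - n * unit)
        return -1;
    *total += n * unit;
    return 0;
}

/* Parse a duration in one of the three documented forms and return the
 * number of seconds, or -1 on a syntax error or a total above
 * 2147483647 seconds:
 *   h:m[:s]    "36:00"                -> 129600
 *   NdNhNmNs   "8h30s", "10d 0h 0m 0s" -> 28830, 864000
 *   N          "3600"                 -> 3600 */
long parse_duration(const char *s)
{
    const char *p = s;
    long total = 0, n, unit;
    int have_unit = 0;

    if (s == NULL || *s == '\0')
        return -1;

    if (strchr(s, ':') != NULL) {
        /* h:m[:s]: at most three colon-separated numbers. */
        static const long scale[3] = { 3600, 60, 1 };
        int i;

        for (i = 0; i < 3; i++) {
            if (read_number(&p, &n) != 0 || add_scaled(&total, n, scale[i]) != 0)
                return -1;
            if (*p == '\0')
                return total;
            if (*p != ':' || i == 2)
                return -1;
            p++;
        }
        return -1;  /* not reached: every path above returns */
    }

    /* NdNhNmNs, or a bare number of seconds. */
    while (*p != '\0') {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        if (read_number(&p, &n) != 0)
            return -1;
        while (isspace((unsigned char)*p))
            p++;
        switch (*p) {
        case 'd': unit = 86400; p++; break;
        case 'h': unit = 3600;  p++; break;
        case 'm': unit = 60;    p++; break;
        case 's': unit = 1;     p++; break;
        case '\0':
            /* A bare number is the N form only when nothing preceded it. */
            if (have_unit)
                return -1;
            unit = 1;
            break;
        default:
            return -1;
        }
        have_unit = 1;
        if (add_scaled(&total, n, unit) != 0)
            return -1;
    }
    return have_unit ? total : -1;
}

int main(void)
{
    const char *samples[] = { "36:00", "8h30s", "3600", "10d 0h 0m 0s", "24856d" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-16s -> %ld\n", samples[i], parse_duration(samples[i]));
    return 0;
}
```

The last sample, 24856 days, exceeds the documented limit and is reported as -1 rather than wrapping.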

getdate time

Some of the kadmin and kdb5_util commands take a date-time in a human-readable format. Some of the acceptable date-time strings are:

                Format            Example
Date            mm/dd/yy          07/27/12
                month dd, yyyy    Jul 27, 2012
                yyyy-mm-dd        2012-07-27
Absolute time   HH:mm[:ss]pp      08:30 PM
                hh:mm[:ss]        20:30
Relative time   N tt              30 sec
Time zone       Z                 EST
                z                 -0400

(See Abbreviations used in this document.)

Examples:

Create a principal that expires on the date indicated:
    addprinc test1 -expire "3/27/12 10:00:07 EST"
    addprinc test2 -expire "January 23, 2015 10:05pm"
    addprinc test3 -expire "22:00 GMT"
Add a principal that will expire in 30 minutes:
    addprinc test4 -expire "30 minutes"

Absolute time

This rarely used date-time format can be noted in one of the following ways:

Format                   Example                 Value
yyyymmddhhmmss           20141231235900          One minute before 2015
yyyy.mm.dd.hh.mm.ss      2014.12.31.23.59.00
yymmddhhmmss             141231235900
yy.mm.dd.hh.mm.ss        14.12.31.23.59.00
dd-month-yyyy:hh:mm:ss   31-Dec-2014:23:59:00
hh:mm:ss                 20:00:00                8 o’clock in the evening
hhmmss                   200000

(See Abbreviations used in this document.)

Example:

Set the default expiration date to July 27, 2012 at 20:30:
    default_principal_expiration = 20120727203000
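
As an added example, not code from MIT Kerberos or from this documentation, the C functions below parse the seven absolute formats from the table above and convert the dated ones to seconds since the Unix epoch. Two assumptions are the example's own: two-digit years are widened with the POSIX convention (00-68 become 20xx, 69-99 become 19xx), and dated values are read as UTC because these formats carry no time zone. Only the English three-letter month abbreviations are recognised, whereas the documentation allows the locale's month names. The getdate forms (mm/dd/yy, relative times, zones) are not handled here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result of parsing one absolute form. has_date is 0 for hh:mm:ss and
 * hhmmss, which carry only a time of day. */
struct abs_time {
    int year, mon, day, hour, min, sec, has_date;
};

/* 1-12 for an English three-letter month abbreviation ("Dec"), 0 if
 * unknown (the documentation also allows locale month names). */
static int month_number(const char *name)
{
    static const char *const names[] = { "jan", "feb", "mar", "apr", "may", "jun",
                                         "jul", "aug", "sep", "oct", "nov", "dec" };
    int i, j;

    for (i = 0; i < 12; i++) {
        for (j = 0; j < 3 && tolower((unsigned char)name[j]) == names[i][j]; j++)
            ;
        if (j == 3)
            return i + 1;
    }
    return 0;
}

/* Widen a two-digit year with the POSIX convention; this is an assumption
 * of the example, not something the documentation specifies. */
static int widen_year(int y)
{
    return y >= 100 ? y : (y < 69 ? 2000 + y : 1900 + y);
}

/* Parse one of the absolute formats from the table above into *t.
 * Returns 0 on success, -1 if s matches none of them or a field is out of
 * range. The all-digit forms are told apart by their length. */
int parse_abs_time(const char *s, struct abs_time *t)
{
    size_t len = strlen(s);
    char mon[4], junk;

    memset(t, 0, sizeof(*t));
    t->has_date = 1;
    if (strspn(s, "0123456789") == len) {
        if (len == 14) {                               /* yyyymmddhhmmss */
            if (sscanf(s, "%4d%2d%2d%2d%2d%2d", &t->year, &t->mon, &t->day,
                       &t->hour, &t->min, &t->sec) != 6)
                return -1;
        } else if (len == 12) {                        /* yymmddhhmmss */
            if (sscanf(s, "%2d%2d%2d%2d%2d%2d", &t->year, &t->mon, &t->day,
                       &t->hour, &t->min, &t->sec) != 6)
                return -1;
            t->year = widen_year(t->year);
        } else if (len == 6) {                         /* hhmmss */
            if (sscanf(s, "%2d%2d%2d", &t->hour, &t->min, &t->sec) != 3)
                return -1;
            t->has_date = 0;
        } else {
            return -1;
        }
    } else if (sscanf(s, "%d.%d.%d.%d.%d.%d%c", &t->year, &t->mon, &t->day,
                      &t->hour, &t->min, &t->sec, &junk) == 6) {
        t->year = widen_year(t->year);                 /* yy[yy].mm.dd.hh.mm.ss */
    } else if (sscanf(s, "%d-%3s-%d:%d:%d:%d%c", &t->day, mon, &t->year,
                      &t->hour, &t->min, &t->sec, &junk) == 6) {
        t->mon = month_number(mon);                    /* dd-month-yyyy:hh:mm:ss */
    } else if (sscanf(s, "%d:%d:%d%c", &t->hour, &t->min, &t->sec, &junk) == 3) {
        t->has_date = 0;                               /* hh:mm:ss */
    } else {
        return -1;
    }
    /* The trailing %c above rejects trailing junk: a 7th/4th conversion fails the == test. */
    if (t->hour < 0 || t->hour > 23 || t->min < 0 || t->min > 59 || t->sec < 0 || t->sec > 60)
        return -1;
    if (t->has_date && (t->mon < 1 || t->mon > 12 || t->day < 1 || t->day > 31))
        return -1;
    return 0;
}

/* Days since 1970-01-01 for a proleptic Gregorian date. */
static long days_from_civil(int y, int m, int d)
{
    long era, yoe, doy, doe;

    y -= m <= 2;
    era = (y >= 0 ? y : y - 399) / 400;
    yoe = y - era * 400;
    doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Seconds since the Unix epoch, reading the value as UTC (assumption);
 * -1 for the time-of-day-only forms. */
long abs_time_to_epoch(const struct abs_time *t)
{
    if (!t->has_date)
        return -1;
    return days_from_civil(t->year, t->mon, t->day) * 86400L +
           t->hour * 3600L + t->min * 60L + t->sec;
}

/* Parse-and-convert helpers; both return -1 when s does not parse. */
long epoch_of(const char *s)
{
    struct abs_time t;

    return parse_abs_time(s, &t) == 0 ? abs_time_to_epoch(&t) : -1;
}

long time_of_day_of(const char *s)   /* seconds since midnight */
{
    struct abs_time t;

    return parse_abs_time(s, &t) == 0 ? t.hour * 3600L + t.min * 60L + t.sec : -1;
}
```

All five dated rows of the table describe the same instant, one minute before 2015, and parse to the same epoch value; the example configuration value 20120727203000 parses to July 27, 2012 at 20:30 UTC.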

Abbreviations used in this document

month : locale’s month name or its abbreviation;
dd : day of month (01-31);
HH : hours (00-12);
hh : hours (00-23);
mm : in time - minutes (00-59); in date - month (01-12);
N : number;
pp : AM or PM;
ss : seconds (00-60);
tt : time units (hours, minutes, min, seconds, sec);
yyyy : year;
yy : last two digits of the year;
Z : alphabetic time zone abbreviation;
z : numeric time zone;

Note

  • If the date specification contains spaces, you may need to enclose it in double quotes;
  • All keywords are case-insensitive.

replay cache

A replay cache (or “rcache”) keeps track of all authenticators recently presented to a service. If a duplicate authentication request is detected in the replay cache, an error message is sent to the application program.

The replay cache interface, like the credential cache and keytab interfaces, uses type:residual strings to indicate the type of replay cache and any associated cache naming data to use.

Background information

Some Kerberos or GSSAPI services use a simple authentication mechanism where a message is sent containing an authenticator, which establishes the encryption key that the client will use for talking to the service. But nothing about that prevents an eavesdropper from recording the messages sent by the client, establishing a new connection, and re-sending or “replaying” the same messages; the replayed authenticator will establish the same encryption key for the new session, and the following messages will be decrypted and processed. The attacker may not know what the messages say, and can’t generate new messages under the same encryption key, but in some instances it may be harmful to the user (or helpful to the attacker) to cause the server to see the same messages again a second time. For example, if the legitimate client sends “delete first message in mailbox”, a replay from an attacker may delete another, different “first” message. (Protocol design to guard against such problems has been discussed in RFC 4120#section-10.)

Even if one protocol uses further protection to verify that the client side of the connection actually knows the encryption keys (and thus is presumably a legitimate user), if another service uses the same service principal name, it may be possible to record an authenticator used with the first protocol and “replay” it against the second.

The replay cache mitigates these attacks somewhat, by keeping track of authenticators that have been seen until their five-minute window expires. Different authenticators generated by multiple connections from the same legitimate client will generally have different timestamps, and thus will not be considered the same.

This mechanism isn’t perfect. If a message is sent to one application server but a man-in-the-middle attacker can prevent it from actually arriving at that server, the attacker could then use the authenticator (once!) against a different service on the same host. This could be a problem if the message from the client included something more than authentication in the first message that could be useful to the attacker (which is uncommon; in most protocols the server has to indicate a successful authentication before the client sends additional messages), or if the simple act of presenting the authenticator triggers some interesting action in the service being attacked.
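
The program below is an added, self-contained model of the behaviour described in this section; it is not the krb5 replay cache implementation (which stores records in the hashed file2 format described further down) and uses an in-memory table with constructed principal names and timestamps. It shows the two decisions a replay cache makes: an authenticator whose timestamp is outside the window is refused before it is ever recorded, and an identical authenticator seen again inside the window is reported as a replay. Keying on the service principal as well as the client is what limits the cross-service weakness mentioned above to services that share a principal name.

```c
#include <stdio.h>
#include <string.h>

#define RC_WINDOW 300L   /* the five-minute window described above */
#define RC_SLOTS  64
#define RC_NAMELEN 128

/* One remembered authenticator: who presented it, to which service, and
 * the client timestamp (seconds and microseconds) that makes it unique. */
struct rc_entry {
    int used;
    char client[RC_NAMELEN];
    char server[RC_NAMELEN];
    long ctime, cusec;
};

struct rcache {
    struct rc_entry slots[RC_SLOTS];
};

enum rc_result {
    RC_OK = 0,      /* new authenticator, now recorded */
    RC_REPLAY = 1,  /* identical authenticator already seen in the window */
    RC_SKEW = 2,    /* timestamp outside the window; rejected, not cached */
    RC_FULL = 3     /* no free slot (the real file-based cache grows instead) */
};

void rcache_init(struct rcache *rc)
{
    memset(rc, 0, sizeof(*rc));
}

/* Forget entries older than the window: nothing with such a timestamp can
 * be accepted any more, so remembering it serves no purpose. */
void rcache_expire(struct rcache *rc, long now)
{
    int i;

    for (i = 0; i < RC_SLOTS; i++)
        if (rc->slots[i].used && now - rc->slots[i].ctime > RC_WINDOW)
            rc->slots[i].used = 0;
}

int rcache_count(const struct rcache *rc)
{
    int i, n = 0;

    for (i = 0; i < RC_SLOTS; i++)
        n += rc->slots[i].used;
    return n;
}

/* Check an authenticator against the cache and record it if it is new.
 * now is the service's clock; ctime/cusec come from the authenticator. */
enum rc_result rcache_store(struct rcache *rc, const char *client,
                            const char *server, long ctime, long cusec, long now)
{
    int i, free_slot = -1;
    long skew = now > ctime ? now - ctime : ctime - now;

    if (skew > RC_WINDOW)
        return RC_SKEW;
    rcache_expire(rc, now);
    for (i = 0; i < RC_SLOTS; i++) {
        struct rc_entry *e = &rc->slots[i];

        if (!e->used) {
            if (free_slot < 0)
                free_slot = i;
            continue;
        }
        if (e->ctime == ctime && e->cusec == cusec &&
            strcmp(e->client, client) == 0 && strcmp(e->server, server) == 0)
            return RC_REPLAY;
    }
    if (free_slot < 0)
        return RC_FULL;
    rc->slots[free_slot].used = 1;
    snprintf(rc->slots[free_slot].client, RC_NAMELEN, "%s", client);
    snprintf(rc->slots[free_slot].server, RC_NAMELEN, "%s", server);
    rc->slots[free_slot].ctime = ctime;
    rc->slots[free_slot].cusec = cusec;
    return RC_OK;
}

/* The scenario from the text, with constructed names and times. Returns 1
 * if every step behaved as described, 0 otherwise. */
int rcache_scenario(void)
{
    struct rcache rc;
    const char *cli = "alice@EXAMPLE.COM";
    const char *srv = "imap/mail.example.com@EXAMPLE.COM";
    long now = 1700000000L;

    rcache_init(&rc);
    /* First presentation: accepted and remembered. */
    if (rcache_store(&rc, cli, srv, now, 424242, now) != RC_OK)
        return 0;
    /* The recorded messages are re-sent two seconds later: a replay. */
    if (rcache_store(&rc, cli, srv, now, 424242, now + 2) != RC_REPLAY)
        return 0;
    /* The same client's next connection carries a fresh timestamp. */
    if (rcache_store(&rc, cli, srv, now + 2, 424242, now + 2) != RC_OK)
        return 0;
    /* A stale authenticator is refused by the skew check, not the cache. */
    if (rcache_store(&rc, cli, srv, now - 900, 0, now + 2) != RC_SKEW)
        return 0;
    if (rcache_count(&rc) != 2)
        return 0;
    /* Once the window has passed, the first entry is dropped, and the
     * original authenticator then fails the skew check instead. */
    rcache_expire(&rc, now + RC_WINDOW + 1);
    if (rcache_count(&rc) != 1)
        return 0;
    return rcache_store(&rc, cli, srv, now, 424242, now + RC_WINDOW + 1) == RC_SKEW;
}

int main(void)
{
    printf("replay cache scenario: %s\n", rcache_scenario() ? "as expected" : "UNEXPECTED");
    return 0;
}
```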

Replay cache types

Unlike the credential cache and keytab interfaces, replay cache types are in lowercase. The following types are defined:

  1. none disables the replay cache. The residual value is ignored.
  2. file2 (new in release 1.18) uses a hash-based format to store replay records. The file may grow to accommodate hash collisions. The residual value is the filename.
  3. dfl is the default type if no environment variable or configuration specifies a different type. It stores replay data in a file2 replay cache with a filename based on the effective uid. The residual value is ignored.

For the dfl type, the location of the replay cache file is determined as follows:

  1. The directory is taken from the KRB5RCACHEDIR environment variable, or the TMPDIR environment variable, or a temporary directory determined at configuration time such as /var/tmp, in descending order of preference.
  2. The filename is krb5_EUID.rcache2 where EUID is the effective uid of the process.
  3. The file is opened without following symbolic links, and ownership of the file is verified to match the effective uid.

On Windows, the directory for the dfl type is the local appdata directory, unless overridden by the KRB5RCACHEDIR environment variable. The filename on Windows is krb5.rcache2, and the file is opened normally.

Default replay cache name

The default replay cache name is determined by the following, in descending order of priority:

  1. The KRB5RCACHENAME environment variable (new in release 1.18).
  2. The KRB5RCACHETYPE environment variable. If this variable is set, the residual value is empty.
  3. The default_rcache_name profile variable in [libdefaults] (new in release 1.18).
  4. If none of the above are set, the default replay cache name is dfl:.

Credential cache

A credential cache (or “ccache”) holds Kerberos credentials while they remain valid and, generally, while the user’s session lasts, so that authenticating to a service multiple times (e.g., connecting to a web or mail server more than once) doesn’t require contacting the KDC every time.

A credential cache usually contains one initial ticket which is obtained using a password or another form of identity verification. If this ticket is a ticket-granting ticket, it can be used to obtain additional credentials without the password. Because the credential cache does not store the password, less long-term damage can be done to the user’s account if the machine is compromised.

A credentials cache stores a default client principal name, set when the cache is created. This is the name shown at the top of the klist -A output.

Each normal cache entry includes a service principal name, a client principal name (which, in some ccache types, need not be the same as the default), lifetime information, and flags, along with the credential itself. There are also other entries, indicated by special names, that store additional information.

ccache types

The credential cache interface, like the keytab and replay cache interfaces, uses TYPE:value strings to indicate the type of credential cache and any associated cache naming data to use.

There are several kinds of credentials cache supported in the MIT Kerberos library. Not all are supported on every platform. In most cases, it should be correct to use the default type built into the library.

  1. API is only implemented on Windows. It communicates with a server process that holds the credentials in memory for the user, rather than writing them to disk.

  2. DIR points to the storage location of the collection of the credential caches in FILE: format. It is most useful when dealing with multiple Kerberos realms and KDCs. For release 1.10 the directory must already exist. In post-1.10 releases the requirement is for the parent directory to exist and for the current process to have permission to create the directory if it does not exist. See Collections of caches for details. New in release 1.10. The following residual forms are supported:

    • DIR:dirname
    • DIR::dirpath/filename - a single cache within the directory

    Switching to a ccache of the latter type causes it to become the primary for the directory.

  3. FILE caches are the simplest and most portable. A simple flat file format is used to store one credential after another. This is the default ccache type if no type is specified in a ccache name.

  4. KCM caches work by contacting a daemon process called kcm to perform cache operations. If the cache name is just KCM:, the default cache as determined by the KCM daemon will be used. Newly created caches must generally be named KCM:uid:name, where uid is the effective user ID of the running process.

    KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the KCM cache type is used as the default cache on that platform in a default build.

  5. KEYRING is Linux-specific, and uses the kernel keyring support to store credential data in unswappable kernel memory where only the current user should be able to access it. The following residual forms are supported:

    • KEYRING:name
    • KEYRING:process:name - process keyring
    • KEYRING:thread:name - thread keyring

    Starting with release 1.12 the KEYRING type supports collections. The following new residual forms were added:

    • KEYRING:session:name - session keyring
    • KEYRING:user:name - user keyring
    • KEYRING:persistent:uidnumber - persistent per-UID collection. Unlike the user keyring, this collection survives after the user logs out, until the cache credentials expire. This type of ccache requires support from the kernel; otherwise, it will fall back to the user keyring.

    See Collections of caches for details.

  6. MEMORY caches are for storage of credentials that don’t need to be made available outside of the current process. For example, a memory ccache is used by kadmin to store the administrative ticket used to contact the admin server. Memory ccaches are faster than file ccaches and are automatically destroyed when the process exits.

  7. MSLSA is a Windows-specific cache type that accesses the Windows credential store.

Collections of caches

Some credential cache types can support collections of multiple caches. One of the caches in the collection is designated as the primary and will be used when the collection is resolved as a cache. When a collection-enabled cache type is the default cache for a process, applications can search the specified collection for a specific client principal, and GSSAPI applications will automatically select between the caches in the collection based on criteria such as the target service realm.

Credential cache collections are new in release 1.10, with support from the DIR and API ccache types. Starting in release 1.12, collections are also supported by the KEYRING ccache type. Collections are supported by the KCM ccache type in release 1.13.

Tool alterations to use cache collection

  • kdestroy -A will destroy all caches in the collection.
  • If the default cache type supports switching, kinit princname will search the collection for a matching cache and store credentials there, or will store credentials in a new unique cache of the default type if no existing cache for the principal exists. Either way, kinit will switch to the selected cache.
  • klist -l will list the caches in the collection.
  • klist -A will show the content of all caches in the collection.
  • kswitch -p princname will search the collection for a matching cache and switch to it.
  • kswitch -c cachename will switch to a specified cache.

Default ccache name

The default credential cache name is determined by the following, in descending order of priority:

  1. The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
  2. The default_ccache_name profile variable in [libdefaults].
  3. The hardcoded default, DEFCCNAME.
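
As an added example (not code from MIT Kerberos and not part of this documentation), the C functions below split a TYPE:value name into its type and residual, classify it against the ccache types listed above, and resolve the default name by the three-step priority just given. The split rule is the one stated for ccache names: a name with no colon has no type prefix and is treated as FILE, and everything after the first colon is the residual, so DIR::dirpath/filename and KEYRING:persistent:uidnumber keep their inner colons. Keytab and replay cache names use the same TYPE:value shape, so the split applies to them as well. Treating an empty KRB5CCNAME as unset, and rejecting unknown KEYRING anchors, are choices of this example. DEFCCNAME is compile-time, so a placeholder stands in for it.

```c
#include <stdio.h>
#include <string.h>

/* Classification of a ccache name against the types listed above. */
enum cc_kind {
    CC_BAD_RESIDUAL = -2,
    CC_UNKNOWN_TYPE = -1,
    CC_API = 0,
    CC_DIR_COLLECTION,   /* DIR:dirname */
    CC_DIR_SINGLE,       /* DIR::dirpath/filename */
    CC_FILE,
    CC_KCM,
    CC_KEYRING,
    CC_MEMORY,
    CC_MSLSA
};

/* Residual of "TYPE:residual"; the whole string when there is no type
 * prefix (which means FILE). Later colons belong to the residual. */
const char *ccache_residual(const char *name)
{
    const char *colon = strchr(name, ':');

    return colon == NULL ? name : colon + 1;
}

/* Copy the type prefix into buf, "FILE" when there is none.
 * Returns 0, or -1 if the prefix does not fit in buf. */
int ccache_type(const char *name, char *buf, size_t buflen)
{
    const char *colon = strchr(name, ':');
    const char *src = colon == NULL ? "FILE" : name;
    size_t n = colon == NULL ? 4 : (size_t)(colon - name);

    if (n + 1 > buflen)
        return -1;
    memcpy(buf, src, n);
    buf[n] = '\0';
    return 0;
}

/* Anchors accepted in the KEYRING:anchor:name forms listed above. */
static int keyring_anchor_ok(const char *anchor, size_t len)
{
    static const char *const anchors[] = { "process", "thread", "session",
                                           "user", "persistent" };
    size_t i;

    for (i = 0; i < sizeof(anchors) / sizeof(anchors[0]); i++)
        if (strlen(anchors[i]) == len && strncmp(anchor, anchors[i], len) == 0)
            return 1;
    return 0;
}

enum cc_kind classify_ccache_name(const char *name)
{
    char type[16];
    const char *res = ccache_residual(name);
    const char *colon;

    if (ccache_type(name, type, sizeof(type)) != 0)
        return CC_UNKNOWN_TYPE;
    /* ccache type names are upper case (replay cache types are lower
     * case), so the comparison is exact. */
    if (strcmp(type, "API") == 0)
        return CC_API;
    if (strcmp(type, "FILE") == 0)
        return *res == '\0' ? CC_BAD_RESIDUAL : CC_FILE;
    if (strcmp(type, "MEMORY") == 0)
        return CC_MEMORY;
    if (strcmp(type, "MSLSA") == 0)
        return CC_MSLSA;
    if (strcmp(type, "KCM") == 0)
        return CC_KCM;            /* "KCM:" alone selects the daemon's default */
    if (strcmp(type, "DIR") == 0) {
        if (*res == '\0')
            return CC_BAD_RESIDUAL;
        return *res == ':' ? CC_DIR_SINGLE : CC_DIR_COLLECTION;
    }
    if (strcmp(type, "KEYRING") == 0) {
        if (*res == '\0')
            return CC_BAD_RESIDUAL;
        colon = strchr(res, ':');
        if (colon == NULL)
            return CC_KEYRING;    /* KEYRING:name */
        if (!keyring_anchor_ok(res, (size_t)(colon - res)) || colon[1] == '\0')
            return CC_BAD_RESIDUAL;
        return CC_KEYRING;
    }
    return CC_UNKNOWN_TYPE;
}

/* Default ccache name by the documented priority: KRB5CCNAME, then the
 * default_ccache_name profile variable, then the built-in DEFCCNAME.
 * NULL or empty means unset (empty-means-unset is this example's choice). */
const char *default_ccache_name(const char *env_krb5ccname,
                                const char *profile_value,
                                const char *builtin_default)
{
    if (env_krb5ccname != NULL && *env_krb5ccname != '\0')
        return env_krb5ccname;
    if (profile_value != NULL && *profile_value != '\0')
        return profile_value;
    return builtin_default;
}
```

A practical consequence of the split rule: a Windows-style path such as C:\krb5cc would parse as type C, which is why typed names are safest when a path is intended.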

stash file

The stash file is a local copy of the master key that resides in encrypted form on the KDC’s local disk. The stash file is used to authenticate the KDC to itself automatically before starting the kadmind and krb5kdc daemons (e.g., as part of the machine’s boot sequence). The stash file, like the keytab file (see The keytab file), is a potential point-of-entry for a break-in, and if compromised, would allow unrestricted access to the Kerberos database. If you choose to install a stash file, it should be readable only by root, and should exist only on the KDC’s local disk. The file should not be part of any backup of the machine, unless access to the backup data is secured as tightly as access to the master password itself.

Note

If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. This means that the KDC will not be able to start automatically, such as after a system reboot.


keytab

A keytab (short for “key table”) stores long-term keys for one or more principals. Keytabs are normally represented by files in a standard format, although in rare cases they can be represented in other ways. Keytabs are used most often to allow server applications to accept authentications from clients, but can also be used to obtain initial credentials for client applications.

Keytabs are named using the format type:value. Usually type is FILE and value is the absolute pathname of the file. The other possible value for type is MEMORY, which indicates a temporary keytab stored in the memory of the current process.

A keytab contains one or more entries, where each entry consists of a timestamp (indicating when the entry was written to the keytab), a principal name, a key version number, an encryption type, and the encryption key itself.

A keytab can be displayed using the klist command with the -k option. Keytabs can be created or appended to by extracting keys from the KDC database using the kadmin ktadd command. Keytabs can be manipulated using the ktutil and k5srvutil commands.

Default keytab

The default keytab is used by server applications if the application does not request a specific keytab. The name of the default keytab is determined by the following, in decreasing order of preference:

  1. The KRB5_KTNAME environment variable.
  2. The default_keytab_name profile variable in [libdefaults].
  3. The hardcoded default, DEFKTNAME.

Default client keytab

The default client keytab is used, if it is present and readable, to automatically obtain initial credentials for GSSAPI client applications. The principal name of the first entry in the client keytab is used by default when obtaining initial credentials. The name of the default client keytab is determined by the following, in decreasing order of preference:

  1. The KRB5_CLIENT_KTNAME environment variable.
  2. The default_client_keytab_name profile variable in [libdefaults].
  3. The hardcoded default, DEFCKTNAME.

MIT Kerberos License information

Copyright © 1985-2021 by the Massachusetts Institute of Technology.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Downloading of this software may constitute an export of cryptographic software from the United States of America that is subject to the United States Export Administration Regulations (EAR), 15 CFR 730-774. Additional laws or regulations may apply. It is the responsibility of the person or entity contemplating export to comply with all applicable export laws and regulations, including obtaining any required license from the U.S. government.

The U.S. government prohibits export of encryption source code to certain countries and individuals, including, but not limited to, the countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and nationals of those countries.

Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. (https://creativecommons.org/licenses/by-sa/3.0/)

Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, FundsXpress, and others.

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.

“Commercial use” means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).


The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:

Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved

WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.

You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you “AS IS” EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.

OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.

OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.


Portions contributed by Matt Crawford crawdad@fnal.gov were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy.

Portions of src/lib/crypto have the following copyright:

Copyright © 1998 by the FundsXpress, INC.

All rights reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of FundsXpress. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. FundsXpress makes no representations about the suitability of this software for any purpose. It is provided “as is” without express or implied warranty.

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.


The implementation of the AES encryption algorithm in src/lib/crypto/builtin/aes has the following copyright:

Copyright © 1998-2013, Brian Gladman, Worcester, UK. All
rights reserved.

The redistribution and use of this software (with or without changes) is allowed without the payment of fees or royalties provided that:

source code distributions include the above copyright notice, this list of conditions and the following disclaimer;

binary distributions include the above copyright notice, this list of conditions and the following disclaimer in their documentation.

This software is provided ‘as is’ with no explicit or implied warranties in respect of its operation, including, but not limited to, correctness and fitness for purpose.


Portions contributed by Red Hat, including the pre-authentication plug-in framework and the NSS crypto implementation, contain the following copyright:

Copyright © 2006 Red Hat, Inc.
Portions copyright © 2006 Massachusetts Institute of Technology
All Rights Reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The bundled verto source code is subject to the following license:

Copyright 2011 Red Hat, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


The MS-KKDCP client implementation has the following copyright:

Copyright 2013,2014 Red Hat, Inc.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in src/lib/gssapi, including the following files:

lib/gssapi/generic/gssapi_err_generic.et
lib/gssapi/mechglue/g_accept_sec_context.c
lib/gssapi/mechglue/g_acquire_cred.c
lib/gssapi/mechglue/g_canon_name.c
lib/gssapi/mechglue/g_compare_name.c
lib/gssapi/mechglue/g_context_time.c
lib/gssapi/mechglue/g_delete_sec_context.c
lib/gssapi/mechglue/g_dsp_name.c
lib/gssapi/mechglue/g_dsp_status.c
lib/gssapi/mechglue/g_dup_name.c
lib/gssapi/mechglue/g_exp_sec_context.c
lib/gssapi/mechglue/g_export_name.c
lib/gssapi/mechglue/g_glue.c
lib/gssapi/mechglue/g_imp_name.c
lib/gssapi/mechglue/g_imp_sec_context.c
lib/gssapi/mechglue/g_init_sec_context.c
lib/gssapi/mechglue/g_initialize.c
lib/gssapi/mechglue/g_inquire_context.c
lib/gssapi/mechglue/g_inquire_cred.c
lib/gssapi/mechglue/g_inquire_names.c
lib/gssapi/mechglue/g_process_context.c
lib/gssapi/mechglue/g_rel_buffer.c
lib/gssapi/mechglue/g_rel_cred.c
lib/gssapi/mechglue/g_rel_name.c
lib/gssapi/mechglue/g_rel_oid_set.c
lib/gssapi/mechglue/g_seal.c
lib/gssapi/mechglue/g_sign.c
lib/gssapi/mechglue/g_store_cred.c
lib/gssapi/mechglue/g_unseal.c
lib/gssapi/mechglue/g_userok.c
lib/gssapi/mechglue/g_utils.c
lib/gssapi/mechglue/g_verify.c
lib/gssapi/mechglue/gssd_pname_to_uid.c
lib/gssapi/mechglue/mglueP.h
lib/gssapi/mechglue/oid_ops.c
lib/gssapi/spnego/gssapiP_spnego.h
lib/gssapi/spnego/spnego_mech.c

and the initial implementation of incremental propagation, including the following new or changed files:

include/iprop_hdr.h
kadmin/server/ipropd_svc.c
lib/kdb/iprop.x
lib/kdb/kdb_convert.c
lib/kdb/kdb_log.c
lib/kdb/kdb_log.h
lib/krb5/error_tables/kdb5_err.et
kprop/kpropd_rpc.c
kprop/kproplog.c

are subject to the following license:

Copyright © 2004 Sun Microsystems, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice:

Copyright © 1983 Regents of the University of California.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license:

Copyright © 2004-2005, Novell, Inc.
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • The copyright holder’s name is not used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Portions funded by Sandia National Laboratory and developed by the University of Michigan’s Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license:

COPYRIGHT © 2006-2007
THE REGENTS OF THE UNIVERSITY OF MICHIGAN
ALL RIGHTS RESERVED

Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any purpose, so long as the name of The University of Michigan is not used in any advertising or publicity pertaining to the use of distribution of this software without specific, written prior authorization. If the above copyright notice or any other identification of the University of Michigan is included in any copy of any portion of this software, then the disclaimer below must also be included.

THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.


The pkcs11.h file included in the PKINIT code has the following license:

Copyright 2006 g10 Code GmbH
Copyright 2006 Andreas Jellinghaus

This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without modifications, as long as this notice is preserved.

This file is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY, to the extent permitted by law; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.


Portions contributed by Apple Inc. are subject to the following license:

Copyright 2004-2008 Apple Inc. All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Apple Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Apple Inc. makes no representations about the suitability of this software for any purpose. It is provided “as is” without express or implied warranty.

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.


The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice:

The OpenLDAP Public License
Version 2.8, 17 August 2003

Redistribution and use of this software and associated documentation (“Software”), with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions in source form must retain copyright statements and notices,
  2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
  3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved. Permission to copy and distribute verbatim copies of this document is granted.


Marked test programs in src/lib/krb5/krb have the following copyright:

Copyright © 2006 Kungliga Tekniska Högskola
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of KTH nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The KCM Mach RPC definition file used on macOS has the following copyright:

Copyright © 2009 Kungliga Tekniska Högskola
(Royal Institute of Technology, Stockholm, Sweden).
All rights reserved.

Portions Copyright © 2009 Apple Inc. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of the Institute nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc have the following copyright and permission notice:

Copyright © 2010, Oracle America, Inc.

All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of the “Oracle America, Inc.” nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Copyright © 2006,2007,2009 NTT (Nippon Telegraph and Telephone Corporation). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer as the first lines of this file unmodified.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY NTT “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Copyright 2000 by Carnegie Mellon University

All Rights Reserved

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Carnegie Mellon University not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


Copyright © 2002 Naval Research Laboratory (NRL/CCS)

Permission to use, copy, modify and distribute this software and its documentation is hereby granted, provided that both the copyright notice and this permission notice appear in all copies of the software, derivative works or modified versions, and any portions thereof.

NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS “AS IS” CONDITION AND DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER RESULTING FROM THE USE OF THIS SOFTWARE.


Copyright © 1991, 1992, 1994 by Cygnus Support.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. Cygnus Support makes no representations about the suitability of this software for any purpose. It is provided “as is” without express or implied warranty.


Copyright © 2006 Secure Endpoints Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


Portions of the implementation of the Fortuna-like PRNG are subject to the following notice:

Copyright © 2005 Marko Kreen
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Copyright © 1994 by the University of Southern California

EXPORT OF THIS SOFTWARE from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute this software and its documentation in source and binary forms is hereby granted, provided that any documentation or other materials related to such distribution or use acknowledge that the software was developed by the University of Southern California.

DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED “AS IS”. The University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not limitation, the University of Southern California MAKES NO REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE. The University of Southern California shall not be held liable for any liability nor for any direct, indirect, or consequential damages with respect to any claim by the user or distributor of the ksu software.


Copyright © 1995
The President and Fellows of Harvard University

This code is derived from software contributed to Harvard by Jeremy Rassen.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

    This product includes software developed by the University of California, Berkeley and its contributors.

  4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Copyright © 2008 by the Massachusetts Institute of Technology.
Copyright 1995 by Richard P. Basch. All Rights Reserved.
Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.

Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Richard P. Basch, Lehman Brothers and M.I.T. make no representations about the suitability of this software for any purpose. It is provided “as is” without express or implied warranty.


The following notice applies to src/lib/krb5/krb/strptime.c and src/include/k5-queue.h.

Copyright © 1997, 1998 The NetBSD Foundation, Inc.
All rights reserved.

This code was contributed to The NetBSD Foundation by Klaus Klein.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.

  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

  3. All advertising materials mentioning features or use of this software must display the following acknowledgement:

    This product includes software developed by the NetBSD Foundation, Inc. and its contributors.

  4. Neither the name of The NetBSD Foundation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The following notice applies to Unicode library files in src/lib/krb5/unicode:

Copyright 1997, 1998, 1999 Computing Research Labs,
New Mexico State University

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


The following notice applies to src/util/support/strlcpy.c:

Copyright © 1998 Todd C. Miller Todd.Miller@courtesan.com

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.


The following notice applies to src/util/profile/argv_parse.c and src/util/profile/argv_parse.h:

Copyright 1999 by Theodore Ts’o.

Permission to use, copy, modify, and distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies. THE SOFTWARE IS PROVIDED “AS IS” AND THEODORE TS’O (THE AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn’t it sick that the U.S. culture of lawsuit-happy lawyers requires this kind of disclaimer?)


The following notice applies to SWIG-generated code in src/util/profile/profile_tcl.c:

Copyright © 1999-2000, The University of Chicago

This file may be freely redistributed without license or fee provided this copyright message remains intact.


The following notice applies to portions of src/lib/rpc and src/include/gssrpc:

Copyright © 2000 The Regents of the University of Michigan. All rights reserved.

Copyright © 2000 Dug Song dugsong@UMICH.EDU. All rights reserved, all wrongs reversed.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Implementations of the MD4 algorithm are subject to the following notice:

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD4 Message Digest Algorithm” in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD4 Message Digest Algorithm” in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.


Implementations of the MD5 algorithm are subject to the following notice:

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message- Digest Algorithm” in all material mentioning or referencing this software or this function.

License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.


The following notice applies to src/lib/crypto/crypto_tests/t_mddriver.c:

Copyright © 1990-2, RSA Data Security, Inc. Created 1990. All rights reserved.

RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.

These notices must be retained in any copies of any part of this documentation and/or software.


Portions of src/lib/krb5 are subject to the following notice:

Copyright © 1994 CyberSAFE Corporation.
Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology.
All Rights Reserved.
Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original M.I.T. software. Neither M.I.T., the Open Computing Security Group, nor CyberSAFE Corporation make any representations about the suitability of this software for any purpose. It is provided “as is” without express or implied warranty.


Portions contributed by PADL Software are subject to the following license:

Copyright (c) 2011, PADL Software Pty Ltd. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  3. Neither the name of PADL Software nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The bundled libev source code is subject to the following license:

All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Alternatively, the contents of this package may be used under the terms of the GNU General Public License (“GPL”) version 2 or any later version, in which case the provisions of the GPL are applicable instead of the above. If you wish to allow the use of your version of this package only under the terms of the GPL and not to allow others to use your version of this file under the BSD license, indicate your decision by deleting the provisions above and replace them with the notice and other provisions required by the GPL in this and the other files of this package. If you do not delete the provisions above, a recipient may use your version of this file under either the BSD or the GPL.


Files copied from the Intel AESNI Sample Library are subject to the following license:

Copyright © 2010, Intel Corporation All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
  • Neither the name of Intel Corporation nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The following notice applies to src/ccapi/common/win/OldCC/autolock.hxx:

Copyright (C) 1998 by Danilo Almeida. All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  • Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  • Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


The following notice applies to portions of src/plugins/preauth/spake/edwards25519.c and src/plugins/preauth/spake/edwards25519_tables.h:

The MIT License (MIT)

Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file).

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.


The following notice applies to portions of src/plugins/preauth/spake/edwards25519.c:

Copyright (c) 2015-2016, Google Inc.

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

krb5-1.19.2/doc/html/mitK5defaults.html

MIT Kerberos defaults — MIT Kerberos Documentation

MIT Kerberos defaults

General defaults

Description                      Default                                                   Environment
-------------------------------  --------------------------------------------------------  ------------------
Keytab file                      DEFKTNAME                                                 KRB5_KTNAME
Client keytab file               DEFCKTNAME                                                KRB5_CLIENT_KTNAME
Kerberos config file krb5.conf   /etc/krb5.conf:SYSCONFDIR/krb5.conf                       KRB5_CONFIG
KDC config file kdc.conf         LOCALSTATEDIR/krb5kdc/kdc.conf                            KRB5_KDC_PROFILE
GSS mechanism config file        SYSCONFDIR/gss/mech                                       GSS_MECH_CONFIG
KDC database path (DB2)          LOCALSTATEDIR/krb5kdc/principal
Master key stash file            LOCALSTATEDIR/krb5kdc/.k5.realm
Admin server ACL file kadm5.acl  LOCALSTATEDIR/krb5kdc/kadm5.acl
OTP socket directory             RUNSTATEDIR/krb5kdc
Plugin base directory            LIBDIR/krb5/plugins
Replay cache directory           /var/tmp                                                  KRB5RCACHEDIR
Master key default enctype       aes256-cts-hmac-sha1-96
Default keysalt list             aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
Permitted enctypes               aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
                                 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128
                                 des3-cbc-sha1 arcfour-hmac-md5
                                 camellia256-cts-cmac camellia128-cts-cmac
KDC default port                 88
Admin server port                749
Password change port             464
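The built-in permitted list above still contains des3-cbc-sha1 and arcfour-hmac-md5, both of which RFC 8429 deprecates, so a deployment that never sets permitted_enctypes in krb5.conf will negotiate them. The following POSIX sh script is an added example, not code from MIT krb5: it looks up the enctype relations in the [libdefaults] section of the files named by KRB5_CONFIG (colon-separated, defaulting to /etc/krb5.conf as in the table), falls back to the built-in default list when nothing is configured, and reports weak entries. Three simplifications are assumptions of this example rather than statements from the page: the first file in the KRB5_CONFIG list that defines a relation wins; default_tgs_enctypes and default_tkt_enctypes fall back to permitted_enctypes when unset; and the krb5 family names des3 and rc4 are matched as written rather than expanded.

```shell
#!/bin/sh
# Added example, not part of MIT krb5: report RFC 8429-deprecated enctypes
# in the effective [libdefaults] enctype lists.

# Built-in "Permitted enctypes" default from the table above (krb5 1.19).
BUILTIN_PERMITTED="aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 \
aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 \
arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac"

# is_weak ENCTYPE: 0 for single-DES, triple-DES and RC4 names, their
# aliases (des3-hmac-sha1, rc4-hmac, arcfour-hmac, ...) and family names.
is_weak() {
    case "$1" in
        des|des-*|des3|des3-*|rc4|rc4-*|arcfour-*) return 0 ;;
        *) return 1 ;;
    esac
}

# libdefaults_value FILE KEY: print the value of "KEY = value" found inside
# the [libdefaults] section of FILE; print nothing if it is absent.
libdefaults_value() {
    awk -v key="$2" '
        /^[ \t]*\[/ { insect = ($0 ~ /^[ \t]*\[libdefaults\][ \t]*$/); next }
        insect && match($0, "^[ \t]*" key "[ \t]*=[ \t]*") {
            print substr($0, RLENGTH + 1); exit
        }' "$1"
}

# effective_value KEY: walk the KRB5_CONFIG list (default /etc/krb5.conf)
# and print the first definition found. Assumption: earlier files win.
effective_value() {
    files=${KRB5_CONFIG:-/etc/krb5.conf}
    oldifs=$IFS; IFS=:
    for f in $files; do
        IFS=$oldifs
        [ -r "$f" ] || continue
        v=$(libdefaults_value "$f" "$1")
        if [ -n "$v" ]; then printf '%s\n' "$v"; return 0; fi
    done
    IFS=$oldifs
    return 1
}

# weak_enctypes KEY: print the weak entries of KEY's effective list, one per
# line; exit 0 if any were found, 1 otherwise. Assumption: an unset
# default_tgs_enctypes/default_tkt_enctypes inherits permitted_enctypes,
# and an unset permitted_enctypes is the built-in list.
weak_enctypes() {
    list=$(effective_value "$1") ||
        list=$(effective_value permitted_enctypes) ||
        list=$BUILTIN_PERMITTED
    list=$(printf '%s\n' "$list" | sed 's/#.*//; s/,/ /g')   # comments, commas
    found=1
    for e in $list; do
        case "$e" in -*) continue ;; esac    # "-name" removes an enctype
        if is_weak "$e"; then printf '%s\n' "$e"; found=0; fi
    done
    return $found
}

# report_weak_enctypes: one line per relation that still admits a weak type.
report_weak_enctypes() {
    for key in permitted_enctypes default_tgs_enctypes default_tkt_enctypes; do
        if w=$(weak_enctypes "$key"); then
            printf '%s: weak enctypes: %s\n' "$key" "$(printf '%s' "$w" | tr '\n' ' ')"
        fi
    done
}

report_weak_enctypes
```

Run it on a KDC or client host as-is, or point KRB5_CONFIG at a configuration you are reviewing. Fixing a finding means listing only the AES and Camellia types in permitted_enctypes, after confirming no principal still depends on RC4 or 3DES keys.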

Replica KDC propagation defaults

This table shows defaults used by the kprop and kpropd programs.

Description                 Default                                   Environment
--------------------------  ----------------------------------------  -----------
kprop database dump file    LOCALSTATEDIR/krb5kdc/replica_datatrans
kpropd temporary dump file  LOCALSTATEDIR/krb5kdc/from_master
kdb5_util location          SBINDIR/kdb5_util
kprop location              SBINDIR/kprop
kpropd ACL file             LOCALSTATEDIR/krb5kdc/kpropd.acl
kprop port                  754                                       KPROP_PORT

Default paths for Unix-like systems

On Unix-like systems, some paths used by MIT krb5 depend on parameters chosen at build time. For a custom build, these paths default to subdirectories of /usr/local. When MIT krb5 is integrated into an operating system, the paths are generally chosen to match the operating system’s filesystem layout.

Description                Symbolic name  Custom build path        Typical OS path
-------------------------  -------------  -----------------------  -----------------------
User programs              BINDIR         /usr/local/bin           /usr/bin
Libraries and plugins      LIBDIR         /usr/local/lib           /usr/lib
Parent of KDC state dir    LOCALSTATEDIR  /usr/local/var           /var
Parent of KDC runtime dir  RUNSTATEDIR    /usr/local/var/run       /run
Administrative programs    SBINDIR        /usr/local/sbin          /usr/sbin
Alternate krb5.conf dir    SYSCONFDIR     /usr/local/etc           /etc
Default ccache name        DEFCCNAME      FILE:/tmp/krb5cc_%{uid}  FILE:/tmp/krb5cc_%{uid}
Default keytab name        DEFKTNAME      FILE:/etc/krb5.keytab    FILE:/etc/krb5.keytab

The default client keytab name (DEFCKTNAME) typically defaults to FILE:/usr/local/var/krb5/user/%{euid}/client.keytab for a custom build. A native build will typically use a path which will vary according to the operating system’s layout of /var.
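Several of the paths in these tables hold long-term keys (the keytab, and the master key stash file .k5.REALM under LOCALSTATEDIR/krb5kdc), and two more decide KDC policy and who may administer it (kdc.conf and kadm5.acl). The POSIX sh script below is an added example, not code from MIT krb5, that resolves those files the way the tables describe (KRB5_KTNAME and KRB5_KDC_PROFILE override the defaults; the typical OS layout of /etc and /var is assumed, with an optional argument to override LOCALSTATEDIR/krb5kdc) and checks their permission bits: key material must have no group or other bits at all, and the policy files must not be writable by group or other. Ownership is deliberately not checked (assumption: you run it as the account that owns the KDC files); the "FILE:" type prefix handling and the ls-based bit extraction are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of MIT krb5: audit permission bits on the files
# the defaults tables locate. Paths assume the "typical OS" layout.

# strip_type NAME: drop a leading "FILE:" keytab type, leaving the pathname.
strip_type() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# group_other_bits FILE: the six group/other permission characters from
# ls -l, e.g. "r--r--" for mode 0644 (portable across GNU and BSD, unlike
# the differing stat(1) syntaxes).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# check_file FILE strict|nowrite: 0 if FILE exists and satisfies the policy
# (strict: no group/other bits at all; nowrite: no group/other write bit),
# 1 if it is too permissive, 2 if it is missing. Prints one verdict line.
check_file() {
    f=$1; policy=$2
    if [ ! -e "$f" ]; then
        printf 'MISSING  %s\n' "$f"; return 2
    fi
    bits=$(group_other_bits "$f")
    case "$policy:$bits" in
        strict:------) printf 'OK       %s\n' "$f"; return 0 ;;
        strict:*)      printf 'EXPOSED  %s (group/other: %s)\n' "$f" "$bits"; return 1 ;;
        nowrite:?w*|nowrite:????w*)
                       printf 'WRITABLE %s (group/other: %s)\n' "$f" "$bits"; return 1 ;;
        nowrite:*)     printf 'OK       %s\n' "$f"; return 0 ;;
    esac
}

# audit_kdc [STATEDIR]: run check_file over the keytab, kdc.conf, kadm5.acl
# and every master key stash file (.k5.REALM) in STATEDIR. Returns the
# number of files that failed, so 0 means clean.
audit_kdc() {
    statedir=${1:-/var/krb5kdc}            # LOCALSTATEDIR/krb5kdc
    bad=0
    check_file "$(strip_type "${KRB5_KTNAME:-FILE:/etc/krb5.keytab}")" strict || bad=$((bad + 1))
    check_file "${KRB5_KDC_PROFILE:-$statedir/kdc.conf}" nowrite || bad=$((bad + 1))
    check_file "$statedir/kadm5.acl" nowrite || bad=$((bad + 1))
    for stash in "$statedir"/.k5.*; do
        [ -e "$stash" ] || continue         # glob matched nothing
        check_file "$stash" strict || bad=$((bad + 1))
    done
    return "$bad"
}
```

Call audit_kdc with no argument on a host built for the typical OS layout, or pass /usr/local/var/krb5kdc for a custom build; a non-zero exit status is the count of files to fix.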

krb5-1.19.2/doc/html/build/index.html

Building Kerberos V5 — MIT Kerberos Documentation

Building Kerberos V5

This section details how to build and install MIT Kerberos software from the source.

Prerequisites

In order to build Kerberos V5, you will need approximately 60-70 megabytes of disk space. The exact amount will vary depending on the platform and whether the distribution is compiled with debugging symbol tables or not.

Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”). Some operating systems do not have an ANSI C compiler, or their default compiler requires extra command-line options to enable ANSI C conformance.

If you wish to keep a separate build tree, which contains the compiled *.o file and executables, separate from your source tree, you will need a make program which supports VPATH, or you will need to use a tool such as lndir to produce a symbolic link tree for your build tree.

Obtaining the software

The source code can be obtained from the MIT Kerberos Distribution page, at https://kerberos.org/dist/index.html. The MIT Kerberos distribution comes in an archive file, generally named krb5-VERSION-signed.tar, where VERSION is a placeholder for the major and minor versions of MIT Kerberos. (For example, MIT Kerberos 1.9 has major version “1” and minor version “9”.)

The krb5-VERSION-signed.tar contains a compressed tar file consisting of the sources for all of Kerberos (generally named krb5-VERSION.tar.gz) and a PGP signature file for this source tree (generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that you verify the integrity of the source code using this signature, e.g., by running:

tar xf krb5-VERSION-signed.tar
gpg --verify krb5-VERSION.tar.gz.asc

Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume that you have chosen /u1/krb5-VERSION as the top directory of the distribution.

Review the README file for the license, copyright and other information specific to the distribution.

krb5-1.19.2/doc/html/build/doing_build.html

Doing the build — MIT Kerberos Documentation

Doing the build

Building within a single tree

If you only need to build Kerberos for one platform, using a single directory tree which contains both the source files and the object files is the simplest. However, if you need to maintain Kerberos for a large number of platforms, you will probably want to use separate build trees for each platform. We recommend that you look at OS Incompatibilities, for notes that we have on particular operating systems.

If you don’t want separate build trees for each architecture, then use the following abbreviated procedure:

cd /u1/krb5-VERSION/src
./configure
make

That’s it!

Building with separate build directories

If you wish to keep separate build directories for each platform, you can do so using the following procedure. (Note, this requires that your make program support VPATH. GNU’s make will provide this functionality, for example.) If your make program does not support this, see the next section.

For example, if you wish to store the binaries in tmpbuild build directory you might use the following procedure:

mkdir /u1/tmpbuild
cd /u1/tmpbuild
/u1/krb5-VERSION/src/configure
make

Building using lndir

If you wish to keep separate build directories for each platform, and you do not have access to a make program which supports VPATH, all is not lost. You can use the lndir program to create symbolic link trees in your build directory.

For example, if you wish to create a build directory for solaris binaries you might use the following procedure:

mkdir /u1/krb5-VERSION/solaris
cd /u1/krb5-VERSION/solaris
/u1/krb5-VERSION/src/util/lndir `pwd`/../src
./configure
make

You must give an absolute pathname to lndir because it has a bug that makes it fail for relative pathnames. Note that this version differs from the latest version as distributed and installed by the XConsortium with X11R6. Either version should be acceptable.

Installing the binaries

Once you have built Kerberos, you should install the binaries. You can do this by running:

make install

If you want to install the binaries into a destination directory that is not their final destination, which may be convenient if you want to build a binary distribution to be deployed on multiple hosts, you may use:

make install DESTDIR=/path/to/destdir

This will install the binaries under DESTDIR/PREFIX, e.g., the user programs will install into DESTDIR/PREFIX/bin, the libraries into DESTDIR/PREFIX/lib, etc. DESTDIR must be an absolute path.

Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds with GNU make only; they may not be compatible with other parallel build implementations.

Testing the build

The Kerberos V5 distribution comes with built-in regression tests. To run them, simply type the following command while in the top-level build directory (i.e., the directory where you typed make to start building Kerberos; see Building within a single tree):

make check

However, there are several prerequisites that must be satisfied first:

  • Configure and build Kerberos with Tcl support. Tcl is used to drive the test suite. This often means passing --with-tcl to configure to tell it the location of the Tcl configuration script. (See Options to configure.)
  • In addition to Tcl, DejaGnu must be available on the system for some of the tests to run. The test suite will still run the other tests if DejaGnu is not present, but the test coverage will be reduced accordingly.
  • On some operating systems, you have to run make install before running make check, or the test suite will pick up installed versions of Kerberos libraries rather than the newly built ones. You can install into a prefix that isn’t in the system library search path, though. Alternatively, you can configure with --disable-rpath, which renders the build tree less suitable for installation, but allows testing without interference from previously installed libraries.

There are additional regression tests available, which are not run by make check. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at https://k5wiki.kerberos.org/wiki/Manual_Testing.
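The steps from Obtaining the software through Testing the build can be combined into one script. The POSIX sh below is an added example, not part of the MIT krb5 distribution, and it adds three things the text leaves to the reader: the tarball is only unpacked when the detached signature was made by a key whose fingerprint you obtained out of band (the exit status of gpg --verify alone is 0 for a good signature from any key in your keyring, so the script reads gpg's --status-fd output and requires the expected fingerprint on the VALIDSIG line); the separate-build-directory procedure passes hardening flags through the CFLAGS and LDFLAGS variables that configure honours; and the DESTDIR install refuses a relative path, as the text requires. Assumptions of the example: a GNU toolchain (the -z relro,-z now linker flags), gpg in PATH, KRB5_SIGNING_FPR as a placeholder for the fingerprint you have verified (no real fingerprint is asserted here), and a TCLPATH argument only when the Tcl-driven make check is wanted.

```shell
#!/bin/sh
# Added example, not part of MIT krb5: verify, build with hardening flags,
# and stage into an absolute DESTDIR.

# is_abs_path PATH: 0 if PATH starts with "/" ("make install DESTDIR=..."
# requires an absolute path).
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# signature_fingerprint_ok FPR STATUSFILE: gpg --status-fd writes
# "[GNUPG:] VALIDSIG <signing-key-fpr> ... <primary-key-fpr>" only for a
# good signature by a key in the keyring. Requiring FPR on that line rules
# out "good signature, but by some other key", which the plain exit status
# of gpg --verify does not. Either fingerprint on the line is accepted.
signature_fingerprint_ok() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            for (i = 3; i <= NF; i++) if ($i == fpr) found = 1
        }
        END { exit !found }' "$2"
}

# verify_and_unpack SIGNED_TAR FPR: unpack krb5-VERSION-signed.tar, check
# krb5-VERSION.tar.gz.asc over krb5-VERSION.tar.gz against FPR, and only
# then extract the sources.
verify_and_unpack() {
    tar xf "$1" || return 1
    tgz=$(basename "$1" -signed.tar).tar.gz        # krb5-VERSION.tar.gz
    status=$(mktemp) || return 1
    gpg --status-fd 1 --verify "$tgz.asc" "$tgz" >"$status" 2>/dev/null
    signature_fingerprint_ok "$2" "$status"; ok=$?
    rm -f "$status"
    if [ "$ok" -ne 0 ]; then
        echo "refusing to unpack: $tgz.asc is not a valid signature by $2" >&2
        return 1
    fi
    tar xzf "$tgz"
}

# build_hardened SRCDIR BUILDDIR PREFIX [TCLPATH]: the separate build
# directory procedure, in a subshell so the caller's cwd is untouched.
# make check runs only when TCLPATH is given (the tests need --with-tcl).
build_hardened() {
    (
        mkdir -p "$2" && cd "$2" || exit 1
        CFLAGS="-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2" \
        LDFLAGS="-Wl,-z,relro,-z,now" \
        "$1/src/configure" --prefix="$3" ${4:+--with-tcl="$4"} || exit 1
        make || exit 1
        [ -z "$4" ] || make check
    )
}

# install_to_destdir BUILDDIR DESTDIR: stage the tree under DESTDIR/PREFIX.
install_to_destdir() {
    is_abs_path "$2" || { echo "DESTDIR must be absolute: $2" >&2; return 1; }
    make -C "$1" install DESTDIR="$2"
}

# Typical use (not executed when this file is sourced):
#   verify_and_unpack krb5-1.19.2-signed.tar "$KRB5_SIGNING_FPR" &&
#   build_hardened "$PWD/krb5-1.19.2" /u1/tmpbuild /opt/krb5 /usr &&
#   install_to_destdir /u1/tmpbuild /tmp/krb5-stage
```

The staged tree under /tmp/krb5-stage can then be packaged for the hosts it is deployed to, which is the DESTDIR use case the text describes.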

Cleaning up the build

  • Use make clean to remove all files generated by running the make command.
  • Use make distclean to remove all files generated by running the ./configure script. After running make distclean your source tree (ideally) should look like the raw (just un-tarred) source tree.

Using autoconf

(If you are not a developer, you can ignore this section.)

In the Kerberos V5 source directory, there is a configure script which automatically determines the compilation environment and creates the proper Makefiles for a particular platform. This configure script is generated using autoconf, which you should already have installed if you will be making changes to src/configure.in.

Normal users will not need to worry about running autoconf; the distribution comes with the configure script already prebuilt.

The autoconf package comes with a script called autoreconf that will automatically run autoconf and autoheader as needed. You should run autoreconf from the top source directory, e.g.:

cd /u1/krb5-VERSION/src
autoreconf --verbose
krb5-1.19.2/doc/html/build/osconf.html

osconf.hin — MIT Kerberos Documentation

osconf.hin

There is one configuration file which you may wish to edit to control various compile-time parameters in the Kerberos distribution:

include/osconf.hin

The list that follows is by no means complete, just some of the more interesting variables.

DEFAULT_PROFILE_PATH
The pathname to the file which contains the profiles for the known realms, their KDCs, etc. The default value is /etc/krb5.conf.
DEFAULT_KEYTAB_NAME
The type and pathname to the default server keytab file. The default is DEFKTNAME.
DEFAULT_KDC_ENCTYPE
The default encryption type for the KDC database master key. The default value is aes256-cts-hmac-sha1-96.
RCTMPDIR
The directory which stores replay caches. The default is /var/tmp.
DEFAULT_KDB_FILE
The location of the default database. The default value is LOCALSTATEDIR/krb5kdc/principal.
krb5-1.19.2/doc/html/build/directory_org.html

Organization of the source directory — MIT Kerberos Documentation

Organization of the source directory

Below is a brief overview of the organization of the complete source directory. More detailed descriptions follow.

appl Kerberos application client and server programs
ccapi Credential cache services
clients Kerberos V5 user programs (See User commands)
config Configure scripts
config-files Sample Kerberos configuration files
include include files needed to build the Kerberos system
kadmin Administrative interface to the Kerberos database: kadmin, kdb5_util, ktutil.
kdc Kerberos V5 Authentication Service and Key Distribution Center
lib Libraries for use with/by Kerberos V5
plugins Kerberos plugins directory
po Localization infrastructure
prototype Templates files containing the MIT copyright message and a placeholder for the title and description of the file.
kprop Utilities for propagating the database to replica KDCs kprop and kpropd
tests Test suite
util Various utilities for building/configuring the code, sending bug reports, etc.
windows Source code for building Kerberos V5 on Windows (see windows/README)

lib

The lib directory contains several subdirectories as well as some definition and glue files.

  • The apputils directory contains the code for the generic network servicing.
  • The crypto subdirectory contains the Kerberos V5 encryption library.
  • The gssapi library contains the Generic Security Services API, which is a library of commands to be used in secure client-server communication.
  • The kadm5 directory contains the libraries for the KADM5 administration utilities.
  • The Kerberos 5 database libraries are contained in kdb.
  • The krb5 directory contains Kerberos 5 API.
  • The rpc directory contains the API for the Kerberos Remote Procedure Call protocol.

util

The util directory contains several utility programs and libraries.
  • the programs used to configure and build the code, such as autoconf, lndir, kbuild, reconf, and makedepend, are in this directory.
  • the profile directory contains most of the functions which parse the Kerberos configuration files (krb5.conf and kdc.conf).
  • the Kerberos error table library and utilities (et);
  • the Sub-system library and utilities (ss);
  • database utilities (db2);
  • pseudo-terminal utilities (pty);
  • bug-reporting program send-pr;
  • a generic support library support used by several of our other libraries;
  • the build infrastructure for building lightweight Kerberos client (collected-client-lib)
  • the tool for validating Kerberos configuration files (confvalidator);
  • the toolkit for kernel integrators for building krb5 code subsets (gss-kernel-lib);
  • source code for building Kerberos V5 on MacOS (mac)
  • Windows getopt operations (windows)
krb5-1.19.2/doc/html/build/options2configure.html

Options to configure — MIT Kerberos Documentation

Options to configure

There are a number of options to configure which you can use to control how the Kerberos distribution is built.

Most commonly used options

--help
Provides help to configure. This will list the set of commonly used options for building Kerberos.
--prefix=PREFIX
By default, Kerberos will install the package’s files rooted at /usr/local. If you desire to place the binaries into the directory PREFIX, use this option.
--exec-prefix=EXECPREFIX
This option allows one to separate the architecture-independent programs from the host-dependent files (configuration files, manual pages). Use this option to install architecture-dependent programs in EXECPREFIX. The default location is the value specified by the --prefix option.
--localstatedir=LOCALSTATEDIR
This option sets the directory for locally modifiable single-machine data. In Kerberos, this mostly is useful for setting a location for the KDC data files, as they will be installed in LOCALSTATEDIR/krb5kdc, which is by default PREFIX/var/krb5kdc.
--with-netlib[=libs]
Allows for suppression of or replacement of network libraries. By default, Kerberos V5 configuration will look for -lnsl and -lsocket. If your operating system has a broken resolver library or fails to pass the tests in src/tests/resolv, you will need to use this option.
--with-tcl=TCLPATH
Some of the unit-tests in the build tree rely upon using a program in Tcl. The directory specified by TCLPATH specifies where the Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl library (TCLPATH/lib) should be found.
--enable-dns-for-realm
Enable the use of DNS to look up a host’s Kerberos realm, if the information is not provided in krb5.conf. See Mapping hostnames onto Kerberos realms for information about using DNS to determine the default realm. DNS lookups for realm names are disabled by default.
--with-system-et

Use an installed version of the error-table (et) support software, the compile_et program, the com_err.h header file and the com_err library. If these are not in the default locations, you may wish to specify CPPFLAGS=-I/some/dir and LDFLAGS=-L/some/other/dir options at configuration time as well.

If this option is not given, a version supplied with the Kerberos sources will be built and installed along with the rest of the Kerberos tree, for Kerberos applications to link against.

--with-system-ss

Use an installed version of the subsystem command-line interface software, the mk_cmds program, the ss/ss.h header file and the ss library. If these are not in the default locations, you may wish to specify CPPFLAGS=-I/some/dir and LDFLAGS=-L/some/other/dir options at configuration time as well. See also the SS_LIB option.

If this option is not given, the ss library supplied with the Kerberos sources will be compiled and linked into those programs that need it; it will not be installed separately.

--with-system-db

Use an installed version of the Berkeley DB package, which must provide an API compatible with version 1.85. This option is unsupported and untested. In particular, we do not know if the database-rename code used in the dumpfile load operation will behave properly.

If this option is not given, a version supplied with the Kerberos sources will be built and installed. (We are not updating this version at this time because of licensing issues with newer versions that we haven’t investigated sufficiently yet.)

Environment variables

CC=COMPILER
Use COMPILER as the C compiler.
CFLAGS=FLAGS
Use FLAGS as the default set of C compiler flags.
CPP=CPP
C preprocessor to use. (e.g., CPP='gcc -E')
CPPFLAGS=CPPOPTS
Use CPPOPTS as the default set of C preprocessor flags. The most common use of this option is to select certain #define’s for use with the operating system’s include files.
DB_HEADER=headername
If db.h is not the correct header file to include to compile against the Berkeley DB 1.85 API, specify the correct header file name with this option. For example, DB_HEADER=db3/db_185.h.
DB_LIB=libs
If -ldb is not the correct library specification for the Berkeley DB library version to be used, override it with this option. For example, DB_LIB=-ldb-3.3.
DEFCCNAME=ccachename
Override the built-in default credential cache name. For example, DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache See Parameter expansion for information about supported parameter expansions.
DEFCKTNAME=keytabname
Override the built-in default client keytab name. The format is the same as for DEFCCNAME.
DEFKTNAME=keytabname
Override the built-in default keytab name. The format is the same as for DEFCCNAME.
LD=LINKER
Use LINKER as the default loader if it should be different from the C compiler specified above.
LDFLAGS=LDOPTS
This option informs the linker where to get additional libraries (e.g., -L<lib dir>).
LIBS=LDNAME
This option allows one to specify libraries to be passed to the linker (e.g., -l<library>).
SS_LIB=libs

If -lss is not the correct way to link in your installed ss library, for example if additional support libraries are needed, specify the correct link options here. Some variants of this library are around which allow for Emacs-like line editing, but different versions require different support libraries to be explicitly specified.

This option is ignored if --with-system-ss is not specified.

YACC
The ‘Yet Another Compiler Compiler’ (yacc) implementation to use. Defaults to the first program found out of: ‘bison -y’, ‘byacc’, ‘yacc’.
YFLAGS
The list of arguments that will be passed by default to $YACC. This script will default YFLAGS to the empty string to avoid a default value of -d given by some make applications.
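The DEFCCNAME, DEFCKTNAME and DEFKTNAME variables above take names containing %{...} tokens, so one build-time default can yield a different cache or keytab path for every user. The following is an added example, not code from the krb5 sources, that expands the Unix parameters named in the krb5 "Parameter expansion" documentation (%{uid}, %{euid}, %{USERID}, %{username}, %{TEMP}, %{LIBDIR}, %{BINDIR}, %{SBINDIR}, %{null}). The parameter values are passed in by the caller rather than read from the running process so the result is deterministic; the rule that an unknown parameter is an error and that a bare % is copied literally is my reading of libkrb5's behaviour, not something this page states. The uses_user_parameter() check is the practitioner's sanity test: a default cache name with no per-user token is one path shared by every account on the host.

```python
import re

# Token syntax from the krb5 "Parameter expansion" documentation: %{NAME}.
# A '%' that is not followed by '{' is left alone (assumed to match libkrb5).
PARAM_RE = re.compile(r"%\{([^}]*)\}")

# Parameters that distinguish one user from another; a default cache name
# without one of these is a single path shared by every user on the host.
USER_PARAMS = {"uid", "euid", "USERID", "username"}


def unix_env(uid, username, euid=None, temp="/tmp",
             libdir="/usr/lib", bindir="/usr/bin", sbindir="/usr/sbin"):
    """Value table for the Unix parameters.  Values are supplied by the
    caller instead of being read from the process so results are repeatable."""
    return {
        "uid": uid,
        "euid": uid if euid is None else euid,
        "username": username,
        "TEMP": temp,
        "LIBDIR": libdir,
        "BINDIR": bindir,
        "SBINDIR": sbindir,
    }


def expand_params(template, env):
    """Expand %{NAME} tokens in a ccache or keytab name.

    %{USERID} is an alias for %{uid} and %{null} is the empty string, as the
    krb5 documentation states.  An unknown parameter raises ValueError
    (assumption: libkrb5 refuses such a name rather than guessing a value).
    """
    def repl(match):
        name = match.group(1)
        if name == "null":
            return ""
        if name == "USERID":
            name = "uid"
        if name not in env:
            raise ValueError("unknown parameter %%{%s}" % match.group(1))
        return str(env[name])

    return PARAM_RE.sub(repl, template)


def uses_user_parameter(template):
    """True if the expanded name varies per user, so users cannot collide."""
    return any(name in USER_PARAMS for name in PARAM_RE.findall(template))


if __name__ == "__main__":
    env = unix_env(uid=1000, username="alice")
    for name in ("DIR:/var/run/user/%{USERID}/ccache",
                 "FILE:%{TEMP}/krb5cc_%{uid}",
                 "FILE:/etc/krb5.keytab"):
        print(name, "->", expand_params(name, env),
              "(per-user)" if uses_user_parameter(name) else "(shared)")
```

Running the block prints the expansion of the DEFCCNAME value shown above for uid 1000 and flags the keytab default, which has no user token, as a shared path; that is correct for a host keytab but would be a finding for a credential cache default.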

Fine tuning of the installation directories

--bindir=DIR
User executables. Defaults to EXECPREFIX/bin, where EXECPREFIX is the path specified by --exec-prefix configuration option.
--sbindir=DIR
System admin executables. Defaults to EXECPREFIX/sbin, where EXECPREFIX is the path specified by --exec-prefix configuration option.
--sysconfdir=DIR
Read-only single-machine data such as krb5.conf. Defaults to PREFIX/etc, where PREFIX is the path specified by --prefix configuration option.
--libdir=DIR
Object code libraries. Defaults to EXECPREFIX/lib, where EXECPREFIX is the path specified by --exec-prefix configuration option.
--includedir=DIR
C header files. Defaults to PREFIX/include, where PREFIX is the path specified by --prefix configuration option.
--datarootdir=DATAROOTDIR
Read-only architecture-independent data root. Defaults to PREFIX/share, where PREFIX is the path specified by --prefix configuration option.
--datadir=DIR
Read-only architecture-independent data. Defaults to path specified by --datarootdir configuration option.
--localedir=DIR
Locale-dependent data. Defaults to DATAROOTDIR/locale, where DATAROOTDIR is the path specified by --datarootdir configuration option.
--mandir=DIR
Man documentation. Defaults to DATAROOTDIR/man, where DATAROOTDIR is the path specified by --datarootdir configuration option.

Program names

--program-prefix=PREFIX
Prepend PREFIX to the names of the programs when installing them. For example, specifying --program-prefix=mit- at the configure time will cause the program named abc to be installed as mit-abc.
--program-suffix=SUFFIX
Append SUFFIX to the names of the programs when installing them. For example, specifying --program-suffix=-mit at the configure time will cause the program named abc to be installed as abc-mit.
--program-transform-name=PROGRAM
Run sed -e PROGRAM on installed program names. (PROGRAM is a sed script).

System types

--build=BUILD
Configure for building on BUILD (e.g., --build=x86_64-linux-gnu).
--host=HOST
Cross-compile to build programs to run on HOST (e.g., --host=x86_64-linux-gnu). By default, Kerberos V5 configuration uses the value given for the --build option.

Optional features

--disable-option-checking
Ignore unrecognized --enable/--with options.
--disable-FEATURE
Do not include FEATURE (same as --enable-FEATURE=no).
--enable-FEATURE[=ARG]
Include FEATURE [ARG=yes].
--enable-maintainer-mode
Enable rebuilding of source files, Makefiles, etc.
--disable-delayed-initialization
Initialize library code when loaded. Defaults to delay until first use.
--disable-thread-support
Don’t enable thread support. Defaults to enabled.
--disable-rpath
Suppress run path flags in link lines.
--enable-athena
Build with MIT Project Athena configuration.
--disable-kdc-lookaside-cache
Disable the cache which detects client retransmits.
--disable-pkinit
Disable PKINIT plugin support.
--disable-aesni
Disable support for using AES instructions on x86 platforms.
--enable-asan[=ARG]
Enable building with asan memory error checking. If ARG is given, it controls the -fsanitize compilation flag value (the default is “address”).

Optional packages

--with-PACKAGE[=ARG]
Use PACKAGE (e.g., --with-imap). The default value of ARG is yes.
--without-PACKAGE
Do not use PACKAGE (same as --with-PACKAGE=no) (e.g., --without-libedit).
--with-size-optimizations
Enable a few optimizations to reduce code size possibly at some run-time cost.
--with-system-et
Use the com_err library and compile_et utility that are already installed on the system, instead of building and installing local versions.
--with-system-ss
Use the ss library and mk_cmds utility that are already installed on the system, instead of building and using private versions.
--with-system-db
Use the Berkeley DB library already installed on the system, instead of using a private version. This option is not recommended; enabling it may result in incompatibility with key databases originating on other systems.
--with-netlib=LIBS
Use the resolver library specified in LIBS. Use this variable if the C library resolver is insufficient or broken.
--with-hesiod=path
Compile with Hesiod support. The path points to the Hesiod directory. By default Hesiod is unsupported.
--with-ldap
Compile OpenLDAP database backend module.
--with-lmdb
Compile LMDB database backend module.
--with-tcl=path
Specifies that path is the location of a Tcl installation. Tcl is needed for some of the tests run by ‘make check’; such tests will be skipped if this option is not set.
--with-vague-errors
Do not send helpful error messages to clients. Use this if the KDC should return only vague error codes to clients.
--with-crypto-impl=IMPL
Use the specified crypto implementation (e.g., --with-crypto-impl=openssl). The default is builtin, the native MIT Kerberos implementation. The other currently implemented crypto backend is openssl. (See MIT Kerberos features)
--with-prng-alg=ALG
Use specified PRNG algorithm. For example, to use the OS native prng specify --with-prng-alg=os. The default is fortuna. (See MIT Kerberos features)
--without-libedit
Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if libedit is disabled.
--with-readline
Compile and link against GNU readline, as an alternative to libedit. Building with readline breaks the dejagnu test suite, which is a subset of the tests run by ‘make check’.
--with-system-verto

Use an installed version of libverto. If the libverto header and library are not in default locations, you may wish to specify CPPFLAGS=-I/some/dir and LDFLAGS=-L/some/other/dir options at configuration time as well.

If this option is not given, the build system will try to detect an installed version of libverto and use it if it is found. Otherwise, a version supplied with the Kerberos sources will be built and installed. The built-in version does not contain the full set of back-end modules and is not a suitable general replacement for the upstream version, but will work for the purposes of Kerberos.

Specifying --without-system-verto will cause the built-in version of libverto to be used unconditionally.

--with-krb5-config=PATH
Use the krb5-config program at PATH to obtain the build-time default credential cache, keytab, and client keytab names. The default is to use krb5-config from the program path. Specify --without-krb5-config to disable the use of krb5-config and use the usual built-in defaults.
--without-keyutils
Build without libkeyutils support. This disables the KEYRING credential cache type.

Examples

For example, in order to configure Kerberos on a Solaris machine using the suncc compiler with the optimizer turned on, run the configure script with the following options:

% ./configure CC=suncc CFLAGS=-O

For a slightly more complicated example, consider a system where several packages to be used by Kerberos are installed in /usr/foobar, including Berkeley DB 3.3, and an ss library that needs to link against the curses library. The configuration of Kerberos might be done thus:

./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
--with-system-et --with-system-ss --with-system-db  \
SS_LIB='-lss -lcurses'  DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3

Resources

Mailing lists

  • kerberos@mit.edu is a community resource for discussion and questions about MIT krb5 and other Kerberos implementations. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/kerberos.
  • krbdev@mit.edu is the primary list for developers of MIT Kerberos. To subscribe to the list, please follow the instructions at https://mailman.mit.edu/mailman/listinfo/krbdev.
  • krb5-bugs@mit.edu is notified when a ticket is created or updated. This list helps track bugs and feature requests. In addition, this list is used to track documentation criticism and recommendations for improvements.
  • krbcore@mit.edu is a private list for the MIT krb5 core team. Send mail to this list if you need to contact the core team.
  • krbcore-security@mit.edu is the point of contact for security problems with MIT Kerberos. Please use PGP-encrypted mail to report possible vulnerabilities to this list.

IRC channels

The IRC channel #kerberos on libera.chat is a community resource for general Kerberos discussion and support.

The main IRC channel for MIT Kerberos development is #krbdev on Libera Chat.

For more information about Libera Chat, see https://libera.chat/.

Archives

Wiki

The wiki at https://k5wiki.kerberos.org/ contains useful information for developers working on the MIT Kerberos source code. Some of the information on the wiki may be useful for advanced users or system administrators.

Web pages


MIT Kerberos features

https://web.mit.edu/kerberos

Quick facts

License - MIT Kerberos License information

Releases:
Supported platforms / OS distributions:
  • Windows (KfW 4.0): Windows 7, Vista, XP
  • Solaris: SPARC, x86_64/x86
  • GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
  • BSD: NetBSD x86_64/x86
Crypto backends:

Database backends: LDAP, DB2, LMDB

krb4 support: Kerberos 5 release < 1.8

DES support: Kerberos 5 release < 1.18 (See Retiring DES)

Interoperability

Microsoft

Starting from release 1.7:

  • Follow client principal referrals in the client library when obtaining initial tickets.
  • KDC can issue realm referrals for service principals based on domain names.
  • Extensions supporting DCE RPC, including three-leg GSS context setup and unencapsulated GSS tokens inside SPNEGO.
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is similar to the equivalent SSPI functionality. This is needed to support some instances of DCE RPC.
  • NTLM recognition support in GSS-API, to facilitate dropping in an NTLM implementation for improved compatibility with older releases of Microsoft Windows.
  • KDC support for principal aliases, if the back end supports them. Currently, only the LDAP back end supports aliases.
  • Support Microsoft set/change password (RFC 3244) protocol in kadmind.
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which allows a GSS application to request credential delegation only if permitted by KDC policy.

Starting from release 1.8:

  • Microsoft Services for User (S4U) compatibility

Heimdal

  • Support for KCM credential cache starting from release 1.13

Feature list

For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects

Release 1.7
Release 1.8
Release 1.9
  • Advance warning on password expiry
  • Camellia encryption (CTS-CMAC mode) RFC 6803
  • KDC support for SecurID preauthentication
  • kadmin over IPv6
  • Trace logging
  • GSSAPI/KRB5 multi-realm support
  • Plugin to test password quality Password quality interface (pwqual)
  • Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)
  • Parallel KDC
  • GSS-API extensions for SASL GS2 bridge RFC 5801 RFC 5587
  • Purging old keys
  • Naming extensions for delegation chain
  • Password expiration API
  • Windows client support (build-only)
  • IPv6 support in iprop
Release 1.10
Release 1.11
  • Client support for FAST OTP RFC 6560
  • GSS-API extensions for credential locations
  • Responder mechanism
Release 1.12

Release 1.13

  • Add support for accessing KDCs via an HTTPS proxy server using the MS-KKDCP protocol.
  • Add support for hierarchical incremental propagation, where replicas can act as intermediates between an upstream primary and other downstream replicas.
  • Add support for configuring GSS mechanisms using /etc/gss/mech.d/*.conf files in addition to /etc/gss/mech.
  • Add support to the LDAP KDB module for binding to the LDAP server using SASL.
  • The KDC listens for TCP connections by default.
  • Fix a minor key disclosure vulnerability where using the “keepold” option to the kadmin randkey operation could return the old keys. [CVE-2014-5351]
  • Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type.
  • When built on macOS 10.7 and higher, use “KCM:” as the default cachetype, unless overridden by command-line options or krb5-config values.
  • Add support for doing unlocked database dumps for the DB2 KDC back end, which would allow the KDC and kadmind to continue accessing the database during lengthy database dumps.

Release 1.14

  • Administrator experience
    • Add a new kdb5_util tabdump command to provide reporting-friendly tabular dump formats (tab-separated or CSV) for the KDC database. Unlike the normal dump format, each output table has a fixed number of fields. Some tables include human-readable forms of data that are opaque in ordinary dump files. This format is also suitable for importing into relational databases for complex queries.
    • Add support to kadmin and kadmin.local for specifying a single command line following any global options, where the command arguments are split by the shell, for example, “kadmin getprinc principalname”. Commands issued this way do not prompt for confirmation or display warning messages, and exit with non-zero status if the operation fails.
    • Accept the same principal flag names in kadmin as we do for the default_principal_flags kdc.conf variable, and vice versa. Also accept flag specifiers in the form that kadmin prints, as well as hexadecimal numbers.
    • Remove the triple-DES and RC4 encryption types from the default value of supported_enctypes, which determines the default key and salt types for new password-derived keys. By default, keys will be created only for AES128 and AES256. This mitigates some types of password guessing attacks.
    • Add support for directory names in the KRB5_CONFIG and KRB5_KDC_PROFILE environment variables.
    • Add support for authentication indicators, which are ticket annotations to indicate the strength of the initial authentication. Add support for the “require_auth” string attribute, which can be set on server principal entries to require an indicator when authenticating to the server.
    • Add support for key version numbers larger than 255 in keytab files, and for version numbers up to 65535 in KDC databases.
    • Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC during pre-authentication, corresponding to the client’s most preferred encryption type.
    • Add support for server name identification (SNI) when proxying KDC requests over HTTPS.
    • Add support for the err_fmt profile parameter, which can be used to generate custom-formatted error messages.
  • Developer experience:
    • Change gss_acquire_cred_with_password() to acquire credentials into a private memory credential cache. Applications can use gss_store_cred() to make the resulting credentials visible to other processes.
    • Change gss_acquire_cred() and SPNEGO not to acquire credentials for IAKERB or for non-standard variants of the krb5 mechanism OID unless explicitly requested. (SPNEGO will still accept the Microsoft variant of the krb5 mechanism OID during negotiation.)
    • Change gss_accept_sec_context() not to accept tokens for IAKERB or for non-standard variants of the krb5 mechanism OID unless an acceptor credential is acquired for those mechanisms.
    • Change gss_acquire_cred() to immediately resolve credentials if the time_rec parameter is not NULL, so that a correct expiration time can be returned. Normally credential resolution is delayed until the target name is known.
    • Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, which can be used by plugin modules or applications to add prefixes to existing detailed error messages.
    • Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which implement the RFC 6113 PRF+ operation and key derivation using PRF+.
    • Add support for pre-authentication mechanisms which use multiple round trips, using the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth interface; these callbacks can be used to save marshalled state information in an encrypted cookie for the next request.
    • Add a client_key() callback to the kdcpreauth interface to retrieve the chosen client key, corresponding to the ETYPE-INFO2 entry sent by the KDC.
    • Add an add_auth_indicator() callback to the kdcpreauth interface, allowing pre-authentication modules to assert authentication indicators.
    • Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to suppress sending the confidentiality and integrity flags in GSS initiator tokens unless they are requested by the caller. These flags control the negotiated SASL security layer for the Microsoft GSS-SPNEGO SASL mechanism.
    • Make the FILE credential cache implementation less prone to corruption issues in multi-threaded programs, especially on platforms with support for open file description locks.
  • Performance:
    • On replica KDCs, poll the primary KDC immediately after processing a full resync, and do not require two full resyncs after the primary KDC’s log file is reset.

Release 1.15

  • Administrator experience:
    • Add support to kadmin for remote extraction of current keys without changing them (requires a special kadmin permission that is excluded from the wildcard permission), with the exception of highly protected keys.
    • Add a lockdown_keys principal attribute to prevent retrieval of the principal’s keys (old or new) via the kadmin protocol. In newly created databases, this attribute is set on the krbtgt and kadmin principals.
    • Restore recursive dump capability for DB2 back end, so sites can more easily recover from database corruption resulting from power failure events.
    • Add DNS auto-discovery of KDC and kpasswd servers from URI records, in addition to SRV records. URI records can convey TCP and UDP servers and primary KDC status in a single DNS lookup, and can also point to HTTPS proxy servers.
    • Add support for password history to the LDAP back end.
    • Add support for principal renaming to the LDAP back end.
    • Use the getrandom system call on supported Linux kernels to avoid blocking problems when getting entropy from the operating system.
  • Code quality:
    • Clean up numerous compilation warnings.
    • Remove various infrequently built modules, including some preauth modules that were not built by default.
  • Developer experience:
    • Add support for building with OpenSSL 1.1.
    • Use SHA-256 instead of MD5 for (non-cryptographic) hashing of authenticators in the replay cache. This helps sites that must build with FIPS 140 conformant libraries that lack MD5.
  • Protocol evolution:
    • Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements.

Release 1.16

  • Administrator experience:
    • The KDC can match PKINIT client certificates against the “pkinit_cert_match” string attribute on the client principal entry, using the same syntax as the existing “pkinit_cert_match” profile option.
    • The ktutil addent command supports the “-k 0” option to ignore the key version, and the “-s” option to use a non-default salt string.
    • kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode.
    • The “encrypted_challenge_indicator” realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication.
    • Localization support can be disabled at build time with the --disable-nls configure option.
  • Developer experience:
    • The kdcpolicy pluggable interface allows modules to control whether tickets are issued by the KDC.
    • The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request.
    • The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals.
    • KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request.
    • GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid().
    • GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid().
    • kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization.
  • Protocol evolution:
    • The client library will continue to try pre-authentication mechanisms after most failure conditions.
    • The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts.
    • The client library will use a random nonce for TGS requests instead of the current system time.
    • For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported).
    • When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization.
  • User experience:
    • Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106.
    • Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname.
    • Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times.
    • A German translation has been added.
  • Code quality:
    • The build is warning-clean under clang with the configured warning options.
    • The automated test suite runs cleanly under AddressSanitizer.

Release 1.17

  • Administrator experience:
    • A new Kerberos database module using the Lightning Memory-Mapped Database library (LMDB) has been added. The LMDB KDB module should be more performant and more robust than the DB2 module, and may become the default module for new databases in a future release.
    • “kdb5_util dump” will no longer dump policy entries when specific principal names are requested.
  • Developer experience:
    • The new krb5_get_etype_info() API can be used to retrieve enctype, salt, and string-to-key parameters from the KDC for a client principal.
    • The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise principal names to be used with GSS-API functions.
    • KDC and kadmind modules which call com_err() will now write to the log file in a format more consistent with other log messages.
    • Programs which use large numbers of memory credential caches should perform better.
  • Protocol evolution:
    • The SPAKE pre-authentication mechanism is now supported. This mechanism protects against password dictionary attacks without requiring any additional infrastructure such as certificates. SPAKE is enabled by default on clients, but must be manually enabled on the KDC for this release.
    • PKINIT freshness tokens are now supported. Freshness tokens can protect against scenarios where an attacker uses temporary access to a smart card to generate authentication requests for the future.
    • Password change operations now prefer TCP over UDP, to avoid spurious error messages about replays when a response packet is dropped.
    • The KDC now supports cross-realm S4U2Self requests when used with a third-party KDB module such as Samba’s. The client code for cross-realm S4U2Self requests is also now more robust.
  • User experience:
    • The new ktutil addent -f flag can be used to fetch salt information from the KDC for password-based keys.
    • The new kdestroy -p option can be used to destroy a credential cache within a collection by client principal name.
    • The Kerberos man page has been restored, and documents the environment variables that affect programs using the Kerberos library.
  • Code quality:
    • Python test scripts now use Python 3.
    • Python test scripts now display markers in verbose output, making it easier to find where a failure occurred within the scripts.
    • The Windows build system has been simplified and updated to work with more recent versions of Visual Studio. A large volume of unused Windows-specific code has been removed. Visual Studio 2013 or later is now required.

Release 1.18

  • Administrator experience:
    • Remove support for single-DES encryption types.
    • Change the replay cache format to be more efficient and robust. Replay cache filenames using the new format end with .rcache2 by default.
    • setuid programs will automatically ignore environment variables that normally affect krb5 API functions, even if the caller does not use krb5_init_secure_context().
    • Add an enforce_ok_as_delegate krb5.conf relation to disable credential forwarding during GSSAPI authentication unless the KDC sets the ok-as-delegate bit in the service ticket.
  • Developer experience:
    • Implement krb5_cc_remove_cred() for all credential cache types.
    • Add the krb5_pac_get_client_info() API to get the client account name from a PAC.
  • Protocol evolution:
    • Add KDC support for S4U2Self requests where the user is identified by X.509 certificate. (Requires support for certificate lookup from a third-party KDB module.)
    • Remove support for an old (“draft 9”) variant of PKINIT.
    • Add support for Microsoft NegoEx. (Requires one or more third-party GSS modules implementing NegoEx mechanisms.)
  • User experience:
    • Add support for dns_canonicalize_hostname=fallback, causing host-based principal names to be tried first without DNS canonicalization, and again with DNS canonicalization if the un-canonicalized server is not found.
    • Expand single-component hostnames in host-based principal names when DNS canonicalization is not used, adding the system’s first DNS search path as a suffix. Add a qualify_shortname krb5.conf relation to override this suffix or disable expansion.
  • Code quality:
    • The libkrb5 serialization code (used to export and import krb5 GSS security contexts) has been simplified and made type-safe.
    • The libkrb5 code for creating KRB-PRIV, KRB-SAFE, and KRB-CRED messages has been revised to conform to current coding practices.
    • The test suite has been modified to work with macOS System Integrity Protection enabled.
    • The test suite incorporates soft-pkcs11 so that PKINIT PKCS11 support can always be tested.

Release 1.19

  • Administrator experience:
    • When a client keytab is present, the GSSAPI krb5 mech will refresh credentials even if the current credentials were acquired manually.
    • It is now harder to accidentally delete the K/M entry from a KDB.
  • Developer experience:
    • gss_acquire_cred_from() now supports the “password” and “verify” options, allowing credentials to be acquired via password and verified using a keytab key.
    • When an application accepts a GSS security context, the new GSS_C_CHANNEL_BOUND_FLAG will be set if the initiator and acceptor both provided matching channel bindings.
    • Added the GSS_KRB5_NT_X509_CERT name type, allowing S4U2Self requests to identify the desired client principal by certificate.
    • PKINIT certauth modules can now cause the hw-authent flag to be set in issued tickets.
    • The krb5_init_creds_step() API will now issue the same password expiration warnings as krb5_get_init_creds_password().
  • Protocol evolution:
    • Added client and KDC support for Microsoft’s Resource-Based Constrained Delegation, which allows cross-realm S4U2Proxy requests. A third-party database module is required for KDC support.
    • kadmin/admin is now the preferred server principal name for kadmin connections, and the host-based form is no longer created by default. The client will still try the host-based form as a fallback.
    • Added client and server support for Microsoft’s KERB_AP_OPTIONS_CBT extension, which causes channel bindings to be required for the initiator if the acceptor provided them. The client will send this option if the client_aware_gss_bindings profile option is set.

  • User experience:
    • The default setting of dns_canonicalize_hostname is now “fallback”. Hostnames provided from applications will be tried in principal names as given (possibly with shortname qualification), falling back to the canonicalized name.
    • kinit will now issue a warning if the des3-cbc-sha1 encryption type is used in the reply. This encryption type will be deprecated and removed in future releases.
    • Added kvno flags --out-cache, --no-store, and --cached-only (inspired by Heimdal’s kgetcred).
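The 1.18 notes on dns_canonicalize_hostname=fallback and shortname qualification, together with the 1.19 change of the default to “fallback”, describe an ordering rule for the host names a client puts into a host-based service principal. The block below is an added illustration of that rule, not code from libkrb5: the resolver is replaced by a dictionary standing in for what DNS canonicalization would return, and lowercasing, trailing-dot removal and the use of the name as given when canonicalization fails are my assumptions about libkrb5's behaviour. The point worth seeing is the difference between the modes: with "true", whoever answers DNS decides which service principal the client authenticates to; with "fallback", the name the application supplied is tried first.

```python
VALID_MODES = ("true", "false", "fallback")


def sname_candidates(hostname, mode, search_domain, canonical_names):
    """Host names to try, in order, in a host-based principal.

    mode            : dns_canonicalize_hostname: "true", "false" or "fallback"
    search_domain   : suffix for shortname qualification (the documented
                      default is the first DNS search path); None disables
                      it, as setting qualify_shortname to the empty string does
    canonical_names : dict standing in for the resolver's canonical names,
                      so the function runs offline
    """
    if mode not in VALID_MODES:
        raise ValueError("bad dns_canonicalize_hostname value: %r" % mode)
    # Assumption: libkrb5 lowercases the name and drops a trailing dot.
    name = hostname.rstrip(".").lower()
    # Shortname qualification only applies when canonicalization is not used.
    qualified = name
    if "." not in name and search_domain:
        qualified = "%s.%s" % (name, search_domain.lower())
    canonical = canonical_names.get(name) or canonical_names.get(qualified)
    canonical = canonical.lower() if canonical else None
    if mode == "false":
        return [qualified]
    if mode == "true":
        # Assumption: a failed canonicalization falls back to the name as given.
        return [canonical or name]
    # "fallback": the name as given (qualified) first, then the DNS name.
    candidates = [qualified]
    if canonical and canonical != qualified:
        candidates.append(canonical)
    return candidates


def host_principals(service, hostname, realm, mode, search_domain, canonical_names):
    """Full service principal names, in the order a client would try them."""
    return ["%s/%s@%s" % (service, h, realm)
            for h in sname_candidates(hostname, mode, search_domain, canonical_names)]


if __name__ == "__main__":
    # Constructed stand-in for DNS: a CNAME from web to web01 (not a real zone).
    dns = {"web": "web01.corp.example.com",
           "web.corp.example.com": "web01.corp.example.com"}
    for mode in VALID_MODES:
        print(mode, host_principals("host", "web", "CORP.EXAMPLE.COM",
                                    mode, "corp.example.com", dns))
```

With the constructed DNS table, "true" yields only host/web01.corp.example.com, "false" yields only host/web.corp.example.com, and "fallback" tries the qualified name first and the DNS name second; a service keyed under the application-supplied name therefore keeps working in "fallback" even if DNS is wrong or hostile.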

Pre-authentication mechanisms

PRNG


klist

SYNOPSIS

klist [-e] [[-c] [-l] [-A] [-f] [-s] [-a [-n]]] [-C] [-k [-i] [-t] [-K]] [-V] [-d] [cache_name|keytab_name]

DESCRIPTION

klist lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a keytab file.

OPTIONS

-e
Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file.
-l
If a cache collection is available, displays a table summarizing the caches present in the collection.
-A
If a cache collection is available, displays the contents of all of the caches in the collection.
-c
List tickets held in a credentials cache. This is the default if neither -c nor -k is specified.
-f

Shows the flags present in the credentials, using the following abbreviations:

F    Forwardable
f    forwarded
P    Proxiable
p    proxy
D    postDateable
d    postdated
R    Renewable
I    Initial
i    invalid
H    Hardware authenticated
A    preAuthenticated
T    Transit policy checked
O    Okay as delegate
a    anonymous
-s
Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise.
-a
Display list of addresses in credentials.
-n
Show numeric addresses instead of reverse-resolving addresses.
-C
List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed.
-k
List keys held in a keytab file.
-i
In combination with -k, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given.
-t
Display the time entry timestamps for each keytab entry in the keytab file.
-K
Display the value of the encryption key in each keytab entry in the keytab file.
-d
Display the authdata types (if any) for each entry.
-V
Display the Kerberos version number and exit.

If cache_name or keytab_name is not specified, klist will display the credentials in the default credentials cache or keytab file as appropriate. If the KRB5CCNAME environment variable is set, its value is used to locate the default ticket cache.
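The flag letters above are terse, and klist output is meant for people rather than programs. A common need is to check a cache from a script, for example to warn when the TGT is forwardable (client programs may then delegate a copy of it to remote hosts) or when a postdated ticket still carries the invalid flag. The Python below is an added example, not part of this documentation or of the krb5 code: it parses a constructed klist -f listing (the timestamp format is assumed to be the %m/%d/%y %H:%M:%S form, which varies by locale) and reports such findings.

```python
import re
from datetime import datetime

# Flag letters printed by "klist -f", as listed in OPTIONS above.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate",
    "a": "anonymous",
}

# Constructed sample of "klist -f" output (not captured from a real system).
# Timestamps are assumed to be in the %m/%d/%y %H:%M:%S form; adjust
# TIME_FORMAT if your locale prints them differently.
TIME_FORMAT = "%m/%d/%y %H:%M:%S"
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1984
Default principal: jqpublic@USC.EDU

Valid starting     Expires            Service principal
01/02/24 09:00:00  01/02/24 19:00:00  krbtgt/USC.EDU@USC.EDU
\trenew until 01/09/24 09:00:00, Flags: FRIA
01/02/24 09:05:12  01/02/24 19:00:00  host/nii.isi.edu@ISI.EDU
\tFlags: FAT
01/02/24 09:10:00  01/03/24 09:10:00  krbtgt/USC.EDU@USC.EDU
\tFlags: diA
"""

# A ticket line: two timestamps (each "date time") followed by the service.
TICKET_RE = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+)$")
FLAGS_RE = re.compile(r"Flags: ([A-Za-z]+)")
RENEW_RE = re.compile(r"renew until (\S+ [^\s,]+)")


def decode_flags(letters):
    """Expand a flags string such as 'FRIA' into the set of flag names."""
    unknown = set(letters) - set(KLIST_FLAGS)
    if unknown:
        raise ValueError("unknown klist flag letters: %s" % "".join(sorted(unknown)))
    return {KLIST_FLAGS[c] for c in letters}


def parse_klist(text):
    """Parse klist -f output into (default_principal, [credential dicts])."""
    default_principal = None
    creds = []
    current = None
    for line in text.splitlines():
        if line.startswith("Default principal:"):
            default_principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            current = {"valid_from": m.group(1), "expires": m.group(2),
                       "service": m.group(3), "flags": set(), "renew_until": None}
            creds.append(current)
            continue
        # Continuation lines ("renew until" and "Flags:") are indented with a tab.
        if current is not None and line.startswith("\t"):
            fm = FLAGS_RE.search(line)
            if fm:
                current["flags"] = decode_flags(fm.group(1))
            rm = RENEW_RE.search(line)
            if rm:
                current["renew_until"] = rm.group(1)
    return default_principal, creds


def audit(creds, now):
    """Return human-readable findings about the parsed credentials as of `now`."""
    findings = []
    for c in creds:
        flags = c["flags"]
        if c["service"].startswith("krbtgt/") and "forwardable" in flags:
            findings.append("forwardable TGT %s: client programs may delegate a copy of it "
                            "to remote hosts" % c["service"])
        if "invalid" in flags:
            findings.append("%s is postdated and still invalid; validate it with kinit -v "
                            "before use" % c["service"])
        if datetime.strptime(c["expires"], TIME_FORMAT) <= now:
            findings.append("%s expired at %s" % (c["service"], c["expires"]))
    return findings


if __name__ == "__main__":
    principal, creds = parse_klist(SAMPLE)
    print("principal:", principal)
    for finding in audit(creds, datetime(2024, 1, 2, 12, 0, 0)):
        print("-", finding)
```

To run it against a live cache, feed the output of klist -f to parse_klist and pass datetime.now() to audit; the continuation-line layout (renew until on the same line as Flags when the ticket is renewable) follows what klist prints, but the date format is the one assumption to check on your system.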

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

FILES

DEFCCNAME
Default location of Kerberos 5 credentials cache
DEFKTNAME
Default location for the local host’s keytab file.
krb5-1.19.2/doc/html/user/user_commands/ksu.html: ksu — MIT Kerberos Documentation

ksu

SYNOPSIS

ksu [ target_user ] [ -n target_principal_name ] [ -c source_cache_name ] [ -k ] [ -r time ] [ -p | -P ] [ -f | -F ] [ -l lifetime ] [ -z | -Z ] [ -q ] [ -e command [ args … ] ] [ -a [ args … ] ]

REQUIREMENTS

Must have Kerberos version 5 installed to compile ksu. Must have a Kerberos version 5 server running to use ksu.

DESCRIPTION

ksu is a Kerberized version of the su program that has two missions: one is to securely change the real and effective user ID to that of the target user, and the other is to create a new security context.

Note

For the sake of clarity, all references to and attributes of the user invoking the program will start with “source” (e.g., “source user”, “source cache”, etc.).

Likewise, all references to and attributes of the target account will start with “target”.

AUTHENTICATION

To fulfill the first mission, ksu operates in two phases: authentication and authorization. Resolving the target principal name is the first step in authentication. The user can either specify the target principal name with the -n option (e.g., -n jqpublic@USC.EDU) or a default principal name will be assigned using the heuristic described in the OPTIONS section (see the -n option). The target user name must be the first argument to ksu; if it is not specified, root is the default. If . is specified, then the target user will be the source user (e.g., ksu .). If the source user is root or the target user is the source user, no authentication or authorization takes place. Otherwise, ksu looks for an appropriate Kerberos ticket in the source cache.

The ticket can either be for the end-server or a ticket granting ticket (TGT) for the target principal’s realm. If the ticket for the end-server is already in the cache, it’s decrypted and verified. If it’s not in the cache but the TGT is, the TGT is used to obtain the ticket for the end-server. The end-server ticket is then verified. If neither ticket is in the cache, but ksu is compiled with the GET_TGT_VIA_PASSWD define, the user will be prompted for a Kerberos password which will then be used to get a TGT. If the user is logged in remotely and does not have a secure channel, the password may be exposed. If neither ticket is in the cache and GET_TGT_VIA_PASSWD is not defined, authentication fails.

AUTHORIZATION

This section describes authorization of the source user when ksu is invoked without the -e option. For a description of the -e option, see the OPTIONS section.

Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user’s home directory, ksu attempts to access two authorization files: .k5login and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account.

For example:

jqpublic@USC.EDU
jqpublic/secure@USC.EDU
jqpublic/admin@USC.EDU

The format of .k5users is the same, except the principal name may be followed by a list of commands that the principal is authorized to execute (see the -e option in the OPTIONS section for details).

Thus if the target principal name is found in the .k5login file the source user is authorized to access the target account. Otherwise ksu looks in the .k5users file. If the target principal name is found without any trailing commands or followed only by * then the source user is authorized. If either .k5login or .k5users exist but an appropriate entry for the target principal does not exist then access is denied. If neither file exists then the principal will be granted access to the account according to the aname->lname mapping rules. Otherwise, authorization fails.

EXECUTION OF THE TARGET SHELL

Upon successful authentication and authorization, ksu proceeds in a similar fashion to su. The environment is unmodified with the exception of USER, HOME and SHELL variables. If the target user is not root, USER gets set to the target user name. Otherwise USER remains unchanged. Both HOME and SHELL are set to the target login’s default values. In addition, the environment variable KRB5CCNAME gets set to the name of the target cache. The real and effective user ID are changed to that of the target user. The target user’s shell is then invoked (the shell name is specified in the password file). Upon termination of the shell, ksu deletes the target cache (unless ksu is invoked with the -k option). This is implemented by first doing a fork and then an exec, instead of just exec, as done by su.

CREATING A NEW SECURITY CONTEXT

ksu can be used to create a new security context for the target program (either the target shell, or command specified via the -e option). The target program inherits a set of credentials from the source user. By default, this set includes all of the credentials in the source cache plus any additional credentials obtained during authentication. The source user is able to limit the credentials in this set by using -z or -Z option. -z restricts the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. The -Z option provides the target user with a fresh target cache (no creds in the cache). Note that for security reasons, when the source user is root and target user is non-root, -z option is the default mode of operation.

While no authentication takes place if the source user is root or is the same as the target user, additional tickets can still be obtained for the target cache. If -n is specified and no credentials can be copied to the target cache, the source user is prompted for a Kerberos password (unless -Z specified or GET_TGT_VIA_PASSWD is undefined). If successful, a TGT is obtained from the Kerberos server and stored in the target cache. Otherwise, if a password is not provided (user hit return) ksu continues in a normal mode of operation (the target cache will not contain the desired TGT). If the wrong password is typed in, ksu fails.

Note

During authentication, only the tickets that could be obtained without providing a password are cached in the source cache.

OPTIONS

-n target_principal_name

Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu.

If ksu is invoked without -n, a default principal name is assigned via the following heuristic:

  • Case 1: source user is non-root.

    If the target user is the source user the default principal name is set to the default principal of the source cache. If the cache does not exist then the default principal name is set to target_user@local_realm. If the source and target users are different and neither ~target_user/.k5users nor ~target_user/.k5login exist then the default principal name is target_user_login_name@local_realm. Otherwise, starting with the first principal listed below, ksu checks if the principal is authorized to access the target account and whether there is a legitimate ticket for that principal in the source cache. If both conditions are met that principal becomes the default target principal, otherwise go to the next principal.

    1. default principal of the source cache
    2. target_user@local_realm
    3. source_user@local_realm

    If 1-3 fail, try any principal for which there is a ticket in the source cache and that is authorized to access the target account. If that fails, select the first principal from the above list that is authorized to access the target account. If none are authorized and ksu is configured with PRINC_LOOK_AHEAD turned on, select the default principal as follows:

    For each candidate in the above list, select an authorized principal that has the same realm name and whose first principal name component equals the candidate's first component. For example, if candidate 1 is jqpublic@ISI.EDU and jqpublic/secure@ISI.EDU is authorized to access the target account, then the default principal is set to jqpublic/secure@ISI.EDU.

  • Case 2: source user is root.

    If the target user is non-root then the default principal name is target_user@local_realm. Else, if the source cache exists, the default principal name is set to the default principal of the source cache. If the source cache does not exist, the default principal name is set to root@local_realm.

-c source_cache_name

Specify source cache name (e.g., -c FILE:/tmp/my_cache). If -c option is not used then the name is obtained from KRB5CCNAME environment variable. If KRB5CCNAME is not defined the source cache name is set to krb5cc_<source uid>. The target cache name is automatically set to krb5cc_<target uid>.(gen_sym()), where gen_sym generates a new number such that the resulting cache does not already exist. For example:

krb5cc_1984.2
-k
Do not delete the target cache upon termination of the target shell or a command (-e command). Without -k, ksu deletes the target cache.
-z
Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the -n option if you want the tickets for a principal other than the default. Note that the -z option is mutually exclusive with the -Z option.
-Z
Don’t copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the -Z option is mutually exclusive with the -z option.
-q
Suppress the printing of status messages.

Ticket granting ticket options:

-l lifetime -r time -p -P -f -F
The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users for a Kerberos password (GET_TGT_VIA_PASSWD is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server.
-l lifetime
(Time duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead.
-r time
(Time duration string.) Specifies that the renewable option should be requested for the ticket, and specifies the desired total lifetime of the ticket.
-p
specifies that the proxiable option should be requested for the ticket.
-P
specifies that the proxiable option should not be requested for the ticket, even if the default configuration is to ask for proxiable tickets.
-f
option specifies that the forwardable option should be requested for the ticket.
-F
option specifies that the forwardable option should not be requested for the ticket, even if the default configuration is to ask for forwardable tickets.
-e command [args …]

ksu proceeds exactly the same as if it was invoked without the -e option, except instead of executing the target shell, ksu executes the specified command. Example of usage:

ksu bob -e ls -lag

The authorization algorithm for -e is as follows:

If the source user is root or source user == target user, no authorization takes place and the command is executed. If source user id != 0, and ~target_user/.k5users file does not exist, authorization fails. Otherwise, ~target_user/.k5users file must have an appropriate entry for target principal to get authorized.

The .k5users file format:

A single principal entry on each line that may be followed by a list of commands that the principal is authorized to execute. A principal name followed by a * means that the user is authorized to execute any command. Thus, in the following example:

jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
jqpublic/admin@USC.EDU

jqpublic@USC.EDU is only authorized to execute ls, mail and klist commands. jqpublic/secure@USC.EDU is authorized to execute any command. jqpublic/admin@USC.EDU is not authorized to execute any command. Note, that jqpublic/admin@USC.EDU is authorized to execute the target shell (regular ksu, without the -e option) but jqpublic@USC.EDU is not.

The commands listed after the principal name must be either full path names or just program names. In the second case, CMD_PATH, specifying the location of authorized programs, must be defined at compilation time of ksu.

Which command gets executed?

If the source user is root or the target user is the source user or the user is authorized to execute any command (* entry) then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name.

-a args

Specify arguments to be passed to the target shell. Note that all flags and parameters following -a will be passed to the shell, thus all options intended for ksu must precede -a.

The -a option can be used to simulate the -e option if used as follows:

-a -c [command [arguments]].

-c is interpreted by the c-shell to execute the command.
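The authorization rules in AUTHORIZATION and under the -e option above are spread over several paragraphs and are easy to misread, in particular that .k5login is ignored for -e and that a bare principal line in .k5users grants the shell but no command. The Python below is an added example, not ksu's own code, that models those rules as documented, using the .k5users example from this page and the CMD_PATH from the sample configuration in INSTALLATION INSTRUCTIONS as constructed inputs. The aname->lname mapping consulted when neither file exists is reduced to a caller-supplied boolean (lname_ok), since ksu obtains that answer from the library; isfile is injectable so the example runs without those programs installed.

```python
import os


def parse_k5login(lines):
    """~target/.k5login: one authorized principal per line."""
    return {line.strip() for line in lines if line.strip()}


def parse_k5users(lines):
    """~target/.k5users: principal followed by the commands it may run.
    An empty list means shell access only; ['*'] means any command."""
    table = {}
    for line in lines:
        fields = line.split()
        if fields:
            table[fields[0]] = fields[1:]
    return table


def resolve_command(name, cmd_path, isfile=os.path.isfile):
    """Map a command to a full path as the restricted (-e) case requires:
    full paths are used as given, bare program names are looked up in the
    compiled-in CMD_PATH directories, anything else (a relative path) is rejected."""
    if name.startswith("/"):
        return name
    if "/" in name:
        return None
    for directory in cmd_path:
        candidate = os.path.join(directory, name)
        if isfile(candidate):
            return candidate
    return None


def shell_authorized(principal, k5login, k5users, lname_ok):
    """ksu without -e. k5login/k5users are the parsed files, or None when the
    file does not exist. lname_ok stands in for the aname->lname mapping check,
    which applies only when neither file exists (assumed supplied by the caller)."""
    if k5login is None and k5users is None:
        return lname_ok
    if k5login is not None and principal in k5login:
        return True
    # .k5users grants the shell only for an entry with no commands or just "*".
    if k5users is not None and k5users.get(principal) in ([], ["*"]):
        return True
    return False


def command_authorized(principal, k5users, command, cmd_path, isfile=os.path.isfile):
    """ksu -e command. Only .k5users counts here. Returns the path to execute,
    or None when authorization fails."""
    if k5users is None:
        return None
    allowed = k5users.get(principal)
    if not allowed:
        return None            # principal absent, or listed with no commands
    if "*" in allowed:
        return command         # any command; a full or relative path is taken as given
    wanted = resolve_command(command, cmd_path, isfile)
    if wanted is None:
        return None
    for entry in allowed:
        if resolve_command(entry, cmd_path, isfile) == wanted:
            return wanted
    return None


def ksu_decision(source_uid, target_uid, principal, k5login, k5users,
                 command=None, cmd_path=(), isfile=os.path.isfile, lname_ok=False):
    """Top-level decision: root and same-user invocations skip authorization."""
    if source_uid == 0 or source_uid == target_uid:
        return command if command is not None else True
    if command is None:
        return shell_authorized(principal, k5login, k5users, lname_ok)
    return command_authorized(principal, k5users, command, cmd_path, isfile)


# Constructed inputs: the .k5users example from this page and the sample CMD_PATH.
K5USERS_SAMPLE = parse_k5users([
    "jqpublic@USC.EDU ls mail /local/kerberos/klist",
    "jqpublic/secure@USC.EDU *",
    "jqpublic/admin@USC.EDU",
])
CMD_PATH = ("/bin", "/usr/ucb", "/local/bin")

if __name__ == "__main__":
    present = {"/bin/ls", "/usr/ucb/mail", "/local/kerberos/klist", "/bin/cat"}
    exists = present.__contains__      # stand-in for os.path.isfile
    for princ, cmd in [("jqpublic@USC.EDU", "ls"), ("jqpublic@USC.EDU", "cat"),
                       ("jqpublic/secure@USC.EDU", "./build.sh"),
                       ("jqpublic/admin@USC.EDU", "ls")]:
        print(princ, cmd, "->", ksu_decision(1001, 1002, princ, None, K5USERS_SAMPLE,
                                             command=cmd, cmd_path=CMD_PATH, isfile=exists))
```

The point the example makes concrete: the same .k5users line admits jqpublic/admin@USC.EDU to a full shell while denying every -e command, and an entry such as ls only matches after both sides are resolved through CMD_PATH, so a command that is not found in those directories is refused even though its name appears in the file.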

INSTALLATION INSTRUCTIONS

ksu can be compiled with the following four flags:

GET_TGT_VIA_PASSWD
In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed.
PRINC_LOOK_AHEAD
During the resolution of the default principal name, PRINC_LOOK_AHEAD enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see -n option).
CMD_PATH
Specifies a list of directories containing programs that users are authorized to execute (via .k5users file).
HAVE_GETUSERSHELL
If the source user is non-root, ksu insists that the shell invoked for the target user be a “legal shell”. getusershell(3) is called to obtain the names of “legal shells”. Note that the target user’s shell is obtained from the passwd file.

Sample configuration:

KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"'

ksu should be owned by root and have the set user id bit turned on.

ksu attempts to get a ticket for the end server just as Kerberized telnet and rlogin do. Thus, there must be an entry for the server in the Kerberos database (e.g., host/nii.isi.edu@ISI.EDU). The keytab file must be in an appropriate location.

SIDE EFFECTS

ksu deletes all expired tickets from the source cache.

AUTHOR OF KSU

GENNADY (ARI) MEDVINSKY

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

SEE ALSO

kerberos, kinit

krb5-1.19.2/doc/html/user/user_commands/kpasswd.html: kpasswd — MIT Kerberos Documentation

kpasswd

SYNOPSIS

kpasswd [principal]

DESCRIPTION

The kpasswd command is used to change a Kerberos principal’s password. kpasswd first prompts for the current Kerberos password, then prompts the user twice for the new password, and the password is changed.

If the principal is governed by a policy that specifies the length and/or number of character classes required in the new password, the new password must conform to the policy. (The five character classes are lower case, upper case, numbers, punctuation, and all other characters.)

OPTIONS

principal
Change the password for the Kerberos principal principal. Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

krb5-1.19.2/doc/html/user/user_commands/kvno.html: kvno — MIT Kerberos Documentation

kvno

SYNOPSIS

kvno [-c ccache] [-e etype] [-k keytab] [-q] [-u | -S sname] [-P] [--cached-only] [--no-store] [--out-cache cache] [[{-F cert_file | {-I | -U} for_user} [-P]] | --u2u ccache] service1 service2 …

DESCRIPTION

kvno acquires a service ticket for the specified Kerberos principals and prints out the key version numbers of each.

OPTIONS

-c ccache
Specifies the name of a credentials cache to use (if not the default)
-e etype
Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations.
-k keytab
Decrypt the acquired tickets using keytab to confirm their validity.
-q
Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status.
-u
Use the unknown name type in requested service principal names. This option cannot be used with -S.
-P
Specifies that the service1 service2 … arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition.
-S sname
Specifies that the service1 service2 … arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name sname. The service hostnames will be canonicalized according to the usual rules for constructing service principals.
-I for_user
Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of for_user. If constrained delegation is not requested, the service name must match the credentials cache client principal.
-U for_user
Same as -I, but treats for_user as an enterprise name.
-F cert_file
Specifies that protocol transition is to be used, identifying the client principal with the X.509 certificate in cert_file. The certificate file must be in PEM format.
--cached-only
Only retrieve credentials already present in the cache, not from the KDC. (Added in release 1.19.)
--no-store
Do not store retrieved credentials in the cache. If --out-cache is also specified, credentials will still be stored into the output credential cache. (Added in release 1.19.)
--out-cache ccache
Initialize ccache and store all retrieved credentials into it. Do not store acquired credentials in the input cache. (Added in release 1.19.)
--u2u ccache
Requests a user-to-user ticket. ccache must contain a local krbtgt ticket for the server principal. The reported version number will typically be 0, as the resulting ticket is not encrypted in the server’s long-term key.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

FILES

DEFCCNAME
Default location of the credentials cache
krb5-1.19.2/doc/html/user/user_commands/krb5-config.html: krb5-config — MIT Kerberos Documentation

krb5-config

SYNOPSIS

krb5-config [--help | --all | --version | --vendor | --prefix | --exec-prefix | --defccname | --defktname | --defcktname | --cflags | --libs [libraries]]

DESCRIPTION

krb5-config tells the application programmer what flags to use to compile and link programs against the installed Kerberos libraries.

OPTIONS

--help
prints a usage message. This is the default behavior when no options are specified.
--all
prints the version, vendor, prefix, and exec-prefix.
--version
prints the version number of the Kerberos installation.
--vendor
prints the name of the vendor of the Kerberos installation.
--prefix
prints the prefix for which the Kerberos installation was built.
--exec-prefix
prints the prefix for executables for which the Kerberos installation was built.
--defccname
prints the built-in default credentials cache location.
--defktname
prints the built-in default keytab location.
--defcktname
prints the built-in default client (initiator) keytab location.
--cflags
prints the compilation flags used to build the Kerberos installation.
--libs [library]

prints the compiler options needed to link against library. Allowed values for library are:

krb5 Kerberos 5 applications (default)
gssapi GSSAPI applications with Kerberos 5 bindings
kadm-client Kadmin client
kadm-server Kadmin server
kdb Applications that access the Kerberos database

EXAMPLES

krb5-config is particularly useful for compiling against a Kerberos installation that was installed in a non-standard location. For example, a Kerberos installation that is installed in /opt/krb5/ but uses libraries in /usr/local/lib/ for text localization would produce the following output:

shell% krb5-config --libs krb5
-L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err

SEE ALSO

kerberos, cc(1)

krb5-1.19.2/doc/html/user/user_commands/kdestroy.html: kdestroy — MIT Kerberos Documentation

kdestroy

SYNOPSIS

kdestroy [-A] [-q] [-c cache_name] [-p princ_name]

DESCRIPTION

The kdestroy utility destroys the user’s active Kerberos authorization tickets by overwriting and deleting the credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed.

OPTIONS

-A
Destroys all caches in the collection, if a cache collection is available. May be used with the -c option to specify the collection to be destroyed.
-q
Run quietly. Normally kdestroy beeps if it fails to destroy the user’s tickets. The -q flag suppresses this behavior.
-c cache_name

Use cache_name as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used.

The default credentials cache may vary between systems. If the KRB5CCNAME environment variable is set, its value is used to name the default ticket cache.

-p princ_name
If a cache collection is available, destroy the cache for princ_name instead of the primary cache. May be used with the -c option to specify the collection to be searched.

NOTE

Most installations recommend that you place the kdestroy command in your .logout file, so that your tickets are destroyed automatically when you log out.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

FILES

DEFCCNAME
Default location of Kerberos 5 credentials cache

SEE ALSO

kinit, klist, kerberos

krb5-1.19.2/doc/html/user/user_commands/kswitch.html: kswitch — MIT Kerberos Documentation

kswitch

SYNOPSIS

kswitch {-c cachename|-p principal}

DESCRIPTION

kswitch makes the specified credential cache the primary cache for the collection, if a cache collection is available.

OPTIONS

-c cachename
Directly specifies the credential cache to be made primary.
-p principal
Causes the cache collection to be searched for a cache containing credentials for principal. If one is found, that cache is made primary.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

FILES

DEFCCNAME
Default location of Kerberos 5 credentials cache
krb5-1.19.2/doc/html/user/user_commands/sclient.html: sclient — MIT Kerberos Documentation

sclient

SYNOPSIS

sclient remotehost

DESCRIPTION

sclient is a sample application, primarily useful for testing purposes. It contacts a sample server sserver and authenticates to it using Kerberos version 5 tickets, then displays the server’s response.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

SEE ALSO

kinit, sserver, kerberos

krb5-1.19.2/doc/html/user/user_commands/kinit.html: kinit — MIT Kerberos Documentation

kinit

SYNOPSIS

kinit [-V] [-l lifetime] [-s start_time] [-r renewable_life] [-p | -P] [-f | -F] [-a] [-A] [-C] [-E] [-v] [-R] [-k [-i | -t keytab_file]] [-c cache_name] [-n] [-S service_name] [-I input_ccache] [-T armor_ccache] [-X attribute[=value]] [--request-pac | --no-request-pac] [principal]

DESCRIPTION

kinit obtains and caches an initial ticket-granting ticket for principal. If principal is absent, kinit chooses an appropriate principal name based on existing credential cache contents or the local username of the user invoking kinit. Some options modify the choice of principal name.

OPTIONS

-V
display verbose output.
-l lifetime

(Time duration string.) Requests a ticket with the lifetime lifetime.

For example, kinit -l 5:30 or kinit -l 5h30m.

If the -l option is not specified, the default ticket lifetime (configured by each site) is used. Specifying a ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime.

-s start_time

(Time duration string.) Requests a postdated ticket. Postdated tickets are issued with the invalid flag set, and need to be resubmitted to the KDC for validation before use.

start_time specifies the duration of the delay before the ticket can become valid.

-r renewable_life
(Time duration string.) Requests renewable tickets, with a total lifetime of renewable_life.
-f
requests forwardable tickets.
-F
requests non-forwardable tickets.
-p
requests proxiable tickets.
-P
requests non-proxiable tickets.
-a
requests tickets restricted to the host’s local address[es].
-A
requests tickets not restricted by address.
-C
requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested.
-E
treats the principal name as an enterprise name.
-v
requests that the ticket-granting ticket in the cache (with the invalid flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket.
-R

requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life.

Note that renewable tickets that have expired as reported by klist may sometimes be renewed using this option, because the KDC applies a grace period to account for client-KDC clock skew. See krb5.conf clockskew setting.

-k [-i | -t keytab_file]
requests a ticket, obtained from a key in the local host’s keytab. The location of the keytab may be specified with the -t keytab_file option, or with the -i option to specify the use of the default client keytab; otherwise the default keytab will be used. By default, a host ticket for the local host is requested, but any principal may be specified. On a KDC, the special keytab location KDB: can be used to indicate that kinit should open the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key.
-n

Requests anonymous processing. Two types of anonymous principals are supported.

For fully anonymous Kerberos, configure pkinit on the KDC and configure pkinit_anchors in the client’s krb5.conf. Then use the -n option with a principal of the form @REALM (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned.

A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client’s realm. For this mode, use kinit -n with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.

As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.

-I input_ccache

Specifies the name of a credentials cache that already contains a ticket. When obtaining that ticket, if information about how that ticket was obtained was also stored to the cache, that information will be used to affect how new credentials are obtained, including preselecting the same methods of authenticating to the KDC.
-T armor_ccache
Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit.
-c cache_name

use cache_name as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used.

The default cache location may vary between systems. If the KRB5CCNAME environment variable is set, its value is used to locate the default cache. If a principal name is specified and the type of the default cache supports a collection (such as the DIR type), an existing cache containing credentials for the principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit.

-S service_name
specify an alternate service name to use when getting initial tickets.
-X attribute[=value]

specify a pre-authentication attribute and value to be interpreted by pre-authentication modules. The acceptable attribute and value values vary from module to module. This option may be specified multiple times to specify multiple attributes. If no value is specified, it is assumed to be “yes”.

The following attributes are recognized by the PKINIT pre-authentication mechanism:

X509_user_identity=value
specify where to find user’s X509 identity information
X509_anchors=value
specify where to find trusted X509 anchor information
flag_RSA_PROTOCOL[=yes]
specify use of RSA, rather than the default Diffie-Hellman protocol
disable_freshness[=yes]
disable sending freshness tokens (for testing purposes only)
--request-pac | --no-request-pac
mutually exclusive. If --request-pac is set, ask the KDC to include a PAC in authdata; if --no-request-pac is set, ask the KDC not to include a PAC; if neither is set, the KDC will follow its default, which is typically to include a PAC if doing so is supported.

ENVIRONMENT

See kerberos for a description of Kerberos environment variables.

FILES

DEFCCNAME
default location of Kerberos 5 credentials cache
DEFKTNAME
default location for the local host’s keytab.
.k5identity — MIT Kerberos Documentation

.k5identity

DESCRIPTION

The .k5identity file, which resides in a user’s home directory, contains a list of rules for selecting a client principal based on the server being accessed. These rules are used to choose a credential cache within the cache collection when possible.

Blank lines and lines beginning with # are ignored. Each line has the form:

principal field=value

If the server principal meets all of the field constraints, then principal is chosen as the client principal. The following fields are recognized:

realm
If the realm of the server principal is known, it is matched against value, which may be a pattern using shell wildcards. For host-based server principals, the realm will generally only be known if there is a [domain_realm] section in krb5.conf with a mapping for the hostname.
service
If the server principal is a host-based principal, its service component is matched against value, which may be a pattern using shell wildcards.
host

If the server principal is a host-based principal, its hostname component is converted to lower case and matched against value, which may be a pattern using shell wildcards.

If the server principal matches the constraints of multiple lines in the .k5identity file, the principal from the first matching line is used. If no line matches, credentials will be selected some other way, such as the realm heuristic or the current primary cache.

EXAMPLE

The following example .k5identity file selects the client principal alice@KRBTEST.COM if the server principal is within that realm, the principal alice/root@EXAMPLE.COM if the server host is within a servers subdomain, and the principal alice/mail@EXAMPLE.COM when accessing the IMAP service on mail.example.com:

alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
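The rule semantics above (first match wins, shell wildcards in values, lower-cased host matching, a realm constraint that can only be satisfied when the realm is known) are compact enough to implement in a few dozen lines. The following is an added example written for this page, not code from krb5; it uses Python's fnmatch as a stand-in for shell wildcard matching, treats a two-component principal as host-based (an assumption about shape; krb5 uses the principal's name type), reads an empty realm such as in host/x.example.com@ as "realm not known", and does not handle escaped characters in principal names.

```python
from __future__ import annotations

import fnmatch
from typing import Optional

K5IDENTITY_FIELDS = ("realm", "service", "host")


def parse_principal(name: str) -> tuple[list[str], str]:
    """Split 'primary/instance@REALM' into components and realm.

    The last '@' separates the realm; an empty realm (as in
    'host/x.example.com@') means the realm is not known.  Escaped
    characters are not handled: illustration only, not krb5's parser.
    """
    if "@" in name:
        comps, realm = name.rsplit("@", 1)
    else:
        comps, realm = name, ""
    return comps.split("/"), realm


def parse_k5identity(text: str) -> list[tuple[str, dict[str, str]]]:
    """Parse 'principal field=value ...' lines; blank and '#' lines are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        principal, *constraints = line.split()
        fields: dict[str, str] = {}
        for item in constraints:
            key, sep, value = item.partition("=")
            if not sep or key not in K5IDENTITY_FIELDS:
                raise ValueError(f"unrecognized constraint {item!r} in line {line!r}")
            fields[key] = value
        rules.append((principal, fields))  # a line with no fields matches everything
    return rules


def _constraint_matches(key: str, pattern: str, comps: list[str], realm: str) -> bool:
    # Assumption: a host-based principal is recognized by its shape, service/hostname.
    host_based = len(comps) == 2
    if key == "realm":
        # An unknown (empty) realm can never satisfy a realm constraint.
        return bool(realm) and fnmatch.fnmatchcase(realm, pattern)
    if key == "service":
        return host_based and fnmatch.fnmatchcase(comps[0], pattern)
    if key == "host":
        return host_based and fnmatch.fnmatchcase(comps[1].lower(), pattern)
    return False


def select_client_principal(rules, server_principal: str) -> Optional[str]:
    """Return the client principal of the first rule whose constraints all match,
    or None when nothing matches (the caller then falls back to other heuristics)."""
    comps, realm = parse_principal(server_principal)
    for principal, fields in rules:
        if all(_constraint_matches(k, v, comps, realm) for k, v in fields.items()):
            return principal
    return None


# The example .k5identity from this page, with a comment line added.
EXAMPLE_K5IDENTITY = """\
# rules are tried top to bottom; the first match wins
alice@KRBTEST.COM       realm=KRBTEST.COM
alice/root@EXAMPLE.COM  host=*.servers.example.com
alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
"""
RULES = parse_k5identity(EXAMPLE_K5IDENTITY)

if __name__ == "__main__":
    for server in ("imap/mail.example.com@EXAMPLE.COM",
                   "host/db1.servers.example.com@EXAMPLE.COM",
                   "host/Mail.Example.COM@"):
        print(f"{server:45s} -> {select_client_principal(RULES, server)}")
```

Note the ordering consequence: imap/mail.example.com@KRBTEST.COM is matched by the first rule (realm=KRBTEST.COM) before the third rule is ever considered, so a broad realm rule placed early shadows more specific ones below it.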

SEE ALSO

kerberos(1), krb5.conf

kerberos — MIT Kerberos Documentation

kerberos

DESCRIPTION

The Kerberos system authenticates individual users in a network environment. After authenticating yourself to Kerberos, you can use Kerberos-enabled programs without having to present passwords or certificates to those programs.

If you receive the following response from kinit:

kinit: Client not found in Kerberos database while getting initial credentials

you haven’t been registered as a Kerberos user. See your system administrator.

A Kerberos name usually contains three parts. The first is the primary, which is usually a user’s or service’s name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as root or admin. In the case of a service, the instance is the fully qualified name of the machine on which it runs; i.e. there can be an ssh service running on the machine ABC (ssh/ABC@REALM), which is different from the ssh service running on the machine XYZ (ssh/XYZ@REALM). The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. Realms are conventionally all-uppercase, and often match the end of hostnames in the realm (for instance, host01.example.com might be in realm EXAMPLE.COM).

When writing a Kerberos name, the principal name is separated from the instance (if not null) by a slash, and the realm (if not the local realm) follows, preceded by an “@” sign. The following are examples of valid Kerberos names:

david
jennifer/admin
joeuser@BLEEP.COM
cbrown/root@FUBAR.ORG

When you authenticate yourself with Kerberos you get an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as ssh. The ticket transactions are done transparently, so you don’t have to worry about their management.

Note, however, that tickets expire. Administrators may configure more privileged tickets, such as those with service or instance of root or admin, to expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day. If your login session extends beyond the time limit, you will have to re-authenticate yourself to Kerberos to get new tickets using the kinit command.

Some tickets are renewable beyond their initial lifetime. This means that kinit -R can extend their lifetime without requiring you to re-authenticate.

If you wish to delete your local tickets, use the kdestroy command.

Kerberos tickets can be forwarded. In order to forward tickets, you must request forwardable tickets when you kinit. Once you have forwardable tickets, most Kerberos programs have a command line option to forward them to the remote host. This can be useful for, e.g., running kinit on your local machine and then sshing into another to do work. Note that this should not be done on untrusted machines since they will then have your tickets.

ENVIRONMENT VARIABLES

Several environment variables affect the operation of Kerberos-enabled programs. These include:

KRB5CCNAME

Default name for the credentials cache file, in the form TYPE:residual. The type of the default cache may determine the availability of a cache collection. FILE is not a collection type; KEYRING, DIR, and KCM are.

If not set, the value of default_ccache_name from configuration files (see KRB5_CONFIG) will be used. If that is also not set, the default type is FILE, and the residual is the path /tmp/krb5cc_uid, where uid is the decimal user ID of the user.

KRB5_KTNAME
Specifies the location of the default keytab file, in the form TYPE:residual. If no type is present, the FILE type is assumed and residual is the pathname of the keytab file. If unset, DEFKTNAME will be used.
KRB5_CONFIG
Specifies the location of the Kerberos configuration file. The default is SYSCONFDIR/krb5.conf. Multiple filenames can be specified, separated by a colon; all files which are present will be read.
KRB5_KDC_PROFILE
Specifies the location of the KDC configuration file, which contains additional configuration directives for the Key Distribution Center daemon and associated programs. The default is LOCALSTATEDIR/krb5kdc/kdc.conf.
KRB5RCACHENAME
(New in release 1.18) Specifies the location of the default replay cache, in the form type:residual. The file2 type with a pathname residual specifies a replay cache file in the version-2 format in the specified location. The none type (residual is ignored) disables the replay cache. The dfl type (residual is ignored) indicates the default, which uses a file2 replay cache in a temporary directory. The default is dfl:.
KRB5RCACHETYPE
Specifies the type of the default replay cache, if KRB5RCACHENAME is unspecified. No residual can be specified, so none and dfl are the only useful types.
KRB5RCACHEDIR
Specifies the directory used by the dfl replay cache type. The default is the value of the TMPDIR environment variable, or /var/tmp if TMPDIR is not set.
KRB5_TRACE
Specifies a filename to write trace log output to. Trace logs can help illuminate decisions made internally by the Kerberos libraries. For example, env KRB5_TRACE=/dev/stderr kinit would send tracing information for kinit to /dev/stderr. The default is not to write trace log output anywhere.
KRB5_CLIENT_KTNAME
Default client keytab file name. If unset, DEFCKTNAME will be used.
KPROP_PORT
kprop port to use. Defaults to 754.
GSS_MECH_CONFIG
Specifies a filename containing GSSAPI mechanism module configuration. The default is to read SYSCONFDIR/gss/mech and files with a .conf suffix within the directory SYSCONFDIR/gss/mech.d.

Most environment variables are disabled for certain programs, such as login system programs and setuid programs, which are designed to be secure when run within an untrusted process environment.
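The resolution order for the default cache and keytab described under KRB5CCNAME and KRB5_KTNAME, together with the rule that secure (setuid or login) programs ignore the environment, can be written down as a small resolver. This is an added example for this page, not krb5 code: it assumes that a cache name without a type prefix is read as FILE (the page states that rule only for KRB5_KTNAME), treats a one-letter prefix followed by a path separator as a Windows drive letter rather than a type, and does not expand default_ccache_name parameters such as %{uid}.

```python
from __future__ import annotations

from typing import Mapping, Optional

# Cache types that provide a collection, per the KRB5CCNAME description above.
COLLECTION_TYPES = frozenset({"DIR", "KEYRING", "KCM"})


def parse_typed_name(name: str, default_type: str = "FILE") -> tuple[str, str]:
    """Split a TYPE:residual name into (type, residual).

    A name with no type prefix is treated as default_type (stated on the page
    for KRB5_KTNAME; assumed here for cache names too).  Assumption: a single
    letter before ':' followed by a path separator is a Windows drive letter,
    as in 'C:\\krb5cc', so the whole string is a FILE path.
    """
    head, sep, rest = name.partition(":")
    if not sep or not head:
        return default_type, name
    if len(head) == 1 and head.isalpha() and rest[:1] in ("/", "\\"):
        return default_type, name
    return head, rest


def default_ccache(env: Mapping[str, str], profile_default: Optional[str],
                   uid: int, secure: bool = False) -> tuple[str, str]:
    """Resolve the default credentials cache as described under KRB5CCNAME.

    profile_default is default_ccache_name from krb5.conf (None if unset).
    secure=True models a setuid or login program, which ignores the environment.
    """
    if not secure and env.get("KRB5CCNAME"):
        return parse_typed_name(env["KRB5CCNAME"])
    if profile_default:
        return parse_typed_name(profile_default)
    return "FILE", f"/tmp/krb5cc_{uid}"


def default_keytab(env: Mapping[str, str], defktname: str,
                   secure: bool = False) -> tuple[str, str]:
    """Resolve the default keytab as described under KRB5_KTNAME;
    defktname is the build-time DEFKTNAME value."""
    if not secure and env.get("KRB5_KTNAME"):
        return parse_typed_name(env["KRB5_KTNAME"])
    return parse_typed_name(defktname)


def supports_collection(cc_type: str) -> bool:
    """True if a cache of this type can hold credentials for several principals."""
    return cc_type in COLLECTION_TYPES


if __name__ == "__main__":
    import os  # os.getuid() assumes a POSIX system

    env = dict(os.environ)
    ctype, residual = default_ccache(env, None, os.getuid())
    print(f"default cache: {ctype}:{residual} (collection: {supports_collection(ctype)})")
    print("default keytab:", default_keytab(env, "FILE:/etc/krb5.keytab"))
```

The secure flag is the part worth keeping in mind when debugging: a KRB5CCNAME or KRB5_TRACE that works from an interactive shell has no effect on a setuid program, so a missing trace file there is expected behaviour rather than a sign that tracing is broken.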

BUGS

AUTHORS

Steve Miller, MIT Project Athena/Digital Equipment Corporation
Clifford Neuman, MIT Project Athena
Greg Hudson, MIT Kerberos Consortium
Robbie Harwood, Red Hat, Inc.

HISTORY

The MIT Kerberos 5 implementation was developed at MIT, with contributions from many outside parties. It is currently maintained by the MIT Kerberos Consortium.

RESTRICTIONS

Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Massachusetts Institute of Technology

.k5login — MIT Kerberos Documentation

.k5login

DESCRIPTION

The .k5login file, which resides in a user’s home directory, contains a list of Kerberos principals. Anyone with valid tickets for a principal in the file is allowed host access with the UID of the user in whose home directory the file resides. One common use is to place a .k5login file in root’s home directory, thereby granting system administrators remote root access to the host via Kerberos.

EXAMPLES

Suppose the user alice had a .k5login file in her home directory containing just the following line:

bob@FOOBAR.ORG

This would allow bob to use Kerberos network applications, such as ssh(1), to access alice’s account, using bob’s Kerberos tickets. In a default configuration (with k5login_authoritative set to true in krb5.conf), this .k5login file would not let alice use those network applications to access her account, since she is not listed! With no .k5login file, or with k5login_authoritative set to false, a default rule would permit the principal alice in the machine’s default realm to access the alice account.

Let us further suppose that alice is a system administrator. Alice and the other system administrators would have their principals in root’s .k5login file on each host:

alice@BLEEP.COM
joeadmin/root@BLEEP.COM

This would allow either system administrator to log in to these hosts using their Kerberos tickets instead of having to type the root password. Note that because bob retains the Kerberos tickets for his own principal, bob@FOOBAR.ORG, he would not have any of the privileges that require alice’s tickets, such as root access to any of the site’s hosts, or the ability to change alice’s password.

SEE ALSO

kerberos(1)

Ticket management — MIT Kerberos Documentation

Ticket management

On many systems, Kerberos is built into the login program, and you get tickets automatically when you log in. Other programs, such as ssh, can forward copies of your tickets to a remote host. Most of these programs also automatically destroy your tickets when they exit. However, MIT recommends that you explicitly destroy your Kerberos tickets when you are through with them, just to be sure. One way to help ensure that this happens is to add the kdestroy command to your .logout file. Additionally, if you are going to be away from your machine and are concerned about an intruder using your permissions, it is safest to either destroy all copies of your tickets, or use a screensaver that locks the screen.

Kerberos ticket properties

There are various properties that Kerberos tickets can have:

If a ticket is forwardable, then the KDC can issue a new ticket (with a different network address, if necessary) based on the forwardable ticket. This allows for authentication forwarding without requiring a password to be typed in again. For example, if a user with a forwardable TGT logs into a remote system, the KDC could issue a new TGT for that user with the network address of the remote system, allowing authentication on that host to work as though the user were logged in locally.

When the KDC creates a new ticket based on a forwardable ticket, it sets the forwarded flag on that new ticket. Any tickets that are created based on a ticket with the forwarded flag set will also have their forwarded flags set.

A proxiable ticket is similar to a forwardable ticket in that it allows a service to take on the identity of the client. Unlike a forwardable ticket, however, a proxiable ticket is only issued for specific services. In other words, a ticket-granting ticket cannot be issued based on a ticket that is proxiable but not forwardable.

A proxy ticket is one that was issued based on a proxiable ticket.

A postdated ticket is issued with the invalid flag set. After the starting time listed on the ticket, it can be presented to the KDC to obtain valid tickets.

Ticket-granting tickets with the postdateable flag set can be used to obtain postdated service tickets.

Renewable tickets can be used to obtain new session keys without the user entering their password again. A renewable ticket has two expiration times. The first is the time at which this particular ticket expires. The second is the latest possible expiration time for any ticket issued based on this renewable ticket.

A ticket with the initial flag set was issued based on the authentication protocol, and not on a ticket-granting ticket. Application servers that wish to ensure that the user’s key has been recently presented for verification could specify that this flag must be set to accept the ticket.

An invalid ticket must be rejected by application servers. Postdated tickets are usually issued with this flag set, and must be validated by the KDC before they can be used.

A preauthenticated ticket is one that was only issued after the client requesting the ticket had authenticated itself to the KDC.

The hardware authentication flag is set on a ticket which required the use of hardware for authentication. The hardware is expected to be possessed only by the client which requested the tickets.

If a ticket has the transit policy checked flag set, then the KDC that issued this ticket implements the transited-realm check policy and checked the transited-realms list on the ticket. The transited-realms list contains a list of all intermediate realms between the realm of the KDC that issued the first ticket and that of the one that issued the current ticket. If this flag is not set, then the application server must check the transited realms itself or else reject the ticket.

The okay as delegate flag indicates that the server specified in the ticket is suitable as a delegate as determined by the policy of that realm. Some client applications may use this flag to decide whether to forward tickets to a remote host, although many applications do not honor it.

An anonymous ticket is one in which the named principal is a generic principal for that realm; it does not actually specify the individual that will be using the ticket. This ticket is meant only to securely distribute a session key.

Obtaining tickets with kinit

If your site has integrated Kerberos V5 with the login system, you will get Kerberos tickets automatically when you log in. Otherwise, you may need to explicitly obtain your Kerberos tickets, using the kinit program. Similarly, if your Kerberos tickets expire, use the kinit program to obtain new ones.

To use the kinit program, simply type kinit and then type your password at the prompt. For example, Jennifer (whose username is jennifer) works for Bleep, Inc. (a fictitious company with the domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would type:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
shell%

If you type your password incorrectly, kinit will give you the following error message:

shell% kinit
Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
kinit: Password incorrect
shell%

and you won’t get Kerberos tickets.

By default, kinit assumes you want tickets for your own username in your default realm. Suppose Jennifer’s friend David is visiting, and he wants to borrow a window to check his mail. David needs to get tickets for himself in his own realm, EXAMPLE.COM. He would type:

shell% kinit david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

David would then have tickets which he could use to log onto his own machine. Note that he typed his password locally on Jennifer’s machine, but it never went over the network. Kerberos on the local host performed the authentication to the KDC in the other realm.

If you want to be able to forward your tickets to another host, you need to request forwardable tickets. You do this by specifying the -f option:

shell% kinit -f
Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
shell%

Note that kinit does not tell you that it obtained forwardable tickets; you can verify this using the klist command (see Viewing tickets with klist).

Normally, your tickets are good for your system’s default ticket lifetime, which is ten hours on many systems. You can specify a different ticket lifetime with the -l option. Add the letter s to the value for seconds, m for minutes, h for hours, or d for days. For example, to obtain forwardable tickets for david@EXAMPLE.COM that would be good for three hours, you would type:

shell% kinit -f -l 3h david@EXAMPLE.COM
Password for david@EXAMPLE.COM: <-- [Type david's password here.]
shell%

Note

You cannot mix units; specifying a lifetime of 3h30m would result in an error. Note also that most systems specify a maximum ticket lifetime. If you request a longer ticket lifetime, it will be automatically truncated to the maximum lifetime.

Viewing tickets with klist

The klist command shows your tickets. When you first obtain tickets, you will have only the ticket-granting ticket. The listing would look like this:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
shell%

The ticket cache is the location of your ticket file. In the above example, this file is named /tmp/krb5cc_ttypa. The default principal is your Kerberos principal.

The “valid starting” and “expires” fields describe the period of time during which the ticket is valid. The “service principal” describes each ticket. The ticket-granting ticket has a first component krbtgt, and a second component which is the realm name.

Now, if jennifer connected to the machine daffodil.mit.edu, and then typed “klist” again, she would have gotten the following result:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
shell%

Here’s what happened: when jennifer used ssh to connect to the host daffodil.mit.edu, the ssh program presented her ticket-granting ticket to the KDC and requested a host ticket for the host daffodil.mit.edu. The KDC sent the host ticket, which ssh then presented to the host daffodil.mit.edu, and she was allowed to log in without typing her password.

Suppose your Kerberos tickets allow you to log into a host in another domain, such as trillium.example.com, which is also in another Kerberos realm, EXAMPLE.COM. If you ssh to this host, you will receive a ticket-granting ticket for the realm EXAMPLE.COM, plus the new host ticket for trillium.example.com. klist will now show:

shell% klist
Ticket cache: /tmp/krb5cc_ttypa
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting     Expires            Service principal
06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
shell%

Depending on your host’s and realm’s configuration, you may also see a ticket with the service principal host/trillium.example.com@. If so, this means that your host did not know what realm trillium.example.com is in, so it asked the ATHENA.MIT.EDU KDC for a referral. The next time you connect to trillium.example.com, the odd-looking entry will be used to avoid needing to ask for a referral again.

You can use the -f option to view the flags that apply to your tickets. The flags are:

F Forwardable
f forwarded
P Proxiable
p proxy
D postDateable
d postdated
R Renewable
I Initial
i invalid
H Hardware authenticated
A preAuthenticated
T Transit policy checked
O Okay as delegate
a anonymous

Here is a sample listing. In this example, the user jennifer obtained her initial tickets (I), which are forwardable (F) and postdated (d) but not yet validated (i):

shell% klist -f
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        Flags: FdiI
shell%

In the following example, the user david’s tickets were forwarded (f) to this host from another host. The tickets are reforwardable (F):

shell% klist -f
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
shell%
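The flag letters above map directly onto the acceptance rules given under "Kerberos ticket properties": an invalid ticket must be rejected, a service that wants proof of a recent password entry can demand the initial flag, and a ticket without the transit-policy-checked flag may only be accepted if the server checks the transited realms itself. The following added example (written for this page; it is not klist or krb5 library code) parses the two klist -f listings shown above and applies those rules. Because klist does not print the transited-realms list, the server's own transited check is represented by a boolean the caller supplies; dates are kept as text because klist prints them in the local format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Flag letters as printed by klist -f, from the table above.
FLAG_NAMES = {
    "F": "forwardable", "f": "forwarded",
    "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated",
    "R": "renewable", "I": "initial", "i": "invalid",
    "H": "hw_authent", "A": "pre_authent",
    "T": "transit_policy_checked", "O": "ok_as_delegate",
    "a": "anonymous",
}

_ROW = re.compile(r"^\s*(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                  r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
_FLAGS = re.compile(r"^\s*Flags:\s*(\S*)\s*$")


@dataclass
class Ticket:
    start: str      # kept as text: klist prints dates in the local format
    expires: str
    service: str
    flags: frozenset[str] = frozenset()


def parse_flags(letters: str) -> frozenset[str]:
    unknown = set(letters) - FLAG_NAMES.keys()
    if unknown:
        raise ValueError(f"unknown klist flag letter(s): {sorted(unknown)}")
    return frozenset(FLAG_NAMES[c] for c in letters)


def parse_klist(output: str) -> list[Ticket]:
    """Collect the ticket rows of klist -f output and attach each 'Flags:' line."""
    tickets: list[Ticket] = []
    for line in output.splitlines():
        row = _ROW.match(line)
        if row:
            tickets.append(Ticket(*row.groups()))
            continue
        fl = _FLAGS.match(line)
        if fl and tickets:
            tickets[-1].flags = parse_flags(fl.group(1))
    return tickets


def server_accepts(t: Ticket, require_initial: bool = False,
                   transited_verified: bool = False) -> tuple[bool, str]:
    """Apply the acceptance rules from 'Kerberos ticket properties'.

    transited_verified: whether this server checked the transited-realms list
    itself (klist does not show the list, so the caller supplies the result).
    """
    if "invalid" in t.flags:
        return False, "invalid: must be validated by the KDC before use"
    if require_initial and "initial" not in t.flags:
        return False, "service requires a ticket obtained with the client's key"
    if "transit_policy_checked" not in t.flags and not transited_verified:
        return False, "KDC did not check transited realms and neither did the server"
    return True, "accepted"


def client_may_forward(t: Ticket, honor_ok_as_delegate: bool = True) -> bool:
    """Forwarding needs a forwardable ticket; a careful client also wants ok-as-delegate."""
    if "forwardable" not in t.flags:
        return False
    return "ok_as_delegate" in t.flags or not honor_ok_as_delegate


# The two klist -f listings shown above.
JENNIFER_KLIST = """\
Ticket cache: /tmp/krb5cc_320
Default principal: jennifer@ATHENA.MIT.EDU

Valid starting      Expires             Service principal
31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
        Flags: FdiI
"""
DAVID_KLIST = """\
Ticket cache: /tmp/krb5cc_p11795
Default principal: david@EXAMPLE.COM

Valid starting     Expires            Service principal
07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: Ff
07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
        Flags: Ff
"""

if __name__ == "__main__":
    for t in parse_klist(JENNIFER_KLIST) + parse_klist(DAVID_KLIST):
        ok, why = server_accepts(t)
        print(f"{t.service:40s} {''.join(sorted(t.flags))!s:0s} -> {ok}: {why}")
```

Run against the listings, jennifer's postdated TGT is refused outright because it is still invalid, and david's forwarded tickets are refused until the server vouches for its own transited check; david's TGT is forwardable but lacks the okay-as-delegate flag, so a client that honours that flag will not forward it onward.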

Destroying tickets with kdestroy

Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen if someone gains access to a computer where they are stored. If this happens, the person who has them can masquerade as you until they expire. For this reason, you should destroy your Kerberos tickets when you are away from your computer.

Destroying your tickets is easy. Simply type kdestroy:

shell% kdestroy
shell%

If kdestroy fails to destroy your tickets, it will beep and give an error message. For example, if kdestroy can’t find any tickets to destroy, it will give the following message:

shell% kdestroy
kdestroy: No credentials cache file found while destroying cache
shell%
Password management — MIT Kerberos Documentation

Password management

Your password is the only way Kerberos has of verifying your identity. If someone finds out your password, that person can masquerade as you—send email that comes from you, read, edit, or delete your files, or log into other hosts as you—and no one will be able to tell the difference. For this reason, it is important that you choose a good password, and keep it secret. If you need to give access to your account to someone else, you can do so through Kerberos (see Granting access to your account). You should never tell your password to anyone, including your system administrator, for any reason. You should change your password frequently, particularly any time you think someone may have found out what it is.

Changing your password

To change your Kerberos password, use the kpasswd command. It will ask you for your old password (to prevent someone else from walking up to your computer when you’re not there and changing your password), and then prompt you for the new one twice. (The reason you have to type it twice is to make sure you have typed it correctly.) For example, user david would do the following:

shell% kpasswd
Password for david:    <- Type your old password.
Enter new password:    <- Type your new password.
Enter it again:  <- Type the new password again.
Password changed.
shell%

If david typed the incorrect old password, he would get the following message:

shell% kpasswd
Password for david:  <- Type the incorrect old password.
kpasswd: Password incorrect while getting initial ticket
shell%

If you make a mistake and don’t type the new password the same way twice, kpasswd will ask you to try again:

shell% kpasswd
Password for david:  <- Type the old password.
Enter new password:  <- Type the new password.
Enter it again: <- Type a different new password.
kpasswd: Password mismatch while reading password
shell%

Once you change your password, it takes some time for the change to propagate through the system. Depending on how your system is set up, this might be anywhere from a few minutes to an hour or more. If you need to get new Kerberos tickets shortly after changing your password, try the new password. If the new password doesn’t work, try again using the old one.

Granting access to your account

If you need to give someone access to log into your account, you can do so through Kerberos, without telling the person your password. Simply create a file called .k5login in your home directory. This file should contain the Kerberos principal of each person to whom you wish to give access. Each principal must be on a separate line. Here is a sample .k5login file:

jennifer@ATHENA.MIT.EDU
david@EXAMPLE.COM

This file would allow the users jennifer and david to use your user ID, provided that they had Kerberos tickets in their respective realms. If you will be logging into other hosts across a network, you will want to include your own Kerberos principal in your .k5login file on each of these hosts.

Using a .k5login file is much safer than giving out your password, because:

  • You can take access away any time simply by removing the principal from your .k5login file.
  • Although the user has full access to your account on one particular host (or set of hosts if your .k5login file is shared, e.g., over NFS), that user does not inherit your network privileges.
  • Kerberos keeps a log of who obtains tickets, so a system administrator could find out, if necessary, who was capable of using your user ID at a particular time.

One common application is to have a .k5login file in root’s home directory, giving root access to that machine to the Kerberos principals listed. This allows system administrators to allow users to become root locally, or to log in remotely as root, without their having to give out the root password, and without anyone having to type the root password over the network.
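The .k5login page and the "Granting access to your account" section above describe the same authorization decision from two sides: a listed principal is admitted, an authoritative .k5login admits nobody else, and with no file (or with k5login_authoritative set to false) the default rule admits the principal with the user's own name in the machine's default realm. The following is an added example written for this page, not krb5's kuserok code: it models the default rule as an exact match on user@DEFAULT_REALM (krb5 actually applies its principal-to-local-name mapping, which is broader), compares entries by exact string equality, and takes the .k5login text as an argument so it runs without touching the filesystem.

```python
from __future__ import annotations

from typing import Optional


def parse_k5login(text: str) -> list[str]:
    """One principal per line; surrounding whitespace and blank lines are ignored."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def k5login_permits(client: str, local_user: str, default_realm: str,
                    k5login: Optional[str],
                    k5login_authoritative: bool = True) -> tuple[bool, str]:
    """Decide whether the authenticated principal `client` may act as `local_user`.

    k5login is the text of ~local_user/.k5login, or None if the file does not
    exist.  Rules follow the .k5login page: listed principals are admitted; with
    k5login_authoritative the file is the only rule; otherwise, or with no file,
    the default rule admits <local_user>@<default realm> (assumption: krb5's real
    default mapping is its auth_to_local rules, which this exact match simplifies).
    """
    if k5login is not None:
        if client in parse_k5login(k5login):
            return True, "listed in .k5login"
        if k5login_authoritative:
            return False, ".k5login is authoritative and does not list the principal"
    if client == f"{local_user}@{default_realm}":
        return True, "default rule: same name in the default realm"
    return False, "no rule matched"


# The two files from the examples above.
ALICE_K5LOGIN = "bob@FOOBAR.ORG\n"
ROOT_K5LOGIN = "alice@BLEEP.COM\njoeadmin/root@BLEEP.COM\n"

if __name__ == "__main__":
    cases = [
        ("bob@FOOBAR.ORG", "alice", ALICE_K5LOGIN, True),
        ("alice@BLEEP.COM", "alice", ALICE_K5LOGIN, True),
        ("alice@BLEEP.COM", "alice", ALICE_K5LOGIN, False),
        ("alice@BLEEP.COM", "root", ROOT_K5LOGIN, True),
        ("bob@FOOBAR.ORG", "root", ROOT_K5LOGIN, True),
    ]
    for client, user, text, authoritative in cases:
        ok, why = k5login_permits(client, user, "BLEEP.COM", text, authoritative)
        print(f"{client:25s} as {user:6s} (authoritative={authoritative}): {ok} ({why})")
```

Two details are worth checking in your own deployment. Exact matching is what keeps bob@FOOBAR.ORG out of root's account even though bob is in alice's file, and it also means an entry for alice@BLEEP.COM never admits alice@BLEEP.COM.EVIL or a differently cased realm. Separately, MIT krb5's own k5login check refuses a .k5login that is not owned by the user or by root, so a file dropped in by a group-writable home directory does not grant access; this example takes the text directly and leaves that ownership check to the caller.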

Password quality verification

TODO

void 0 : obj[key]; }; }; // Helper for collection methods to determine whether a collection // should be iterated as an array or as an object // Related: http://people.mozilla.org/~jorendorff/es6-draft.html#sec-tolength // Avoids a very nasty iOS 8 JIT bug on ARM-64. #2094 var MAX_ARRAY_INDEX = Math.pow(2, 53) - 1; var getLength = property('length'); var isArrayLike = function(collection) { var length = getLength(collection); return typeof length == 'number' && length >= 0 && length <= MAX_ARRAY_INDEX; }; // Collection Functions // -------------------- // The cornerstone, an `each` implementation, aka `forEach`. // Handles raw objects in addition to array-likes. Treats all // sparse array-likes as if they were dense. _.each = _.forEach = function(obj, iteratee, context) { iteratee = optimizeCb(iteratee, context); var i, length; if (isArrayLike(obj)) { for (i = 0, length = obj.length; i < length; i++) { iteratee(obj[i], i, obj); } } else { var keys = _.keys(obj); for (i = 0, length = keys.length; i < length; i++) { iteratee(obj[keys[i]], keys[i], obj); } } return obj; }; // Return the results of applying the iteratee to each element. _.map = _.collect = function(obj, iteratee, context) { iteratee = cb(iteratee, context); var keys = !isArrayLike(obj) && _.keys(obj), length = (keys || obj).length, results = Array(length); for (var index = 0; index < length; index++) { var currentKey = keys ? keys[index] : index; results[index] = iteratee(obj[currentKey], currentKey, obj); } return results; }; // Create a reducing function iterating left or right. function createReduce(dir) { // Optimized iterator function as using arguments.length // in the main function will deoptimize the, see #1991. function iterator(obj, iteratee, memo, keys, index, length) { for (; index >= 0 && index < length; index += dir) { var currentKey = keys ? 
keys[index] : index; memo = iteratee(memo, obj[currentKey], currentKey, obj); } return memo; } return function(obj, iteratee, memo, context) { iteratee = optimizeCb(iteratee, context, 4); var keys = !isArrayLike(obj) && _.keys(obj), length = (keys || obj).length, index = dir > 0 ? 0 : length - 1; // Determine the initial value if none is provided. if (arguments.length < 3) { memo = obj[keys ? keys[index] : index]; index += dir; } return iterator(obj, iteratee, memo, keys, index, length); }; } // **Reduce** builds up a single result from a list of values, aka `inject`, // or `foldl`. _.reduce = _.foldl = _.inject = createReduce(1); // The right-associative version of reduce, also known as `foldr`. _.reduceRight = _.foldr = createReduce(-1); // Return the first value which passes a truth test. Aliased as `detect`. _.find = _.detect = function(obj, predicate, context) { var key; if (isArrayLike(obj)) { key = _.findIndex(obj, predicate, context); } else { key = _.findKey(obj, predicate, context); } if (key !== void 0 && key !== -1) return obj[key]; }; // Return all the elements that pass a truth test. // Aliased as `select`. _.filter = _.select = function(obj, predicate, context) { var results = []; predicate = cb(predicate, context); _.each(obj, function(value, index, list) { if (predicate(value, index, list)) results.push(value); }); return results; }; // Return all the elements for which a truth test fails. _.reject = function(obj, predicate, context) { return _.filter(obj, _.negate(cb(predicate)), context); }; // Determine whether all of the elements match a truth test. // Aliased as `all`. _.every = _.all = function(obj, predicate, context) { predicate = cb(predicate, context); var keys = !isArrayLike(obj) && _.keys(obj), length = (keys || obj).length; for (var index = 0; index < length; index++) { var currentKey = keys ? 
keys[index] : index; if (!predicate(obj[currentKey], currentKey, obj)) return false; } return true; }; // Determine if at least one element in the object matches a truth test. // Aliased as `any`. _.some = _.any = function(obj, predicate, context) { predicate = cb(predicate, context); var keys = !isArrayLike(obj) && _.keys(obj), length = (keys || obj).length; for (var index = 0; index < length; index++) { var currentKey = keys ? keys[index] : index; if (predicate(obj[currentKey], currentKey, obj)) return true; } return false; }; // Determine if the array or object contains a given item (using `===`). // Aliased as `includes` and `include`. _.contains = _.includes = _.include = function(obj, item, fromIndex, guard) { if (!isArrayLike(obj)) obj = _.values(obj); if (typeof fromIndex != 'number' || guard) fromIndex = 0; return _.indexOf(obj, item, fromIndex) >= 0; }; // Invoke a method (with arguments) on every item in a collection. _.invoke = function(obj, method) { var args = slice.call(arguments, 2); var isFunc = _.isFunction(method); return _.map(obj, function(value) { var func = isFunc ? method : value[method]; return func == null ? func : func.apply(value, args); }); }; // Convenience version of a common use case of `map`: fetching a property. _.pluck = function(obj, key) { return _.map(obj, _.property(key)); }; // Convenience version of a common use case of `filter`: selecting only objects // containing specific `key:value` pairs. _.where = function(obj, attrs) { return _.filter(obj, _.matcher(attrs)); }; // Convenience version of a common use case of `find`: getting the first object // containing specific `key:value` pairs. _.findWhere = function(obj, attrs) { return _.find(obj, _.matcher(attrs)); }; // Return the maximum element (or element-based computation). _.max = function(obj, iteratee, context) { var result = -Infinity, lastComputed = -Infinity, value, computed; if (iteratee == null && obj != null) { obj = isArrayLike(obj) ? 
obj : _.values(obj); for (var i = 0, length = obj.length; i < length; i++) { value = obj[i]; if (value > result) { result = value; } } } else { iteratee = cb(iteratee, context); _.each(obj, function(value, index, list) { computed = iteratee(value, index, list); if (computed > lastComputed || computed === -Infinity && result === -Infinity) { result = value; lastComputed = computed; } }); } return result; }; // Return the minimum element (or element-based computation). _.min = function(obj, iteratee, context) { var result = Infinity, lastComputed = Infinity, value, computed; if (iteratee == null && obj != null) { obj = isArrayLike(obj) ? obj : _.values(obj); for (var i = 0, length = obj.length; i < length; i++) { value = obj[i]; if (value < result) { result = value; } } } else { iteratee = cb(iteratee, context); _.each(obj, function(value, index, list) { computed = iteratee(value, index, list); if (computed < lastComputed || computed === Infinity && result === Infinity) { result = value; lastComputed = computed; } }); } return result; }; // Shuffle a collection, using the modern version of the // [Fisher-Yates shuffle](http://en.wikipedia.org/wiki/Fisher–Yates_shuffle). _.shuffle = function(obj) { var set = isArrayLike(obj) ? obj : _.values(obj); var length = set.length; var shuffled = Array(length); for (var index = 0, rand; index < length; index++) { rand = _.random(0, index); if (rand !== index) shuffled[index] = shuffled[rand]; shuffled[rand] = set[index]; } return shuffled; }; // Sample **n** random values from a collection. // If **n** is not specified, returns a single random element. // The internal `guard` argument allows it to work with `map`. _.sample = function(obj, n, guard) { if (n == null || guard) { if (!isArrayLike(obj)) obj = _.values(obj); return obj[_.random(obj.length - 1)]; } return _.shuffle(obj).slice(0, Math.max(0, n)); }; // Sort the object's values by a criterion produced by an iteratee. 
_.sortBy = function(obj, iteratee, context) { iteratee = cb(iteratee, context); return _.pluck(_.map(obj, function(value, index, list) { return { value: value, index: index, criteria: iteratee(value, index, list) }; }).sort(function(left, right) { var a = left.criteria; var b = right.criteria; if (a !== b) { if (a > b || a === void 0) return 1; if (a < b || b === void 0) return -1; } return left.index - right.index; }), 'value'); }; // An internal function used for aggregate "group by" operations. var group = function(behavior) { return function(obj, iteratee, context) { var result = {}; iteratee = cb(iteratee, context); _.each(obj, function(value, index) { var key = iteratee(value, index, obj); behavior(result, value, key); }); return result; }; }; // Groups the object's values by a criterion. Pass either a string attribute // to group by, or a function that returns the criterion. _.groupBy = group(function(result, value, key) { if (_.has(result, key)) result[key].push(value); else result[key] = [value]; }); // Indexes the object's values by a criterion, similar to `groupBy`, but for // when you know that your index values will be unique. _.indexBy = group(function(result, value, key) { result[key] = value; }); // Counts instances of an object that group by a certain criterion. Pass // either a string attribute to count by, or a function that returns the // criterion. _.countBy = group(function(result, value, key) { if (_.has(result, key)) result[key]++; else result[key] = 1; }); // Safely create a real, live array from anything iterable. _.toArray = function(obj) { if (!obj) return []; if (_.isArray(obj)) return slice.call(obj); if (isArrayLike(obj)) return _.map(obj, _.identity); return _.values(obj); }; // Return the number of elements in an object. _.size = function(obj) { if (obj == null) return 0; return isArrayLike(obj) ? 
obj.length : _.keys(obj).length; }; // Split a collection into two arrays: one whose elements all satisfy the given // predicate, and one whose elements all do not satisfy the predicate. _.partition = function(obj, predicate, context) { predicate = cb(predicate, context); var pass = [], fail = []; _.each(obj, function(value, key, obj) { (predicate(value, key, obj) ? pass : fail).push(value); }); return [pass, fail]; }; // Array Functions // --------------- // Get the first element of an array. Passing **n** will return the first N // values in the array. Aliased as `head` and `take`. The **guard** check // allows it to work with `_.map`. _.first = _.head = _.take = function(array, n, guard) { if (array == null) return void 0; if (n == null || guard) return array[0]; return _.initial(array, array.length - n); }; // Returns everything but the last entry of the array. Especially useful on // the arguments object. Passing **n** will return all the values in // the array, excluding the last N. _.initial = function(array, n, guard) { return slice.call(array, 0, Math.max(0, array.length - (n == null || guard ? 1 : n))); }; // Get the last element of an array. Passing **n** will return the last N // values in the array. _.last = function(array, n, guard) { if (array == null) return void 0; if (n == null || guard) return array[array.length - 1]; return _.rest(array, Math.max(0, array.length - n)); }; // Returns everything but the first entry of the array. Aliased as `tail` and `drop`. // Especially useful on the arguments object. Passing an **n** will return // the rest N values in the array. _.rest = _.tail = _.drop = function(array, n, guard) { return slice.call(array, n == null || guard ? 1 : n); }; // Trim out all falsy values from an array. _.compact = function(array) { return _.filter(array, _.identity); }; // Internal implementation of a recursive `flatten` function. 
var flatten = function(input, shallow, strict, startIndex) { var output = [], idx = 0; for (var i = startIndex || 0, length = getLength(input); i < length; i++) { var value = input[i]; if (isArrayLike(value) && (_.isArray(value) || _.isArguments(value))) { //flatten current level of array or arguments object if (!shallow) value = flatten(value, shallow, strict); var j = 0, len = value.length; output.length += len; while (j < len) { output[idx++] = value[j++]; } } else if (!strict) { output[idx++] = value; } } return output; }; // Flatten out an array, either recursively (by default), or just one level. _.flatten = function(array, shallow) { return flatten(array, shallow, false); }; // Return a version of the array that does not contain the specified value(s). _.without = function(array) { return _.difference(array, slice.call(arguments, 1)); }; // Produce a duplicate-free version of the array. If the array has already // been sorted, you have the option of using a faster algorithm. // Aliased as `unique`. _.uniq = _.unique = function(array, isSorted, iteratee, context) { if (!_.isBoolean(isSorted)) { context = iteratee; iteratee = isSorted; isSorted = false; } if (iteratee != null) iteratee = cb(iteratee, context); var result = []; var seen = []; for (var i = 0, length = getLength(array); i < length; i++) { var value = array[i], computed = iteratee ? iteratee(value, i, array) : value; if (isSorted) { if (!i || seen !== computed) result.push(value); seen = computed; } else if (iteratee) { if (!_.contains(seen, computed)) { seen.push(computed); result.push(value); } } else if (!_.contains(result, value)) { result.push(value); } } return result; }; // Produce an array that contains the union: each distinct element from all of // the passed-in arrays. _.union = function() { return _.uniq(flatten(arguments, true, true)); }; // Produce an array that contains every item shared between all the // passed-in arrays. 
_.intersection = function(array) { var result = []; var argsLength = arguments.length; for (var i = 0, length = getLength(array); i < length; i++) { var item = array[i]; if (_.contains(result, item)) continue; for (var j = 1; j < argsLength; j++) { if (!_.contains(arguments[j], item)) break; } if (j === argsLength) result.push(item); } return result; }; // Take the difference between one array and a number of other arrays. // Only the elements present in just the first array will remain. _.difference = function(array) { var rest = flatten(arguments, true, true, 1); return _.filter(array, function(value){ return !_.contains(rest, value); }); }; // Zip together multiple lists into a single array -- elements that share // an index go together. _.zip = function() { return _.unzip(arguments); }; // Complement of _.zip. Unzip accepts an array of arrays and groups // each array's elements on shared indices _.unzip = function(array) { var length = array && _.max(array, getLength).length || 0; var result = Array(length); for (var index = 0; index < length; index++) { result[index] = _.pluck(array, index); } return result; }; // Converts lists into objects. Pass either a single array of `[key, value]` // pairs, or two parallel arrays of the same length -- one of keys, and one of // the corresponding values. _.object = function(list, values) { var result = {}; for (var i = 0, length = getLength(list); i < length; i++) { if (values) { result[list[i]] = values[i]; } else { result[list[i][0]] = list[i][1]; } } return result; }; // Generator function to create the findIndex and findLastIndex functions function createPredicateIndexFinder(dir) { return function(array, predicate, context) { predicate = cb(predicate, context); var length = getLength(array); var index = dir > 0 ? 
0 : length - 1; for (; index >= 0 && index < length; index += dir) { if (predicate(array[index], index, array)) return index; } return -1; }; } // Returns the first index on an array-like that passes a predicate test _.findIndex = createPredicateIndexFinder(1); _.findLastIndex = createPredicateIndexFinder(-1); // Use a comparator function to figure out the smallest index at which // an object should be inserted so as to maintain order. Uses binary search. _.sortedIndex = function(array, obj, iteratee, context) { iteratee = cb(iteratee, context, 1); var value = iteratee(obj); var low = 0, high = getLength(array); while (low < high) { var mid = Math.floor((low + high) / 2); if (iteratee(array[mid]) < value) low = mid + 1; else high = mid; } return low; }; // Generator function to create the indexOf and lastIndexOf functions function createIndexFinder(dir, predicateFind, sortedIndex) { return function(array, item, idx) { var i = 0, length = getLength(array); if (typeof idx == 'number') { if (dir > 0) { i = idx >= 0 ? idx : Math.max(idx + length, i); } else { length = idx >= 0 ? Math.min(idx + 1, length) : idx + length + 1; } } else if (sortedIndex && idx && length) { idx = sortedIndex(array, item); return array[idx] === item ? idx : -1; } if (item !== item) { idx = predicateFind(slice.call(array, i, length), _.isNaN); return idx >= 0 ? idx + i : -1; } for (idx = dir > 0 ? i : length - 1; idx >= 0 && idx < length; idx += dir) { if (array[idx] === item) return idx; } return -1; }; } // Return the position of the first occurrence of an item in an array, // or -1 if the item is not included in the array. // If the array is large and already in sort order, pass `true` // for **isSorted** to use binary search. _.indexOf = createIndexFinder(1, _.findIndex, _.sortedIndex); _.lastIndexOf = createIndexFinder(-1, _.findLastIndex); // Generate an integer Array containing an arithmetic progression. A port of // the native Python `range()` function. 
See // [the Python documentation](http://docs.python.org/library/functions.html#range). _.range = function(start, stop, step) { if (stop == null) { stop = start || 0; start = 0; } step = step || 1; var length = Math.max(Math.ceil((stop - start) / step), 0); var range = Array(length); for (var idx = 0; idx < length; idx++, start += step) { range[idx] = start; } return range; }; // Function (ahem) Functions // ------------------ // Determines whether to execute a function as a constructor // or a normal function with the provided arguments var executeBound = function(sourceFunc, boundFunc, context, callingContext, args) { if (!(callingContext instanceof boundFunc)) return sourceFunc.apply(context, args); var self = baseCreate(sourceFunc.prototype); var result = sourceFunc.apply(self, args); if (_.isObject(result)) return result; return self; }; // Create a function bound to a given object (assigning `this`, and arguments, // optionally). Delegates to **ECMAScript 5**'s native `Function.bind` if // available. _.bind = function(func, context) { if (nativeBind && func.bind === nativeBind) return nativeBind.apply(func, slice.call(arguments, 1)); if (!_.isFunction(func)) throw new TypeError('Bind must be called on a function'); var args = slice.call(arguments, 2); var bound = function() { return executeBound(func, bound, context, this, args.concat(slice.call(arguments))); }; return bound; }; // Partially apply a function by creating a version that has had some of its // arguments pre-filled, without changing its dynamic `this` context. _ acts // as a placeholder, allowing any combination of arguments to be pre-filled. _.partial = function(func) { var boundArgs = slice.call(arguments, 1); var bound = function() { var position = 0, length = boundArgs.length; var args = Array(length); for (var i = 0; i < length; i++) { args[i] = boundArgs[i] === _ ? 
arguments[position++] : boundArgs[i]; } while (position < arguments.length) args.push(arguments[position++]); return executeBound(func, bound, this, this, args); }; return bound; }; // Bind a number of an object's methods to that object. Remaining arguments // are the method names to be bound. Useful for ensuring that all callbacks // defined on an object belong to it. _.bindAll = function(obj) { var i, length = arguments.length, key; if (length <= 1) throw new Error('bindAll must be passed function names'); for (i = 1; i < length; i++) { key = arguments[i]; obj[key] = _.bind(obj[key], obj); } return obj; }; // Memoize an expensive function by storing its results. _.memoize = function(func, hasher) { var memoize = function(key) { var cache = memoize.cache; var address = '' + (hasher ? hasher.apply(this, arguments) : key); if (!_.has(cache, address)) cache[address] = func.apply(this, arguments); return cache[address]; }; memoize.cache = {}; return memoize; }; // Delays a function for the given number of milliseconds, and then calls // it with the arguments supplied. _.delay = function(func, wait) { var args = slice.call(arguments, 2); return setTimeout(function(){ return func.apply(null, args); }, wait); }; // Defers a function, scheduling it to run after the current call stack has // cleared. _.defer = _.partial(_.delay, _, 1); // Returns a function, that, when invoked, will only be triggered at most once // during a given window of time. Normally, the throttled function will run // as much as it can, without ever going more than once per `wait` duration; // but if you'd like to disable the execution on the leading edge, pass // `{leading: false}`. To disable execution on the trailing edge, ditto. _.throttle = function(func, wait, options) { var context, args, result; var timeout = null; var previous = 0; if (!options) options = {}; var later = function() { previous = options.leading === false ? 
0 : _.now(); timeout = null; result = func.apply(context, args); if (!timeout) context = args = null; }; return function() { var now = _.now(); if (!previous && options.leading === false) previous = now; var remaining = wait - (now - previous); context = this; args = arguments; if (remaining <= 0 || remaining > wait) { if (timeout) { clearTimeout(timeout); timeout = null; } previous = now; result = func.apply(context, args); if (!timeout) context = args = null; } else if (!timeout && options.trailing !== false) { timeout = setTimeout(later, remaining); } return result; }; }; // Returns a function, that, as long as it continues to be invoked, will not // be triggered. The function will be called after it stops being called for // N milliseconds. If `immediate` is passed, trigger the function on the // leading edge, instead of the trailing. _.debounce = function(func, wait, immediate) { var timeout, args, context, timestamp, result; var later = function() { var last = _.now() - timestamp; if (last < wait && last >= 0) { timeout = setTimeout(later, wait - last); } else { timeout = null; if (!immediate) { result = func.apply(context, args); if (!timeout) context = args = null; } } }; return function() { context = this; args = arguments; timestamp = _.now(); var callNow = immediate && !timeout; if (!timeout) timeout = setTimeout(later, wait); if (callNow) { result = func.apply(context, args); context = args = null; } return result; }; }; // Returns the first function passed as an argument to the second, // allowing you to adjust arguments, run code before and after, and // conditionally execute the original function. _.wrap = function(func, wrapper) { return _.partial(wrapper, func); }; // Returns a negated version of the passed-in predicate. 
_.negate = function(predicate) { return function() { return !predicate.apply(this, arguments); }; }; // Returns a function that is the composition of a list of functions, each // consuming the return value of the function that follows. _.compose = function() { var args = arguments; var start = args.length - 1; return function() { var i = start; var result = args[start].apply(this, arguments); while (i--) result = args[i].call(this, result); return result; }; }; // Returns a function that will only be executed on and after the Nth call. _.after = function(times, func) { return function() { if (--times < 1) { return func.apply(this, arguments); } }; }; // Returns a function that will only be executed up to (but not including) the Nth call. _.before = function(times, func) { var memo; return function() { if (--times > 0) { memo = func.apply(this, arguments); } if (times <= 1) func = null; return memo; }; }; // Returns a function that will be executed at most one time, no matter how // often you call it. Useful for lazy initialization. _.once = _.partial(_.before, 2); // Object Functions // ---------------- // Keys in IE < 9 that won't be iterated by `for key in ...` and thus missed. var hasEnumBug = !{toString: null}.propertyIsEnumerable('toString'); var nonEnumerableProps = ['valueOf', 'isPrototypeOf', 'toString', 'propertyIsEnumerable', 'hasOwnProperty', 'toLocaleString']; function collectNonEnumProps(obj, keys) { var nonEnumIdx = nonEnumerableProps.length; var constructor = obj.constructor; var proto = (_.isFunction(constructor) && constructor.prototype) || ObjProto; // Constructor is a special case. var prop = 'constructor'; if (_.has(obj, prop) && !_.contains(keys, prop)) keys.push(prop); while (nonEnumIdx--) { prop = nonEnumerableProps[nonEnumIdx]; if (prop in obj && obj[prop] !== proto[prop] && !_.contains(keys, prop)) { keys.push(prop); } } } // Retrieve the names of an object's own properties. 
// Delegates to **ECMAScript 5**'s native `Object.keys` _.keys = function(obj) { if (!_.isObject(obj)) return []; if (nativeKeys) return nativeKeys(obj); var keys = []; for (var key in obj) if (_.has(obj, key)) keys.push(key); // Ahem, IE < 9. if (hasEnumBug) collectNonEnumProps(obj, keys); return keys; }; // Retrieve all the property names of an object. _.allKeys = function(obj) { if (!_.isObject(obj)) return []; var keys = []; for (var key in obj) keys.push(key); // Ahem, IE < 9. if (hasEnumBug) collectNonEnumProps(obj, keys); return keys; }; // Retrieve the values of an object's properties. _.values = function(obj) { var keys = _.keys(obj); var length = keys.length; var values = Array(length); for (var i = 0; i < length; i++) { values[i] = obj[keys[i]]; } return values; }; // Returns the results of applying the iteratee to each element of the object // In contrast to _.map it returns an object _.mapObject = function(obj, iteratee, context) { iteratee = cb(iteratee, context); var keys = _.keys(obj), length = keys.length, results = {}, currentKey; for (var index = 0; index < length; index++) { currentKey = keys[index]; results[currentKey] = iteratee(obj[currentKey], currentKey, obj); } return results; }; // Convert an object into a list of `[key, value]` pairs. _.pairs = function(obj) { var keys = _.keys(obj); var length = keys.length; var pairs = Array(length); for (var i = 0; i < length; i++) { pairs[i] = [keys[i], obj[keys[i]]]; } return pairs; }; // Invert the keys and values of an object. The values must be serializable. _.invert = function(obj) { var result = {}; var keys = _.keys(obj); for (var i = 0, length = keys.length; i < length; i++) { result[obj[keys[i]]] = keys[i]; } return result; }; // Return a sorted list of the function names available on the object. 
  // Aliased as `methods`
  _.functions = _.methods = function(obj) {
    var names = [];
    for (var key in obj) {
      if (_.isFunction(obj[key])) names.push(key);
    }
    return names.sort();
  };

  // Extend a given object with all the properties in passed-in object(s).
  _.extend = createAssigner(_.allKeys);

  // Assigns a given object with all the own properties in the passed-in object(s)
  // (https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Object/assign)
  _.extendOwn = _.assign = createAssigner(_.keys);

  // Returns the first key on an object that passes a predicate test
  _.findKey = function(obj, predicate, context) {
    predicate = cb(predicate, context);
    var keys = _.keys(obj), key;
    for (var i = 0, length = keys.length; i < length; i++) {
      key = keys[i];
      if (predicate(obj[key], key, obj)) return key;
    }
  };

  // Return a copy of the object only containing the whitelisted properties.
  _.pick = function(object, oiteratee, context) {
    var result = {}, obj = object, iteratee, keys;
    if (obj == null) return result;
    if (_.isFunction(oiteratee)) {
      keys = _.allKeys(obj);
      iteratee = optimizeCb(oiteratee, context);
    } else {
      keys = flatten(arguments, false, false, 1);
      iteratee = function(value, key, obj) { return key in obj; };
      obj = Object(obj);
    }
    for (var i = 0, length = keys.length; i < length; i++) {
      var key = keys[i];
      var value = obj[key];
      if (iteratee(value, key, obj)) result[key] = value;
    }
    return result;
  };

  // Return a copy of the object without the blacklisted properties.
  _.omit = function(obj, iteratee, context) {
    if (_.isFunction(iteratee)) {
      iteratee = _.negate(iteratee);
    } else {
      var keys = _.map(flatten(arguments, false, false, 1), String);
      iteratee = function(value, key) {
        return !_.contains(keys, key);
      };
    }
    return _.pick(obj, iteratee, context);
  };

  // Fill in a given object with default properties.
  _.defaults = createAssigner(_.allKeys, true);

  // Creates an object that inherits from the given prototype object.
  // If additional properties are provided then they will be added to the
  // created object.
  _.create = function(prototype, props) {
    var result = baseCreate(prototype);
    if (props) _.extendOwn(result, props);
    return result;
  };

  // Create a (shallow-cloned) duplicate of an object.
  _.clone = function(obj) {
    if (!_.isObject(obj)) return obj;
    return _.isArray(obj) ? obj.slice() : _.extend({}, obj);
  };

  // Invokes interceptor with the obj, and then returns obj.
  // The primary purpose of this method is to "tap into" a method chain, in
  // order to perform operations on intermediate results within the chain.
  _.tap = function(obj, interceptor) {
    interceptor(obj);
    return obj;
  };

  // Returns whether an object has a given set of `key:value` pairs.
  _.isMatch = function(object, attrs) {
    var keys = _.keys(attrs), length = keys.length;
    if (object == null) return !length;
    var obj = Object(object);
    for (var i = 0; i < length; i++) {
      var key = keys[i];
      if (attrs[key] !== obj[key] || !(key in obj)) return false;
    }
    return true;
  };

  // Internal recursive comparison function for `isEqual`.
  var eq = function(a, b, aStack, bStack) {
    // Identical objects are equal. `0 === -0`, but they aren't identical.
    // See the [Harmony `egal` proposal](http://wiki.ecmascript.org/doku.php?id=harmony:egal).
    if (a === b) return a !== 0 || 1 / a === 1 / b;
    // A strict comparison is necessary because `null == undefined`.
    if (a == null || b == null) return a === b;
    // Unwrap any wrapped objects.
    if (a instanceof _) a = a._wrapped;
    if (b instanceof _) b = b._wrapped;
    // Compare `[[Class]]` names.
    var className = toString.call(a);
    if (className !== toString.call(b)) return false;
    switch (className) {
      // Strings, numbers, regular expressions, dates, and booleans are compared by value.
      case '[object RegExp]':
      // RegExps are coerced to strings for comparison (Note: '' + /a/i === '/a/i')
      case '[object String]':
        // Primitives and their corresponding object wrappers are equivalent; thus, `"5"` is
        // equivalent to `new String("5")`.
        return '' + a === '' + b;
      case '[object Number]':
        // `NaN`s are equivalent, but non-reflexive.
        // Object(NaN) is equivalent to NaN
        if (+a !== +a) return +b !== +b;
        // An `egal` comparison is performed for other numeric values.
        return +a === 0 ? 1 / +a === 1 / b : +a === +b;
      case '[object Date]':
      case '[object Boolean]':
        // Coerce dates and booleans to numeric primitive values. Dates are compared by their
        // millisecond representations. Note that invalid dates with millisecond representations
        // of `NaN` are not equivalent.
        return +a === +b;
    }

    var areArrays = className === '[object Array]';
    if (!areArrays) {
      if (typeof a != 'object' || typeof b != 'object') return false;

      // Objects with different constructors are not equivalent, but `Object`s or `Array`s
      // from different frames are.
      var aCtor = a.constructor, bCtor = b.constructor;
      if (aCtor !== bCtor && !(_.isFunction(aCtor) && aCtor instanceof aCtor &&
                               _.isFunction(bCtor) && bCtor instanceof bCtor)
                          && ('constructor' in a && 'constructor' in b)) {
        return false;
      }
    }
    // Assume equality for cyclic structures. The algorithm for detecting cyclic
    // structures is adapted from ES 5.1 section 15.12.3, abstract operation `JO`.

    // Initializing stack of traversed objects.
    // It's done here since we only need them for objects and arrays comparison.
    aStack = aStack || [];
    bStack = bStack || [];
    var length = aStack.length;
    while (length--) {
      // Linear search. Performance is inversely proportional to the number of
      // unique nested structures.
      if (aStack[length] === a) return bStack[length] === b;
    }

    // Add the first object to the stack of traversed objects.
    aStack.push(a);
    bStack.push(b);

    // Recursively compare objects and arrays.
    if (areArrays) {
      // Compare array lengths to determine if a deep comparison is necessary.
      length = a.length;
      if (length !== b.length) return false;
      // Deep compare the contents, ignoring non-numeric properties.
      while (length--) {
        if (!eq(a[length], b[length], aStack, bStack)) return false;
      }
    } else {
      // Deep compare objects.
      var keys = _.keys(a), key;
      length = keys.length;
      // Ensure that both objects contain the same number of properties before comparing deep equality.
      if (_.keys(b).length !== length) return false;
      while (length--) {
        // Deep compare each member
        key = keys[length];
        if (!(_.has(b, key) && eq(a[key], b[key], aStack, bStack))) return false;
      }
    }
    // Remove the first object from the stack of traversed objects.
    aStack.pop();
    bStack.pop();
    return true;
  };

  // Perform a deep comparison to check if two objects are equal.
  _.isEqual = function(a, b) {
    return eq(a, b);
  };

  // Is a given array, string, or object empty?
  // An "empty" object has no enumerable own-properties.
  _.isEmpty = function(obj) {
    if (obj == null) return true;
    if (isArrayLike(obj) && (_.isArray(obj) || _.isString(obj) || _.isArguments(obj))) return obj.length === 0;
    return _.keys(obj).length === 0;
  };

  // Is a given value a DOM element?
  _.isElement = function(obj) {
    return !!(obj && obj.nodeType === 1);
  };

  // Is a given value an array?
  // Delegates to ECMA5's native Array.isArray
  _.isArray = nativeIsArray || function(obj) {
    return toString.call(obj) === '[object Array]';
  };

  // Is a given variable an object?
  _.isObject = function(obj) {
    var type = typeof obj;
    return type === 'function' || type === 'object' && !!obj;
  };

  // Add some isType methods: isArguments, isFunction, isString, isNumber, isDate, isRegExp, isError.
  _.each(['Arguments', 'Function', 'String', 'Number', 'Date', 'RegExp', 'Error'], function(name) {
    _['is' + name] = function(obj) {
      return toString.call(obj) === '[object ' + name + ']';
    };
  });

  // Define a fallback version of the method in browsers (ahem, IE < 9), where
  // there isn't any inspectable "Arguments" type.
  if (!_.isArguments(arguments)) {
    _.isArguments = function(obj) {
      return _.has(obj, 'callee');
    };
  }

  // Optimize `isFunction` if appropriate. Work around some typeof bugs in old v8,
  // IE 11 (#1621), and in Safari 8 (#1929).
  if (typeof /./ != 'function' && typeof Int8Array != 'object') {
    _.isFunction = function(obj) {
      return typeof obj == 'function' || false;
    };
  }

  // Is a given object a finite number?
  _.isFinite = function(obj) {
    return isFinite(obj) && !isNaN(parseFloat(obj));
  };

  // Is the given value `NaN`? (NaN is the only number which does not equal itself).
  _.isNaN = function(obj) {
    return _.isNumber(obj) && obj !== +obj;
  };

  // Is a given value a boolean?
  _.isBoolean = function(obj) {
    return obj === true || obj === false || toString.call(obj) === '[object Boolean]';
  };

  // Is a given value equal to null?
  _.isNull = function(obj) {
    return obj === null;
  };

  // Is a given variable undefined?
  _.isUndefined = function(obj) {
    return obj === void 0;
  };

  // Shortcut function for checking if an object has a given property directly
  // on itself (in other words, not on a prototype).
  _.has = function(obj, key) {
    return obj != null && hasOwnProperty.call(obj, key);
  };

  // Utility Functions
  // -----------------

  // Run Underscore.js in *noConflict* mode, returning the `_` variable to its
  // previous owner. Returns a reference to the Underscore object.
  _.noConflict = function() {
    root._ = previousUnderscore;
    return this;
  };

  // Keep the identity function around for default iteratees.
  _.identity = function(value) {
    return value;
  };

  // Predicate-generating functions. Often useful outside of Underscore.
  _.constant = function(value) {
    return function() {
      return value;
    };
  };

  _.noop = function(){};

  _.property = property;

  // Generates a function for a given object that returns a given property.
  _.propertyOf = function(obj) {
    return obj == null ? function(){} : function(key) {
      return obj[key];
    };
  };

  // Returns a predicate for checking whether an object has a given set of
  // `key:value` pairs.
  _.matcher = _.matches = function(attrs) {
    attrs = _.extendOwn({}, attrs);
    return function(obj) {
      return _.isMatch(obj, attrs);
    };
  };

  // Run a function **n** times.
  _.times = function(n, iteratee, context) {
    var accum = Array(Math.max(0, n));
    iteratee = optimizeCb(iteratee, context, 1);
    for (var i = 0; i < n; i++) accum[i] = iteratee(i);
    return accum;
  };

  // Return a random integer between min and max (inclusive).
  _.random = function(min, max) {
    if (max == null) {
      max = min;
      min = 0;
    }
    return min + Math.floor(Math.random() * (max - min + 1));
  };

  // A (possibly faster) way to get the current timestamp as an integer.
  _.now = Date.now || function() {
    return new Date().getTime();
  };

  // List of HTML entities for escaping. Each key must map to its entity;
  // an identity mapping here would turn `_.escape` into a no-op.
  var escapeMap = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#x27;',
    '`': '&#x60;'
  };
  var unescapeMap = _.invert(escapeMap);

  // Functions for escaping and unescaping strings to/from HTML interpolation.
  var createEscaper = function(map) {
    var escaper = function(match) {
      return map[match];
    };
    // Regexes for identifying a key that needs to be escaped
    var source = '(?:' + _.keys(map).join('|') + ')';
    var testRegexp = RegExp(source);
    var replaceRegexp = RegExp(source, 'g');
    return function(string) {
      string = string == null ? '' : '' + string;
      return testRegexp.test(string) ? string.replace(replaceRegexp, escaper) : string;
    };
  };
  _.escape = createEscaper(escapeMap);
  _.unescape = createEscaper(unescapeMap);

  // If the value of the named `property` is a function then invoke it with the
  // `object` as context; otherwise, return it.
  _.result = function(object, property, fallback) {
    var value = object == null ? void 0 : object[property];
    if (value === void 0) {
      value = fallback;
    }
    return _.isFunction(value) ? value.call(object) : value;
  };

  // Generate a unique integer id (unique within the entire client session).
  // Useful for temporary DOM ids.
  var idCounter = 0;
  _.uniqueId = function(prefix) {
    var id = ++idCounter + '';
    return prefix ? prefix + id : id;
  };

  // By default, Underscore uses ERB-style template delimiters, change the
  // following template settings to use alternative delimiters.
  _.templateSettings = {
    evaluate    : /<%([\s\S]+?)%>/g,
    interpolate : /<%=([\s\S]+?)%>/g,
    escape      : /<%-([\s\S]+?)%>/g
  };

  // When customizing `templateSettings`, if you don't want to define an
  // interpolation, evaluation or escaping regex, we need one that is
  // guaranteed not to match.
  var noMatch = /(.)^/;

  // Certain characters need to be escaped so that they can be put into a
  // string literal.
  var escapes = {
    "'":      "'",
    '\\':     '\\',
    '\r':     'r',
    '\n':     'n',
    '\u2028': 'u2028',
    '\u2029': 'u2029'
  };

  var escaper = /\\|'|\r|\n|\u2028|\u2029/g;

  var escapeChar = function(match) {
    return '\\' + escapes[match];
  };

  // In order to prevent third-party code injection through
  // `_.templateSettings.variable`, we test it against the following regular
  // expression. It is intentionally a bit more liberal than just matching valid
  // identifiers, but still prevents possible loopholes through defaults or
  // destructuring assignment.
  var bareIdentifier = /^\s*(\w|\$)+\s*$/;

  // JavaScript micro-templating, similar to John Resig's implementation.
  // Underscore templating handles arbitrary delimiters, preserves whitespace,
  // and correctly escapes quotes within interpolated code.
  // NB: `oldSettings` only exists for backwards compatibility.
  _.template = function(text, settings, oldSettings) {
    if (!settings && oldSettings) settings = oldSettings;
    settings = _.defaults({}, settings, _.templateSettings);

    // Combine delimiters into one regular expression via alternation.
    var matcher = RegExp([
      (settings.escape || noMatch).source,
      (settings.interpolate || noMatch).source,
      (settings.evaluate || noMatch).source
    ].join('|') + '|$', 'g');

    // Compile the template source, escaping string literals appropriately.
    var index = 0;
    var source = "__p+='";
    text.replace(matcher, function(match, escape, interpolate, evaluate, offset) {
      source += text.slice(index, offset).replace(escaper, escapeChar);
      index = offset + match.length;

      if (escape) {
        source += "'+\n((__t=(" + escape + "))==null?'':_.escape(__t))+\n'";
      } else if (interpolate) {
        source += "'+\n((__t=(" + interpolate + "))==null?'':__t)+\n'";
      } else if (evaluate) {
        source += "';\n" + evaluate + "\n__p+='";
      }

      // Adobe VMs need the match returned to produce the correct offset.
      return match;
    });
    source += "';\n";

    var argument = settings.variable;
    if (argument) {
      // Ensure against third-party code injection: the variable name becomes
      // the parameter list of the generated function, so it must be a bare identifier.
      if (!bareIdentifier.test(argument)) throw new Error(
        'variable is not a bare identifier: ' + argument
      );
    } else {
      // If a variable is not specified, place data values in local scope.
      source = 'with(obj||{}){\n' + source + '}\n';
      argument = 'obj';
    }

    source = "var __t,__p='',__j=Array.prototype.join," +
      "print=function(){__p+=__j.call(arguments,'');};\n" +
      source + 'return __p;\n';

    // Declared here so that a failed compilation does not leak an implicit global.
    var render;
    try {
      render = new Function(argument, '_', source);
    } catch (e) {
      e.source = source;
      throw e;
    }

    var template = function(data) {
      return render.call(this, data, _);
    };

    // Provide the compiled source as a convenience for precompilation.
    template.source = 'function(' + argument + '){\n' + source + '}';

    return template;
  };

  // Add a "chain" function. Start chaining a wrapped Underscore object.
  _.chain = function(obj) {
    var instance = _(obj);
    instance._chain = true;
    return instance;
  };

  // OOP
  // ---------------
  // If Underscore is called as a function, it returns a wrapped object that
  // can be used OO-style. This wrapper holds altered versions of all the
  // underscore functions. Wrapped objects may be chained.

  // Helper function to continue chaining intermediate results.
  var result = function(instance, obj) {
    return instance._chain ? _(obj).chain() : obj;
  };

  // Add your own custom functions to the Underscore object.
  _.mixin = function(obj) {
    _.each(_.functions(obj), function(name) {
      var func = _[name] = obj[name];
      _.prototype[name] = function() {
        var args = [this._wrapped];
        push.apply(args, arguments);
        return result(this, func.apply(_, args));
      };
    });
  };

  // Add all of the Underscore functions to the wrapper object.
  _.mixin(_);

  // Add all mutator Array functions to the wrapper.
  _.each(['pop', 'push', 'reverse', 'shift', 'sort', 'splice', 'unshift'], function(name) {
    var method = ArrayProto[name];
    _.prototype[name] = function() {
      var obj = this._wrapped;
      method.apply(obj, arguments);
      if ((name === 'shift' || name === 'splice') && obj.length === 0) delete obj[0];
      return result(this, obj);
    };
  });

  // Add all accessor Array functions to the wrapper.
  _.each(['concat', 'join', 'slice'], function(name) {
    var method = ArrayProto[name];
    _.prototype[name] = function() {
      return result(this, method.apply(this._wrapped, arguments));
    };
  });

  // Extracts the result from a wrapped and chained object.
  _.prototype.value = function() {
    return this._wrapped;
  };

  // Provide unwrapping proxy for some methods used in engine operations
  // such as arithmetic and JSON stringification.
  _.prototype.valueOf = _.prototype.toJSON = _.prototype.value;

  _.prototype.toString = function() {
    return '' + this._wrapped;
  };

  // AMD registration happens at the end for compatibility with AMD loaders
  // that may not enforce next-turn semantics on modules.
  // Even though general
  // practice for AMD registration is to be anonymous, underscore registers
  // as a named module because, like jQuery, it is a base library that is
  // popular enough to be bundled in a third party lib, but not be part of
  // an AMD load request. Those cases could generate an error when an
  // anonymous define() is called outside of a loader request.
  if (typeof define === 'function' && define.amd) {
    define('underscore', [], function() {
      return _;
    });
  }
}.call(this));

krb5-1.19.2/doc/html/_static/comment-bright.png

krb5-1.19.2/doc/html/_static/doctools.js
/*
 * doctools.js
 * ~~~~~~~~~~~
 *
 * Sphinx JavaScript utilities for all documentation.
 *
 * :copyright: Copyright 2007-2018 by the Sphinx team, see AUTHORS.
 * :license: BSD, see LICENSE for details.
 *
 */

/**
 * select a different prefix for underscore
 */
$u = _.noConflict();

/**
 * make the code below compatible with browsers without
 * an installed firebug like debugger
if (!window.console || !console.firebug) {
  var names = ["log", "debug", "info", "warn", "error", "assert", "dir",
    "dirxml", "group", "groupEnd", "time", "timeEnd", "count", "trace",
    "profile", "profileEnd"];
  window.console = {};
  for (var i = 0; i < names.length; ++i)
    window.console[names[i]] = function() {};
}
 */

/**
 * small helper function to urldecode strings
 */
jQuery.urldecode = function(x) {
  return decodeURIComponent(x).replace(/\+/g, ' ');
};

/**
 * small helper function to urlencode strings
 */
jQuery.urlencode = encodeURIComponent;

/**
 * This function returns the parsed url parameters of the
 * current request. Multiple values per key are supported,
 * it will always return arrays of strings for the value parts.
 */
jQuery.getQueryParameters = function(s) {
  if (typeof s === 'undefined')
    s = document.location.search;
  var parts = s.substr(s.indexOf('?') + 1).split('&');
  var result = {};
  for (var i = 0; i < parts.length; i++) {
    var tmp = parts[i].split('=', 2);
    var key = jQuery.urldecode(tmp[0]);
    var value = jQuery.urldecode(tmp[1]);
    if (key in result)
      result[key].push(value);
    else
      result[key] = [value];
  }
  return result;
};

/**
 * highlight a given string on a jquery object by wrapping it in
 * span elements with the given class name.
 */
jQuery.fn.highlightText = function(text, className) {
  function highlight(node, addItems) {
    if (node.nodeType === 3) {
      var val = node.nodeValue;
      var pos = val.toLowerCase().indexOf(text);
      if (pos >= 0 &&
          !jQuery(node.parentNode).hasClass(className)) {
        var span;
        var isInSVG = jQuery(node).closest("body, svg, foreignObject").is("svg");
        if (isInSVG) {
          span = document.createElementNS("http://www.w3.org/2000/svg", "tspan");
        } else {
          span = document.createElement("span");
          span.className = className;
        }
        span.appendChild(document.createTextNode(val.substr(pos, text.length)));
        node.parentNode.insertBefore(span, node.parentNode.insertBefore(
          document.createTextNode(val.substr(pos + text.length)),
          node.nextSibling));
        node.nodeValue = val.substr(0, pos);
        if (isInSVG) {
          var bbox = span.getBBox();
          var rect = document.createElementNS("http://www.w3.org/2000/svg", "rect");
          rect.x.baseVal.value = bbox.x;
          rect.y.baseVal.value = bbox.y;
          rect.width.baseVal.value = bbox.width;
          rect.height.baseVal.value = bbox.height;
          rect.setAttribute('class', className);
          var parentOfText = node.parentNode.parentNode;
          addItems.push({
            "parent": node.parentNode,
            "target": rect});
        }
      }
    }
    else if (!jQuery(node).is("button, select, textarea")) {
      jQuery.each(node.childNodes, function() {
        highlight(this, addItems);
      });
    }
  }
  var addItems = [];
  var result = this.each(function() {
    highlight(this, addItems);
  });
  for (var i = 0; i < addItems.length; ++i) {
    jQuery(addItems[i].parent).before(addItems[i].target);
  }
  return result;
};

/*
 * backward compatibility for jQuery.browser
 * This will be supported until firefox bug is fixed.
 */
if (!jQuery.browser) {
  jQuery.uaMatch = function(ua) {
    ua = ua.toLowerCase();

    var match = /(chrome)[ \/]([\w.]+)/.exec(ua) ||
      /(webkit)[ \/]([\w.]+)/.exec(ua) ||
      /(opera)(?:.*version|)[ \/]([\w.]+)/.exec(ua) ||
      /(msie) ([\w.]+)/.exec(ua) ||
      ua.indexOf("compatible") < 0 && /(mozilla)(?:.*? rv:([\w.]+)|)/.exec(ua) ||
      [];

    return {
      browser: match[ 1 ] || "",
      version: match[ 2 ] || "0"
    };
  };
  jQuery.browser = {};
  jQuery.browser[jQuery.uaMatch(navigator.userAgent).browser] = true;
}

/**
 * Small JavaScript module for the documentation.
 */
var Documentation = {

  init : function() {
    this.fixFirefoxAnchorBug();
    this.highlightSearchWords();
    this.initIndexTable();
  },

  /**
   * i18n support
   */
  TRANSLATIONS : {},
  PLURAL_EXPR : function(n) { return n === 1 ? 0 : 1; },
  LOCALE : 'unknown',

  // gettext and ngettext don't access this so that the functions
  // can safely bound to a different name (_ = Documentation.gettext)
  gettext : function(string) {
    var translated = Documentation.TRANSLATIONS[string];
    if (typeof translated === 'undefined')
      return string;
    return (typeof translated === 'string') ? translated : translated[0];
  },

  ngettext : function(singular, plural, n) {
    var translated = Documentation.TRANSLATIONS[singular];
    if (typeof translated === 'undefined')
      return (n == 1) ? singular : plural;
    // The plural selector is the PLURAL_EXPR property defined above.
    return translated[Documentation.PLURAL_EXPR(n)];
  },

  addTranslations : function(catalog) {
    for (var key in catalog.messages)
      this.TRANSLATIONS[key] = catalog.messages[key];
    this.PLURAL_EXPR = new Function('n', 'return +(' + catalog.plural_expr + ')');
    this.LOCALE = catalog.locale;
  },

  /**
   * add context elements like header anchor links
   */
  addContextElements : function() {
    $('div[id] > :header:first').each(function() {
      $('<a class="headerlink">\u00B6</a>').
      attr('href', '#' + this.id).
      attr('title', _('Permalink to this headline')).
      appendTo(this);
    });
    $('dt[id]').each(function() {
      $('<a class="headerlink">\u00B6</a>').
      attr('href', '#' + this.id).
      attr('title', _('Permalink to this definition')).
      appendTo(this);
    });
  },

  /**
   * workaround a firefox stupidity
   * see: https://bugzilla.mozilla.org/show_bug.cgi?id=645075
   */
  fixFirefoxAnchorBug : function() {
    if (document.location.hash && $.browser.mozilla)
      window.setTimeout(function() {
        document.location.href += '';
      }, 10);
  },

  /**
   * highlight the search words provided in the url in the text
   */
  highlightSearchWords : function() {
    var params = $.getQueryParameters();
    var terms = (params.highlight) ? params.highlight[0].split(/\s+/) : [];
    if (terms.length) {
      var body = $('div.body');
      if (!body.length) {
        body = $('body');
      }
      window.setTimeout(function() {
        $.each(terms, function() {
          body.highlightText(this.toLowerCase(), 'highlighted');
        });
      }, 10);
      $('<p class="highlight-link"><a href="javascript:Documentation.' +
        'hideSearchWords()">' + _('Hide Search Matches') + '</a></p>')
          .appendTo($('#searchbox'));
    }
  },

  /**
   * init the domain index toggle buttons
   */
  initIndexTable : function() {
    var togglers = $('img.toggler').click(function() {
      var src = $(this).attr('src');
      var idnum = $(this).attr('id').substr(7);
      $('tr.cg-' + idnum).toggle();
      if (src.substr(-9) === 'minus.png')
        $(this).attr('src', src.substr(0, src.length-9) + 'plus.png');
      else
        $(this).attr('src', src.substr(0, src.length-8) + 'minus.png');
    }).css('display', '');
    if (DOCUMENTATION_OPTIONS.COLLAPSE_INDEX) {
        togglers.click();
    }
  },

  /**
   * helper function to hide the search marks again
   */
  hideSearchWords : function() {
    $('#searchbox .highlight-link').fadeOut(300);
    $('span.highlighted').removeClass('highlighted');
  },

  /**
   * make the url absolute
   */
  makeURL : function(relativeURL) {
    return DOCUMENTATION_OPTIONS.URL_ROOT + '/' + relativeURL;
  },

  /**
   * get the current relative url
   */
  getCurrentURL : function() {
    var path = document.location.pathname;
    var parts = path.split(/\//);
    $.each(DOCUMENTATION_OPTIONS.URL_ROOT.split(/\//), function() {
      if (this === '..')
        parts.pop();
    });
    var url = parts.join('/');
    return path.substring(url.lastIndexOf('/') + 1,
                          path.length - 1);
  },

  initOnKeyListeners: function() {
    $(document).keyup(function(event) {
      var activeElementType = document.activeElement.tagName;
      // don't navigate when in search box or textarea
      if (activeElementType !== 'TEXTAREA' && activeElementType !== 'INPUT' && activeElementType !== 'SELECT') {
        switch (event.keyCode) {
          case 37: // left
            var prevHref = $('link[rel="prev"]').prop('href');
            if (prevHref) {
              window.location.href = prevHref;
              return false;
            }
            // without this break, a missing "prev" link would fall through to "next"
            break;
          case 39: // right
            var nextHref = $('link[rel="next"]').prop('href');
            if (nextHref) {
              window.location.href = nextHref;
              return false;
            }
            break;
        }
      }
    });
  }
};

// quick alias for translations
_ = Documentation.gettext;

$(document).ready(function() {
  Documentation.init();
});

krb5-1.19.2/doc/html/_static/up-pressed.png

krb5-1.19.2/doc/html/_static/websupport.js
/*
 * websupport.js
 * ~~~~~~~~~~~~~
 *
 * sphinx.websupport utilities for all documentation.
 *
 * :copyright: Copyright 2007-2018 by the Sphinx team, see AUTHORS.
 * :license: BSD, see LICENSE for details.
 *
 */

(function($) {
  $.fn.autogrow = function() {
    return this.each(function() {
      var textarea = this;

      $.fn.autogrow.resize(textarea);

      $(textarea)
        .focus(function() {
          textarea.interval = setInterval(function() {
            $.fn.autogrow.resize(textarea);
          }, 500);
        })
        .blur(function() {
          clearInterval(textarea.interval);
        });
    });
  };

  $.fn.autogrow.resize = function(textarea) {
    var lineHeight = parseInt($(textarea).css('line-height'), 10);
    var lines = textarea.value.split('\n');
    var columns = textarea.cols;
    var lineCount = 0;
    $.each(lines, function() {
      lineCount += Math.ceil(this.length / columns) || 1;
    });
    var height = lineHeight * (lineCount + 1);
    $(textarea).css('height', height);
  };
})(jQuery);

(function($) {
  var comp, by;

  function init() {
    initEvents();
    initComparator();
  }

  function initEvents() {
    $(document).on("click", 'a.comment-close', function(event) {
      event.preventDefault();
      hide($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.vote', function(event) {
      event.preventDefault();
      handleVote($(this));
    });
    $(document).on("click", 'a.reply', function(event) {
      event.preventDefault();
      openReply($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.close-reply', function(event) {
      event.preventDefault();
      closeReply($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.sort-option', function(event) {
      event.preventDefault();
      handleReSort($(this));
    });
    $(document).on("click", 'a.show-proposal', function(event) {
      event.preventDefault();
      showProposal($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.hide-proposal', function(event) {
      event.preventDefault();
      hideProposal($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.show-propose-change', function(event) {
      event.preventDefault();
      showProposeChange($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.hide-propose-change', function(event) {
      event.preventDefault();
      hideProposeChange($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.accept-comment',
      function(event) {
      event.preventDefault();
      acceptComment($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.delete-comment', function(event) {
      event.preventDefault();
      deleteComment($(this).attr('id').substring(2));
    });
    $(document).on("click", 'a.comment-markup', function(event) {
      event.preventDefault();
      toggleCommentMarkupBox($(this).attr('id').substring(2));
    });
  }

  /**
   * Set comp, which is a comparator function used for sorting and
   * inserting comments into the list.
   */
  function setComparator() {
    // If the first three letters are "asc", sort in ascending order
    // and remove the prefix.
    if (by.substring(0,3) == 'asc') {
      var i = by.substring(3);
      comp = function(a, b) { return a[i] - b[i]; };
    } else {
      // Otherwise sort in descending order.
      comp = function(a, b) { return b[by] - a[by]; };
    }

    // Reset link styles and format the selected sort option.
    $('a.sel').attr('href', '#').removeClass('sel');
    $('a.by' + by).removeAttr('href').addClass('sel');
  }

  /**
   * Create a comp function. If the user has preferences stored in
   * the sortBy cookie, use those, otherwise use the default.
   */
  function initComparator() {
    by = 'rating'; // Default to sort by rating.
    // If the sortBy cookie is set, use that instead.
    if (document.cookie.length > 0) {
      var start = document.cookie.indexOf('sortBy=');
      if (start != -1) {
        start = start + 7;
        var end = document.cookie.indexOf(";", start);
        if (end == -1) {
          end = document.cookie.length;
        }
        // Read the value whether or not sortBy is the last cookie.
        by = unescape(document.cookie.substring(start, end));
      }
    }
    setComparator();
  }

  /**
   * Show a comment div.
   */
  function show(id) {
    $('#ao' + id).hide();
    $('#ah' + id).show();
    var context = $.extend({id: id}, opts);
    var popup = $(renderTemplate(popupTemplate, context)).hide();
    popup.find('textarea[name="proposal"]').hide();
    popup.find('a.by' + by).addClass('sel');
    var form = popup.find('#cf' + id);
    form.submit(function(event) {
      event.preventDefault();
      addComment(form);
    });
    $('#s' + id).after(popup);
    popup.slideDown('fast', function() {
      getComments(id);
    });
  }

  /**
   * Hide a comment div.
   */
  function hide(id) {
    $('#ah' + id).hide();
    $('#ao' + id).show();
    var div = $('#sc' + id);
    div.slideUp('fast', function() {
      div.remove();
    });
  }

  /**
   * Perform an ajax request to get comments for a node
   * and insert the comments into the comments tree.
   */
  function getComments(id) {
    $.ajax({
     type: 'GET',
     url: opts.getCommentsURL,
     data: {node: id},
     success: function(data, textStatus, request) {
       var ul = $('#cl' + id);
       var speed = 100;
       $('#cf' + id)
         .find('textarea[name="proposal"]')
         .data('source', data.source);

       if (data.comments.length === 0) {
         ul.html('<li>No comments yet.</li>');
         ul.data('empty', true);
       } else {
         // If there are comments, sort them and put them in the list.
         var comments = sortComments(data.comments);
         speed = data.comments.length * 100;
         appendComments(comments, ul);
         ul.data('empty', false);
       }
       $('#cn' + id).slideUp(speed + 200);
       ul.slideDown(speed);
     },
     error: function(request, textStatus, error) {
       showError('Oops, there was a problem retrieving the comments.');
     },
     dataType: 'json'
    });
  }

  /**
   * Add a comment via ajax and insert the comment into the comment tree.
   */
  function addComment(form) {
    var node_id = form.find('input[name="node"]').val();
    var parent_id = form.find('input[name="parent"]').val();
    var text = form.find('textarea[name="comment"]').val();
    var proposal = form.find('textarea[name="proposal"]').val();

    if (text == '') {
      showError('Please enter a comment.');
      return;
    }

    // Disable the form that is being submitted.
    form.find('textarea,input').attr('disabled', 'disabled');

    // Send the comment to the server.
    $.ajax({
      type: "POST",
      url: opts.addCommentURL,
      dataType: 'json',
      data: {
        node: node_id,
        parent: parent_id,
        text: text,
        proposal: proposal
      },
      success: function(data, textStatus, error) {
        // Reset the form.
        if (node_id) {
          hideProposeChange(node_id);
        }
        form.find('textarea')
          .val('')
          .add(form.find('input'))
          .removeAttr('disabled');
        var ul = $('#cl' + (node_id || parent_id));
        if (ul.data('empty')) {
          $(ul).empty();
          ul.data('empty', false);
        }
        insertComment(data.comment);
        var ao = $('#ao' + node_id);
        ao.find('img').attr({'src': opts.commentBrightImage});
        if (node_id) {
          // if this was a "root" comment, remove the commenting box
          // (the user can get it back by reopening the comment popup)
          $('#ca' + node_id).slideUp();
        }
      },
      error: function(request, textStatus, error) {
        form.find('textarea,input').removeAttr('disabled');
        showError('Oops, there was a problem adding the comment.');
      }
    });
  }

  /**
   * Recursively append comments to the main comment list and children
   * lists, creating the comment tree.
   */
  function appendComments(comments, ul) {
    $.each(comments, function() {
      var div = createCommentDiv(this);
      ul.append($(document.createElement('li')).html(div));
      appendComments(this.children, div.find('ul.comment-children'));
      // To avoid stagnating data, don't store the comments children in data.
      this.children = null;
      div.data('comment', this);
    });
  }

  /**
   * After adding a new comment, it must be inserted in the correct
   * location in the comment tree.
   */
  function insertComment(comment) {
    var div = createCommentDiv(comment);

    // To avoid stagnating data, don't store the comments children in data.
    comment.children = null;
    div.data('comment', comment);

    var ul = $('#cl' + (comment.node || comment.parent));
    var siblings = getChildren(ul);

    var li = $(document.createElement('li'));
    li.hide();

    // Determine where in the parents children list to insert this comment.
    // (`var` keeps the loop index local instead of leaking a global `i`.)
    for (var i = 0; i < siblings.length; i++) {
      if (comp(comment, siblings[i]) <= 0) {
        $('#cd' + siblings[i].id)
          .parent()
          .before(li.html(div));
        li.slideDown('fast');
        return;
      }
    }

    // If we get here, this comment rates lower than all the others,
    // or it is the only comment in the list.
    ul.append(li.html(div));
    li.slideDown('fast');
  }

  function acceptComment(id) {
    $.ajax({
      type: 'POST',
      url: opts.acceptCommentURL,
      data: {id: id},
      success: function(data, textStatus, request) {
        $('#cm' + id).fadeOut('fast');
        $('#cd' + id).removeClass('moderate');
      },
      error: function(request, textStatus, error) {
        showError('Oops, there was a problem accepting the comment.');
      }
    });
  }

  function deleteComment(id) {
    $.ajax({
      type: 'POST',
      url: opts.deleteCommentURL,
      data: {id: id},
      success: function(data, textStatus, request) {
        var div = $('#cd' + id);
        if (data == 'delete') {
          // Moderator mode: remove the comment and all children immediately
          div.slideUp('fast', function() {
            div.remove();
          });
          return;
        }
        // User mode: only mark the comment as deleted
        div
          .find('span.user-id:first')
          .text('[deleted]').end()
          .find('div.comment-text:first')
          .text('[deleted]').end()
          .find('#cm' + id + ', #dc' + id + ', #ac' + id + ', #rc' + id +
                ', #sp' + id + ', #hp' + id + ', #cr' + id + ', #rl' + id)
          .remove();
        var comment = div.data('comment');
        comment.username = '[deleted]';
        comment.text = '[deleted]';
        div.data('comment', comment);
      },
      error: function(request, textStatus, error) {
        showError('Oops, there was a problem deleting the comment.');
      }
    });
  }

  function showProposal(id) {
    $('#sp' + id).hide();
    $('#hp' + id).show();
    $('#pr' + id).slideDown('fast');
  }

  function hideProposal(id) {
    $('#hp' + id).hide();
    $('#sp' + id).show();
    $('#pr' + id).slideUp('fast');
  }

  function showProposeChange(id) {
    $('#pc' + id).hide();
    $('#hc' + id).show();
    var textarea = $('#pt' + id);
    textarea.val(textarea.data('source'));
    $.fn.autogrow.resize(textarea[0]);
    textarea.slideDown('fast');
  }

  function hideProposeChange(id) {
    $('#hc' + id).hide();
    $('#pc' + id).show();
    var textarea = $('#pt' + id);
    textarea.val('').removeAttr('disabled');
    textarea.slideUp('fast');
  }

  function toggleCommentMarkupBox(id) {
    $('#mb' + id).toggle();
  }

  /** Handle when the user clicks on a sort by link.
*/ function handleReSort(link) { var classes = link.attr('class').split(/\s+/); for (var i=0; iThank you! Your comment will show up ' + 'once it is has been approved by a moderator.'); } // Prettify the comment rating. comment.pretty_rating = comment.rating + ' point' + (comment.rating == 1 ? '' : 's'); // Make a class (for displaying not yet moderated comments differently) comment.css_class = comment.displayed ? '' : ' moderate'; // Create a div for this comment. var context = $.extend({}, opts, comment); var div = $(renderTemplate(commentTemplate, context)); // If the user has voted on this comment, highlight the correct arrow. if (comment.vote) { var direction = (comment.vote == 1) ? 'u' : 'd'; div.find('#' + direction + 'v' + comment.id).hide(); div.find('#' + direction + 'u' + comment.id).show(); } if (opts.moderator || comment.text != '[deleted]') { div.find('a.reply').show(); if (comment.proposal_diff) div.find('#sp' + comment.id).show(); if (opts.moderator && !comment.displayed) div.find('#cm' + comment.id).show(); if (opts.moderator || (opts.username == comment.username)) div.find('#dc' + comment.id).show(); } return div; } /** * A simple template renderer. Placeholders such as <%id%> are replaced * by context['id'] with items being escaped. Placeholders such as <#id#> * are not escaped. */ function renderTemplate(template, context) { var esc = $(document.createElement('div')); function handle(ph, escape) { var cur = context; $.each(ph.split('.'), function() { cur = cur[this]; }); return escape ? esc.text(cur || "").html() : cur; } return template.replace(/<([%#])([\w\.]*)\1>/g, function() { return handle(arguments[2], arguments[1] == '%' ? true : false); }); } /** Flash an error message briefly. 
*/ function showError(message) { $(document.createElement('div')).attr({'class': 'popup-error'}) .append($(document.createElement('div')) .attr({'class': 'error-message'}).text(message)) .appendTo('body') .fadeIn("slow") .delay(2000) .fadeOut("slow"); } /** Add a link the user uses to open the comments popup. */ $.fn.comment = function() { return this.each(function() { var id = $(this).attr('id').substring(1); var count = COMMENT_METADATA[id]; var title = count + ' comment' + (count == 1 ? '' : 's'); var image = count > 0 ? opts.commentBrightImage : opts.commentImage; var addcls = count == 0 ? ' nocomment' : ''; $(this) .append( $(document.createElement('a')).attr({ href: '#', 'class': 'sphinx-comment-open' + addcls, id: 'ao' + id }) .append($(document.createElement('img')).attr({ src: image, alt: 'comment', title: title })) .click(function(event) { event.preventDefault(); show($(this).attr('id').substring(2)); }) ) .append( $(document.createElement('a')).attr({ href: '#', 'class': 'sphinx-comment-close hidden', id: 'ah' + id }) .append($(document.createElement('img')).attr({ src: opts.closeCommentImage, alt: 'close', title: 'close' })) .click(function(event) { event.preventDefault(); hide($(this).attr('id').substring(2)); }) ); }); }; var opts = { processVoteURL: '/_process_vote', addCommentURL: '/_add_comment', getCommentsURL: '/_get_comments', acceptCommentURL: '/_accept_comment', deleteCommentURL: '/_delete_comment', commentImage: '/static/_static/comment.png', closeCommentImage: '/static/_static/comment-close.png', loadingImage: '/static/_static/ajax-loader.gif', commentBrightImage: '/static/_static/comment-bright.png', upArrow: '/static/_static/up.png', downArrow: '/static/_static/down.png', upArrowPressed: '/static/_static/up-pressed.png', downArrowPressed: '/static/_static/down-pressed.png', voting: false, moderator: false }; if (typeof COMMENT_OPTIONS != "undefined") { opts = jQuery.extend(opts, COMMENT_OPTIONS); } var popupTemplate = '\
    \

    \ Sort by:\ best rated\ newest\ oldest\

    \
    Comments
    \
    \ loading comments...
    \
      \
      \

      Add a comment\ (markup):

      \
      \ reStructured text markup: *emph*, **strong**, \ ``code``, \ code blocks: :: and an indented block after blank line
      \
      \ \

      \ \ Propose a change ▹\ \ \ Propose a change ▿\ \

      \ \ \ \ \
      \
      \
      '; var commentTemplate = '\
      \
      \
      \ \ \ \ \ \ \
      \
      \ \ \ \ \ \ \
      \
      \
      \

      \ <%username%>\ <%pretty_rating%>\ <%time.delta%>\

      \
      <#text#>
      \

      \ \ reply ▿\ proposal ▹\ proposal ▿\ \ \

      \
      \
      <#proposal_diff#>\
              
      \
        \
        \
        \
        \ '; var replyTemplate = '\
      • \
        \
        \ \ \ \ \ \
        \
        \
      • ';

  $(document).ready(function() {
    init();
  });
})(jQuery);

$(document).ready(function() {
  // add comment anchors for all paragraphs that are commentable
  $('.sphinx-has-comment').comment();

  // highlight search words in search results
  $("div.context").each(function() {
    var params = $.getQueryParameters();
    var terms = (params.q) ? params.q[0].split(/\s+/) : [];
    var result = $(this);
    $.each(terms, function() {
      result.highlightText(this.toLowerCase(), 'highlighted');
    });
  });

  // directly open comment window if requested
  var anchor = document.location.hash;
  if (anchor.substring(0, 9) == '#comment-') {
    $('#ao' + anchor.substring(9)).click();
    document.location.hash = '#s' + anchor.substring(9);
  }
});
krb5-1.19.2/doc/html/_static/agogo.css
/*
 * agogo.css_t
 * ~~~~~~~~~~~
 *
 * Sphinx stylesheet -- agogo theme.
 *
 * :copyright: Copyright 2007-2018 by the Sphinx team, see AUTHORS.
 * :license: BSD, see LICENSE for details.
 *
 */

* {
  margin: 0px;
  padding: 0px;
}

body {
  font-family: "Verdana", Arial, sans-serif;
  line-height: 1.4em;
  color: black;
  background-color: #5d1509;
}


/* Page layout */

div.header, div.content, div.footer {
  width: auto;
  margin-left: auto;
  margin-right: auto;
}

div.header-wrapper {
  background: #555573 url(bgtop.png) top left repeat-x;
  border-bottom: 3px solid #2e3436;
}


/* Default body styles */
a {
  color: #881f0d;
}

div.bodywrapper a, div.footer a {
  text-decoration: underline;
}

.clearer {
  clear: both;
}

.left {
  float: left;
}

.right {
  float: right;
}

.line-block {
  display: block;
  margin-top: 1em;
  margin-bottom: 1em;
}

.line-block .line-block {
  margin-top: 0;
  margin-bottom: 0;
  margin-left: 1.5em;
}

h1, h2, h3, h4 {
  font-family: "Georgia", "Times New Roman", serif;
  font-weight: normal;
  color: #3465a4;
  margin-bottom: .8em;
}

h1 {
  color: #204a87;
}

h2 {
  padding-bottom: .5em;
  border-bottom: 1px solid #3465a4;
}

a.headerlink {
  visibility: hidden;
  color: #dddddd;
  padding-left: .3em;
}

h1:hover > a.headerlink,
h2:hover > a.headerlink,
h3:hover > a.headerlink,
h4:hover > a.headerlink,
h5:hover > a.headerlink,
h6:hover > a.headerlink,
dt:hover > a.headerlink,
caption:hover > a.headerlink,
p.caption:hover > a.headerlink,
div.code-block-caption:hover > a.headerlink {
  visibility: visible;
}

img {
  border: 0;
}

div.admonition {
  margin-top: 10px;
  margin-bottom: 10px;
  padding: 2px 7px 1px 7px;
  border-left: 0.2em solid black;
}

p.admonition-title {
  margin: 0px 10px 5px 0px;
  font-weight: bold;
}

dt:target, .highlighted {
  background-color: #fbe54e;
}

/* Header */

div.header {
  padding-top: 10px;
  padding-bottom: 10px;
}

div.header .headertitle {
  font-family: "Georgia", "Times New Roman", serif;
  font-weight: normal;
  font-size: 180%;
  letter-spacing: .08em;
  margin-bottom: .8em;
}

div.header .headertitle a {
  color: white;
}

div.header div.rel {
  margin-top: 1em;
}

div.header div.rel a {
  color: #fcaf3e;
  letter-spacing: .1em;
  text-transform: uppercase;
}

p.logo {
  float: right;
}

img.logo {
  border: 0;
}


/* Content */
div.content-wrapper {
  background-color: white;
  padding-top: 20px;
  padding-bottom: 20px;
}

div.document {
  width: 80%;
  float: left;
}

div.body {
  padding-right: 2em;
  text-align: justify;
}

div.document h1 {
  line-height: 120%;
}

div.document ul {
  margin: 1.5em;
  list-style-type: square;
}

div.document dd {
  margin-left: 1.2em;
  margin-top: .4em;
  margin-bottom: 1em;
}

div.document .section {
  margin-top: 1.7em;
}
div.document .section:first-child {
  margin-top: 0px;
}

div.document div.highlight {
  padding: 3px;
  background-color: #eeeeec;
  border-top: 2px solid #dddddd;
  border-bottom: 2px solid #dddddd;
  margin-top: .8em;
  margin-bottom: .8em;
}

div.document div.literal-block-wrapper {
  margin-top: .8em;
  margin-bottom: .8em;
}

div.document div.literal-block-wrapper div.highlight {
  margin: 0;
}

div.document div.code-block-caption span.caption-number {
  padding: 0.1em 0.3em;
  font-style: italic;
}

div.document div.code-block-caption span.caption-text {
}

div.document h2 {
  margin-top: .7em;
}

div.document p {
  margin-bottom: .5em;
}

div.document li.toctree-l1 {
  margin-bottom: 1em;
}

div.document .descname {
  font-weight: bold;
}

div.document .sig-paren {
  font-size: larger;
}

div.document .docutils.literal {
  background-color: #eeeeec;
  padding: 1px;
}

div.document .docutils.xref.literal {
  background-color: transparent;
  padding: 0px;
}

div.document blockquote {
  margin: 1em;
}

div.document ol {
  margin: 1.5em;
}


/* Sidebar */

div.sidebar {
  width: 20%;
  float: right;
  font-size: .9em;
}

div.sidebar a, div.header a {
  text-decoration: none;
}

div.sidebar a:hover, div.header a:hover {
  text-decoration: underline;
}

div.sidebar h3 {
  color: #2e3436;
  text-transform: uppercase;
  font-size: 130%;
  letter-spacing: .1em;
}

div.sidebar ul {
  list-style-type: none;
}

div.sidebar li.toctree-l1 a {
  display: block;
  padding: 1px;
  border: 1px solid #dddddd;
  background-color: #eeeeec;
  margin-bottom: .4em;
  padding-left: 3px;
  color: #2e3436;
}

div.sidebar li.toctree-l2 a {
  background-color: transparent;
  border: none;
  margin-left: 1em;
  border-bottom: 1px solid #dddddd;
}

div.sidebar li.toctree-l3 a {
  background-color: transparent;
  border: none;
  margin-left: 2em;
  border-bottom: 1px solid #dddddd;
}

div.sidebar li.toctree-l2:last-child a {
  border-bottom: none;
}

div.sidebar li.toctree-l1.current a {
  border-right: 5px solid #fcaf3e;
}

div.sidebar li.toctree-l1.current li.toctree-l2 a {
  border-right: none;
}

div.sidebar input[type="text"] {
  width: 170px;
}

div.sidebar input[type="submit"] {
  width: 30px;
}


/* Footer */

div.footer-wrapper {
  background: #5d1509;
  border-top: 4px solid #babdb6;
  padding-top: 10px;
  padding-bottom: 10px;
  min-height: 80px;
}

div.footer, div.footer a {
  color: #888a85;
}

div.footer .right {
  text-align: right;
}

div.footer .left {
  text-transform: uppercase;
}


/* Styles copied from basic theme */

img.align-left, .figure.align-left, object.align-left {
  clear: left;
  float: left;
  margin-right: 1em;
}

img.align-right, .figure.align-right, object.align-right {
  clear: right;
  float: right;
  margin-left: 1em;
}

img.align-center, .figure.align-center, object.align-center {
  display: block;
  margin-left: auto;
  margin-right: auto;
}

.align-left {
  text-align: left;
}

.align-center {
  text-align: center;
}

.align-right {
  text-align: right;
}

table caption span.caption-number {
  font-style: italic;
}

table caption span.caption-text {
}

div.figure p.caption span.caption-number {
  font-style: italic;
}

div.figure p.caption span.caption-text {
}

/* -- search page ----------------------------------------------------------- */

ul.search {
  margin: 10px 0 0 20px;
  padding: 0;
}

ul.search li {
  padding: 5px 0 5px 20px;
  background-image: url(file.png);
  background-repeat: no-repeat;
  background-position: 0 7px;
}

ul.search li a {
  font-weight: bold;
}

ul.search li div.context {
  color: #888;
  margin: 2px 0 0 30px;
  text-align: left;
}

ul.keywordmatches li.goodmatch a {
  font-weight: bold;
}

/* -- index page ------------------------------------------------------------ */

table.contentstable {
  width: 90%;
}

table.contentstable p.biglink {
  line-height: 150%;
}

a.biglink {
  font-size: 1.3em;
}

span.linkdescr {
  font-style: italic;
  padding-top: 5px;
  font-size: 90%;
}

/* -- general index --------------------------------------------------------- */

table.indextable td {
  text-align: left;
  vertical-align: top;
}

table.indextable ul {
  margin-top: 0;
  margin-bottom: 0;
  list-style-type: none;
}

table.indextable > tbody > tr > td > ul {
  padding-left: 0em;
}

table.indextable tr.pcap {
  height: 10px;
}

table.indextable tr.cap {
  margin-top: 10px;
  background-color: #f2f2f2;
}

img.toggler {
  margin-right: 3px;
  margin-top: 3px;
  cursor: pointer;
}

/* -- domain module index --------------------------------------------------- */

table.modindextable td {
  padding: 2px;
  border-collapse: collapse;
}

/* -- viewcode extension ---------------------------------------------------- */

.viewcode-link {
  float: right;
}

.viewcode-back {
  float: right;
  /* the original had a doubled colon ("font-family::"), which is a CSS
     syntax error that made browsers drop this declaration */
  font-family: "Verdana", Arial, sans-serif;
}

div.viewcode-block:target {
  margin: -1px -3px;
  padding: 0 3px;
  background-color: #f4debf;
  border-top: 1px solid #ac9;
  border-bottom: 1px solid #ac9;
}

div.code-block-caption {
  background-color: #ddd;
  color: #333;
  padding: 2px 5px;
  font-size: small;
}

/* -- math display ---------------------------------------------------------- */

div.body div.math p {
  text-align: center;
}

span.eqno {
  float: right;
}
krb5-1.19.2/doc/html/_static/comment-close.png [binary PNG data]
krb5-1.19.2/doc/html/_static/down-pressed.png [binary PNG data]
krb5-1.19.2/doc/html/_static/up.png [binary PNG data]
krb5-1.19.2/doc/html/_static/basic.css
/*
 * basic.css
 * ~~~~~~~~~
 *
 * Sphinx stylesheet -- basic theme.
 *
 * :copyright: Copyright 2007-2018 by the Sphinx team, see AUTHORS.
 * :license: BSD, see LICENSE for details.
 *
 */

/* -- main layout ----------------------------------------------------------- */

div.clearer {
  clear: both;
}

/* -- relbar ---------------------------------------------------------------- */

div.related {
  width: 100%;
  font-size: 90%;
}

div.related h3 {
  display: none;
}

div.related ul {
  margin: 0;
  padding: 0 0 0 10px;
  list-style: none;
}

div.related li {
  display: inline;
}

div.related li.right {
  float: right;
  margin-right: 5px;
}

/* -- sidebar --------------------------------------------------------------- */

div.sphinxsidebarwrapper {
  padding: 10px 5px 0 10px;
}

div.sphinxsidebar {
  float: left;
  width: 0px;
  margin-left: -100%;
  font-size: 90%;
  word-wrap: break-word;
  overflow-wrap: break-word;
}

div.sphinxsidebar ul {
  list-style: none;
}

div.sphinxsidebar ul ul,
div.sphinxsidebar ul.want-points {
  margin-left: 20px;
  list-style: square;
}

div.sphinxsidebar ul ul {
  margin-top: 0;
  margin-bottom: 0;
}

div.sphinxsidebar form {
  margin-top: 10px;
}

div.sphinxsidebar input {
  border: 1px solid #98dbcc;
  font-family: sans-serif;
  font-size: 1em;
}

div.sphinxsidebar #searchbox input[type="text"] {
  width: 170px;
}

img {
  border: 0;
  max-width: 100%;
}

/* -- search page ----------------------------------------------------------- */

ul.search {
  margin: 10px 0 0 20px;
  padding: 0;
}

ul.search li {
  padding: 5px 0 5px 20px;
  background-image: url(file.png);
  background-repeat: no-repeat;
  background-position: 0 7px;
}

ul.search li a {
  font-weight: bold;
}

ul.search li div.context {
  color: #888;
  margin: 2px 0 0 30px;
  text-align: left;
}

ul.keywordmatches li.goodmatch a {
  font-weight: bold;
}

/* -- index page ------------------------------------------------------------ */

table.contentstable {
  width: 90%;
  margin-left: auto;
  margin-right: auto;
}

table.contentstable p.biglink {
  line-height: 150%;
}

a.biglink {
  font-size: 1.3em;
}

span.linkdescr {
  font-style: italic;
  padding-top: 5px;
  font-size: 90%;
}

/* -- general index --------------------------------------------------------- */

table.indextable {
  width: 100%;
}

table.indextable td {
  text-align: left;
  vertical-align: top;
}

table.indextable ul {
  margin-top: 0;
  margin-bottom: 0;
  list-style-type: none;
}

table.indextable > tbody > tr > td > ul {
  padding-left: 0em;
}

table.indextable tr.pcap {
  height: 10px;
}

table.indextable tr.cap {
  margin-top: 10px;
  background-color: #f2f2f2;
}

img.toggler {
  margin-right: 3px;
  margin-top: 3px;
  cursor: pointer;
}

div.modindex-jumpbox {
  border-top: 1px solid #ddd;
  border-bottom: 1px solid #ddd;
  margin: 1em 0 1em 0;
  padding: 0.4em;
}

div.genindex-jumpbox {
  border-top: 1px solid #ddd;
  border-bottom: 1px solid #ddd;
  margin: 1em 0 1em 0;
  padding: 0.4em;
}

/* -- domain module index --------------------------------------------------- */

table.modindextable td {
  padding: 2px;
  border-collapse: collapse;
}

/* -- general body styles --------------------------------------------------- */

div.body p, div.body dd, div.body li, div.body blockquote {
  -moz-hyphens: auto;
  -ms-hyphens: auto;
  -webkit-hyphens: auto;
  hyphens: auto;
}

a.headerlink {
  visibility: hidden;
}

h1:hover > a.headerlink,
h2:hover > a.headerlink,
h3:hover > a.headerlink,
h4:hover > a.headerlink,
h5:hover > a.headerlink,
h6:hover > a.headerlink,
dt:hover > a.headerlink,
caption:hover > a.headerlink,
p.caption:hover > a.headerlink,
div.code-block-caption:hover > a.headerlink {
  visibility: visible;
}

div.body p.caption {
  text-align: inherit;
}

div.body td {
  text-align: left;
}

.first {
  margin-top: 0 !important;
}

p.rubric {
  margin-top: 30px;
  font-weight: bold;
}

img.align-left, .figure.align-left, object.align-left {
  clear: left;
  float: left;
  margin-right: 1em;
}

img.align-right, .figure.align-right, object.align-right {
  clear: right;
  float: right;
  margin-left: 1em;
}

img.align-center, .figure.align-center, object.align-center {
  display: block;
  margin-left: auto;
  margin-right: auto;
}

.align-left {
  text-align: left;
}

.align-center {
  text-align: center;
}

.align-right {
  text-align: right;
}

/* -- sidebars -------------------------------------------------------------- */

div.sidebar {
  margin: 0 0 0.5em 1em;
  border: 1px solid #ddb;
  padding: 7px 7px 0 7px;
  background-color: #ffe;
  width: 40%;
  float: right;
}

p.sidebar-title {
  font-weight: bold;
}

/* -- topics ---------------------------------------------------------------- */

div.topic {
  border: 1px solid #ccc;
  padding: 7px 7px 0 7px;
  margin: 10px 0 10px 0;
}

p.topic-title {
  font-size: 1.1em;
  font-weight: bold;
  margin-top: 10px;
}

/* -- admonitions ----------------------------------------------------------- */

div.admonition {
  margin-top: 10px;
  margin-bottom: 10px;
  padding: 7px;
}

div.admonition dt {
  font-weight: bold;
}

div.admonition dl {
  margin-bottom: 0;
}

p.admonition-title {
  margin: 0px 10px 5px 0px;
  font-weight: bold;
}

div.body p.centered {
  text-align: center;
  margin-top: 25px;
}

/* -- tables ---------------------------------------------------------------- */

table.docutils {
  border: 0;
  border-collapse: collapse;
}

table.align-center {
  margin-left: auto;
  margin-right: auto;
}

table caption span.caption-number {
  font-style: italic;
}

table caption span.caption-text {
}

table.docutils td, table.docutils th {
  padding: 1px 8px 1px 5px;
  border-top: 0;
  border-left: 0;
  border-right: 0;
  border-bottom: 1px solid #aaa;
}

table.footnote td, table.footnote th {
  border: 0 !important;
}

th {
  text-align: left;
  padding-right: 5px;
}

table.citation {
  border-left: solid 1px gray;
  margin-left: 1px;
}

table.citation td {
  border-bottom: none;
}

/* -- figures --------------------------------------------------------------- */

div.figure {
  margin: 0.5em;
  padding: 0.5em;
}

div.figure p.caption {
  padding: 0.3em;
}

div.figure p.caption span.caption-number {
  font-style: italic;
}

div.figure p.caption span.caption-text {
}

/* -- field list styles ----------------------------------------------------- */

table.field-list td, table.field-list th {
  border: 0 !important;
}

.field-list ul {
  margin: 0;
  padding-left: 1em;
}

.field-list p {
  margin: 0;
}

.field-name {
  -moz-hyphens: manual;
  -ms-hyphens: manual;
  -webkit-hyphens: manual;
  hyphens: manual;
}

/* -- other body styles ----------------------------------------------------- */

ol.arabic {
  list-style: decimal;
}

ol.loweralpha {
  list-style: lower-alpha;
}

ol.upperalpha {
  list-style: upper-alpha;
}

ol.lowerroman {
  list-style: lower-roman;
}

ol.upperroman {
  list-style: upper-roman;
}

dl {
  margin-bottom: 15px;
}

dd p {
  margin-top: 0px;
}

dd ul, dd table {
  margin-bottom: 10px;
}

dd {
  margin-top: 3px;
  margin-bottom: 10px;
  margin-left: 30px;
}

dt:target, span.highlighted {
  background-color: #fbe54e;
}

rect.highlighted {
  fill: #fbe54e;
}

dl.glossary dt {
  font-weight: bold;
  font-size: 1.1em;
}

.optional {
  font-size: 1.3em;
}

.sig-paren {
  font-size: larger;
}

.versionmodified {
  font-style: italic;
}

.system-message {
  background-color: #fda;
  padding: 5px;
  border: 3px solid red;
}

.footnote:target {
  background-color: #ffa;
}

.line-block {
  display: block;
  margin-top: 1em;
  margin-bottom: 1em;
}

.line-block .line-block {
  margin-top: 0;
  margin-bottom: 0;
  margin-left: 1.5em;
}

.guilabel, .menuselection {
  font-family: sans-serif;
}

.accelerator {
  text-decoration: underline;
}

.classifier {
  font-style: oblique;
}

abbr, acronym {
  border-bottom: dotted 1px;
  cursor: help;
}

/* -- code displays --------------------------------------------------------- */

pre {
  overflow: auto;
  overflow-y: hidden;  /* fixes display issues on Chrome browsers */
}

span.pre {
  -moz-hyphens: none;
  -ms-hyphens: none;
  -webkit-hyphens: none;
  hyphens: none;
}

td.linenos pre {
  padding: 5px 0px;
  border: 0;
  background-color: transparent;
  color: #aaa;
}

table.highlighttable {
  margin-left: 0.5em;
}

table.highlighttable td {
  padding: 0 0.5em 0 0.5em;
}

div.code-block-caption {
  padding: 2px 5px;
  font-size: small;
}

div.code-block-caption code {
  background-color: transparent;
}

div.code-block-caption + div > div.highlight > pre {
  margin-top: 0;
}

div.code-block-caption span.caption-number {
  padding: 0.1em 0.3em;
  font-style: italic;
}

div.code-block-caption span.caption-text {
}

div.literal-block-wrapper {
  padding: 1em 1em 0;
}

div.literal-block-wrapper div.highlight {
  margin: 0;
}

code.descname {
  background-color: transparent;
  font-weight: bold;
  font-size: 1.2em;
}

code.descclassname {
  background-color: transparent;
}

code.xref, a code {
  background-color: transparent;
  font-weight: bold;
}

h1 code, h2 code, h3 code, h4 code, h5 code, h6 code {
  background-color: transparent;
}

.viewcode-link {
  float: right;
}

.viewcode-back {
  float: right;
  font-family: sans-serif;
}

div.viewcode-block:target {
  margin: -1px -10px;
  padding: 0 10px;
}

/* -- math display ---------------------------------------------------------- */

img.math {
  vertical-align: middle;
}

div.body div.math p {
  text-align: center;
}

span.eqno {
  float: right;
}

span.eqno a.headerlink {
  position: relative;
  left: 0px;
  z-index: 1;
}

div.math:hover a.headerlink {
  visibility: visible;
}

/* -- printout stylesheet --------------------------------------------------- */

@media print {
  div.document,
  div.documentwrapper,
  div.bodywrapper {
    margin: 0 !important;
    width: 100%;
  }

  div.sphinxsidebar,
  div.related,
  div.footer,
  #top-link {
    display: none;
  }
}
krb5-1.19.2/doc/html/_static/file.png [binary PNG data]
krb5-1.19.2/doc/html/_static/comment.png [binary PNG data]
krb5-1.19.2/doc/html/_static/searchtools.js
/*
 * searchtools.js_t
 * ~~~~~~~~~~~~~~~~
 *
 * Sphinx JavaScript utilities for the full-text search.
 *
 * :copyright: Copyright 2007-2018 by the Sphinx team, see AUTHORS.
 * :license: BSD, see LICENSE for details.
 *
 */

/* Non-minified version JS is _stemmer.js if file is provided */
/**
 * Porter Stemmer
 */
var Stemmer = function() {

  var step2list = {
    ational: 'ate',
    tional: 'tion',
    enci: 'ence',
    anci: 'ance',
    izer: 'ize',
    bli: 'ble',
    alli: 'al',
    entli: 'ent',
    eli: 'e',
    ousli: 'ous',
    ization: 'ize',
    ation: 'ate',
    ator: 'ate',
    alism: 'al',
    iveness: 'ive',
    fulness: 'ful',
    ousness: 'ous',
    aliti: 'al',
    iviti: 'ive',
    biliti: 'ble',
    logi: 'log'
  };

  var step3list = {
    icate: 'ic',
    ative: '',
    alize: 'al',
    iciti: 'ic',
    ical: 'ic',
    ful: '',
    ness: ''
  };

  var c = "[^aeiou]";          // consonant
  var v = "[aeiouy]";          // vowel
  var C = c + "[^aeiouy]*";    // consonant sequence
  var V = v + "[aeiou]*";      // vowel sequence

  var mgr0 = "^(" + C + ")?" + V + C;                      // [C]VC... is m>0
  var meq1 = "^(" + C + ")?" + V + C + "(" + V + ")?$";    // [C]VC[V] is m=1
  var mgr1 = "^(" + C + ")?" + V + C + V + C;              // [C]VCVC... is m>1
  var s_v = "^(" + C + ")?"
    + v;                                                   // vowel in stem

  this.stemWord = function (w) {
    var stem;
    var suffix;
    var firstch;
    var origword = w;

    if (w.length < 3)
      return w;

    var re;
    var re2;
    var re3;
    var re4;

    firstch = w.substr(0,1);
    if (firstch == "y")
      w = firstch.toUpperCase() + w.substr(1);

    // Step 1a
    re = /^(.+?)(ss|i)es$/;
    re2 = /^(.+?)([^s])s$/;

    if (re.test(w))
      w = w.replace(re,"$1$2");
    else if (re2.test(w))
      w = w.replace(re2,"$1$2");

    // Step 1b
    re = /^(.+?)eed$/;
    re2 = /^(.+?)(ed|ing)$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      re = new RegExp(mgr0);
      if (re.test(fp[1])) {
        re = /.$/;
        w = w.replace(re,"");
      }
    }
    else if (re2.test(w)) {
      var fp = re2.exec(w);
      stem = fp[1];
      re2 = new RegExp(s_v);
      if (re2.test(stem)) {
        w = stem;
        re2 = /(at|bl|iz)$/;
        re3 = new RegExp("([^aeiouylsz])\\1$");
        re4 = new RegExp("^" + C + v + "[^aeiouwxy]$");
        if (re2.test(w))
          w = w + "e";
        else if (re3.test(w)) {
          re = /.$/;
          w = w.replace(re,"");
        }
        else if (re4.test(w))
          w = w + "e";
      }
    }

    // Step 1c
    re = /^(.+?)y$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      stem = fp[1];
      re = new RegExp(s_v);
      if (re.test(stem))
        w = stem + "i";
    }

    // Step 2
    re = /^(.+?)(ational|tional|enci|anci|izer|bli|alli|entli|eli|ousli|ization|ation|ator|alism|iveness|fulness|ousness|aliti|iviti|biliti|logi)$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      stem = fp[1];
      suffix = fp[2];
      re = new RegExp(mgr0);
      if (re.test(stem))
        w = stem + step2list[suffix];
    }

    // Step 3
    re = /^(.+?)(icate|ative|alize|iciti|ical|ful|ness)$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      stem = fp[1];
      suffix = fp[2];
      re = new RegExp(mgr0);
      if (re.test(stem))
        w = stem + step3list[suffix];
    }

    // Step 4
    re = /^(.+?)(al|ance|ence|er|ic|able|ible|ant|ement|ment|ent|ou|ism|ate|iti|ous|ive|ize)$/;
    re2 = /^(.+?)(s|t)(ion)$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      stem = fp[1];
      re = new RegExp(mgr1);
      if (re.test(stem))
        w = stem;
    }
    else if (re2.test(w)) {
      var fp = re2.exec(w);
      stem = fp[1] + fp[2];
      re2 = new RegExp(mgr1);
      if (re2.test(stem))
        w = stem;
    }

    // Step 5
    re = /^(.+?)e$/;
    if (re.test(w)) {
      var fp = re.exec(w);
      stem = fp[1];
      re = new RegExp(mgr1);
      re2 = new RegExp(meq1);
      re3 = new RegExp("^" + C + v + "[^aeiouwxy]$");
      if (re.test(stem) || (re2.test(stem) && !(re3.test(stem))))
        w = stem;
    }
    re = /ll$/;
    re2 = new RegExp(mgr1);
    if (re.test(w) && re2.test(w)) {
      re = /.$/;
      w = w.replace(re,"");
    }

    // and turn initial Y back to y
    if (firstch == "y")
      w = firstch.toLowerCase() + w.substr(1);
    return w;
  }
}



/**
 * Simple result scoring code.
 */
var Scorer = {
  // Implement the following function to further tweak the score for each result
  // The function takes a result array [filename, title, anchor, descr, score]
  // and returns the new score.
  /*
  score: function(result) {
    return result[4];
  },
  */

  // query matches the full name of an object
  objNameMatch: 11,
  // or matches in the last dotted part of the object name
  objPartialMatch: 6,
  // Additive scores depending on the priority of the object
  objPrio: {0:  15,   // used to be importantResults
            1:  5,   // used to be objectResults
            2: -5},  // used to be unimportantResults
  //  Used when the priority is not in the mapping.
  objPrioDefault: 0,

  // query found in title
  title: 15,
  // query found in terms
  term: 5
};


var splitChars = (function() {
    var result = {};
    var singles = [96, 180, 187, 191, 215, 247, 749, 885, 903, 907, 909, 930, 1014, 1648,
         1748, 1809, 2416, 2473, 2481, 2526, 2601, 2609, 2612, 2615, 2653, 2702,
         2706, 2729, 2737, 2740, 2857, 2865, 2868, 2910, 2928, 2948, 2961, 2971,
         2973, 3085, 3089, 3113, 3124, 3213, 3217, 3241, 3252, 3295, 3341, 3345,
         3369, 3506, 3516, 3633, 3715, 3721, 3736, 3744, 3748, 3750, 3756, 3761,
         3781, 3912, 4239, 4347, 4681, 4695, 4697, 4745, 4785, 4799, 4801, 4823,
         4881, 5760, 5901, 5997, 6313, 7405, 8024, 8026, 8028, 8030, 8117, 8125,
         8133, 8181, 8468, 8485, 8487, 8489, 8494, 8527, 11311, 11359, 11687, 11695,
         11703, 11711, 11719, 11727, 11735, 12448, 12539, 43010, 43014, 43019, 43587,
         43696, 43713, 64286, 64297, 64311, 64317, 64319, 64322, 64325, 65141];
    var i, j, start, end;
    for (i = 0; i < singles.length; i++) {
        result[singles[i]] = true;
    }
    var ranges = [[0, 47], [58, 64], [91, 94], [123, 169], [171, 177], [182, 184], [706, 709],
         [722, 735], [741, 747], [751, 879], [888, 889], [894, 901], [1154, 1161],
         [1318, 1328], [1367, 1368], [1370, 1376], [1416, 1487], [1515, 1519], [1523, 1568],
         [1611, 1631], [1642, 1645], [1750, 1764], [1767, 1773], [1789, 1790], [1792, 1807],
         [1840, 1868], [1958, 1968], [1970, 1983], [2027, 2035], [2038, 2041], [2043, 2047],
         [2070, 2073], [2075, 2083], [2085, 2087], [2089, 2307], [2362, 2364], [2366, 2383],
         [2385, 2391], [2402, 2405], [2419, 2424], [2432, 2436], [2445, 2446], [2449, 2450],
         [2483, 2485], [2490, 2492], [2494, 2509], [2511, 2523], [2530, 2533], [2546, 2547],
         [2554, 2564], [2571, 2574], [2577, 2578], [2618, 2648], [2655, 2661], [2672, 2673],
         [2677, 2692], [2746, 2748], [2750, 2767], [2769, 2783], [2786, 2789], [2800, 2820],
         [2829, 2830], [2833, 2834], [2874, 2876], [2878, 2907], [2914, 2917], [2930, 2946],
         [2955, 2957], [2966, 2968], [2976, 2978], [2981, 2983], [2987, 2989], [3002, 3023],
         [3025, 3045], [3059, 3076], [3130, 3132], [3134, 3159], [3162, 3167], [3170, 3173],
         [3184, 3191], [3199, 3204], [3258, 3260], [3262, 3293], [3298, 3301], [3312, 3332],
         [3386, 3388], [3390, 3423], [3426, 3429], [3446, 3449], [3456, 3460], [3479, 3481],
         [3518, 3519], [3527, 3584], [3636, 3647], [3655, 3663], [3674, 3712], [3717, 3718],
         [3723, 3724], [3726, 3731], [3752, 3753], [3764, 3772], [3774, 3775], [3783, 3791],
         [3802, 3803], [3806, 3839], [3841, 3871], [3892, 3903], [3949, 3975], [3980, 4095],
         [4139, 4158], [4170, 4175], [4182, 4185], [4190, 4192], [4194, 4196], [4199, 4205],
         [4209, 4212], [4226, 4237], [4250, 4255], [4294, 4303], [4349, 4351], [4686, 4687],
         [4702, 4703], [4750, 4751], [4790, 4791], [4806, 4807], [4886, 4887], [4955, 4968],
         [4989, 4991], [5008, 5023], [5109, 5120], [5741, 5742], [5787, 5791], [5867, 5869],
         [5873, 5887], [5906, 5919], [5938, 5951], [5970, 5983], [6001, 6015], [6068, 6102],
         [6104, 6107], [6109, 6111], [6122, 6127], [6138, 6159], [6170, 6175], [6264, 6271],
         [6315, 6319], [6390, 6399], [6429, 6469], [6510, 6511], [6517, 6527], [6572, 6592],
         [6600, 6607], [6619, 6655], [6679, 6687], [6741, 6783], [6794, 6799], [6810, 6822],
         [6824, 6916], [6964, 6980], [6988, 6991], [7002, 7042], [7073, 7085], [7098, 7167],
         [7204, 7231], [7242, 7244], [7294, 7400], [7410, 7423], [7616, 7679], [7958, 7959],
         [7966, 7967], [8006, 8007], [8014, 8015], [8062, 8063], [8127, 8129], [8141, 8143],
         [8148, 8149], [8156, 8159], [8173, 8177], [8189, 8303], [8306, 8307], [8314, 8318],
         [8330, 8335], [8341, 8449], [8451, 8454], [8456, 8457], [8470, 8472], [8478, 8483],
         [8506, 8507], [8512, 8516], [8522, 8525], [8586, 9311], [9372, 9449], [9472, 10101],
         [10132, 11263], [11493, 11498], [11503, 11516], [11518, 11519], [11558, 11567],
         [11622, 11630], [11632, 11647], [11671, 11679], [11743, 11822], [11824, 12292],
         [12296, 12320], [12330, 12336], [12342, 12343], [12349, 12352], [12439, 12444],
         [12544, 12548], [12590, 12592], [12687, 12689], [12694, 12703], [12728, 12783],
         [12800, 12831], [12842, 12880], [12896, 12927], [12938, 12976], [12992, 13311],
         [19894, 19967], [40908, 40959], [42125, 42191], [42238, 42239], [42509, 42511],
         [42540, 42559], [42592, 42593], [42607, 42622], [42648, 42655], [42736, 42774],
         [42784, 42785], [42889, 42890], [42893, 43002], [43043, 43055], [43062, 43071],
         [43124, 43137], [43188, 43215], [43226, 43249], [43256, 43258], [43260, 43263],
         [43302, 43311], [43335, 43359], [43389, 43395], [43443, 43470], [43482, 43519],
         [43561, 43583], [43596, 43599], [43610, 43615], [43639, 43641], [43643, 43647],
         [43698, 43700], [43703, 43704], [43710, 43711], [43715, 43738], [43742, 43967],
         [44003, 44015], [44026, 44031], [55204, 55215], [55239, 55242], [55292, 55295],
         [57344, 63743], [64046, 64047], [64110, 64111], [64218, 64255], [64263, 64274],
         [64280, 64284], [64434, 64466], [64830, 64847], [64912, 64913], [64968, 65007],
         [65020, 65135], [65277, 65295], [65306, 65312], [65339, 65344], [65371, 65381],
         [65471, 65473], [65480, 65481], [65488, 65489], [65496, 65497]];
    for (i = 0; i < ranges.length; i++) {
        start = ranges[i][0];
        end = ranges[i][1];
        for (j = start; j <= end; j++) {
            result[j] = true;
        }
    }
    return result;
})();

function splitQuery(query) {
    var result = [];
    var start = -1;
    for (var i = 0; i < query.length; i++) {
        if (splitChars[query.charCodeAt(i)]) {
            if (start !== -1) {
                result.push(query.slice(start, i));
                start = -1;
            }
        } else if (start === -1) {
            start = i;
        }
    }
    if (start !== -1) {
        result.push(query.slice(start));
    }
    return result;
}




/**
 * Search Module
 */
var Search = {

  _index : null,
  _queued_query : null,
  _pulse_status : -1,

  init : function() {
      var params = $.getQueryParameters();
      if (params.q) {
          var query = params.q[0];
          $('input[name="q"]')[0].value = query;
          this.performSearch(query);
      }
  },

  loadIndex : function(url) {
    $.ajax({type: "GET", url: url, data: null,
            dataType: "script", cache: true,
            complete: function(jqxhr, textstatus) {
              if (textstatus != "success") {
                document.getElementById("searchindexloader").src = url;
              }
            }});
  },

  setIndex : function(index) {
    var q;
    this._index = index;
    if ((q = this._queued_query) !== null) {
      this._queued_query = null;
      Search.query(q);
    }
  },

  hasIndex : function() {
      return this._index !== null;
  },

  deferQuery : function(query) {
      this._queued_query = query;
  },

  stopPulse : function() {
      this._pulse_status = 0;
  },

  startPulse : function() {
    if (this._pulse_status >= 0)
        return;
    function pulse() {
      var i;
      Search._pulse_status = (Search._pulse_status + 1) % 4;
      var dotString = '';
      for (i = 0; i < Search._pulse_status; i++)
        dotString += '.';
      Search.dots.text(dotString);
      if (Search._pulse_status > -1)
        window.setTimeout(pulse, 500);
    }
    pulse();
  },

  /**
   * perform a search for something (or wait until index is loaded)
   */
  performSearch : function(query) {
    // create the required interface elements
    this.out = $('#search-results');
    this.title = $('

        ' + _('Searching') + '

        ').appendTo(this.out); this.dots = $('').appendTo(this.title); this.status = $('

        ').appendTo(this.out); this.output = $('