⇒ ksend(3) — BSD/386 1.0




KRB_SENDAUTH(3)                                   KRB_SENDAUTH(3)


NAME
       krb_sendauth,  krb_recvauth, krb_net_write, krb_net_read -
       Kerberos routines for sending authentication  via  network
       stream sockets

SYNOPSIS
       #include <kerberosIV/krb.h>
       #include <kerberosIV/des.h>
       #include <netinet/in.h>


       int krb_sendauth(options, fd, ktext, service, inst, realm,
                 checksum,  msg_data,  cred,  schedule,   laddr,
                 faddr, version)
       long options;
       int fd;
       KTEXT ktext;
       char *service, *inst, *realm;
       u_long checksum;
       MSG_DAT *msg_data;
       CREDENTIALS *cred;
       Key_schedule schedule;
       struct sockaddr_in *laddr, *faddr;
       char *version;


       int krb_recvauth(options, fd, ktext, service, inst, faddr,
                 laddr, auth_data, filename, schedule, version)
       long options;
       int fd;
       KTEXT ktext;
       char *service, *inst;
       struct sockaddr_in *faddr, *laddr;
       AUTH_DAT *auth_data;
       char *filename;
       Key_schedule schedule;
       char *version;

       int krb_net_write(fd, buf, len)
       int fd;
       char *buf;
       int len;

       int krb_net_read(fd, buf, len)
       int fd;
       char *buf;
       int len;

DESCRIPTION
       These functions, which are built on top of the  core  Ker-
       beros  library,  provide a convenient means for client and
       server programs to send  authentication  messages  to  one
       another  through  network  connections.   The krb_sendauth
       function sends an authenticated  ticket  from  the  client
       program  to  the server program by writing the ticket to a
       network socket.  The krb_recvauth  function  receives  the
       ticket from the client by reading from a network socket.


KRB_SENDAUTH
       This  function  writes  the  ticket  to the network socket
       specified by the file descriptor fd, returning KSUCCESS if
       the  write  proceeds successfully, and an error code if it
       does not.

       The ktext argument should point to an  allocated  KTEXT_ST
       structure.  The service, inst, and realm arguments specify
       the server program's Kerberos  principal  name,  instance,
       and  realm.   If  you  are  writing a client that uses the
       local realm exclusively, you can set the realm argument to
       NULL.

       The  version argument allows the client program to pass an
       application-specific version string that the  server  pro-
       gram  can  then match against its own version string.  The
       version string can be up to  KSEND_VNO_LEN  (see  <krb.h>)
       characters in length.

       The  checksum argument can be used to pass checksum infor-
       mation to the  server  program.   The  client  program  is
       responsible  for specifying this information.  This check-
       sum  information   is   difficult   to   corrupt   because
       krb_sendauth passes it over the network in encrypted form.
       The checksum argument is passed as the  checksum  argument
       to krb_mk_req.

       You  can set krb_sendauth's other arguments to NULL unless
       you want  the  client  and  server  programs  to  mutually
       authenticate  themselves.  In the case of mutual authenti-
       cation, the client authenticates itself to the server pro-
       gram,  and  demands  that  the server in turn authenticate
       itself to the client.


KRB_SENDAUTH AND MUTUAL AUTHENTICATION
       If you want mutual authentication, make sure that you read
       all  pending  data  from  the  local socket before calling
       krb_sendauth.   Set  krb_sendauth's  options  argument  to
       KOPT_DO_MUTUAL  (this macro is defined in the krb.h file);
       make sure that the laddr argument points to the address of
       the  local  socket,  and  that faddr points to the foreign
       socket's network address.

       Krb_sendauth fills  in  the  other  arguments--msg_data,
       cred,  and  schedule--before  sending  the  ticket  to the
       server program.  You must,  however,  allocate  space  for
       these arguments before calling the function.






       Krb_sendauth supports two other options: KOPT_DONT_MK_REQ,
       and  KOPT_DONT_CANON.   If  called  with  options  set  as
       KOPT_DONT_MK_REQ, krb_sendauth will not use the krb_mk_req
       function to retrieve the ticket from the Kerberos  server.
       The  ktext  argument  must point to an existing ticket and
       authenticator (such as would be  created  by  krb_mk_req),
       and  the  service, inst, and realm arguments can be set to
       NULL.

       If   called   with   options   set   as   KOPT_DONT_CANON,
       krb_sendauth  will  not  convert the service's instance to
       canonical form using krb_get_phost(3).

       If you want to call krb_sendauth with a  multiple  options
       specification,  construct  options  as a bitwise-OR of the
       options you want to specify.


KRB_RECVAUTH
       The krb_recvauth  function  reads  a  ticket/authenticator
       pair  from  the socket pointed to by the fd argument.  Set
       the options  argument  as  a  bitwise-OR  of  the  options
       desired.   Currently  only KOPT_DO_MUTUAL is useful to the
       receiver.

       The ktext argument should point to an  allocated  KTEXT_ST
       structure.    Krb_recvauth    fills    ktext   with   the
       ticket/authenticator pair read from fd, then passes it  to
       krb_rd_req.

       The  service  and inst arguments specify the expected ser-
       vice and instance for  which  the  ticket  was  generated.
       They are also passed to krb_rd_req.  The inst argument may
       be set to "*" if the caller wishes krb_mk_req to  fill  in
       the  instance  used  (note that there must be space in the
       inst  argument  to  hold  a  full   instance   name,   see
       krb_mk_req(3)).

       The faddr argument should point to the address of the peer
       which is presenting the ticket.   It  is  also  passed  to
       krb_rd_req.

       If the client and server plan to mutually authenticate one
       another, the laddr argument  should  point  to  the  local
       address  of  the  file  descriptor.  Otherwise you can set
       this argument to NULL.

       The  auth_data  argument  should  point  to  an  allocated
       AUTH_DAT   area.   It  is  passed  to  and  filled  in  by
       krb_rd_req.  The  checksum  passed  to  the  corresponding
       krb_sendauth  is  available  as  part  of  the  filled-in
       AUTH_DAT area.

       The filename argument specifies  the  filename  which  the
       service  program  should  use  to  obtain its service key.
       Krb_recvauth passes filename to the  krb_rd_req  function.
       If  you  set this argument to "", krb_rd_req looks for the
       service key in the file /etc/kerberosIV/srvtab.

       If the client and server are performing mutual authentica-
       tion,  the  schedule argument should point to an allocated
       Key_schedule.  Otherwise it is ignored and may be NULL.

       The version argument should point to a character array  of
       at  least  KSEND_VNO_LEN characters.  It is filled in with
       the version string passed by the client to krb_sendauth.


KRB_NET_WRITE AND KRB_NET_READ
       The krb_net_write function emulates  the  write(2)  system
       call, but guarantees that all data specified is written to
       fd before returning, unless an error condition occurs.

       The krb_net_read  function  emulates  the  read(2)  system
       call,  but guarantees that the requested amount of data is
       read from fd before returning, unless an  error  condition
       occurs.


BUGS
       krb_sendauth,    krb_recvauth,    krb_net_write,     and
       krb_net_read will not work properly on sockets set to non-
       blocking I/O mode.
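
       The full-transfer behaviour described under KRB_NET_WRITE AND KRB_NET_READ, and the non-blocking failure noted under BUGS, shown as an added example. This is not the Kerberos library's source: net_read_all, net_write_all and demo are hypothetical names, the EINTR retry is an assumption of this sketch, and the pipe traffic is constructed.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: returns len, a short count at EOF, or -1 on error. */
int net_read_all(int fd, char *buf, int len) {
    int got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, (size_t)(len - got));
        if (n < 0) { if (errno == EINTR) continue; return -1; } /* EAGAIN lands here */
        if (n == 0) break;                       /* peer closed the connection */
        got += (int)n;
    }
    return got;
}

/* Hypothetical helper: returns len, or -1 on error. */
int net_write_all(int fd, const char *buf, int len) {
    int sent = 0;
    while (sent < len) {
        ssize_t n = write(fd, buf + sent, (size_t)(len - sent));
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        sent += (int)n;
    }
    return sent;
}

/* Constructed demo: 10 bytes arrive in two bursts; returns bytes read or -errno. */
int demo(int nonblock) {
    int p[2], r = -1;
    char buf[10];
    pid_t pid = 0;
    if (pipe(p) < 0) return -errno;
    net_write_all(p[1], "AUTH", 4);              /* first burst already queued */
    if (nonblock) fcntl(p[0], F_SETFL, O_NONBLOCK);
    else if ((pid = fork()) == 0) {              /* child sends the rest later */
        sleep(1);
        _exit(net_write_all(p[1], "TICKET", 6) != 6);
    }
    if (pid < 0 || (r = net_read_all(p[0], buf, 10)) < 0) r = -errno;
    if (pid > 0) waitpid(pid, NULL, 0);
    close(p[0]); close(p[1]);
    return r;
}

int main(void) {
    return printf("blocking: %d  non-blocking: %d\n", demo(0), demo(1)) < 0;
}
```

       On a blocking descriptor the loop waits for the second burst and returns all 10 bytes. With O_NONBLOCK set it fails with EAGAIN after the first 4 bytes have already been consumed, so the caller cannot resume the message.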


SEE ALSO
       krb_mk_req(3), krb_rd_req(3), krb_get_phost(3)


AUTHOR
       John T. Kohl, MIT Project Athena

RESTRICTIONS
       Copyright  1988,  Massachusetts Institute of Technology.
       For copying and distribution information, please  see  the
       file <mit-copyright.h>.















MIT Project Athena     Kerberos Version 4.0                     4

