krb5_verify_init_creds (3) - Linux Man Pages

NAME

krb5_verify_init_creds_opt_init, krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds - verifies a credential cache is correct by using a local keytab

LIBRARY

Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

#include <krb5.h>

struct krb5_verify_init_creds_opt;

void
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);

void
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, int ap_req_nofail);

krb5_error_code
krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_ccache *ccache, krb5_verify_init_creds_opt *options);

DESCRIPTION

The krb5_verify_init_creds() function verifies the initial tickets against the local keytab to make sure the response of the KDC was not spoofed.

krb5_verify_init_creds() will use the principal ap_req_server from the local keytab. If NULL is passed in, the code will guess the local hostname and use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME. creds is the credential that krb5_verify_init_creds() should verify. If ccache is given, krb5_verify_init_creds() stores all credentials it fetched from the KDC there; otherwise it will use a memory credential cache that is destroyed when done.

krb5_verify_init_creds_opt_init() clears the structure. It must be called before the structure is passed to krb5_verify_init_creds().

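krb5_verify_init_creds_opt_set_ap_req_nofail() controls the behavior if ap_req_server doesn't exist in the local keytab or in the KDC's database; if it's true, the error will be ignored. Note that this use is possibly insecure: when the error is ignored, the credentials are accepted without having been checked against a key in the local keytab, so a spoofed KDC response would go undetected.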

SEE ALSO

krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)