krb5_verify_init_creds (3) - Linux Manuals


krb5_verify_init_creds_opt_init, krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_creds - verifies a credential cache is correct by using a local keytab


Kerberos 5 Library (libkrb5, -lkrb5)


#include <krb5.h>

struct krb5_verify_init_creds_opt;

void
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);

void
krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, int ap_req_nofail);

krb5_error_code
krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_ccache *ccache, krb5_verify_init_creds_opt *options);


The krb5_verify_init_creds function verifies the initial tickets with the local keytab to make sure the response from the KDC was not spoofed.

krb5_verify_init_creds will use the principal ap_req_server from the local keytab; if NULL is passed in, the code will guess the local hostname and use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME. creds is the credential that krb5_verify_init_creds should verify. If ccache is given, krb5_verify_init_creds stores all credentials it fetched from the KDC there; otherwise it will use a memory credential cache that is destroyed when done.

krb5_verify_init_creds_opt_init clears the structure; it must be called before the structure is passed to krb5_verify_init_creds.

krb5_verify_init_creds_opt_set_ap_req_nofail controls the behavior if ap_req_server doesn't exist in the local keytab or in the KDC's database; if it's true, the error will be ignored. Note that this use is possibly insecure.


krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)