NAME

     krb5_auth_con_addflags, krb5_auth_con_free, krb5_auth_con_genaddrs,
     krb5_auth_con_generatelocalsubkey, krb5_auth_con_getaddrs, krb5_auth_con_getauthenticator,
     krb5_auth_con_getflags, krb5_auth_con_getkey, krb5_auth_con_getlocalsubkey,
     krb5_auth_con_getrcache, krb5_auth_con_getremotesubkey, krb5_auth_con_getuserkey,
     krb5_auth_con_init, krb5_auth_con_initivector, krb5_auth_con_removeflags,
     krb5_auth_con_setaddrs, krb5_auth_con_setaddrs_from_fd, krb5_auth_con_setflags,
     krb5_auth_con_setivector, krb5_auth_con_setkey, krb5_auth_con_setlocalsubkey,
     krb5_auth_con_setrcache, krb5_auth_con_setremotesubkey, krb5_auth_con_setuserkey,
     krb5_auth_context, krb5_auth_getcksumtype, krb5_auth_getkeytype,
     krb5_auth_getlocalseqnumber, krb5_auth_getremoteseqnumber, krb5_auth_setcksumtype,
     krb5_auth_setkeytype, krb5_auth_setlocalseqnumber, krb5_auth_setremoteseqnumber,
     krb5_free_authenticator — manage authentication on connection level

LIBRARY

     Kerberos 5 Library (libkrb5, -lkrb5)

SYNOPSIS

     #include <krb5.h>

     krb5_error_code
     krb5_auth_con_init(krb5_context context, krb5_auth_context *auth_context);

     void
     krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context);

     krb5_error_code
     krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, int32_t flags);

     krb5_error_code
     krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context,
         int32_t *flags);

     krb5_error_code
     krb5_auth_con_addflags(krb5_context context, krb5_auth_context auth_context,
         int32_t addflags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_removeflags(krb5_context context, krb5_auth_context auth_context,
         int32_t removelags, int32_t *flags);

     krb5_error_code
     krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context,
         krb5_address *local_addr, krb5_address *remote_addr);

     krb5_error_code
     krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context,
         krb5_address **local_addr, krb5_address **remote_addr);

     krb5_error_code
     krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int fd,
         int flags);

     krb5_error_code
     krb5_auth_con_setaddrs_from_fd(krb5_context context, krb5_auth_context auth_context,
         void *p_fd);

     krb5_error_code
     krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context,
         krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context,
         krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context,
         krb5_keyblock **keyblock);

     krb5_error_code
     krb5_auth_con_generatelocalsubkey(krb5_context context, krb5_auth_context auth_context,
         krb5_keyblock, *key");

     krb5_error_code
     krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context);

     krb5_error_code
     krb5_auth_con_setivector(krb5_context context, krb5_auth_context *auth_context,
         krb5_pointer ivector);

     void
     krb5_free_authenticator(krb5_context context, krb5_authenticator *authenticator);

DESCRIPTION

     The krb5_auth_context structure holds all context related to an authenticated connection, in
     a similar way to krb5_context that holds the context for the thread or process.
     krb5_auth_context is used by various functions that are directly related to authentication
     between the server/client. Example of data that this structure contains are various flags,
     addresses of client and server, port numbers, keyblocks (and subkeys), sequence numbers,
     replay cache, and checksum-type.

     krb5_auth_con_init() allocates and initializes the krb5_auth_context structure. Default
     values can be changed with krb5_auth_con_setcksumtype() and krb5_auth_con_setflags().  The
     auth_context structure must be freed by krb5_auth_con_free().

     krb5_auth_con_getflags(), krb5_auth_con_setflags(), krb5_auth_con_addflags() and
     krb5_auth_con_removeflags() gets and modifies the flags for a krb5_auth_context structure.
     Possible flags to set are:

     KRB5_AUTH_CONTEXT_DO_SEQUENCE
             Generate and check sequence-number on each packet.

     KRB5_AUTH_CONTEXT_DO_TIME
             Check timestamp on incoming packets.

     KRB5_AUTH_CONTEXT_RET_SEQUENCE, KRB5_AUTH_CONTEXT_RET_TIME
             Return sequence numbers and time stamps in the outdata parameters.

     KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED
             will force krb5_get_forwarded_creds() and krb5_fwd_tgt_creds() to create unencrypted
             ) KRB5_ENCTYPE_NULL) credentials.  This is for use with old MIT server and JAVA
             based servers as they can't handle encrypted KRB-CRED.  Note that sending such
             KRB-CRED is clear exposes crypto keys and tickets and is insecure, make sure the
             packet is encrypted in the protocol.  krb5_rd_cred(3), krb5_rd_priv(3),
             krb5_rd_safe(3), krb5_mk_priv(3) and krb5_mk_safe(3).  Setting this flag requires
             that parameter to be passed to these functions.

             The flags KRB5_AUTH_CONTEXT_DO_TIME also modifies the behavior the function
             krb5_get_forwarded_creds() by removing the timestamp in the forward credential
             message, this have backward compatibility problems since not all versions of the
             heimdal supports timeless credentional messages.  Is very useful since it always the
             sender of the message to cache forward message and thus avoiding a round trip to the
             KDC for each time a credential is forwarded.  The same functionality can be obtained
             by using address-less tickets.

     krb5_auth_con_setaddrs(), krb5_auth_con_setaddrs_from_fd() and krb5_auth_con_getaddrs() gets
     and sets the addresses that are checked when a packet is received.  It is mandatory to set
     an address for the remote host. If the local address is not set, it iss deduced from the
     underlaying operating system.  krb5_auth_con_getaddrs() will call krb5_free_address() on any
     address that is passed in local_addr or remote_addr.  krb5_auth_con_setaddr() allows passing
     in a NULL pointer as local_addr and remote_addr, in that case it will just not set that
     address.

     krb5_auth_con_setaddrs_from_fd() fetches the addresses from a file descriptor.

     krb5_auth_con_genaddrs() fetches the address information from the given file descriptor fd
     depending on the bitmap argument flags.

     Possible values on flags are:

     KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR
             fetches the local address from fd.

     KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR
             fetches the remote address from fd.

     krb5_auth_con_setkey(), krb5_auth_con_setuserkey() and krb5_auth_con_getkey() gets and sets
     the key used for this auth context. The keyblock returned by krb5_auth_con_getkey() should
     be freed with krb5_free_keyblock().  The keyblock send into krb5_auth_con_setkey() is copied
     into the krb5_auth_context, and thus no special handling is needed.  NULL is not a valid
     keyblock to krb5_auth_con_setkey().

     krb5_auth_con_setuserkey() is only useful when doing user to user authentication.
     krb5_auth_con_setkey() is equivalent to krb5_auth_con_setuserkey().

     krb5_auth_con_getlocalsubkey(), krb5_auth_con_setlocalsubkey(),
     krb5_auth_con_getremotesubkey() and krb5_auth_con_setremotesubkey() gets and sets the
     keyblock for the local and remote subkey.  The keyblock returned by
     krb5_auth_con_getlocalsubkey() and krb5_auth_con_getremotesubkey() must be freed with
     krb5_free_keyblock().

     krb5_auth_setcksumtype() and krb5_auth_getcksumtype() sets and gets the checksum type that
     should be used for this connection.

     krb5_auth_con_generatelocalsubkey() generates a local subkey that have the same encryption
     type as key.

     krb5_auth_getremoteseqnumber() krb5_auth_setremoteseqnumber(), krb5_auth_getlocalseqnumber()
     and krb5_auth_setlocalseqnumber() gets and sets the sequence-number for the local and remote
     sequence-number counter.

     krb5_auth_setkeytype() and krb5_auth_getkeytype() gets and gets the keytype of the keyblock
     in krb5_auth_context.

     krb5_auth_con_getauthenticator() Retrieves the authenticator that was used during mutual
     authentication. The authenticator returned should be freed by calling
     krb5_free_authenticator().

     krb5_auth_con_getrcache() and krb5_auth_con_setrcache() gets and sets the replay-cache.

     krb5_auth_con_initivector() allocates memory for and zeros the initial vector in the
     auth_context keyblock.

     krb5_auth_con_setivector() sets the i_vector portion of auth_context to ivector.

     krb5_free_authenticator() free the content of authenticator and authenticator itself.

SEE ALSO

     krb5_context(3), kerberos(8)