1.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
2.\" (Royal Institute of Technology, Stockholm, Sweden).
3.\" All rights reserved.
4.\"
5.\" Redistribution and use in source and binary forms, with or without
6.\" modification, are permitted provided that the following conditions
7.\" are met:
8.\"
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\"
12.\" 2. Redistributions in binary form must reproduce the above copyright
13.\"    notice, this list of conditions and the following disclaimer in the
14.\"    documentation and/or other materials provided with the distribution.
15.\"
16.\" 3. Neither the name of the Institute nor the names of its contributors
17.\"    may be used to endorse or promote products derived from this software
18.\"    without specific prior written permission.
19.\"
20.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30.\" SUCH DAMAGE.
31.\"
32.\" $Id$
33.\"
34.Dd May  1, 2006
35.Dt KRB5_VERIFY_INIT_CREDS 3
36.Os HEIMDAL
37.Sh NAME
38.Nm krb5_verify_init_creds_opt_init ,
39.Nm krb5_verify_init_creds_opt_set_ap_req_nofail ,
40.Nm krb5_verify_init_creds
41.Nd "verifies a credential cache is correct by using a local keytab"
42.Sh LIBRARY
43Kerberos 5 Library (libkrb5, -lkrb5)
44.Sh SYNOPSIS
45.In krb5.h
46.Pp
47.Li "struct krb5_verify_init_creds_opt;"
48.Ft void
49.Fo krb5_verify_init_creds_opt_init
50.Fa "krb5_verify_init_creds_opt *options"
51.Fc
52.Ft void
53.Fo krb5_verify_init_creds_opt_set_ap_req_nofail
54.Fa "krb5_verify_init_creds_opt *options"
55.Fa "int ap_req_nofail"
56.Fc
57.Ft krb5_error_code
58.Fo krb5_verify_init_creds
59.Fa "krb5_context context"
60.Fa "krb5_creds *creds"
61.Fa "krb5_principal ap_req_server"
62.Fa "krb5_ccache *ccache"
63.Fa "krb5_verify_init_creds_opt *options"
64.Fc
65.Sh DESCRIPTION
66The
67.Nm krb5_verify_init_creds
68function verifies the initial tickets with the local keytab to make
69sure the response of the KDC was spoof-ed.
70.Pp
71.Nm krb5_verify_init_creds
72will use principal
73.Fa ap_req_server
74from the local keytab, if
75.Dv NULL
76is passed in, the code will guess the local hostname and use that to
77form host/hostname/GUESSED-REALM-FOR-HOSTNAME.
78.Fa creds
79is the credential that
80.Nm krb5_verify_init_creds
81should verify.
82If
83.Fa ccache
84is given
85.Fn krb5_verify_init_creds
86stores all credentials it fetched from the KDC there, otherwise it
87will use a memory credential cache that is destroyed when done.
88.Pp
89.Fn krb5_verify_init_creds_opt_init
90cleans the the structure, must be used before trying to pass it in to
91.Fn krb5_verify_init_creds .
92.Pp
93.Fn krb5_verify_init_creds_opt_set_ap_req_nofail
94controls controls the behavior if
95.Fa ap_req_server
96doesn't exists in the local keytab or in the KDC's database, if it's
97true, the error will be ignored.  Note that this use is possible
98insecure.
99.Sh SEE ALSO
100.Xr krb5 3 ,
101.Xr krb5_get_init_creds 3 ,
102.Xr krb5_verify_user 3 ,
103.Xr krb5.conf 5
104