1.\" $NetBSD: krb5_get_init_creds.3,v 1.1.1.3 2014/04/24 12:45:50 pettai Exp $ 2.\" 3.\" Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan 4.\" (Royal Institute of Technology, Stockholm, Sweden). 5.\" All rights reserved. 6.\" 7.\" Redistribution and use in source and binary forms, with or without 8.\" modification, are permitted provided that the following conditions 9.\" are met: 10.\" 11.\" 1. Redistributions of source code must retain the above copyright 12.\" notice, this list of conditions and the following disclaimer. 13.\" 14.\" 2. Redistributions in binary form must reproduce the above copyright 15.\" notice, this list of conditions and the following disclaimer in the 16.\" documentation and/or other materials provided with the distribution. 17.\" 18.\" 3. Neither the name of the Institute nor the names of its contributors 19.\" may be used to endorse or promote products derived from this software 20.\" without specific prior written permission. 21.\" 22.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32.\" SUCH DAMAGE. 33.\" 34.\" Id 35.\" 36.Dd Sep 16, 2006 37.Dt KRB5_GET_INIT_CREDS 3 38.Os 39.Sh NAME 40.Nm krb5_get_init_creds , 41.Nm krb5_get_init_creds_keytab , 42.Nm krb5_get_init_creds_opt , 43.Nm krb5_get_init_creds_opt_alloc , 44.Nm krb5_get_init_creds_opt_free , 45.Nm krb5_get_init_creds_opt_init , 46.Nm krb5_get_init_creds_opt_set_address_list , 47.Nm krb5_get_init_creds_opt_set_addressless , 48.Nm krb5_get_init_creds_opt_set_anonymous , 49.Nm krb5_get_init_creds_opt_set_default_flags , 50.Nm krb5_get_init_creds_opt_set_etype_list , 51.Nm krb5_get_init_creds_opt_set_forwardable , 52.Nm krb5_get_init_creds_opt_set_pa_password , 53.Nm krb5_get_init_creds_opt_set_paq_request , 54.Nm krb5_get_init_creds_opt_set_preauth_list , 55.Nm krb5_get_init_creds_opt_set_proxiable , 56.Nm krb5_get_init_creds_opt_set_renew_life , 57.Nm krb5_get_init_creds_opt_set_salt , 58.Nm krb5_get_init_creds_opt_set_tkt_life , 59.Nm krb5_get_init_creds_opt_set_canonicalize , 60.Nm krb5_get_init_creds_opt_set_win2k , 61.Nm krb5_get_init_creds_password , 62.Nm krb5_prompt , 63.Nm krb5_prompter_posix 64.Nd Kerberos 5 initial authentication functions 65.Sh LIBRARY 66Kerberos 5 Library (libkrb5, -lkrb5) 67.Sh SYNOPSIS 68.In krb5/krb5.h 69.Pp 70.Ft krb5_get_init_creds_opt; 71.Pp 72.Ft krb5_error_code 73.Fo krb5_get_init_creds_opt_alloc 74.Fa "krb5_context context" 75.Fa "krb5_get_init_creds_opt **opt" 76.Fc 77.Ft void 78.Fo krb5_get_init_creds_opt_free 79.Fa "krb5_context context" 80.Fa "krb5_get_init_creds_opt *opt" 81.Fc 82.Ft void 83.Fo krb5_get_init_creds_opt_init 84.Fa "krb5_get_init_creds_opt *opt" 85.Fc 86.Ft void 87.Fo krb5_get_init_creds_opt_set_address_list 88.Fa "krb5_get_init_creds_opt *opt" 89.Fa "krb5_addresses *addresses" 90.Fc 91.Ft void 92.Fo krb5_get_init_creds_opt_set_addressless 93.Fa "krb5_get_init_creds_opt *opt" 94.Fa "krb5_boolean addressless" 95.Fc 96.Ft void 97.Fo krb5_get_init_creds_opt_set_anonymous 98.Fa "krb5_get_init_creds_opt *opt" 99.Fa "int anonymous" 100.Fc 101.Ft void 102.Fo krb5_get_init_creds_opt_set_default_flags 103.Fa "krb5_context context" 104.Fa "const char *appname" 105.Fa "krb5_const_realm realm" 106.Fa "krb5_get_init_creds_opt *opt" 107.Fc 108.Ft void 109.Fo krb5_get_init_creds_opt_set_etype_list 110.Fa "krb5_get_init_creds_opt *opt" 111.Fa "krb5_enctype *etype_list" 112.Fa "int etype_list_length" 113.Fc 114.Ft void 115.Fo krb5_get_init_creds_opt_set_forwardable 116.Fa "krb5_get_init_creds_opt *opt" 117.Fa "int forwardable" 118.Fc 119.Ft krb5_error_code 120.Fo krb5_get_init_creds_opt_set_pa_password 121.Fa "krb5_context context" 122.Fa "krb5_get_init_creds_opt *opt" 123.Fa "const char *password" 124.Fa "krb5_s2k_proc key_proc" 125.Fc 126.Ft krb5_error_code 127.Fo krb5_get_init_creds_opt_set_paq_request 128.Fa "krb5_context context" 129.Fa "krb5_get_init_creds_opt *opt" 130.Fa "krb5_boolean req_pac" 131.Fc 132.Ft krb5_error_code 133.Fo krb5_get_init_creds_opt_set_pkinit 134.Fa "krb5_context context" 135.Fa "krb5_get_init_creds_opt *opt" 136.Fa "const char *cert_file" 137.Fa "const char *key_file" 138.Fa "const char *x509_anchors" 139.Fa "int flags" 140.Fa "char *password" 141.Fc 142.Ft void 143.Fo krb5_get_init_creds_opt_set_preauth_list 144.Fa "krb5_get_init_creds_opt *opt" 145.Fa "krb5_preauthtype *preauth_list" 146.Fa "int preauth_list_length" 147.Fc 148.Ft void 149.Fo krb5_get_init_creds_opt_set_proxiable 150.Fa "krb5_get_init_creds_opt *opt" 151.Fa "int proxiable" 152.Fc 153.Ft void 154.Fo krb5_get_init_creds_opt_set_renew_life 155.Fa "krb5_get_init_creds_opt *opt" 156.Fa "krb5_deltat renew_life" 157.Fc 158.Ft void 159.Fo krb5_get_init_creds_opt_set_salt 160.Fa "krb5_get_init_creds_opt *opt" 161.Fa "krb5_data *salt" 162.Fc 163.Ft void 164.Fo krb5_get_init_creds_opt_set_tkt_life 165.Fa "krb5_get_init_creds_opt *opt" 166.Fa "krb5_deltat tkt_life" 167.Fc 168.Ft krb5_error_code 169.Fo krb5_get_init_creds_opt_set_canonicalize 170.Fa "krb5_context context" 171.Fa "krb5_get_init_creds_opt *opt" 172.Fa "krb5_boolean req" 173.Fc 174.Ft krb5_error_code 175.Fo krb5_get_init_creds_opt_set_win2k 176.Fa "krb5_context context" 177.Fa "krb5_get_init_creds_opt *opt" 178.Fa "krb5_boolean req" 179.Fc 180.Ft krb5_error_code 181.Fo krb5_get_init_creds 182.Fa "krb5_context context" 183.Fa "krb5_creds *creds" 184.Fa "krb5_principal client" 185.Fa "krb5_prompter_fct prompter" 186.Fa "void *prompter_data" 187.Fa "krb5_deltat start_time" 188.Fa "const char *in_tkt_service" 189.Fa "krb5_get_init_creds_opt *options" 190.Fc 191.Ft krb5_error_code 192.Fo krb5_get_init_creds_password 193.Fa "krb5_context context" 194.Fa "krb5_creds *creds" 195.Fa "krb5_principal client" 196.Fa "const char *password" 197.Fa "krb5_prompter_fct prompter" 198.Fa "void *prompter_data" 199.Fa "krb5_deltat start_time" 200.Fa "const char *in_tkt_service" 201.Fa "krb5_get_init_creds_opt *in_options" 202.Fc 203.Ft krb5_error_code 204.Fo krb5_get_init_creds_keytab 205.Fa "krb5_context context" 206.Fa "krb5_creds *creds" 207.Fa "krb5_principal client" 208.Fa "krb5_keytab keytab" 209.Fa "krb5_deltat start_time" 210.Fa "const char *in_tkt_service" 211.Fa "krb5_get_init_creds_opt *options" 212.Fc 213.Ft int 214.Fo krb5_prompter_posix 215.Fa "krb5_context context" 216.Fa "void *data" 217.Fa "const char *name" 218.Fa "const char *banner" 219.Fa "int num_prompts" 220.Fa "krb5_prompt prompts[]" 221.Fc 222.Sh DESCRIPTION 223Getting initial credential ticket for a principal. 224That may include changing an expired password, and doing preauthentication. 225This interface that replaces the deprecated 226.Fa krb5_in_tkt 227and 228.Fa krb5_in_cred 229functions. 230.Pp 231If you only want to verify a username and password, consider using 232.Xr krb5_verify_user 3 233instead, since it also verifies that initial credentials with using a 234keytab to make sure the response was from the KDC. 235.Pp 236First a 237.Li krb5_get_init_creds_opt 238structure is initialized 239with 240.Fn krb5_get_init_creds_opt_alloc 241or 242.Fn krb5_get_init_creds_opt_init . 243.Fn krb5_get_init_creds_opt_alloc 244allocates a extendible structures that needs to be freed with 245.Fn krb5_get_init_creds_opt_free . 246The structure may be modified by any of the 247.Fn krb5_get_init_creds_opt_set 248functions to change request parameters and authentication information. 249.Pp 250If the caller want to use the default options, 251.Dv NULL 252can be passed instead. 253.Pp 254The the actual request to the KDC is done by any of the 255.Fn krb5_get_init_creds , 256.Fn krb5_get_init_creds_password , 257or 258.Fn krb5_get_init_creds_keytab 259functions. 260.Fn krb5_get_init_creds 261is the least specialized function and can, with the right in data, 262behave like the latter two. 263The latter two are there for compatibility with older releases and 264they are slightly easier to use. 265.Pp 266.Li krb5_prompt 267is a structure containing the following elements: 268.Bd -literal 269typedef struct { 270 const char *prompt; 271 int hidden; 272 krb5_data *reply; 273 krb5_prompt_type type 274} krb5_prompt; 275.Ed 276.Pp 277.Fa prompt 278is the prompt that should shown to the user 279If 280.Fa hidden 281is set, the prompter function shouldn't echo the output to the display 282device. 283.Fa reply 284must be preallocated; it will not be allocated by the prompter 285function. 286Possible values for the 287.Fa type 288element are: 289.Pp 290.Bl -tag -width Ds -compact -offset indent 291.It KRB5_PROMPT_TYPE_PASSWORD 292.It KRB5_PROMPT_TYPE_NEW_PASSWORD 293.It KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN 294.It KRB5_PROMPT_TYPE_PREAUTH 295.It KRB5_PROMPT_TYPE_INFO 296.El 297.Pp 298.Fn krb5_prompter_posix 299is the default prompter function in a POSIX environment. 300It matches the 301.Fa krb5_prompter_fct 302and can be used in the 303.Fa krb5_get_init_creds 304functions. 305.Fn krb5_prompter_posix 306doesn't require 307.Fa prompter_data. 308.Pp 309If the 310.Fa start_time 311is zero, then the requested ticket will be valid 312beginning immediately. 313Otherwise, the 314.Fa start_time 315indicates how far in the future the ticket should be postdated. 316.Pp 317If the 318.Fa in_tkt_service 319name is 320.Dv non-NULL , 321that principal name will be 322used as the server name for the initial ticket request. 323The realm of the name specified will be ignored and will be set to the 324realm of the client name. 325If no in_tkt_service name is specified, 326krbtgt/CLIENT-REALM@CLIENT-REALM will be used. 327.Pp 328For the rest of arguments, a configuration or library default will be 329used if no value is specified in the options structure. 330.Pp 331.Fn krb5_get_init_creds_opt_set_address_list 332sets the list of 333.Fa addresses 334that is should be stored in the ticket. 335.Pp 336.Fn krb5_get_init_creds_opt_set_addressless 337controls if the ticket is requested with addresses or not, 338.Fn krb5_get_init_creds_opt_set_address_list 339overrides this option. 340.Pp 341.Fn krb5_get_init_creds_opt_set_anonymous 342make the request anonymous if the 343.Fa anonymous 344parameter is non-zero. 345.Pp 346.Fn krb5_get_init_creds_opt_set_default_flags 347sets the default flags using the configuration file. 348.Pp 349.Fn krb5_get_init_creds_opt_set_etype_list 350set a list of enctypes that the client is willing to support in the 351request. 352.Pp 353.Fn krb5_get_init_creds_opt_set_forwardable 354request a forwardable ticket. 355.Pp 356.Fn krb5_get_init_creds_opt_set_pa_password 357set the 358.Fa password 359and 360.Fa key_proc 361that is going to be used to get a new ticket. 362.Fa password 363or 364.Fa key_proc 365can be 366.Dv NULL 367if the caller wants to use the default values. 368If the 369.Fa password 370is unset and needed, the user will be prompted for it. 371.Pp 372.Fn krb5_get_init_creds_opt_set_paq_request 373sets the password that is going to be used to get a new ticket. 374.Pp 375.Fn krb5_get_init_creds_opt_set_preauth_list 376sets the list of client-supported preauth types. 377.Pp 378.Fn krb5_get_init_creds_opt_set_proxiable 379makes the request proxiable. 380.Pp 381.Fn krb5_get_init_creds_opt_set_renew_life 382sets the requested renewable lifetime. 383.Pp 384.Fn krb5_get_init_creds_opt_set_salt 385sets the salt that is going to be used in the request. 386.Pp 387.Fn krb5_get_init_creds_opt_set_tkt_life 388sets requested ticket lifetime. 389.Pp 390.Fn krb5_get_init_creds_opt_set_canonicalize 391requests that the KDC canonicalize the client pricipal if possible. 392.Pp 393.Fn krb5_get_init_creds_opt_set_win2k 394turns on compatibility with Windows 2000. 395.Sh SEE ALSO 396.Xr krb5 3 , 397.Xr krb5_creds 3 , 398.Xr krb5_verify_user 3 , 399.Xr krb5.conf 5 , 400.Xr kerberos 8 401