libkrb5.3 (2010 09)

libkrb5(3) libkrb5(3)
and should not be accessed directly by developers. Some of the common APIs are
krb5_init_context(), krb5_free_context(), and krb5_set_default_in_tkt_etypes().
The encryption types which are retrieved from the context and stored in the etypes should be freed
by the caller.
krb5_auth_context Management APIs
The auth_context is a per-connection context and is used by the various APIs involved directly in
client/server authentication. Some of the data stored in this context include keyblocks, addresses,
sequence numbers, authenticator, checksum type and replay cache pointer. Some of the common APIs
are krb5_auth_con_init(), krb5_auth_con_free(), krb5_auth_con_setaddrs(),
krb5_auth_con_setports(), krb5_auth_con_setflags(), krb5_auth_con_getlocalsubkey(), and
krb5_auth_con_genaddrs().
The auth_context structure should be freed using krb5_auth_con_free(). It is the responsibility
of the application developer to free the memory allocated to the authenticator by using
krb5_free_authenticator(). The application developer must also free the memory that was allocated
to store the local sub keyblocks using krb5_free_keyblock().
Principal Access APIs
A principal is a uniquely named client or server instance that participates in a network communication.
The APIs allow you to create, modify and access portions of the krb5_principal. Some of the common
APIs are krb5_parse_name(), krb5_unparse_name(), krb5_free_principal(), krb5_princ_realm(),
krb5_copy_principal(), and so on.
Some of the APIs are internal functions, which are not intended for use by the application programs since
this interface may change at any time. Even though it is possible to directly access the data elements in
the structure, it is recommended that these APIs should be used. The returned principal should be freed
with krb5_free_principal().
Credential Cache Management APIs
These APIs deal with storing credentials (tickets, session keys and other identifying information) in a
semi-permanent store for later use by different programs. The credential storage can be a hard disk or a
memory storage. Some of the common APIs are krb5_cc_resolve(), krb5_cc_default(),
krb5_cc_initialize(), krb5_cc_destroy(), krb5_cc_store_cred(), krb5_cc_retrieve_cred(),
krb5_cc_remove_cred(), and krb5_cc_set_flags().
The retrieved credentials should be freed using krb5_free_credentials().
Replay Cache Management APIs
These APIs deal with verifying that AP_REQ's do not contain duplicate authenticators. The storage must
be non-volatile for the site-determined validity period of authenticators. Some of the common APIs are
krb5_auth_to_rep(), krb5_rc_register_type(), krb5_rc_default(), krb5_rc_initialize(),
krb5_rc_close(), krb5_rc_store(), and krb5_rc_resolve().
krb5_rc_resolve() initializes the private data for a replay cache. This API must be called before
the other replay cache APIs. The allocated memory should be freed using krb5_rc_close().
These APIs are not generally used by the applications.
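The duplicate-authenticator check described above, as an added example that is not part of this manual page and is not libkrb5 code. It is an in-memory sketch in C; every struct, function and constant name is hypothetical, the 300-second validity period is an assumed site value, and a real replay cache keeps its entries in non-volatile storage as stated above.

```c
#include <stdio.h>
#include <string.h>
#define RC_MAX      64    /* capacity of this toy cache (assumption) */
#define RC_LIFESPAN 300   /* authenticator validity period, seconds (assumed) */
/* Fields identifying one authenticator; all names here are hypothetical. */
struct rc_entry {
    char client[64], server[64];
    long ctime_sec, cusec;          /* client timestamp from the authenticator */
};
struct rc_cache { struct rc_entry e[RC_MAX]; int n; };
enum rc_result { RC_OK, RC_REPLAY, RC_STALE, RC_FULL };

/* Drop entries older than the validity period so the cache stays bounded. */
static void rc_expire(struct rc_cache *rc, long now)
{
    int i, kept = 0;
    for (i = 0; i < rc->n; i++)
        if (now - rc->e[i].ctime_sec <= RC_LIFESPAN)
            rc->e[kept++] = rc->e[i];
    rc->n = kept;
}

/* Accept an authenticator once; reject out-of-window ones and exact repeats. */
static enum rc_result rc_check_and_store(struct rc_cache *rc,
                                         const struct rc_entry *a, long now)
{
    int i;
    if (now - a->ctime_sec > RC_LIFESPAN || a->ctime_sec - now > RC_LIFESPAN)
        return RC_STALE;    /* outside the window the cache can vouch for */
    rc_expire(rc, now);
    for (i = 0; i < rc->n; i++)
        if (rc->e[i].ctime_sec == a->ctime_sec && rc->e[i].cusec == a->cusec &&
            !strcmp(rc->e[i].client, a->client) &&
            !strcmp(rc->e[i].server, a->server))
            return RC_REPLAY;
    if (rc->n == RC_MAX) return RC_FULL;   /* fail closed, keep live entries */
    rc->e[rc->n++] = *a;
    return RC_OK;
}

int main(void)
{
    /* Constructed sample authenticator, not captured traffic. */
    struct rc_entry a = { "alice@EXAMPLE.COM", "host/srv@EXAMPLE.COM", 1000, 42 };
    static struct rc_cache rc;
    int first = (int)rc_check_and_store(&rc, &a, 1010);
    printf("first=%d repeat=%d\n", first, (int)rc_check_and_store(&rc, &a, 1020));
    return 0;
}
```

The stale check runs before the lookup because entries older than the validity period have already been expired, so the cache can no longer tell a replay of them from a first use.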
Keytab Management APIs
These APIs deal with storing and retrieving service keys for use by unattended services which participate
in authentication exchanges. Keytab routines are all atomic. All keytab types support multiple
concurrent sequential scans. Some of the common APIs are krb5_kt_register(), krb5_kt_resolve(),
krb5_kt_default(), krb5_kt_add_entry(), krb5_kt_close(), krb5_kt_free_entry(), and
krb5_kt_next_entry().
To free the resources, the user should use krb5_kt_free_entry().
Memory Management APIs
These APIs deal with deallocation of memory that has been allocated by various routines. It is
recommended that developers use these routines to free the data structures. All of these APIs start
with the krb5_free prefix. Some of the common APIs are krb5_free_principal(),
krb5_free_data(), krb5_free_authenticator(), krb5_free_ticket(),
krb5_free_cred(), krb5_free_pa_data(), and krb5_free_tgt_creds().
2 Hewlett-Packard Company 2 HP-UX 11i Version 3: September 2010