krb5_get_in_tkt_with_password()--Get Initial Ticket Using Text Password
Syntax
```c
#include <krb5.h>

krb5_error_code krb5_get_in_tkt_with_password(
    krb5_context                 context,
    krb5_const krb5_flags        options,
    krb5_address * krb5_const *  addrs,
    krb5_enctype *               enctypes,
    krb5_preauthtype *           pre_auth_types,
    krb5_const char *            password,
    krb5_ccache                  ccache,
    krb5_creds *                 creds,
    krb5_kdc_rep **              ret_as_reply);
```

Service Program Name: QSYS/QKRBGSS
Default Public Authority: *USE
Threadsafe: Yes
The krb5_get_in_tkt_with_password() function obtains an initial ticket-granting ticket from the Kerberos Key Distribution Center (KDC) server using a text password. This initial ticket can then be used to obtain service tickets. The client must be in the same realm as the KDC to be able to obtain an initial ticket from the KDC. The initial ticket can be used to obtain tickets in the same realm or in different realms as long as the proper inter-realm trust relationships have been established.
Authorities
Object Referred to | Data Authority Required |
---|---|
Each directory in the path name preceding the credentials cache file | *X |
Credentials cache file | *RW |
Parameters
- context (Input)
- The Kerberos context.
- options (Input)
- The KDC options as follows:
Option | Value | Description |
---|---|---|
KDC_OPT_FORWARDABLE | x'40000000' | Obtain a forwardable ticket. |
KDC_OPT_PROXIABLE | x'10000000' | Obtain a proxiable ticket. |
KDC_OPT_ALLOW_POSTDATE | x'04000000' | Allow postdated tickets. |
KDC_OPT_RENEWABLE | x'00800000' | Obtain a renewable ticket. The renew_till time must be set in the request. |
KDC_OPT_RENEWABLE_OK | x'00000010' | A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime. |
- addrs (Input)
- The addresses to be placed in the ticket. If NULL is
specified for this parameter, the local system addresses are used. The address
list is an array of krb5_address pointers. The end of the array is indicated by
a NULL pointer. No addresses are included in the initial
ticket if the address array consists of a single NULL entry.
The ticket addresses determine which host systems can generate requests that
use the ticket.
- enctypes (Input)
- An array of encryption types to be used. The last entry in the array must
be ENCTYPE_NULL (x'00000000'). If NULL is
specified for this parameter, the default encryption types are used. The
following encryption types may be specified:
Encryption type | Value | Description |
---|---|---|
ENCTYPE_DES_CBC_CRC | x'00000001' | 32-bit CRC checksum with DES encryption. This encryption type should be used for interoperability with older levels of Kerberos Version 5. |
ENCTYPE_DES_CBC_MD5 | x'00000003' | MD5 checksum with DES encryption. |
ENCTYPE_AES128_CTS_HMAC_SHA1_96 | x'00000011' | AES-128 CTS mode encryption with 96-bit SHA-1 HMAC checksum. |
ENCTYPE_AES256_CTS_HMAC_SHA1_96 | x'00000012' | AES-256 CTS mode encryption with 96-bit SHA-1 HMAC checksum. |
ENCTYPE_ARCFOUR_HMAC | x'00000017' | ARCFOUR encryption with MD5 HMAC checksum. |
- pre_auth_types (Input)
- An array of preauthentication types to be used. The last entry in the array
must be KRB5_PADATA_NONE (x'00000000'). If
NULL is specified for this parameter, no preauthentication is
done unless required by KDC policy. If multiple preauthentication types are
specified, the KDC is supposed to accept the request as long as it recognizes
at least one of the preauthentication types. Early implementations of the KDC
did not follow this rule and will fail the request if the first
preauthentication type is not recognized. The following preauthentication type
may be specified:
Preauthentication type | Value | Description |
---|---|---|
KRB5_PADATA_ENC_TIMESTAMP | x'00000002' | Encrypted timestamp preauthentication. This preauthentication type should be used for interoperability with a Kerberos KDC. |
- password (Input)
- The password string. This string is converted to a Kerberos key value using
the rules for the first encryption type specified by the enctypes
parameter. The user is prompted to enter the password if NULL
is specified for this parameter.
- ccache (Input)
- The credentials cache handle. The initial ticket is stored in the
credentials cache for later use by the application. The credentials are not
stored if NULL is specified for this parameter.
- creds (Input/Output)
- The credentials that are used to obtain the initial ticket. The
client and server fields must be set. The endtime
field may be set to explicitly specify the ticket lifetime or it may be set to
zero to use the default ticket lifetime. The renew_till field must be
set if a renewable ticket is being requested. The starttime field must
be set if a postdated ticket is being requested.
Upon completion of the request, creds are updated with the initial ticket, the session key, and the client address list. The krb5_free_cred_contents() or krb5_free_creds() routine should be called to release the credentials when they are no longer needed.
- ret_as_reply (Output)
- The KDC reply. Specify NULL for this parameter if the KDC reply is not needed. The krb5_free_kdc_rep() routine should be called to release the reply when it is no longer needed.
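Per the enctypes and password descriptions above, the first entry of the enctypes array selects the string-to-key rules applied to the password, and the array must end with ENCTYPE_NULL. The following is an added example, not IBM's code: it reduces a requested list to the AES types with AES-256 first, dropping the DES and ARCFOUR types that RFC 6649 and RFC 8429 deprecate. `enctype_rank` and `build_enctype_list` are hypothetical helpers, and the typedef and constants are stand-ins for `<krb5.h>` that use the values listed on this page.

```c
#include <stddef.h>
/* Stand-in definitions so this builds without <krb5.h>; the values are the
   ones listed on this page. On IBM i, include <krb5.h> instead. */
typedef int krb5_enctype;
#define ENCTYPE_NULL                    0x00000000
#define ENCTYPE_DES_CBC_CRC             0x00000001
#define ENCTYPE_DES_CBC_MD5             0x00000003
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 0x00000011
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 0x00000012
#define ENCTYPE_ARCFOUR_HMAC            0x00000017

/* Hypothetical helper: preference rank; 0 (DES, ARCFOUR, unknown) = never offer. */
static int enctype_rank(krb5_enctype e)
{
    return e == ENCTYPE_AES256_CTS_HMAC_SHA1_96 ? 2
         : e == ENCTYPE_AES128_CTS_HMAC_SHA1_96 ? 1 : 0;
}

/* Hypothetical helper: copy the AES entries of `in` to `out`, strongest
   first, without duplicates, terminated with ENCTYPE_NULL. Returns the
   number of enctypes kept (0 = nothing acceptable), or -1 if `in` has no
   terminator within max_in entries or `out` is too small. */
int build_enctype_list(const krb5_enctype *in, size_t max_in,
                       krb5_enctype *out, size_t out_len)
{
    size_t i, end = max_in, n = 0; int rank;
    if (in == NULL || out == NULL || out_len == 0) return -1;
    for (i = 0; i < max_in; i++)
        if (in[i] == ENCTYPE_NULL) { end = i; break; }
    if (end == max_in) return -1;            /* unterminated input */
    for (rank = 2; rank >= 1; rank--)
        for (i = 0; i < end; i++) {
            if (enctype_rank(in[i]) != rank) continue;
            if (n > 0 && out[n - 1] == in[i]) continue; /* duplicate */
            if (n + 1 >= out_len) return -1; /* keep room for terminator */
            out[n++] = in[i];
        }
    out[n] = ENCTYPE_NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample: a legacy-first list such as an old config might hold. */
    krb5_enctype want[] = { ENCTYPE_DES_CBC_CRC, ENCTYPE_ARCFOUR_HMAC,
        ENCTYPE_AES128_CTS_HMAC_SHA1_96, ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_NULL };
    krb5_enctype out[3];
    return build_enctype_list(want, 5, out, 3) == 2 ? 0 : 1;
}
```

Pass the resulting array as the enctypes argument. Treat a return of 0 or -1 as a reason not to make the call, rather than falling back to NULL (the default encryption types).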
Return Value
If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.
Error Messages
Message ID | Error Message Text |
---|---|
CPE3418 E | Possible APAR condition or hardware failure. |
API introduced: V5R1