krb5_get_in_tkt_with_password()--Get Initial Ticket Using Text Password

Syntax

 #include <krb5.h>

 krb5_error_code krb5_get_in_tkt_with_password(  
     krb5_context                 context,
     krb5_const krb5_flags        options,
     krb5_address * krb5_const *  addrs,
     krb5_enctype *               enctypes,
     krb5_preauthtype *           pre_auth_types,
     krb5_const char *            password,
     krb5_ccache                  ccache,
     krb5_creds *                 creds,
     krb5_kdc_rep **              ret_as_reply);

  Service Program Name: QSYS/QKRBGSS

  Default Public Authority: *USE

  Threadsafe: Yes

The krb5_get_in_tkt_with_password() function obtains an initial ticket-granting ticket from the Kerberos Key Distribution Center (KDC) server using a text password. This initial ticket can then be used to obtain service tickets. The client must be in the same realm as the KDC to be able to obtain an initial ticket from the KDC. The initial ticket can be used to obtain tickets in the same realm or in different realms as long as the proper inter-realm trust relationships have been established.

Authorities

Object Referred to

Data Authority Required

Each directory in the path name preceding the credentials cache file

Credentials cache file

*RW

Parameters

context (Input)

The Kerberos context.

options (Input)

The KDC options as follows:

KDC_OPT_FORWARDABLE (x'40000000')

Obtain a forwardable ticket.

KDC_OPT_PROXIABLE (x'10000000')

Obtain a proxiable ticket.

KDC_OPT_ALLOW_POSTDATE (x'04000000')

Allow postdated tickets.

KDC_OPT_RENEWABLE (x'00800000')

Obtain a renewable ticket. The renew_till time must be set in the request.

KDC_OPT_RENEWABLE_OK (x'00000010')

A renewable ticket is acceptable if the KDC policy does not allow a ticket to be generated with the requested endtime.

addrs (Input)

The addresses to be placed in the ticket. If NULL is specified for this parameter, the local system addresses are used. The address list is an array of krb5_address pointers. The end of the array is indicated by a NULL pointer. No addresses are included in the initial ticket if the address array consists of a single NULL entry. The ticket addresses determine which host systems can generate requests that use the ticket.

enctypes (Input)

An array of encryption types to be used. The last entry in the array must be ENCTYPE_NULL (x'00000000'). If NULL is specified for this parameter, the default encryption types are used. The following encryption types may be specified:

ENCTYPE_DES_CBC_CRC (x'00000001')

32-bit CRC checksum with DES encryption. This encryption type should be used for interoperability with older levels of Kerberos Version 5.

ENCTYPE_DES_CBC_MD5 (x'00000003')

MD5 checksum with DES encryption.

ENCTYPE_AES128_CTS_HMAC_SHA1_96 (x'00000011')

AES-128 CTS mode encryption with 96-bit SHA-1 HMAC checksum

ENCTYPE_AES256_CTS_HMAC_SHA1_96 (x'00000012')

AES-256 CTS mode encryption with 96-bit SHA-1 HMAC checksum .

ENCTYPE_ARCFOUR_HMAC (x'00000017')

ARCFOUR encryption with MD5 HMAC checksum.

pre_auth_types (Input)

An array of preauthentication types to be used. The last entry in the array must be KRB5_PADATA_NONE (x'00000000'). If NULL is specified for this parameter, no preauthentication is done unless required by KDC policy. If multiple preauthentication types are specified, the KDC is supposed to accept the request as long as it recognizes at least one of the preauthentication types. Early implementations of the KDC did not follow this rule and will fail the request if the first preauthentication type is not recognized. The following preauthentication type may be specified:

KRB5_PADATA_ENC_TIMESTAMP (x'00000002')

Encrypted timestamp preauthentication. This preauthentication type should be used for interoperability with a Kerberos KDC.

password (Input)

The password string. This string is converted to a Kerberos key value using the rules for the first encryption type specified by the enctypes parameter. The user is prompted to enter the password if NULL is specified for this parameter.

ccache (Input)

The credentials cache handle. The initial ticket is stored in the credentials cache for later use by the application. The credentials are not stored if NULL is specified for this parameter.

creds (Input/Output)

The credentials that are used to obtain the initial ticket. The client and server fields must be set. The endtime field may be set to explicitly specify the ticket lifetime or it may be set to zero to use the default ticket lifetime. The renew_till field must be set if a renewable ticket is being requested. The starttime field must be set if a postdated ticket is being requested.

Upon completion of the request, creds are updated with the initial ticket, the session key, and the client address list. The krb5_free_cred_contents() or krb5_free_creds() routine should be called to release the credentials when they are no longer needed.

ret_as_reply (Output)

The KDC reply. Specify NULL for this parameter if the KDC reply is not needed. The krb5_free_kdc_rep() routine should be called to release the reply when it is no longer needed.

Return Value

If no errors occur, the return value is 0. Otherwise, a Kerberos error code is returned.

Error Messages

Message ID

Error Message Text

CPE3418 E

Possible APAR condition or hardware failure.

API introduced: V5R1

[ Back to top | Security APIs | UNIX-Type APIs | APIs by category ]