HP-UX Reference (11i v1 00/12) - 3 Library Functions A-M (vol 6)

libkrb5(3)
NAME
libkrb5 - Kerberos client libraries (libkrb5, libk5crypto, libcom_err)
SYNOPSIS
/usr/lib/libkrb5.sl
/usr/lib/libcom_err.sl com_err()
/usr/lib/libk5crypto.sl
DESCRIPTION
Kerberos is a network authentication protocol developed at MIT. It is now an IETF standard, RFC 1510,
The Kerberos Network Authentication Service (V5). The shared libraries libkrb5.sl, libcom_err.sl and
libk5crypto.sl support the authentication, integrity and confidentiality services defined by the Kerberos V5
specification.
Kerberos performs authentication as a trusted third-party authentication service using conventional
(shared secret key) cryptography. It provides a means of verifying the identities of principals without
relying on authentication by the host operating system and without basing trust on host addresses. The
protocol does not require the physical security of all the hosts on the network; it is designed under the
assumption that packets travelling over the network can be read, modified and inserted at will.
libkrb5.sl is the main Kerberos library. It provides APIs for authentication, verifying tickets,
creating authenticators, context management, cache and replay cache management, keytab file
management, memory management, principal name style mapping and operating system specific calls. The
krb5.h header file must be included by any application that uses APIs from the libkrb5.sl library.
libk5crypto.sl, which is linked to libkrb5.sl, provides the encryption and decryption APIs. A user
should not link this library directly with an application. To add authentication, an application may need
to call one or more APIs of the Kerberos library, which results in the transmission of the messages
necessary to achieve authentication.
libcom_err.sl implements the Kerberos library error code tables. There are separate error code tables for
the database, magic number and ASN.1 APIs. Depending on which API failed, the user may obtain the error
message from these tables using the appropriate com_err() API. The com_err.h header file must be included
by any application that uses routines from the libcom_err.sl library. Executables must be linked with
-lcom_err in order to include the com_err library.
The functionalities of the APIs implemented in Kerberos client libraries are given below.
krb5_context Management APIs
The context is designed to represent per-process state. Global parameters that are context specific are
stored in this structure, which contains the default realm, default encryption type, default configuration
files and the like. The APIs provide full access to the data stored in the context; developers should not
access the structure directly. Some of the common APIs are krb5_init_context(), krb5_free_context(), and
krb5_set_default_in_tkt_etypes().
The encryption types that are retrieved from the context and stored in the etypes list must be freed by
the caller.
krb5_auth_context Management APIs
The auth_context is a per-connection context and is used by the various APIs involved directly in
client/server authentication. The data stored in this context includes keyblocks, addresses, sequence
numbers, the authenticator, the checksum type and the replay cache pointer. Some of the common APIs are
krb5_auth_con_init(), krb5_auth_con_free(), krb5_auth_con_setaddrs(), krb5_auth_con_setports(),
krb5_auth_con_setflags(), krb5_auth_con_getlocalsubkey(), and krb5_auth_con_genaddrs().
The auth_context structure must be freed using krb5_auth_con_free(). It is the responsibility of the
application developer to free the memory allocated to the authenticator using krb5_free_authenticator(). The
application developer must also free the memory allocated for the local subkey keyblocks using
krb5_free_keyblock().
Principal Access APIs
A principal is a uniquely named client or server instance that participates in a network communication.
The APIs allow one to create, modify and access portions of a krb5_principal. Some of the common APIs
are krb5_parse_name(), krb5_unparse_name(), krb5_free_principal(), krb5_princ_realm(),
krb5_copy_principal(), etc.
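As an added illustration, not code from the HP-UX libraries, the following self-contained C model shows the principal-name syntax that krb5_parse_name() accepts: components separated by '/', an optional '@REALM', and backslash escapes. The struct principal type, parse_principal() and the default_realm parameter are constructed here; the real library returns an opaque krb5_principal and takes the default realm from the krb5_context.

```c
#include <string.h>

#define MAX_COMP 8
#define MAX_LEN 64

/* Constructed model of a Kerberos principal: name components plus a
 * realm. The real library keeps this in the opaque krb5_principal type
 * and fills it with krb5_parse_name(). */
struct principal {
    int ncomp;
    char comp[MAX_COMP][MAX_LEN];
    char realm[MAX_LEN];
};

/* Parse "comp1/comp2@REALM". A backslash escapes the next byte, so "\/",
 * "\@" and "\\" are literal data (the library's other escapes such as
 * "\n" are omitted here). Without "@REALM", default_realm is used, as
 * the library uses the krb5_context default realm. 0 = ok, -1 = malformed. */
int parse_principal(const char *s, const char *default_realm,
                    struct principal *p)
{
    char *out = p->comp[0];
    int len = 0, in_realm = 0;
    p->ncomp = 1;
    for (; *s; s++) {
        if (*s == '\\') {
            if (s[1] == '\0') return -1;      /* dangling escape */
            s++;                              /* keep escaped byte */
        } else if (*s == '@') {
            if (in_realm || len == 0) return -1;  /* "a@b@c", "@R" */
            out[len] = '\0';
            out = p->realm; len = 0; in_realm = 1;
            continue;
        } else if (*s == '/' && !in_realm) {
            if (len == 0 || p->ncomp == MAX_COMP) return -1;
            out[len] = '\0';
            out = p->comp[p->ncomp++]; len = 0;
            continue;
        }
        if (len + 1 >= MAX_LEN) return -1;    /* reject oversize input */
        out[len++] = *s;
    }
    if (len == 0) return -1;      /* empty final component or realm */
    out[len] = '\0';
    if (!in_realm) {
        if (strlen(default_realm) >= MAX_LEN) return -1;
        strcpy(p->realm, default_realm);
    }
    return 0;
}
```

Applications using the real library must release the result with krb5_free_principal() and any string from krb5_unparse_name() with krb5_free_unparsed_name(); this model uses caller-owned storage so nothing needs freeing.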
HP-UX Release 11i: December 2000 1 Section 3487