.\" $NetBSD: krb5_verify_init_creds.3,v 1.2 2017/01/28 21:31:49 christos Exp $
.\"
.\" Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" Id
.\"
.Dd May 1, 2006
.Dt KRB5_VERIFY_INIT_CREDS 3
.Os
.Sh NAME
.Nm krb5_verify_init_creds_opt_init ,
.Nm krb5_verify_init_creds_opt_set_ap_req_nofail ,
.Nm krb5_verify_init_creds
.Nd "verifies a credential cache is correct by using a local keytab"
.Sh LIBRARY
Kerberos 5 Library (libkrb5, -lkrb5)
.Sh SYNOPSIS
.In krb5/krb5.h
.Pp
.Li "struct krb5_verify_init_creds_opt;"
.Ft void
.Fo krb5_verify_init_creds_opt_init
.Fa "krb5_verify_init_creds_opt *options"
.Fc
.Ft void
.Fo krb5_verify_init_creds_opt_set_ap_req_nofail
.Fa "krb5_verify_init_creds_opt *options"
.Fa "int ap_req_nofail"
.Fc
.Ft krb5_error_code
.Fo krb5_verify_init_creds
.Fa "krb5_context context"
.Fa "krb5_creds *creds"
.Fa "krb5_principal ap_req_server"
.Fa "krb5_ccache *ccache"
.Fa "krb5_verify_init_creds_opt *options"
.Fc
.Sh DESCRIPTION
The
.Nm krb5_verify_init_creds
function verifies the initial tickets with the local keytab to make
sure the response of the KDC was not spoofed.
.Pp
.Nm krb5_verify_init_creds
will use principal
.Fa ap_req_server
from the local keytab.
If
.Dv NULL
is passed in, the code will guess the local hostname and use that to
form host/hostname/GUESSED-REALM-FOR-HOSTNAME.
.Fa creds
is the credential that
.Nm krb5_verify_init_creds
should verify.
If
.Fa ccache
is given,
.Fn krb5_verify_init_creds
stores all credentials it fetched from the KDC there; otherwise it
will use a memory credential cache that is destroyed when done.
.Pp
.Fn krb5_verify_init_creds_opt_init
clears the structure and must be called before passing the structure to
.Fn krb5_verify_init_creds .
.Pp
.Fn krb5_verify_init_creds_opt_set_ap_req_nofail
controls the behavior if
.Fa ap_req_server
doesn't exist in the local keytab or in the KDC's database.
If it's true, the error will be ignored.
Note that this use is possibly insecure.
.Sh SEE ALSO
.Xr krb5 3 ,
.Xr krb5_get_init_creds 3 ,
.Xr krb5_verify_user 3 ,
.Xr krb5.conf 5