Functions | |
| krb5_error_code KRB5_LIB_FUNCTION | krb5_fwd_tgt_creds (krb5_context context, krb5_auth_context auth_context, const char *hostname, krb5_principal client, krb5_principal server, krb5_ccache ccache, int forwardable, krb5_data *out_data) |
| krb5_error_code KRB5_LIB_FUNCTION | krb5_get_forwarded_creds (krb5_context context, krb5_auth_context auth_context, krb5_ccache ccache, krb5_flags flags, const char *hostname, krb5_creds *in_creds, krb5_data *out_data) |
| krb5_error_code KRB5_LIB_FUNCTION krb5_fwd_tgt_creds | ( | krb5_context | context, | |
| krb5_auth_context | auth_context, | |||
| const char * | hostname, | |||
| krb5_principal | client, | |||
| krb5_principal | server, | |||
| krb5_ccache | ccache, | |||
| int | forwardable, | |||
| krb5_data * | out_data | |||
| ) |
Forward credentials for client to host hostname , making them forwardable if forwardable, and returning the blob of data to sent in out_data. If hostname == NULL, pick it from server.
| context | A kerberos 5 context. | |
| auth_context | the auth context with the key to encrypt the out_data. | |
| hostname | the host to forward the tickets too. | |
| client | the client to delegate from. | |
| server | the server to delegate the credential too. | |
| ccache | credential cache to use. | |
| forwardable | make the forwarded ticket forwabledable. | |
| out_data | the resulting credential. |
| krb5_error_code KRB5_LIB_FUNCTION krb5_get_forwarded_creds | ( | krb5_context | context, | |
| krb5_auth_context | auth_context, | |||
| krb5_ccache | ccache, | |||
| krb5_flags | flags, | |||
| const char * | hostname, | |||
| krb5_creds * | in_creds, | |||
| krb5_data * | out_data | |||
| ) |
Gets tickets forwarded to hostname. If the tickets that are forwarded are address-less, the forwarded tickets will also be address-less.
If the ticket have any address, hostname will be used for figure out the address to forward the ticket too. This since this might use DNS, its insecure and also doesn't represent configured all addresses of the host. For example, the host might have two adresses, one IPv4 and one IPv6 address where the later is not published in DNS. This IPv6 address might be used communications and thus the resulting ticket useless.
| context | A kerberos 5 context. | |
| auth_context | the auth context with the key to encrypt the out_data. | |
| ccache | credential cache to use | |
| flags | the flags to control the resulting ticket flags | |
| hostname | the host to forward the tickets too. | |
| in_creds | the in client and server ticket names. The client and server components forwarded to the remote host. | |
| out_data | the resulting credential. |
Some older of the MIT gssapi library used clear-text tickets (warped inside AP-REQ encryption), use the krb5_auth_context flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those tickets. The session key is used otherwise to encrypt the forwarded ticket.
1.5.4