Партнёры:
Хостинг:
NAME
kerberos_rpc, authkerb_getucred, authkerb_seccreate,
svc_kerb_reg - library routines for remote procedure calls
using Kerberos authentication
SYNOPSIS
cc [ flag ... ] file ... -lkrb [ library ... ]
#include <rpc/rpc.h>
#include <sys/types.h>
int authkerb_getucred(const struct svc_req *rqst, uid_t
*uidp, gid_t *gidp, short *gidlenp, int gidlist[NGROUPS]);
AUTH *authkerb_seccreate(const char *service, const char
*srv_inst, const char *realm, const uint_t window, const
char *timehost, int *status);
int svc_kerb_reg(const SVCXPRT *xprt, const char *name,
const char *inst, const char *realm);
DESCRIPTION
RPC library routines allow C programs to make procedure
calls on other machines across the network.
RPC supports various authentication flavors. Among them are:
AUTH_NONE
(none) no authentication.
AUTH_SYS
Traditional UNIX-style authentication.
AUTH_DES
DES encryption-based authentication.
AUTH_KERB
Kerberos encryption-based authentication.
The authkerb_getucred(), authkerb_seccreate(), and
svc_kerb_reg() routines implement the AUTH_KERB authentica-
tion flavor. The kerbd daemon (see kerbd(1M)) must be run-
ning for the AUTH_KERB authentication system to work for
kernel based services such as NFS, and kinit(1) must have
been run by the user in all cases. Only the AUTH_KERB style
of authentication is discussed here. For information about
the AUTH_NONE and AUTH_SYS styles of authentication, refer
to rpc_clnt_auth(3NSL). For information about the AUTH_DES
style of authentication, refer to secure_rpc(3NSL).
Routines
See rpc(3NSL) for the definition of the AUTH data structure.
gid_t *gidp,
int authkerb_getucred(const struct svc_req *rqst, uid_t *uidp,
short *gidlenp, int gidlist[NGROUPS]);" 6
authkerb_getucred() is used on the server side for con-
verting an AUTH_KERB credential received in an RPC
request, which is operating system independent, into an
AUTH_SYS credential. This routine returns 1 if it
succeeds, 0 if it fails.
*uidp is set to the numerical ID of the user associated
with the RPC request referenced by rqst. *gidp is set
to the numerical ID of the user's group. The numerical
IDs of the other groups to which the user belongs are
stored in gidlist[]. *gidlenp is set to the number of
valid group ID entries returned in gidlist[]. All
information returned by this routine is based on the
Kerberos principal name contained in rqst. This prin-
cipal name is taken to be the login name of the user,
and the IDs returned are the same as if that user had
physically logged in to the system.
*srv_inst, const char *realm, const uint_t window, const char
*timehost, int *status);
AUTH *authkerb_seccreate(const char *service, const char
authkerb_seccreate() is used on the client side to
return an authentication handle that will enable the
use of the Kerberos authentication system. The first
parameter service is the Kerberos principal name of
the service to be used. This name is generally a con-
stant with respect to the service being used.
srv_instance is the instance of the service to be
called, and may be NULL to indicate any instance.
realm is the Kerberos realm name of the desired ser-
vice. If it is NULL, then the local default realm
will be used.
The fourth parameter is the window on the validity of
the client credential, given in seconds. If the
difference in time between the client's clock and the
server's clock exceeds window, the server will reject
the client's credentials, and the clock will have to
be resynchronized. A small window is more secure than
a large one, but choosing too small of a window will
increase the frequency of resynchronizations because
of clock drift.
The fifth parameter, timehost, is optional. If it is
NULL, then the authentication system will assume that
the local clock is always in sync with the timehost
clock, and will not attempt resynchronizations. If a
timehost is supplied, however, then the system will
consult with the remote time service whenever resyn-
chronization is required. This parameter is usually
the name of the host on which the server is running.
The final parameter status is also optional. If
status is supplied, then it will be used to return a
Kerberos error status codes if an error occurs. If
status is NULL, then no detailed error codes will be
returned.
If authkerb_seccreate() fails, it returns NULL.
char *inst, const char *realm);
int svc_kerb_reg(const SVCXPRT *xprt, const char *name, const
svc_kerb_reg() performs registration tasks in the
server which are required before AUTH_KERB requests
can be processed. xprt is the RPC transport to which
this information is to be associated. If xprt is NULL
then this registration will be effective for any
requests arriving on transports that have not been
specifically registered. The service handles associ-
ated with connection endpoints are not exposed to the
programmer. Consequently, xprt should be NULL for
connection-oriented transports.
The other parameters describe the Kerberos principal
identity that this server will take on. This must be
the same identity that the clients will use when
requesting Kerberos tickets for authentication. name
is the principal name of the service and must be pro-
vided. inst is the instance. This parameter may be
NULL to specify the NULL instance of the service.
Most common would be for inst to be "*" which allows
the Kerberos library to determine the correct instance
to use, such as the hostname that the service is run-
ning on. realm is the Kerberos realm name to use in
validating tickets. If it is NULL, then the local
default realm will be used.
svc_kerb_reg() should generally be called immediately
before svc_run(). It returns 0 if it succeeds, and
-1 if it fails.
ATTRIBUTES
See attributes (5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| MT-Level | Unsafe |
|_____________________________|_____________________________|
SEE ALSO
kerberos(1), kinit(1), kerbd(1M), rpc(3NSL),
rpc_clnt_auth(3NSL), secure_rpc(3NSL), svc_run(3NSL) attri-
butes(5)
NOTES
These interfaces are unsafe in multithreaded applications.
Unsafe interfaces should be called only from the main
thread.
|
Закладки на сайте Проследить за страницей |
Created 1996-2024 by Maxim Chirkov Добавить, Поддержать, Вебмастеру |