DOKK / manpages / debian 12 / heimdal-dev / krb5_verify_init_creds.3.en

krb5_verify_init_creds_opt_init, krb5_verify_init_creds_opt_set_ap_req_nofail, krb5_verify_init_credsverifies a credential cache is correct by using a local keytab

Kerberos 5 Library (libkrb5, -lkrb5)

#include <krb5.h>

struct krb5_verify_init_creds_opt;
krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt *options);

krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt *options, int ap_req_nofail);

krb5_verify_init_creds(krb5_context context, krb5_creds *creds, krb5_principal ap_req_server, krb5_ccache *ccache, krb5_verify_init_creds_opt *options);

The krb5_verify_init_creds function verifies the initial tickets with the local keytab to make sure the response of the KDC was spoof-ed.

krb5_verify_init_creds will use principal ap_req_server from the local keytab, if NULL is passed in, the code will guess the local hostname and use that to form host/hostname/GUESSED-REALM-FOR-HOSTNAME. creds is the credential that krb5_verify_init_creds should verify. If ccache is given () stores all credentials it fetched from the KDC there, otherwise it will use a memory credential cache that is destroyed when done.

() cleans the the structure, must be used before trying to pass it in to krb5_verify_init_creds().

() controls controls the behavior if ap_req_server doesn't exists in the local keytab or in the KDC's database, if it's true, the error will be ignored. Note that this use is possible insecure.

krb5(3), krb5_get_init_creds(3), krb5_verify_user(3), krb5.conf(5)

May 1, 2006 HEIMDAL