 dc130c2c75
			
		
	
	dc130c2c75
	
	
	
		
			
			from Thomas Klausner <wiz@netbsd.org> git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@12032 ec53bebd-3082-4978-b11e-865c3cabbd6b
		
			
				
	
	
		
			412 lines
		
	
	
		
			9.5 KiB
		
	
	
	
		
			Groff
		
	
	
	
	
	
			
		
		
	
	
			412 lines
		
	
	
		
			9.5 KiB
		
	
	
	
		
			Groff
		
	
	
	
	
	
| .\" Copyright (c) 2001 - 2003 Kungliga Tekniska Högskolan
 | |
| .\" (Royal Institute of Technology, Stockholm, Sweden). 
 | |
| .\" All rights reserved. 
 | |
| .\"
 | |
| .\" Redistribution and use in source and binary forms, with or without 
 | |
| .\" modification, are permitted provided that the following conditions 
 | |
| .\" are met: 
 | |
| .\"
 | |
| .\" 1. Redistributions of source code must retain the above copyright 
 | |
| .\"    notice, this list of conditions and the following disclaimer. 
 | |
| .\"
 | |
| .\" 2. Redistributions in binary form must reproduce the above copyright 
 | |
| .\"    notice, this list of conditions and the following disclaimer in the 
 | |
| .\"    documentation and/or other materials provided with the distribution. 
 | |
| .\"
 | |
| .\" 3. Neither the name of the Institute nor the names of its contributors 
 | |
| .\"    may be used to endorse or promote products derived from this software 
 | |
| .\"    without specific prior written permission. 
 | |
| .\"
 | |
| .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
 | |
| .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
 | |
| .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
 | |
| .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
 | |
| .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
 | |
| .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
 | |
| .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
 | |
| .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
 | |
| .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
 | |
| .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
 | |
| .\" SUCH DAMAGE. 
 | |
| .\"
 | |
| .\" $Id$
 | |
| .\"
 | |
| .Dd February 5, 2001
 | |
| .Dt KRB5_KEYTAB 3
 | |
| .Os HEIMDAL
 | |
| .Sh NAME
 | |
| .Nm krb5_kt_ops ,
 | |
| .Nm krb5_keytab_entry ,
 | |
| .Nm krb5_kt_cursor ,
 | |
| .Nm krb5_kt_add_entry ,
 | |
| .Nm krb5_kt_close ,
 | |
| .Nm krb5_kt_compare ,
 | |
| .Nm krb5_kt_copy_entry_contents ,
 | |
| .Nm krb5_kt_default ,
 | |
| .Nm krb5_kt_default_name ,
 | |
| .Nm krb5_kt_end_seq_get ,
 | |
| .Nm krb5_kt_free_entry ,
 | |
| .Nm krb5_kt_get_entry ,
 | |
| .Nm krb5_kt_get_name ,
 | |
| .Nm krb5_kt_get_type ,
 | |
| .Nm krb5_kt_next_entry ,
 | |
| .Nm krb5_kt_read_service_key ,
 | |
| .Nm krb5_kt_register ,
 | |
| .Nm krb5_kt_remove_entry ,
 | |
| .Nm krb5_kt_resolve ,
 | |
| .Nm krb5_kt_start_seq_get
 | |
| .Nd manage keytab (key storage) files
 | |
| .Sh LIBRARY
 | |
| Kerberos 5 Library (libkrb5, -lkrb5)
 | |
| .Sh SYNOPSIS
 | |
| .In krb5.h
 | |
| .Pp
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_add_entry
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_close
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fc
 | |
| .Ft krb5_boolean
 | |
| .Fo krb5_kt_compare
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fa "krb5_const_principal principal"
 | |
| .Fa "krb5_kvno vno"
 | |
| .Fa "krb5_enctype enctype"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_copy_entry_contents
 | |
| .Fa "krb5_context context"
 | |
| .Fa "const krb5_keytab_entry *in"
 | |
| .Fa "krb5_keytab_entry *out"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_default
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab *id"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_default_name
 | |
| .Fa "krb5_context context"
 | |
| .Fa "char *name"
 | |
| .Fa "size_t namesize"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_end_seq_get
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_kt_cursor *cursor"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_free_entry
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_get_entry
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_const_principal principal"
 | |
| .Fa "krb5_kvno kvno"
 | |
| .Fa "krb5_enctype enctype"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_get_name
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab keytab"
 | |
| .Fa "char *name"
 | |
| .Fa "size_t namesize"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_get_type
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab keytab"
 | |
| .Fa "char *prefix"
 | |
| .Fa "size_t prefixsize"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_next_entry
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fa "krb5_kt_cursor *cursor"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_read_service_key
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_pointer keyprocarg"
 | |
| .Fa "krb5_principal principal"
 | |
| .Fa "krb5_kvno vno"
 | |
| .Fa "krb5_enctype enctype"
 | |
| .Fa "krb5_keyblock **key"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_register
 | |
| .Fa "krb5_context context"
 | |
| .Fa "const krb5_kt_ops *ops"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_remove_entry
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_keytab_entry *entry"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_resolve
 | |
| .Fa "krb5_context context"
 | |
| .Fa "const char *name"
 | |
| .Fa "krb5_keytab *id"
 | |
| .Fc
 | |
| .Ft krb5_error_code
 | |
| .Fo krb5_kt_start_seq_get
 | |
| .Fa "krb5_context context"
 | |
| .Fa "krb5_keytab id"
 | |
| .Fa "krb5_kt_cursor *cursor"
 | |
| .Fc
 | |
| .Sh DESCRIPTION
 | |
| A keytab name is on the form
 | |
| .Li type:residual .
 | |
| The
 | |
| .Li residual
 | |
| part is specific to each keytab-type.
 | |
| .Pp
 | |
| When a keytab-name is resolved, the type is matched with an internal
 | |
| list of keytab types. If there is no matching keytab type,
 | |
| the default keytab is used. The current default type is
 | |
| .Nm file .
 | |
| The default value can be changed in the configuration file
 | |
| .Pa /etc/krb5.conf
 | |
| by setting the variable
 | |
| .Li [defaults]default_keytab_name .
 | |
| .Pp
 | |
| The keytab types that are implemented in Heimdal
 | |
| are:
 | |
| .Bl -tag -width Ds
 | |
| .It Nm file
 | |
| store the keytab in a file, the type's name is
 | |
| .Li KEYFILE .
 | |
| The residual part is a filename.
 | |
| .It Nm keyfile
 | |
| store the keytab in a
 | |
| .Li AFS
 | |
| keyfile (usually
 | |
| .Pa /usr/afs/etc/KeyFile ) ,
 | |
| the type's name is
 | |
| .Li AFSKEYFILE .
 | |
| The residual part is a filename.
 | |
| .It Nm krb4
 | |
| the keytab is a Kerberos 4
 | |
| .Pa srvtab
 | |
| that is on-the-fly converted to a keytab. The type's name is
 | |
| .Li krb4 .
 | |
| The residual part is a filename.
 | |
| .It Nm memory
 | |
| The keytab is stored in a memory segment. This allows sensitive and/or
 | |
| temporary data not to be stored on disk. The type's name is
 | |
| .Li MEMORY .
 | |
| There are no residual part, the only pointer back to the keytab is the
 | |
| .Fa id
 | |
| returned by
 | |
| .Fn krb5_kt_resolve .
 | |
| .El
 | |
| .Pp
 | |
| .Nm krb5_keytab_entry
 | |
| holds all data for an entry in a keytab file, like principal name,
 | |
| key-type, key, key-version number, etc.
 | |
| .Nm krb5_kt_cursor
 | |
| holds the current position that is used when iterating through a
 | |
| keytab entry with
 | |
| .Fn krb5_kt_start_seq_get ,
 | |
| .Fn krb5_kt_next_entry ,
 | |
| and
 | |
| .Fn krb5_kt_end_seq_get .
 | |
| .Pp
 | |
| .Nm krb5_kt_ops
 | |
| contains the different operations that can be done to a keytab. This
 | |
| structure is normally only used when doing a new keytab-type
 | |
| implementation.
 | |
| .Pp
 | |
| .Fn krb5_kt_resolve
 | |
| is the equivalent of an
 | |
| .Xr open 2
 | |
| on keytab. Resolve the keytab name in
 | |
| .Fa name
 | |
| into a keytab in
 | |
| .Fa id .
 | |
| Returns 0 or an error. The opposite of
 | |
| .Fn krb5_kt_resolve
 | |
| is
 | |
| .Fn krb5_kt_close .
 | |
| .Fn krb5_kt_close
 | |
| frees all resources allocated to the keytab.
 | |
| .Pp
 | |
| .Fn krb5_kt_default
 | |
| sets the argument
 | |
| .Fa id
 | |
| to the default keytab.
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_default_name
 | |
| copy the name of the default keytab into
 | |
| .Fa name .
 | |
| Return 0 or KRB5_CONFIG_NOTENUFSPACE if
 | |
| .Fa namesize
 | |
| is too short.
 | |
| .Pp
 | |
| .Fn krb5_kt_add_entry
 | |
| Add a new
 | |
| .Fa entry
 | |
| to the keytab
 | |
| .Fa id .
 | |
| .Li KRB5_KT_NOWRITE
 | |
| is returned if the keytab is a readonly keytab.
 | |
| .Pp
 | |
| .Fn krb5_kt_compare
 | |
| compares the passed in
 | |
| .Fa entry
 | |
| against
 | |
| .Fa principal ,
 | |
| .Fa vno ,
 | |
| and
 | |
| .Fa enctype .
 | |
| Any of
 | |
| .Fa principal ,
 | |
| .Fa vno
 | |
| or
 | |
| .Fa enctype
 | |
| might be 0 which acts as a wildcard. Return TRUE if they compare the
 | |
| same, FALSE otherwise.
 | |
| .Pp
 | |
| .Fn krb5_kt_copy_entry_contents
 | |
| copies the contents of
 | |
| .Fa in
 | |
| into
 | |
| .Fa out .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_get_name
 | |
| retrieves the name of the keytab
 | |
| .Fa keytab
 | |
| into
 | |
| .Fa name ,
 | |
| .Fa namesize .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_get_type
 | |
| retrieves the type of the keytab
 | |
| .Fa keytab
 | |
| and store the prefix/name for type of the keytab into
 | |
| .Fa prefix ,
 | |
| .Fa prefixsize .
 | |
| The prefix will have the maximum length of
 | |
| .Dv KRB5_KT_PREFIX_MAX_LEN 
 | |
| (including terminating
 | |
| .Dv NUL ) .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_free_entry
 | |
| frees the contents of
 | |
| .Fa entry .
 | |
| .Pp
 | |
| .Fn krb5_kt_start_seq_get
 | |
| sets
 | |
| .Fa cursor
 | |
| to point at the beginning of
 | |
| .Fa id .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_next_entry
 | |
| gets the next entry from
 | |
| .Fa id
 | |
| pointed to by
 | |
| .Fa cursor
 | |
| and advance the
 | |
| .Fa cursor .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_end_seq_get
 | |
| releases all resources associated with
 | |
| .Fa cursor .
 | |
| .Pp
 | |
| .Fn krb5_kt_get_entry
 | |
| retrieves the keytab entry for
 | |
| .Fa principal ,
 | |
| .Fa kvno,
 | |
| .Fa enctype
 | |
| into
 | |
| .Fa entry
 | |
| from the keytab
 | |
| .Fa id .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_read_service_key
 | |
| reads the key identified by
 | |
| .Ns ( Fa principal ,
 | |
| .Fa vno ,
 | |
| .Fa enctype )
 | |
| from the keytab in
 | |
| .Fa keyprocarg
 | |
| (the default if == NULL) into
 | |
| .Fa *key .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_remove_entry
 | |
| removes the entry
 | |
| .Fa entry
 | |
| from the keytab
 | |
| .Fa id .
 | |
| Returns 0 or an error.
 | |
| .Pp
 | |
| .Fn krb5_kt_register
 | |
| registers a new keytab type
 | |
| .Fa ops .
 | |
| Returns 0 or an error.
 | |
| .Sh EXAMPLE
 | |
| This is a minimalistic version of
 | |
| .Nm ktutil .
 | |
| .Pp
 | |
| .Bd -literal
 | |
| int
 | |
| main (int argc, char **argv)
 | |
| {
 | |
|     krb5_context context;
 | |
|     krb5_keytab keytab;
 | |
|     krb5_kt_cursor cursor;
 | |
|     krb5_keytab_entry entry;
 | |
|     krb5_error_code ret;
 | |
|     char *principal;
 | |
| 
 | |
|     if (krb5_init_context (&context) != 0)
 | |
| 	errx(1, "krb5_context");
 | |
| 
 | |
|     ret = krb5_kt_default (context, &keytab);
 | |
|     if (ret)
 | |
| 	krb5_err(context, 1, ret, "krb5_kt_default");
 | |
| 
 | |
|     ret = krb5_kt_start_seq_get(context, keytab, &cursor);
 | |
|     if (ret)
 | |
| 	krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
 | |
|     while((ret = krb5_kt_next_entry(context, keytab, &entry, &cursor)) == 0){
 | |
| 	krb5_unparse_name_short(context, entry.principal, &principal);
 | |
| 	printf("principal: %s\\n", principal);
 | |
| 	free(principal);
 | |
| 	krb5_kt_free_entry(context, &entry);
 | |
|     }
 | |
|     ret = krb5_kt_end_seq_get(context, keytab, &cursor);
 | |
|     if (ret)
 | |
| 	krb5_err(context, 1, ret, "krb5_kt_end_seq_get");
 | |
|     krb5_free_context(context);
 | |
|     return 0;
 | |
| }
 | |
| .Ed
 | |
| .Sh SEE ALSO
 | |
| .Xr krb5.conf 5 ,
 | |
| .Xr kerberos 8
 |