1ae771770SStanislav Sedov<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
2ae771770SStanislav Sedov<html><head><meta http-equiv="Content-Type" content="text/html;charset=UTF-8">
<title>HeimdalKerberos5library: The keytab handling functions</title>
4ae771770SStanislav Sedov<link href="doxygen.css" rel="stylesheet" type="text/css">
5ae771770SStanislav Sedov<link href="tabs.css" rel="stylesheet" type="text/css">
6ae771770SStanislav Sedov</head><body>
10ae771770SStanislav Sedov<!-- end of header marker -->
11ae771770SStanislav Sedov<!-- Generated by Doxygen 1.5.6 -->
22ae771770SStanislav Sedov<div class="contents">
<h1><a class="anchor" name="krb5_keytab_intro">The keytab handling functions </a></h1><h2><a class="anchor" name="section_krb5_keytab">
24ae771770SStanislav SedovKerberos Keytabs</a></h2>
25ae771770SStanislav SedovSee the library functions here: <a class="el" href="group__krb5__keytab.html">Heimdal Kerberos 5 keytab handling functions</a><p>
Keytabs are long-term key storage for servers, the server equivalent of password files.<p>
Normally the only keytab functions that are useful for a server are those that specify which keytab other core functions such as krb5_rd_req() should use: <a class="el" href="group__krb5__keytab.html#gc57fead58fb1baa003d6438613731901">krb5_kt_resolve()</a>, and <a class="el" href="group__krb5__keytab.html#gb67f5ae0a7c4b87d193218b842cad590">krb5_kt_close()</a>.<h3><a class="anchor" name="krb5_keytab_names">
28ae771770SStanislav SedovKeytab names</a></h3>
A keytab name has the form type:residual. The residual part is specific to each keytab type.<p>
When a keytab name is resolved, the type is matched against an internal list of keytab types. If there is no matching keytab type, the default keytab type is used. The current default type is FILE.<p>
31ae771770SStanislav SedovThe default value can be changed in the configuration file /etc/krb5.conf by setting the variable [defaults]default_keytab_name.<p>
32ae771770SStanislav SedovThe keytab types that are implemented in Heimdal are:<ul>
<li>file stores the keytab in a file; the type's name is FILE. The residual part is a filename. For compatibility with other Kerberos implementations, WRFILE and JAVA14 are also accepted. WRFILE has the same format as FILE. JAVA14 has a format that is compatible with older versions of MIT Kerberos and Sun's Java-based installation. That format stores a truncated kvno, so when the kvno exceeds 255 it is truncated.</li></ul>
34ae771770SStanislav Sedov<p>
35ae771770SStanislav Sedov<ul>
<li>keytab stores the keytab in an AFS KeyFile (usually /usr/afs/etc/KeyFile); the type's name is AFSKEYFILE. The residual part is a filename.</li></ul>
37ae771770SStanislav Sedov<p>
38ae771770SStanislav Sedov<ul>
<li>memory stores the keytab in a memory segment. This allows sensitive and/or temporary data to be kept off disk. The type's name is MEMORY. Each MEMORY keytab is reference counted and opened by its residual name, so two handles can point to the same memory area. When the last user closes the keytab with <a class="el" href="group__krb5__keytab.html#gb67f5ae0a7c4b87d193218b842cad590">krb5_kt_close()</a>, the keys in the keytab are memset() to zero and freed, and the keytab can no longer be looked up by name.</li></ul>
40ae771770SStanislav Sedov<h3><a class="anchor" name="krb5_keytab_example">
41ae771770SStanislav SedovKeytab example</a></h3>
42ae771770SStanislav SedovThis is a minimalistic version of ktutil.<p>
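<div class="fragment"><pre class="fragment"><span class="comment">/*
 * List the principal of every entry in the default keytab.
 * Every failing krb5 call is fatal: krb5_err() reports the error and
 * exits with status 1, so no explicit cleanup is needed on error paths.
 */</span>
<span class="keywordtype">int</span>
main (<span class="keywordtype">int</span> argc, <span class="keywordtype">char</span> **argv)
{
    krb5_context context;
    krb5_keytab keytab;
    krb5_kt_cursor cursor;
    krb5_keytab_entry entry;
    krb5_error_code ret;
    <span class="keywordtype">char</span> *principal;

    <span class="comment">/* No context exists yet, so errx() rather than krb5_err() reports this. */</span>
    <span class="keywordflow">if</span> (<a class="code" href="group__krb5.html#gbd94206e186c58a093975424a4a567a8">krb5_init_context</a> (&amp;context) != 0)
        errx(1, <span class="stringliteral">"krb5_context"</span>);

    <span class="comment">/* Open the default keytab (see [defaults]default_keytab_name). */</span>
    ret = <a class="code" href="group__krb5__keytab.html#gfcd059883c79dbd99a179bc4225d16b5">krb5_kt_default</a> (context, &amp;keytab);
    <span class="keywordflow">if</span> (ret)
        krb5_err(context, 1, ret, <span class="stringliteral">"krb5_kt_default"</span>);

    ret = <a class="code" href="group__krb5__keytab.html#g1efd8ee48d6e3caa31cad475423b8917">krb5_kt_start_seq_get</a>(context, keytab, &amp;cursor);
    <span class="keywordflow">if</span> (ret)
        krb5_err(context, 1, ret, <span class="stringliteral">"krb5_kt_start_seq_get"</span>);
    <span class="keywordflow">while</span>((ret = <a class="code" href="group__krb5__keytab.html#gc40140c41333a86d3c40426f50b4e1b0">krb5_kt_next_entry</a>(context, keytab, &amp;entry, &amp;cursor)) == 0){
        <span class="comment">/* If unparsing fails, principal is not a valid string and must
           not be printed or freed. */</span>
        ret = <a class="code" href="group__krb5__principal.html#gac881051ed59fe0dcd08cee62280b332">krb5_unparse_name</a>(context, entry.principal, &amp;principal);
        <span class="keywordflow">if</span> (ret)
            krb5_err(context, 1, ret, <span class="stringliteral">"krb5_unparse_name"</span>);
        printf(<span class="stringliteral">"principal: %s\n"</span>, principal);
        free(principal);
        <a class="code" href="group__krb5__keytab.html#gc0774ab1407eaaaa0e5998478de246e2">krb5_kt_free_entry</a>(context, &amp;entry);
    }
    <span class="comment">/* KRB5_KT_END is the normal end of iteration; anything else means the
       keytab could not be read completely and must not be silently ignored. */</span>
    <span class="keywordflow">if</span> (ret != KRB5_KT_END)
        krb5_err(context, 1, ret, <span class="stringliteral">"krb5_kt_next_entry"</span>);
    ret = <a class="code" href="group__krb5__keytab.html#g11289efb407d93a1f84d5c64731a4bd1">krb5_kt_end_seq_get</a>(context, keytab, &amp;cursor);
    <span class="keywordflow">if</span> (ret)
        krb5_err(context, 1, ret, <span class="stringliteral">"krb5_kt_end_seq_get"</span>);
    ret = <a class="code" href="group__krb5__keytab.html#gb67f5ae0a7c4b87d193218b842cad590">krb5_kt_close</a>(context, keytab);
    <span class="keywordflow">if</span> (ret)
        krb5_err(context, 1, ret, <span class="stringliteral">"krb5_kt_close"</span>);
    <a class="code" href="group__krb5.html#ge51d83f5d5f589883f1cd10887892777">krb5_free_context</a>(context);
    <span class="keywordflow">return</span> 0;
}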
78ae771770SStanislav Sedov</pre></div> </div>
81ae771770SStanislav Sedov</body>
82ae771770SStanislav Sedov</html>