xref: /freebsd/lib/libc/rpc/rpc_secure.3 (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1.\" @(#)rpc_secure.3n	2.1 88/08/08 4.0 RPCSRC; from 1.19 88/06/24 SMI
2.\" $FreeBSD$
3.\"
4.Dd February 16, 1988
5.Dt RPC 3
6.Os
7.Sh NAME
8.Nm rpc_secure
9.Nd library routines for secure remote procedure calls
10.Sh SYNOPSIS
11.In rpc/rpc.h
12.Ft AUTH *
13.Fo authdes_create
14.Fa "char *name"
15.Fa "unsigned window"
16.Fa "struct sockaddr *addr"
17.Fa "des_block *ckey"
18.Fc
19.Ft int
20.Fn authdes_getucred "struct authdes_cred *adc" "uid_t *uid" "gid_t *gid" "int *grouplen" "gid_t *groups"
21.Ft int
22.Fn getnetname "char *name"
23.Ft int
24.Fn host2netname "char *name" "const char *host" "const char *domain"
25.Ft int
26.Fn key_decryptsession "const char *remotename" "des_block *deskey"
27.Ft int
28.Fn key_encryptsession "const char *remotename" "des_block *deskey"
29.Ft int
30.Fn key_gendes "des_block *deskey"
31.Ft int
32.Fn key_setsecret "const char *key"
33.Ft int
34.Fn netname2host "char *name" "char *host" "int hostlen"
35.Ft int
36.Fn netname2user "char *name" "uid_t *uidp" "gid_t *gidp" "int *gidlenp" "gid_t *gidlist"
37.Ft int
38.Fn user2netname "char *name" "const uid_t uid" "const char *domain"
39.Sh DESCRIPTION
40These routines are part of the
41.Tn RPC
42library.
43They implement
44.Tn DES
45Authentication.
46See
47.Xr rpc 3
48for further details about
49.Tn RPC .
50.Pp
51The
52.Fn authdes_create
53is the first of two routines which interface to the
54.Tn RPC
55secure authentication system, known as
56.Tn DES
57authentication.
58The second is
59.Fn authdes_getucred ,
60below.
61.Pp
62Note: the keyserver daemon
63.Xr keyserv 8
64must be running for the
65.Tn DES
66authentication system to work.
67.Pp
68The
69.Fn authdes_create
70function,
71used on the client side, returns an authentication handle that
72will enable the use of the secure authentication system.
73The first argument
74.Fa name
75is the network name, or
76.Fa netname ,
77of the owner of the server process.
78This field usually
79represents a
80.Fa hostname
81derived from the utility routine
82.Fn host2netname ,
83but could also represent a user name using
84.Fn user2netname .
85The second field is window on the validity of
86the client credential, given in seconds.
87A small
88window is more secure than a large one, but choosing
89too small of a window will increase the frequency of
90resynchronizations because of clock drift.
91The third
92argument
93.Fa addr
94is optional.
95If it is
96.Dv NULL ,
97then the authentication system will assume
98that the local clock is always in sync with the server's
99clock, and will not attempt resynchronizations.
100If an address
101is supplied, however, then the system will use the address
102for consulting the remote time service whenever
103resynchronization
104is required.
105This argument is usually the
106address of the
107.Tn RPC
108server itself.
109The final argument
110.Fa ckey
111is also optional.
112If it is
113.Dv NULL ,
114then the authentication system will
115generate a random
116.Tn DES
117key to be used for the encryption of credentials.
118If it is supplied, however, then it will be used instead.
119.Pp
120The
121.Fn authdes_getucred
122function,
123the second of the two
124.Tn DES
125authentication routines,
126is used on the server side for converting a
127.Tn DES
128credential, which is
129operating system independent, into a
130.Ux
131credential.
132This routine differs from utility routine
133.Fn netname2user
134in that
135.Fn authdes_getucred
136pulls its information from a cache, and does not have to do a
137Yellow Pages lookup every time it is called to get its information.
138.Pp
139The
140.Fn getnetname
141function
142installs the unique, operating-system independent netname of
143the
144caller in the fixed-length array
145.Fa name .
146Returns
147.Dv TRUE
148if it succeeds and
149.Dv FALSE
150if it fails.
151.Pp
152The
153.Fn host2netname
154function
155converts from a domain-specific hostname to an
156operating-system independent netname.
157Returns
158.Dv TRUE
159if it succeeds and
160.Dv FALSE
161if it fails.
162Inverse of
163.Fn netname2host .
164.Pp
165The
166.Fn key_decryptsession
167function
168is an interface to the keyserver daemon, which is associated
169with
170.Tn RPC Ns 's
171secure authentication system
172.Tn ( DES
173authentication).
174User programs rarely need to call it, or its associated routines
175.Fn key_encryptsession ,
176.Fn key_gendes
177and
178.Fn key_setsecret .
179System commands such as
180.Xr login 1
181and the
182.Tn RPC
183library are the main clients of these four routines.
184.Pp
185The
186.Fn key_decryptsession
187function
188takes a server netname and a
189.Tn DES
190key, and decrypts the key by
191using the public key of the server and the secret key
192associated with the effective uid of the calling process.
193It
194is the inverse of
195.Fn key_encryptsession .
196.Pp
197The
198.Fn key_encryptsession
199function
200is a keyserver interface routine.
201It
202takes a server netname and a des key, and encrypts
203it using the public key of the server and the secret key
204associated with the effective uid of the calling process.
205It
206is the inverse of
207.Fn key_decryptsession .
208.Pp
209The
210.Fn key_gendes
211function
212is a keyserver interface routine.
213It
214is used to ask the keyserver for a secure conversation key.
215Choosing one
216.Qq random
217is usually not good enough,
218because
219the common ways of choosing random numbers, such as using the
220current time, are very easy to guess.
221.Pp
222The
223.Fn key_setsecret
224function
225is a keyserver interface routine.
226It is used to set the key for
227the effective
228.Fa uid
229of the calling process.
230.Pp
231The
232.Fn netname2host
233function
234converts from an operating-system independent netname to a
235domain-specific hostname.
236Returns
237.Dv TRUE
238if it succeeds and
239.Dv FALSE
240if it fails.
241Inverse of
242.Fn host2netname .
243.Pp
244The
245.Fn netname2user
246function
247converts from an operating-system independent netname to a
248domain-specific user ID.
249Returns
250.Dv TRUE
251if it succeeds and
252.Dv FALSE
253if it fails.
254Inverse of
255.Fn user2netname .
256.Pp
257The
258.Fn user2netname
259function
260converts from a domain-specific username to an operating-system
261independent netname.
262Returns
263.Dv TRUE
264if it succeeds and
265.Dv FALSE
266if it fails.
267Inverse of
268.Fn netname2user .
269.Sh SEE ALSO
270.Xr rpc 3 ,
271.Xr xdr 3 ,
272.Xr keyserv 8
273.Pp
274The following manuals:
275.Rs
276.%B Remote Procedure Calls: Protocol Specification
277.Re
278.Rs
279.%B Remote Procedure Call Programming Guide
280.Re
281.Rs
282.%B Rpcgen Programming Guide
283.Re
284.Rs
285.%B RPC: Remote Procedure Call Protocol Specification
286.%O RFC1050, Sun Microsystems Inc., USC-ISI
287.Re
288