1.\" -*- nroff -*- 2.\" 3.\" Copyright (c) 2005 Doug Rabson 4.\" All rights reserved. 5.\" 6.\" Redistribution and use in source and binary forms, with or without 7.\" modification, are permitted provided that the following conditions 8.\" are met: 9.\" 1. Redistributions of source code must retain the above copyright 10.\" notice, this list of conditions and the following disclaimer. 11.\" 2. Redistributions in binary form must reproduce the above copyright 12.\" notice, this list of conditions and the following disclaimer in the 13.\" documentation and/or other materials provided with the distribution. 14.\" 15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 25.\" SUCH DAMAGE. 26.\" 27.\" $FreeBSD$ 28.\" 29.\" Copyright (C) The Internet Society (2000). All Rights Reserved. 30.\" 31.\" This document and translations of it may be copied and furnished to 32.\" others, and derivative works that comment on or otherwise explain it 33.\" or assist in its implementation may be prepared, copied, published 34.\" and distributed, in whole or in part, without restriction of any 35.\" kind, provided that the above copyright notice and this paragraph are 36.\" included on all such copies and derivative works. However, this 37.\" document itself may not be modified in any way, such as by removing 38.\" the copyright notice or references to the Internet Society or other 39.\" Internet organizations, except as needed for the purpose of 40.\" developing Internet standards in which case the procedures for 41.\" copyrights defined in the Internet Standards process must be 42.\" followed, or as required to translate it into languages other than 43.\" English. 44.\" 45.\" The limited permissions granted above are perpetual and will not be 46.\" revoked by the Internet Society or its successors or assigns. 47.\" 48.\" This document and the information contained herein is provided on an 49.\" "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING 50.\" TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING 51.\" BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION 52.\" HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF 53.\" MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 54.\" 55.\" The following commands are required for all man pages. 56.Dd November 12, 2005 57.Os 58.Dt GSS_ACQUIRE_CRED 3 PRM 59.Sh NAME 60.Nm gss_acquire_cred 61.Nd Obtain a GSS-API credential handle for pre-existing credentials 62.\" This next command is for sections 2 and 3 only. 63.\" .Sh LIBRARY 64.Sh SYNOPSIS 65.In "gssapi/gssapi.h" 66.Ft OM_uint32 67.Fo gss_acquire_cred 68.Fa "OM_uint32 *minor_status" 69.Fa "const gss_name_t desired_name" 70.Fa "OM_uint32 time_req" 71.Fa "const gss_OID_set desired_mechs" 72.Fa "gss_cred_usage_t cred_usage" 73.Fa "gss_cred_id_t *output_cred_handle" 74.Fa "gss_OID_set *actual_mechs" 75.Fa "OM_uint32 *time_rec" 76.Fc 77.Sh DESCRIPTION 78Allows an application to acquire a handle for a pre-existing 79credential by name. 80GSS-API implementations must impose a local 81access-control policy on callers of this routine to prevent 82unauthorized callers from acquiring credentials to which they are not 83entitled. 84This routine is not intended to provide a "login to the 85network" function, as such a function would involve the creation of 86new credentials rather than merely acquiring a handle to existing 87credentials. 88Such functions, if required, should be defined in 89implementation-specific extensions to the API. 90.Pp 91If desired_name is 92.Dv GSS_C_NO_NAME , 93the call is interpreted as a 94request for a credential handle that will invoke default behavior 95when passed to 96.Fn gss_init_sec_context 97(if cred_usage is 98.Dv GSS_C_INITIATE 99or 100.Dv GSS_C_BOTH ) 101or 102.Fn gss_accept_sec_context 103(if cred_usage is 104.Dv GSS_C_ACCEPT 105or 106.Dv GSS_C_BOTH ). 107.Pp 108Mechanisms should honor the 109.Fa desired_mechs 110parameter, 111and return a credential that is suitable to use only with the 112requested mechanisms. 113An exception to this is the case where one underlying credential 114element can be shared by multiple mechanisms; 115in this case it is permissible for an implementation to indicate all 116mechanisms with which the credential element may be used. 117If 118.Fa desired_mechs 119is an empty set, behavior is undefined. 120.Pp 121This routine is expected to be used primarily by context acceptors, 122since implementations are likely to provide mechanism-specific ways 123of obtaining GSS-API initiator credentials from the system login 124process. 125Some implementations may therefore not support the acquisition of 126.Dv GSS_C_INITIATE 127or 128.Dv GSS_C_BOTH 129credentials via 130.Fn gss_acquire_cred 131for any name other than 132.Dv GSS_C_NO_NAME , 133or a name produced by applying either 134.Fn gss_inquire_cred 135to a valid credential, or 136.Fn gss_inquire_context 137to an active context. 138.Pp 139If credential acquisition is time-consuming for a mechanism, 140the mechanism may choose to delay the actual acquisition until the 141credential is required 142(e.g. by 143.Fn gss_init_sec_context 144or 145.Fn gss_accept_sec_context ). 146Such mechanism-specific implementation 147decisions should be invisible to the calling application; 148thus a call of 149.Fn gss_inquire_cred 150immediately following the call of 151.Fn gss_acquire_cred 152must return valid credential data, 153and may therefore incur the overhead of a deferred credential acquisition. 154.Sh PARAMETERS 155.Bl -tag 156.It desired_name 157Name of principal whose credential should be acquired. 158.It time_req 159Number of seconds that credentials should remain valid. 160Specify 161.Dv GSS_C_INDEFINITE 162to request that the credentials have the maximum 163permitted lifetime. 164.It desired_mechs 165Set of underlying security mechanisms that may be used. 166.Dv GSS_C_NO_OID_SET 167may be used to obtain an implementation-specific default. 168.It cred_usage 169.Bl -tag -width "GSS_C_INITIATE" 170.It GSS_C_BOTH 171Credentials may be used either to initiate or accept security 172contexts. 173.It GSS_C_INITIATE 174Credentials will only be used to initiate security contexts. 175.It GSS_C_ACCEPT 176Credentials will only be used to accept security contexts. 177.El 178.It output_cred_handle 179The returned credential handle. 180Resources 181associated with this credential handle must be released by 182the application after use with a call to 183.Fn gss_release_cred . 184.It actual_mechs 185The set of mechanisms for which the credential is valid. 186Storage associated with the returned OID-set must be released by the 187application after use with a call to 188.Fn gss_release_oid_set . 189Specify 190.Dv NULL if not required. 191.It time_rec 192Actual number of seconds for which the returned credentials will 193remain valid. 194If the implementation does not support expiration of credentials, 195the value 196.Dv GSS_C_INDEFINITE 197will be returned. 198Specify NULL if not required. 199.It minor_status 200Mechanism specific status code. 201.El 202.Sh RETURN VALUES 203.Bl -tag 204.It GSS_S_COMPLETE 205Successful completion. 206.It GSS_S_BAD_MECH 207Unavailable mechanism requested. 208.It GSS_S_BAD_NAMETYPE 209Type contained within desired_name parameter is not supported. 210.It GSS_S_BAD_NAME 211Value supplied for desired_name parameter is ill formed. 212.It GSS_S_CREDENTIALS_EXPIRED 213The credentials could not be acquired Because they have expired. 214.It GSS_S_NO_CRED 215No credentials were found for the specified name. 216.El 217.Sh SEE ALSO 218.Xr gss_init_sec_context 3 , 219.Xr gss_accept_sec_context 3 , 220.Xr gss_inquire_cred 3 , 221.Xr gss_inquire_context 3 , 222.Xr gss_release_cred 3 , 223.Xr gss_release_oid_set 3 224.Sh STANDARDS 225.Bl -tag 226.It RFC 2743 227Generic Security Service Application Program Interface Version 2, Update 1 228.It RFC 2744 229Generic Security Service API Version 2 : C-bindings 230.\" .Sh HISTORY 231.El 232.Sh HISTORY 233The 234.Nm 235manual page example first appeared in 236.Fx 7.0 . 237.Sh AUTHORS 238John Wray, Iris Associates 239