xref: /freebsd/lib/libgssapi/gss_acquire_cred.3 (revision a812392203d7c4c3f0db9d8a0f3391374c49c71f)
1.\" -*- nroff -*-
2.\"
3.\" Copyright (c) 2005 Doug Rabson
4.\" All rights reserved.
5.\"
6.\" Redistribution and use in source and binary forms, with or without
7.\" modification, are permitted provided that the following conditions
8.\" are met:
9.\" 1. Redistributions of source code must retain the above copyright
10.\"    notice, this list of conditions and the following disclaimer.
11.\" 2. Redistributions in binary form must reproduce the above copyright
12.\"    notice, this list of conditions and the following disclaimer in the
13.\"    documentation and/or other materials provided with the distribution.
14.\"
15.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
25.\" SUCH DAMAGE.
26.\"
27.\"	$FreeBSD$
28.\"
29.\" The following commands are required for all man pages.
30.Dd January 26, 2010
31.Dt GSS_ACQUIRE_CRED 3 PRM
32.Os
33.Sh NAME
34.Nm gss_acquire_cred
35.Nd Obtain a GSS-API credential handle for pre-existing credentials
36.\" This next command is for sections 2 and 3 only.
37.\" .Sh LIBRARY
38.Sh SYNOPSIS
39.In "gssapi/gssapi.h"
40.Ft OM_uint32
41.Fo gss_acquire_cred
42.Fa "OM_uint32 *minor_status"
43.Fa "const gss_name_t desired_name"
44.Fa "OM_uint32 time_req"
45.Fa "const gss_OID_set desired_mechs"
46.Fa "gss_cred_usage_t cred_usage"
47.Fa "gss_cred_id_t *output_cred_handle"
48.Fa "gss_OID_set *actual_mechs"
49.Fa "OM_uint32 *time_rec"
50.Fc
51.Sh DESCRIPTION
52Allows an application to acquire a handle for a pre-existing
53credential by name.
54GSS-API implementations must impose a local
55access-control policy on callers of this routine to prevent
56unauthorized callers from acquiring credentials to which they are not
57entitled.
58This routine is not intended to provide a "login to the
59network" function, as such a function would involve the creation of
60new credentials rather than merely acquiring a handle to existing
61credentials.
62Such functions, if required, should be defined in
63implementation-specific extensions to the API.
64.Pp
65If desired_name is
66.Dv GSS_C_NO_NAME ,
67the call is interpreted as a
68request for a credential handle that will invoke default behavior
69when passed to
70.Fn gss_init_sec_context
71(if cred_usage is
72.Dv GSS_C_INITIATE
73or
74.Dv GSS_C_BOTH )
75or
76.Fn gss_accept_sec_context
77(if cred_usage is
78.Dv GSS_C_ACCEPT
79or
80.Dv GSS_C_BOTH ).
81.Pp
82Mechanisms should honor the
83.Fa desired_mechs
84parameter,
85and return a credential that is suitable to use only with the
86requested mechanisms.
87An exception to this is the case where one underlying credential
88element can be shared by multiple mechanisms;
89in this case it is permissible for an implementation to indicate all
90mechanisms with which the credential element may be used.
91If
92.Fa desired_mechs
93is an empty set, behavior is undefined.
94.Pp
95This routine is expected to be used primarily by context acceptors,
96since implementations are likely to provide mechanism-specific ways
97of obtaining GSS-API initiator credentials from the system login
98process.
99Some implementations may therefore not support the acquisition of
100.Dv GSS_C_INITIATE
101or
102.Dv GSS_C_BOTH
103credentials via
104.Fn gss_acquire_cred
105for any name other than
106.Dv GSS_C_NO_NAME ,
107or a name produced by applying either
108.Fn gss_inquire_cred
109to a valid credential, or
110.Fn gss_inquire_context
111to an active context.
112.Pp
113If credential acquisition is time-consuming for a mechanism,
114the mechanism may choose to delay the actual acquisition until the
115credential is required
116(e.g. by
117.Fn gss_init_sec_context
118or
119.Fn gss_accept_sec_context ).
120Such mechanism-specific implementation
121decisions should be invisible to the calling application;
122thus a call of
123.Fn gss_inquire_cred
124immediately following the call of
125.Fn gss_acquire_cred
126must return valid credential data,
127and may therefore incur the overhead of a deferred credential acquisition.
128.Sh PARAMETERS
129.Bl -tag -width ".It output_cred_handle"
130.It desired_name
131Name of principal whose credential should be acquired.
132.It time_req
133Number of seconds that credentials should remain valid.
134Specify
135.Dv GSS_C_INDEFINITE
136to request that the credentials have the maximum
137permitted lifetime.
138.It desired_mechs
139Set of underlying security mechanisms that may be used.
140.Dv GSS_C_NO_OID_SET
141may be used to obtain an implementation-specific default.
142.It cred_usage
143.Bl -tag -width "GSS_C_INITIATE"
144.It GSS_C_BOTH
145Credentials may be used either to initiate or accept security
146contexts.
147.It GSS_C_INITIATE
148Credentials will only be used to initiate security contexts.
149.It GSS_C_ACCEPT
150Credentials will only be used to accept security contexts.
151.El
152.It output_cred_handle
153The returned credential handle.
154Resources
155associated with this credential handle must be released by
156the application after use with a call to
157.Fn gss_release_cred .
158.It actual_mechs
159The set of mechanisms for which the credential is valid.
160Storage associated with the returned OID-set must be released by the
161application after use with a call to
162.Fn gss_release_oid_set .
163Specify
164.Dv NULL if not required.
165.It time_rec
166Actual number of seconds for which the returned credentials will
167remain valid.
168If the implementation does not support expiration of credentials,
169the value
170.Dv GSS_C_INDEFINITE
171will be returned.
172Specify NULL if not required.
173.It minor_status
174Mechanism specific status code.
175.El
176.Sh RETURN VALUES
177.Bl -tag -width ".It GSS_S_CREDENTIALS_EXPIRED"
178.It GSS_S_COMPLETE
179Successful completion.
180.It GSS_S_BAD_MECH
181Unavailable mechanism requested.
182.It GSS_S_BAD_NAMETYPE
183Type contained within desired_name parameter is not supported.
184.It GSS_S_BAD_NAME
185Value supplied for desired_name parameter is ill formed.
186.It GSS_S_CREDENTIALS_EXPIRED
187The credentials could not be acquired because they have expired.
188.It GSS_S_NO_CRED
189No credentials were found for the specified name.
190.El
191.Sh SEE ALSO
192.Xr gss_accept_sec_context 3 ,
193.Xr gss_init_sec_context 3 ,
194.Xr gss_inquire_context 3 ,
195.Xr gss_inquire_cred 3 ,
196.Xr gss_release_cred 3 ,
197.Xr gss_release_oid_set 3
198.Sh STANDARDS
199.Bl -tag -width ".It RFC 2743"
200.It RFC 2743
201Generic Security Service Application Program Interface Version 2, Update 1
202.It RFC 2744
203Generic Security Service API Version 2 : C-bindings
204.El
205.Sh HISTORY
206The
207.Nm
208function first appeared in
209.Fx 7.0 .
210.Sh AUTHORS
211John Wray, Iris Associates
212.Sh COPYRIGHT
213Copyright (C) The Internet Society (2000).  All Rights Reserved.
214.Pp
215This document and translations of it may be copied and furnished to
216others, and derivative works that comment on or otherwise explain it
217or assist in its implementation may be prepared, copied, published
218and distributed, in whole or in part, without restriction of any
219kind, provided that the above copyright notice and this paragraph are
220included on all such copies and derivative works.  However, this
221document itself may not be modified in any way, such as by removing
222the copyright notice or references to the Internet Society or other
223Internet organizations, except as needed for the purpose of
224developing Internet standards in which case the procedures for
225copyrights defined in the Internet Standards process must be
226followed, or as required to translate it into languages other than
227English.
228.Pp
229The limited permissions granted above are perpetual and will not be
230revoked by the Internet Society or its successors or assigns.
231.Pp
232This document and the information contained herein is provided on an
233"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
234TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
235BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
236HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
237MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
238