~ubuntu-branches/ubuntu/oneiric/likewise-open/oneiric

Viewing changes to krb5/doc/api/tables.tex

  • Committer: Bazaar Package Importer
  • Author(s): Scott Salley
  • Date: 2010-11-22 12:06:00 UTC
  • mfrom: (1.1.6 upstream)
  • Revision ID: james.westby@ubuntu.com-20101122120600-8lba1fpceot71wlb
Tags: 6.0.0.53010-1
Likewise Open 6.0

The following is a list of options which can be passed to the Kerberos
server (also known as the Key Distribution Center or KDC).  These
options affect what sort of tickets the KDC will return to the
application program.  The KDC options can be passed to
\funcname{krb5_get_in_tkt}, \funcname{krb5_get_in_tkt_with_password},
\funcname{krb5_get_in_tkt_with_skey}, and \funcname{krb5_send_tgs}. 


\begin{center}
\begin{tabular}{llc}
\multicolumn{1}{c}{Symbol}&\multicolumn{1}{c}{RFC}& Valid for \\
&\multicolumn{1}{c}{section}&get_in_tkt? \\ \hline
KDC_OPT_FORWARDABLE     & 2.6   & yes           \\
KDC_OPT_FORWARDED       & 2.6   &               \\
KDC_OPT_PROXIABLE       & 2.5   & yes           \\
KDC_OPT_PROXY           & 2.5   &               \\
KDC_OPT_ALLOW_POSTDATE  & 2.4   & yes           \\
KDC_OPT_POSTDATED       & 2.4   & yes           \\
KDC_OPT_RENEWABLE       & 2.3   & yes           \\
KDC_OPT_RENEWABLE_OK    & 2.7   & yes           \\
KDC_OPT_ENC_TKT_IN_SKEY & 2.7   &               \\
KDC_OPT_RENEW           & 2.3   &               \\
KDC_OPT_VALIDATE        & 2.2   &               \\
\end{tabular}
\end{center}
\label{KDCOptions}

The following is a list of preauthentication methods which are supported
by Kerberos.  Most preauthentication methods are used by
\funcname{krb5_get_in_tkt}, \funcname{krb5_get_in_tkt_with_password}, and
\funcname{krb5_get_in_tkt_with_skey}; at some sites, the Kerberos server can be
configured so that during the initial ticket transation, it will only
return encrypted tickets after the user has proven his or her identity
using a supported preauthentication mechanism.  This is done to make
certain password guessing attacks more difficult to carry out.



\begin{center}
\begin{tabular}{lcc}
\multicolumn{1}{c}{Symbol}&In & Valid for \\
&RFC?&get_in_tkt? \\ \hline
KRB5_PADATA_NONE                & yes   & yes   \\
KRB5_PADATA_AP_REQ              & yes   &       \\
KRB5_PADATA_TGS_REQ             & yes   &       \\
KRB5_PADATA_PW_SALT             & yes   &       \\
KRB5_PADATA_ENC_TIMESTAMP       & yes   & yes   \\
KRB5_PADATA_ENC_SECURID         &       & yes   \\
\end{tabular}
\end{center}
\label{padata-types}

KRB5_PADATA_TGS_REQ is rarely used by a programmer; it is used to pass
the ticket granting ticket to the Ticket Granting Service (TGS) during a
TGS transaction (as opposed to an initial ticket transaction).

KRB5_PW_SALT is not really a preauthentication method at all.  It is
passed back from the Kerberos server to application program, and it
contains a hint to the proper password salting algorithm which should be
used during the initial ticket exchange.

%The encription type can also be specified in
%\funcname{krb5_get_in_tkt}, however normally only one keytype is used
%in any one database.
%
%\begin{center}
%\begin{tabular}{llc}
%\multicolumn{1}{c}{Symbol}&\multicolumn{1}{c}{RFC}& Supported? \\
%& \multicolumn{1}{c}{section} &  \\ \hline
%ETYPE_NULL             & 6.3.1 &       \\
%ETYPE_DES_CBC_CRC      & 6.3.2 & yes   \\
%ETYPE_DES_CBC_MD4      & 6.3.3 &       \\
%ETYPE_DES_CBC_MD5      & 6.3.4 &       \\
%ETYPE_RAW_DES_CBC      &       & yes   \\
%\end{tabular}
%\end{center}
%\label{etypes}
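Review bot: The paragraph at line 57 of tables.tex names the constant KRB5_PW_SALT, but the preauthentication table lists it as KRB5_PADATA_PW_SALT; use the table's spelling in the prose so the text matches the symbol a reader will search for. On line 32, "transation" should be "transaction". Both \label{KDCOptions} and \label{padata-types} come after \end{center} with no table environment or \caption, so a \ref to either resolves to the enclosing section number rather than to the table; wrapping each tabular in a table float with a \caption and placing the \label after the caption would make the references point at the tables. The symbol names and the "get_in_tkt?" column header use bare underscores in text mode, which only compiles if the including document makes _ an ordinary text character, so that dependency deserves a comment at the top of the file. The commented-out encryption-type block (lines 62 to 77, with "encription" misspelled) is dead text; either restore it with the spelling fixed or drop it.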