char * shishi_realm_default_guess
( void)
Guesses a realm based on getdomainname() (which really is NIS/YP
domain, but if it is set it might be a good guess), or if it fails,
based on gethostname(), or if it fails, the string
"could-not-guess-default-realm". Note that the hostname is not
trimmed off of the data returned by gethostname() to get the domain
name and use that as the realm.
Return value: Returns guessed realm for host as a string that has to be deallocated with free() by the caller.
const char * shishi_realm_default
(Shishi * handle)
handle: Shishi library handle create by shishi_init().
Return value: Returns the default realm used in the library. (Not a copy of it, so don't modify or deallocate it.)
void shishi_realm_default_set
(Shishi * handle, const char * realm)
handle: Shishi library handle create by shishi_init().
realm: string with new default realm name, or NULL to reset to default.
Set the default realm used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.
char * shishi_realm_for_server_file
(Shishi * handle, char * server)
handle: Shishi library handle create by shishi_init().
server: hostname to find realm for.
Find Kerberos realm for a host using configuration file.
Return value: Returns realm for host, or NULL if not found.
char * shishi_realm_for_server_dns
(Shishi * handle, char * server)
handle: Shishi library handle create by shishi_init().
server: hostname to find realm for.
Find Kerberos realm for a host using DNS lookups, according to draft-ietf-krb-wg-krb-dns-locate-03.txt. Since DNS lookups may be spoofed, relying on the realm information may result in a redirection attack. In a single-realm scenario, this only achieves a denial of service, but with cross-realm trust it may redirect you to a compromised realm. For this reason, Shishi prints a warning, suggesting that the user should add the proper 'server-realm' configuration tokens instead.
To illustrate the DNS information used, here is an extract from a zone file for the domain ASDF.COM:
_kerberos.asdf.com. IN TXT "ASDF.COM" _kerberos.mrkserver.asdf.com. IN TXT "MARKETING.ASDF.COM" _kerberos.salesserver.asdf.com. IN TXT "SALES.ASDF.COM"
Let us suppose that in this case, a Kerberos client wishes to use a Kerberized service on the host foo.asdf.com. It would first query:
_kerberos.foo.asdf.com. IN TXT
Finding no match, it would then query:
_kerberos.asdf.com. IN TXT
Return value: Returns realm for host, or NULL if not found.
char * shishi_realm_for_server
(Shishi * handle, char * server)
handle: Shishi library handle create by shishi_init().
server: hostname to find realm for.
Find Kerberos realm for a host, using various methods. Currently this includes static configuration files (see shishi_realm_for_server_file()) and DNS (see shishi_realm_for_server_dns()).
Return value: Returns realm for host, or NULL if not found.
char * shishi_principal_default_guess
( void)
Guesses a principal using getpwuid(getuid)), or if it fails, the
string "user".
Return value: Returns guessed default principal for user as a string that has to be deallocated with free() by the caller.
const char * shishi_principal_default
(Shishi * handle)
handle: Shishi library handle create by shishi_init().
Return value: Returns the default principal name used in the library. (Not a copy of it, so don't modify or deallocate it.)
void shishi_principal_default_set
(Shishi * handle, const char * principal)
handle: Shishi library handle create by shishi_init().
principal: string with new default principal name, or NULL to reset to default.
Set the default realm used in the library. The string is copied into the library, so you can dispose of the variable immediately after calling this function.
int shishi_principal_name_set
(Shishi * handle, Shishi_asn1 namenode, const char * namefield, Shishi_name_type name_type, const char * [] name)
handle: shishi handle as allocated by shishi_init().
namenode: ASN.1 structure with principal in namefield.
namefield: name of field in namenode containing principal name.
name_type: type of principial, see Shishi_name_type, usually SHISHI_NT_UNKNOWN.
name: zero-terminated input array with principal name.
Set the given principal name field to given name.
Return value: Returns SHISHI_OK iff successful.
int shishi_principal_set
(Shishi * handle, Shishi_asn1 namenode, const char * namefield, const char * name)
handle: shishi handle as allocated by shishi_init().
namenode: ASN.1 structure with principal in namefield.
namefield: name of field in namenode containing principal name.
name: zero-terminated string with principal name on RFC 1964 form.
Set principal name field in ASN.1 structure to given name.
Return value: Returns SHISHI_OK iff successful.
int shishi_authorization_parse
(const char * authorization)
authorization: name of authorization type, e.g. "basic".
Return value: Return authorization type corresponding to a string.
int shishi_authorized_p
(Shishi * handle, Shishi_tkt * tkt, const char * authzname)
handle: shishi handle as allocated by shishi_init().
tkt: input variable with ticket info.
authzname: authorization name.
Simplistic authorization of authzname against encrypted client principal name inside ticket. Currently this function only compare the principal name with authzname using strcmp().
Return value: Returns 1 if authzname is authorized for services by authenticated Kerberos client principal, or 0 otherwise.