The following example of AUTH_KERB has many similarities to the one for AUTH_DES, shown in the following code example. Note the differences.
#define AUTH_KERB 4 /* * There are two kinds of credentials: one in which the client * sends the (previously encrypted) Kerberos ticket, and one in * which it uses its “nickname” (just an unsigned integer) * given to it by the server. The client must use its full name * in its first transaction with the server, in which the server * returns to the client its nickname. The client may use * its nickname in all further transactions with the server * (until the ticket expires). There is no requirement to use * the nickname, but it is wise to use it for performance reasons. */ enum authkerb_namekind { AKN_FULLNAME = 0, AKN_NICKNAME = 1 }; /* * A fullname contains the encrypted service ticket and the * window. The window is actually a lifetime * for the credential. If the time indicated in the verifier * timestamp plus the window has passed, then the server should * expire the request and not grant it. To insure that requests * are not replayed, the server should insist that timestamps be * greater than the previous one seen, unless it is the first * transaction. In the first transaction, the server checks * instead that the window verifier is one less than the window. */ struct authkerb_fullname { KTEXT_ST ticket; /* Kerberos service ticket */ unsigned long window; /* encrypted window */ }; /* * A credential is either a fullname or a nickname */ union authkerb_credswitch(authkerb_namekind akc_namekind){ case AKN_FULLNAME: authkerb_fullname akc_fullname; case AKN_NICKNAME: unsigned long akc_nickname; }; /* * A timestamp encodes the time since midnight, January 1, 1970. */ struct timestamp { unsigned long seconds; /* seconds */ unsigned long useconds; /* and microseconds */ }; /* * Verifier: client variety */ struct authkerb_verf_clnt { timestamp akv_timestamp; /* encrypted timestamp */ unsigned long akv_winverf; /* encrypted window verifier */ }; /* * Verifier: server variety * The server returns (encrypted) the same timestamp the client * gave it minus one second. It also tells the client its * nickname to be used in future transactions (unencrypted). */ struct authkerb_verf_svr { timestamp akv_timeverf; /* encrypted verifier */ unsigned long akv_nickname; /* new nickname for clnt */ };