#define AUTH_KERB 4 /* authentication flavor number that tags the Kerberos-based credentials and verifiers defined below */
/*
* There are two kinds of credentials: one in which the client
* sends the (previously encrypted) Kerberos ticket, and one in
* which it uses its "nickname" (just an unsigned integer)
* given to it by the server. The client must use its full name
* in its first transaction with the server, in which the server
* will return to the client its nickname. The client may use
* its nickname in all further transactions with the server
* (until the ticket expires). There is no requirement to use
* the nickname, but it is wise to use it for performance reasons.
*/
enum authkerb_namekind {
    AKN_FULLNAME = 0,  /* credential carries the full name (ticket + window); required on the first transaction */
    AKN_NICKNAME = 1   /* credential carries only the server-assigned nickname; usable until the ticket expires */
};
/*
* A fullname contains the encrypted service ticket and the
* window. The window is actually a lifetime
* for the credential. If the time indicated in the verifier
* timestamp plus the window has passed, then the server should
* expire the request and not grant it. To ensure that requests
* are not replayed, the server should insist that timestamps be
* greater than the previous one seen, unless it is the first
* transaction. In the first transaction, the server checks
* instead that the window verifier is one less than the window.
*/
struct authkerb_fullname {
    KTEXT_ST ticket;       /* Kerberos service ticket, encrypted before it is sent */
    unsigned long window;  /* encrypted window: lifetime of the credential, measured from the verifier timestamp */
};
/*
* A credential is either a fullname or a nickname
*/
/*
 * Discriminated by akc_namekind. There is no default arm, so under XDR
 * rules a discriminant other than the two listed values fails to decode
 * rather than mapping to either arm.
 */
union authkerb_credswitch(authkerb_namekind akc_namekind){
case AKN_FULLNAME:
    authkerb_fullname akc_fullname;  /* first transaction: encrypted ticket and window */
case AKN_NICKNAME:
    unsigned long akc_nickname;      /* later transactions: the nickname the server returned */
};
/*
* A timestamp encodes the time since midnight, January 1, 1970.
*/
struct timestamp {
    unsigned long seconds;   /* whole seconds since midnight, January 1, 1970 */
    unsigned long useconds;  /* microsecond part; presumably in [0, 1000000) -- not stated here */
};
/*
* Verifier: client variety
*/
struct authkerb_verf_clnt {
    timestamp akv_timestamp;    /* encrypted timestamp; the server expects it to exceed the previous one seen (replay check) */
    unsigned long akv_winverf;  /* encrypted window verifier; on the first transaction it must be one less than the window */
};
/*
* Verifier: server variety
* The server returns (encrypted) the same timestamp the client
* gave it minus one second. It also tells the client its
* nickname to be used in future transactions (unencrypted).
*/
struct authkerb_verf_svr {
    timestamp akv_timeverf;      /* encrypted copy of the client's timestamp minus one second */
    unsigned long akv_nickname;  /* nickname for subsequent transactions; sent unencrypted, so treat it as an opaque handle, not a secret */
};