ONC+ Developer's Guide

KERB Authentication Protocol

The AUTH_KERB protocol, shown in the following code example, has many similarities to the AUTH_DES protocol. Note the differences, which are called out in the comments.


Example B–3 AUTH_KERB Authentication Protocol

#define AUTH_KERB 4                 /* authentication flavor number for AUTH_KERB */
/*
 * There are two kinds of credentials: one in which the client
 * sends the (previously encrypted) Kerberos ticket, and one in
 * which it uses its "nickname" (just an unsigned integer)
 * given to it by the server. The client must use its full name
 * in its first transaction with the server, in which the server
 * returns to the client its nickname. The client may use
 * its nickname in all further transactions with the server
 * (until the ticket expires). There is no requirement to use
 * the nickname, but it is wise to use it for performance reasons.
 *
 * NOTE(review): the nickname is handed out unencrypted (see
 * authkerb_verf_svr) and is only a handle for the state the server
 * created when it validated the full name. A nickname request still
 * carries an encrypted timestamp in the client verifier; the server
 * must keep validating that verifier and must not treat possession
 * of the integer alone as proof of identity.
 */
enum authkerb_namekind {
 	AKN_FULLNAME = 0,   /* credential carries an authkerb_fullname */
 	AKN_NICKNAME = 1    /* credential carries the server-issued nickname */
 };
 
/*
 * A fullname contains the encrypted service ticket and the
 * window. The window is actually a lifetime
 * for the credential. If the time indicated in the verifier
 * timestamp plus the window has passed, then the server should
 * expire the request and not grant it. To ensure that requests
 * are not replayed, the server should insist that timestamps be
 * greater than the previous one seen, unless it is the first
 * transaction. In the first transaction, the server checks
 * instead that the window verifier is one less than the window.
 *
 * NOTE(review): "greater than the previous one seen" implies the
 * server remembers the last accepted timestamp for each client (each
 * nickname) for as long as the ticket is valid; an equal timestamp is
 * a replay and must be refused. The key under which the window is
 * encrypted is not stated in this listing -- confirm against the
 * AUTH_DES description.
 */
struct authkerb_fullname {
 	KTEXT_ST ticket;              /* Kerberos service ticket */
 	unsigned long window;        /* encrypted window: lifetime added to the verifier timestamp (units presumably seconds -- confirm) */
};
/*
 * A credential is either a fullname or a nickname, selected by
 * akc_namekind. AKN_FULLNAME is required for the first transaction;
 * AKN_NICKNAME carries the integer the server returned in
 * authkerb_verf_svr and may be used until the ticket expires.
 *
 * NOTE(review): there is no default arm, so a discriminant other
 * than AKN_FULLNAME or AKN_NICKNAME should fail to decode rather than
 * be interpreted as either kind -- confirm with the generated XDR
 * routine.
 */
union authkerb_credswitch(authkerb_namekind akc_namekind){
 	case AKN_FULLNAME:
 		authkerb_fullname akc_fullname;   /* ticket plus encrypted window */
 	case AKN_NICKNAME:
 		unsigned long akc_nickname;       /* server-issued nickname; not marked encrypted, unlike the verifier fields */
};
 
/*
 * A timestamp encodes the time since midnight, January 1, 1970.
 * It is carried encrypted in both verifiers, and the server compares
 * it with the previous value seen from the same client, so a client
 * must issue strictly increasing timestamps.
 *
 * NOTE(review): both fields are XDR unsigned long (32-bit), so
 * seconds wraps in 2106 -- confirm this is acceptable for the
 * credential lifetimes in use.
 */
struct timestamp {
 	unsigned long seconds;      /* seconds since the epoch */
 	unsigned long useconds;     /* and microseconds within that second */
};
 
/*
 * Verifier: client variety
 * Accompanies the credential. akv_timestamp is the encrypted
 * timestamp the server checks for expiry (timestamp plus window) and
 * for monotonicity; akv_winverf is the encrypted window verifier,
 * which the server checks only on the first transaction, where it
 * must equal the window minus one.
 *
 * NOTE(review): nothing in this structure identifies which
 * transaction it belongs to; the server has to tie the monotonicity
 * check to the per-client state selected by the credential (full
 * name or nickname).
 */
struct authkerb_verf_clnt {
 	timestamp akv_timestamp;   /* encrypted timestamp */
 	unsigned long akv_winverf;  /* encrypted window verifier (window - 1 on first transaction) */
};
 
/*
 * Verifier: server variety
 * The server returns (encrypted) the same timestamp the client
 * gave it minus one second. It also tells the client its
 * nickname to be used in future transactions (unencrypted).
 *
 * NOTE(review): returning the client's own timestamp, altered and
 * re-encrypted, presumably lets the client confirm the server holds
 * the key -- confirm against the AUTH_DES description. The client
 * should compare akv_timeverf with the timestamp it sent (minus one
 * second) and discard both the reply and the nickname on a mismatch;
 * since the nickname is unencrypted, it is only safe to adopt after
 * that check passes.
 */
struct authkerb_verf_svr {
 	timestamp akv_timeverf;    /* encrypted: client's timestamp minus one second */
 	unsigned long akv_nickname; /* new nickname for clnt, sent unencrypted */
};