krb5: Update to 1.21.1 - src - FreeBSD source tree

diff options


context:
space:
mode:

author	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
committer	Cy Schubert <cy@FreeBSD.org>	2023-08-04 17:53:10 +0000
commit	0320e0d5bb9fbb5da53478b3fd80ad79b110191d (patch)
tree	e1185f75bd2d3f87b0c17f787debc3ee8648214b /doc/html/plugindev/kdcpreauth.html
parent	b0e4d68d5124581ae353493d69bea352de4cff8a (diff)

vendor/krb5/1.21.1

Diffstat (limited to 'doc/html/plugindev/kdcpreauth.html')

-rw-r--r--

doc/html/plugindev/kdcpreauth.html

1 files changed, 24 insertions, 26 deletions

diff --git a/doc/html/plugindev/kdcpreauth.html b/doc/html/plugindev/kdcpreauth.html
index a755232152c2..4c74128e4d25 100644
--- a/doc/html/plugindev/kdcpreauth.html
+++ b/doc/html/plugindev/kdcpreauth.html

@@ -1,33 +1,31 @@

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<head>

- <title>KDC preauthentication interface (kdcpreauth) — MIT Kerberos Documentation</title>

+ <title>KDC preauthentication interface (kdcpreauth) — MIT Kerberos Documentation</title>

var DOCUMENTATION_OPTIONS = {

URL_ROOT: '../',

- VERSION: '1.16',

+ VERSION: '1.21.1',

COLLAPSE_INDEX: false,

FILE_SUFFIX: '.html',

- HAS_SOURCE: true

+ HAS_SOURCE: true,

+ SOURCELINK_SUFFIX: '.txt'

};

</script>

+ <link rel="index" title="Index" href="../genindex.html" />

+ <link rel="search" title="Search" href="../search.html" />

- <link rel="top" title="MIT Kerberos Documentation" href="../index.html" />

- <link rel="up" title="For plugin module developers" href="index.html" />

</head>

@@ -61,23 +59,23 @@

- <div class="body">

+ <div class="body" role="main">

<h1>KDC preauthentication interface (kdcpreauth)<a class="headerlink" href="#kdc-preauthentication-interface-kdcpreauth" title="Permalink to this headline">¶</a></h1>

<p>The kdcpreauth interface allows the addition of KDC support for

preauthentication mechanisms beyond those included in the core MIT

krb5 code base. For a detailed description of the kdcpreauth

-interface, see the header file <tt class="docutils literal"><span class="pre"><krb5/kdcpreauth_plugin.h></span></tt> (or

-<tt class="docutils literal"><span class="pre"><krb5/preauth_plugin.h></span></tt> before release 1.12).</p>

+interface, see the header file <code class="docutils literal"><span class="pre"><krb5/kdcpreauth_plugin.h></span></code> (or

+<code class="docutils literal"><span class="pre"><krb5/preauth_plugin.h></span></code> before release 1.12).</p>

<p>A kdcpreauth module is generally responsible for:</p>

<li>Supplying a list of preauth type numbers used by the module in the

<strong>pa_type_list</strong> field of the vtable structure.</li>

<li>Indicating what kind of preauthentication mechanism it implements,

with the <strong>flags</strong> method. If the mechanism computes a new reply

-key, it must specify the <tt class="docutils literal"><span class="pre">PA_REPLACES_KEY</span></tt> flag. If the mechanism

-is generally only used with hardware tokens, the <tt class="docutils literal"><span class="pre">PA_HARDWARE</span></tt>

+key, it must specify the <code class="docutils literal"><span class="pre">PA_REPLACES_KEY</span></code> flag. If the mechanism

+is generally only used with hardware tokens, the <code class="docutils literal"><span class="pre">PA_HARDWARE</span></code>

flag allows the mechanism to work with principals which have the

<strong>requires_hwauth</strong> flag set.</li>

<li>Producing a padata value to be sent with a preauth_required error,

@@ -103,25 +101,25 @@ exchange may remain unfinished by the client or may involve multiple

different KDC hosts). Per-request state objects have the type

krb5_kdcpreauth_modreq, which is an abstract pointer type.</p>

<p>The <strong>edata</strong>, <strong>verify</strong>, and <strong>return_padata</strong> methods have access

-to a callback function and handle (called a “rock”) which can be used

+to a callback function and handle (called a “rock”) which can be used

to get additional information about the current request, including the

-maximum allowable clock skew, the client’s long-term keys, the

+maximum allowable clock skew, the client’s long-term keys, the

DER-encoded request body, the FAST armor key, string attributes on the

-client’s database entry, and the client’s database entry itself. The

+client’s database entry, and the client’s database entry itself. The

<strong>verify</strong> method can assert one or more authentication indicators to

-be included in the issued ticket using the <tt class="docutils literal"><span class="pre">add_auth_indicator</span></tt>

+be included in the issued ticket using the <code class="docutils literal"><span class="pre">add_auth_indicator</span></code>

callback (new in release 1.14).</p>

<p>A module can generate state information to be included with the next

-client request using the <tt class="docutils literal"><span class="pre">set_cookie</span></tt> callback (new in release

+client request using the <code class="docutils literal"><span class="pre">set_cookie</span></code> callback (new in release

1.14). On the next request, the module can read this state

-information using the <tt class="docutils literal"><span class="pre">get_cookie</span></tt> callback. Cookie information is

+information using the <code class="docutils literal"><span class="pre">get_cookie</span></code> callback. Cookie information is

encrypted, timestamped, and transmitted to the client in a

-<tt class="docutils literal"><span class="pre">PA-FX-COOKIE</span></tt> pa-data item. Older clients may not support cookies

+<code class="docutils literal"><span class="pre">PA-FX-COOKIE</span></code> pa-data item. Older clients may not support cookies

and therefore may not transmit the cookie in the next request; in this

-case, <tt class="docutils literal"><span class="pre">get_cookie</span></tt> will not yield the saved information.</p>

+case, <code class="docutils literal"><span class="pre">get_cookie</span></code> will not yield the saved information.</p>

<p>If a module implements a mechanism which requires multiple round

trips, its <strong>verify</strong> method can respond with the code

-<tt class="docutils literal"><span class="pre">KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED</span></tt> and a list of pa-data in

+<code class="docutils literal"><span class="pre">KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED</span></code> and a list of pa-data in

the <em>e_data</em> parameter to be processed by the client.</p>

<p>The <strong>edata</strong> and <strong>verify</strong> methods can be implemented

asynchronously. Because of this, they do not return values directly

@@ -151,7 +149,7 @@ callback to get an event context for use with the <a class="reference external"

<li class="toctree-l1 current"><a class="reference internal" href="index.html">For plugin module developers</a><ul class="current">

<li class="toctree-l2"><a class="reference internal" href="general.html">General plugin concepts</a></li>

<li class="toctree-l2"><a class="reference internal" href="clpreauth.html">Client preauthentication interface (clpreauth)</a></li>

-<li class="toctree-l2 current"><a class="current reference internal" href="">KDC preauthentication interface (kdcpreauth)</a></li>

+<li class="toctree-l2 current"><a class="current reference internal" href="#">KDC preauthentication interface (kdcpreauth)</a></li>

<li class="toctree-l2"><a class="reference internal" href="ccselect.html">Credential cache selection interface (ccselect)</a></li>

<li class="toctree-l2"><a class="reference internal" href="pwqual.html">Password quality interface (pwqual)</a></li>

<li class="toctree-l2"><a class="reference internal" href="kadm5_hook.html">KADM5 hook interface (kadm5_hook)</a></li>

@@ -191,8 +189,8 @@ callback to get an event context for use with the <a class="reference external"

- <div class="right" ><i>Release: 1.16</i><br />

+ <div class="right" ><i>Release: 1.21.1</i><br />

</div>