* this program may not be set.
*
* The calling program can then use the name of the cache
- * to set the KRB5CCNAME and PAG for its self and its children.
+ * to set the KRB5CCNAME and PAG for itself and its children.
*
* If no ticket was passed, an attemplt to join an existing
* PAG will be made.
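Review bot: the same comment block still carries a typo two lines below the changed line, `attemplt` in `an attemplt to join an existing PAG`; since this patch is already correcting wording in this comment, change it to `attempt` here rather than leaving it for a separate sweep.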
strcpy(ccname+38,direntp->d_name);
if (!k5dcematch(luid, pname, ccname, &size, &xtgt)) {
- /* its one of our caches, see if it is better
+ /* it's one of our caches, see if it is better
* i.e. the endtime is farther, and if the endtimes
* are the same, take the larger, as he who has the
* most tickets wins.
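Review bot: the wording fix is fine, but the visible context line `strcpy(ccname+38,direntp->d_name);` copies a directory entry name into `ccname` with no length check in view. That is outside the scope of a comment-only patch, but it deserves a follow-up that uses a length-limited copy (or checks `strlen(direntp->d_name)` against the space remaining in `ccname`) so an unexpectedly long cache-file name cannot overrun the buffer.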
{
int i;
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
buflen -= 1;
switch(data[3]) {
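Review bot: while this comment is being touched, `NULL terminated` should read `NUL terminated`: the code stores the `'\0'` character, not the NULL pointer, and keeping the two distinct helps when grepping for pointer bugs. The comment also describes intent rather than effect: `buf[buflen-1] = '\0'` unconditionally overwrites the last byte instead of checking for a terminator, so something like `/* force NUL termination, dropping the last byte */` matches what the code does.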
{
int i;
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
buflen -= 1;
switch(data[3]) {
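Review bot: `NULL terminated` should be `NUL terminated` on the edited line; the assignment stores the `'\0'` character and unconditionally overwrites the final byte of `buf` rather than checking for a terminator, so the comment should say that it forces termination.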
{
int i;
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
buflen -= 1;
switch(data[3]) {
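Review bot: `NULL terminated` should be `NUL terminated` on the edited line; the assignment stores the `'\0'` character and unconditionally overwrites the final byte of `buf` rather than checking for a terminator, so the comment should say that it forces termination.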
{
int i;
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
buflen -= 1;
switch(data[3]) {
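Review bot: `NULL terminated` should be `NUL terminated` on the edited line; the assignment stores the `'\0'` character and unconditionally overwrites the final byte of `buf` rather than checking for a terminator, so the comment should say that it forces termination.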
{
int i;
- buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
buflen -= 1;
switch(data[3]) {
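Review bot: `NULL terminated` should be `NUL terminated` on the edited line; the assignment stores the `'\0'` character and unconditionally overwrites the final byte of `buf` rather than checking for a terminator, so the comment should say that it forces termination.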
@subsection What is 2b ?
2b is the name of the proposal that was implemented to give basic
-Kerberos 5 support to AFS in rxkad. Its not real Kerberos 5 support
+Kerberos 5 support to AFS in rxkad. It's not real Kerberos 5 support
since it still uses fcrypt for data encryption and not Kerberos
encryption types.
@item Proxy certificates
-Remember that End Entity can't issue certificates by them own, its not
+Remember that End Entity can't issue certificates by them own, it's not
really true. There there is an extension called proxy certificates,
defined in RFC3820, that allows certificates to be issued by end entity
certificates. The service that receives the proxy certificates must have
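Review bot: the replaced line keeps two grammar problems that belong in the same fix: `by them own` should be `on their own`, and the following context line opens with the doubled `There there is`. Suggested reading: `Remember that End Entities can't issue certificates on their own? That's not really true: there is an extension called proxy certificates, defined in RFC3820, ...`.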
@node Setting up a CA, Creating a CA certificate, What is X.509 ?, Top
@chapter Setting up a CA
-Do not let this chapter scare you off, its just to give you an idea how
+Do not let this chapter scare you off, it's just to give you an idea how
to complicated setting up a CA can be. If you are just playing around,
skip all this and go to the next chapter, @pxref{Creating a CA
certificate}.
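Review bot: the sentence continued on the context line reads `how to complicated setting up a CA can be`; `to` is spurious and it should be `how complicated setting up a CA can be`. It is the same sentence as the changed line, so fix it in this hunk.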
Creating a CA certificate should be more the just creating a
-certificate, there is the policy of the CA. If its just you and your
+certificate, there is the policy of the CA. If it's just you and your
friend that is playing around then it probably doesn't matter what the
policy is. But then it comes to trust in an organisation, it will
probably matter more whom your users and sysadmins will find it
acceptable to trust.
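Review bot: three wording issues in this paragraph beyond `its`: `more the just creating` should be `more than just creating`, `your friend that is playing around` should be `are playing around`, and `But then it comes to trust` should be `But when it comes to trust`. The last one changes the meaning (a condition rather than a sequence), so it is worth fixing while the paragraph is open.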
-At the same time, try to keep thing simple, its not very hard to run a
+At the same time, try to keep thing simple, it's not very hard to run a
Certificate authority and the process to get new certificates should
simple.
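Review bot: `keep thing simple` should be `keep things simple`, and the sentence ends with `should simple`, missing `be`; both are within two lines of the edited one.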
receiver allows it, authorises the server or client to use that JID.
When storing a JID inside the certificate, both for server and client,
-its stored inside a UTF8String within an otherName entity inside the
+it's stored inside a UTF8String within an otherName entity inside the
subjectAltName, using the OID id-on-xmppAddr (1.3.6.1.5.5.7.8.5).
To read more about the requirements, see RFC3920, Extensible Messaging
@chapter CMS signing and encryption
CMS is the Cryptographic Message System that among other, is used by
-S/MIME (secure email) and Kerberos PK-INIT. Its an extended version of
+S/MIME (secure email) and Kerberos PK-INIT. It's an extended version of
the RSA, Inc standard PKCS7.
@node CMS background, , CMS signing and encryption, Top
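Review bot: the context line expands CMS as `Cryptographic Message System`; the standard's name (RFC 3852, later RFC 5652) is Cryptographic Message Syntax, and `among other` should be `among others`. Since the next line is edited anyway, correct the expansion so readers looking for the RFC find it.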
host/host.example.com@@EXAMLE.COM(kvno 3) in keytab /etc/krb5.keytab
(des-cbc-crc)''. This improves the chance that the user find the
cause of the error so you should use the customised error message
-whenever its available.
+whenever it's available.
See also manual page for @manpage{krb5_get_error_string,3} and
@manpage{krb5_get_err_text,3}.
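Review bot: the quoted example error message spells the realm `EXAMLE.COM`; unless that is a deliberate reproduction of real output, it should be `EXAMPLE.COM` so the example reads as a plausible principal. Also `the user find the cause` should be `finds`.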
First the client needs to call @code{krb5_init_context} to initialise
the Kerberos 5 library. This is only needed once per thread
in the program. If the function returns a non-zero value it indicates
-that either the Kerberos implementation is failing or its disabled on
+that either the Kerberos implementation is failing or it's disabled on
this host.
@example
@item @code{afs3-salt}
-@code{afs3-salt} is the salt that is used with Transarc kaserver. Its
+@code{afs3-salt} is the salt that is used with Transarc kaserver. It's
the cell name appended to the password.
@end itemize
necessary in order to use OpenLDAP 2.1.x.)
@item
-Add the hdb schema to the LDAP server, its included in the source-tree
+Add the hdb schema to the LDAP server, it's included in the source-tree
in @file{lib/hdb/hdb.schema}. Example from slapd.conf:
@example
group.
Since Heimdal talks to the LDAP server over a UNIX domain socket, and
-uses external sasl authentication, its not possible to require
+uses external sasl authentication, it's not possible to require
security layer quality (ssf in cyrus-sasl lingo). So that requirement
has to be turned off in OpenLDAP @command{slapd} configuration file
@file{slapd.conf}.
certificates to get the initial ticket, that is usually the krbtgt.
To use PK-INIT you must first have a PKI, so if you don't have one,
-now its time to create it. Note that you should read the whole chapter
-of the document to see the requirements on the CA sortware.
+it is time to create it. Note that you should read the whole chapter
+of the document to see the requirements on the CA software.
There needs to exist a mapping between the certificate and what
principals that certificate is allowed to use. There are several ways
Both of these two requirements are not required by the standard to be
checked by the client if it have external information what the
-certificate the KDC is supposed to be used. So its in the interst of
+certificate the KDC is supposed to be used. So it's in the interest of
minimum amount of configuration on the clients they should be included.
Remember that if the client would accept any certificate as the KDC's
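Review bot: the sentence around the changed line is hard to parse: `if it have external information what the certificate the KDC is supposed to be used` and `in the interest of minimum amount of configuration on the clients they should be included`. Suggested: `if it has external information about which certificate the KDC is supposed to use. So, in the interest of minimal configuration on the clients, they should be included.` The paragraph states a security-relevant rule (which checks on the KDC certificate a client may skip, and under what condition), so the condition should be unambiguous.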
*ent->salttype = key->salt->type;
#else
/*
- * We shouldn't sent salttype since its incompatible with the
- * specification and its break windows clients. The afs
+ * We shouldn't sent salttype since it is incompatible with the
+ * specification and it breaks windows clients. The afs
* salting problem is solved by using KRB5-PADATA-AFS3-SALT
* implemented in Heimdal 0.7 and later.
*/
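Review bot: `We shouldn't sent salttype` on the first changed line should be `send`; the patch already rewrites that line, so fix the verb too.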
if(rspac->length) {
/*
* No not need to filter out the any PAC from the
- * auth_data since its signed by the KDC.
+ * auth_data since it's signed by the KDC.
*/
ret = _kdc_tkt_add_if_relevant_ad(context, &et,
KRB5_AUTHDATA_WIN2K_PAC,
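Review bot: the first line of the comment, `No not need to filter out the any PAC from the`, should read `No need to filter out any PAC from the`; fix it in this hunk since the next line is being edited.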
}
/*
- * Check that service is in the same realm as the krbtgt. If its
- * not the same, its someone that is using a uni-directional trust
+ * Check that service is in the same realm as the krbtgt. If it's
+ * not the same, it's someone that is using a uni-directional trust
* backward.
*/
.It Fl credential= Ns Ar principal
remove
.Fa principal
-from the credential cache if its exists.
+from the credential cache if it exists.
.It Fl c Ar cachefile
.It Fl cache= Ns Ar cachefile
The cache file to remove.
if (renew) {
/*
- * no need to check the error here, its only to be
+ * no need to check the error here, it's only to be
* friendly to the user
*/
krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
kaka3 [2] IMPLICIT Kaka3 OPTIONAL
}
--- Don't code kaka if its 1
+-- Don't code kaka if it's 1
-- Workaround is to use OPTIONAL and check for in the encoder stubs
Bar ::= SEQUENCE {
support it.
.Pp
Heimdal defaults to correct SPNEGO when the the kerberos
-implementation uses CFX, or when its configured by the user.
+implementation uses CFX, or when it is configured by the user.
To turn on compatibility with peers, use option
.Nm [gssapi]
.Ar require_mechlist_mic .
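Review bot: the context line just above the edit has a doubled article, `when the the kerberos implementation uses CFX`; drop one `the` (and capitalise `Kerberos`, as elsewhere in the manual page) in this hunk.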
* If the credential doesn't have ok-as-delegate, check what local
* policy say about ok-as-delegate, default is FALSE that makes
* code ignore the KDC setting and follow what the application
- * requested. If its TRUE, strip of the GSS_C_DELEG_FLAG if the
+ * requested. If it is TRUE, strip of the GSS_C_DELEG_FLAG if the
* KDC doesn't set ok-as-delegate.
*/
if (!cred->flags.b.ok_as_delegate) {
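Review bot: two small fixes belong with the changed line and its neighbours: `strip of the GSS_C_DELEG_FLAG` should be `strip off`, and `policy say about ok-as-delegate` should be `policy says`. This comment documents when the library drops a client's delegation request against the KDC's ok-as-delegate setting, so its wording should be exact.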
/*
* Token must start with [APPLICATION 0] SEQUENCE.
- * But if it doesn't assume its DCE-STYLE Kerberos!
+ * But if it doesn't assume it is DCE-STYLE Kerberos!
*/
if (len == 0)
return (GSS_S_DEFECTIVE_TOKEN);
OM_uint32 status;
/*
- * First try to parse the gssapi token header and see if its a
+ * First try to parse the gssapi token header and see if it's a
* correct header, use that in the first hand.
*/
01110000 01110000 01110000 01110000 01111000 01111000 01111000 01111000
00001111 00001111 00001111 00001111 00000111 00000111 00000111 00000111
-The pattern is getting more obvious if its printed out where the bits
+The pattern is getting more obvious if it's printed out where the bits
are coming from.
8 16 24 - - - - -
PC2 transformations
===================
-PC2 is also a table lookup, since its a 24 bit field, I use 4 6-bit
+PC2 is also a table lookup, since it's a 24 bit field, I use 4 6-bit
lookup tables. Printing the reverse of the PC2 table reveal that some
of the bits are not used, namely (9, 18, 22, 25) from c and (7, 10,
15, 26) from d.
/*
* If this is just a "account" entry and no other objectclass
- * is hanging on this entry, its really a new entry.
+ * is hanging on this entry, it's really a new entry.
*/
if (is_samba_account == FALSE && is_heimdal_principal == FALSE &&
is_heimdal_entry == FALSE) {
int add_krb5EncryptionType = 0;
/*
- * Only add/modify krb5EncryptionType if its a new heimdal
+ * Only add/modify krb5EncryptionType if it's a new heimdal
* entry or krb5EncryptionType already exists on the entry.
*/
/*
* Generate the `key_set' from the [kadmin]default_keys statement. If
* `no_salt' is set, salt is not important (and will not be set) since
- * its random keys that is going to be created.
+ * it's random keys that is going to be created.
*/
krb5_error_code
x509 issues:
- OtherName is left unspecified, but its used by other
+ OtherName is left unspecified, but it's used by other
specs. creating this hole where a application/CA can't specify
policy for SubjectAltName what covers whole space. For example, a
CA is trusted to provide authentication but not authorization.
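Review bot: `a application/CA` on the context line should be `an application/CA`, and `policy for SubjectAltName what covers whole space` reads better as `policy for SubjectAltName that covers the whole space`.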
memset(&si, 0, sizeof(si));
/*
- * Try to find AuthorityKeyIdentifier, if its not present in the
+ * Try to find AuthorityKeyIdentifier, if it's not present in the
* subject certificate nor the parent.
*/
}
/*
- * The subjectName is "null" when its empty set of relative DBs.
+ * The subjectName is "null" when it's empty set of relative DBs.
*/
static int
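Review bot: `empty set of relative DBs` looks like a typo for `DNs`: an X.509 Name is a sequence of relative distinguished names (RDNs), and an empty sequence is the `null` subjectName this comment describes. Suggest `when it is an empty sequence of RDNs`.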
}
/*
- * If its not pkcs7-data send signedAttributes
+ * If it isn't pkcs7-data send signedAttributes
*/
if (der_heim_oid_cmp(eContentType, oid_id_pkcs7_data()) != 0) {
-This is a static file don't change the content, its used in the test
+This is a static file don't change the content, it is used in the test
#!/bin/sh
#
* prompter or known to work pin code.
*
* This code is very conversative and only uses the prompter in
- * the hx509_lock, the reason is that its bad to try many
+ * the hx509_lock, the reason is that it's bad to try many
* passwords on a pkcs11 token, it might lock up and have to be
* unlocked by a administrator.
*
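Review bot: `conversative` in the first context line should be `conservative`, and `a administrator` should be `an administrator`; both sit in the comment being edited.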
/*
* If signer certificate isn't the CA certificate, lets check the
- * its the CA that signed the signer certificate and the OCSP EKU
+ * it is the CA that signed the signer certificate and the OCSP EKU
* is set.
*/
if (hx509_cert_cmp(signer, parent) != 0) {
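Review bot: the changed line still reads oddly after the edit: `lets check the` / `it is the CA that signed`. Suggest `let's check that it is the CA that signed the signer certificate and that the OCSP EKU is set`, which makes explicit that both conditions are required for the branch below.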
_hx509_query_clear(&q);
/*
- * If its the signer have CRLSIGN bit set, use that as the signer
+ * If it's the signer have CRLSIGN bit set, use that as the signer
* cert for the certificate, otherwise, search for a certificate.
*/
if (_hx509_check_key_usage(context, parent, 1 << 6, FALSE) == 0) {
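Review bot: `If it's the signer have CRLSIGN bit set` is still ungrammatical after the edit; suggest `If the signer has the cRLSign key usage bit set, use it as the signer cert for the certificate, otherwise search for one`. As a style point on the context line, `1 << 6` is the cRLSign bit of KeyUsage; a named constant would let the comment and the code agree without the reader counting bits.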
}
/*
- * Verify that the `cert' is part of the OCSP reply and its not
- * expired. Doesn't verify signature the OCSP reply or its done by a
+ * Verify that the `cert' is part of the OCSP reply and it's not
+ * expired. Doesn't verify signature the OCSP reply or it's done by a
* authorized sender, that is assumed to be already done.
*/
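Review bot: the second sentence of this comment is missing words that change what it promises: `Doesn't verify signature the OCSP reply or it's done by a authorized sender` should be `Doesn't verify the signature of the OCSP reply, nor that it was produced by an authorized sender`. Callers rely on this note to know which checks they must perform beforehand, so spell it out.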
*
* The pointer in `sp´ is assumed to be at the top of the entry before
* previous entry. On success, the `sp´ pointer is set to data portion
- * of previous entry. In case of error, its not changed at all.
+ * of previous entry. In case of error, it's not changed at all.
*/
kadm5_ret_t
* the library chooses the default credential cache type. The supplied
* `hint' (that can be NULL) is a string that the credential cache
* type can use to base the name of the credential on, this is to make
- * its easier for the user to differentiate the credentials.
+ * it easier for the user to differentiate the credentials.
*
* @return Returns 0 or an error code.
*
}
/*
- * `pq' isn't free, its up the the caller
+ * `pq' isn't free, it's up the the caller
*/
krb5_error_code KRB5_LIB_FUNCTION
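Review bot: the edited line has a doubled `the` (`up the the caller`), and `isn't free` should be `isn't freed`. Suggest `` `pq' isn't freed here; it's up to the caller ``.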
#ifdef ENABLE_AFS_STRING_TO_KEY
/* This defines the Andrew string_to_key function. It accepts a password
- * string as input and converts its via a one-way encryption algorithm to a DES
+ * string as input and converts it via a one-way encryption algorithm to a DES
* encryption key. It is compatible with the original Andrew authentication
* service password database.
*/
.Sh DESCRIPTION
This function takes a principal
.Fa name ,
-verifies its in the local realm (using
+verifies that it is in the local realm (using
.Fn krb5_get_default_realms )
and then returns the local name of the principal.
.Pp
(that can be
.Dv NULL )
is a string that the credential cache type can use to base the name of
-the credential on, this is to make its easier for the user to
+the credential on, this is to make it easier for the user to
differentiate the credentials.
The returned credential cache
.Fa id
.Fn krb5_cc_clear_mcred
clears the
.Fa mcreds
-argument so its reset and can be used with
+argument so it is reset and can be used with
.Fa krb5_cc_retrieve_cred .
.Pp
.Fn krb5_cc_retrieve_cred ,
.Fa usage
should be the appropriate key-usage.
.Fa ivec
-is a pointer to a initial IV, its modified to the end IV at the end of
+is a pointer to a initial IV, it is modified to the end IV at the end of
the round.
Ivec should be the size of
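Review bot: `a initial IV` on the edited line should be `an initial IV`.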
If
the
.Fa ccache .
.It KRB5_GC_EXPIRED_OK
-returns the credential even if its expired, default behavior is trying
+returns the credential even if it is expired, default behavior is trying
to refetch the credential from the KDC.
.El
.Pp
the
.Fa ccache .
.It KRB5_GC_EXPIRED_OK
-returns the credential even if its expired, default behavior is trying
+returns the credential even if it is expired, default behavior is trying
to refetch the credential from the KDC.
.It KRB5_GC_NO_STORE
Do not store the resulting credentials in the
.Fa service /
.Fa proto
pair from the global service table for and returns it in network order.
-If its not found in the global table, the
+If it isn't found in the global table, the
.Fa default_port
(given in host order)
is returned.
.Li [libdefaults]fcc-mit-ticketflags .
Heimdal 0.7 also code to detech that ticket flags was in the wrong
order and correct them. This matters when doing delegation in GSS-API
-because the client code looks at the flag to determin if its possible
+because the client code looks at the flag to determin if it is possible
to do delegation if the user requested it.
.Sh SEE ALSO
.Xr krb5.conf 5 ,
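Review bot: the sentence before the edit is missing its verb: `Heimdal 0.7 also code to detech that ticket flags was in the wrong order` should be `Heimdal 0.7 also has code to detect that ticket flags were in the wrong order`. On the edited line, `determin` should be `determine`.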
.Fn krb5_verify_init_creds_opt_set_ap_req_nofail
controls controls the behavior if
.Fa ap_req_server
-doesn't exists in the local keytab or in the KDC's database, if its
+doesn't exists in the local keytab or in the KDC's database, if it's
true, the error will be ignored. Note that this use is possible
insecure.
.Sh SEE ALSO
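Review bot: `controls controls` is doubled, `doesn't exists` should be `doesn't exist`, and `this use is possible insecure` should be `possibly insecure`. The last sentence documents a security trade-off (a missing keytab entry for `ap_req_server` is ignored when the option is true), so it should read clearly.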
resets all opt to default values.
.Pp
None of the krb5_verify_opt_set function makes a copy of the data
-structure that they are called with. Its up the caller to free them
+structure that they are called with. It's up the caller to free them
after the
.Fn krb5_verify_user_opt
is called.
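Review bot: on the edited line, `It's up the caller` is missing `to`; and the preceding line should agree in number: `None of the krb5_verify_opt_set functions make a copy of the data structure`.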
krb5_error_code ret;
/*
- * Windows 2000 and 2003 uses this inside their TGT so its normaly
+ * Windows 2000 and 2003 uses this inside their TGT so it's normaly
* not seen by others, however, samba4 joined with a Windows AD as
* a Domain Controller gets exposed to this.
*/
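Review bot: `normaly` on the edited line should be `normally`, and `Windows 2000 and 2003 uses` should be `use`.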
if(ret) goto cleanup;
/*
* Runtime detect the what is the higher bits of the bitfield. If
- * any of the higher bits are set in the input data, its either a
- * new ticket flag (and this code need to be removed), or its a
+ * any of the higher bits are set in the input data, it's either a
+ * new ticket flag (and this code need to be removed), or it's a
* MIT cache (or new Heimdal cache), lets change it to our current
* format.
*/
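Review bot: the first line of this comment, `Runtime detect the what is the higher bits of the bitfield`, should read something like `Detect at runtime which bits are the high bits of the bitfield`, and `this code need to be removed` should be `needs`; fix them alongside the `its` change so the comment reads as one piece.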
if(ret) goto cleanup;
/*
* Runtime detect the what is the higher bits of the bitfield. If
- * any of the higher bits are set in the input data, its either a
- * new ticket flag (and this code need to be removed), or its a
+ * any of the higher bits are set in the input data, it's either a
+ * new ticket flag (and this code need to be removed), or it's a
* MIT cache (or new Heimdal cache), lets change it to our current
* format.
*/
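Review bot: `Runtime detect the what is the higher bits of the bitfield` on the first line of this comment should read `Detect at runtime which bits are the high bits of the bitfield`, and `this code need to be removed` should be `needs`; include both since the comment is already being edited.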
}
/*
- * Check that a closed cc still keeps it data and that its no longer
- * there when its destroyed.
+ * Check that a closed cc still keeps it data and that it's no longer
+ * there when it's destroyed.
*/
static void
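Review bot: the edited line still contains a possessive typo in the other direction: `keeps it data` should be `keeps its data`. Since the whole point of this patch is its/it's, that one should not be missed.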
RCSID("$Id$");
/*
- * Check that a closed cc still keeps it data and that its no longer
- * there when its destroyed.
+ * Check that a closed cc still keeps it data and that it's no longer
+ * there when it's destroyed.
*/
static void
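Review bot: `keeps it data` on the edited line should be `keeps its data`; an its/it's sweep should catch the missing possessive as well.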
RCHECK(ret, krb5_store_int8(sp, AUTH_MSG_ERR_REPLY), error);
RCHECK(ret, put_nir(sp, name, inst, realm), error);
RCHECK(ret, krb5_store_int32(sp, time_ws), error);
- /* If its a Kerberos 4 error-code, remove the et BASE */
+ /* If it is a Kerberos 4 error-code, remove the et BASE */
if (e >= ERROR_TABLE_BASE_krb && e <= ERROR_TABLE_BASE_krb + 255)
e -= ERROR_TABLE_BASE_krb;
RCHECK(ret, krb5_store_int32(sp, e), error);
static int gottoprec; /* Flag indicating retrieval of toprecord */
#if 0 /*
- * Don't use db support unless its build into libc but we dont
+ * Don't use db support unless it's build into libc but we don't
* check for that now, so just disable the code.
*/
#if defined(HAVE_DBOPEN) && defined(HAVE_DB_H)
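Review bot: `it's build into libc` should be `built into libc`; since the line is edited anyway, include that fix.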