krb5_rd_cred() ?

Derrick Schommer dschommer at
Tue Nov 30 11:53:57 EST 2004

Yes yes!  Thanks for the clarity.  My requirements may or may not match
yours in general.  The important parts I believe a) order of operations
(must setup contexts correctly before calling other things, b) knowing
what 'data' is in the variable you want to rd_creds() from, and c)
understanding that each API call can generate errors, one of which is
CLOCK_SKEW and catching these errors is very handy because calling the
next krb5 routine when the prior gives you an error may end up in null
pointer dereferencing :-)

Thanks again for clearing up my random spewing of code and comments :-)


-----Original Message-----
From: Ken Hornstein [mailto:kenh at] 
Sent: Dienstag, 30. November 2004 11:47
To: krbdev at
Subject: Re: krb5_rd_cred() ? 

>krb5_auth_context authCtx;
>krb5_auth_con_init( &context, &authCtx );
>I populate my auth-context with user keys and such.  (see
>krb5_auth_con_setuseruserkey()), and I also set some flags for use with
>authentication type routines.  There is a thing called
>krb5_auth_con_setflags() that allows you to set neat options on your
>authentication (like storing sequence numbers, time stamps, subkeys,

One additional note: unless you're doing user2user authenticaiton (and
if you don't know what this means, then the answer is "you're not"),
you should never need to call krb5_auth_con_setuseruserkey().

krb5_rd_cred() needs some stuff set up in the auth context by other
calls (very likely krb5_rd_req()); you just can't fill it in with
random stuff.  Most notably, you need the session key used by
krb5_mk_1cred() (which is called by krb5_fwd_tgt_creds()) to encrypt
the forwarded credentials.

krbdev mailing list             krbdev at 
DISCLAIMER:   The information contained in this e-mail is confidential and is intended solely for the review of the named addressee, and in conjunction with specific Acopia Networks business.  Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you are unable to treat this information accordingly, or are not the intended recipient, please notify us immediately by returning the e-mail to the originator.  

More information about the krbdev mailing list