krb v0.15.0 · OCaml Package

type t

krb5_creds

A ticket that allows one to connect as a particular client principal to a particular server principal for a given time using a particular session key whenever encryption is needed for client/server communication.

val sexp_of_t : t -> Sexplib0.Sexp.t

val create : 
  ?ticket:string ->
  ?second_ticket:string ->
  client:Principal.t ->
  server:Principal.t ->
  unit ->
  t Async.Deferred.Or_error.t

From RFC 4120, a ticket is:

"A record that helps a client authenticate itself to a server; it contains the client's identity, a session key, a timestamp, and other information, all sealed using the server's secret key. It only serves to authenticate a client when presented along with a fresh Authenticator."

Ultimately, it's some bytes that are used in authentication and come from a ticket request to the KDC.

The odd thing regarding this type is that it is both used to represent a request for credentials (no tickets specified) and as the retrieved credentials (contains a ticket).

As for second_ticket, it's a special ticket that is used in user-to-user authentication. It is set to the TGT of the server when requesting credentials from the KDC.

You should only need to use this function if you're doing something low-level manually.

val of_password : 
  ?options:Get_init_creds_opts.t ->
  ?tkt_service:string ->
  Principal.t ->
  string ->
  t Async.Deferred.Or_error.t

of_password and of_keytab request tickets from the KDC.

options is used to override default lifetimes and flags for the returned ticket.

tkt_service specifies what ticket to acquire. If not specified, it defaults to the KDC's ticket granting service (i.e. the returned ticket is a TGT).

principal is the requesting principal.

val of_keytab : 
  ?options:Get_init_creds_opts.t ->
  ?tkt_service:string ->
  Principal.t ->
  Keytab.t ->
  t Async.Deferred.Or_error.t

val check_password : 
  Principal.t ->
  password:string ->
  unit Async.Deferred.Or_error.t

check_password principal ~password checks with the KDC that principal's password is password

val client : t -> Principal.t

val server : t -> Principal.t

val is_skey : t -> bool

is_skey t iff the server should decrypt the ticket with the session key of its tgt (user-to-user)

val ticket : t -> Ticket.t Async.Deferred.Or_error.t

val ticket_string : t -> string

val second_ticket : t -> string

val starttime : t -> Core.Time.t

val endtime : t -> Core.Time.t

valid until this time

val renew_until : t -> Core.Time.t

val keyblock : t -> Keyblock.t Async.Deferred.Or_error.t

the session key

module Flags : sig ... end

val flags : t -> Flags.t

module Raw : sig ... end

val to_raw : t -> Raw.t

val of_raw : Raw.t -> t Async.Deferred.Or_error.t

module Expert : sig ... end

package krb