NAME
shishi_tkt_transited_policy_checked_p - API function
SYNOPSIS
#include <shishi.h>
int shishi_tkt_transited_policy_checked_p(Shishi_tkt * tkt);
ARGUMENTS
- Shishi_tkt * tkt
- input variable with ticket info.
DESCRIPTION
Determine if ticket has been policy checked for transit.
The application server is ultimately responsible for accepting or rejecting
authentication and SHOULD check that only suitably trusted KDCs are relied
upon to authenticate a principal. The transited field in the ticket identifies
which realms (and thus which KDCs) were involved in the authentication process
and an application server would normally check this field. If any of these are
untrusted to authenticate the indicated client principal (probably determined
by a realm-based policy), the authentication attempt MUST be rejected. The
presence of trusted KDCs in this list does not provide any guarantee; an
untrusted KDC may have fabricated the list.
While the end server ultimately decides whether authentication is valid, the KDC
for the end server's realm MAY apply a realm specific policy for validating
the transited field and accepting credentials for cross-realm authentication.
When the KDC applies such checks and accepts such cross-realm authentication
it will set the TRANSITED-POLICY-CHECKED flag in the service tickets it issues
based on the cross-realm TGT. A client MAY request that the KDCs not check the
transited field by setting the DISABLE-TRANSITED-CHECK flag. KDCs are
encouraged but not required to honor this flag.
Application servers MUST either do the transited-realm checks themselves, or
reject cross-realm tickets without TRANSITED-POLICY-CHECKED set.
RETURN VALUE
Returns non-0 iff transited-policy-checked flag is set in ticket.
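The accept/reject rule from the DESCRIPTION, as an added example that is not part of the Shishi documentation. The names struct tkt_facts and accept_ticket() and the realm names are constructed for illustration; in a Shishi server the policy_checked field would hold the result of shishi_tkt_transited_policy_checked_p(tkt).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for what a server reads from a ticket. In a Shishi
   server, policy_checked would hold shishi_tkt_transited_policy_checked_p(tkt). */
struct tkt_facts {
    const char *client_realm, *server_realm;
    const char *const *transited;  /* realms named in the transited field */
    size_t n_transited;
    int policy_checked;            /* TRANSITED-POLICY-CHECKED flag */
};

static int realm_trusted(const char *realm, const char *const *trusted, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(realm, trusted[i]) == 0)  /* realm names are case-sensitive */
            return 1;
    return 0;
}

/* Returns 1 to accept, 0 to reject. trusted == NULL means the server has no
   transited-realm policy of its own (assumption of this example). */
int accept_ticket(const struct tkt_facts *t,
                  const char *const *trusted, size_t n_trusted)
{
    if (strcmp(t->client_realm, t->server_realm) == 0 && t->n_transited == 0)
        return 1;                       /* not a cross-realm ticket */
    if (trusted == NULL)
        return t->policy_checked != 0;  /* rely on the KDC's check, else reject */
    for (size_t i = 0; i < t->n_transited; i++)
        if (!realm_trusted(t->transited[i], trusted, n_trusted))
            return 0;                   /* one untrusted realm taints the path */
    return 1;
}

int main(void)
{
    static const char *const path[] = { "CORP.EXAMPLE", "PARTNER.EXAMPLE" };
    static const char *const trusted[] = { "CORP.EXAMPLE" };
    struct tkt_facts t = { "DEV.EXAMPLE", "APP.EXAMPLE", path, 2, 0 };
    printf("flag clear, no own policy: %d\n", accept_ticket(&t, NULL, 0));
    printf("flag clear, own policy:    %d\n", accept_ticket(&t, trusted, 1));
    t.policy_checked = 1;
    printf("flag set, no own policy:   %d\n", accept_ticket(&t, NULL, 0));
    return 0;
}
```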
REPORTING BUGS
Report bugs to <bug-shishi@gnu.org>.
COPYRIGHT
Copyright © 2002-2010 Simon Josefsson.
Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and this
notice are preserved.
SEE ALSO
The full documentation for shishi is maintained as a Texinfo manual. If the
info and shishi programs are properly installed at your site, the command
- info shishi
should give you access to the complete manual.