.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .ie \nF \{\ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\} .el \{\ . de IX .. .\} .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "WebAuth 3pm" .TH WebAuth 3pm "2012-04-25" "perl v5.14.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" WebAuth \- Perl extension for WebAuth (version 3) .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& use WebAuth; \& \& eval { \& $key = WebAuth::random_key(WebAuth::WA_AES_128); \& ... \& }; \& if (WebAuth::Exception::match($@)) { \& # handle exception \& } .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" WebAuth is a low-level Perl interface into the WebAuth C \s-1API\s0. Some functions have been made more Perl-like, and there is some partial work on changing the \s-1API\s0 to be object-oriented. .PP All functions have the potential to croak with a WebAuth::Exception object, so an eval block should be placed around calls to WebAuth functions if you intend to recover from errors. See the WebAuth::Exception section for more information. .PP Nearly all of the functionality is directly in the WebAuth namespace for right now. The exceptions are WebAuth::Exception, WebAuth::Keyring, and WebAuth::KeyringEntry objects, described in \*(L"\s-1SUBCLASSES\s0\*(R" below. .SH "EXPORT" .IX Header "EXPORT" Nothing is exported by default, but the following \f(CW%EXPORT_TAGS\fR are available: .PP .Vb 8 \& attrs the attr_* functions \& base64 the base64_* functions \& const the wA_* constants \& hex the hex_* functions \& key the key_* functions \& krb5 the krb5_* functions \& random the random_* functions \& token the token_* functions .Ve .PP For example: .PP .Vb 1 \& use WebAuth qw(:krb5 :const); .Ve .SH "FUNCTIONS" .IX Header "FUNCTIONS" .IP "error_message(status)" 4 .IX Item "error_message(status)" \&\f(CW$message\fR = error_message($status) .Sp Returns an error message for the specified status, which should be one of the WA_ERR_* values. .IP "base64_encode(input);" 4 .IX Item "base64_encode(input);" \&\f(CW$output\fR = base64_encode($input); .Sp base64 encodes the \f(CW$input\fR string and returns the result. .IP "base64_decode(input)" 4 .IX Item "base64_decode(input)" .Vb 1 \& $output = base64_decode($input); .Ve .Sp base64 decodes the \f(CW$input\fR string and returns the result in \f(CW$output\fR, or undef if unable to parse \f(CW$input\fR. .IP "hex_encode(input);" 4 .IX Item "hex_encode(input);" \&\f(CW$output\fR = hex_encode($input); .Sp hex encodes the \f(CW$input\fR string and returns the result. .IP "hex_decode(input)" 4 .IX Item "hex_decode(input)" .Vb 1 \& $output = hex_decode($input); .Ve .Sp hex decodes the \f(CW$input\fR string and returns the result in \f(CW$output\fR, or undef if unable to decode \f(CW$input\fR. .IP "attrs_encode(attrs);" 4 .IX Item "attrs_encode(attrs);" .Vb 1 \& $output = attrs_encode($attrs); .Ve .Sp Takes as input \f(CW$attrs\fR (which must be a reference to a hash) and returns a string of the encoded attributes in \f(CW$output\fR. The values in the \f(CW$attrs\fR hash table get converted to strings if they aren't already. .IP "attrs_decode(input);" 4 .IX Item "attrs_decode(input);" .Vb 1 \& $attrs = attrs_decode($input); .Ve .Sp attr decodes the \f(CW$input\fR string and returns the result in \f(CW$attrs\fR as a reference to a hash, or croaks in case of an error. .IP "random_bytes(length)" 4 .IX Item "random_bytes(length)" .Vb 1 \& $bytes = random_bytes($length); .Ve .Sp Returns the specified number of random bytes, or undef if random data was unavailable. The returned data is suitable for nonces, but not necessarily for keys. Use random_key to generate a suitable random key. .IP "random_key(length)" 4 .IX Item "random_key(length)" .Vb 1 \& $key_material = random_key($length); .Ve .Sp Returns the specified number of random bytes, or undef if random data was unavailable. The returned data is suitable for use as a key. Use the constants \s-1WA_AES_128\s0, \s-1WA_AES_192\s0, and \&\s-1WA_AES_256\s0 to specify a 128 bit, 192 bit, or 256 bit \s-1AES\s0 key respectively. .IP "key_create(type, key_material)" 4 .IX Item "key_create(type, key_material)" .Vb 1 \& $key = key_create($type, $key_material); .Ve .Sp Creates a reference to a WEBAUTH_KEYPtr object, or undef on error. \f(CW$type\fR must be \s-1WA_AES_KEY\s0, and \f(CW$key_material\fR must be a string with a length of \&\s-1WA_AES_128\s0, \s-1WA_AES_192\s0, or \s-1WA_AES_256\s0 bytes. \f(CW$key\fR should be set to undef when the key is no longer needed. .IP "token_create(attrs, hint, key_or_ring)" 4 .IX Item "token_create(attrs, hint, key_or_ring)" .Vb 1 \& $token = token_create($attrs, $hint, $key_or_ring); .Ve .Sp Takes as input \f(CW$attrs\fR (which must be a reference to a hash) and \&\f(CW$key_or_ring\fR (created with keyring_new or key_create) and returns the encrypted token. If hint is 0, the current time will be used. .Sp The values in the \f(CW$attrs\fR hash table get converted to strings if they aren't already. .IP "token_parse(token, ttl, key_or_ring)" 4 .IX Item "token_parse(token, ttl, key_or_ring)" .Vb 1 \& $attrs = token_parse($token, $ttl, $key_or_ring); .Ve .Sp Takes as input an encrypted token and a key_or_ring (created with keyring_new or key_create) and returns the attributes. .IP "\fIkrb5_new()\fR" 4 .IX Item "krb5_new()" .Vb 1 \& $context = krb5_new(); .Ve .Sp Creates a new \s-1WEBAUTH_KRB5_CTXT\s0 reference in \f(CW$context\fR. .IP "krb5_keep_cred_cache(context)" 4 .IX Item "krb5_keep_cred_cache(context)" .Vb 1 \& krb5_keep_cred_cache($context); .Ve .Sp If called before \f(CW$context\fR is no longer in use, prevents the credential cache (created via one of the calls to krb5_init_via*) from being destroyed. This should only be used you need to keep a file-based credential cache from being removed. .IP "krb5_init_via_password(context, user, password, get_principal, keytab, server_principal[, cache])" 4 .IX Item "krb5_init_via_password(context, user, password, get_principal, keytab, server_principal[, cache])" .Vb 3 \& ($principal) = krb5_init_via_password($context, $user, $password, \& $get_principal, $keytab, \& $server_principal[, $cache]); .Ve .Sp Initializes a context using the specified username/password to obtain a \s-1TGT\s0. The \s-1TGT\s0 will be verified using the principal in the keytab by doing a krb5_mk_req/krb5_rd_req. If \f(CW$cache\fR is not specified, a memory cache will be used and destroyed when the context is destroyed. .Sp If \f(CW$server_princpal\fR is undef or "", then the first principal found in the keytab will be used. .Sp If \f(CW$get_principal\fR is definied, then rather than using the principal in the keytab, we will get a context for the given principal. This is currently used to get a context for kadmin/changepw with a given username and password, in order to then later use that to change the user password. .Sp If \f(CW$keytab\fR is not defined, then we do not obtain a \s-1TGT\s0, but only initialize the context without verifying its validity. This is currently only used in conjunction with \f(CW$get_principal\fR to get credentials for kadmin/changepw. .Sp Returns the server principal used to verify the \s-1TGT\s0. .IP "krb5_init_via_keytab(context, keytab, server_princpal, [, cache])" 4 .IX Item "krb5_init_via_keytab(context, keytab, server_princpal, [, cache])" .Vb 1 \& krb5_init_via_keytab($context, $keytab, $server_princpal[, $cache]); .Ve .Sp Initializes a context using the principal in the specified keytab by getting a \s-1TGT\s0. If \f(CW$cache\fR is not specified, a memory cache will be used and destroyed when the context is destroyed. .Sp If \f(CW$server_princpal\fR is undef or "", then the first princpal found in the keytab will be used. .IP "krb5_init_via_cache(context[, cache])" 4 .IX Item "krb5_init_via_cache(context[, cache])" .Vb 1 \& krb5_init_via_cache($context, "/tmp/krb5cc_foo"); .Ve .Sp Initializes a context using the specified ticket cache. If \f(CW$cache\fR is not specified, the default kerberos ticket cache is used. .IP "krb5_init_via_cred(context, cred[, cache])" 4 .IX Item "krb5_init_via_cred(context, cred[, cache])" .Vb 1 \& krb5_init_via_cred($context, $cred[, $cache]); .Ve .Sp Initializes a context using a ticket that was previously exported using krb5_export_*. If \f(CW$cache\fR is not specified, a memory cache will be used and destroyed when the context is destroyed. .IP "krb5_export_tgt(context)" 4 .IX Item "krb5_export_tgt(context)" .Vb 1 \& ($tgt, $expiration) = krb5_export_tgt($context) .Ve .Sp Used to \*(L"export\*(R" a \s-1TGT\s0 from the specified context, which should have been initialized via one of the krb5_init_via_* functions. On success both \f(CW$tgt\fR and \f(CW$expiration\fR get set. \f(CW$ticket\fR is the ticket itself (binary data) and \f(CW$expiration\fR is the expiration time of the ticket. .IP "krb5_import_cred(context, cred)" 4 .IX Item "krb5_import_cred(context, cred)" .Vb 1 \& krb5_import_cred($context, $cred); .Ve .Sp Used to \*(L"import\*(R" a ticket that was created with krb5_export_*. .IP "krb5_export_ticket(context, principal);" 4 .IX Item "krb5_export_ticket(context, principal);" .Vb 1 \& ($ticket, $expiration) = krb5_export_ticket($context, $principal); .Ve .Sp Used to \*(L"export\*(R" a ticket for the requested server principal. On success, both \f(CW$ticket\fR and \f(CW$expiration\fR will be set. \f(CW$ticket\fR is the ticket itself (binary data) and \f(CW$expiration\fR is the expiration time of the ticket. .IP "krb5_get_principal(context, 1)" 4 .IX Item "krb5_get_principal(context, 1)" .Vb 1 \& $principal = krb5_getprincipal($context, 1); .Ve .Sp Used to get the principal associated with the context. Should only be called after a successful call to krb5_init_via*. If local is 1, then krb5_aname_to_localname is called on the principal. If krb5_aname_to_localname returns an error then the fully-qualified principal name is returned. .IP "krb5_mk_req(context, principal[,data])" 4 .IX Item "krb5_mk_req(context, principal[,data])" .Vb 1 \& ($request[, $edata]) = krb5_mk_req($context, $principal[,$data]); .Ve .Sp Used to construct a kerberos V5 request for the specified principal. \f(CW$request\fR will be set on success, and will contain the result of the krb5_mk_req call. If \f(CW$data\fR is passed in, tben it will be encrypted using krb5_mk_priv and returned as \f(CW$edata\fR. .IP "krb5_rd_req(context, request, keytab, server_principal, local[, edata])" 4 .IX Item "krb5_rd_req(context, request, keytab, server_principal, local[, edata])" .Vb 3 \& ($principal[, $data]) \& = krb5_rd_req($context, $request, $keytab, \& $server_princpal, 1[, $edata]); .Ve .Sp Used to read a request created with krb5_mk_req. On success \f(CW$principal\fR will be set to the client principal in the request. If local is 1, then krb5_aname_to_localname is called on the principal. If krb5_aname_to_localname returns an error then the fully-qualified principal name is returned. .Sp If \f(CW$server_princpal\fR is undef or "", then the first principal found in the keytab will be used. .Sp If \f(CW$edata\fR is passed in, it is decrypted with krb5_rd_priv. .IP "krb5_change_password(context, password)" 4 .IX Item "krb5_change_password(context, password)" .Vb 1 \& krb5_change_password($context, $password); .Ve .Sp Used to change a principal to a new password. Requires a context with a kadmin/changepw credential already formed from that user's current principal name and password. .SH "SUBCLASSES" .IX Header "SUBCLASSES" .SS "WebAuth::Exception" .IX Subsection "WebAuth::Exception" The various WebAuth functions can all throw exceptions if something wrong happens. These exceptions will be of type WebAuth::Exception. .PP For example: .PP .Vb 10 \& eval { \& $data = WebAuth::base64_decode($buffer); \& ... \& }; \& if (WebAuth::Exception::match($@)) { \& my $e = $@; \& # you can call the following methods on an Exception object: \& # $e\->status() \& # $e\->error_message() \& # $e\->detail_message() \& # $e\->krb5_error_code() \& # $e\->krb5_error_message() \& # $e\->verbose_message() \& } .Ve .ie n .IP "match($exception[, $status])" 4 .el .IP "match($exception[, \f(CW$status\fR])" 4 .IX Item "match($exception[, $status])" This class function (not a method) returns true if the given \&\f(CW$exception\fR is a WebAuth::Exception. If \f(CW$status\fR is specified, then \&\f(CW$exception\fR\->\fIstatus()\fR will also be compared to \f(CW$status\fR. .IP "\fIstatus()\fR" 4 .IX Item "status()" This method returns the WebAuth status code for the exception, which will be one of the WA_ERR_* codes. .IP "\fIerror_message()\fR" 4 .IX Item "error_message()" This method returns the WebAuth error message for the status code, using the WebAuth::error_message function. .IP "\fIdetail_message()\fR" 4 .IX Item "detail_message()" This method returns the \*(L"detail\*(R" message in the exception. The detail message is additional information created with the exception when it is raised, and is usually the name of the WebAuth C function that raised the exception. .IP "\fIkrb5_error_code()\fR" 4 .IX Item "krb5_error_code()" If the status of the exception is \s-1WA_ERR_KRB5\s0, then this function will return the Kerberos V5 error code that caused the exception. There are currently no constants defined for these error codes. .IP "\fIkrb5_error_message()\fR" 4 .IX Item "krb5_error_message()" If the status of the exception is \s-1WA_ERR_KRB5\s0, then this function will return the Kerberos V5 error message corresponding to the krb5_error_code. .IP "\fIverbose_message()\fR" 4 .IX Item "verbose_message()" This method returns a verbose error message, which consists of all information available in the exception, including the status code, error message, line number and file, and any detail message in the exception. It also will include the kerberos error code and error message if status is \s-1WA_ERR_KRB5\s0. .Sp The verbose_message method is also called if the exception is used as a string. .SS "WebAuth::Keyring" .IX Subsection "WebAuth::Keyring" This Perl class represents a keyring, which is a set of WebAuth keys with associated creation times and times after which they become valid. These keyrings can be read from and stored to files on disk and are used by WebAuth Application Servers and WebKDCs to store their encryption keys. .PP \fIClass Methods\fR .IX Subsection "Class Methods" .IP "new([\s-1CAPACITY\s0])" 4 .IX Item "new([CAPACITY])" Create a new keyring with initial capacity \s-1CAPACITY\s0. The default initial capacity is 1 if none is given. Keyrings automatically resize to hold more keys when necessary, so the capacity is only for efficiency if one knows in advance roughly how many keys there will be. Returns a new WebAuth::Keyring object or throws a WebAuth::Exception. .IP "read_file(\s-1FILE\s0)" 4 .IX Item "read_file(FILE)" Reads a keyring from the file \s-1FILE\s0. The created keyring object will have no association with the file after being created; it won't automatically be saved, or updated when the file changes. Returns a new WebAuth::Keyring object or throws a WebAuth::Exception. .PP \fIInstance Methods\fR .IX Subsection "Instance Methods" .PP As with other WebAuth module functions, failures are signalled by throwing WebAuth::Exception rather than by return status. .IP "add(\s-1CREATION\s0, \s-1VALID_AFTER\s0, \s-1KEY\s0)" 4 .IX Item "add(CREATION, VALID_AFTER, KEY)" Add a new \s-1KEY\s0 to the keyring with \s-1CREATION\s0 as the creation time and \&\s-1VALID_AFTER\s0 as the valid after time. Both of the times should be in seconds since epoch, and the key must be a valid WebAuth key, such as is returned by \fIWebAuth::webauth_random_key()\fR. Keys will not used for encryption until after their valid after time, which provides an opportunity to synchronize the keyring between multiple systems before the keys are used. .IP "best_key(\s-1ENCRYPTION\s0, \s-1HINT\s0)" 4 .IX Item "best_key(ENCRYPTION, HINT)" Returns the best key available in the keyring for a particular purpose and time. \s-1ENCRYPTION\s0 is a boolean and should be true if the key will be used for encryption and false if it will be used for decryption. For decryption keys when \s-1ENCRYPTION\s0 is false, \s-1HINT\s0 is the timestamp of the data that will be decrypted. .Sp If \s-1ENCRYPTION\s0 is true, this method will return the valid key in the keyring that was created most recently, since this is the best key to use for encryption going forward. If \s-1ENCRYPTION\s0 is false, this method will return the key most likely to have been used to encrypt something at the time \s-1HINT\s0, where \s-1HINT\s0 is given in seconds since epoch. .IP "\fIcapacity()\fR" 4 .IX Item "capacity()" Returns the capacity of the keyring (the total number of keys it can hold without being resized). This is not usually interesting since keyrings will automatically resize if necessary. It is used mostly for testing. .IP "\fIentries()\fR" 4 .IX Item "entries()" In a scalar context, returns the number of entries in the keyring. In an array context, returns a list of keyring entries as WebAuth::KeyringEntry objects. .IP "remove(\s-1INDEX\s0)" 4 .IX Item "remove(INDEX)" Removes the \s-1INDEX\s0 entry in the keyring. The keyring will then be compacted, so all subsequent entries in the keyring will have their index decreased by one. If you are removing multiple entries from a keyring, you should therefore remove them from the end of the keyring (the highest \&\s-1INDEX\s0 number) first. .IP "write_file(\s-1FILE\s0)" 4 .IX Item "write_file(FILE)" Writes the keyring out to \s-1FILE\s0 in the format suitable for later reading by \&\fIread_file()\fR. .SS "WebAuth::KeyringEntry" .IX Subsection "WebAuth::KeyringEntry" This object is only used as the return value from the \fIentries()\fR method of WebAuth::Keyring. It's a read-only object that has the following methods: .PP \fIInstance Methods\fR .IX Subsection "Instance Methods" .IP "\fIcreation()\fR" 4 .IX Item "creation()" Returns the creation time of the key in seconds since epoch. .IP "\fIkey()\fR" 4 .IX Item "key()" Returns the key of this entry. This will be an opaque object that can be passed into other WebAuth module functions that take a key. .IP "\fIvalid_after()\fR" 4 .IX Item "valid_after()" Returns the valid after time of the key in seconds since epoch. .SH "CONSTANTS" .IX Header "CONSTANTS" The following constants from webauth.h are available: .PP .Vb 10 \& WA_ERR_NONE \& WA_ERR_NO_ROOM \& WA_ERR_CORRUPT \& WA_ERR_NO_MEM \& WA_ERR_BAD_HMAC \& WA_ERR_RAND_FAILURE \& WA_ERR_BAD_KEY \& WA_ERR_KEYRING_OPENWRITE \& WA_ERR_KEYRING_WRITE \& WA_ERR_KEYRING_OPENREAD \& WA_ERR_KEYRING_READ \& WA_ERR_KEYRING_VERISON \& WA_ERR_NOT_FOUND \& WA_ERR_KRB5 \& WA_ERR_INVALID_CONTEXT \& WA_ERR_LOGIN_FAILED \& WA_ERR_TOKEN_EXPIRED \& WA_ERR_TOKEN_STALE \& \& WA_PEC_SERVICE_TOKEN_EXPIRED \& WA_PEC_SERVICE_TOKEN_INVALID \& WA_PEC_PROXY_TOKEN_EXPIRED \& WA_PEC_PROXY_TOKEN_INVALID \& WA_PEC_INVALID_REQUEST \& WA_PEC_UNAUTHORIZED \& WA_PEC_SERVER_FAILURE \& WA_PEC_REQUEST_TOKEN_STALE \& WA_PEC_REQUEST_TOKEN_INVALID \& WA_PEC_GET_CRED_FAILURE \& WA_PEC_REQUESTER_KRB5_CRED_INVALID \& WA_PEC_LOGIN_TOKEN_STALE \& WA_PEC_LOGIN_TOKEN_INVALID \& WA_PEC_LOGIN_FAILED \& WA_PEC_PROXY_TOKEN_REQUIRED \& WA_PEC_LOGIN_CANCELED \& WA_PEC_LOGIN_FORCED \& WA_PEC_USER_REJECTED \& WA_PEC_CREDS_EXPIRED \& WA_PEC_MULTIFACTOR_REQUIRED \& WA_PEC_MULTIFACTOR_UNAVAILABLE \& WA_PEC_LOGIN_REJECTED \& WA_PEC_LOA_UNAVAILABLE \& \& WA_AES_KEY \& WA_AES_128 \& WA_AES_192 \& WA_AES_256 \& \& WA_TK_APP_STATE \& WA_TK_COMMAND \& WA_TK_CRED_DATA \& WA_TK_CRED_SERVICE \& WA_TK_CRED_TYPE \& WA_TK_CREATION_TIME \& WA_TK_ERROR_CODE \& WA_TK_ERROR_MESSAGE \& WA_TK_EXPIRATION_TIME \& WA_TK_INITIAL_FACTORS \& WA_TK_SESSION_KEY \& WA_TK_LOA \& WA_TK_LASTUSED_TIME \& WA_TK_OTP \& WA_TK_PASSWORD \& WA_TK_PROXY_DATA \& WA_TK_PROXY_SUBJECT \& WA_TK_PROXY_TYPE \& WA_TK_REQUEST_OPTIONS \& WA_TK_REQUESTED_TOKEN_TYPE \& WA_TK_RETURN_URL \& WA_TK_SUBJECT \& WA_TK_SUBJECT_AUTH \& WA_TK_SUBJECT_AUTH_DATA \& WA_TK_SESSION_FACTORS \& WA_TK_TOKEN_TYPE \& WA_TK_USERNAME \& WA_TK_WEBKDC_TOKEN .Ve .SH "AUTHOR" .IX Header "AUTHOR" Roland Schemers, Jon Robertson , and Russ Allbery .