
DCE 1.1: Authentication and Security Services
Copyright © 1997 The Open Group

NAME

sec_login_validate_identity-Validate a login context

SYNOPSIS

#include <dce/sec_login.h>

boolean32 sec_login_validate_identity (
    sec_login_handle_t login_context,
    sec_passwd_rec_t *passwd,
    boolean32 *reset_passwd,
    sec_login_auth_src_t *authn_src,
    error_status_t *status );

PARAMETERS

Input

login_context

Login context to be validated.

Input/Output

passwd

Password record to be used to validate the login context.

Output

reset_passwd

Indicates whether a principal/account's password has expired.

authn_src

The source of validation (or authentication) of this login context.

status

The completion status.

DESCRIPTION

The sec_login_validate_identity() routine validates a login context: it makes the context usable for protected RPCs (that is, usable by rpc_binding_set_auth_info()), and in the process demonstrates the context's trustworthiness (for use in protected RPCs) to the principal/account with which it is associated, under the assumption that the long-term key of that principal/account is uncompromised.

Upon return, this operation has destroyed the contents of the input passwd parameter: the actual password contained in it is overwritten with NULL bytes (all bits reset to 0) in the caller's address space, thereby reducing its exposure to compromise.

In typical usage, validation is accomplished by decrypting the encrypted part of the login context as obtained from sec_login_setup_identity() (and verifying that the decryption is correct), using the long-term key of the principal/account; hence this information must have been encrypted by an entity knowing the principal/account's long-term key, which must therefore have been an entity trusted by the caller. This routine also typically contacts the PS (of the cell in which the principal/account associated with the login context is registered), gets a PTGT for the principal/account, and decrypts the encrypted part of it. Thus, a validated login context typically contains both a TGT and a PTGT for the local cell (as well as other information).

If reset_passwd returns non-0 (TRUE), then the account's password has expired. Otherwise, reset_passwd returns 0 (FALSE).
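The following is an added illustration, not DCE code: a self-contained model of the contract described above (verifier decrypted with a key derived from the password, the caller's password record wiped on every return, reset_passwd set from an expiry time, and a TRUE result accompanying error_status_ok). The types, the status values, the toy keyed-XOR "encryption", the key derivation and the sample account are all constructed here so the file builds without DCE headers; a real client includes <dce/sec_login.h>, links the DCE libraries, and the real routine decrypts a TGT with the principal's long-term key and contacts the PS instead.

```c
/* Added illustration, not DCE code: a model of the
 * sec_login_validate_identity() contract. Everything below is
 * constructed; no DCE header or library is used. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t boolean32;
typedef uint32_t error_status_t;
/* Model stand-ins for the status codes listed under ERRORS. */
enum { error_status_ok = 0, sec_login_s_null_password = 1,
       sec_login_s_already_valid = 2, sec_rgy_passwd_invalid = 3 };
typedef enum { sec_login_auth_src_network = 0 } sec_login_auth_src_t;

#define VERIFIER_LEN 8
#define PASSWD_MAX 32

typedef struct { char text[PASSWD_MAX]; size_t len; } sec_passwd_rec_t;

typedef struct {
    uint8_t   enc_verifier[VERIFIER_LEN]; /* "encrypted part" from setup_identity */
    uint32_t  passwd_expires;             /* model: epoch seconds */
    uint32_t  now;                        /* model: injected clock */
    boolean32 validated;
} login_context_rec, *sec_login_handle_t;

static const uint8_t KNOWN_PLAINTEXT[VERIFIER_LEN] =
    { 'D', 'C', 'E', 'L', 'O', 'G', 'I', 'N' };

/* Zero memory through a volatile pointer so the compiler cannot drop
 * the store as a dead write before the function returns. */
static void secure_wipe(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* Toy "long-term key" derivation from a password (FNV-1a seed + LCG). */
static void derive_key(const sec_passwd_rec_t *pw, uint8_t key[VERIFIER_LEN]) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < pw->len; i++) { h ^= (uint8_t)pw->text[i]; h *= 16777619u; }
    for (int i = 0; i < VERIFIER_LEN; i++) { h = h * 1103515245u + 12345u; key[i] = (uint8_t)(h >> 24); }
}

static void set_password(sec_passwd_rec_t *pw, const char *s) {
    memset(pw, 0, sizeof *pw);
    pw->len = strlen(s) < PASSWD_MAX ? strlen(s) : PASSWD_MAX - 1;
    memcpy(pw->text, s, pw->len);
}

/* Model of what sec_login_setup_identity() hands back: a context whose
 * encrypted part was produced by a party holding the long-term key. */
static void model_setup_identity(login_context_rec *ctx, const char *registered_pw,
                                 uint32_t expires, uint32_t now) {
    sec_passwd_rec_t reg; uint8_t key[VERIFIER_LEN];
    set_password(&reg, registered_pw);
    derive_key(&reg, key);
    for (int i = 0; i < VERIFIER_LEN; i++) ctx->enc_verifier[i] = KNOWN_PLAINTEXT[i] ^ key[i];
    ctx->passwd_expires = expires; ctx->now = now; ctx->validated = 0;
    secure_wipe(key, sizeof key); secure_wipe(&reg, sizeof reg);
}

/* Model of sec_login_validate_identity(): same parameters and contract. */
static boolean32 model_validate_identity(sec_login_handle_t ctx, sec_passwd_rec_t *passwd,
        boolean32 *reset_passwd, sec_login_auth_src_t *authn_src, error_status_t *status) {
    boolean32 ok = 0;
    uint8_t key[VERIFIER_LEN], plain[VERIFIER_LEN];
    *reset_passwd = 0;
    *authn_src = sec_login_auth_src_network;
    if (passwd == NULL) { *status = sec_login_s_null_password; return 0; }
    if (passwd->len == 0) {
        *status = sec_login_s_null_password;
    } else if (ctx->validated) {
        *status = sec_login_s_already_valid;
    } else {
        derive_key(passwd, key);
        for (int i = 0; i < VERIFIER_LEN; i++) plain[i] = ctx->enc_verifier[i] ^ key[i];
        if (memcmp(plain, KNOWN_PLAINTEXT, VERIFIER_LEN) == 0) { /* decryption verified */
            ctx->validated = 1;
            *reset_passwd = ctx->now >= ctx->passwd_expires;
            *status = error_status_ok;
            ok = 1;
        } else {
            *status = sec_rgy_passwd_invalid;
        }
        secure_wipe(key, sizeof key); secure_wipe(plain, sizeof plain);
    }
    /* Contract: the caller's password record is destroyed on every return. */
    secure_wipe(passwd->text, sizeof passwd->text);
    passwd->len = 0;
    return ok;
}

static int buffer_is_zeroed(const void *p, size_t n) {
    const uint8_t *b = (const uint8_t *)p;
    for (size_t i = 0; i < n; i++) if (b[i]) return 0;
    return 1;
}

int main(void) {
    login_context_rec ctx; sec_passwd_rec_t pw;
    boolean32 reset; sec_login_auth_src_t src; error_status_t st;
    model_setup_identity(&ctx, "correct horse", 1000, 500); /* constructed account */
    set_password(&pw, "correct horse");
    boolean32 ok = model_validate_identity(&ctx, &pw, &reset, &src, &st);
    printf("validated=%u status=%u reset_passwd=%u password_wiped=%d\n",
           ok, st, reset, buffer_is_zeroed(pw.text, sizeof pw.text));
    return 0;
}
```

The model keeps the two properties a caller relies on: the password record cannot be reused after the call (even on the failure paths), and success is signalled consistently by both the TRUE return and error_status_ok, so a caller can test either.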

RETURN VALUES

The routine returns non-0 (TRUE) if the login context has been successfully validated. Otherwise, it returns 0 (FALSE). (In the success case, this return value is redundant with error_status_ok.)

ERRORS

error_status_ok

sec_login_s_acct_invalid

sec_login_s_already_valid

sec_login_s_default_use

sec_login_s_null_password

sec_login_s_unsupp_passwd_type

sec_rgy_passwd_invalid

sec_rgy_server_unavailable

SEE ALSO

Functions: sec_login_certify_identity(), sec_login_setup_identity(), sec_login_valid_and_cert_ident().

Please note that the html version of this specification may contain formatting aberrations. The definitive version is available as an electronic publication on CD-ROM from The Open Group.
