sec_login_validate_identity - Validate a login context

#include <dce/sec_login.h>

boolean32 sec_login_validate_identity (
    sec_login_handle_t login_context,
    sec_passwd_rec_t *passwd,
    boolean32 *reset_passwd,
    sec_login_auth_src_t *authn_src,
    error_status_t *status );
Input
- login_context
Login context to be validated.
Input/Output
- passwd
Password record to be used to validate the login context.
Output
- reset_passwd
Indicates whether a principal/account's password has expired.
- authn_src
The source of validation (or authentication) of this login context.
- status
The completion status.
The sec_login_validate_identity() routine validates a login context; that is, it makes the context usable for making protected RPCs (in the sense of making it usable by rpc_binding_set_auth_info()), and in the process demonstrates its trustworthiness (for use in protected RPCs) to the principal/account with which it is associated (under the assumption that the long-term key of that principal/account is uncompromised).

Upon return, this operation destroys the contents of the input passwd parameter: it overwrites the actual password contained in it with NULL bytes (all bits reset to 0) in the caller's address space, thereby reducing its exposure to compromise.

In typical usage, validation is accomplished by decrypting the encrypted part of the login context as obtained from sec_login_setup_identity() (and verifying that the decryption is correct), using the long-term key of the principal/account. Hence this information must have been encrypted by an entity knowing the principal/account's long-term key, which must have been an entity trusted by the caller. This routine also typically contacts the PS (of the cell in which the principal/account associated with the login context is registered), gets a PTGT for the principal/account, and decrypts the encrypted part of it. Thus, a validated login context typically contains both a TGT and a PTGT for the local cell (as well as other information).

If reset_passwd returns non-0 (TRUE), then the account's password has expired. Otherwise, reset_passwd returns 0 (FALSE).

The routine returns non-0 (TRUE) if the login context has been successfully validated. Otherwise, it returns 0 (FALSE). (In the success case, this return value is redundant with error_status_ok.)
Errors
- error_status_ok
- sec_login_s_acct_invalid
- sec_login_s_already_valid
- sec_login_s_default_use
- sec_login_s_null_password
- sec_login_s_unsupp_passwd_type
- sec_rgy_passwd_invalid
- sec_rgy_server_unavailable
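The following is an added example, not part of the DCE documentation, showing how a caller would drive sec_login_setup_identity() and sec_login_validate_identity() and act on the three outputs the routine gives it: the boolean32 return value, reset_passwd, and authn_src. The DCE calls are compiled only when HAVE_DCE_SEC_LOGIN is defined (an assumed, self-chosen macro); the decision helper classify_validation() and the wipe helper are plain C and compile anywhere. The field layout used for sec_passwd_rec_t (version_number, pepper, key.key_type, key.tagged_key.plain) and the constants sec_passwd_plain, sec_passwd_c_version_none, sec_login_no_flags and sec_login_auth_src_network are the standard DCE names; the function login_as() and the enum login_outcome_t are this example's own.

```c
/* Added example: wrapping sec_login_validate_identity() with the checks a
 * caller needs. Not DCE code; HAVE_DCE_SEC_LOGIN is an assumed macro that
 * enables the DCE-dependent part. */
#include <string.h>
#include <stddef.h>

/* Outcome of a validation attempt, derived from the routine's return value
 * and its reset_passwd / authn_src outputs. */
typedef enum {
    LOGIN_REJECTED,            /* routine returned FALSE: do not use the context */
    LOGIN_LOCAL_ONLY,          /* valid, but not authenticated by the security server */
    LOGIN_OK_PASSWORD_EXPIRED, /* network-validated, but the password must be reset */
    LOGIN_OK                   /* network-validated, usable for protected RPC */
} login_outcome_t;

/* Pure decision logic. 'valid' is the boolean32 return value (already ANDed
 * with status == error_status_ok by the caller), 'reset_passwd' the output
 * parameter, and 'network_authn' is non-zero when
 * authn_src == sec_login_auth_src_network. */
login_outcome_t classify_validation(int valid, int reset_passwd, int network_authn)
{
    if (!valid)         return LOGIN_REJECTED;
    if (!network_authn) return LOGIN_LOCAL_ONLY;
    if (reset_passwd)   return LOGIN_OK_PASSWORD_EXPIRED;
    return LOGIN_OK;
}

/* Overwrite a secret buffer through a volatile pointer so the compiler does
 * not drop the stores. The routine zeroes the password inside passwd, but
 * any other copy the caller holds is the caller's responsibility. */
void wipe_secret(void *buf, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (len--) *p++ = 0;
}

/* Returns 1 if every byte is zero; used to confirm a wipe took effect. */
int is_all_zero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

#ifdef HAVE_DCE_SEC_LOGIN
#include <dce/sec_login.h>

/* Establish and validate a login context for 'principal' using the
 * plaintext password in 'password' (pwlen bytes, caller-owned). On
 * LOGIN_OK / LOGIN_OK_PASSWORD_EXPIRED the context becomes the process
 * default; otherwise it is purged. The password buffer is wiped on every path. */
login_outcome_t login_as(const char *principal, char *password, size_t pwlen)
{
    sec_login_handle_t ctx;
    sec_passwd_rec_t pw;
    boolean32 reset_passwd = 0, valid;
    sec_login_auth_src_t authn_src;
    error_status_t st;
    login_outcome_t outcome = LOGIN_REJECTED;

    if (!sec_login_setup_identity((unsigned_char_p_t)principal,
                                  sec_login_no_flags, &ctx, &st)
        || st != error_status_ok)
        goto done;

    memset(&pw, 0, sizeof pw);
    pw.version_number = sec_passwd_c_version_none;
    pw.pepper = NULL;
    pw.key.key_type = sec_passwd_plain;
    pw.key.tagged_key.plain = (unsigned_char_p_t)password; /* points at caller's buffer */

    valid = sec_login_validate_identity(ctx, &pw, &reset_passwd, &authn_src, &st);
    outcome = classify_validation(valid && st == error_status_ok,
                                  reset_passwd,
                                  authn_src == sec_login_auth_src_network);

    if (outcome == LOGIN_OK || outcome == LOGIN_OK_PASSWORD_EXPIRED)
        sec_login_set_context(ctx, &st);
    else
        sec_login_purge_context(&ctx, &st);
done:
    /* The routine overwrites the password with NULL bytes on return, but a
     * failure before the call would leave it intact; wipe unconditionally. */
    wipe_secret(password, pwlen);
    return outcome;
}
#endif
```

The point of classify_validation() is that a TRUE return alone is not the whole answer: authn_src tells you whether the security server actually took part (only sec_login_auth_src_network means the TGT and PTGT were obtained), and reset_passwd tells you the account is still usable but its password has expired. The caller's own copy of the password is wiped regardless of which path was taken, because the routine's zeroing guarantee only covers the bytes it was handed.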
Functions: sec_login_certify_identity(), sec_login_setup_identity(), sec_login_valid_and_cert_ident().