SECURE_RPC(3NSL) Networking Services Library Functions SECURE_RPC(3NSL)
NAME
secure_rpc, authdes_getucred, authdes_seccreate, getnetname,
host2netname, key_decryptsession, key_encryptsession, key_gendes,
key_setsecret, key_secretkey_is_set, netname2host, netname2user,
user2netname - library routines for secure remote procedure calls
SYNOPSIS
cc [
flag... ]
file...
-lnsl [
library...]
#include <rpc/rpc.h>
#include <sys/types.h>
int authdes_getucred(
const struct authdes_cred *adc,
uid_t *uidp,
gid_t *gidp,
short *gidlenp,
gid_t *gidlist);
AUTH *authdes_seccreate(
const char *name,
const uint_t window,
const char *timehost,
ckey);
int getnetname(
char name [MAXNETNAMELEN+1]);
int host2netname(
char name [MAXNETNAMELEN+1],
const char *host,
const char *domain);
int key_decryptsession(
const char *remotename,
des_block *deskey);
int key_encryptsession(
const char *remotename,
des_block *deskey);
int key_gendes(
des_block *deskey);
int key_setsecret(
const char *key);
int key_secretkey_is_set(void)
int netname2host(
const char *name,
char *host,
const int hostlen);
int netname2user(
const char *name,
uid_t *uidp,
gid_t *gidp,
int *gidlenp,
gid_t *gidlist [NGRPS]);
int user2netname(
char name [MAXNETNAMELEN+1],
const uid_t uid,
const char *domain);
DESCRIPTION
The
RPC library functions allow C programs to make procedure calls on
other machines across the network.
RPC supports various authentication flavors. Among them are:
AUTH_NONE No authentication (none).
AUTH_SYS Traditional
UNIX-style authentication.
AUTH_DES DES encryption-based authentication.
The
authdes_getucred() and
authdes_seccreate() functions implement the
AUTH_DES authentication style. The keyserver daemon
keyserv(8) must be
running for the
AUTH_DES authentication system to work and
keylogin(1) must have been run. The
AUTH_DES style of authentication is discussed
here. For information about the
AUTH_NONE and
AUTH_SYS flavors of
authentication, refer to
rpc_clnt_auth(3NSL). See
rpc(3NSL) for the
definition of the
AUTH data structure.
The following functions documented on this page are MT-Safe. For the MT-
levels of other authentication styles, see relevant man pages.
authdes_getucred() This is the first of two functions that
interface to the
RPC secure authentication
system
AUTH_DES. The second is the
authdes_seccreate() function. The
authdes_getucred() function is used on the
server side to convert an
AUTH_DES credential,
which is operating system independent, to an
AUTH_SYS credential. The
authdes_getucred() function returns
1 if it succeeds,
0 if it
fails.
The
*uidp parameter is set to the user's
numerical
ID associated with
adc. The
*gidp parameter is set to the numerical
ID of the
user's group. The
*gidlist parameter contains
the numerical
IDs of the other groups to which
the user belongs. The
*gidlenp parameter is
set to the number of valid group ID entries
specified by the
*gidlist parameter.
The
authdes_getucred() function fails if the
authdes_cred structure was created with the
netname of a host. In such a case,
netname2host() should be used to get the host
name from the host netname in the
authdes_cred structure.
authdes_seccreate() The second of two
AUTH_DES authentication
functions, the
authdes_seccreate() function is
used on the client side to return an
authentication handle that enables the use of
the secure authentication system. The first
field,
name, specifies the network name
netname of the owner of the server process. The field
usually represents a hostname derived from the
host2netname() utility, but the field might
also represent a user name converted with the
user2netname() utility.
The second field,
window, specifies the
validity of the client credential in seconds.
If the difference in time between the client's
clock and the server's clock exceeds
window,
the server rejects the client's credentials and
the clock will have to be resynchronized. A
small window is more secure than a large one,
but choosing too small a window increases the
frequency of resynchronization due to clock
drift.
The third parameter,
timehost, is the host's
name and is optional. If
timehost is
NULL, the
authentication system assumes that the local
clock is always in sync with the
timehost clock
and does not attempt resynchronization. If a
timehost is supplied, the system consults the
remote time service whenever resynchronization
is required. The
timehost parameter is usually
the name of the host on which the server is
running.
The final parameter,
ckey, is also optional. If
ckey is
NULL, the authentication system
generates a random
DES key to be used for the
encryption of credentials. If
ckey is supplied,
it is used for encryption.
If
authdes_seccreate() fails, it returns
NULL. getnetname() This function returns the unique, operating
system independent netname of the caller in the
fixed-length array
name. The function returns
1 if it succeeds and
0 if it fails.
host2netname() This function converts a domain-specific
hostname
host to an operating system
independent netname. The function returns
1 if
it succeeds and
0 if it fails. The
host2netname() function is the inverse of the
netname2host() function. If the
domain is
NULL,
host2netname() uses the default domain name of
the machine. If
host is
NULL, it defaults to
that machine itself. If
domain is
NULL and
host is an NIS name such as
myhost.sun.example.com,
the
host2netname() function uses the domain
sun.example.com rather than the default domain
name of the machine.
key_decryptsession() This function is an interface to the keyserver
daemon, which is associated with
RPC's secure
authentication system (
AUTH_DES authentication). User programs rarely need to
call
key_decryptsession() or the associated
functions
key_encryptsession(),
key_gendes(),
and
key_setsecret().
The
key_decryptsession() function takes a
server netname
remotename and a
DES key
deskey,
and decrypts the key by using the public key of
the server and the secret key associated with
the effective
UID of the calling process. The
key_decryptsession() function is the inverse of
key_encryptsession() function.
key_encryptsession() This function is a keyserver interface that
takes a server netname
remotename and a
DES key
deskey, and encrypts the key using the public
key of the server and the secret key associated
with the effective
UID of the calling process.
If the keyserver does not have a key registered
for the UID, it falls back to using the secret
key for the netname
nobody unless this feature
has been disabled. See
keyserv(8). The
key_encryptsession() function is the inverse of
key_decryptsession() function. The
key_encryptsession() function returns
0 if it
succeeds,
-1 if it fails.
key_gendes() This is a keyserver interface function used to
ask the keyserver for a secure conversation
key. Selecting a conversion key at random is
generally not secure because the common ways of
choosing random numbers are too easy to guess.
The
key_gendes() function returns
0 if it
succeeds,
-1 if it fails.
key_setsecret() This is a keyserver interface function used to
set the key for the effective
UID of the
calling process. This function returns
0 if it
succeeds,
-1 if it fails.
key_secretkey_is_set() This is a keyserver interface function used to
determine if a key has been set for the
effective
UID of the calling process. If the
keyserver has a key stored for the effective
UID of the calling process, the
key_secretkey_is_set() function returns
1.
Otherwise it returns
0.
netname2host() This function converts an operating system
independent netname
name to a domain-specific
hostname
host. The
hostlen parameter is the
maximum size of
host. The
netname2host() function returns
1 if it succeeds and
0 if it
fails. The function is the inverse of the
host2netname() function.
netname2user() This function converts an operating system
independent netname to a domain-specific user
ID. The
netname2user() function returns
1 if it
succeeds and
0 if it fails.The function is the
inverse of the
user2netname() function.
The
*uidp parameter is set to the user's
numerical
ID associated with
name. The
*gidp parameter is set to the numerical
ID of the
user's group. The
gidlist parameter contains
the numerical
IDs of the other groups to which
the user belongs. The
*gidlenp parameter is set
to the number of valid group
ID entries
specified by the
gidlist parameter.
user2netname() This function converts a domain-specific
username to an operating system independent
netname. The
user2netname() function returns
1 if it succeeds and
0 if it fails. The function
is the inverse of
netname2user() function.
ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+---------------+-----------------+
|ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+---------------+-----------------+
|MT-Level | MT-Safe |
+---------------+-----------------+
SEE ALSO
chkey(1),
keylogin(1),
rpc(3NSL),
rpc_clnt_auth(3NSL),
attributes(7),
keyserv(8),
newkey(8) April 9, 2016
SECURE_RPC(3NSL)