diff options
Diffstat (limited to 'doc/html/_sources/plugindev')
| -rw-r--r-- | doc/html/_sources/plugindev/certauth.txt | 27 | ||||
| -rw-r--r-- | doc/html/_sources/plugindev/index.txt | 3 | ||||
| -rw-r--r-- | doc/html/_sources/plugindev/kadm5_auth.txt | 35 | ||||
| -rw-r--r-- | doc/html/_sources/plugindev/kdcpolicy.txt | 24 |
4 files changed, 89 insertions, 0 deletions
diff --git a/doc/html/_sources/plugindev/certauth.txt b/doc/html/_sources/plugindev/certauth.txt new file mode 100644 index 000000000000..8a7f7c5ebad6 --- /dev/null +++ b/doc/html/_sources/plugindev/certauth.txt @@ -0,0 +1,27 @@ +.. _certauth_plugin: + +PKINIT certificate authorization interface (certauth) +===================================================== + +The certauth interface was first introduced in release 1.16. It +allows customization of the X.509 certificate attribute requirements +placed on certificates used by PKINIT enabled clients. For a detailed +description of the certauth interface, see the header file +``<krb5/certauth_plugin.h>`` + +A certauth module implements the **authorize** method to determine +whether a client's certificate is authorized to authenticate a client +principal. **authorize** receives the DER-encoded certificate, the +requested client principal, and a pointer to the client's +krb5_db_entry (for modules that link against libkdb5). It returns the +authorization status and optionally outputs a list of authentication +indicator strings to be added to the ticket. A module must use its +own internal or library-provided ASN.1 certificate decoder. + +A module can optionally create and destroy module data with the +**init** and **fini** methods. Module data objects last for the +lifetime of the KDC process. + +If a module allocates and returns a list of authentication indicators +from **authorize**, it must also implement the **free_ind** method +to free the list. diff --git a/doc/html/_sources/plugindev/index.txt b/doc/html/_sources/plugindev/index.txt index 3fb921778cb5..5e7834635f42 100644 --- a/doc/html/_sources/plugindev/index.txt +++ b/doc/html/_sources/plugindev/index.txt @@ -25,11 +25,14 @@ Contents ccselect.rst pwqual.rst kadm5_hook.rst + kadm5_auth.rst hostrealm.rst localauth.rst locate.rst profile.rst gssapi.rst internal.rst + certauth.rst + kdcpolicy.rst .. TODO: GSSAPI mechanism plugins diff --git a/doc/html/_sources/plugindev/kadm5_auth.txt b/doc/html/_sources/plugindev/kadm5_auth.txt new file mode 100644 index 000000000000..b4839617bd2f --- /dev/null +++ b/doc/html/_sources/plugindev/kadm5_auth.txt @@ -0,0 +1,35 @@ +.. _kadm5_auth_plugin: + +kadmin authorization interface (kadm5_auth) +=========================================== + +The kadm5_auth interface (new in release 1.16) allows modules to +determine whether a client principal is authorized to perform an +operation in the kadmin protocol, and to apply restrictions to +principal operations. For a detailed description of the kadm5_auth +interface, see the header file ``<krb5/kadm5_auth_plugin.h>``. + +A module can create and destroy per-process state objects by +implementing the **init** and **fini** methods. State objects have +the type kadm5_auth_modinfo, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. + +The kadm5_auth interface has one method for each kadmin operation, +with parameters specific to the operation. Each method can return +either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the +decision to other modules, or another error (canonically EPERM) to +authoritatively deny access. Access is granted if at least one module +grants access and no module authoritatively denies access. + +The **addprinc** and **modprinc** methods can also impose restrictions +on the principal operation by returning a ``struct +kadm5_auth_restrictions`` object. The module should also implement +the **free_restrictions** method if it dynamically allocates +restrictions objects for principal operations. + +kadm5_auth modules can optionally inspect principal or policy objects. +To do this, the module must also include ``<kadm5/admin.h>`` to gain +access to the structure definitions for those objects. As the kadmin +interface is explicitly not as stable as other public interfaces, +modules which do this may not retain compatibility across releases. diff --git a/doc/html/_sources/plugindev/kdcpolicy.txt b/doc/html/_sources/plugindev/kdcpolicy.txt new file mode 100644 index 000000000000..74f21f08fbf4 --- /dev/null +++ b/doc/html/_sources/plugindev/kdcpolicy.txt @@ -0,0 +1,24 @@ +.. _kdcpolicy_plugin: + +KDC policy interface (kdcpolicy) +================================ + +The kdcpolicy interface was first introduced in release 1.16. It +allows modules to veto otherwise valid AS and TGS requests or restrict +the lifetime and renew time of the resulting ticket. For a detailed +description of the kdcpolicy interface, see the header file +``<krb5/kdcpolicy_plugin.h>``. + +The optional **check_as** and **check_tgs** functions allow the module +to perform access control. Additionally, a module can create and +destroy module data with the **init** and **fini** methods. Module +data objects last for the lifetime of the KDC process, and are +provided to all other methods. The data has the type +krb5_kdcpolicy_moddata, which should be cast to the appropriate +internal type. + +kdcpolicy modules can optionally inspect principal entries. To do +this, the module must also include ``<kdb.h>`` to gain access to the +principal entry structure definition. As the KDB interface is +explicitly not as stable as other public interfaces, modules which do +this may not retain compatibility across releases. |