source: web/old/remctl-2.14/docs/api/remctl_open.pod @ f6f3e91

web
Last change on this file since f6f3e91 was f6f3e91, checked in by Jessica B. Hamrick <jhamrick@…>, 15 years ago

Preserve directory hierarchy (not sure what happened to it)

  • Property mode set to 100644
File size: 3.5 KB
Line 
1=for stopwords
2remctl const TCP GSS-API DNS DNS-based KRB5CCNAME lookups canonicalization
3libdefaults Allbery CNAME
4
5=head1 NAME
6
7remctl_open - Connect to a remote remctl server
8
9=head1 SYNOPSIS
10
11#include <remctl.h>
12
13int B<remctl_open>(struct remctl *I<r>, const char *I<host>,
14                   unsigned short I<port>,
15                   const char *I<principal>);
16
17=head1 DESCRIPTION
18
19remctl_open() opens a TCP connection to the given I<host> on the given
20I<port> and then authenticates using the remctl protocol and the service
21principal I<principal>.  I<r> is a remctl struct created via remctl_new().
22I<host> must not be NULL.  If I<port> is 0, the library first attempts to
23connect to the registered port of 4373 and then tries the legacy port of
244444 if that fails.  Future versions of the library will drop this
25fallback to 4444.  If I<principal> is NULL, a service principal of
26C<host/I<host>> is used, with the realm determined by domain-realm
27mapping.
28
29If no principal is specified and the default is used, the underlying
30GSS-API library may canonicalize I<host> via DNS before determining the
31service principal, depending on your library configuration.  Specifying a
32principal disables this behavior.
33
34The remctl protocol uses Kerberos v5 via GSS-API for authentication.  The
35underlying GSS-API library will use the default ticket cache for
36authentication, so to successfully use remctl_open(), the caller should
37already have Kerberos tickets for an appropriate realm stored in its
38default ticket cache.  The environment variable KRB5CCNAME can be used to
39control which ticket cache is used.
40
41=head1 RETURN VALUE
42
43remctl_open() returns true on success and false on failure.  On failure,
44the caller should call remctl_error() to retrieve the error message.
45
46=head1 CAVEATS
47
48If the I<principal> argument to remctl_open() is NULL, most GSS-API
49libraries will canonicalize the I<host> using DNS before deriving the
50principal name from it.  This means that when connecting to a remctl
51server via a CNAME, remctl_open() will normally authenticate using a
52principal based on the canonical name of the host instead of the specified
53I<host> parameter.  This behavior may cause problems if two consecutive
54DNS lookups of I<host> may return two different results, such as with some
55DNS-based load-balancing systems.
56
57The canonicalization behavior is controlled by the GSS-API library; with
58the MIT Kerberos GSS-API library, canonicalization can be disabled by
59setting C<rdns> to false in the [libdefaults] section of F<krb5.conf>.  It
60can also be disabled by passing an explicit Kerberos principal name via
61the I<principal> argument, which will then be used without changes.  If
62canonicalization is desired, the caller may wish to canonicalize I<host>
63before calling remctl_open() to avoid problems with multiple DNS calls
64returning different results.
65
66The default behavior, when a port of 0 is given, of trying 4373 and
67falling back to 4444 will be removed in a future version of this library
68in favor of using the C<remctl> service in F</etc/services> if set and
69then falling back on only 4373.  4444 was the poorly-chosen original
70remctl port and should be phased out.
71
72=head1 NOTES
73
74The remctl port number, 4373, was derived by tracing the diagonals of a
75QWERTY keyboard up from the letters C<remc> to the number row.
76
77=head1 SEE ALSO
78
79remctl_new(3), remctl_error(3)
80
81The current version of the remctl library and complete details of the
82remctl protocol are available from its web page at
83L<http://www.eyrie.org/~eagle/software/remctl/>.
84
85=head1 AUTHOR
86
87Russ Allbery <rra@stanford.edu>
88
89=cut
Note: See TracBrowser for help on using the repository browser.