=for stopwords
remctl const TCP GSS-API DNS DNS-based KRB5CCNAME lookups canonicalization
libdefaults Allbery CNAME

=head1 NAME

remctl_open - Connect to a remote remctl server

=head1 SYNOPSIS

    #include <remctl.h>

    int B<remctl_open>(struct remctl *I<r>, const char *I<host>,
                       unsigned short I<port>,
                       const char *I<principal>);

=head1 DESCRIPTION

remctl_open() opens a TCP connection to the given I<host> on the given
I<port> and then authenticates using the remctl protocol and the service
principal I<principal>. I<r> is a remctl struct created via remctl_new().
I<host> must not be NULL. If I<port> is 0, the library first attempts to
connect to the registered port of 4373 and then tries the legacy port of
4444 if that fails. Future versions of the library will drop this
fallback to 4444. If I<principal> is NULL, a service principal of
C<host/I<host>> is used, with the realm determined by domain-realm
mapping.

If no principal is specified and the default is used, the underlying
GSS-API library may canonicalize I<host> via DNS before determining the
service principal, depending on your library configuration. Specifying a
principal disables this behavior.

The remctl protocol uses Kerberos v5 via GSS-API for authentication. The
underlying GSS-API library will use the default ticket cache for
authentication, so to successfully use remctl_open(), the caller should
already have Kerberos tickets for an appropriate realm stored in its
default ticket cache. The environment variable KRB5CCNAME can be used to
control which ticket cache is used.

=head1 RETURN VALUE

remctl_open() returns true on success and false on failure. On failure,
the caller should call remctl_error() to retrieve the error message.

=head1 CAVEATS

If the I<principal> argument to remctl_open() is NULL, most GSS-API
libraries will canonicalize the I<host> using DNS before deriving the
principal name from it. This means that when connecting to a remctl
server via a CNAME, remctl_open() will normally authenticate using a
principal based on the canonical name of the host instead of the specified
I<host> parameter. This behavior may cause problems if two consecutive
DNS lookups of I<host> can return two different results, such as with some
DNS-based load-balancing systems.

The canonicalization behavior is controlled by the GSS-API library; with
the MIT Kerberos GSS-API library, canonicalization can be disabled by
setting C<rdns> to false in the [libdefaults] section of F<krb5.conf>. It
can also be disabled by passing an explicit Kerberos principal name via
the I<principal> argument, which will then be used without changes. If
canonicalization is desired, the caller may wish to canonicalize I<host>
before calling remctl_open() to avoid problems with multiple DNS calls
returning different results.

The default behavior, when a port of 0 is given, of trying 4373 and
falling back to 4444 will be removed in a future version of this library
in favor of using the C<remctl> service in F</etc/services> if set and
then falling back on only 4373. 4444 was the poorly-chosen original
remctl port and should be phased out.

=head1 NOTES

The remctl port number, 4373, was derived by tracing the diagonals of a
QWERTY keyboard up from the letters C<remc> to the number row.

=head1 SEE ALSO

remctl_new(3), remctl_error(3)

The current version of the remctl library and complete details of the
remctl protocol are available from its web page at
L<http://www.eyrie.org/~eagle/software/remctl/>.

=head1 AUTHOR

Russ Allbery <rra@stanford.edu>

=cut