HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 6 KRB5 (Kerberos V5) Application Programming Interface

krb5_get_credentials — Get an additional ticket for the client

  Table of Contents



C Prototype

krb5_error_code krb5_get_credentials(
krb5_context context,
const krb5_flags options,
krb5_ccache ccache,
krb5_creds *in_creds,
krb5_creds *out_creds );


context (input/output) 

The context structure.

options (input) 

Valid values are as follows:

KRB5_GC_USER_USER — Return a full user to user authentication ticket

KRB5_GC_CACHED — Only search credentials cache for the ticket.

ccache (input) 

The credentials cache.

in_creds (input) 

Input credentials.

out_creds (output) 

Output credentials.


This routine attempts to use the credentials cache ccache or a TGS exchange to get an additional ticket for the client identified by in_creds->client, with the following information:

  • The server identified by in_creds->server.

  • The options in options. Valid choices are KRB5_GC_USER_USER and KRB5_GC_CACHED.

  • The expiration date specified in in_creds->times.endtime.

  • The session key type specified in in_creds->keyblock.keytype if it is nonzero.

If options specifies KRB5_GC_CACHED, then krb5_get_credentials will only search the credentials cache for a ticket.

If options specifies KRB5_GC_USER_USER, then krb5_get_credentials will get credentials for a user-to-user authentication. In a user-to-user authentication, the secret key for the server is the session key from the server's ticket granting ticket (TGT). The TGT is passed from the server to the client over the network; this is safe since the TGT is encrypted in a key known only by the Kerberos server. The client must pass this TGT to krb5_get_credentials in in_creds->second_ticket. The Kerberos server will use this TGT to construct a user-to-user ticket that can be verified by the server, by using the session key from its TGT.

The effective expiration date is the minimum of the following:

  • The expiration date as specified in in_creds->times.endtime.

  • The requested start time plus the maximum lifetime of the server as specified by the server's entry in the Kerberos database.

  • The requested start time plus the maximum lifetime of tickets allowed in the local site, as specified by the KDC. This is a compile-time option, KRB5_KDB_MAX_LIFE in config.h, and is by default one day.

If any special authorization data needs to be included in the ticket for example, restrictions on how the ticket can be used, they should be specified in in_creds->authdata. If there is no special authorization data to be passed, in_creds->authdata should be NULL.

Any returned ticket and intermediate ticket-granting tickets are stored in ccache.

Return Values

This routine returns one of the following KRB5 status codes:


Successful completion.

ENOMEM Insufficient memory.