OSF DCE Application Development Guide--Core Components
Chapter 29. The Login API
The login API communicates with the security server to establish, and possibly change, a
principal’s login context. A login context contains the information necessary for a
principal to qualify for (although not necessarily be granted) access to network services
and possibly local resources as well. Login context information normally includes the
following:
• Identity information concerning the principal, including its certificate of identity (in
shared-secret authentication, this is the TGT), its PAC, and registry policy
information such as the maximum lifetime of certificates of identity.
• The context state; that is, whether the authentication service has validated the context
or not.
• The source of authentication information. (It may originate from the network
authentication service, or locally, if that network service is unavailable.)
29.1 Establishing Login Contexts
This section outlines the basic procedure by which a network login context is
established. See Chapter 23 for a detailed description of this process.
The procedure is as follows:
1. The client calls sec_login_setup_identity() specifying the name of the principal
whose network identity is to be established. Memory is allocated to receive the
principal’s login context.
2. The client calls sec_login_valid_and_cert_ident(), which does the following:
a. Forwards to the authentication service a TGT request encrypted with the user’s
secret key and with a random key; the authentication service decrypts the request,
authenticates the principal, and returns a TGT for the principal.
b. The client’s security runtime then decrypts the TGT and forwards it to the
privilege service, which creates a PAC for the principal and encloses it in a
PTGT, which is returned to the client’s security runtime.
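The two-step procedure above, carried through to installing the context, as an added example that is not part of the guide. It assumes the DCE security runtime (`<dce/sec_login.h>` and its library) and a registry reachable from the host, so it only runs inside a DCE cell; the principal name and password are caller-supplied placeholders.

```c
#include <stdio.h>
#include <string.h>
#include <dce/sec_login.h>   /* DCE security runtime; assumed present on the host */

/* Establish a network login context for `principal` and make it the
 * process's current context. Returns 0 on success, -1 on failure.
 * `password` is overwritten with zeros before the function returns. */
static int establish_login_context(unsigned char *principal, unsigned char *password)
{
    sec_login_handle_t   login_context;
    sec_passwd_rec_t     pw_entry;
    sec_login_auth_src_t auth_src;
    boolean32            reset_passwd;
    error_status_t       status;

    /* Step 1: allocate the context; no TGT has been obtained yet. */
    if (!sec_login_setup_identity(principal, sec_login_no_flags,
                                  &login_context, &status)) {
        fprintf(stderr, "sec_login_setup_identity failed: 0x%lx\n", (unsigned long)status);
        return -1;
    }

    /* Step 2: validate with the key derived from the password and certify
     * that the TGT really came from the authentication service. */
    pw_entry.version_number = sec_passwd_c_version_none;
    pw_entry.pepper = NULL;
    pw_entry.key.key_type = sec_passwd_plain;
    pw_entry.key.tagged_union.plain = password;

    if (!sec_login_valid_and_cert_ident(login_context, &pw_entry,
                                        &reset_passwd, &auth_src, &status)) {
        fprintf(stderr, "validate/certify failed: 0x%lx\n", (unsigned long)status);
        memset(password, 0, strlen((char *)password));
        sec_login_purge_context(&login_context, &status);
        return -1;
    }
    memset(password, 0, strlen((char *)password));

    /* A context validated from local data only has no TGT and therefore no
     * network credentials; report it so callers do not treat it as a full login. */
    if (auth_src != sec_login_auth_src_network)
        fprintf(stderr, "warning: identity validated locally, no network credentials\n");
    if (reset_passwd)
        fprintf(stderr, "note: registry policy requires a password change\n");

    /* Install the validated context as the process's current login context. */
    sec_login_set_context(login_context, &status);
    if (status != error_status_ok) {
        sec_login_purge_context(&login_context, &status);
        return -1;
    }
    return 0;
}
```

Call `sec_login_purge_context()` on the handle when the program is done with it so the credentials do not outlive the process.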
124245 Tandem Computers Incorporated 29−1