2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
38 #ifdef HAVE_FRAMEWORK_SECURITY
39 #include <Security/Security.h>
47 #define SIGINFO SIGUSR1
50 int forwardable_flag
= -1;
51 int proxiable_flag
= -1;
52 int renewable_flag
= -1;
55 int validate_flag
= 0;
59 struct getarg_strings extra_addresses
;
60 int anonymous_flag
= 0;
61 char *lifetime
= NULL
;
62 char *renew_life
= NULL
;
63 char *server_str
= NULL
;
64 static krb5_principal tgs_service
;
65 char *cred_cache
= NULL
;
66 char *start_str
= NULL
;
67 static int default_for
= 0;
68 static int switch_cache_flags
= -1;
69 struct getarg_strings etype_str
;
71 char *keytab_str
= NULL
;
72 static krb5_keytab kt
= NULL
;
75 char *password_file
= NULL
;
76 char *pk_user_id
= NULL
;
77 int pk_enterprise_flag
= 0;
78 struct hx509_certs_data
*ent_user_id
= NULL
;
79 char *pk_x509_anchors
= NULL
;
80 int pk_use_enckey
= 0;
81 int pk_anon_fast_armor
= 0;
82 char *gss_preauth_mech
= NULL
;
83 char *gss_preauth_name
= NULL
;
84 char *kdc_hostname
= NULL
;
85 static int canonicalize_flag
= 0;
86 static int enterprise_flag
= 0;
87 static int ok_as_delegate_flag
= 0;
88 static char *fast_armor_cache_string
= NULL
;
89 static int use_referrals_flag
= 0;
90 static int windows_flag
= 0;
92 static char *ntlm_domain
;
96 static struct getargs args
[] = {
110 { "afslog", 0 , arg_flag
, &do_afslog
,
111 NP_("obtain afs tokens", ""), NULL
},
113 { "cache", 'c', arg_string
, &cred_cache
,
114 NP_("credentials cache", ""), "cachename" },
116 { "forwardable", 'F', arg_negative_flag
, &forwardable_flag
,
117 NP_("get tickets not forwardable", ""), NULL
},
119 { NULL
, 'f', arg_flag
, &forwardable_flag
,
120 NP_("get forwardable tickets", ""), NULL
},
122 { "keytab", 't', arg_string
, &keytab_str
,
123 NP_("keytab to use", ""), "keytabname" },
125 { "lifetime", 'l', arg_string
, &lifetime
,
126 NP_("lifetime of tickets", ""), "time" },
128 { "proxiable", 'p', arg_flag
, &proxiable_flag
,
129 NP_("get proxiable tickets", ""), NULL
},
131 { "renew", 'R', arg_flag
, &renew_flag
,
132 NP_("renew TGT", ""), NULL
},
134 { "renewable", 0, arg_flag
, &renewable_flag
,
135 NP_("get renewable tickets", ""), NULL
},
137 { "renewable-life", 'r', arg_string
, &renew_life
,
138 NP_("renewable lifetime of tickets", ""), "time" },
140 { "server", 'S', arg_string
, &server_str
,
141 NP_("server to get ticket for", ""), "principal" },
143 { "start-time", 's', arg_string
, &start_str
,
144 NP_("when ticket gets valid", ""), "time" },
146 { "use-keytab", 'k', arg_flag
, &use_keytab
,
147 NP_("get key from keytab", ""), NULL
},
149 { "validate", 'v', arg_flag
, &validate_flag
,
150 NP_("validate TGT", ""), NULL
},
152 { "enctypes", 'e', arg_strings
, &etype_str
,
153 NP_("encryption types to use", ""), "enctypes" },
155 { "fcache-version", 0, arg_integer
, &fcache_version
,
156 NP_("file cache version to create", ""), NULL
},
158 { "addresses", 'A', arg_negative_flag
, &addrs_flag
,
159 NP_("request a ticket with no addresses", ""), NULL
},
161 { "extra-addresses",'a', arg_strings
, &extra_addresses
,
162 NP_("include these extra addresses", ""), "addresses" },
164 { "anonymous", 'n', arg_flag
, &anonymous_flag
,
165 NP_("request an anonymous ticket", ""), NULL
},
167 { "request-pac", 0, arg_flag
, &pac_flag
,
168 NP_("request a Windows PAC", ""), NULL
},
170 { "password-file", 0, arg_string
, &password_file
,
171 NP_("read the password from a file", ""), NULL
},
173 { "canonicalize",0, arg_flag
, &canonicalize_flag
,
174 NP_("canonicalize client principal", ""), NULL
},
176 { "enterprise",0, arg_flag
, &enterprise_flag
,
177 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL
},
179 { "pk-enterprise", 0, arg_flag
, &pk_enterprise_flag
,
180 NP_("use enterprise name from certificate", ""), NULL
},
182 { "pk-user", 'C', arg_string
, &pk_user_id
,
183 NP_("principal's public/private/certificate identifier", ""), "id" },
185 { "x509-anchors", 'D', arg_string
, &pk_x509_anchors
,
186 NP_("directory with CA certificates", ""), "directory" },
188 { "pk-use-enckey", 0, arg_flag
, &pk_use_enckey
,
189 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL
},
191 { "pk-anon-fast-armor", 0, arg_flag
, &pk_anon_fast_armor
,
192 NP_("use unauthenticated anonymous PKINIT as FAST armor", ""), NULL
},
195 { "gss-mech", 0, arg_string
, &gss_preauth_mech
,
196 NP_("use GSS mechanism for pre-authentication", ""), NULL
},
198 { "gss-name", 0, arg_string
, &gss_preauth_name
,
199 NP_("use distinct GSS identity for pre-authentication", ""), NULL
},
201 { "kdc-hostname", 0, arg_string
, &kdc_hostname
,
202 NP_("KDC host name", ""), "hostname" },
205 { "ntlm-domain", 0, arg_string
, &ntlm_domain
,
206 NP_("NTLM domain", ""), "domain" },
209 { "change-default", 0, arg_negative_flag
, &switch_cache_flags
,
210 NP_("switch the default cache to the new credentials cache", ""), NULL
},
212 { "default-for-principal", 0, arg_flag
, &default_for
,
213 NP_("Use a default cache appropriate for the client principal", ""), NULL
},
215 { "ok-as-delegate", 0, arg_flag
, &ok_as_delegate_flag
,
216 NP_("honor ok-as-delegate on tickets", ""), NULL
},
218 { "fast-armor-cache", 0, arg_string
, &fast_armor_cache_string
,
219 NP_("use this credential cache as FAST armor cache", ""), "cache" },
221 { "use-referrals", 0, arg_flag
, &use_referrals_flag
,
222 NP_("only use referrals, no dns canalisation", ""), NULL
},
224 { "windows", 0, arg_flag
, &windows_flag
,
225 NP_("get windows behavior", ""), NULL
},
227 { "version", 0, arg_flag
, &version_flag
, NULL
, NULL
},
228 { "help", 0, arg_flag
, &help_flag
, NULL
, NULL
}
232 get_default_realm(krb5_context context
);
237 arg_printusage_i18n(args
, sizeof(args
)/sizeof(*args
), N_("Usage: ", ""),
238 NULL
, "[principal [command]]", getarg_i18n
);
242 static krb5_error_code
243 tgs_principal(krb5_context context
,
245 krb5_principal client
,
246 krb5_const_realm tgs_realm
,
247 krb5_principal
*out_princ
)
250 krb5_principal tgs_princ
;
255 ret
= krb5_make_principal(context
, &tgs_princ
, tgs_realm
,
256 KRB5_TGS_NAME
, tgs_realm
, NULL
);
261 * Don't fail-over to a different realm just because a TGT expired
263 options
= KRB5_GC_CACHED
| KRB5_GC_EXPIRED_OK
;
265 memset(&creds
, 0, sizeof(creds
));
266 creds
.client
= client
;
267 creds
.server
= tgs_princ
;
268 ret
= krb5_get_credentials(context
, options
, cache
, &creds
, &tick
);
270 krb5_free_creds(context
, tick
);
271 *out_princ
= tgs_princ
;
273 krb5_free_principal(context
, tgs_princ
);
281 * Try TGS specified with '-S',
282 * then TGS of client realm,
283 * then if fallback is FALSE: fail,
284 * otherwise try TGS of default realm,
285 * and finally first TGT in ccache.
287 static krb5_error_code
288 get_server(krb5_context context
,
290 krb5_principal client
,
292 krb5_boolean fallback
,
293 krb5_principal
*princ
)
295 krb5_error_code ret
= 0;
296 krb5_const_realm realm
;
297 krb5_realm def_realm
;
298 krb5_cc_cursor cursor
;
306 ret
= krb5_parse_name(context
, server
, &tgs_service
);
310 /* Try the client realm first */
311 realm
= krb5_principal_get_realm(context
, client
);
312 ret
= tgs_principal(context
, cache
, client
, realm
, &tgs_service
);
313 if (ret
== 0 || ret
!= KRB5_CC_NOTFOUND
)
319 /* Next try the default realm */
320 ret
= krb5_get_default_realm(context
, &def_realm
);
323 ret
= tgs_principal(context
, cache
, client
, def_realm
, &tgs_service
);
325 if (ret
== 0 || ret
!= KRB5_CC_NOTFOUND
)
328 /* Finally try the first TGT with instance == realm in the cache */
329 ret
= krb5_cc_start_seq_get(context
, cache
, &cursor
);
333 for (/**/; ret
== 0; krb5_free_cred_contents (context
, &creds
)) {
335 ret
= krb5_cc_next_cred(context
, cache
, &cursor
, &creds
);
338 if (creds
.server
->name
.name_string
.len
!= 2)
340 pcomp
= krb5_principal_get_comp_string(context
, creds
.server
, 0);
341 if (strcmp(pcomp
, KRB5_TGS_NAME
) != 0)
343 realm
= krb5_principal_get_realm(context
, creds
.server
);
344 pcomp
= krb5_principal_get_comp_string(context
, creds
.server
, 1);
345 if (strcmp(realm
, pcomp
) != 0)
347 ret
= krb5_copy_principal(context
, creds
.server
, &tgs_service
);
350 if (ret
== KRB5_CC_END
) {
351 ret
= KRB5_CC_NOTFOUND
;
352 krb5_set_error_message(context
, ret
,
353 N_("Credential cache contains no TGTs", ""));
355 krb5_cc_end_seq_get(context
, cache
, &cursor
);
359 ret
= krb5_copy_principal(context
, tgs_service
, princ
);
363 static krb5_error_code
364 copy_configs(krb5_context context
,
367 krb5_principal start_ticket_server
)
370 const char *cfg_names
[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL
};
371 const char *cfg_names_w_pname
[] = {"fast_avail", NULL
};
375 for (i
= 0; cfg_names
[i
]; i
++) {
376 ret
= krb5_cc_get_config(context
, src
, NULL
, cfg_names
[i
], &cfg_data
);
377 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
380 krb5_warn(context
, ret
, "krb5_cc_get_config");
383 ret
= krb5_cc_set_config(context
, dst
, NULL
, cfg_names
[i
], &cfg_data
);
385 krb5_warn(context
, ret
, "krb5_cc_set_config");
387 for (i
= 0; start_ticket_server
&& cfg_names_w_pname
[i
]; i
++) {
388 ret
= krb5_cc_get_config(context
, src
, start_ticket_server
,
389 cfg_names_w_pname
[i
], &cfg_data
);
390 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
393 krb5_warn(context
, ret
, "krb5_cc_get_config");
396 ret
= krb5_cc_set_config(context
, dst
, start_ticket_server
,
397 cfg_names_w_pname
[i
], &cfg_data
);
398 if (ret
&& ret
!= KRB5_CC_NOTFOUND
)
399 krb5_warn(context
, ret
, "krb5_cc_set_config");
402 * We don't copy cc configs for any other principals though (mostly
403 * those are per-target time offsets and the like, so it's bad to
404 * lose them, but hardly the end of the world, and as they may not
405 * expire anyways, it's good to let them go).
410 static krb5_error_code
411 get_anon_pkinit_tgs_name(krb5_context context
,
413 krb5_principal
*tgs_name
)
419 ret
= krb5_cc_get_config(context
, ccache
, NULL
, "anon_pkinit_realm", &data
);
421 realm
= strndup(data
.data
, data
.length
);
423 realm
= get_default_realm(context
);
425 krb5_data_free(&data
);
428 return krb5_enomem(context
);
430 ret
= krb5_make_principal(context
, tgs_name
, realm
,
431 KRB5_TGS_NAME
, realm
, NULL
);
438 static krb5_error_code
439 renew_validate(krb5_context context
,
443 krb5_const_principal principal
,
444 krb5_boolean cache_is_default_for
,
449 krb5_ccache tempccache
= NULL
;
450 krb5_ccache cache
= *cachep
;
451 krb5_creds in
, *out
= NULL
;
452 krb5_kdc_flags flags
;
454 memset(&in
, 0, sizeof(in
));
456 ret
= krb5_cc_get_principal(context
, cache
, &in
.client
);
457 if (ret
&& cache_is_default_for
&& principal
) {
458 krb5_error_code ret2
;
459 krb5_ccache def_ccache
= NULL
;
461 ret2
= krb5_cc_default(context
, &def_ccache
);
463 ret2
= krb5_cc_get_principal(context
, def_ccache
, &in
.client
);
465 krb5_principal_compare(context
, principal
, in
.client
)) {
466 krb5_cc_close(context
, *cachep
);
467 cache
= *cachep
= def_ccache
;
471 krb5_cc_close(context
, def_ccache
);
474 krb5_warn(context
, ret
, "krb5_cc_get_principal");
478 if (principal
&& !krb5_principal_compare(context
, principal
, in
.client
)) {
481 (void) krb5_cc_get_full_name(context
, cache
, &ccname
);
482 krb5_errx(context
, 1, "Credentials in cache %s do not match requested "
483 "principal", ccname
? ccname
: "requested");
487 if (server
== NULL
&&
488 krb5_principal_is_anonymous(context
, in
.client
,
489 KRB5_ANON_MATCH_UNAUTHENTICATED
))
490 ret
= get_anon_pkinit_tgs_name(context
, cache
, &in
.server
);
492 ret
= get_server(context
, cache
, in
.client
, server
, TRUE
, &in
.server
);
494 krb5_warn(context
, ret
, "get_server");
500 * no need to check the error here, it's only to be
501 * friendly to the user
503 krb5_get_credentials(context
, KRB5_GC_CACHED
, cache
, &in
, &out
);
507 flags
.b
.renewable
= flags
.b
.renew
= renew
;
508 flags
.b
.validate
= validate
;
510 if (forwardable_flag
!= -1)
511 flags
.b
.forwardable
= forwardable_flag
;
513 flags
.b
.forwardable
= out
->flags
.b
.forwardable
;
515 if (proxiable_flag
!= -1)
516 flags
.b
.proxiable
= proxiable_flag
;
518 flags
.b
.proxiable
= out
->flags
.b
.proxiable
;
521 flags
.b
.request_anonymous
= anonymous_flag
;
523 in
.times
.endtime
= time(NULL
) + life
;
526 krb5_free_creds(context
, out
);
531 ret
= krb5_get_kdc_cred(context
,
539 krb5_warn(context
, ret
, "krb5_get_kdc_cred");
543 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, cache
),
546 krb5_warn(context
, ret
, "krb5_cc_new_unique");
550 ret
= krb5_cc_initialize(context
, tempccache
, in
.client
);
552 krb5_warn(context
, ret
, "krb5_cc_initialize");
556 ret
= krb5_cc_store_cred(context
, tempccache
, out
);
558 krb5_warn(context
, ret
, "krb5_cc_store_cred");
563 * We want to preserve cc configs as some are security-relevant, and
564 * anyways it's the friendly thing to do.
566 ret
= copy_configs(context
, tempccache
, cache
, out
->server
);
570 ret
= krb5_cc_move(context
, tempccache
, cache
);
572 krb5_warn(context
, ret
, "krb5_cc_move");
579 krb5_cc_destroy(context
, tempccache
);
581 krb5_free_creds(context
, out
);
582 krb5_free_cred_contents(context
, &in
);
586 static krb5_error_code
587 make_wellknown_name(krb5_context context
,
588 krb5_const_realm realm
,
589 const char *instance
,
590 krb5_principal
*principal
)
594 ret
= krb5_make_principal(context
, principal
, realm
,
595 KRB5_WELLKNOWN_NAME
, instance
, NULL
);
597 krb5_principal_set_type(context
, *principal
, KRB5_NT_WELLKNOWN
);
602 static krb5_error_code
603 acquire_gss_cred(krb5_context context
,
604 krb5_const_principal client
,
611 OM_uint32 major
, minor
;
612 gss_name_t name
= GSS_C_NO_NAME
;
613 gss_key_value_element_desc cred_element
;
614 gss_key_value_set_desc cred_store
;
615 gss_OID_set_desc mechs
;
617 *cred
= GSS_C_NO_CREDENTIAL
;
618 *mech
= GSS_C_NO_OID
;
620 if (gss_preauth_mech
) {
621 *mech
= gss_name_to_oid(gss_preauth_mech
);
622 if (*mech
== GSS_C_NO_OID
)
626 if (gss_preauth_name
) {
629 buf
.value
= gss_preauth_name
;
630 buf
.length
= strlen(gss_preauth_name
);
632 major
= gss_import_name(&minor
, &buf
, GSS_C_NT_USER_NAME
, &name
);
633 ret
= _krb5_gss_map_error(major
, minor
);
634 } else if (!krb5_principal_is_federated(context
, client
)) {
635 ret
= _krb5_gss_pa_unparse_name(context
, client
, &name
);
638 * WELLKNOWN/FEDERATED is used a placeholder where the user
639 * did not specify either a Kerberos credential or a GSS-API
640 * initiator name. It avoids the expense of acquiring a default
641 * credential purely to interrogate the credential name.
643 name
= GSS_C_NO_NAME
;
649 cred_store
.count
= 1;
650 cred_store
.elements
= &cred_element
;
652 if (passwd
&& passwd
[0]) {
653 cred_element
.key
= "password";
654 cred_element
.value
= passwd
;
655 } else if (keytab_str
) {
656 cred_element
.key
= "client_keytab",
657 cred_element
.value
= keytab_str
;
659 cred_store
.count
= 0;
664 mechs
.elements
= (gss_OID
)*mech
;
667 major
= gss_acquire_cred_from(&minor
,
669 life
? life
: GSS_C_INDEFINITE
,
670 *mech
? &mechs
: GSS_C_NO_OID_SET
,
676 if (major
!= GSS_S_COMPLETE
) {
677 ret
= _krb5_gss_map_error(major
, minor
);
682 gss_release_name(&minor
, &name
);
688 static krb5_error_code
689 store_ntlmkey(krb5_context context
, krb5_ccache id
,
690 const char *domain
, struct ntlm_buf
*buf
)
697 ret
= krb5_cc_get_config(context
, id
, NULL
, "default-ntlm-domain", &data
);
699 krb5_data_free(&data
);
701 data
.length
= strlen(domain
);
702 data
.data
= rk_UNCONST(domain
);
703 ret
= krb5_cc_set_config(context
, id
, NULL
, "default-ntlm-domain", &data
);
708 aret
= asprintf(&name
, "ntlm-key-%s", domain
);
709 if (aret
== -1 || name
== NULL
)
710 return krb5_enomem(context
);
712 data
.length
= buf
->length
;
713 data
.data
= buf
->data
;
715 ret
= krb5_cc_set_config(context
, id
, NULL
, name
, &data
);
721 static krb5_error_code
722 get_new_tickets(krb5_context context
,
723 krb5_principal principal
,
725 krb5_deltat ticket_life
,
727 int anonymous_pkinit
)
732 krb5_deltat start_time
= 0;
733 krb5_deltat renew
= 0;
734 const char *renewstr
= NULL
;
735 krb5_enctype
*enctype
= NULL
;
736 krb5_ccache tempccache
= NULL
;
737 krb5_init_creds_context ctx
= NULL
;
738 krb5_get_init_creds_opt
*opt
= NULL
;
739 krb5_prompter_fct prompter
= krb5_prompter_posix
;
740 gss_cred_id_t gss_cred
= GSS_C_NO_CREDENTIAL
;
741 gss_OID gss_mech
= GSS_C_NO_OID
;
742 krb5_principal federated_name
= NULL
;
745 struct ntlm_buf ntlmkey
;
746 memset(&ntlmkey
, 0, sizeof(ntlmkey
));
756 if (strcasecmp("STDIN", password_file
) == 0)
759 f
= fopen(password_file
, "r");
761 krb5_warnx(context
, N_("Failed to open the password file %s", ""),
766 if (fgets(passwd
, sizeof(passwd
), f
) == NULL
) {
767 krb5_warnx(context
, N_("Failed to read password from file %s", ""),
771 return EINVAL
; /* XXX Need a better error */
775 passwd
[strcspn(passwd
, "\n")] = '\0';
778 #ifdef HAVE_FRAMEWORK_SECURITY
779 if (passwd
[0] == '\0') {
786 realm
= krb5_principal_get_realm(context
, principal
);
788 ret
= krb5_unparse_name_flags(context
, principal
,
789 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &name
);
793 osret
= SecKeychainFindGenericPassword(NULL
, strlen(realm
), realm
,
795 &length
, &buffer
, NULL
);
797 if (osret
== noErr
&& length
< sizeof(passwd
) - 1) {
798 memcpy(passwd
, buffer
, length
);
799 passwd
[length
] = '\0';
806 memset(&cred
, 0, sizeof(cred
));
808 ret
= krb5_get_init_creds_opt_alloc(context
, &opt
);
810 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_alloc");
814 krb5_get_init_creds_opt_set_default_flags(context
, "kinit",
815 krb5_principal_get_realm(context
, principal
), opt
);
817 if (forwardable_flag
!= -1)
818 krb5_get_init_creds_opt_set_forwardable(opt
, forwardable_flag
);
819 if (proxiable_flag
!= -1)
820 krb5_get_init_creds_opt_set_proxiable(opt
, proxiable_flag
);
822 krb5_get_init_creds_opt_set_anonymous(opt
, anonymous_flag
);
824 krb5_get_init_creds_opt_set_pac_request(context
, opt
,
825 pac_flag
? TRUE
: FALSE
);
826 if (canonicalize_flag
)
827 krb5_get_init_creds_opt_set_canonicalize(context
, opt
, TRUE
);
828 if (pk_enterprise_flag
|| enterprise_flag
|| canonicalize_flag
|| windows_flag
)
829 krb5_get_init_creds_opt_set_win2k(context
, opt
, TRUE
);
830 if (pk_user_id
|| ent_user_id
|| anonymous_pkinit
) {
831 ret
= krb5_get_init_creds_opt_set_pkinit(context
, opt
,
837 pk_use_enckey
? KRB5_GIC_OPT_PKINIT_USE_ENCKEY
: 0 |
838 anonymous_pkinit
? KRB5_GIC_OPT_PKINIT_ANONYMOUS
: 0,
843 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_set_pkinit");
847 krb5_get_init_creds_opt_set_pkinit_user_certs(context
, opt
, ent_user_id
);
850 if (addrs_flag
!= -1)
851 krb5_get_init_creds_opt_set_addressless(context
, opt
,
852 addrs_flag
? FALSE
: TRUE
);
854 if (renew_life
== NULL
&& renewable_flag
)
855 renewstr
= "6 months";
857 renewstr
= renew_life
;
859 renew
= parse_time(renewstr
, "s");
861 errx(1, "unparsable time: %s", renewstr
);
863 krb5_get_init_creds_opt_set_renew_life(opt
, renew
);
866 if (ticket_life
!= 0)
867 krb5_get_init_creds_opt_set_tkt_life(opt
, ticket_life
);
870 int tmp
= parse_time(start_str
, "s");
872 errx(1, N_("unparsable time: %s", ""), start_str
);
877 if (etype_str
.num_strings
) {
880 enctype
= malloc(etype_str
.num_strings
* sizeof(*enctype
));
882 errx(1, "out of memory");
883 for(i
= 0; i
< etype_str
.num_strings
; i
++) {
884 ret
= krb5_string_to_enctype(context
,
885 etype_str
.strings
[i
],
888 errx(1, "unrecognized enctype: %s", etype_str
.strings
[i
]);
890 krb5_get_init_creds_opt_set_etype_list(opt
, enctype
,
891 etype_str
.num_strings
);
894 if (gss_preauth_mech
|| gss_preauth_name
) {
895 ret
= acquire_gss_cred(context
, principal
, ticket_life
,
896 passwd
, &gss_cred
, &gss_mech
);
901 * The principal specified on the command line is used as the GSS-API
902 * initiator name, unless the --gss-name option was present, in which
903 * case the initiator name is specified independently.
905 if (gss_preauth_name
== NULL
) {
906 krb5_const_realm realm
= krb5_principal_get_realm(context
, principal
);
908 ret
= make_wellknown_name(context
, realm
,
909 KRB5_FEDERATED_NAME
, &federated_name
);
913 principal
= federated_name
;
917 ret
= krb5_init_creds_init(context
, principal
, prompter
, NULL
, start_time
, opt
, &ctx
);
919 krb5_warn(context
, ret
, "krb5_init_creds_init");
924 ret
= krb5_init_creds_set_service(context
, ctx
, server_str
);
926 krb5_warn(context
, ret
, "krb5_init_creds_set_service");
932 ret
= krb5_init_creds_set_kdc_hostname(context
, ctx
, kdc_hostname
);
934 krb5_warn(context
, ret
, "krb5_init_creds_set_kdc_hostname");
939 if (fast_armor_cache_string
) {
940 krb5_ccache fastid
= NULL
;
942 if (pk_anon_fast_armor
)
943 krb5_errx(context
, 1,
944 N_("cannot specify FAST armor cache with FAST "
945 "anonymous PKINIT option", ""));
947 ret
= krb5_cc_resolve(context
, fast_armor_cache_string
, &fastid
);
949 krb5_warn(context
, ret
, "krb5_cc_resolve(FAST cache)");
953 ret
= krb5_init_creds_set_fast_ccache(context
, ctx
, fastid
);
955 krb5_warn(context
, ret
, "krb5_init_creds_set_fast_ccache");
958 } else if (pk_anon_fast_armor
) {
959 ret
= krb5_init_creds_set_fast_anon_pkinit(context
, ctx
);
961 krb5_warn(context
, ret
, "krb5_init_creds_set_fast_anon_pkinit");
966 if (gss_mech
!= GSS_C_NO_OID
) {
967 ret
= krb5_gss_set_init_creds(context
, ctx
, gss_cred
, gss_mech
);
969 krb5_warn(context
, ret
, "krb5_gss_set_init_creds");
972 } else if (use_keytab
|| keytab_str
) {
973 ret
= krb5_init_creds_set_keytab(context
, ctx
, kt
);
975 krb5_warn(context
, ret
, "krb5_init_creds_set_keytab");
978 } else if (pk_user_id
|| ent_user_id
||
979 krb5_principal_is_anonymous(context
, principal
, KRB5_ANON_MATCH_ANY
)) {
981 } else if (!interactive
&& passwd
[0] == '\0') {
982 static int already_warned
= 0;
985 krb5_warnx(context
, "Not interactive, failed to get "
987 krb5_get_init_creds_opt_free(context
, opt
);
992 if (passwd
[0] == '\0') {
996 ret
= krb5_unparse_name(context
, principal
, &p
);
998 errx(1, "failed to generate passwd prompt: not enough memory");
1000 aret
= asprintf(&prompt
, N_("%s's Password: ", ""), p
);
1003 errx(1, "failed to generate passwd prompt: not enough memory");
1005 if (UI_UTIL_read_pw_string(passwd
, sizeof(passwd
)-1, prompt
, 0)){
1006 memset(passwd
, 0, sizeof(passwd
));
1007 errx(1, "failed to read password");
1013 ret
= krb5_init_creds_set_password(context
, ctx
, passwd
);
1015 krb5_warn(context
, ret
, "krb5_init_creds_set_password");
1021 ret
= krb5_init_creds_get(context
, ctx
);
1024 if (ntlm_domain
&& passwd
[0])
1025 heim_ntlm_nt_key(passwd
, &ntlmkey
);
1027 memset_s(passwd
, sizeof(passwd
), 0, sizeof(passwd
));
1032 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
1034 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
1035 case KRB5KRB_AP_ERR_MODIFIED
:
1036 case KRB5KDC_ERR_PREAUTH_FAILED
:
1037 case KRB5_GET_IN_TKT_LOOP
:
1038 krb5_warnx(context
, N_("Password incorrect", ""));
1040 case KRB5KRB_AP_ERR_V4_REPLY
:
1041 krb5_warnx(context
, N_("Looks like a Kerberos 4 reply", ""));
1043 case KRB5KDC_ERR_KEY_EXPIRED
:
1044 krb5_warnx(context
, N_("Password expired", ""));
1047 krb5_warn(context
, ret
, "krb5_get_init_creds");
1051 krb5_process_last_request(context
, opt
, ctx
);
1053 ret
= krb5_init_creds_get_creds(context
, ctx
, &cred
);
1055 krb5_warn(context
, ret
, "krb5_init_creds_get_creds");
1059 if (ticket_life
!= 0) {
1060 if (labs(cred
.times
.endtime
- cred
.times
.starttime
- ticket_life
) > 30) {
1062 unparse_time_approx(cred
.times
.endtime
- cred
.times
.starttime
,
1063 life
, sizeof(life
));
1064 krb5_warnx(context
, N_("NOTICE: ticket lifetime is %s", ""), life
);
1068 if (labs(cred
.times
.renew_till
- cred
.times
.starttime
- renew
) > 30) {
1070 unparse_time_approx(cred
.times
.renew_till
- cred
.times
.starttime
,
1071 life
, sizeof(life
));
1073 N_("NOTICE: ticket renewable lifetime is %s", ""),
1077 krb5_free_cred_contents(context
, &cred
);
1079 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, ccache
),
1082 krb5_warn(context
, ret
, "krb5_cc_new_unique");
1086 ret
= krb5_init_creds_store(context
, ctx
, tempccache
);
1088 krb5_warn(context
, ret
, "krb5_init_creds_store");
1092 ret
= krb5_init_creds_store_config(context
, ctx
, tempccache
);
1094 krb5_warn(context
, ret
, "krb5_init_creds_store_config");
1098 ret
= krb5_init_creds_warn_user(context
, ctx
);
1100 krb5_warn(context
, ret
, "krb5_init_creds_warn_user");
1104 krb5_init_creds_free(context
, ctx
);
1107 ret
= krb5_cc_move(context
, tempccache
, ccache
);
1109 krb5_warn(context
, ret
, "krb5_cc_move");
1114 if (switch_cache_flags
)
1115 krb5_cc_switch(context
, ccache
);
1118 if (ntlm_domain
&& ntlmkey
.data
)
1119 store_ntlmkey(context
, ccache
, ntlm_domain
, &ntlmkey
);
1122 if (ok_as_delegate_flag
|| windows_flag
|| use_referrals_flag
) {
1123 unsigned char d
= 0;
1126 if (ok_as_delegate_flag
|| windows_flag
)
1128 if (use_referrals_flag
|| windows_flag
)
1134 krb5_cc_set_config(context
, ccache
, NULL
, "realm-config", &data
);
1137 if (anonymous_pkinit
) {
1140 data
.length
= strlen(principal
->realm
);
1141 data
.data
= principal
->realm
;
1143 krb5_cc_set_config(context
, ccache
, NULL
, "anon_pkinit_realm", &data
);
1149 gss_release_cred(&minor
, &gss_cred
);
1151 krb5_free_principal(context
, federated_name
);
1152 krb5_get_init_creds_opt_free(context
, opt
);
1154 krb5_init_creds_free(context
, ctx
);
1156 krb5_cc_destroy(context
, tempccache
);
1164 ticket_lifetime(krb5_context context
, krb5_ccache cache
, krb5_principal client
,
1165 const char *server
, time_t *renew
)
1167 krb5_creds in_cred
, *cred
;
1168 krb5_error_code ret
;
1172 memset(&in_cred
, 0, sizeof(in_cred
));
1177 ret
= krb5_cc_get_principal(context
, cache
, &in_cred
.client
);
1179 krb5_warn(context
, ret
, "krb5_cc_get_principal");
1183 /* Determine TGS principal without fallback */
1184 ret
= get_server(context
, cache
, in_cred
.client
, server
, FALSE
,
1187 krb5_free_principal(context
, in_cred
.client
);
1188 krb5_warn(context
, ret
, "get_server");
1192 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
,
1193 cache
, &in_cred
, &cred
);
1194 krb5_free_principal(context
, in_cred
.client
);
1195 krb5_free_principal(context
, in_cred
.server
);
1197 krb5_warn(context
, ret
, "krb5_get_credentials");
1200 curtime
= time(NULL
);
1201 timeout
= cred
->times
.endtime
- curtime
;
1205 *renew
= cred
->times
.renew_till
- curtime
;
1209 krb5_free_creds(context
, cred
);
1213 static time_t expire
;
1215 static char siginfo_msg
[1024] = "No credentials\n";
1218 update_siginfo_msg(time_t exp
, const char *srv
)
1220 /* Note that exp is relative time */
1221 memset(siginfo_msg
, 0, sizeof(siginfo_msg
));
1222 memcpy(&siginfo_msg
, "Updating...\n", sizeof("Updating...\n"));
1225 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
1226 N_("kinit: TGT expires in %llu seconds\n", ""),
1227 (unsigned long long)expire
);
1229 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
1230 N_("kinit: Ticket for %s expired\n", ""), srv
);
1237 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
1238 N_("kinit: TGT expired\n", ""));
1240 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
1241 N_("kinit: Ticket for %s expired\n", ""), srv
);
1245 #ifdef HAVE_SIGACTION
1247 handle_siginfo(int sig
)
1249 struct iovec iov
[2];
1251 iov
[0].iov_base
= rk_UNCONST(siginfo_msg
);
1252 iov
[0].iov_len
= strlen(siginfo_msg
);
1253 iov
[1].iov_base
= "\n";
1256 writev(STDERR_FILENO
, iov
, sizeof(iov
)/sizeof(iov
[0]));
1261 krb5_context context
;
1263 krb5_principal principal
;
1264 krb5_deltat ticket_life
;
1265 krb5_deltat timeout
;
1266 int anonymous_pkinit
;
1270 renew_func(void *ptr
)
1272 krb5_error_code ret
;
1273 struct renew_ctx
*ctx
= ptr
;
1274 time_t renew_expire
;
1275 static time_t exp_delay
= 1;
1278 * NOTE: We count on the ccache implementation to notice changes to the
1279 * actual ccache filesystem/whatever objects. There should be no ccache
1280 * types for which this is not the case, but it might not hurt to
1281 * re-krb5_cc_resolve() after each successful renew_validate()/
1282 * get_new_tickets() call.
1285 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
1286 server_str
, &renew_expire
);
1289 * When a keytab is available to obtain new tickets, if we are within
1290 * half of the original ticket lifetime of the renew limit, get a new
1291 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
1292 * is zero by default (without a '-l' option) and cannot be used to
1293 * set the time scale on which we decide whether we're "close to the
1296 if (use_keytab
|| keytab_str
)
1297 expire
+= ctx
->timeout
;
1298 if (renew_expire
> expire
) {
1299 ret
= renew_validate(ctx
->context
, 1, validate_flag
, &ctx
->ccache
,
1300 NULL
, FALSE
, server_str
, ctx
->ticket_life
);
1302 ret
= get_new_tickets(ctx
->context
, ctx
->principal
, ctx
->ccache
,
1303 ctx
->ticket_life
, 0, ctx
->anonymous_pkinit
);
1305 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
1306 server_str
, &renew_expire
);
1309 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1310 krb5_afslog(ctx
->context
, ctx
->ccache
, NULL
, NULL
);
1313 update_siginfo_msg(expire
, server_str
);
1316 * If our tickets have expired and we been able to either renew them
1317 * or obtain new tickets, then we still call this function but we use
1318 * an exponential backoff. This should take care of the case where
1319 * we are using stored credentials but the KDC has been unavailable
1320 * for some reason...
1325 * We can't ask to keep spamming stderr but not syslog, so we warn
1328 if (exp_delay
== 1) {
1329 krb5_warnx(ctx
->context
, N_("NOTICE: Could not renew/refresh "
1332 if (exp_delay
< 7200)
1333 exp_delay
+= exp_delay
/ 2 + 1;
1338 return expire
/ 2 + 1;
1342 set_princ_realm(krb5_context context
,
1343 krb5_principal principal
,
1346 krb5_error_code ret
;
1348 if ((ret
= krb5_principal_set_realm(context
, principal
, realm
)) != 0)
1349 krb5_err(context
, 1, ret
, "krb5_principal_set_realm");
1353 parse_name_realm(krb5_context context
,
1357 krb5_principal
*princ
)
1359 krb5_error_code ret
;
1362 flags
|= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
1363 if ((ret
= krb5_parse_name_flags(context
, name
, flags
, princ
)) != 0)
1364 krb5_err(context
, 1, ret
, "krb5_parse_name_flags");
1365 if (realm
&& krb5_principal_get_realm(context
, *princ
) == NULL
)
1366 set_princ_realm(context
, *princ
, realm
);
1370 get_default_realm(krb5_context context
)
1373 krb5_error_code ret
;
1375 if ((ret
= krb5_get_default_realm(context
, &realm
)) != 0)
1376 krb5_err(context
, 1, ret
, "krb5_get_default_realm");
1381 get_default_principal(krb5_context context
, krb5_principal
*princ
)
1383 krb5_error_code ret
;
1385 if ((ret
= krb5_get_default_principal(context
, princ
)) != 0)
1386 krb5_err(context
, 1, ret
, "krb5_get_default_principal");
1390 get_user_realm(krb5_context context
)
1392 krb5_error_code ret
;
1393 char *user_realm
= NULL
;
1396 * If memory allocation fails, we don't try to use the wrong realm,
1397 * that will trigger misleading error messages complicate support.
1399 krb5_appdefault_string(context
, "kinit", NULL
, "user_realm", "",
1401 if (user_realm
== NULL
) {
1402 ret
= krb5_enomem(context
);
1403 krb5_err(context
, 1, ret
, "krb5_appdefault_string");
1406 if (*user_realm
== 0) {
1415 get_princ(krb5_context context
,
1416 krb5_principal
*principal
,
1420 krb5_error_code ret
= 0;
1426 krb5_ccache ccache
= NULL
;
1428 /* If credential cache provides a client principal, use that. */
1430 ret
= krb5_cc_resolve(context
, ccname
, &ccache
);
1432 ret
= krb5_cc_default(context
, &ccache
);
1434 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
1435 krb5_cc_close(context
, ccache
);
1440 user_realm
= get_user_realm(context
);
1443 if (enterprise_flag
)
1444 parseflags
|= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
1446 parse_name_realm(context
, name
, parseflags
, user_realm
, &tmp
);
1448 if (user_realm
&& krb5_principal_get_num_comp(context
, tmp
) > 1) {
1449 /* Principal is instance qualified, reparse with default realm. */
1450 krb5_free_principal(context
, tmp
);
1451 parse_name_realm(context
, name
, parseflags
, NULL
, principal
);
1456 get_default_principal(context
, principal
);
1458 set_princ_realm(context
, *principal
, user_realm
);
1466 get_princ_kt(krb5_context context
,
1467 krb5_principal
*principal
,
1470 krb5_error_code ret
;
1473 krb5_kt_cursor cursor
;
1474 krb5_keytab_entry entry
;
1479 * If the credential cache exists and specifies a client principal,
1482 if (krb5_cc_default(context
, &ccache
) == 0) {
1483 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
1484 krb5_cc_close(context
, ccache
);
1491 /* If the principal specifies an explicit realm, just use that. */
1492 int parseflags
= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
1494 parse_name_realm(context
, name
, parseflags
, NULL
, &tmp
);
1495 if (krb5_principal_get_realm(context
, tmp
) != NULL
) {
1500 /* Otherwise, search keytab for bare name of the default principal. */
1501 get_default_principal(context
, &tmp
);
1502 set_princ_realm(context
, tmp
, NULL
);
1505 def_realm
= get_default_realm(context
);
1507 ret
= krb5_kt_start_seq_get(context
, kt
, &cursor
);
1509 krb5_err(context
, 1, ret
, "krb5_kt_start_seq_get");
1512 krb5_kt_next_entry(context
, kt
, &entry
, &cursor
) == 0) {
1515 if (!krb5_principal_compare_any_realm(context
, tmp
, entry
.principal
))
1518 krb5_principal_compare(context
, *principal
, entry
.principal
))
1520 /* The default realm takes precedence */
1521 realm
= krb5_principal_get_realm(context
, entry
.principal
);
1522 if (*principal
&& strcmp(def_realm
, realm
) == 0) {
1523 krb5_free_principal(context
, *principal
);
1524 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1528 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1530 if (ret
!= 0 || (ret
= krb5_kt_end_seq_get(context
, kt
, &cursor
)) != 0)
1531 krb5_err(context
, 1, ret
, "get_princ_kt");
1534 parse_name_realm(context
, name
, 0, NULL
, principal
);
1536 krb5_err(context
, 1, KRB5_CC_NOTFOUND
, "get_princ_kt");
1539 krb5_free_principal(context
, tmp
);
1543 static krb5_error_code
1544 get_switched_ccache(krb5_context context
,
1546 krb5_principal principal
,
1547 krb5_ccache
*ccache
)
1549 krb5_error_code ret
;
1552 if (strcmp(type
, "API") == 0) {
1554 * Windows stores the default ccache name in the
1555 * registry which is shared across multiple logon
1556 * sessions for the same user. The API credential
1557 * cache provides a unique name space per logon
1558 * session. Therefore there is no need to generate
1559 * a unique ccache name. Instead use the principal
1560 * name. This provides a friendlier user experience.
1562 char * unparsed_name
;
1565 ret
= krb5_unparse_name(context
, principal
,
1568 krb5_err(context
, 1, ret
,
1569 N_("unparsing principal name", ""));
1571 ret
= asprintf(&cred_cache
, "API:%s", unparsed_name
);
1572 krb5_free_unparsed_name(context
, unparsed_name
);
1573 if (ret
== -1 || cred_cache
== NULL
)
1574 krb5_err(context
, 1, ret
,
1575 N_("building credential cache name", ""));
1577 ret
= krb5_cc_resolve(context
, cred_cache
, ccache
);
1579 } else if (strcmp(type
, "MSLSA") == 0) {
1581 * The Windows MSLSA cache when it is writeable
1582 * stores tickets for multiple client principals
1583 * in a single credential cache.
1585 ret
= krb5_cc_resolve(context
, "MSLSA:", ccache
);
1587 ret
= krb5_cc_new_unique(context
, type
, NULL
, ccache
);
1590 ret
= krb5_cc_new_unique(context
, type
, NULL
, ccache
);
1597 main(int argc
, char **argv
)
1599 krb5_error_code ret
;
1600 krb5_context context
;
1602 krb5_principal principal
= NULL
;
1604 krb5_deltat ticket_life
= 0;
1605 #ifdef HAVE_SIGACTION
1606 struct sigaction sa
;
1608 krb5_boolean unique_ccache
= FALSE
;
1609 krb5_boolean historical_anon_pkinit
= FALSE
;
1610 int anonymous_pkinit
= FALSE
;
1612 setprogname(argv
[0]);
1614 setlocale(LC_ALL
, "");
1615 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR
);
1616 textdomain("heimdal_kuser");
1618 ret
= krb5_init_context(&context
);
1619 if (ret
== KRB5_CONFIG_BADFORMAT
)
1620 errx(1, "krb5_init_context failed to parse configuration file");
1622 errx(1, "krb5_init_context failed: %d", ret
);
1624 if (getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
1631 print_version(NULL
);
1638 krb5_appdefault_boolean(context
, "kinit", NULL
, "historical_anon_pkinit",
1639 FALSE
, &historical_anon_pkinit
);
1642 * Open the keytab now, we use the keytab to determine the principal's
1643 * realm when the requested principal has no realm.
1645 if (use_keytab
|| keytab_str
) {
1647 ret
= krb5_kt_resolve(context
, keytab_str
, &kt
);
1649 ret
= krb5_kt_default(context
, &kt
);
1651 krb5_err(context
, 1, ret
, "resolving keytab");
1654 if (pk_enterprise_flag
) {
1655 ret
= krb5_pk_enterprise_cert(context
, pk_user_id
,
1656 argv
[0], &principal
,
1659 krb5_err(context
, 1, ret
, "krb5_pk_enterprise_certs");
1662 } else if (argc
&& argv
[0][0] == '@' &&
1663 (gss_preauth_mech
|| anonymous_flag
)) {
1664 const char *instance
;
1666 if (gss_preauth_mech
) {
1667 instance
= KRB5_FEDERATED_NAME
;
1668 } else if (anonymous_flag
) {
1669 instance
= KRB5_ANON_NAME
;
1670 anonymous_pkinit
= TRUE
;
1673 ret
= make_wellknown_name(context
, &argv
[0][1], instance
, &principal
);
1675 krb5_err(context
, 1, ret
, "make_wellknown_name");
1676 } else if (anonymous_flag
&& historical_anon_pkinit
) {
1677 char *realm
= argc
== 0 ? get_default_realm(context
) :
1678 argv
[0][0] == '@' ? &argv
[0][1] : argv
[0];
1680 ret
= krb5_make_principal(context
, &principal
, realm
,
1681 KRB5_WELLKNOWN_NAME
, KRB5_ANON_NAME
, NULL
);
1683 krb5_err(context
, 1, ret
, "krb5_make_principal");
1684 krb5_principal_set_type(context
, principal
, KRB5_NT_WELLKNOWN
);
1685 anonymous_pkinit
= TRUE
;
1686 } else if (use_keytab
|| keytab_str
) {
1687 get_princ_kt(context
, &principal
, argv
[0]);
1688 } else if (gss_preauth_mech
&& argc
== 0 && gss_preauth_name
== NULL
) {
1690 * Use the federated name as a placeholder if we have neither a Kerberos
1691 * nor a GSS-API client name, and we are performing GSS-API preauth.
1693 ret
= make_wellknown_name(context
, get_default_realm(context
),
1694 KRB5_FEDERATED_NAME
, &principal
);
1696 krb5_err(context
, 1, ret
, "make_wellknown_name");
1698 get_princ(context
, &principal
, cred_cache
, argv
[0]);
1702 krb5_set_fcache_version(context
, fcache_version
);
1704 if (renewable_flag
== -1)
1705 /* this seems somewhat pointless, but whatever */
1706 krb5_appdefault_boolean(context
, "kinit",
1707 krb5_principal_get_realm(context
, principal
),
1708 "renewable", FALSE
, &renewable_flag
);
1709 if (do_afslog
== -1)
1710 krb5_appdefault_boolean(context
, "kinit",
1711 krb5_principal_get_realm(context
, principal
),
1712 "afslog", TRUE
, &do_afslog
);
1717 * - use the given ccache
1718 * - use a new unique ccache for running a command with (in this case we
1719 * get to set KRB5CCNAME, so a new unique ccache makes sense)
1720 * - use the default ccache for the given principal as requested and do
1721 * not later switch the collection's default/primary to it
1722 * - use the default cache, possibly a new unique one that later gets
1725 * The important thing is that, except for the case where we're running a
1726 * command, we _can't set KRB5CCNAME_, and we can't expect the user to read
1727 * our output and figure out to set it (we could have an output-for-shell-
1728 * eval mode, like ssh-agent and such, but we don't). Therefore, in all
1729 * cases where we can't set KRB5CCNAME we must do something that makes
1730 * sense to the user, and that is to either initialize a given ccache, use
1731 * the default, or use a subsidiary ccache named after the principal whose
1732 * creds we're initializing.
1735 /* Use the given ccache */
1736 ret
= krb5_cc_resolve(context
, cred_cache
, &ccache
);
1737 } else if (argc
> 1) {
1741 * A command was given, so use a new unique ccache (and destroy it
1744 ret
= krb5_cc_new_unique(context
, NULL
, NULL
, &ccache
);
1746 krb5_err(context
, 1, ret
, "creating cred cache");
1747 snprintf(s
, sizeof(s
), "%s:%s",
1748 krb5_cc_get_type(context
, ccache
),
1749 krb5_cc_get_name(context
, ccache
));
1750 setenv("KRB5CCNAME", s
, 1);
1751 unique_ccache
= TRUE
;
1752 switch_cache_flags
= 0;
1753 } else if (default_for
) {
1754 ret
= krb5_cc_default_for(context
, principal
, &ccache
);
1755 if (switch_cache_flags
== -1)
1756 switch_cache_flags
= 0;
1758 ret
= krb5_cc_cache_match(context
, principal
, &ccache
);
1761 ret
= krb5_cc_default(context
, &ccache
);
1763 krb5_err(context
, 1, ret
,
1764 N_("resolving credentials cache", ""));
1767 * Check if the type support switching, and we do,
1768 * then do that instead over overwriting the current
1769 * default credential
1771 type
= krb5_cc_get_type(context
, ccache
);
1772 if (krb5_cc_support_switch(context
, type
) &&
1773 strcmp(type
, "FILE")) {
1774 krb5_cc_close(context
, ccache
);
1775 ret
= get_switched_ccache(context
, type
, principal
,
1778 unique_ccache
= TRUE
;
1783 krb5_err(context
, 1, ret
, N_("resolving credentials cache", ""));
1786 if (argc
> 1 && k_hasafs())
1791 int tmp
= parse_time(lifetime
, "s");
1793 errx(1, N_("unparsable time: %s", ""), lifetime
);
1798 if (addrs_flag
== 0 && extra_addresses
.num_strings
> 0)
1799 krb5_errx(context
, 1,
1800 N_("specifying both extra addresses and "
1801 "no addresses makes no sense", ""));
1804 krb5_addresses addresses
;
1805 memset(&addresses
, 0, sizeof(addresses
));
1806 for(i
= 0; i
< extra_addresses
.num_strings
; i
++) {
1807 ret
= krb5_parse_address(context
, extra_addresses
.strings
[i
],
1810 krb5_add_extra_addresses(context
, &addresses
);
1811 krb5_free_addresses(context
, &addresses
);
1814 free_getarg_strings(&extra_addresses
);
1817 if (renew_flag
|| validate_flag
) {
1818 ret
= renew_validate(context
, renew_flag
, validate_flag
,
1820 default_for
? TRUE
: FALSE
, server_str
,
1824 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1825 krb5_afslog(context
, ccache
, NULL
, NULL
);
1829 krb5_cc_destroy(context
, ccache
);
1833 ret
= get_new_tickets(context
, principal
, ccache
, ticket_life
,
1834 1, anonymous_pkinit
);
1837 krb5_cc_destroy(context
, ccache
);
1842 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1843 krb5_afslog(context
, ccache
, NULL
, NULL
);
1847 struct renew_ctx ctx
;
1850 timeout
= ticket_lifetime(context
, ccache
, principal
,
1851 server_str
, NULL
) / 2;
1853 ctx
.context
= context
;
1854 ctx
.ccache
= ccache
;
1855 ctx
.principal
= principal
;
1856 ctx
.ticket_life
= ticket_life
;
1857 ctx
.timeout
= timeout
;
1858 ctx
.anonymous_pkinit
= anonymous_pkinit
;
1860 #ifdef HAVE_SIGACTION
1861 memset(&sa
, 0, sizeof(sa
));
1862 sigemptyset(&sa
.sa_mask
);
1863 sa
.sa_handler
= handle_siginfo
;
1865 sigaction(SIGINFO
, &sa
, NULL
);
1868 ret
= simple_execvp_timed(argv
[1], argv
+1,
1869 renew_func
, &ctx
, timeout
);
1870 #define EX_NOEXEC 126
1871 #define EX_NOTFOUND 127
1872 if (ret
== EX_NOEXEC
)
1873 krb5_warnx(context
, N_("permission denied: %s", ""), argv
[1]);
1874 else if (ret
== EX_NOTFOUND
)
1875 krb5_warnx(context
, N_("command not found: %s", ""), argv
[1]);
1877 krb5_cc_destroy(context
, ccache
);
1883 krb5_cc_close(context
, ccache
);
1886 krb5_free_principal(context
, principal
);
1888 krb5_kt_close(context
, kt
);
1889 krb5_free_context(context
);