search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
hdb: add no-auth-data-reqd flag to HDB entry
[heimdal.git] / kuser / kinit.c
blob0b22e715095040718c3b8f2fc0db00e156d0cbe8
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37
38 #ifdef HAVE_FRAMEWORK_SECURITY
39 #include <Security/Security.h>
40 #endif
41
42 #ifndef NO_NTLM
43 #include "heimntlm.h"
44 #endif
45
46 #ifndef SIGINFO
47 #define SIGINFO SIGUSR1
48 #endif
49
50 int forwardable_flag = -1;
51 int proxiable_flag = -1;
52 int renewable_flag = -1;
53 int renew_flag = 0;
54 int pac_flag = -1;
55 int validate_flag = 0;
56 int version_flag = 0;
57 int help_flag = 0;
58 int addrs_flag = -1;
59 struct getarg_strings extra_addresses;
60 int anonymous_flag = 0;
61 char *lifetime = NULL;
62 char *renew_life = NULL;
63 char *server_str = NULL;
64 static krb5_principal tgs_service;
65 char *cred_cache = NULL;
66 char *start_str = NULL;
67 static int default_for = 0;
68 static int switch_cache_flags = -1;
69 struct getarg_strings etype_str;
70 int use_keytab = 0;
71 char *keytab_str = NULL;
72 static krb5_keytab kt = NULL;
73 int do_afslog = -1;
74 int fcache_version;
75 char *password_file = NULL;
76 char *pk_user_id = NULL;
77 int pk_enterprise_flag = 0;
78 struct hx509_certs_data *ent_user_id = NULL;
79 char *pk_x509_anchors = NULL;
80 int pk_use_enckey = 0;
81 int pk_anon_fast_armor = 0;
82 char *gss_preauth_mech = NULL;
83 char *gss_preauth_name = NULL;
84 char *kdc_hostname = NULL;
85 static int canonicalize_flag = 0;
86 static int enterprise_flag = 0;
87 static int ok_as_delegate_flag = 0;
88 static char *fast_armor_cache_string = NULL;
89 static int use_referrals_flag = 0;
90 static int windows_flag = 0;
91 #ifndef NO_NTLM
92 static char *ntlm_domain;
93 #endif
94
95
96 static struct getargs args[] = {
97 /*
98 * used by MIT
99 * a: ~A
100 * V: verbose
101 * F: ~f
102 * P: ~p
103 * C: v4 cache name?
104 * 5:
105 *
106 * old flags
107 * 4:
108 * 9:
109 */
110 { "afslog", 0 , arg_flag, &do_afslog,
111 NP_("obtain afs tokens", ""), NULL },
112
113 { "cache", 'c', arg_string, &cred_cache,
114 NP_("credentials cache", ""), "cachename" },
115
116 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
117 NP_("get tickets not forwardable", ""), NULL },
118
119 { NULL, 'f', arg_flag, &forwardable_flag,
120 NP_("get forwardable tickets", ""), NULL },
121
122 { "keytab", 't', arg_string, &keytab_str,
123 NP_("keytab to use", ""), "keytabname" },
124
125 { "lifetime", 'l', arg_string, &lifetime,
126 NP_("lifetime of tickets", ""), "time" },
127
128 { "proxiable", 'p', arg_flag, &proxiable_flag,
129 NP_("get proxiable tickets", ""), NULL },
130
131 { "renew", 'R', arg_flag, &renew_flag,
132 NP_("renew TGT", ""), NULL },
133
134 { "renewable", 0, arg_flag, &renewable_flag,
135 NP_("get renewable tickets", ""), NULL },
136
137 { "renewable-life", 'r', arg_string, &renew_life,
138 NP_("renewable lifetime of tickets", ""), "time" },
139
140 { "server", 'S', arg_string, &server_str,
141 NP_("server to get ticket for", ""), "principal" },
142
143 { "start-time", 's', arg_string, &start_str,
144 NP_("when ticket gets valid", ""), "time" },
145
146 { "use-keytab", 'k', arg_flag, &use_keytab,
147 NP_("get key from keytab", ""), NULL },
148
149 { "validate", 'v', arg_flag, &validate_flag,
150 NP_("validate TGT", ""), NULL },
151
152 { "enctypes", 'e', arg_strings, &etype_str,
153 NP_("encryption types to use", ""), "enctypes" },
154
155 { "fcache-version", 0, arg_integer, &fcache_version,
156 NP_("file cache version to create", ""), NULL },
157
158 { "addresses", 'A', arg_negative_flag, &addrs_flag,
159 NP_("request a ticket with no addresses", ""), NULL },
160
161 { "extra-addresses",'a', arg_strings, &extra_addresses,
162 NP_("include these extra addresses", ""), "addresses" },
163
164 { "anonymous", 'n', arg_flag, &anonymous_flag,
165 NP_("request an anonymous ticket", ""), NULL },
166
167 { "request-pac", 0, arg_flag, &pac_flag,
168 NP_("request a Windows PAC", ""), NULL },
169
170 { "password-file", 0, arg_string, &password_file,
171 NP_("read the password from a file", ""), NULL },
172
173 { "canonicalize",0, arg_flag, &canonicalize_flag,
174 NP_("canonicalize client principal", ""), NULL },
175
176 { "enterprise",0, arg_flag, &enterprise_flag,
177 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
178 #ifdef PKINIT
179 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
180 NP_("use enterprise name from certificate", ""), NULL },
181
182 { "pk-user", 'C', arg_string, &pk_user_id,
183 NP_("principal's public/private/certificate identifier", ""), "id" },
184
185 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
186 NP_("directory with CA certificates", ""), "directory" },
187
188 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
189 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
190
191 { "pk-anon-fast-armor", 0, arg_flag, &pk_anon_fast_armor,
192 NP_("use unauthenticated anonymous PKINIT as FAST armor", ""), NULL },
193 #endif
194
195 { "gss-mech", 0, arg_string, &gss_preauth_mech,
196 NP_("use GSS mechanism for pre-authentication", ""), NULL },
197
198 { "gss-name", 0, arg_string, &gss_preauth_name,
199 NP_("use distinct GSS identity for pre-authentication", ""), NULL },
200
201 { "kdc-hostname", 0, arg_string, &kdc_hostname,
202 NP_("KDC host name", ""), "hostname" },
203
204 #ifndef NO_NTLM
205 { "ntlm-domain", 0, arg_string, &ntlm_domain,
206 NP_("NTLM domain", ""), "domain" },
207 #endif
208
209 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
210 NP_("switch the default cache to the new credentials cache", ""), NULL },
211
212 { "default-for-principal", 0, arg_flag, &default_for,
213 NP_("Use a default cache appropriate for the client principal", ""), NULL },
214
215 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
216 NP_("honor ok-as-delegate on tickets", ""), NULL },
217
218 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
219 NP_("use this credential cache as FAST armor cache", ""), "cache" },
220
221 { "use-referrals", 0, arg_flag, &use_referrals_flag,
222 NP_("only use referrals, no dns canalisation", ""), NULL },
223
224 { "windows", 0, arg_flag, &windows_flag,
225 NP_("get windows behavior", ""), NULL },
226
227 { "version", 0, arg_flag, &version_flag, NULL, NULL },
228 { "help", 0, arg_flag, &help_flag, NULL, NULL }
229 };
230
231 static char *
232 get_default_realm(krb5_context context);
233
234 static void
235 usage(int ret)
236 {
237 arg_printusage_i18n(args, sizeof(args)/sizeof(*args), N_("Usage: ", ""),
238 NULL, "[principal [command]]", getarg_i18n);
239 exit(ret);
240 }
241
242 static krb5_error_code
243 tgs_principal(krb5_context context,
244 krb5_ccache cache,
245 krb5_principal client,
246 krb5_const_realm tgs_realm,
247 krb5_principal *out_princ)
248 {
249 krb5_error_code ret;
250 krb5_principal tgs_princ;
251 krb5_creds creds;
252 krb5_creds *tick;
253 krb5_flags options;
254
255 ret = krb5_make_principal(context, &tgs_princ, tgs_realm,
256 KRB5_TGS_NAME, tgs_realm, NULL);
257 if (ret)
258 return ret;
259
260 /*
261 * Don't fail-over to a different realm just because a TGT expired
262 */
263 options = KRB5_GC_CACHED | KRB5_GC_EXPIRED_OK;
264
265 memset(&creds, 0, sizeof(creds));
266 creds.client = client;
267 creds.server = tgs_princ;
268 ret = krb5_get_credentials(context, options, cache, &creds, &tick);
269 if (ret == 0) {
270 krb5_free_creds(context, tick);
271 *out_princ = tgs_princ;
272 } else {
273 krb5_free_principal(context, tgs_princ);
274 }
275
276 return ret;
277 }
278
279
280 /*
281 * Try TGS specified with '-S',
282 * then TGS of client realm,
283 * then if fallback is FALSE: fail,
284 * otherwise try TGS of default realm,
285 * and finally first TGT in ccache.
286 */
287 static krb5_error_code
288 get_server(krb5_context context,
289 krb5_ccache cache,
290 krb5_principal client,
291 const char *server,
292 krb5_boolean fallback,
293 krb5_principal *princ)
294 {
295 krb5_error_code ret = 0;
296 krb5_const_realm realm;
297 krb5_realm def_realm;
298 krb5_cc_cursor cursor;
299 krb5_creds creds;
300 const char *pcomp;
301
302 if (tgs_service)
303 goto done;
304
305 if (server) {
306 ret = krb5_parse_name(context, server, &tgs_service);
307 goto done;
308 }
309
310 /* Try the client realm first */
311 realm = krb5_principal_get_realm(context, client);
312 ret = tgs_principal(context, cache, client, realm, &tgs_service);
313 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
314 goto done;
315
316 if (!fallback)
317 return ret;
318
319 /* Next try the default realm */
320 ret = krb5_get_default_realm(context, &def_realm);
321 if (ret)
322 return ret;
323 ret = tgs_principal(context, cache, client, def_realm, &tgs_service);
324 free(def_realm);
325 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
326 goto done;
327
328 /* Finally try the first TGT with instance == realm in the cache */
329 ret = krb5_cc_start_seq_get(context, cache, &cursor);
330 if (ret)
331 return ret;
332
333 for (/**/; ret == 0; krb5_free_cred_contents (context, &creds)) {
334
335 ret = krb5_cc_next_cred(context, cache, &cursor, &creds);
336 if (ret)
337 break;
338 if (creds.server->name.name_string.len != 2)
339 continue;
340 pcomp = krb5_principal_get_comp_string(context, creds.server, 0);
341 if (strcmp(pcomp, KRB5_TGS_NAME) != 0)
342 continue;
343 realm = krb5_principal_get_realm(context, creds.server);
344 pcomp = krb5_principal_get_comp_string(context, creds.server, 1);
345 if (strcmp(realm, pcomp) != 0)
346 continue;
347 ret = krb5_copy_principal(context, creds.server, &tgs_service);
348 break;
349 }
350 if (ret == KRB5_CC_END) {
351 ret = KRB5_CC_NOTFOUND;
352 krb5_set_error_message(context, ret,
353 N_("Credential cache contains no TGTs", ""));
354 }
355 krb5_cc_end_seq_get(context, cache, &cursor);
356
357 done:
358 if (!ret)
359 ret = krb5_copy_principal(context, tgs_service, princ);
360 return ret;
361 }
362
363 static krb5_error_code
364 copy_configs(krb5_context context,
365 krb5_ccache dst,
366 krb5_ccache src,
367 krb5_principal start_ticket_server)
368 {
369 krb5_error_code ret;
370 const char *cfg_names[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL};
371 const char *cfg_names_w_pname[] = {"fast_avail", NULL};
372 krb5_data cfg_data;
373 size_t i;
374
375 for (i = 0; cfg_names[i]; i++) {
376 ret = krb5_cc_get_config(context, src, NULL, cfg_names[i], &cfg_data);
377 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
378 continue;
379 } else if (ret) {
380 krb5_warn(context, ret, "krb5_cc_get_config");
381 return ret;
382 }
383 ret = krb5_cc_set_config(context, dst, NULL, cfg_names[i], &cfg_data);
384 if (ret)
385 krb5_warn(context, ret, "krb5_cc_set_config");
386 }
387 for (i = 0; start_ticket_server && cfg_names_w_pname[i]; i++) {
388 ret = krb5_cc_get_config(context, src, start_ticket_server,
389 cfg_names_w_pname[i], &cfg_data);
390 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
391 continue;
392 } else if (ret) {
393 krb5_warn(context, ret, "krb5_cc_get_config");
394 return ret;
395 }
396 ret = krb5_cc_set_config(context, dst, start_ticket_server,
397 cfg_names_w_pname[i], &cfg_data);
398 if (ret && ret != KRB5_CC_NOTFOUND)
399 krb5_warn(context, ret, "krb5_cc_set_config");
400 }
401 /*
402 * We don't copy cc configs for any other principals though (mostly
403 * those are per-target time offsets and the like, so it's bad to
404 * lose them, but hardly the end of the world, and as they may not
405 * expire anyways, it's good to let them go).
406 */
407 return 0;
408 }
409
410 static krb5_error_code
411 get_anon_pkinit_tgs_name(krb5_context context,
412 krb5_ccache ccache,
413 krb5_principal *tgs_name)
414 {
415 krb5_error_code ret;
416 krb5_data data;
417 char *realm;
418
419 ret = krb5_cc_get_config(context, ccache, NULL, "anon_pkinit_realm", &data);
420 if (ret == 0)
421 realm = strndup(data.data, data.length);
422 else
423 realm = get_default_realm(context);
424
425 krb5_data_free(&data);
426
427 if (realm == NULL)
428 return krb5_enomem(context);
429
430 ret = krb5_make_principal(context, tgs_name, realm,
431 KRB5_TGS_NAME, realm, NULL);
432
433 free(realm);
434
435 return ret;
436 }
437
438 static krb5_error_code
439 renew_validate(krb5_context context,
440 int renew,
441 int validate,
442 krb5_ccache *cachep,
443 krb5_const_principal principal,
444 krb5_boolean cache_is_default_for,
445 const char *server,
446 krb5_deltat life)
447 {
448 krb5_error_code ret;
449 krb5_ccache tempccache = NULL;
450 krb5_ccache cache = *cachep;
451 krb5_creds in, *out = NULL;
452 krb5_kdc_flags flags;
453
454 memset(&in, 0, sizeof(in));
455
456 ret = krb5_cc_get_principal(context, cache, &in.client);
457 if (ret && cache_is_default_for && principal) {
458 krb5_error_code ret2;
459 krb5_ccache def_ccache = NULL;
460
461 ret2 = krb5_cc_default(context, &def_ccache);
462 if (ret2 == 0)
463 ret2 = krb5_cc_get_principal(context, def_ccache, &in.client);
464 if (ret2 == 0 &&
465 krb5_principal_compare(context, principal, in.client)) {
466 krb5_cc_close(context, *cachep);
467 cache = *cachep = def_ccache;
468 def_ccache = NULL;
469 ret = 0;
470 }
471 krb5_cc_close(context, def_ccache);
472 }
473 if (ret) {
474 krb5_warn(context, ret, "krb5_cc_get_principal");
475 return ret;
476 }
477
478 if (principal && !krb5_principal_compare(context, principal, in.client)) {
479 char *ccname = NULL;
480
481 (void) krb5_cc_get_full_name(context, cache, &ccname);
482 krb5_errx(context, 1, "Credentials in cache %s do not match requested "
483 "principal", ccname ? ccname : "requested");
484 free(ccname);
485 }
486
487 if (server == NULL &&
488 krb5_principal_is_anonymous(context, in.client,
489 KRB5_ANON_MATCH_UNAUTHENTICATED))
490 ret = get_anon_pkinit_tgs_name(context, cache, &in.server);
491 else
492 ret = get_server(context, cache, in.client, server, TRUE, &in.server);
493 if (ret) {
494 krb5_warn(context, ret, "get_server");
495 goto out;
496 }
497
498 if (renew) {
499 /*
500 * no need to check the error here, it's only to be
501 * friendly to the user
502 */
503 krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
504 }
505
506 flags.i = 0;
507 flags.b.renewable = flags.b.renew = renew;
508 flags.b.validate = validate;
509
510 if (forwardable_flag != -1)
511 flags.b.forwardable = forwardable_flag;
512 else if (out)
513 flags.b.forwardable = out->flags.b.forwardable;
514
515 if (proxiable_flag != -1)
516 flags.b.proxiable = proxiable_flag;
517 else if (out)
518 flags.b.proxiable = out->flags.b.proxiable;
519
520 if (anonymous_flag)
521 flags.b.request_anonymous = anonymous_flag;
522 if (life)
523 in.times.endtime = time(NULL) + life;
524
525 if (out) {
526 krb5_free_creds(context, out);
527 out = NULL;
528 }
529
530
531 ret = krb5_get_kdc_cred(context,
532 cache,
533 flags,
534 NULL,
535 NULL,
536 &in,
537 &out);
538 if (ret) {
539 krb5_warn(context, ret, "krb5_get_kdc_cred");
540 goto out;
541 }
542
543 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, cache),
544 NULL, &tempccache);
545 if (ret) {
546 krb5_warn(context, ret, "krb5_cc_new_unique");
547 goto out;
548 }
549
550 ret = krb5_cc_initialize(context, tempccache, in.client);
551 if (ret) {
552 krb5_warn(context, ret, "krb5_cc_initialize");
553 goto out;
554 }
555
556 ret = krb5_cc_store_cred(context, tempccache, out);
557 if (ret) {
558 krb5_warn(context, ret, "krb5_cc_store_cred");
559 goto out;
560 }
561
562 /*
563 * We want to preserve cc configs as some are security-relevant, and
564 * anyways it's the friendly thing to do.
565 */
566 ret = copy_configs(context, tempccache, cache, out->server);
567 if (ret)
568 goto out;
569
570 ret = krb5_cc_move(context, tempccache, cache);
571 if (ret) {
572 krb5_warn(context, ret, "krb5_cc_move");
573 goto out;
574 }
575 tempccache = NULL;
576
577 out:
578 if (tempccache)
579 krb5_cc_destroy(context, tempccache);
580 if (out)
581 krb5_free_creds(context, out);
582 krb5_free_cred_contents(context, &in);
583 return ret;
584 }
585
586 static krb5_error_code
587 make_wellknown_name(krb5_context context,
588 krb5_const_realm realm,
589 const char *instance,
590 krb5_principal *principal)
591 {
592 krb5_error_code ret;
593
594 ret = krb5_make_principal(context, principal, realm,
595 KRB5_WELLKNOWN_NAME, instance, NULL);
596 if (ret == 0)
597 krb5_principal_set_type(context, *principal, KRB5_NT_WELLKNOWN);
598
599 return ret;
600 }
601
602 static krb5_error_code
603 acquire_gss_cred(krb5_context context,
604 krb5_const_principal client,
605 krb5_deltat life,
606 const char *passwd,
607 gss_cred_id_t *cred,
608 gss_OID *mech)
609 {
610 krb5_error_code ret;
611 OM_uint32 major, minor;
612 gss_name_t name = GSS_C_NO_NAME;
613 gss_key_value_element_desc cred_element;
614 gss_key_value_set_desc cred_store;
615 gss_OID_set_desc mechs;
616
617 *cred = GSS_C_NO_CREDENTIAL;
618 *mech = GSS_C_NO_OID;
619
620 if (gss_preauth_mech) {
621 *mech = gss_name_to_oid(gss_preauth_mech);
622 if (*mech == GSS_C_NO_OID)
623 return EINVAL;
624 }
625
626 if (gss_preauth_name) {
627 gss_buffer_desc buf;
628
629 buf.value = gss_preauth_name;
630 buf.length = strlen(gss_preauth_name);
631
632 major = gss_import_name(&minor, &buf, GSS_C_NT_USER_NAME, &name);
633 ret = _krb5_gss_map_error(major, minor);
634 } else if (!krb5_principal_is_federated(context, client)) {
635 ret = _krb5_gss_pa_unparse_name(context, client, &name);
636 } else {
637 /*
638 * WELLKNOWN/FEDERATED is used a placeholder where the user
639 * did not specify either a Kerberos credential or a GSS-API
640 * initiator name. It avoids the expense of acquiring a default
641 * credential purely to interrogate the credential name.
642 */
643 name = GSS_C_NO_NAME;
644 ret = 0;
645 }
646 if (ret)
647 goto out;
648
649 cred_store.count = 1;
650 cred_store.elements = &cred_element;
651
652 if (passwd && passwd[0]) {
653 cred_element.key = "password";
654 cred_element.value = passwd;
655 } else if (keytab_str) {
656 cred_element.key = "client_keytab",
657 cred_element.value = keytab_str;
658 } else {
659 cred_store.count = 0;
660 }
661
662 if (*mech) {
663 mechs.count = 1;
664 mechs.elements = (gss_OID)*mech;
665 }
666
667 major = gss_acquire_cred_from(&minor,
668 name,
669 life ? life : GSS_C_INDEFINITE,
670 *mech ? &mechs : GSS_C_NO_OID_SET,
671 GSS_C_INITIATE,
672 &cred_store,
673 cred,
674 NULL,
675 NULL);
676 if (major != GSS_S_COMPLETE) {
677 ret = _krb5_gss_map_error(major, minor);
678 goto out;
679 }
680
681 out:
682 gss_release_name(&minor, &name);
683 return ret;
684 }
685
686 #ifndef NO_NTLM
687
688 static krb5_error_code
689 store_ntlmkey(krb5_context context, krb5_ccache id,
690 const char *domain, struct ntlm_buf *buf)
691 {
692 krb5_error_code ret;
693 krb5_data data;
694 char *name;
695 int aret;
696
697 ret = krb5_cc_get_config(context, id, NULL, "default-ntlm-domain", &data);
698 if (ret == 0) {
699 krb5_data_free(&data);
700 } else {
701 data.length = strlen(domain);
702 data.data = rk_UNCONST(domain);
703 ret = krb5_cc_set_config(context, id, NULL, "default-ntlm-domain", &data);
704 if (ret != 0)
705 return ret;
706 }
707
708 aret = asprintf(&name, "ntlm-key-%s", domain);
709 if (aret == -1 || name == NULL)
710 return krb5_enomem(context);
711
712 data.length = buf->length;
713 data.data = buf->data;
714
715 ret = krb5_cc_set_config(context, id, NULL, name, &data);
716 free(name);
717 return ret;
718 }
719 #endif
720
721 static krb5_error_code
722 get_new_tickets(krb5_context context,
723 krb5_principal principal,
724 krb5_ccache ccache,
725 krb5_deltat ticket_life,
726 int interactive,
727 int anonymous_pkinit)
728 {
729 krb5_error_code ret;
730 krb5_creds cred;
731 char passwd[256];
732 krb5_deltat start_time = 0;
733 krb5_deltat renew = 0;
734 const char *renewstr = NULL;
735 krb5_enctype *enctype = NULL;
736 krb5_ccache tempccache = NULL;
737 krb5_init_creds_context ctx = NULL;
738 krb5_get_init_creds_opt *opt = NULL;
739 krb5_prompter_fct prompter = krb5_prompter_posix;
740 gss_cred_id_t gss_cred = GSS_C_NO_CREDENTIAL;
741 gss_OID gss_mech = GSS_C_NO_OID;
742 krb5_principal federated_name = NULL;
743
744 #ifndef NO_NTLM
745 struct ntlm_buf ntlmkey;
746 memset(&ntlmkey, 0, sizeof(ntlmkey));
747 #endif
748 passwd[0] = '\0';
749
750 if (!interactive)
751 prompter = NULL;
752
753 if (password_file) {
754 FILE *f;
755
756 if (strcasecmp("STDIN", password_file) == 0)
757 f = stdin;
758 else
759 f = fopen(password_file, "r");
760 if (f == NULL) {
761 krb5_warnx(context, N_("Failed to open the password file %s", ""),
762 password_file);
763 return errno;
764 }
765
766 if (fgets(passwd, sizeof(passwd), f) == NULL) {
767 krb5_warnx(context, N_("Failed to read password from file %s", ""),
768 password_file);
769 if (f != stdin)
770 fclose(f);
771 return EINVAL; /* XXX Need a better error */
772 }
773 if (f != stdin)
774 fclose(f);
775 passwd[strcspn(passwd, "\n")] = '\0';
776 }
777
778 #ifdef HAVE_FRAMEWORK_SECURITY
779 if (passwd[0] == '\0') {
780 const char *realm;
781 OSStatus osret;
782 UInt32 length;
783 void *buffer;
784 char *name;
785
786 realm = krb5_principal_get_realm(context, principal);
787
788 ret = krb5_unparse_name_flags(context, principal,
789 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
790 if (ret)
791 goto nopassword;
792
793 osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
794 strlen(name), name,
795 &length, &buffer, NULL);
796 free(name);
797 if (osret == noErr && length < sizeof(passwd) - 1) {
798 memcpy(passwd, buffer, length);
799 passwd[length] = '\0';
800 }
801 nopassword:
802 do { } while(0);
803 }
804 #endif
805
806 memset(&cred, 0, sizeof(cred));
807
808 ret = krb5_get_init_creds_opt_alloc(context, &opt);
809 if (ret) {
810 krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
811 goto out;
812 }
813
814 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
815 krb5_principal_get_realm(context, principal), opt);
816
817 if (forwardable_flag != -1)
818 krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
819 if (proxiable_flag != -1)
820 krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
821 if (anonymous_flag)
822 krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
823 if (pac_flag != -1)
824 krb5_get_init_creds_opt_set_pac_request(context, opt,
825 pac_flag ? TRUE : FALSE);
826 if (canonicalize_flag)
827 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
828 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
829 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
830 if (pk_user_id || ent_user_id || anonymous_pkinit) {
831 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
832 principal,
833 pk_user_id,
834 pk_x509_anchors,
835 NULL,
836 NULL,
837 pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 |
838 anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0,
839 prompter,
840 NULL,
841 passwd);
842 if (ret) {
843 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
844 goto out;
845 }
846 if (ent_user_id)
847 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
848 }
849
850 if (addrs_flag != -1)
851 krb5_get_init_creds_opt_set_addressless(context, opt,
852 addrs_flag ? FALSE : TRUE);
853
854 if (renew_life == NULL && renewable_flag)
855 renewstr = "6 months";
856 if (renew_life)
857 renewstr = renew_life;
858 if (renewstr) {
859 renew = parse_time(renewstr, "s");
860 if (renew < 0)
861 errx(1, "unparsable time: %s", renewstr);
862
863 krb5_get_init_creds_opt_set_renew_life(opt, renew);
864 }
865
866 if (ticket_life != 0)
867 krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
868
869 if (start_str) {
870 int tmp = parse_time(start_str, "s");
871 if (tmp < 0)
872 errx(1, N_("unparsable time: %s", ""), start_str);
873
874 start_time = tmp;
875 }
876
877 if (etype_str.num_strings) {
878 int i;
879
880 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
881 if (enctype == NULL)
882 errx(1, "out of memory");
883 for(i = 0; i < etype_str.num_strings; i++) {
884 ret = krb5_string_to_enctype(context,
885 etype_str.strings[i],
886 &enctype[i]);
887 if (ret)
888 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
889 }
890 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
891 etype_str.num_strings);
892 }
893
894 if (gss_preauth_mech || gss_preauth_name) {
895 ret = acquire_gss_cred(context, principal, ticket_life,
896 passwd, &gss_cred, &gss_mech);
897 if (ret)
898 goto out;
899
900 /*
901 * The principal specified on the command line is used as the GSS-API
902 * initiator name, unless the --gss-name option was present, in which
903 * case the initiator name is specified independently.
904 */
905 if (gss_preauth_name == NULL) {
906 krb5_const_realm realm = krb5_principal_get_realm(context, principal);
907
908 ret = make_wellknown_name(context, realm,
909 KRB5_FEDERATED_NAME, &federated_name);
910 if (ret)
911 goto out;
912
913 principal = federated_name;
914 }
915 }
916
917 ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
918 if (ret) {
919 krb5_warn(context, ret, "krb5_init_creds_init");
920 goto out;
921 }
922
923 if (server_str) {
924 ret = krb5_init_creds_set_service(context, ctx, server_str);
925 if (ret) {
926 krb5_warn(context, ret, "krb5_init_creds_set_service");
927 goto out;
928 }
929 }
930
931 if (kdc_hostname) {
932 ret = krb5_init_creds_set_kdc_hostname(context, ctx, kdc_hostname);
933 if (ret) {
934 krb5_warn(context, ret, "krb5_init_creds_set_kdc_hostname");
935 goto out;
936 }
937 }
938
939 if (fast_armor_cache_string) {
940 krb5_ccache fastid = NULL;
941
942 if (pk_anon_fast_armor)
943 krb5_errx(context, 1,
944 N_("cannot specify FAST armor cache with FAST "
945 "anonymous PKINIT option", ""));
946
947 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
948 if (ret) {
949 krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
950 goto out;
951 }
952
953 ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
954 if (ret) {
955 krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
956 goto out;
957 }
958 } else if (pk_anon_fast_armor) {
959 ret = krb5_init_creds_set_fast_anon_pkinit(context, ctx);
960 if (ret) {
961 krb5_warn(context, ret, "krb5_init_creds_set_fast_anon_pkinit");
962 goto out;
963 }
964 }
965
966 if (gss_mech != GSS_C_NO_OID) {
967 ret = krb5_gss_set_init_creds(context, ctx, gss_cred, gss_mech);
968 if (ret) {
969 krb5_warn(context, ret, "krb5_gss_set_init_creds");
970 goto out;
971 }
972 } else if (use_keytab || keytab_str) {
973 ret = krb5_init_creds_set_keytab(context, ctx, kt);
974 if (ret) {
975 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
976 goto out;
977 }
978 } else if (pk_user_id || ent_user_id ||
979 krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
980 /* nop */;
981 } else if (!interactive && passwd[0] == '\0') {
982 static int already_warned = 0;
983
984 if (!already_warned)
985 krb5_warnx(context, "Not interactive, failed to get "
986 "initial ticket");
987 krb5_get_init_creds_opt_free(context, opt);
988 already_warned = 1;
989 return 0;
990 } else {
991
992 if (passwd[0] == '\0') {
993 char *p, *prompt;
994 int aret = 0;
995
996 ret = krb5_unparse_name(context, principal, &p);
997 if (ret)
998 errx(1, "failed to generate passwd prompt: not enough memory");
999
1000 aret = asprintf(&prompt, N_("%s's Password: ", ""), p);
1001 free(p);
1002 if (aret == -1)
1003 errx(1, "failed to generate passwd prompt: not enough memory");
1004
1005 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
1006 memset(passwd, 0, sizeof(passwd));
1007 errx(1, "failed to read password");
1008 }
1009 free(prompt);
1010 }
1011
1012 if (passwd[0]) {
1013 ret = krb5_init_creds_set_password(context, ctx, passwd);
1014 if (ret) {
1015 krb5_warn(context, ret, "krb5_init_creds_set_password");
1016 goto out;
1017 }
1018 }
1019 }
1020
1021 ret = krb5_init_creds_get(context, ctx);
1022
1023 #ifndef NO_NTLM
1024 if (ntlm_domain && passwd[0])
1025 heim_ntlm_nt_key(passwd, &ntlmkey);
1026 #endif
1027 memset_s(passwd, sizeof(passwd), 0, sizeof(passwd));
1028
1029 switch(ret){
1030 case 0:
1031 break;
1032 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
1033 exit(1);
1034 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
1035 case KRB5KRB_AP_ERR_MODIFIED:
1036 case KRB5KDC_ERR_PREAUTH_FAILED:
1037 case KRB5_GET_IN_TKT_LOOP:
1038 krb5_warnx(context, N_("Password incorrect", ""));
1039 goto out;
1040 case KRB5KRB_AP_ERR_V4_REPLY:
1041 krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
1042 goto out;
1043 case KRB5KDC_ERR_KEY_EXPIRED:
1044 krb5_warnx(context, N_("Password expired", ""));
1045 goto out;
1046 default:
1047 krb5_warn(context, ret, "krb5_get_init_creds");
1048 goto out;
1049 }
1050
1051 krb5_process_last_request(context, opt, ctx);
1052
1053 ret = krb5_init_creds_get_creds(context, ctx, &cred);
1054 if (ret) {
1055 krb5_warn(context, ret, "krb5_init_creds_get_creds");
1056 goto out;
1057 }
1058
1059 if (ticket_life != 0) {
1060 if (labs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
1061 char life[64];
1062 unparse_time_approx(cred.times.endtime - cred.times.starttime,
1063 life, sizeof(life));
1064 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
1065 }
1066 }
1067 if (renew_life) {
1068 if (labs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
1069 char life[64];
1070 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
1071 life, sizeof(life));
1072 krb5_warnx(context,
1073 N_("NOTICE: ticket renewable lifetime is %s", ""),
1074 life);
1075 }
1076 }
1077 krb5_free_cred_contents(context, &cred);
1078
1079 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
1080 NULL, &tempccache);
1081 if (ret) {
1082 krb5_warn(context, ret, "krb5_cc_new_unique");
1083 goto out;
1084 }
1085
1086 ret = krb5_init_creds_store(context, ctx, tempccache);
1087 if (ret) {
1088 krb5_warn(context, ret, "krb5_init_creds_store");
1089 goto out;
1090 }
1091
1092 ret = krb5_init_creds_store_config(context, ctx, tempccache);
1093 if (ret) {
1094 krb5_warn(context, ret, "krb5_init_creds_store_config");
1095 goto out;
1096 }
1097
1098 ret = krb5_init_creds_warn_user(context, ctx);
1099 if (ret) {
1100 krb5_warn(context, ret, "krb5_init_creds_warn_user");
1101 goto out;
1102 }
1103
1104 krb5_init_creds_free(context, ctx);
1105 ctx = NULL;
1106
1107 ret = krb5_cc_move(context, tempccache, ccache);
1108 if (ret) {
1109 krb5_warn(context, ret, "krb5_cc_move");
1110 goto out;
1111 }
1112 tempccache = NULL;
1113
1114 if (switch_cache_flags)
1115 krb5_cc_switch(context, ccache);
1116
1117 #ifndef NO_NTLM
1118 if (ntlm_domain && ntlmkey.data)
1119 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
1120 #endif
1121
1122 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
1123 unsigned char d = 0;
1124 krb5_data data;
1125
1126 if (ok_as_delegate_flag || windows_flag)
1127 d |= 1;
1128 if (use_referrals_flag || windows_flag)
1129 d |= 2;
1130
1131 data.length = 1;
1132 data.data = &d;
1133
1134 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
1135 }
1136
1137 if (anonymous_pkinit) {
1138 krb5_data data;
1139
1140 data.length = strlen(principal->realm);
1141 data.data = principal->realm;
1142
1143 krb5_cc_set_config(context, ccache, NULL, "anon_pkinit_realm", &data);
1144 }
1145
1146 out:
1147 {
1148 OM_uint32 minor;
1149 gss_release_cred(&minor, &gss_cred);
1150 }
1151 krb5_free_principal(context, federated_name);
1152 krb5_get_init_creds_opt_free(context, opt);
1153 if (ctx)
1154 krb5_init_creds_free(context, ctx);
1155 if (tempccache)
1156 krb5_cc_destroy(context, tempccache);
1157 if (enctype)
1158 free(enctype);
1159
1160 return ret;
1161 }
1162
1163 static time_t
1164 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
1165 const char *server, time_t *renew)
1166 {
1167 krb5_creds in_cred, *cred;
1168 krb5_error_code ret;
1169 time_t timeout;
1170 time_t curtime;
1171
1172 memset(&in_cred, 0, sizeof(in_cred));
1173
1174 if (renew != NULL)
1175 *renew = 0;
1176
1177 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
1178 if (ret) {
1179 krb5_warn(context, ret, "krb5_cc_get_principal");
1180 return 0;
1181 }
1182
1183 /* Determine TGS principal without fallback */
1184 ret = get_server(context, cache, in_cred.client, server, FALSE,
1185 &in_cred.server);
1186 if (ret) {
1187 krb5_free_principal(context, in_cred.client);
1188 krb5_warn(context, ret, "get_server");
1189 return 0;
1190 }
1191
1192 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
1193 cache, &in_cred, &cred);
1194 krb5_free_principal(context, in_cred.client);
1195 krb5_free_principal(context, in_cred.server);
1196 if (ret) {
1197 krb5_warn(context, ret, "krb5_get_credentials");
1198 return 0;
1199 }
1200 curtime = time(NULL);
1201 timeout = cred->times.endtime - curtime;
1202 if (timeout < 0)
1203 timeout = 0;
1204 if (renew) {
1205 *renew = cred->times.renew_till - curtime;
1206 if (*renew < 0)
1207 *renew = 0;
1208 }
1209 krb5_free_creds(context, cred);
1210 return timeout;
1211 }
1212
1213 static time_t expire;
1214
1215 static char siginfo_msg[1024] = "No credentials\n";
1216
1217 static void
1218 update_siginfo_msg(time_t exp, const char *srv)
1219 {
1220 /* Note that exp is relative time */
1221 memset(siginfo_msg, 0, sizeof(siginfo_msg));
1222 memcpy(&siginfo_msg, "Updating...\n", sizeof("Updating...\n"));
1223 if (exp) {
1224 if (srv == NULL) {
1225 snprintf(siginfo_msg, sizeof(siginfo_msg),
1226 N_("kinit: TGT expires in %llu seconds\n", ""),
1227 (unsigned long long)expire);
1228 } else {
1229 snprintf(siginfo_msg, sizeof(siginfo_msg),
1230 N_("kinit: Ticket for %s expired\n", ""), srv);
1231 }
1232 return;
1233 }
1234
1235 /* Expired creds */
1236 if (srv == NULL) {
1237 snprintf(siginfo_msg, sizeof(siginfo_msg),
1238 N_("kinit: TGT expired\n", ""));
1239 } else {
1240 snprintf(siginfo_msg, sizeof(siginfo_msg),
1241 N_("kinit: Ticket for %s expired\n", ""), srv);
1242 }
1243 }
1244
1245 #ifdef HAVE_SIGACTION
1246 static void
1247 handle_siginfo(int sig)
1248 {
1249 struct iovec iov[2];
1250
1251 iov[0].iov_base = rk_UNCONST(siginfo_msg);
1252 iov[0].iov_len = strlen(siginfo_msg);
1253 iov[1].iov_base = "\n";
1254 iov[1].iov_len = 1;
1255
1256 writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
1257 }
1258 #endif
1259
1260 struct renew_ctx {
1261 krb5_context context;
1262 krb5_ccache ccache;
1263 krb5_principal principal;
1264 krb5_deltat ticket_life;
1265 krb5_deltat timeout;
1266 int anonymous_pkinit;
1267 };
1268
1269 static time_t
1270 renew_func(void *ptr)
1271 {
1272 krb5_error_code ret;
1273 struct renew_ctx *ctx = ptr;
1274 time_t renew_expire;
1275 static time_t exp_delay = 1;
1276
1277 /*
1278 * NOTE: We count on the ccache implementation to notice changes to the
1279 * actual ccache filesystem/whatever objects. There should be no ccache
1280 * types for which this is not the case, but it might not hurt to
1281 * re-krb5_cc_resolve() after each successful renew_validate()/
1282 * get_new_tickets() call.
1283 */
1284
1285 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1286 server_str, &renew_expire);
1287
1288 /*
1289 * When a keytab is available to obtain new tickets, if we are within
1290 * half of the original ticket lifetime of the renew limit, get a new
1291 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
1292 * is zero by default (without a '-l' option) and cannot be used to
1293 * set the time scale on which we decide whether we're "close to the
1294 * renew limit".
1295 */
1296 if (use_keytab || keytab_str)
1297 expire += ctx->timeout;
1298 if (renew_expire > expire) {
1299 ret = renew_validate(ctx->context, 1, validate_flag, &ctx->ccache,
1300 NULL, FALSE, server_str, ctx->ticket_life);
1301 } else {
1302 ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
1303 ctx->ticket_life, 0, ctx->anonymous_pkinit);
1304 }
1305 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1306 server_str, &renew_expire);
1307
1308 #ifndef NO_AFS
1309 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1310 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
1311 #endif
1312
1313 update_siginfo_msg(expire, server_str);
1314
1315 /*
1316 * If our tickets have expired and we been able to either renew them
1317 * or obtain new tickets, then we still call this function but we use
1318 * an exponential backoff. This should take care of the case where
1319 * we are using stored credentials but the KDC has been unavailable
1320 * for some reason...
1321 */
1322
1323 if (expire < 1) {
1324 /*
1325 * We can't ask to keep spamming stderr but not syslog, so we warn
1326 * only once.
1327 */
1328 if (exp_delay == 1) {
1329 krb5_warnx(ctx->context, N_("NOTICE: Could not renew/refresh "
1330 "tickets", ""));
1331 }
1332 if (exp_delay < 7200)
1333 exp_delay += exp_delay / 2 + 1;
1334 return exp_delay;
1335 }
1336 exp_delay = 1;
1337
1338 return expire / 2 + 1;
1339 }
1340
1341 static void
1342 set_princ_realm(krb5_context context,
1343 krb5_principal principal,
1344 const char *realm)
1345 {
1346 krb5_error_code ret;
1347
1348 if ((ret = krb5_principal_set_realm(context, principal, realm)) != 0)
1349 krb5_err(context, 1, ret, "krb5_principal_set_realm");
1350 }
1351
1352 static void
1353 parse_name_realm(krb5_context context,
1354 const char *name,
1355 int flags,
1356 const char *realm,
1357 krb5_principal *princ)
1358 {
1359 krb5_error_code ret;
1360
1361 if (realm)
1362 flags |= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1363 if ((ret = krb5_parse_name_flags(context, name, flags, princ)) != 0)
1364 krb5_err(context, 1, ret, "krb5_parse_name_flags");
1365 if (realm && krb5_principal_get_realm(context, *princ) == NULL)
1366 set_princ_realm(context, *princ, realm);
1367 }
1368
1369 static char *
1370 get_default_realm(krb5_context context)
1371 {
1372 char *realm;
1373 krb5_error_code ret;
1374
1375 if ((ret = krb5_get_default_realm(context, &realm)) != 0)
1376 krb5_err(context, 1, ret, "krb5_get_default_realm");
1377 return realm;
1378 }
1379
1380 static void
1381 get_default_principal(krb5_context context, krb5_principal *princ)
1382 {
1383 krb5_error_code ret;
1384
1385 if ((ret = krb5_get_default_principal(context, princ)) != 0)
1386 krb5_err(context, 1, ret, "krb5_get_default_principal");
1387 }
1388
1389 static char *
1390 get_user_realm(krb5_context context)
1391 {
1392 krb5_error_code ret;
1393 char *user_realm = NULL;
1394
1395 /*
1396 * If memory allocation fails, we don't try to use the wrong realm,
1397 * that will trigger misleading error messages complicate support.
1398 */
1399 krb5_appdefault_string(context, "kinit", NULL, "user_realm", "",
1400 &user_realm);
1401 if (user_realm == NULL) {
1402 ret = krb5_enomem(context);
1403 krb5_err(context, 1, ret, "krb5_appdefault_string");
1404 }
1405
1406 if (*user_realm == 0) {
1407 free(user_realm);
1408 user_realm = NULL;
1409 }
1410
1411 return user_realm;
1412 }
1413
1414 static void
1415 get_princ(krb5_context context,
1416 krb5_principal *principal,
1417 const char *ccname,
1418 const char *name)
1419 {
1420 krb5_error_code ret = 0;
1421 krb5_principal tmp;
1422 int parseflags = 0;
1423 char *user_realm;
1424
1425 if (name == NULL) {
1426 krb5_ccache ccache = NULL;
1427
1428 /* If credential cache provides a client principal, use that. */
1429 if (ccname)
1430 ret = krb5_cc_resolve(context, ccname, &ccache);
1431 else
1432 ret = krb5_cc_default(context, &ccache);
1433 if (ret == 0)
1434 ret = krb5_cc_get_principal(context, ccache, principal);
1435 krb5_cc_close(context, ccache);
1436 if (ret == 0)
1437 return;
1438 }
1439
1440 user_realm = get_user_realm(context);
1441
1442 if (name) {
1443 if (enterprise_flag)
1444 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1445
1446 parse_name_realm(context, name, parseflags, user_realm, &tmp);
1447
1448 if (user_realm && krb5_principal_get_num_comp(context, tmp) > 1) {
1449 /* Principal is instance qualified, reparse with default realm. */
1450 krb5_free_principal(context, tmp);
1451 parse_name_realm(context, name, parseflags, NULL, principal);
1452 } else {
1453 *principal = tmp;
1454 }
1455 } else {
1456 get_default_principal(context, principal);
1457 if (user_realm)
1458 set_princ_realm(context, *principal, user_realm);
1459 }
1460
1461 if (user_realm)
1462 free(user_realm);
1463 }
1464
1465 static void
1466 get_princ_kt(krb5_context context,
1467 krb5_principal *principal,
1468 char *name)
1469 {
1470 krb5_error_code ret;
1471 krb5_principal tmp;
1472 krb5_ccache ccache;
1473 krb5_kt_cursor cursor;
1474 krb5_keytab_entry entry;
1475 char *def_realm;
1476
1477 if (name == NULL) {
1478 /*
1479 * If the credential cache exists and specifies a client principal,
1480 * use that.
1481 */
1482 if (krb5_cc_default(context, &ccache) == 0) {
1483 ret = krb5_cc_get_principal(context, ccache, principal);
1484 krb5_cc_close(context, ccache);
1485 if (ret == 0)
1486 return;
1487 }
1488 }
1489
1490 if (name) {
1491 /* If the principal specifies an explicit realm, just use that. */
1492 int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1493
1494 parse_name_realm(context, name, parseflags, NULL, &tmp);
1495 if (krb5_principal_get_realm(context, tmp) != NULL) {
1496 *principal = tmp;
1497 return;
1498 }
1499 } else {
1500 /* Otherwise, search keytab for bare name of the default principal. */
1501 get_default_principal(context, &tmp);
1502 set_princ_realm(context, tmp, NULL);
1503 }
1504
1505 def_realm = get_default_realm(context);
1506
1507 ret = krb5_kt_start_seq_get(context, kt, &cursor);
1508 if (ret)
1509 krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
1510
1511 while (ret == 0 &&
1512 krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
1513 const char *realm;
1514
1515 if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
1516 continue;
1517 if (*principal &&
1518 krb5_principal_compare(context, *principal, entry.principal))
1519 continue;
1520 /* The default realm takes precedence */
1521 realm = krb5_principal_get_realm(context, entry.principal);
1522 if (*principal && strcmp(def_realm, realm) == 0) {
1523 krb5_free_principal(context, *principal);
1524 ret = krb5_copy_principal(context, entry.principal, principal);
1525 break;
1526 }
1527 if (!*principal)
1528 ret = krb5_copy_principal(context, entry.principal, principal);
1529 }
1530 if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
1531 krb5_err(context, 1, ret, "get_princ_kt");
1532 if (!*principal) {
1533 if (name)
1534 parse_name_realm(context, name, 0, NULL, principal);
1535 else
1536 krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
1537 }
1538
1539 krb5_free_principal(context, tmp);
1540 free(def_realm);
1541 }
1542
1543 static krb5_error_code
1544 get_switched_ccache(krb5_context context,
1545 const char * type,
1546 krb5_principal principal,
1547 krb5_ccache *ccache)
1548 {
1549 krb5_error_code ret;
1550
1551 #ifdef _WIN32
1552 if (strcmp(type, "API") == 0) {
1553 /*
1554 * Windows stores the default ccache name in the
1555 * registry which is shared across multiple logon
1556 * sessions for the same user. The API credential
1557 * cache provides a unique name space per logon
1558 * session. Therefore there is no need to generate
1559 * a unique ccache name. Instead use the principal
1560 * name. This provides a friendlier user experience.
1561 */
1562 char * unparsed_name;
1563 char * cred_cache;
1564
1565 ret = krb5_unparse_name(context, principal,
1566 &unparsed_name);
1567 if (ret)
1568 krb5_err(context, 1, ret,
1569 N_("unparsing principal name", ""));
1570
1571 ret = asprintf(&cred_cache, "API:%s", unparsed_name);
1572 krb5_free_unparsed_name(context, unparsed_name);
1573 if (ret == -1 || cred_cache == NULL)
1574 krb5_err(context, 1, ret,
1575 N_("building credential cache name", ""));
1576
1577 ret = krb5_cc_resolve(context, cred_cache, ccache);
1578 free(cred_cache);
1579 } else if (strcmp(type, "MSLSA") == 0) {
1580 /*
1581 * The Windows MSLSA cache when it is writeable
1582 * stores tickets for multiple client principals
1583 * in a single credential cache.
1584 */
1585 ret = krb5_cc_resolve(context, "MSLSA:", ccache);
1586 } else {
1587 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1588 }
1589 #else /* !_WIN32 */
1590 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1591 #endif /* _WIN32 */
1592
1593 return ret;
1594 }
1595
1596 int
1597 main(int argc, char **argv)
1598 {
1599 krb5_error_code ret;
1600 krb5_context context;
1601 krb5_ccache ccache;
1602 krb5_principal principal = NULL;
1603 int optidx = 0;
1604 krb5_deltat ticket_life = 0;
1605 #ifdef HAVE_SIGACTION
1606 struct sigaction sa;
1607 #endif
1608 krb5_boolean unique_ccache = FALSE;
1609 krb5_boolean historical_anon_pkinit = FALSE;
1610 int anonymous_pkinit = FALSE;
1611
1612 setprogname(argv[0]);
1613
1614 setlocale(LC_ALL, "");
1615 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
1616 textdomain("heimdal_kuser");
1617
1618 ret = krb5_init_context(&context);
1619 if (ret == KRB5_CONFIG_BADFORMAT)
1620 errx(1, "krb5_init_context failed to parse configuration file");
1621 else if (ret)
1622 errx(1, "krb5_init_context failed: %d", ret);
1623
1624 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
1625 usage(1);
1626
1627 if (help_flag)
1628 usage(0);
1629
1630 if (version_flag) {
1631 print_version(NULL);
1632 exit(0);
1633 }
1634
1635 argc -= optidx;
1636 argv += optidx;
1637
1638 krb5_appdefault_boolean(context, "kinit", NULL, "historical_anon_pkinit",
1639 FALSE, &historical_anon_pkinit);
1640
1641 /*
1642 * Open the keytab now, we use the keytab to determine the principal's
1643 * realm when the requested principal has no realm.
1644 */
1645 if (use_keytab || keytab_str) {
1646 if (keytab_str)
1647 ret = krb5_kt_resolve(context, keytab_str, &kt);
1648 else
1649 ret = krb5_kt_default(context, &kt);
1650 if (ret)
1651 krb5_err(context, 1, ret, "resolving keytab");
1652 }
1653
1654 if (pk_enterprise_flag) {
1655 ret = krb5_pk_enterprise_cert(context, pk_user_id,
1656 argv[0], &principal,
1657 &ent_user_id);
1658 if (ret)
1659 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
1660
1661 pk_user_id = NULL;
1662 } else if (argc && argv[0][0] == '@' &&
1663 (gss_preauth_mech || anonymous_flag)) {
1664 const char *instance;
1665
1666 if (gss_preauth_mech) {
1667 instance = KRB5_FEDERATED_NAME;
1668 } else if (anonymous_flag) {
1669 instance = KRB5_ANON_NAME;
1670 anonymous_pkinit = TRUE;
1671 }
1672
1673 ret = make_wellknown_name(context, &argv[0][1], instance, &principal);
1674 if (ret)
1675 krb5_err(context, 1, ret, "make_wellknown_name");
1676 } else if (anonymous_flag && historical_anon_pkinit) {
1677 char *realm = argc == 0 ? get_default_realm(context) :
1678 argv[0][0] == '@' ? &argv[0][1] : argv[0];
1679
1680 ret = krb5_make_principal(context, &principal, realm,
1681 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
1682 if (ret)
1683 krb5_err(context, 1, ret, "krb5_make_principal");
1684 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1685 anonymous_pkinit = TRUE;
1686 } else if (use_keytab || keytab_str) {
1687 get_princ_kt(context, &principal, argv[0]);
1688 } else if (gss_preauth_mech && argc == 0 && gss_preauth_name == NULL) {
1689 /*
1690 * Use the federated name as a placeholder if we have neither a Kerberos
1691 * nor a GSS-API client name, and we are performing GSS-API preauth.
1692 */
1693 ret = make_wellknown_name(context, get_default_realm(context),
1694 KRB5_FEDERATED_NAME, &principal);
1695 if (ret)
1696 krb5_err(context, 1, ret, "make_wellknown_name");
1697 } else {
1698 get_princ(context, &principal, cred_cache, argv[0]);
1699 }
1700
1701 if (fcache_version)
1702 krb5_set_fcache_version(context, fcache_version);
1703
1704 if (renewable_flag == -1)
1705 /* this seems somewhat pointless, but whatever */
1706 krb5_appdefault_boolean(context, "kinit",
1707 krb5_principal_get_realm(context, principal),
1708 "renewable", FALSE, &renewable_flag);
1709 if (do_afslog == -1)
1710 krb5_appdefault_boolean(context, "kinit",
1711 krb5_principal_get_realm(context, principal),
1712 "afslog", TRUE, &do_afslog);
1713
1714 /*
1715 * Cases:
1716 *
1717 * - use the given ccache
1718 * - use a new unique ccache for running a command with (in this case we
1719 * get to set KRB5CCNAME, so a new unique ccache makes sense)
1720 * - use the default ccache for the given principal as requested and do
1721 * not later switch the collection's default/primary to it
1722 * - use the default cache, possibly a new unique one that later gets
1723 * switched to it
1724 *
1725 * The important thing is that, except for the case where we're running a
1726 * command, we _can't set KRB5CCNAME_, and we can't expect the user to read
1727 * our output and figure out to set it (we could have an output-for-shell-
1728 * eval mode, like ssh-agent and such, but we don't). Therefore, in all
1729 * cases where we can't set KRB5CCNAME we must do something that makes
1730 * sense to the user, and that is to either initialize a given ccache, use
1731 * the default, or use a subsidiary ccache named after the principal whose
1732 * creds we're initializing.
1733 */
1734 if (cred_cache) {
1735 /* Use the given ccache */
1736 ret = krb5_cc_resolve(context, cred_cache, &ccache);
1737 } else if (argc > 1) {
1738 char s[1024];
1739
1740 /*
1741 * A command was given, so use a new unique ccache (and destroy it
1742 * later).
1743 */
1744 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
1745 if (ret)
1746 krb5_err(context, 1, ret, "creating cred cache");
1747 snprintf(s, sizeof(s), "%s:%s",
1748 krb5_cc_get_type(context, ccache),
1749 krb5_cc_get_name(context, ccache));
1750 setenv("KRB5CCNAME", s, 1);
1751 unique_ccache = TRUE;
1752 switch_cache_flags = 0;
1753 } else if (default_for) {
1754 ret = krb5_cc_default_for(context, principal, &ccache);
1755 if (switch_cache_flags == -1)
1756 switch_cache_flags = 0;
1757 } else {
1758 ret = krb5_cc_cache_match(context, principal, &ccache);
1759 if (ret) {
1760 const char *type;
1761 ret = krb5_cc_default(context, &ccache);
1762 if (ret)
1763 krb5_err(context, 1, ret,
1764 N_("resolving credentials cache", ""));
1765
1766 /*
1767 * Check if the type support switching, and we do,
1768 * then do that instead over overwriting the current
1769 * default credential
1770 */
1771 type = krb5_cc_get_type(context, ccache);
1772 if (krb5_cc_support_switch(context, type) &&
1773 strcmp(type, "FILE")) {
1774 krb5_cc_close(context, ccache);
1775 ret = get_switched_ccache(context, type, principal,
1776 &ccache);
1777 if (ret == 0)
1778 unique_ccache = TRUE;
1779 }
1780 }
1781 }
1782 if (ret)
1783 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
1784
1785 #ifndef NO_AFS
1786 if (argc > 1 && k_hasafs())
1787 k_setpag();
1788 #endif
1789
1790 if (lifetime) {
1791 int tmp = parse_time(lifetime, "s");
1792 if (tmp < 0)
1793 errx(1, N_("unparsable time: %s", ""), lifetime);
1794
1795 ticket_life = tmp;
1796 }
1797
1798 if (addrs_flag == 0 && extra_addresses.num_strings > 0)
1799 krb5_errx(context, 1,
1800 N_("specifying both extra addresses and "
1801 "no addresses makes no sense", ""));
1802 {
1803 int i;
1804 krb5_addresses addresses;
1805 memset(&addresses, 0, sizeof(addresses));
1806 for(i = 0; i < extra_addresses.num_strings; i++) {
1807 ret = krb5_parse_address(context, extra_addresses.strings[i],
1808 &addresses);
1809 if (ret == 0) {
1810 krb5_add_extra_addresses(context, &addresses);
1811 krb5_free_addresses(context, &addresses);
1812 }
1813 }
1814 free_getarg_strings(&extra_addresses);
1815 }
1816
1817 if (renew_flag || validate_flag) {
1818 ret = renew_validate(context, renew_flag, validate_flag,
1819 &ccache, principal,
1820 default_for ? TRUE : FALSE, server_str,
1821 ticket_life);
1822
1823 #ifndef NO_AFS
1824 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1825 krb5_afslog(context, ccache, NULL, NULL);
1826 #endif
1827
1828 if (unique_ccache)
1829 krb5_cc_destroy(context, ccache);
1830 exit(ret != 0);
1831 }
1832
1833 ret = get_new_tickets(context, principal, ccache, ticket_life,
1834 1, anonymous_pkinit);
1835 if (ret) {
1836 if (unique_ccache)
1837 krb5_cc_destroy(context, ccache);
1838 exit(1);
1839 }
1840
1841 #ifndef NO_AFS
1842 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1843 krb5_afslog(context, ccache, NULL, NULL);
1844 #endif
1845
1846 if (argc > 1) {
1847 struct renew_ctx ctx;
1848 time_t timeout;
1849
1850 timeout = ticket_lifetime(context, ccache, principal,
1851 server_str, NULL) / 2;
1852
1853 ctx.context = context;
1854 ctx.ccache = ccache;
1855 ctx.principal = principal;
1856 ctx.ticket_life = ticket_life;
1857 ctx.timeout = timeout;
1858 ctx.anonymous_pkinit = anonymous_pkinit;
1859
1860 #ifdef HAVE_SIGACTION
1861 memset(&sa, 0, sizeof(sa));
1862 sigemptyset(&sa.sa_mask);
1863 sa.sa_handler = handle_siginfo;
1864
1865 sigaction(SIGINFO, &sa, NULL);
1866 #endif
1867
1868 ret = simple_execvp_timed(argv[1], argv+1,
1869 renew_func, &ctx, timeout);
1870 #define EX_NOEXEC 126
1871 #define EX_NOTFOUND 127
1872 if (ret == EX_NOEXEC)
1873 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
1874 else if (ret == EX_NOTFOUND)
1875 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
1876
1877 krb5_cc_destroy(context, ccache);
1878 #ifndef NO_AFS
1879 if (k_hasafs())
1880 k_unlog();
1881 #endif
1882 } else {
1883 krb5_cc_close(context, ccache);
1884 ret = 0;
1885 }
1886 krb5_free_principal(context, principal);
1887 if (kt)
1888 krb5_kt_close(context, kt);
1889 krb5_free_context(context);
1890 return ret;
1891 }
Heimdal