search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Move external libdeps after our own
[heimdal.git] / kuser / kinit.c
blob4e93c6905231fcc3ac42ed83a2b9f3d55724131a
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37
38 #ifdef __APPLE__
39 #include <Security/Security.h>
40 #endif
41
42 #ifndef NO_NTLM
43 #include "heimntlm.h"
44 #endif
45
46 #ifndef SIGINFO
47 #define SIGINFO SIGUSR1
48 #endif
49
50 int forwardable_flag = -1;
51 int proxiable_flag = -1;
52 int renewable_flag = -1;
53 int renew_flag = 0;
54 int pac_flag = -1;
55 int validate_flag = 0;
56 int version_flag = 0;
57 int help_flag = 0;
58 int addrs_flag = -1;
59 struct getarg_strings extra_addresses;
60 int anonymous_flag = 0;
61 char *lifetime = NULL;
62 char *renew_life = NULL;
63 char *server_str = NULL;
64 char *cred_cache = NULL;
65 char *start_str = NULL;
66 static int switch_cache_flags = 1;
67 struct getarg_strings etype_str;
68 int use_keytab = 0;
69 char *keytab_str = NULL;
70 static krb5_keytab kt = NULL;
71 int do_afslog = -1;
72 int fcache_version;
73 char *password_file = NULL;
74 char *pk_user_id = NULL;
75 int pk_enterprise_flag = 0;
76 struct hx509_certs_data *ent_user_id = NULL;
77 char *pk_x509_anchors = NULL;
78 int pk_use_enckey = 0;
79 static int canonicalize_flag = 0;
80 static int enterprise_flag = 0;
81 static int ok_as_delegate_flag = 0;
82 static char *fast_armor_cache_string = NULL;
83 static int use_referrals_flag = 0;
84 static int windows_flag = 0;
85 #ifndef NO_NTLM
86 static char *ntlm_domain;
87 #endif
88
89
90 static struct getargs args[] = {
91 /*
92 * used by MIT
93 * a: ~A
94 * V: verbose
95 * F: ~f
96 * P: ~p
97 * C: v4 cache name?
98 * 5:
99 *
100 * old flags
101 * 4:
102 * 9:
103 */
104 { "afslog", 0 , arg_flag, &do_afslog,
105 NP_("obtain afs tokens", ""), NULL },
106
107 { "cache", 'c', arg_string, &cred_cache,
108 NP_("credentials cache", ""), "cachename" },
109
110 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
111 NP_("get tickets not forwardable", ""), NULL },
112
113 { NULL, 'f', arg_flag, &forwardable_flag,
114 NP_("get forwardable tickets", ""), NULL },
115
116 { "keytab", 't', arg_string, &keytab_str,
117 NP_("keytab to use", ""), "keytabname" },
118
119 { "lifetime", 'l', arg_string, &lifetime,
120 NP_("lifetime of tickets", ""), "time" },
121
122 { "proxiable", 'p', arg_flag, &proxiable_flag,
123 NP_("get proxiable tickets", ""), NULL },
124
125 { "renew", 'R', arg_flag, &renew_flag,
126 NP_("renew TGT", ""), NULL },
127
128 { "renewable", 0, arg_flag, &renewable_flag,
129 NP_("get renewable tickets", ""), NULL },
130
131 { "renewable-life", 'r', arg_string, &renew_life,
132 NP_("renewable lifetime of tickets", ""), "time" },
133
134 { "server", 'S', arg_string, &server_str,
135 NP_("server to get ticket for", ""), "principal" },
136
137 { "start-time", 's', arg_string, &start_str,
138 NP_("when ticket gets valid", ""), "time" },
139
140 { "use-keytab", 'k', arg_flag, &use_keytab,
141 NP_("get key from keytab", ""), NULL },
142
143 { "validate", 'v', arg_flag, &validate_flag,
144 NP_("validate TGT", ""), NULL },
145
146 { "enctypes", 'e', arg_strings, &etype_str,
147 NP_("encryption types to use", ""), "enctypes" },
148
149 { "fcache-version", 0, arg_integer, &fcache_version,
150 NP_("file cache version to create", ""), NULL },
151
152 { "addresses", 'A', arg_negative_flag, &addrs_flag,
153 NP_("request a ticket with no addresses", ""), NULL },
154
155 { "extra-addresses",'a', arg_strings, &extra_addresses,
156 NP_("include these extra addresses", ""), "addresses" },
157
158 { "anonymous", 0, arg_flag, &anonymous_flag,
159 NP_("request an anonymous ticket", ""), NULL },
160
161 { "request-pac", 0, arg_flag, &pac_flag,
162 NP_("request a Windows PAC", ""), NULL },
163
164 { "password-file", 0, arg_string, &password_file,
165 NP_("read the password from a file", ""), NULL },
166
167 { "canonicalize",0, arg_flag, &canonicalize_flag,
168 NP_("canonicalize client principal", ""), NULL },
169
170 { "enterprise",0, arg_flag, &enterprise_flag,
171 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
172 #ifdef PKINIT
173 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
174 NP_("use enterprise name from certificate", ""), NULL },
175
176 { "pk-user", 'C', arg_string, &pk_user_id,
177 NP_("principal's public/private/certificate identifier", ""), "id" },
178
179 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
180 NP_("directory with CA certificates", ""), "directory" },
181
182 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
183 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
184 #endif
185 #ifndef NO_NTLM
186 { "ntlm-domain", 0, arg_string, &ntlm_domain,
187 NP_("NTLM domain", ""), "domain" },
188 #endif
189
190 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
191 NP_("switch the default cache to the new credentials cache", ""), NULL },
192
193 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
194 NP_("honor ok-as-delegate on tickets", ""), NULL },
195
196 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
197 NP_("use this credential cache as FAST armor cache", ""), "cache" },
198
199 { "use-referrals", 0, arg_flag, &use_referrals_flag,
200 NP_("only use referrals, no dns canalisation", ""), NULL },
201
202 { "windows", 0, arg_flag, &windows_flag,
203 NP_("get windows behavior", ""), NULL },
204
205 { "version", 0, arg_flag, &version_flag, NULL, NULL },
206 { "help", 0, arg_flag, &help_flag, NULL, NULL }
207 };
208
209 static void
210 usage(int ret)
211 {
212 arg_printusage_i18n(args, sizeof(args)/sizeof(*args), N_("Usage: ", ""),
213 NULL, "[principal [command]]", getarg_i18n);
214 exit(ret);
215 }
216
217 static krb5_error_code
218 get_server(krb5_context context,
219 krb5_principal client,
220 const char *server,
221 krb5_principal *princ)
222 {
223 krb5_const_realm realm;
224 if (server)
225 return krb5_parse_name(context, server, princ);
226
227 realm = krb5_principal_get_realm(context, client);
228 return krb5_make_principal(context, princ, realm,
229 KRB5_TGS_NAME, realm, NULL);
230 }
231
232 static krb5_error_code
233 copy_configs(krb5_context context,
234 krb5_ccache dst,
235 krb5_ccache src,
236 krb5_principal start_ticket_server)
237 {
238 krb5_error_code ret;
239 const char *cfg_names[] = {"realm-config", "FriendlyName", NULL};
240 const char *cfg_names_w_pname[] = {"fast_avail", NULL};
241 krb5_data cfg_data;
242 size_t i;
243
244 for (i = 0; cfg_names[i]; i++) {
245 ret = krb5_cc_get_config(context, src, NULL, cfg_names[i], &cfg_data);
246 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
247 continue;
248 } else if (ret) {
249 krb5_warn(context, ret, "krb5_cc_get_config");
250 return ret;
251 }
252 ret = krb5_cc_set_config(context, dst, NULL, cfg_names[i], &cfg_data);
253 if (ret)
254 krb5_warn(context, ret, "krb5_cc_set_config");
255 }
256 for (i = 0; start_ticket_server && cfg_names_w_pname[i]; i++) {
257 ret = krb5_cc_get_config(context, src, start_ticket_server,
258 cfg_names_w_pname[i], &cfg_data);
259 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
260 continue;
261 } else if (ret) {
262 krb5_warn(context, ret, "krb5_cc_get_config");
263 return ret;
264 }
265 ret = krb5_cc_set_config(context, dst, start_ticket_server,
266 cfg_names_w_pname[i], &cfg_data);
267 if (ret && ret != KRB5_CC_NOTFOUND)
268 krb5_warn(context, ret, "krb5_cc_set_config");
269 }
270 /*
271 * We don't copy cc configs for any other principals though (mostly
272 * those are per-target time offsets and the like, so it's bad to
273 * lose them, but hardly the end of the world, and as they may not
274 * expire anyways, it's good to let them go).
275 */
276 return 0;
277 }
278
279 static krb5_error_code
280 renew_validate(krb5_context context,
281 int renew,
282 int validate,
283 krb5_ccache cache,
284 const char *server,
285 krb5_deltat life)
286 {
287 krb5_error_code ret;
288 krb5_ccache tempccache = NULL;
289 krb5_creds in, *out = NULL;
290 krb5_kdc_flags flags;
291
292 memset(&in, 0, sizeof(in));
293
294 ret = krb5_cc_get_principal(context, cache, &in.client);
295 if (ret) {
296 krb5_warn(context, ret, "krb5_cc_get_principal");
297 return ret;
298 }
299 ret = get_server(context, in.client, server, &in.server);
300 if (ret) {
301 krb5_warn(context, ret, "get_server");
302 goto out;
303 }
304
305 if (renew) {
306 /*
307 * no need to check the error here, it's only to be
308 * friendly to the user
309 */
310 krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
311 }
312
313 flags.i = 0;
314 flags.b.renewable = flags.b.renew = renew;
315 flags.b.validate = validate;
316
317 if (forwardable_flag != -1)
318 flags.b.forwardable = forwardable_flag;
319 else if (out)
320 flags.b.forwardable = out->flags.b.forwardable;
321
322 if (proxiable_flag != -1)
323 flags.b.proxiable = proxiable_flag;
324 else if (out)
325 flags.b.proxiable = out->flags.b.proxiable;
326
327 if (anonymous_flag)
328 flags.b.request_anonymous = anonymous_flag;
329 if (life)
330 in.times.endtime = time(NULL) + life;
331
332 if (out) {
333 krb5_free_creds(context, out);
334 out = NULL;
335 }
336
337
338 ret = krb5_get_kdc_cred(context,
339 cache,
340 flags,
341 NULL,
342 NULL,
343 &in,
344 &out);
345 if (ret) {
346 krb5_warn(context, ret, "krb5_get_kdc_cred");
347 goto out;
348 }
349
350 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, cache),
351 NULL, &tempccache);
352 if (ret) {
353 krb5_warn(context, ret, "krb5_cc_new_unique");
354 goto out;
355 }
356
357 ret = krb5_cc_initialize(context, tempccache, in.client);
358 if (ret) {
359 krb5_warn(context, ret, "krb5_cc_initialize");
360 goto out;
361 }
362
363 ret = krb5_cc_store_cred(context, tempccache, out);
364 if (ret) {
365 krb5_warn(context, ret, "krb5_cc_store_cred");
366 goto out;
367 }
368
369 /*
370 * We want to preserve cc configs as some are security-relevant, and
371 * anyways it's the friendly thing to do.
372 */
373 ret = copy_configs(context, tempccache, cache, out->server);
374 if (ret)
375 goto out;
376
377 ret = krb5_cc_move(context, tempccache, cache);
378 if (ret) {
379 krb5_warn(context, ret, "krb5_cc_move");
380 goto out;
381 }
382 tempccache = NULL;
383
384 out:
385 if (tempccache)
386 krb5_cc_close(context, tempccache);
387 if (out)
388 krb5_free_creds(context, out);
389 krb5_free_cred_contents(context, &in);
390 return ret;
391 }
392
393 #ifndef NO_NTLM
394
395 static krb5_error_code
396 store_ntlmkey(krb5_context context, krb5_ccache id,
397 const char *domain, struct ntlm_buf *buf)
398 {
399 krb5_error_code ret;
400 krb5_data data;
401 char *name;
402 int aret;
403
404 ret = krb5_cc_get_config(context, id, NULL, "default-ntlm-domain", &data);
405 if (ret == 0) {
406 krb5_data_free(&data);
407 } else {
408 data.length = strlen(domain);
409 data.data = rk_UNCONST(domain);
410 ret = krb5_cc_set_config(context, id, NULL, "default-ntlm-domain", &data);
411 if (ret != 0)
412 return ret;
413 }
414
415 aret = asprintf(&name, "ntlm-key-%s", domain);
416 if (aret == -1 || name == NULL)
417 return krb5_enomem(context);
418
419 data.length = buf->length;
420 data.data = buf->data;
421
422 ret = krb5_cc_set_config(context, id, NULL, name, &data);
423 free(name);
424 return ret;
425 }
426 #endif
427
428 static krb5_error_code
429 get_new_tickets(krb5_context context,
430 krb5_principal principal,
431 krb5_ccache ccache,
432 krb5_deltat ticket_life,
433 int interactive)
434 {
435 krb5_error_code ret;
436 krb5_creds cred;
437 char passwd[256];
438 krb5_deltat start_time = 0;
439 krb5_deltat renew = 0;
440 const char *renewstr = NULL;
441 krb5_enctype *enctype = NULL;
442 krb5_ccache tempccache = NULL;
443 krb5_init_creds_context ctx = NULL;
444 krb5_get_init_creds_opt *opt = NULL;
445 krb5_prompter_fct prompter = krb5_prompter_posix;
446 #ifndef NO_NTLM
447 struct ntlm_buf ntlmkey;
448 memset(&ntlmkey, 0, sizeof(ntlmkey));
449 #endif
450 passwd[0] = '\0';
451
452 if (!interactive)
453 prompter = NULL;
454
455 if (password_file) {
456 FILE *f;
457
458 if (strcasecmp("STDIN", password_file) == 0)
459 f = stdin;
460 else
461 f = fopen(password_file, "r");
462 if (f == NULL) {
463 krb5_warnx(context, "Failed to open the password file %s",
464 password_file);
465 return errno;
466 }
467
468 if (fgets(passwd, sizeof(passwd), f) == NULL) {
469 krb5_warnx(context, N_("Failed to read password from file %s", ""),
470 password_file);
471 fclose(f);
472 return EINVAL; /* XXX Need a better error */
473 }
474 if (f != stdin)
475 fclose(f);
476 passwd[strcspn(passwd, "\n")] = '\0';
477 }
478
479 #ifdef __APPLE__
480 if (passwd[0] == '\0') {
481 const char *realm;
482 OSStatus osret;
483 UInt32 length;
484 void *buffer;
485 char *name;
486
487 realm = krb5_principal_get_realm(context, principal);
488
489 ret = krb5_unparse_name_flags(context, principal,
490 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
491 if (ret)
492 goto nopassword;
493
494 osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
495 strlen(name), name,
496 &length, &buffer, NULL);
497 free(name);
498 if (osret == noErr && length < sizeof(passwd) - 1) {
499 memcpy(passwd, buffer, length);
500 passwd[length] = '\0';
501 }
502 nopassword:
503 do { } while(0);
504 }
505 #endif
506
507 memset(&cred, 0, sizeof(cred));
508
509 ret = krb5_get_init_creds_opt_alloc(context, &opt);
510 if (ret) {
511 krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
512 goto out;
513 }
514
515 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
516 krb5_principal_get_realm(context, principal), opt);
517
518 if (forwardable_flag != -1)
519 krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
520 if (proxiable_flag != -1)
521 krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
522 if (anonymous_flag)
523 krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
524 if (pac_flag != -1)
525 krb5_get_init_creds_opt_set_pac_request(context, opt,
526 pac_flag ? TRUE : FALSE);
527 if (canonicalize_flag)
528 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
529 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
530 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
531 if (pk_user_id || ent_user_id || anonymous_flag) {
532 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
533 principal,
534 pk_user_id,
535 pk_x509_anchors,
536 NULL,
537 NULL,
538 pk_use_enckey ? 2 : 0 |
539 anonymous_flag ? 4 : 0,
540 prompter,
541 NULL,
542 passwd);
543 if (ret) {
544 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
545 goto out;
546 }
547 if (ent_user_id)
548 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
549 }
550
551 if (addrs_flag != -1)
552 krb5_get_init_creds_opt_set_addressless(context, opt,
553 addrs_flag ? FALSE : TRUE);
554
555 if (renew_life == NULL && renewable_flag)
556 renewstr = "6 months";
557 if (renew_life)
558 renewstr = renew_life;
559 if (renewstr) {
560 renew = parse_time(renewstr, "s");
561 if (renew < 0)
562 errx(1, "unparsable time: %s", renewstr);
563
564 krb5_get_init_creds_opt_set_renew_life(opt, renew);
565 }
566
567 if (ticket_life != 0)
568 krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
569
570 if (start_str) {
571 int tmp = parse_time(start_str, "s");
572 if (tmp < 0)
573 errx(1, N_("unparsable time: %s", ""), start_str);
574
575 start_time = tmp;
576 }
577
578 if (etype_str.num_strings) {
579 int i;
580
581 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
582 if (enctype == NULL)
583 errx(1, "out of memory");
584 for(i = 0; i < etype_str.num_strings; i++) {
585 ret = krb5_string_to_enctype(context,
586 etype_str.strings[i],
587 &enctype[i]);
588 if (ret)
589 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
590 }
591 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
592 etype_str.num_strings);
593 }
594
595 ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
596 if (ret) {
597 krb5_warn(context, ret, "krb5_init_creds_init");
598 goto out;
599 }
600
601 if (server_str) {
602 ret = krb5_init_creds_set_service(context, ctx, server_str);
603 if (ret) {
604 krb5_warn(context, ret, "krb5_init_creds_set_service");
605 goto out;
606 }
607 }
608
609 if (fast_armor_cache_string) {
610 krb5_ccache fastid;
611
612 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
613 if (ret) {
614 krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
615 goto out;
616 }
617
618 ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
619 if (ret) {
620 krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
621 goto out;
622 }
623 }
624
625 if (use_keytab || keytab_str) {
626 ret = krb5_init_creds_set_keytab(context, ctx, kt);
627 if (ret) {
628 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
629 goto out;
630 }
631 } else if (pk_user_id || ent_user_id || anonymous_flag) {
632
633 } else if (!interactive && passwd[0] == '\0') {
634 static int already_warned = 0;
635
636 if (!already_warned)
637 krb5_warnx(context, "Not interactive, failed to get "
638 "initial ticket");
639 krb5_get_init_creds_opt_free(context, opt);
640 already_warned = 1;
641 return 0;
642 } else {
643
644 if (passwd[0] == '\0') {
645 char *p, *prompt;
646 int aret = 0;
647
648 ret = krb5_unparse_name(context, principal, &p);
649 if (ret)
650 errx(1, "failed to generate passwd prompt: not enough memory");
651
652 aret = asprintf(&prompt, N_("%s's Password: ", ""), p);
653 free(p);
654 if (aret == -1)
655 errx(1, "failed to generate passwd prompt: not enough memory");
656
657 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
658 memset(passwd, 0, sizeof(passwd));
659 errx(1, "failed to read password");
660 }
661 free(prompt);
662 }
663
664 if (passwd[0]) {
665 ret = krb5_init_creds_set_password(context, ctx, passwd);
666 if (ret) {
667 krb5_warn(context, ret, "krb5_init_creds_set_password");
668 goto out;
669 }
670 }
671 }
672
673 ret = krb5_init_creds_get(context, ctx);
674
675 #ifndef NO_NTLM
676 if (ntlm_domain && passwd[0])
677 heim_ntlm_nt_key(passwd, &ntlmkey);
678 #endif
679 memset(passwd, 0, sizeof(passwd));
680
681 switch(ret){
682 case 0:
683 break;
684 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
685 exit(1);
686 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
687 case KRB5KRB_AP_ERR_MODIFIED:
688 case KRB5KDC_ERR_PREAUTH_FAILED:
689 case KRB5_GET_IN_TKT_LOOP:
690 krb5_warnx(context, N_("Password incorrect", ""));
691 goto out;
692 case KRB5KRB_AP_ERR_V4_REPLY:
693 krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
694 goto out;
695 case KRB5KDC_ERR_KEY_EXPIRED:
696 krb5_warnx(context, N_("Password expired", ""));
697 goto out;
698 default:
699 krb5_warn(context, ret, "krb5_get_init_creds");
700 goto out;
701 }
702
703 krb5_process_last_request(context, opt, ctx);
704
705 ret = krb5_init_creds_get_creds(context, ctx, &cred);
706 if (ret) {
707 krb5_warn(context, ret, "krb5_init_creds_get_creds");
708 goto out;
709 }
710
711 if (ticket_life != 0) {
712 if (labs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
713 char life[64];
714 unparse_time_approx(cred.times.endtime - cred.times.starttime,
715 life, sizeof(life));
716 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
717 }
718 }
719 if (renew_life) {
720 if (labs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
721 char life[64];
722 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
723 life, sizeof(life));
724 krb5_warnx(context,
725 N_("NOTICE: ticket renewable lifetime is %s", ""),
726 life);
727 }
728 }
729 krb5_free_cred_contents(context, &cred);
730
731 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
732 NULL, &tempccache);
733 if (ret) {
734 krb5_warn(context, ret, "krb5_cc_new_unique");
735 goto out;
736 }
737
738 ret = krb5_init_creds_store(context, ctx, tempccache);
739 if (ret) {
740 krb5_warn(context, ret, "krb5_init_creds_store");
741 goto out;
742 }
743
744 krb5_init_creds_free(context, ctx);
745 ctx = NULL;
746
747 ret = krb5_cc_move(context, tempccache, ccache);
748 if (ret) {
749 krb5_warn(context, ret, "krb5_cc_move");
750 goto out;
751 }
752 tempccache = NULL;
753
754 if (switch_cache_flags)
755 krb5_cc_switch(context, ccache);
756
757 #ifndef NO_NTLM
758 if (ntlm_domain && ntlmkey.data)
759 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
760 #endif
761
762 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
763 unsigned char d = 0;
764 krb5_data data;
765
766 if (ok_as_delegate_flag || windows_flag)
767 d |= 1;
768 if (use_referrals_flag || windows_flag)
769 d |= 2;
770
771 data.length = 1;
772 data.data = &d;
773
774 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
775 }
776
777 out:
778 krb5_get_init_creds_opt_free(context, opt);
779 if (ctx)
780 krb5_init_creds_free(context, ctx);
781 if (tempccache)
782 krb5_cc_close(context, tempccache);
783
784 if (enctype)
785 free(enctype);
786
787 return ret;
788 }
789
790 static time_t
791 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
792 const char *server, time_t *renew)
793 {
794 krb5_creds in_cred, *cred;
795 krb5_error_code ret;
796 time_t timeout;
797 time_t curtime;
798
799 memset(&in_cred, 0, sizeof(in_cred));
800
801 if (renew != NULL)
802 *renew = 0;
803
804 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
805 if (ret) {
806 krb5_warn(context, ret, "krb5_cc_get_principal");
807 return 0;
808 }
809 ret = get_server(context, in_cred.client, server, &in_cred.server);
810 if (ret) {
811 krb5_free_principal(context, in_cred.client);
812 krb5_warn(context, ret, "get_server");
813 return 0;
814 }
815
816 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
817 cache, &in_cred, &cred);
818 krb5_free_principal(context, in_cred.client);
819 krb5_free_principal(context, in_cred.server);
820 if (ret) {
821 krb5_warn(context, ret, "krb5_get_credentials");
822 return 0;
823 }
824 curtime = time(NULL);
825 timeout = cred->times.endtime - curtime;
826 if (timeout < 0)
827 timeout = 0;
828 if (renew) {
829 *renew = cred->times.renew_till - curtime;
830 if (*renew < 0)
831 *renew = 0;
832 }
833 krb5_free_creds(context, cred);
834 return timeout;
835 }
836
837 static time_t expire;
838
839 static char siginfo_msg[1024] = "No credentials\n";
840
841 static void
842 update_siginfo_msg(time_t exp, const char *srv)
843 {
844 /* Note that exp is relative time */
845 memset(siginfo_msg, 0, sizeof(siginfo_msg));
846 memcpy(&siginfo_msg, "Updating...\n", sizeof("Updating...\n"));
847 if (exp) {
848 if (srv == NULL) {
849 snprintf(siginfo_msg, sizeof(siginfo_msg),
850 N_("kinit: TGT expires in %llu seconds\n", ""),
851 (unsigned long long)expire);
852 } else {
853 snprintf(siginfo_msg, sizeof(siginfo_msg),
854 N_("kinit: Ticket for %s expired\n", ""), srv);
855 }
856 return;
857 }
858
859 /* Expired creds */
860 if (srv == NULL) {
861 snprintf(siginfo_msg, sizeof(siginfo_msg),
862 N_("kinit: TGT expired\n", ""));
863 } else {
864 snprintf(siginfo_msg, sizeof(siginfo_msg),
865 N_("kinit: Ticket for %s expired\n", ""), srv);
866 }
867 }
868
869 #ifdef HAVE_SIGACTION
870 static void
871 handle_siginfo(int sig)
872 {
873 struct iovec iov[2];
874
875 iov[0].iov_base = rk_UNCONST(siginfo_msg);
876 iov[0].iov_len = strlen(siginfo_msg);
877 iov[1].iov_base = "\n";
878 iov[1].iov_len = 1;
879
880 writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
881 }
882 #endif
883
884 struct renew_ctx {
885 krb5_context context;
886 krb5_ccache ccache;
887 krb5_principal principal;
888 krb5_deltat ticket_life;
889 krb5_deltat timeout;
890 };
891
892 static time_t
893 renew_func(void *ptr)
894 {
895 krb5_error_code ret;
896 struct renew_ctx *ctx = ptr;
897 time_t renew_expire;
898 static time_t exp_delay = 1;
899
900 /*
901 * NOTE: We count on the ccache implementation to notice changes to the
902 * actual ccache filesystem/whatever objects. There should be no ccache
903 * types for which this is not the case, but it might not hurt to
904 * re-krb5_cc_resolve() after each successful renew_validate()/
905 * get_new_tickets() call.
906 */
907
908 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
909 server_str, &renew_expire);
910
911 /*
912 * When a keytab is available to obtain new tickets, if we are within
913 * half of the original ticket lifetime of the renew limit, get a new
914 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
915 * is zero by default (without a '-l' option) and cannot be used to
916 * set the time scale on which we decide whether we're "close to the
917 * renew limit".
918 */
919 if (use_keytab || keytab_str)
920 expire += ctx->timeout;
921 if (renew_expire > expire) {
922 ret = renew_validate(ctx->context, 1, validate_flag, ctx->ccache,
923 server_str, ctx->ticket_life);
924 } else {
925 ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
926 ctx->ticket_life, 0);
927 }
928 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
929 server_str, &renew_expire);
930
931 #ifndef NO_AFS
932 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
933 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
934 #endif
935
936 update_siginfo_msg(expire, server_str);
937
938 /*
939 * If our tickets have expired and we been able to either renew them
940 * or obtain new tickets, then we still call this function but we use
941 * an exponential backoff. This should take care of the case where
942 * we are using stored credentials but the KDC has been unavailable
943 * for some reason...
944 */
945
946 if (expire < 1) {
947 /*
948 * We can't ask to keep spamming stderr but not syslog, so we warn
949 * only once.
950 */
951 if (exp_delay == 1) {
952 krb5_warnx(ctx->context, N_("NOTICE: Could not renew/refresh "
953 "tickets", ""));
954 }
955 if (exp_delay < 7200)
956 exp_delay += exp_delay / 2 + 1;
957 return exp_delay;
958 }
959 exp_delay = 1;
960
961 return expire / 2 + 1;
962 }
963
964 static void
965 set_princ_realm(krb5_context context,
966 krb5_principal principal,
967 const char *realm)
968 {
969 krb5_error_code ret;
970
971 if ((ret = krb5_principal_set_realm(context, principal, realm)) != 0)
972 krb5_err(context, 1, ret, "krb5_principal_set_realm");
973 }
974
975 static void
976 parse_name_realm(krb5_context context,
977 const char *name,
978 int flags,
979 const char *realm,
980 krb5_principal *princ)
981 {
982 krb5_error_code ret;
983
984 if (realm)
985 flags |= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
986 if ((ret = krb5_parse_name_flags(context, name, flags, princ)) != 0)
987 krb5_err(context, 1, ret, "krb5_parse_name_flags");
988 if (realm && krb5_principal_get_realm(context, *princ) == NULL)
989 set_princ_realm(context, *princ, realm);
990 }
991
992 static char *
993 get_default_realm(krb5_context context)
994 {
995 char *realm;
996 krb5_error_code ret;
997
998 if ((ret = krb5_get_default_realm(context, &realm)) != 0)
999 krb5_err(context, 1, ret, "krb5_get_default_realm");
1000 return realm;
1001 }
1002
1003 static void
1004 get_default_principal(krb5_context context, krb5_principal *princ)
1005 {
1006 krb5_error_code ret;
1007
1008 if ((ret = krb5_get_default_principal(context, princ)) != 0)
1009 krb5_err(context, 1, ret, "krb5_get_default_principal");
1010 }
1011
1012 static char *
1013 get_user_realm(krb5_context context)
1014 {
1015 krb5_error_code ret;
1016 char *user_realm = NULL;
1017
1018 /*
1019 * If memory allocation fails, we don't try to use the wrong realm,
1020 * that will trigger misleading error messages complicate support.
1021 */
1022 krb5_appdefault_string(context, "kinit", NULL, "user_realm", "",
1023 &user_realm);
1024 if (user_realm == NULL) {
1025 ret = krb5_enomem(context);
1026 krb5_err(context, 1, ret, "krb5_appdefault_string");
1027 }
1028
1029 if (*user_realm == 0) {
1030 free(user_realm);
1031 user_realm = NULL;
1032 }
1033
1034 return user_realm;
1035 }
1036
1037 static void
1038 get_princ(krb5_context context, krb5_principal *principal, const char *name)
1039 {
1040 krb5_error_code ret;
1041 krb5_principal tmp;
1042 int parseflags = 0;
1043 char *user_realm;
1044
1045 if (name == NULL) {
1046 krb5_ccache ccache;
1047
1048 /* If credential cache provides a client principal, use that. */
1049 if (krb5_cc_default(context, &ccache) == 0) {
1050 ret = krb5_cc_get_principal(context, ccache, principal);
1051 krb5_cc_close(context, ccache);
1052 if (ret == 0)
1053 return;
1054 }
1055 }
1056
1057 user_realm = get_user_realm(context);
1058
1059 if (name) {
1060 if (canonicalize_flag || enterprise_flag)
1061 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1062
1063 parse_name_realm(context, name, parseflags, user_realm, &tmp);
1064
1065 if (user_realm && krb5_principal_get_num_comp(context, tmp) > 1) {
1066 /* Principal is instance qualified, reparse with default realm. */
1067 krb5_free_principal(context, tmp);
1068 parse_name_realm(context, name, parseflags, NULL, principal);
1069 } else {
1070 *principal = tmp;
1071 }
1072 } else {
1073 get_default_principal(context, principal);
1074 if (user_realm)
1075 set_princ_realm(context, *principal, user_realm);
1076 }
1077
1078 if (user_realm)
1079 free(user_realm);
1080 }
1081
1082 static void
1083 get_princ_kt(krb5_context context,
1084 krb5_principal *principal,
1085 char *name)
1086 {
1087 krb5_error_code ret;
1088 krb5_principal tmp;
1089 krb5_ccache ccache;
1090 krb5_kt_cursor cursor;
1091 krb5_keytab_entry entry;
1092 char *def_realm;
1093
1094 if (name == NULL) {
1095 /*
1096 * If the credential cache exists and specifies a client principal,
1097 * use that.
1098 */
1099 if (krb5_cc_default(context, &ccache) == 0) {
1100 ret = krb5_cc_get_principal(context, ccache, principal);
1101 krb5_cc_close(context, ccache);
1102 if (ret == 0)
1103 return;
1104 }
1105 }
1106
1107 if (name) {
1108 /* If the principal specifies an explicit realm, just use that. */
1109 int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1110
1111 parse_name_realm(context, name, parseflags, NULL, &tmp);
1112 if (krb5_principal_get_realm(context, tmp) != NULL) {
1113 *principal = tmp;
1114 return;
1115 }
1116 } else {
1117 /* Otherwise, search keytab for bare name of the default principal. */
1118 get_default_principal(context, &tmp);
1119 set_princ_realm(context, tmp, NULL);
1120 }
1121
1122 def_realm = get_default_realm(context);
1123
1124 ret = krb5_kt_start_seq_get(context, kt, &cursor);
1125 if (ret)
1126 krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
1127
1128 while (ret == 0 &&
1129 krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
1130 const char *realm;
1131
1132 if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
1133 continue;
1134 if (*principal &&
1135 krb5_principal_compare(context, *principal, entry.principal))
1136 continue;
1137 /* The default realm takes precedence */
1138 realm = krb5_principal_get_realm(context, entry.principal);
1139 if (*principal && strcmp(def_realm, realm) == 0) {
1140 krb5_free_principal(context, *principal);
1141 ret = krb5_copy_principal(context, entry.principal, principal);
1142 break;
1143 }
1144 if (!*principal)
1145 ret = krb5_copy_principal(context, entry.principal, principal);
1146 }
1147 if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
1148 krb5_err(context, 1, ret, "get_princ_kt");
1149 if (!*principal) {
1150 if (name)
1151 parse_name_realm(context, name, 0, NULL, principal);
1152 else
1153 krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
1154 }
1155
1156 krb5_free_principal(context, tmp);
1157 free(def_realm);
1158 }
1159
1160 static krb5_error_code
1161 get_switched_ccache(krb5_context context,
1162 const char * type,
1163 krb5_principal principal,
1164 krb5_ccache *ccache)
1165 {
1166 krb5_error_code ret;
1167
1168 #ifdef _WIN32
1169 if (strcmp(type, "API") == 0) {
1170 /*
1171 * Windows stores the default ccache name in the
1172 * registry which is shared across multiple logon
1173 * sessions for the same user. The API credential
1174 * cache provides a unique name space per logon
1175 * session. Therefore there is no need to generate
1176 * a unique ccache name. Instead use the principal
1177 * name. This provides a friendlier user experience.
1178 */
1179 char * unparsed_name;
1180 char * cred_cache;
1181
1182 ret = krb5_unparse_name(context, principal,
1183 &unparsed_name);
1184 if (ret)
1185 krb5_err(context, 1, ret,
1186 N_("unparsing principal name", ""));
1187
1188 ret = asprintf(&cred_cache, "API:%s", unparsed_name);
1189 krb5_free_unparsed_name(context, unparsed_name);
1190 if (ret == -1 || cred_cache == NULL)
1191 krb5_err(context, 1, ret,
1192 N_("building credential cache name", ""));
1193
1194 ret = krb5_cc_resolve(context, cred_cache, ccache);
1195 free(cred_cache);
1196 } else if (strcmp(type, "MSLSA") == 0) {
1197 /*
1198 * The Windows MSLSA cache when it is writeable
1199 * stores tickets for multiple client principals
1200 * in a single credential cache.
1201 */
1202 ret = krb5_cc_resolve(context, "MSLSA:", ccache);
1203 } else {
1204 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1205 }
1206 #else /* !_WIN32 */
1207 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1208 #endif /* _WIN32 */
1209
1210 return ret;
1211 }
1212
1213 int
1214 main(int argc, char **argv)
1215 {
1216 krb5_error_code ret;
1217 krb5_context context;
1218 krb5_ccache ccache;
1219 krb5_principal principal = NULL;
1220 int optidx = 0;
1221 krb5_deltat ticket_life = 0;
1222 #ifdef HAVE_SIGACTION
1223 struct sigaction sa;
1224 #endif
1225
1226 setprogname(argv[0]);
1227
1228 setlocale(LC_ALL, "");
1229 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
1230 textdomain("heimdal_kuser");
1231
1232 ret = krb5_init_context(&context);
1233 if (ret == KRB5_CONFIG_BADFORMAT)
1234 errx(1, "krb5_init_context failed to parse configuration file");
1235 else if (ret)
1236 errx(1, "krb5_init_context failed: %d", ret);
1237
1238 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
1239 usage(1);
1240
1241 if (help_flag)
1242 usage(0);
1243
1244 if (version_flag) {
1245 print_version(NULL);
1246 exit(0);
1247 }
1248
1249 argc -= optidx;
1250 argv += optidx;
1251
1252 /*
1253 * Open the keytab now, we use the keytab to determine the principal's
1254 * realm when the requested principal has no realm.
1255 */
1256 if (use_keytab || keytab_str) {
1257 if (keytab_str)
1258 ret = krb5_kt_resolve(context, keytab_str, &kt);
1259 else
1260 ret = krb5_kt_default(context, &kt);
1261 if (ret)
1262 krb5_err(context, 1, ret, "resolving keytab");
1263 }
1264
1265 if (pk_enterprise_flag) {
1266 ret = krb5_pk_enterprise_cert(context, pk_user_id,
1267 argv[0], &principal,
1268 &ent_user_id);
1269 if (ret)
1270 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
1271
1272 pk_user_id = NULL;
1273
1274 } else if (anonymous_flag) {
1275
1276 ret = krb5_make_principal(context, &principal, argv[0],
1277 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
1278 NULL);
1279 if (ret)
1280 krb5_err(context, 1, ret, "krb5_make_principal");
1281 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1282
1283 } else if (use_keytab || keytab_str) {
1284 get_princ_kt(context, &principal, argv[0]);
1285 } else {
1286 get_princ(context, &principal, argv[0]);
1287 }
1288
1289 if (fcache_version)
1290 krb5_set_fcache_version(context, fcache_version);
1291
1292 if (renewable_flag == -1)
1293 /* this seems somewhat pointless, but whatever */
1294 krb5_appdefault_boolean(context, "kinit",
1295 krb5_principal_get_realm(context, principal),
1296 "renewable", FALSE, &renewable_flag);
1297 if (do_afslog == -1)
1298 krb5_appdefault_boolean(context, "kinit",
1299 krb5_principal_get_realm(context, principal),
1300 "afslog", TRUE, &do_afslog);
1301
1302 if (cred_cache)
1303 ret = krb5_cc_resolve(context, cred_cache, &ccache);
1304 else {
1305 if (argc > 1) {
1306 char s[1024];
1307 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
1308 if (ret)
1309 krb5_err(context, 1, ret, "creating cred cache");
1310 snprintf(s, sizeof(s), "%s:%s",
1311 krb5_cc_get_type(context, ccache),
1312 krb5_cc_get_name(context, ccache));
1313 setenv("KRB5CCNAME", s, 1);
1314 } else {
1315 ret = krb5_cc_cache_match(context, principal, &ccache);
1316 if (ret) {
1317 const char *type;
1318 ret = krb5_cc_default(context, &ccache);
1319 if (ret)
1320 krb5_err(context, 1, ret,
1321 N_("resolving credentials cache", ""));
1322
1323 /*
1324 * Check if the type support switching, and we do,
1325 * then do that instead over overwriting the current
1326 * default credential
1327 */
1328 type = krb5_cc_get_type(context, ccache);
1329 if (krb5_cc_support_switch(context, type)) {
1330 krb5_cc_close(context, ccache);
1331 ret = get_switched_ccache(context, type, principal,
1332 &ccache);
1333 }
1334 }
1335 }
1336 }
1337 if (ret)
1338 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
1339
1340 #ifndef NO_AFS
1341 if (argc > 1 && k_hasafs())
1342 k_setpag();
1343 #endif
1344
1345 if (lifetime) {
1346 int tmp = parse_time(lifetime, "s");
1347 if (tmp < 0)
1348 errx(1, N_("unparsable time: %s", ""), lifetime);
1349
1350 ticket_life = tmp;
1351 }
1352
1353 if (addrs_flag == 0 && extra_addresses.num_strings > 0)
1354 krb5_errx(context, 1,
1355 N_("specifying both extra addresses and "
1356 "no addresses makes no sense", ""));
1357 {
1358 int i;
1359 krb5_addresses addresses;
1360 memset(&addresses, 0, sizeof(addresses));
1361 for(i = 0; i < extra_addresses.num_strings; i++) {
1362 ret = krb5_parse_address(context, extra_addresses.strings[i],
1363 &addresses);
1364 if (ret == 0) {
1365 krb5_add_extra_addresses(context, &addresses);
1366 krb5_free_addresses(context, &addresses);
1367 }
1368 }
1369 free_getarg_strings(&extra_addresses);
1370 }
1371
1372 if (renew_flag || validate_flag) {
1373 ret = renew_validate(context, renew_flag, validate_flag,
1374 ccache, server_str, ticket_life);
1375
1376 #ifndef NO_AFS
1377 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1378 krb5_afslog(context, ccache, NULL, NULL);
1379 #endif
1380
1381 exit(ret != 0);
1382 }
1383
1384 ret = get_new_tickets(context, principal, ccache, ticket_life, 1);
1385 if (ret)
1386 exit(1);
1387
1388 #ifndef NO_AFS
1389 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1390 krb5_afslog(context, ccache, NULL, NULL);
1391 #endif
1392
1393 if (argc > 1) {
1394 struct renew_ctx ctx;
1395 time_t timeout;
1396
1397 timeout = ticket_lifetime(context, ccache, principal,
1398 server_str, NULL) / 2;
1399
1400 ctx.context = context;
1401 ctx.ccache = ccache;
1402 ctx.principal = principal;
1403 ctx.ticket_life = ticket_life;
1404 ctx.timeout = timeout;
1405
1406 #ifdef HAVE_SIGACTION
1407 memset(&sa, 0, sizeof(sa));
1408 sigemptyset(&sa.sa_mask);
1409 sa.sa_handler = handle_siginfo;
1410
1411 sigaction(SIGINFO, &sa, NULL);
1412 #endif
1413
1414 ret = simple_execvp_timed(argv[1], argv+1,
1415 renew_func, &ctx, timeout);
1416 #define EX_NOEXEC 126
1417 #define EX_NOTFOUND 127
1418 if (ret == EX_NOEXEC)
1419 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
1420 else if (ret == EX_NOTFOUND)
1421 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
1422
1423 krb5_cc_destroy(context, ccache);
1424 #ifndef NO_AFS
1425 if (k_hasafs())
1426 k_unlog();
1427 #endif
1428 } else {
1429 krb5_cc_close(context, ccache);
1430 ret = 0;
1431 }
1432 krb5_free_principal(context, principal);
1433 if (kt)
1434 krb5_kt_close(context, kt);
1435 krb5_free_context(context);
1436 return ret;
1437 }
Heimdal