2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
38 #include "parse_units.h"
41 printable_time(time_t t
)
44 strlcpy(s
, ctime(&t
)+ 4, sizeof(s
));
50 printable_time_long(time_t t
)
53 strlcpy(s
, ctime(&t
)+ 4, sizeof(s
));
58 #define COL_ISSUED NP_(" Issued","")
59 #define COL_EXPIRES NP_(" Expires", "")
60 #define COL_FLAGS NP_("Flags", "")
61 #define COL_NAME NP_(" Name", "")
62 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
63 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
64 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
65 #define COL_DEFCACHE NP_("", "")
68 print_cred(krb5_context context
, krb5_creds
*cred
, rtbl_t ct
, int do_flags
)
74 krb5_timeofday (context
, &sec
);
77 if(cred
->times
.starttime
)
78 rtbl_add_column_entry(ct
, COL_ISSUED
,
79 printable_time(cred
->times
.starttime
));
81 rtbl_add_column_entry(ct
, COL_ISSUED
,
82 printable_time(cred
->times
.authtime
));
84 if(cred
->times
.endtime
> sec
)
85 rtbl_add_column_entry(ct
, COL_EXPIRES
,
86 printable_time(cred
->times
.endtime
));
88 rtbl_add_column_entry(ct
, COL_EXPIRES
, N_(">>>Expired<<<", ""));
89 ret
= krb5_unparse_name (context
, cred
->server
, &str
);
91 krb5_err(context
, 1, ret
, "krb5_unparse_name");
92 rtbl_add_column_entry(ct
, COL_PRINCIPAL
, str
);
95 if(cred
->flags
.b
.forwardable
)
97 if(cred
->flags
.b
.forwarded
)
99 if(cred
->flags
.b
.proxiable
)
101 if(cred
->flags
.b
.proxy
)
103 if(cred
->flags
.b
.may_postdate
)
105 if(cred
->flags
.b
.postdated
)
107 if(cred
->flags
.b
.renewable
)
109 if(cred
->flags
.b
.initial
)
111 if(cred
->flags
.b
.invalid
)
113 if(cred
->flags
.b
.pre_authent
)
115 if(cred
->flags
.b
.hw_authent
)
118 rtbl_add_column_entry(ct
, COL_FLAGS
, s
);
124 print_cred_verbose(krb5_context context
, krb5_creds
*cred
)
131 krb5_timeofday (context
, &sec
);
133 ret
= krb5_unparse_name(context
, cred
->server
, &str
);
136 printf(N_("Server: %s\n", ""), str
);
139 ret
= krb5_unparse_name(context
, cred
->client
, &str
);
142 printf(N_("Client: %s\n", ""), str
);
150 decode_Ticket(cred
->ticket
.data
, cred
->ticket
.length
, &t
, &len
);
151 ret
= krb5_enctype_to_string(context
, t
.enc_part
.etype
, &s
);
152 printf(N_("Ticket etype: ", ""));
157 printf(N_("unknown-enctype(%d)", ""), t
.enc_part
.etype
);
160 printf(N_(", kvno %d", ""), *t
.enc_part
.kvno
);
162 if(cred
->session
.keytype
!= t
.enc_part
.etype
) {
163 ret
= krb5_enctype_to_string(context
, cred
->session
.keytype
, &str
);
165 krb5_warn(context
, ret
, "session keytype");
167 printf(N_("Session key: %s\n", "enctype"), str
);
172 printf(N_("Ticket length: %lu\n", ""),
173 (unsigned long)cred
->ticket
.length
);
175 printf(N_("Auth time: %s\n", ""),
176 printable_time_long(cred
->times
.authtime
));
177 if(cred
->times
.authtime
!= cred
->times
.starttime
)
178 printf(N_("Start time: %s\n", ""),
179 printable_time_long(cred
->times
.starttime
));
180 printf(N_("End time: %s", ""),
181 printable_time_long(cred
->times
.endtime
));
182 if(sec
> cred
->times
.endtime
)
183 printf(N_(" (expired)", ""));
185 if(cred
->flags
.b
.renewable
)
186 printf(N_("Renew till: %s\n", ""),
187 printable_time_long(cred
->times
.renew_till
));
190 unparse_flags(TicketFlags2int(cred
->flags
.b
),
191 asn1_TicketFlags_units(),
192 flags
, sizeof(flags
));
193 printf(N_("Ticket flags: %s\n", ""), flags
);
195 printf(N_("Addresses: ", ""));
196 if (cred
->addresses
.len
!= 0) {
197 for(j
= 0; j
< cred
->addresses
.len
; j
++){
201 ret
= krb5_print_address(&cred
->addresses
.val
[j
],
202 buf
, sizeof(buf
), &len
);
208 printf(N_("addressless", ""));
214 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
218 print_tickets (krb5_context context
,
220 krb5_principal principal
,
227 krb5_cc_cursor cursor
;
233 ret
= krb5_unparse_name (context
, principal
, &str
);
235 krb5_err (context
, 1, ret
, "krb5_unparse_name");
237 printf ("%17s: %s:%s\n",
238 N_("Credentials cache", ""),
239 krb5_cc_get_type(context
, ccache
),
240 krb5_cc_get_name(context
, ccache
));
241 printf ("%17s: %s\n", N_("Principal", ""), str
);
243 ret
= krb5_cc_get_friendly_name(context
, ccache
, &name
);
245 if (strcmp(name
, str
) != 0)
246 printf ("%17s: %s\n", N_("Friendly name", ""), name
);
252 printf ("%17s: %d\n", N_("Cache version", ""),
253 krb5_cc_get_version(context
, ccache
));
255 krb5_cc_set_flags(context
, ccache
, KRB5_TC_NOTICKET
);
258 ret
= krb5_cc_get_kdc_offset(context
, ccache
, &sec
);
260 if (ret
== 0 && do_verbose
&& sec
!= 0) {
272 unparse_time (val
, buf
, sizeof(buf
));
274 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
275 sig
== -1 ? "-" : "", buf
);
280 ret
= krb5_cc_start_seq_get (context
, ccache
, &cursor
);
282 krb5_err(context
, 1, ret
, "krb5_cc_start_seq_get");
286 rtbl_add_column(ct
, COL_ISSUED
, 0);
287 rtbl_add_column(ct
, COL_EXPIRES
, 0);
289 rtbl_add_column(ct
, COL_FLAGS
, 0);
290 rtbl_add_column(ct
, COL_PRINCIPAL
, 0);
291 rtbl_set_separator(ct
, " ");
293 while ((ret
= krb5_cc_next_cred (context
,
297 if (!do_hidden
&& krb5_is_config_principal(context
, creds
.server
)) {
299 }else if(do_verbose
){
300 print_cred_verbose(context
, &creds
);
302 print_cred(context
, &creds
, ct
, do_flags
);
304 krb5_free_cred_contents (context
, &creds
);
306 if(ret
!= KRB5_CC_END
)
307 krb5_err(context
, 1, ret
, "krb5_cc_get_next");
308 ret
= krb5_cc_end_seq_get (context
, ccache
, &cursor
);
310 krb5_err (context
, 1, ret
, "krb5_cc_end_seq_get");
312 rtbl_format(ct
, stdout
);
318 * Check if there's a tgt for the realm of `principal' and ccache and
319 * if so return 0, else 1
323 check_for_tgt (krb5_context context
,
325 krb5_principal principal
,
331 krb5_const_realm client_realm
;
334 krb5_cc_clear_mcred(&pattern
);
336 client_realm
= krb5_principal_get_realm(context
, principal
);
338 ret
= krb5_make_principal (context
, &pattern
.server
,
339 client_realm
, KRB5_TGS_NAME
, client_realm
, NULL
);
341 krb5_err (context
, 1, ret
, "krb5_make_principal");
342 pattern
.client
= principal
;
344 ret
= krb5_cc_retrieve_cred (context
, ccache
, 0, &pattern
, &creds
);
345 krb5_free_principal (context
, pattern
.server
);
347 if (ret
== KRB5_CC_END
)
349 krb5_err (context
, 1, ret
, "krb5_cc_retrieve_cred");
352 expired
= time(NULL
) > creds
.times
.endtime
;
355 *expiration
= creds
.times
.endtime
;
357 krb5_free_cred_contents (context
, &creds
);
363 * Print a list of all AFS tokens
369 display_tokens(int do_verbose
)
372 unsigned char t
[4096];
373 struct ViceIoctl parms
;
375 parms
.in
= (void *)&i
;
376 parms
.in_size
= sizeof(i
);
377 parms
.out
= (void *)t
;
378 parms
.out_size
= sizeof(t
);
381 int32_t size_secret_tok
, size_public_tok
;
383 struct ClearToken ct
;
384 unsigned char *r
= t
;
386 char buf1
[20], buf2
[20];
388 if(k_pioctl(NULL
, VIOCGETTOK
, &parms
, 0) < 0) {
393 if(parms
.out_size
> sizeof(t
))
395 if(parms
.out_size
< sizeof(size_secret_tok
))
397 t
[min(parms
.out_size
,sizeof(t
)-1)] = 0;
398 memcpy(&size_secret_tok
, r
, sizeof(size_secret_tok
));
399 /* dont bother about the secret token */
400 r
+= size_secret_tok
+ sizeof(size_secret_tok
);
401 if (parms
.out_size
< (r
- t
) + sizeof(size_public_tok
))
403 memcpy(&size_public_tok
, r
, sizeof(size_public_tok
));
404 r
+= sizeof(size_public_tok
);
405 if (parms
.out_size
< (r
- t
) + size_public_tok
+ sizeof(int32_t))
407 memcpy(&ct
, r
, size_public_tok
);
408 r
+= size_public_tok
;
409 /* there is a int32_t with length of cellname, but we dont read it */
410 r
+= sizeof(int32_t);
413 gettimeofday (&tv
, NULL
);
414 strlcpy (buf1
, printable_time(ct
.BeginTimestamp
),
416 if (do_verbose
|| tv
.tv_sec
< ct
.EndTimestamp
)
417 strlcpy (buf2
, printable_time(ct
.EndTimestamp
),
420 strlcpy (buf2
, N_(">>> Expired <<<", ""), sizeof(buf2
));
422 printf("%s %s ", buf1
, buf2
);
424 if ((ct
.EndTimestamp
- ct
.BeginTimestamp
) & 1)
425 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct
.ViceId
, cell
);
427 printf(N_("Tokens for %s", ""), cell
);
429 printf(" (%d)", ct
.AuthHandle
);
436 * display the ccache in `cred_cache'
440 display_v5_ccache (krb5_context context
, krb5_ccache ccache
,
441 int do_test
, int do_verbose
,
442 int do_flags
, int do_hidden
)
445 krb5_principal principal
;
449 ret
= krb5_cc_get_principal (context
, ccache
, &principal
);
453 krb5_warnx(context
, N_("No ticket file: %s", ""),
454 krb5_cc_get_name(context
, ccache
));
457 krb5_err (context
, 1, ret
, "krb5_cc_get_principal");
460 exit_status
= check_for_tgt (context
, ccache
, principal
, NULL
);
462 print_tickets (context
, ccache
, principal
, do_verbose
,
463 do_flags
, do_hidden
);
465 ret
= krb5_cc_close (context
, ccache
);
467 krb5_err (context
, 1, ret
, "krb5_cc_close");
469 krb5_free_principal (context
, principal
);
479 list_caches(krb5_context context
)
481 krb5_cc_cache_cursor cursor
;
482 const char *cdef_name
;
488 cdef_name
= krb5_cc_default_name(context
);
489 if (cdef_name
== NULL
)
490 krb5_errx(context
, 1, "krb5_cc_default_name");
491 def_name
= strdup(cdef_name
);
493 ret
= krb5_cc_cache_get_first (context
, NULL
, &cursor
);
494 if (ret
== KRB5_CC_NOSUPP
)
497 krb5_err (context
, 1, ret
, "krb5_cc_cache_get_first");
500 rtbl_add_column(ct
, COL_NAME
, 0);
501 rtbl_add_column(ct
, COL_CACHENAME
, 0);
502 rtbl_add_column(ct
, COL_EXPIRES
, 0);
503 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
504 rtbl_set_prefix(ct
, " ");
505 rtbl_set_column_prefix(ct
, COL_NAME
, "");
507 while (krb5_cc_cache_next (context
, cursor
, &id
) == 0) {
508 krb5_principal principal
= NULL
;
513 ret
= krb5_cc_get_principal(context
, id
, &principal
);
517 expired
= check_for_tgt (context
, id
, principal
, &t
);
519 ret
= krb5_cc_get_friendly_name(context
, id
, &name
);
523 rtbl_add_column_entry(ct
, COL_NAME
, name
);
524 rtbl_add_column_entry(ct
, COL_CACHENAME
,
525 krb5_cc_get_name(context
, id
));
527 str
= N_(">>> Expired <<<", "");
529 str
= printable_time(t
);
530 rtbl_add_column_entry(ct
, COL_EXPIRES
, str
);
533 ret
= krb5_cc_get_full_name(context
, id
, &fname
);
535 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
537 if (strcmp(fname
, def_name
) == 0)
538 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "*");
540 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "");
544 krb5_cc_close(context
, id
);
546 krb5_free_principal(context
, principal
);
549 krb5_cc_cache_end_seq_get(context
, cursor
);
552 rtbl_format(ct
, stdout
);
562 static int version_flag
= 0;
563 static int help_flag
= 0;
564 static int do_verbose
= 0;
565 static int do_list_caches
= 0;
566 static int do_all_content
= 0;
567 static int do_test
= 0;
569 static int do_tokens
= 0;
571 static int do_v5
= 1;
572 static char *cred_cache
;
573 static int do_flags
= 0;
574 static int do_hidden
= 0;
576 static struct getargs args
[] = {
577 { NULL
, 'f', arg_flag
, &do_flags
},
578 { "cache", 'c', arg_string
, &cred_cache
,
579 NP_("credentials cache to list", ""), "cache" },
580 { "test", 't', arg_flag
, &do_test
,
581 NP_("test for having tickets", ""), NULL
},
582 { NULL
, 's', arg_flag
, &do_test
},
584 { "tokens", 'T', arg_flag
, &do_tokens
,
585 NP_("display AFS tokens", ""), NULL
},
587 { "v5", '5', arg_flag
, &do_v5
,
588 NP_("display v5 cred cache", ""), NULL
},
589 { "all-content", 'A', arg_flag
, &do_all_content
,
590 NP_("all caches with their content", ""), NULL
},
591 { "list-caches", 'l', arg_flag
, &do_list_caches
,
592 NP_("list all caches", ""), NULL
},
593 { "verbose", 'v', arg_flag
, &do_verbose
,
594 NP_("verbose output", ""), NULL
},
595 { "hidden", 0, arg_flag
, &do_hidden
,
596 NP_("display hidden credentials", ""), NULL
},
597 { NULL
, 'a', arg_flag
, &do_verbose
},
598 { NULL
, 'n', arg_flag
, &do_verbose
},
599 { "version", 0, arg_flag
, &version_flag
,
600 NP_("print version", ""), NULL
},
601 { "help", 0, arg_flag
, &help_flag
,
608 arg_printusage_i18n (args
,
609 sizeof(args
)/sizeof(*args
),
618 main (int argc
, char **argv
)
620 krb5_context context
;
625 setprogname (argv
[0]);
627 setlocale (LC_ALL
, "");
628 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR
);
629 textdomain("heimdal_kuser");
631 if(getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
647 ret
= krb5_init_context (&context
);
649 errx (1, "krb5_init_context failed: %d", ret
);
652 if (do_list_caches
) {
653 exit_status
= list_caches(context
);
660 if (do_all_content
) {
661 krb5_cc_cache_cursor cursor
;
663 ret
= krb5_cc_cache_get_first (context
, NULL
, &cursor
);
665 krb5_err (context
, 1, ret
, "krb5_cc_cache_get_first");
668 while (krb5_cc_cache_next (context
, cursor
, &id
) == 0) {
669 exit_status
|= display_v5_ccache(context
, id
, do_test
,
670 do_verbose
, do_flags
,
674 krb5_cc_cache_end_seq_get(context
, cursor
);
678 ret
= krb5_cc_resolve(context
, cred_cache
, &id
);
680 krb5_err (context
, 1, ret
, "%s", cred_cache
);
682 ret
= krb5_cc_default (context
, &id
);
684 krb5_err (context
, 1, ret
, "krb5_cc_resolve");
686 exit_status
= display_v5_ccache(context
, id
, do_test
,
687 do_verbose
, do_flags
,
694 if (do_tokens
&& k_hasafs ()) {
697 display_tokens (do_verbose
);
702 krb5_free_context(context
);