search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Now pac from christian passes since we make hmac checksums always use the raw key
[heimdal.git] / kuser / klist.c
blob3e76c4a5a122e6850d9274919bf6ac1f47ec7f9d
1 /*
2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37 #include "rtbl.h"
38 #include "parse_units.h"
39
40 static char*
41 printable_time(time_t t)
42 {
43 static char s[128];
44 strlcpy(s, ctime(&t)+ 4, sizeof(s));
45 s[15] = 0;
46 return s;
47 }
48
49 static char*
50 printable_time_long(time_t t)
51 {
52 static char s[128];
53 strlcpy(s, ctime(&t)+ 4, sizeof(s));
54 s[20] = 0;
55 return s;
56 }
57
58 #define COL_ISSUED NP_(" Issued","")
59 #define COL_EXPIRES NP_(" Expires", "")
60 #define COL_FLAGS NP_("Flags", "")
61 #define COL_NAME NP_(" Name", "")
62 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
63 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
64 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
65 #define COL_DEFCACHE NP_("", "")
66
67 static void
68 print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
69 {
70 char *str;
71 krb5_error_code ret;
72 krb5_timestamp sec;
73
74 krb5_timeofday (context, &sec);
75
76
77 if(cred->times.starttime)
78 rtbl_add_column_entry(ct, COL_ISSUED,
79 printable_time(cred->times.starttime));
80 else
81 rtbl_add_column_entry(ct, COL_ISSUED,
82 printable_time(cred->times.authtime));
83
84 if(cred->times.endtime > sec)
85 rtbl_add_column_entry(ct, COL_EXPIRES,
86 printable_time(cred->times.endtime));
87 else
88 rtbl_add_column_entry(ct, COL_EXPIRES, N_(">>>Expired<<<", ""));
89 ret = krb5_unparse_name (context, cred->server, &str);
90 if (ret)
91 krb5_err(context, 1, ret, "krb5_unparse_name");
92 rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
93 if(do_flags) {
94 char s[16], *sp = s;
95 if(cred->flags.b.forwardable)
96 *sp++ = 'F';
97 if(cred->flags.b.forwarded)
98 *sp++ = 'f';
99 if(cred->flags.b.proxiable)
100 *sp++ = 'P';
101 if(cred->flags.b.proxy)
102 *sp++ = 'p';
103 if(cred->flags.b.may_postdate)
104 *sp++ = 'D';
105 if(cred->flags.b.postdated)
106 *sp++ = 'd';
107 if(cred->flags.b.renewable)
108 *sp++ = 'R';
109 if(cred->flags.b.initial)
110 *sp++ = 'I';
111 if(cred->flags.b.invalid)
112 *sp++ = 'i';
113 if(cred->flags.b.pre_authent)
114 *sp++ = 'A';
115 if(cred->flags.b.hw_authent)
116 *sp++ = 'H';
117 *sp = '\0';
118 rtbl_add_column_entry(ct, COL_FLAGS, s);
119 }
120 free(str);
121 }
122
123 static void
124 print_cred_verbose(krb5_context context, krb5_creds *cred)
125 {
126 int j;
127 char *str;
128 krb5_error_code ret;
129 krb5_timestamp sec;
130
131 krb5_timeofday (context, &sec);
132
133 ret = krb5_unparse_name(context, cred->server, &str);
134 if(ret)
135 exit(1);
136 printf(N_("Server: %s\n", ""), str);
137 free (str);
138
139 ret = krb5_unparse_name(context, cred->client, &str);
140 if(ret)
141 exit(1);
142 printf(N_("Client: %s\n", ""), str);
143 free (str);
144
145 {
146 Ticket t;
147 size_t len;
148 char *s;
149
150 decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
151 ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
152 printf(N_("Ticket etype: ", ""));
153 if (ret == 0) {
154 printf("%s", s);
155 free(s);
156 } else {
157 printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
158 }
159 if(t.enc_part.kvno)
160 printf(N_(", kvno %d", ""), *t.enc_part.kvno);
161 printf("\n");
162 if(cred->session.keytype != t.enc_part.etype) {
163 ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
164 if(ret)
165 krb5_warn(context, ret, "session keytype");
166 else {
167 printf(N_("Session key: %s\n", "enctype"), str);
168 free(str);
169 }
170 }
171 free_Ticket(&t);
172 printf(N_("Ticket length: %lu\n", ""),
173 (unsigned long)cred->ticket.length);
174 }
175 printf(N_("Auth time: %s\n", ""),
176 printable_time_long(cred->times.authtime));
177 if(cred->times.authtime != cred->times.starttime)
178 printf(N_("Start time: %s\n", ""),
179 printable_time_long(cred->times.starttime));
180 printf(N_("End time: %s", ""),
181 printable_time_long(cred->times.endtime));
182 if(sec > cred->times.endtime)
183 printf(N_(" (expired)", ""));
184 printf("\n");
185 if(cred->flags.b.renewable)
186 printf(N_("Renew till: %s\n", ""),
187 printable_time_long(cred->times.renew_till));
188 {
189 char flags[1024];
190 unparse_flags(TicketFlags2int(cred->flags.b),
191 asn1_TicketFlags_units(),
192 flags, sizeof(flags));
193 printf(N_("Ticket flags: %s\n", ""), flags);
194 }
195 printf(N_("Addresses: ", ""));
196 if (cred->addresses.len != 0) {
197 for(j = 0; j < cred->addresses.len; j++){
198 char buf[128];
199 size_t len;
200 if(j) printf(", ");
201 ret = krb5_print_address(&cred->addresses.val[j],
202 buf, sizeof(buf), &len);
203
204 if(ret == 0)
205 printf("%s", buf);
206 }
207 } else {
208 printf(N_("addressless", ""));
209 }
210 printf("\n\n");
211 }
212
213 /*
214 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
215 */
216
217 static void
218 print_tickets (krb5_context context,
219 krb5_ccache ccache,
220 krb5_principal principal,
221 int do_verbose,
222 int do_flags,
223 int do_hidden)
224 {
225 krb5_error_code ret;
226 char *str, *name;
227 krb5_cc_cursor cursor;
228 krb5_creds creds;
229 krb5_deltat sec;
230
231 rtbl_t ct = NULL;
232
233 ret = krb5_unparse_name (context, principal, &str);
234 if (ret)
235 krb5_err (context, 1, ret, "krb5_unparse_name");
236
237 printf ("%17s: %s:%s\n",
238 N_("Credentials cache", ""),
239 krb5_cc_get_type(context, ccache),
240 krb5_cc_get_name(context, ccache));
241 printf ("%17s: %s\n", N_("Principal", ""), str);
242
243 ret = krb5_cc_get_friendly_name(context, ccache, &name);
244 if (ret == 0) {
245 if (strcmp(name, str) != 0)
246 printf ("%17s: %s\n", N_("Friendly name", ""), name);
247 free(name);
248 }
249 free (str);
250
251 if(do_verbose) {
252 printf ("%17s: %d\n", N_("Cache version", ""),
253 krb5_cc_get_version(context, ccache));
254 } else {
255 krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
256 }
257
258 ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
259
260 if (ret == 0 && do_verbose && sec != 0) {
261 char buf[BUFSIZ];
262 int val;
263 int sig;
264
265 val = sec;
266 sig = 1;
267 if (val < 0) {
268 sig = -1;
269 val = -val;
270 }
271
272 unparse_time (val, buf, sizeof(buf));
273
274 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
275 sig == -1 ? "-" : "", buf);
276 }
277
278 printf("\n");
279
280 ret = krb5_cc_start_seq_get (context, ccache, &cursor);
281 if (ret)
282 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
283
284 if(!do_verbose) {
285 ct = rtbl_create();
286 rtbl_add_column(ct, COL_ISSUED, 0);
287 rtbl_add_column(ct, COL_EXPIRES, 0);
288 if(do_flags)
289 rtbl_add_column(ct, COL_FLAGS, 0);
290 rtbl_add_column(ct, COL_PRINCIPAL, 0);
291 rtbl_set_separator(ct, " ");
292 }
293 while ((ret = krb5_cc_next_cred (context,
294 ccache,
295 &cursor,
296 &creds)) == 0) {
297 if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
298 ;
299 }else if(do_verbose){
300 print_cred_verbose(context, &creds);
301 }else{
302 print_cred(context, &creds, ct, do_flags);
303 }
304 krb5_free_cred_contents (context, &creds);
305 }
306 if(ret != KRB5_CC_END)
307 krb5_err(context, 1, ret, "krb5_cc_get_next");
308 ret = krb5_cc_end_seq_get (context, ccache, &cursor);
309 if (ret)
310 krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
311 if(!do_verbose) {
312 rtbl_format(ct, stdout);
313 rtbl_destroy(ct);
314 }
315 }
316
317 /*
318 * Check if there's a tgt for the realm of `principal' and ccache and
319 * if so return 0, else 1
320 */
321
322 static int
323 check_for_tgt (krb5_context context,
324 krb5_ccache ccache,
325 krb5_principal principal,
326 time_t *expiration)
327 {
328 krb5_error_code ret;
329 krb5_creds pattern;
330 krb5_creds creds;
331 krb5_const_realm client_realm;
332 int expired;
333
334 krb5_cc_clear_mcred(&pattern);
335
336 client_realm = krb5_principal_get_realm(context, principal);
337
338 ret = krb5_make_principal (context, &pattern.server,
339 client_realm, KRB5_TGS_NAME, client_realm, NULL);
340 if (ret)
341 krb5_err (context, 1, ret, "krb5_make_principal");
342 pattern.client = principal;
343
344 ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
345 krb5_free_principal (context, pattern.server);
346 if (ret) {
347 if (ret == KRB5_CC_END)
348 return 1;
349 krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
350 }
351
352 expired = time(NULL) > creds.times.endtime;
353
354 if (expiration)
355 *expiration = creds.times.endtime;
356
357 krb5_free_cred_contents (context, &creds);
358
359 return expired;
360 }
361
362 /*
363 * Print a list of all AFS tokens
364 */
365
366 #ifndef NO_AFS
367
368 static void
369 display_tokens(int do_verbose)
370 {
371 uint32_t i;
372 unsigned char t[4096];
373 struct ViceIoctl parms;
374
375 parms.in = (void *)&i;
376 parms.in_size = sizeof(i);
377 parms.out = (void *)t;
378 parms.out_size = sizeof(t);
379
380 for (i = 0;; i++) {
381 int32_t size_secret_tok, size_public_tok;
382 unsigned char *cell;
383 struct ClearToken ct;
384 unsigned char *r = t;
385 struct timeval tv;
386 char buf1[20], buf2[20];
387
388 if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) {
389 if(errno == EDOM)
390 break;
391 continue;
392 }
393 if(parms.out_size > sizeof(t))
394 continue;
395 if(parms.out_size < sizeof(size_secret_tok))
396 continue;
397 t[min(parms.out_size,sizeof(t)-1)] = 0;
398 memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
399 /* dont bother about the secret token */
400 r += size_secret_tok + sizeof(size_secret_tok);
401 if (parms.out_size < (r - t) + sizeof(size_public_tok))
402 continue;
403 memcpy(&size_public_tok, r, sizeof(size_public_tok));
404 r += sizeof(size_public_tok);
405 if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t))
406 continue;
407 memcpy(&ct, r, size_public_tok);
408 r += size_public_tok;
409 /* there is a int32_t with length of cellname, but we dont read it */
410 r += sizeof(int32_t);
411 cell = r;
412
413 gettimeofday (&tv, NULL);
414 strlcpy (buf1, printable_time(ct.BeginTimestamp),
415 sizeof(buf1));
416 if (do_verbose || tv.tv_sec < ct.EndTimestamp)
417 strlcpy (buf2, printable_time(ct.EndTimestamp),
418 sizeof(buf2));
419 else
420 strlcpy (buf2, N_(">>> Expired <<<", ""), sizeof(buf2));
421
422 printf("%s %s ", buf1, buf2);
423
424 if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
425 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct.ViceId, cell);
426 else
427 printf(N_("Tokens for %s", ""), cell);
428 if (do_verbose)
429 printf(" (%d)", ct.AuthHandle);
430 putchar('\n');
431 }
432 }
433 #endif
434
435 /*
436 * display the ccache in `cred_cache'
437 */
438
439 static int
440 display_v5_ccache (krb5_context context, krb5_ccache ccache,
441 int do_test, int do_verbose,
442 int do_flags, int do_hidden)
443 {
444 krb5_error_code ret;
445 krb5_principal principal;
446 int exit_status = 0;
447
448
449 ret = krb5_cc_get_principal (context, ccache, &principal);
450 if (ret) {
451 if(ret == ENOENT) {
452 if (!do_test)
453 krb5_warnx(context, N_("No ticket file: %s", ""),
454 krb5_cc_get_name(context, ccache));
455 return 1;
456 } else
457 krb5_err (context, 1, ret, "krb5_cc_get_principal");
458 }
459 if (do_test)
460 exit_status = check_for_tgt (context, ccache, principal, NULL);
461 else
462 print_tickets (context, ccache, principal, do_verbose,
463 do_flags, do_hidden);
464
465 ret = krb5_cc_close (context, ccache);
466 if (ret)
467 krb5_err (context, 1, ret, "krb5_cc_close");
468
469 krb5_free_principal (context, principal);
470
471 return exit_status;
472 }
473
474 /*
475 *
476 */
477
478 static int
479 list_caches(krb5_context context)
480 {
481 krb5_cc_cache_cursor cursor;
482 const char *cdef_name;
483 char *def_name;
484 krb5_error_code ret;
485 krb5_ccache id;
486 rtbl_t ct;
487
488 cdef_name = krb5_cc_default_name(context);
489 if (cdef_name == NULL)
490 krb5_errx(context, 1, "krb5_cc_default_name");
491 def_name = strdup(cdef_name);
492
493 ret = krb5_cc_cache_get_first (context, NULL, &cursor);
494 if (ret == KRB5_CC_NOSUPP)
495 return 0;
496 else if (ret)
497 krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
498
499 ct = rtbl_create();
500 rtbl_add_column(ct, COL_NAME, 0);
501 rtbl_add_column(ct, COL_CACHENAME, 0);
502 rtbl_add_column(ct, COL_EXPIRES, 0);
503 rtbl_add_column(ct, COL_DEFCACHE, 0);
504 rtbl_set_prefix(ct, " ");
505 rtbl_set_column_prefix(ct, COL_NAME, "");
506
507 while (krb5_cc_cache_next (context, cursor, &id) == 0) {
508 krb5_principal principal = NULL;
509 int expired = 0;
510 char *name;
511 time_t t;
512
513 ret = krb5_cc_get_principal(context, id, &principal);
514 if (ret)
515 continue;
516
517 expired = check_for_tgt (context, id, principal, &t);
518
519 ret = krb5_cc_get_friendly_name(context, id, &name);
520 if (ret == 0) {
521 const char *str;
522 char *fname;
523 rtbl_add_column_entry(ct, COL_NAME, name);
524 rtbl_add_column_entry(ct, COL_CACHENAME,
525 krb5_cc_get_name(context, id));
526 if (expired)
527 str = N_(">>> Expired <<<", "");
528 else
529 str = printable_time(t);
530 rtbl_add_column_entry(ct, COL_EXPIRES, str);
531 free(name);
532
533 ret = krb5_cc_get_full_name(context, id, &fname);
534 if (ret)
535 krb5_err (context, 1, ret, "krb5_cc_get_full_name");
536
537 if (strcmp(fname, def_name) == 0)
538 rtbl_add_column_entry(ct, COL_DEFCACHE, "*");
539 else
540 rtbl_add_column_entry(ct, COL_DEFCACHE, "");
541
542 krb5_xfree(fname);
543 }
544 krb5_cc_close(context, id);
545
546 krb5_free_principal(context, principal);
547 }
548
549 krb5_cc_cache_end_seq_get(context, cursor);
550
551 free(def_name);
552 rtbl_format(ct, stdout);
553 rtbl_destroy(ct);
554
555 return 0;
556 }
557
558 /*
559 *
560 */
561
562 static int version_flag = 0;
563 static int help_flag = 0;
564 static int do_verbose = 0;
565 static int do_list_caches = 0;
566 static int do_all_content = 0;
567 static int do_test = 0;
568 #ifndef NO_AFS
569 static int do_tokens = 0;
570 #endif
571 static int do_v5 = 1;
572 static char *cred_cache;
573 static int do_flags = 0;
574 static int do_hidden = 0;
575
576 static struct getargs args[] = {
577 { NULL, 'f', arg_flag, &do_flags },
578 { "cache", 'c', arg_string, &cred_cache,
579 NP_("credentials cache to list", ""), "cache" },
580 { "test", 't', arg_flag, &do_test,
581 NP_("test for having tickets", ""), NULL },
582 { NULL, 's', arg_flag, &do_test },
583 #ifndef NO_AFS
584 { "tokens", 'T', arg_flag, &do_tokens,
585 NP_("display AFS tokens", ""), NULL },
586 #endif
587 { "v5", '5', arg_flag, &do_v5,
588 NP_("display v5 cred cache", ""), NULL},
589 { "all-content", 'A', arg_flag, &do_all_content,
590 NP_("all caches with their content", ""), NULL },
591 { "list-caches", 'l', arg_flag, &do_list_caches,
592 NP_("list all caches", ""), NULL },
593 { "verbose", 'v', arg_flag, &do_verbose,
594 NP_("verbose output", ""), NULL },
595 { "hidden", 0, arg_flag, &do_hidden,
596 NP_("display hidden credentials", ""), NULL },
597 { NULL, 'a', arg_flag, &do_verbose },
598 { NULL, 'n', arg_flag, &do_verbose },
599 { "version", 0, arg_flag, &version_flag,
600 NP_("print version", ""), NULL },
601 { "help", 0, arg_flag, &help_flag,
602 NULL, NULL}
603 };
604
605 static void
606 usage (int ret)
607 {
608 arg_printusage_i18n (args,
609 sizeof(args)/sizeof(*args),
610 N_("Usage: ", ""),
611 NULL,
612 "",
613 getarg_i18n);
614 exit (ret);
615 }
616
617 int
618 main (int argc, char **argv)
619 {
620 krb5_context context;
621 krb5_error_code ret;
622 int optidx = 0;
623 int exit_status = 0;
624
625 setprogname (argv[0]);
626
627 setlocale (LC_ALL, "");
628 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR);
629 textdomain("heimdal_kuser");
630
631 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
632 usage(1);
633
634 if (help_flag)
635 usage (0);
636
637 if(version_flag){
638 print_version(NULL);
639 exit(0);
640 }
641
642 argc -= optidx;
643
644 if (argc != 0)
645 usage (1);
646
647 ret = krb5_init_context (&context);
648 if (ret)
649 errx (1, "krb5_init_context failed: %d", ret);
650
651
652 if (do_list_caches) {
653 exit_status = list_caches(context);
654 return exit_status;
655 }
656
657 if (do_v5) {
658 krb5_ccache id;
659
660 if (do_all_content) {
661 krb5_cc_cache_cursor cursor;
662
663 ret = krb5_cc_cache_get_first (context, NULL, &cursor);
664 if (ret)
665 krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
666
667
668 while (krb5_cc_cache_next (context, cursor, &id) == 0) {
669 exit_status |= display_v5_ccache(context, id, do_test,
670 do_verbose, do_flags,
671 do_hidden);
672 printf("\n\n");
673 }
674 krb5_cc_cache_end_seq_get(context, cursor);
675
676 } else {
677 if(cred_cache) {
678 ret = krb5_cc_resolve(context, cred_cache, &id);
679 if (ret)
680 krb5_err (context, 1, ret, "%s", cred_cache);
681 } else {
682 ret = krb5_cc_default (context, &id);
683 if (ret)
684 krb5_err (context, 1, ret, "krb5_cc_resolve");
685 }
686 exit_status = display_v5_ccache(context, id, do_test,
687 do_verbose, do_flags,
688 do_hidden);
689 }
690 }
691
692 if (!do_test) {
693 #ifndef NO_AFS
694 if (do_tokens && k_hasafs ()) {
695 if (do_v5)
696 printf ("\n");
697 display_tokens (do_verbose);
698 }
699 #endif
700 }
701
702 krb5_free_context(context);
703
704 return exit_status;
705 }
Heimdal