2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
39 #include <Security/Security.h>
46 int forwardable_flag
= -1;
47 int proxiable_flag
= -1;
48 int renewable_flag
= -1;
51 int validate_flag
= 0;
55 struct getarg_strings extra_addresses
;
56 int anonymous_flag
= 0;
57 char *lifetime
= NULL
;
58 char *renew_life
= NULL
;
59 char *server_str
= NULL
;
60 char *cred_cache
= NULL
;
61 char *start_str
= NULL
;
62 static int switch_cache_flags
= 1;
63 struct getarg_strings etype_str
;
65 char *keytab_str
= NULL
;
66 static krb5_keytab kt
= NULL
;
69 char *password_file
= NULL
;
70 char *pk_user_id
= NULL
;
71 int pk_enterprise_flag
= 0;
72 struct hx509_certs_data
*ent_user_id
= NULL
;
73 char *pk_x509_anchors
= NULL
;
74 int pk_use_enckey
= 0;
75 static int canonicalize_flag
= 0;
76 static int enterprise_flag
= 0;
77 static int ok_as_delegate_flag
= 0;
78 static char *fast_armor_cache_string
= NULL
;
79 static int use_referrals_flag
= 0;
80 static int windows_flag
= 0;
82 static char *ntlm_domain
;
86 static struct getargs args
[] = {
100 { "afslog", 0 , arg_flag
, &do_afslog
,
101 NP_("obtain afs tokens", ""), NULL
},
103 { "cache", 'c', arg_string
, &cred_cache
,
104 NP_("credentials cache", ""), "cachename" },
106 { "forwardable", 'F', arg_negative_flag
, &forwardable_flag
,
107 NP_("get tickets not forwardable", ""), NULL
},
109 { NULL
, 'f', arg_flag
, &forwardable_flag
,
110 NP_("get forwardable tickets", ""), NULL
},
112 { "keytab", 't', arg_string
, &keytab_str
,
113 NP_("keytab to use", ""), "keytabname" },
115 { "lifetime", 'l', arg_string
, &lifetime
,
116 NP_("lifetime of tickets", ""), "time" },
118 { "proxiable", 'p', arg_flag
, &proxiable_flag
,
119 NP_("get proxiable tickets", ""), NULL
},
121 { "renew", 'R', arg_flag
, &renew_flag
,
122 NP_("renew TGT", ""), NULL
},
124 { "renewable", 0, arg_flag
, &renewable_flag
,
125 NP_("get renewable tickets", ""), NULL
},
127 { "renewable-life", 'r', arg_string
, &renew_life
,
128 NP_("renewable lifetime of tickets", ""), "time" },
130 { "server", 'S', arg_string
, &server_str
,
131 NP_("server to get ticket for", ""), "principal" },
133 { "start-time", 's', arg_string
, &start_str
,
134 NP_("when ticket gets valid", ""), "time" },
136 { "use-keytab", 'k', arg_flag
, &use_keytab
,
137 NP_("get key from keytab", ""), NULL
},
139 { "validate", 'v', arg_flag
, &validate_flag
,
140 NP_("validate TGT", ""), NULL
},
142 { "enctypes", 'e', arg_strings
, &etype_str
,
143 NP_("encryption types to use", ""), "enctypes" },
145 { "fcache-version", 0, arg_integer
, &fcache_version
,
146 NP_("file cache version to create", ""), NULL
},
148 { "addresses", 'A', arg_negative_flag
, &addrs_flag
,
149 NP_("request a ticket with no addresses", ""), NULL
},
151 { "extra-addresses",'a', arg_strings
, &extra_addresses
,
152 NP_("include these extra addresses", ""), "addresses" },
154 { "anonymous", 0, arg_flag
, &anonymous_flag
,
155 NP_("request an anonymous ticket", ""), NULL
},
157 { "request-pac", 0, arg_flag
, &pac_flag
,
158 NP_("request a Windows PAC", ""), NULL
},
160 { "password-file", 0, arg_string
, &password_file
,
161 NP_("read the password from a file", ""), NULL
},
163 { "canonicalize",0, arg_flag
, &canonicalize_flag
,
164 NP_("canonicalize client principal", ""), NULL
},
166 { "enterprise",0, arg_flag
, &enterprise_flag
,
167 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL
},
169 { "pk-enterprise", 0, arg_flag
, &pk_enterprise_flag
,
170 NP_("use enterprise name from certificate", ""), NULL
},
172 { "pk-user", 'C', arg_string
, &pk_user_id
,
173 NP_("principal's public/private/certificate identifier", ""), "id" },
175 { "x509-anchors", 'D', arg_string
, &pk_x509_anchors
,
176 NP_("directory with CA certificates", ""), "directory" },
178 { "pk-use-enckey", 0, arg_flag
, &pk_use_enckey
,
179 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL
},
182 { "ntlm-domain", 0, arg_string
, &ntlm_domain
,
183 NP_("NTLM domain", ""), "domain" },
186 { "change-default", 0, arg_negative_flag
, &switch_cache_flags
,
187 NP_("switch the default cache to the new credentials cache", ""), NULL
},
189 { "ok-as-delegate", 0, arg_flag
, &ok_as_delegate_flag
,
190 NP_("honor ok-as-delegate on tickets", ""), NULL
},
192 { "fast-armor-cache", 0, arg_string
, &fast_armor_cache_string
,
193 NP_("use this credential cache as FAST armor cache", ""), "cache" },
195 { "use-referrals", 0, arg_flag
, &use_referrals_flag
,
196 NP_("only use referrals, no dns canalisation", ""), NULL
},
198 { "windows", 0, arg_flag
, &windows_flag
,
199 NP_("get windows behavior", ""), NULL
},
201 { "version", 0, arg_flag
, &version_flag
, NULL
, NULL
},
202 { "help", 0, arg_flag
, &help_flag
, NULL
, NULL
}
208 arg_printusage_i18n(args
, sizeof(args
)/sizeof(*args
), N_("Usage: ", ""),
209 NULL
, "[principal [command]]", getarg_i18n
);
213 static krb5_error_code
214 get_server(krb5_context context
,
215 krb5_principal client
,
217 krb5_principal
*princ
)
219 krb5_const_realm realm
;
221 return krb5_parse_name(context
, server
, princ
);
223 realm
= krb5_principal_get_realm(context
, client
);
224 return krb5_make_principal(context
, princ
, realm
,
225 KRB5_TGS_NAME
, realm
, NULL
);
228 static krb5_error_code
229 copy_configs(krb5_context context
,
232 krb5_principal start_ticket_server
)
235 const char *cfg_names
[] = {"realm-config", "FriendlyName", NULL
};
236 const char *cfg_names_w_pname
[] = {"fast_avail", NULL
};
240 for (i
= 0; cfg_names
[i
]; i
++) {
241 ret
= krb5_cc_get_config(context
, src
, NULL
, cfg_names
[i
], &cfg_data
);
242 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
245 krb5_warn(context
, ret
, "krb5_cc_get_config");
248 ret
= krb5_cc_set_config(context
, dst
, NULL
, cfg_names
[i
], &cfg_data
);
250 krb5_warn(context
, ret
, "krb5_cc_set_config");
252 for (i
= 0; start_ticket_server
&& cfg_names_w_pname
[i
]; i
++) {
253 ret
= krb5_cc_get_config(context
, src
, start_ticket_server
,
254 cfg_names_w_pname
[i
], &cfg_data
);
255 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
258 krb5_warn(context
, ret
, "krb5_cc_get_config");
261 ret
= krb5_cc_set_config(context
, dst
, start_ticket_server
,
262 cfg_names_w_pname
[i
], &cfg_data
);
263 if (ret
&& ret
!= KRB5_CC_NOTFOUND
)
264 krb5_warn(context
, ret
, "krb5_cc_set_config");
267 * We don't copy cc configs for any other principals though (mostly
268 * those are per-target time offsets and the like, so it's bad to
269 * lose them, but hardly the end of the world, and as they may not
270 * expire anyways, it's good to let them go).
275 static krb5_error_code
276 renew_validate(krb5_context context
,
284 krb5_ccache tempccache
= NULL
;
285 krb5_creds in
, *out
= NULL
;
286 krb5_kdc_flags flags
;
288 memset(&in
, 0, sizeof(in
));
290 ret
= krb5_cc_get_principal(context
, cache
, &in
.client
);
292 krb5_warn(context
, ret
, "krb5_cc_get_principal");
295 ret
= get_server(context
, in
.client
, server
, &in
.server
);
297 krb5_warn(context
, ret
, "get_server");
303 * no need to check the error here, it's only to be
304 * friendly to the user
306 krb5_get_credentials(context
, KRB5_GC_CACHED
, cache
, &in
, &out
);
310 flags
.b
.renewable
= flags
.b
.renew
= renew
;
311 flags
.b
.validate
= validate
;
313 if (forwardable_flag
!= -1)
314 flags
.b
.forwardable
= forwardable_flag
;
316 flags
.b
.forwardable
= out
->flags
.b
.forwardable
;
318 if (proxiable_flag
!= -1)
319 flags
.b
.proxiable
= proxiable_flag
;
321 flags
.b
.proxiable
= out
->flags
.b
.proxiable
;
324 flags
.b
.request_anonymous
= anonymous_flag
;
326 in
.times
.endtime
= time(NULL
) + life
;
329 krb5_free_creds(context
, out
);
334 ret
= krb5_get_kdc_cred(context
,
342 krb5_warn(context
, ret
, "krb5_get_kdc_cred");
346 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, cache
),
349 krb5_warn(context
, ret
, "krb5_cc_new_unique");
353 ret
= krb5_cc_initialize(context
, tempccache
, in
.client
);
355 krb5_warn(context
, ret
, "krb5_cc_initialize");
359 ret
= krb5_cc_store_cred(context
, tempccache
, out
);
361 krb5_warn(context
, ret
, "krb5_cc_store_cred");
366 * We want to preserve cc configs as some are security-relevant, and
367 * anyways it's the friendly thing to do.
369 ret
= copy_configs(context
, tempccache
, cache
, out
->server
);
373 ret
= krb5_cc_move(context
, tempccache
, cache
);
375 krb5_warn(context
, ret
, "krb5_cc_move");
382 krb5_cc_close(context
, tempccache
);
384 krb5_free_creds(context
, out
);
385 krb5_free_cred_contents(context
, &in
);
391 static krb5_error_code
392 store_ntlmkey(krb5_context context
, krb5_ccache id
,
393 const char *domain
, struct ntlm_buf
*buf
)
400 aret
= asprintf(&name
, "ntlm-key-%s", domain
);
401 if (aret
== -1 || name
== NULL
) {
402 krb5_clear_error_message(context
);
406 data
.length
= buf
->length
;
407 data
.data
= buf
->data
;
409 ret
= krb5_cc_set_config(context
, id
, NULL
, name
, &data
);
415 static krb5_error_code
416 get_new_tickets(krb5_context context
,
417 krb5_principal principal
,
419 krb5_deltat ticket_life
,
425 krb5_deltat start_time
= 0;
426 krb5_deltat renew
= 0;
427 const char *renewstr
= NULL
;
428 krb5_enctype
*enctype
= NULL
;
429 krb5_ccache tempccache
= NULL
;
430 krb5_init_creds_context ctx
= NULL
;
431 krb5_get_init_creds_opt
*opt
= NULL
;
432 krb5_prompter_fct prompter
= krb5_prompter_posix
;
434 struct ntlm_buf ntlmkey
;
435 memset(&ntlmkey
, 0, sizeof(ntlmkey
));
445 if (strcasecmp("STDIN", password_file
) == 0)
448 f
= fopen(password_file
, "r");
450 krb5_warnx(context
, "Failed to open the password file %s",
455 if (fgets(passwd
, sizeof(passwd
), f
) == NULL
) {
456 krb5_warnx(context
, N_("Failed to read password from file %s", ""),
459 return EINVAL
; /* XXX Need a better error */
463 passwd
[strcspn(passwd
, "\n")] = '\0';
467 if (passwd
[0] == '\0') {
474 realm
= krb5_principal_get_realm(context
, principal
);
476 ret
= krb5_unparse_name_flags(context
, principal
,
477 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &name
);
481 osret
= SecKeychainFindGenericPassword(NULL
, strlen(realm
), realm
,
483 &length
, &buffer
, NULL
);
485 if (osret
== noErr
&& length
< sizeof(passwd
) - 1) {
486 memcpy(passwd
, buffer
, length
);
487 passwd
[length
] = '\0';
494 memset(&cred
, 0, sizeof(cred
));
496 ret
= krb5_get_init_creds_opt_alloc(context
, &opt
);
498 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_alloc");
502 krb5_get_init_creds_opt_set_default_flags(context
, "kinit",
503 krb5_principal_get_realm(context
, principal
), opt
);
505 if (forwardable_flag
!= -1)
506 krb5_get_init_creds_opt_set_forwardable(opt
, forwardable_flag
);
507 if (proxiable_flag
!= -1)
508 krb5_get_init_creds_opt_set_proxiable(opt
, proxiable_flag
);
510 krb5_get_init_creds_opt_set_anonymous(opt
, anonymous_flag
);
512 krb5_get_init_creds_opt_set_pac_request(context
, opt
,
513 pac_flag
? TRUE
: FALSE
);
514 if (canonicalize_flag
)
515 krb5_get_init_creds_opt_set_canonicalize(context
, opt
, TRUE
);
516 if (pk_enterprise_flag
|| enterprise_flag
|| canonicalize_flag
|| windows_flag
)
517 krb5_get_init_creds_opt_set_win2k(context
, opt
, TRUE
);
518 if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
519 ret
= krb5_get_init_creds_opt_set_pkinit(context
, opt
,
525 pk_use_enckey
? 2 : 0 |
526 anonymous_flag
? 4 : 0,
531 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_set_pkinit");
535 krb5_get_init_creds_opt_set_pkinit_user_certs(context
, opt
, ent_user_id
);
538 if (addrs_flag
!= -1)
539 krb5_get_init_creds_opt_set_addressless(context
, opt
,
540 addrs_flag
? FALSE
: TRUE
);
542 if (renew_life
== NULL
&& renewable_flag
)
543 renewstr
= "1 month";
545 renewstr
= renew_life
;
547 renew
= parse_time(renewstr
, "s");
549 errx(1, "unparsable time: %s", renewstr
);
551 krb5_get_init_creds_opt_set_renew_life(opt
, renew
);
554 if (ticket_life
!= 0)
555 krb5_get_init_creds_opt_set_tkt_life(opt
, ticket_life
);
558 int tmp
= parse_time(start_str
, "s");
560 errx(1, N_("unparsable time: %s", ""), start_str
);
565 if (etype_str
.num_strings
) {
568 enctype
= malloc(etype_str
.num_strings
* sizeof(*enctype
));
570 errx(1, "out of memory");
571 for(i
= 0; i
< etype_str
.num_strings
; i
++) {
572 ret
= krb5_string_to_enctype(context
,
573 etype_str
.strings
[i
],
576 errx(1, "unrecognized enctype: %s", etype_str
.strings
[i
]);
578 krb5_get_init_creds_opt_set_etype_list(opt
, enctype
,
579 etype_str
.num_strings
);
582 ret
= krb5_init_creds_init(context
, principal
, prompter
, NULL
, start_time
, opt
, &ctx
);
584 krb5_warn(context
, ret
, "krb5_init_creds_init");
589 ret
= krb5_init_creds_set_service(context
, ctx
, server_str
);
591 krb5_warn(context
, ret
, "krb5_init_creds_set_service");
596 if (fast_armor_cache_string
) {
599 ret
= krb5_cc_resolve(context
, fast_armor_cache_string
, &fastid
);
601 krb5_warn(context
, ret
, "krb5_cc_resolve(FAST cache)");
605 ret
= krb5_init_creds_set_fast_ccache(context
, ctx
, fastid
);
607 krb5_warn(context
, ret
, "krb5_init_creds_set_fast_ccache");
612 if (use_keytab
|| keytab_str
) {
613 ret
= krb5_init_creds_set_keytab(context
, ctx
, kt
);
615 krb5_warn(context
, ret
, "krb5_init_creds_set_keytab");
618 } else if (pk_user_id
|| ent_user_id
|| anonymous_flag
) {
620 } else if (!interactive
&& passwd
[0] == '\0') {
621 static int already_warned
= 0;
624 krb5_warnx(context
, "Not interactive, failed to get "
626 krb5_get_init_creds_opt_free(context
, opt
);
631 if (passwd
[0] == '\0') {
635 ret
= krb5_unparse_name(context
, principal
, &p
);
637 aret
= asprintf(&prompt
, N_("%s's Password: ", ""), p
);
640 if (ret
|| aret
== -1)
641 errx(1, "failed to generate passwd prompt: not enough memory");
643 if (UI_UTIL_read_pw_string(passwd
, sizeof(passwd
)-1, prompt
, 0)){
644 memset(passwd
, 0, sizeof(passwd
));
645 errx(1, "failed to read password");
651 ret
= krb5_init_creds_set_password(context
, ctx
, passwd
);
653 krb5_warn(context
, ret
, "krb5_init_creds_set_password");
659 ret
= krb5_init_creds_get(context
, ctx
);
662 if (ntlm_domain
&& passwd
[0])
663 heim_ntlm_nt_key(passwd
, &ntlmkey
);
665 memset(passwd
, 0, sizeof(passwd
));
670 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
672 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
673 case KRB5KRB_AP_ERR_MODIFIED
:
674 case KRB5KDC_ERR_PREAUTH_FAILED
:
675 case KRB5_GET_IN_TKT_LOOP
:
676 krb5_warnx(context
, N_("Password incorrect", ""));
678 case KRB5KRB_AP_ERR_V4_REPLY
:
679 krb5_warnx(context
, N_("Looks like a Kerberos 4 reply", ""));
682 krb5_warn(context
, ret
, "krb5_get_init_creds");
686 krb5_process_last_request(context
, opt
, ctx
);
688 ret
= krb5_init_creds_get_creds(context
, ctx
, &cred
);
690 krb5_warn(context
, ret
, "krb5_init_creds_get_creds");
694 if (ticket_life
!= 0) {
695 if (abs(cred
.times
.endtime
- cred
.times
.starttime
- ticket_life
) > 30) {
697 unparse_time_approx(cred
.times
.endtime
- cred
.times
.starttime
,
699 krb5_warnx(context
, N_("NOTICE: ticket lifetime is %s", ""), life
);
703 if (abs(cred
.times
.renew_till
- cred
.times
.starttime
- renew
) > 30) {
705 unparse_time_approx(cred
.times
.renew_till
- cred
.times
.starttime
,
708 N_("NOTICE: ticket renewable lifetime is %s", ""),
713 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, ccache
),
716 krb5_warn(context
, ret
, "krb5_cc_new_unique");
720 ret
= krb5_init_creds_store(context
, ctx
, tempccache
);
722 krb5_warn(context
, ret
, "krb5_init_creds_store");
726 krb5_init_creds_free(context
, ctx
);
729 ret
= krb5_cc_move(context
, tempccache
, ccache
);
731 krb5_warn(context
, ret
, "krb5_cc_move");
736 if (switch_cache_flags
)
737 krb5_cc_switch(context
, ccache
);
740 if (ntlm_domain
&& ntlmkey
.data
)
741 store_ntlmkey(context
, ccache
, ntlm_domain
, &ntlmkey
);
744 if (ok_as_delegate_flag
|| windows_flag
|| use_referrals_flag
) {
748 if (ok_as_delegate_flag
|| windows_flag
)
750 if (use_referrals_flag
|| windows_flag
)
756 krb5_cc_set_config(context
, ccache
, NULL
, "realm-config", &data
);
760 krb5_get_init_creds_opt_free(context
, opt
);
762 krb5_init_creds_free(context
, ctx
);
764 krb5_cc_close(context
, tempccache
);
773 ticket_lifetime(krb5_context context
, krb5_ccache cache
, krb5_principal client
,
774 const char *server
, time_t *renew
)
776 krb5_creds in_cred
, *cred
;
781 memset(&in_cred
, 0, sizeof(in_cred
));
783 ret
= krb5_cc_get_principal(context
, cache
, &in_cred
.client
);
785 krb5_warn(context
, ret
, "krb5_cc_get_principal");
788 ret
= get_server(context
, in_cred
.client
, server
, &in_cred
.server
);
790 krb5_free_principal(context
, in_cred
.client
);
791 krb5_warn(context
, ret
, "get_server");
795 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
,
796 cache
, &in_cred
, &cred
);
797 krb5_free_principal(context
, in_cred
.client
);
798 krb5_free_principal(context
, in_cred
.server
);
800 krb5_warn(context
, ret
, "krb5_get_credentials");
803 curtime
= time(NULL
);
804 timeout
= cred
->times
.endtime
- curtime
;
808 *renew
= cred
->times
.renew_till
- curtime
;
812 krb5_free_creds(context
, cred
);
817 krb5_context context
;
819 krb5_principal principal
;
820 krb5_deltat ticket_life
;
824 renew_func(void *ptr
)
827 struct renew_ctx
*ctx
= ptr
;
830 static time_t exp_delay
= 1;
833 * NOTE: We count on the ccache implementation to notice changes to the
834 * actual ccache filesystem/whatever objects. There should be no ccache
835 * types for which this is not the case, but it might not hurt to
836 * re-krb5_cc_resolve() after each successful renew_validate()/
837 * get_new_tickets() call.
840 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
841 server_str
, &renew_expire
);
843 if (renew_expire
> expire
) {
844 ret
= renew_validate(ctx
->context
, 1, validate_flag
, ctx
->ccache
,
845 server_str
, ctx
->ticket_life
);
846 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
847 server_str
, &renew_expire
);
850 if (expire
< ctx
->ticket_life
/ 2) {
851 ret
= get_new_tickets(ctx
->context
, ctx
->principal
,
852 ctx
->ccache
, ctx
->ticket_life
, 0);
853 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
854 server_str
, &renew_expire
);
858 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
859 krb5_afslog(ctx
->context
, ctx
->ccache
, NULL
, NULL
);
863 * If our tickets have expired and we been able to either renew them
864 * or obtain new tickets, then we still call this function but we use
865 * an exponential backoff. This should take care of the case where
866 * we are using stored credentials but the KDC has been unavailable
872 * We can't ask to keep spamming stderr but not syslog, so we warn
875 if (exp_delay
== 1) {
876 krb5_warnx(ctx
->context
, N_("NOTICE: Could not renew/refresh "
879 if (exp_delay
< 7200)
880 exp_delay
+= exp_delay
/ 2 + 1;
885 return expire
/ 2 + 1;
889 set_princ_realm(krb5_context context
,
890 krb5_principal principal
,
895 if ((ret
= krb5_principal_set_realm(context
, principal
, realm
)) != 0)
896 krb5_err(context
, 1, ret
, "krb5_principal_set_realm");
900 parse_name_realm(krb5_context context
,
904 krb5_principal
*princ
)
909 flags
|= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
910 if ((ret
= krb5_parse_name_flags(context
, name
, flags
, princ
)) != 0)
911 krb5_err(context
, 1, ret
, "krb5_parse_name_flags");
912 if (realm
&& krb5_principal_get_realm(context
, *princ
) == NULL
)
913 set_princ_realm(context
, *princ
, realm
);
917 get_default_realm(krb5_context context
)
922 if ((ret
= krb5_get_default_realm(context
, &realm
)) != 0)
923 krb5_err(context
, 1, ret
, "krb5_get_default_realm");
928 get_default_principal(krb5_context context
, krb5_principal
*princ
)
932 if ((ret
= krb5_get_default_principal(context
, princ
)) != 0)
933 krb5_err(context
, 1, ret
, "krb5_get_default_principal");
937 get_user_realm(krb5_context context
)
940 char *user_realm
= NULL
;
943 * If memory allocation fails, we don't try to use the wrong realm,
944 * that will trigger misleading error messages complicate support.
946 krb5_appdefault_string(context
, "kinit", NULL
, "user_realm", "",
948 if (user_realm
== NULL
) {
949 ret
= krb5_enomem(context
);
950 krb5_err(context
, 1, ret
, "krb5_appdefault_string");
953 if (*user_realm
== 0) {
962 get_princ(krb5_context context
, krb5_principal
*principal
, const char *name
)
972 /* If credential cache provides a client principal, use that. */
973 if (krb5_cc_default(context
, &ccache
) == 0) {
974 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
975 krb5_cc_close(context
, ccache
);
981 user_realm
= get_user_realm(context
);
984 if (canonicalize_flag
|| enterprise_flag
)
985 parseflags
|= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
987 parse_name_realm(context
, name
, parseflags
, user_realm
, &tmp
);
989 if (user_realm
&& krb5_principal_get_num_comp(context
, tmp
) > 1) {
990 /* Principal is instance qualified, reparse with default realm. */
991 krb5_free_principal(context
, tmp
);
992 parse_name_realm(context
, name
, parseflags
, NULL
, principal
);
997 get_default_principal(context
, principal
);
999 set_princ_realm(context
, *principal
, user_realm
);
1007 get_princ_kt(krb5_context context
,
1008 krb5_principal
*principal
,
1011 krb5_error_code ret
;
1014 krb5_kt_cursor cursor
;
1015 krb5_keytab_entry entry
;
1021 * If the credential cache exists and specifies a client principal,
1024 if (krb5_cc_default(context
, &ccache
) == 0) {
1025 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
1026 krb5_cc_close(context
, ccache
);
1033 /* If the principal specifies an explicit realm, just use that. */
1034 parseflags
|= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
1035 parse_name_realm(context
, name
, parseflags
, NULL
, &tmp
);
1036 if (krb5_principal_get_realm(context
, tmp
) != NULL
) {
1041 /* Otherwise, search keytab for bare name of the default principal. */
1042 get_default_principal(context
, &tmp
);
1043 set_princ_realm(context
, tmp
, NULL
);
1046 def_realm
= get_default_realm(context
);
1048 ret
= krb5_kt_start_seq_get(context
, kt
, &cursor
);
1050 krb5_err(context
, 1, ret
, "krb5_kt_start_seq_get");
1053 krb5_kt_next_entry(context
, kt
, &entry
, &cursor
) == 0) {
1056 if (!krb5_principal_compare_any_realm(context
, tmp
, entry
.principal
))
1059 krb5_principal_compare(context
, *principal
, entry
.principal
))
1061 /* The default realm takes precedence */
1062 realm
= krb5_principal_get_realm(context
, entry
.principal
);
1063 if (*principal
&& strcmp(def_realm
, realm
) == 0) {
1064 krb5_free_principal(context
, *principal
);
1065 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1069 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1071 if (ret
!= 0 || (ret
= krb5_kt_end_seq_get(context
, kt
, &cursor
)) != 0)
1072 krb5_err(context
, 1, ret
, "get_princ_kt");
1074 parse_name_realm(context
, name
, parseflags
, NULL
, principal
);
1076 krb5_free_principal(context
, tmp
);
1081 main(int argc
, char **argv
)
1083 krb5_error_code ret
;
1084 krb5_context context
;
1086 krb5_principal principal
= NULL
;
1088 krb5_deltat ticket_life
= 0;
1090 setprogname(argv
[0]);
1092 setlocale(LC_ALL
, "");
1093 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR
);
1094 textdomain("heimdal_kuser");
1096 ret
= krb5_init_context(&context
);
1097 if (ret
== KRB5_CONFIG_BADFORMAT
)
1098 errx(1, "krb5_init_context failed to parse configuration file");
1100 errx(1, "krb5_init_context failed: %d", ret
);
1102 if (getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
1109 print_version(NULL
);
1117 * Open the keytab now, we use the keytab to determine the principal's
1118 * realm when the requested principal has no realm.
1120 if (use_keytab
|| keytab_str
) {
1122 ret
= krb5_kt_resolve(context
, keytab_str
, &kt
);
1124 ret
= krb5_kt_default(context
, &kt
);
1126 krb5_err(context
, 1, ret
, "resolving keytab");
1129 if (pk_enterprise_flag
) {
1130 ret
= krb5_pk_enterprise_cert(context
, pk_user_id
,
1131 argv
[0], &principal
,
1134 krb5_err(context
, 1, ret
, "krb5_pk_enterprise_certs");
1138 } else if (anonymous_flag
) {
1140 ret
= krb5_make_principal(context
, &principal
, argv
[0],
1141 KRB5_WELLKNOWN_NAME
, KRB5_ANON_NAME
,
1144 krb5_err(context
, 1, ret
, "krb5_make_principal");
1145 krb5_principal_set_type(context
, principal
, KRB5_NT_WELLKNOWN
);
1147 } else if (use_keytab
|| keytab_str
) {
1148 get_princ_kt(context
, &principal
, argv
[0]);
1150 get_princ(context
, &principal
, argv
[0]);
1154 krb5_set_fcache_version(context
, fcache_version
);
1156 if (renewable_flag
== -1)
1157 /* this seems somewhat pointless, but whatever */
1158 krb5_appdefault_boolean(context
, "kinit",
1159 krb5_principal_get_realm(context
, principal
),
1160 "renewable", FALSE
, &renewable_flag
);
1161 if (do_afslog
== -1)
1162 krb5_appdefault_boolean(context
, "kinit",
1163 krb5_principal_get_realm(context
, principal
),
1164 "afslog", TRUE
, &do_afslog
);
1167 ret
= krb5_cc_resolve(context
, cred_cache
, &ccache
);
1171 ret
= krb5_cc_new_unique(context
, NULL
, NULL
, &ccache
);
1173 krb5_err(context
, 1, ret
, "creating cred cache");
1174 snprintf(s
, sizeof(s
), "%s:%s",
1175 krb5_cc_get_type(context
, ccache
),
1176 krb5_cc_get_name(context
, ccache
));
1177 setenv("KRB5CCNAME", s
, 1);
1179 ret
= krb5_cc_cache_match(context
, principal
, &ccache
);
1182 ret
= krb5_cc_default(context
, &ccache
);
1184 krb5_err(context
, 1, ret
,
1185 N_("resolving credentials cache", ""));
1188 * Check if the type support switching, and we do,
1189 * then do that instead over overwriting the current
1190 * default credential
1192 type
= krb5_cc_get_type(context
, ccache
);
1193 if (krb5_cc_support_switch(context
, type
)) {
1194 krb5_cc_close(context
, ccache
);
1195 ret
= krb5_cc_new_unique(context
, type
, NULL
, &ccache
);
1201 krb5_err(context
, 1, ret
, N_("resolving credentials cache", ""));
1204 if (argc
> 1 && k_hasafs())
1209 int tmp
= parse_time(lifetime
, "s");
1211 errx(1, N_("unparsable time: %s", ""), lifetime
);
1216 if (addrs_flag
== 0 && extra_addresses
.num_strings
> 0)
1217 krb5_errx(context
, 1,
1218 N_("specifying both extra addresses and "
1219 "no addresses makes no sense", ""));
1222 krb5_addresses addresses
;
1223 memset(&addresses
, 0, sizeof(addresses
));
1224 for(i
= 0; i
< extra_addresses
.num_strings
; i
++) {
1225 ret
= krb5_parse_address(context
, extra_addresses
.strings
[i
],
1228 krb5_add_extra_addresses(context
, &addresses
);
1229 krb5_free_addresses(context
, &addresses
);
1232 free_getarg_strings(&extra_addresses
);
1235 if (renew_flag
|| validate_flag
) {
1236 ret
= renew_validate(context
, renew_flag
, validate_flag
,
1237 ccache
, server_str
, ticket_life
);
1240 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1241 krb5_afslog(context
, ccache
, NULL
, NULL
);
1247 ret
= get_new_tickets(context
, principal
, ccache
, ticket_life
, 1);
1252 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1253 krb5_afslog(context
, ccache
, NULL
, NULL
);
1257 struct renew_ctx ctx
;
1260 timeout
= ticket_lifetime(context
, ccache
, principal
,
1261 server_str
, NULL
) / 2;
1263 ctx
.context
= context
;
1264 ctx
.ccache
= ccache
;
1265 ctx
.principal
= principal
;
1266 ctx
.ticket_life
= ticket_life
;
1268 ret
= simple_execvp_timed(argv
[1], argv
+1,
1269 renew_func
, &ctx
, timeout
);
1270 #define EX_NOEXEC 126
1271 #define EX_NOTFOUND 127
1272 if (ret
== EX_NOEXEC
)
1273 krb5_warnx(context
, N_("permission denied: %s", ""), argv
[1]);
1274 else if (ret
== EX_NOTFOUND
)
1275 krb5_warnx(context
, N_("command not found: %s", ""), argv
[1]);
1277 krb5_cc_destroy(context
, ccache
);
1283 krb5_cc_close(context
, ccache
);
1286 krb5_free_principal(context
, principal
);
1288 krb5_kt_close(context
, kt
);
1289 krb5_free_context(context
);