2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
37 #include "parse_units.h"
38 #include "heimtools-commands.h"
39 #undef HC_DEPRECATED_CRYPTO
42 printable_time_internal(time_t t
, int x
)
47 if ((p
= ctime(&t
)) == NULL
)
48 strlcpy(s
, "?", sizeof(s
));
50 strlcpy(s
, p
+ 4, sizeof(s
));
56 printable_time(time_t t
)
58 return printable_time_internal(t
, 20);
62 printable_time_long(time_t t
)
64 return printable_time_internal(t
, 20);
67 #define COL_ISSUED NP_(" Issued","")
68 #define COL_EXPIRES NP_(" Expires", "")
69 #define COL_FLAGS NP_("Flags", "")
70 #define COL_NAME NP_(" Name", "")
71 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
72 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
73 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
74 #define COL_DEFCACHE NP_("", "")
77 print_cred(krb5_context context
, krb5_creds
*cred
, rtbl_t ct
, int do_flags
)
83 krb5_timeofday (context
, &sec
);
86 if(cred
->times
.starttime
)
87 rtbl_add_column_entry(ct
, COL_ISSUED
,
88 printable_time(cred
->times
.starttime
));
90 rtbl_add_column_entry(ct
, COL_ISSUED
,
91 printable_time(cred
->times
.authtime
));
93 if(cred
->times
.endtime
> sec
)
94 rtbl_add_column_entry(ct
, COL_EXPIRES
,
95 printable_time(cred
->times
.endtime
));
97 rtbl_add_column_entry(ct
, COL_EXPIRES
, N_(">>>Expired<<<", ""));
98 ret
= krb5_unparse_name (context
, cred
->server
, &str
);
100 krb5_err(context
, 1, ret
, "krb5_unparse_name");
101 rtbl_add_column_entry(ct
, COL_PRINCIPAL
, str
);
104 if(cred
->flags
.b
.forwardable
)
106 if(cred
->flags
.b
.forwarded
)
108 if(cred
->flags
.b
.proxiable
)
110 if(cred
->flags
.b
.proxy
)
112 if(cred
->flags
.b
.may_postdate
)
114 if(cred
->flags
.b
.postdated
)
116 if(cred
->flags
.b
.renewable
)
118 if(cred
->flags
.b
.initial
)
120 if(cred
->flags
.b
.invalid
)
122 if(cred
->flags
.b
.pre_authent
)
124 if(cred
->flags
.b
.hw_authent
)
126 if(cred
->flags
.b
.transited_policy_checked
)
128 if(cred
->flags
.b
.ok_as_delegate
)
130 if(cred
->flags
.b
.anonymous
)
133 rtbl_add_column_entry(ct
, COL_FLAGS
, s
);
139 print_cred_verbose(krb5_context context
, krb5_creds
*cred
, int do_json
)
146 if (do_json
) { /* XXX support more json formating later */
147 printf("{ \"verbose-supported\" : false }");
151 krb5_timeofday (context
, &sec
);
153 ret
= krb5_unparse_name(context
, cred
->server
, &str
);
156 printf(N_("Server: %s\n", ""), str
);
159 ret
= krb5_unparse_name(context
, cred
->client
, &str
);
162 printf(N_("Client: %s\n", ""), str
);
165 if (krb5_is_config_principal(context
, cred
->server
)) {
166 if (krb5_principal_get_num_comp(context
, cred
->server
) > 1) {
169 /* If the payload is text and not secret/sensitive, print it */
170 s
= krb5_principal_get_comp_string(context
, cred
->server
, 1);
171 if (strcmp(s
, "start_realm") == 0 ||
172 strcmp(s
, "anon_pkinit_realm") == 0 ||
173 strcmp(s
, "default-ntlm-domain") == 0 ||
174 strcmp(s
, "FriendlyName") == 0 ||
175 strcmp(s
, "fast_avail") == 0 ||
176 strcmp(s
, "kx509store") == 0 ||
177 strcmp(s
, "kx509_service_realm") == 0 ||
178 strcmp(s
, "kx509_service_status") == 0)
179 printf(N_("Configuration item payload: %.*s\n", ""),
180 (int)cred
->ticket
.length
,
181 (const char *)cred
->ticket
.data
);
183 printf(N_("Configuration item payload length: %lu\n", ""),
184 (unsigned long)cred
->ticket
.length
);
185 } /* else... this is a meaningless entry; nothing would create it */
191 decode_Ticket(cred
->ticket
.data
, cred
->ticket
.length
, &t
, &len
);
192 ret
= krb5_enctype_to_string(context
, t
.enc_part
.etype
, &s
);
193 printf(N_("Ticket etype: ", ""));
198 printf(N_("unknown-enctype(%d)", ""), t
.enc_part
.etype
);
201 printf(N_(", kvno %d", ""), *t
.enc_part
.kvno
);
203 if(cred
->session
.keytype
!= t
.enc_part
.etype
) {
204 ret
= krb5_enctype_to_string(context
, cred
->session
.keytype
, &str
);
206 krb5_warn(context
, ret
, "session keytype");
208 printf(N_("Session key: %s\n", "enctype"), str
);
213 printf(N_("Ticket length: %lu\n", ""),
214 (unsigned long)cred
->ticket
.length
);
215 printf(N_("Auth time: %s\n", ""),
216 printable_time_long(cred
->times
.authtime
));
217 if(cred
->times
.authtime
!= cred
->times
.starttime
)
218 printf(N_("Start time: %s\n", ""),
219 printable_time_long(cred
->times
.starttime
));
220 printf(N_("End time: %s", ""),
221 printable_time_long(cred
->times
.endtime
));
222 if(sec
> cred
->times
.endtime
)
223 printf(N_(" (expired)", ""));
225 if(cred
->flags
.b
.renewable
)
226 printf(N_("Renew till: %s\n", ""),
227 printable_time_long(cred
->times
.renew_till
));
230 unparse_flags(TicketFlags2int(cred
->flags
.b
),
231 asn1_TicketFlags_units(),
232 flags
, sizeof(flags
));
233 printf(N_("Ticket flags: %s\n", ""), flags
);
235 printf(N_("Addresses: ", ""));
236 if (cred
->addresses
.len
!= 0) {
237 for(j
= 0; j
< cred
->addresses
.len
; j
++){
240 ret
= krb5_print_address(&cred
->addresses
.val
[j
],
241 buf
, sizeof(buf
), &len
);
247 printf(N_("addressless", ""));
254 * Print all tickets in `ccache' on stdout, verbosely if do_verbose.
258 print_tickets(krb5_context context
,
260 krb5_principal principal
,
266 char *str
, *name
, *fullname
;
268 krb5_cc_cursor cursor
;
274 ret
= krb5_unparse_name (context
, principal
, &str
);
276 krb5_err (context
, 1, ret
, "krb5_unparse_name");
278 ret
= krb5_cc_get_full_name(context
, ccache
, &fullname
);
280 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
283 printf ("%17s: %s\n", N_("Credentials cache", ""), fullname
);
284 printf ("%17s: %s\n", N_("Principal", ""), str
);
286 ret
= krb5_cc_get_friendly_name(context
, ccache
, &name
);
288 if (strcmp(name
, str
) != 0)
289 printf ("%17s: %s\n", N_("Friendly name", ""), name
);
294 printf ("%17s: %d\n", N_("Cache version", ""),
295 krb5_cc_get_version(context
, ccache
));
297 krb5_cc_set_flags(context
, ccache
, KRB5_TC_NOTICKET
);
300 ret
= krb5_cc_get_kdc_offset(context
, ccache
, &sec
);
302 if (ret
== 0 && do_verbose
&& sec
!= 0) {
314 unparse_time (val
, buf
, sizeof(buf
));
316 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
317 sig
== -1 ? "-" : "", buf
);
321 printf ("{ \"cache\" : \"%s\", \"principal\" : \"%s\", ", fullname
, str
);
325 ret
= krb5_cc_start_seq_get (context
, ccache
, &cursor
);
327 krb5_err(context
, 1, ret
, "krb5_cc_start_seq_get");
331 rtbl_add_column(ct
, COL_ISSUED
, 0);
332 rtbl_add_column(ct
, COL_EXPIRES
, 0);
334 rtbl_add_column(ct
, COL_FLAGS
, 0);
335 rtbl_add_column(ct
, COL_PRINCIPAL
, 0);
336 rtbl_set_separator(ct
, " ");
338 rtbl_set_flags(ct
, RTBL_JSON
);
339 printf("\"tickets\" : ");
342 if (do_verbose
&& do_json
)
343 printf("\"tickets\" : [");
344 while ((ret
= krb5_cc_next_cred(context
, ccache
, &cursor
, &creds
)) == 0) {
345 if (!do_hidden
&& krb5_is_config_principal(context
, creds
.server
)) {
347 } else if (do_verbose
) {
348 if (do_json
&& print_comma
)
350 print_cred_verbose(context
, &creds
, do_json
);
353 print_cred(context
, &creds
, ct
, do_flags
);
355 krb5_free_cred_contents(context
, &creds
);
357 if (ret
!= KRB5_CC_END
)
358 krb5_err(context
, 1, ret
, "krb5_cc_get_next");
359 ret
= krb5_cc_end_seq_get (context
, ccache
, &cursor
);
361 krb5_err(context
, 1, ret
, "krb5_cc_end_seq_get");
365 rtbl_format(ct
, stdout
);
377 * Check if there's a tgt for the realm of `principal' and ccache and
378 * if so return 0, else 1
382 check_expiration(krb5_context context
,
389 ret
= krb5_cc_get_lifetime(context
, ccache
, &t
);
394 *expiration
= time(NULL
) + t
;
400 * Print a list of all AFS tokens
406 display_tokens(int do_verbose
)
409 unsigned char t
[4096];
410 struct ViceIoctl parms
;
412 parms
.in
= (void *)&i
;
413 parms
.in_size
= sizeof(i
);
414 parms
.out
= (void *)t
;
415 parms
.out_size
= sizeof(t
);
418 int32_t size_secret_tok
, size_public_tok
;
420 struct ClearToken ct
;
421 unsigned char *r
= t
;
423 char buf1
[20], buf2
[20];
425 if(k_pioctl(NULL
, VIOCGETTOK
, &parms
, 0) < 0) {
430 if(parms
.out_size
> sizeof(t
))
432 if(parms
.out_size
< sizeof(size_secret_tok
))
434 t
[min(parms
.out_size
,sizeof(t
)-1)] = 0;
435 memcpy(&size_secret_tok
, r
, sizeof(size_secret_tok
));
436 /* don't bother about the secret token */
437 r
+= size_secret_tok
+ sizeof(size_secret_tok
);
438 if (parms
.out_size
< (r
- t
) + sizeof(size_public_tok
))
440 memcpy(&size_public_tok
, r
, sizeof(size_public_tok
));
441 r
+= sizeof(size_public_tok
);
442 if (parms
.out_size
< (r
- t
) + size_public_tok
+ sizeof(int32_t))
444 memcpy(&ct
, r
, size_public_tok
);
445 r
+= size_public_tok
;
446 /* there is a int32_t with length of cellname, but we don't read it */
447 r
+= sizeof(int32_t);
450 gettimeofday (&tv
, NULL
);
451 strlcpy (buf1
, printable_time(ct
.BeginTimestamp
),
453 if (do_verbose
|| tv
.tv_sec
< ct
.EndTimestamp
)
454 strlcpy (buf2
, printable_time(ct
.EndTimestamp
),
457 strlcpy (buf2
, N_(">>> Expired <<<", ""), sizeof(buf2
));
459 printf("%s %s ", buf1
, buf2
);
461 if ((ct
.EndTimestamp
- ct
.BeginTimestamp
) & 1)
462 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct
.ViceId
, cell
);
464 printf(N_("Tokens for %s", ""), cell
);
466 printf(" (%d)", ct
.AuthHandle
);
473 * display the ccache in `cred_cache'
477 display_v5_ccache (krb5_context context
, krb5_ccache ccache
,
478 int do_test
, int do_verbose
,
479 int do_flags
, int do_hidden
,
483 krb5_principal principal
;
487 ret
= krb5_cc_get_principal (context
, ccache
, &principal
);
495 krb5_warnx(context
, N_("No ticket file: %s", ""),
496 krb5_cc_get_name(context
, ccache
));
499 krb5_err (context
, 1, ret
, "krb5_cc_get_principal");
502 exit_status
= check_expiration(context
, ccache
, NULL
);
504 print_tickets (context
, ccache
, principal
, do_verbose
,
505 do_flags
, do_hidden
, do_json
);
507 ret
= krb5_cc_close (context
, ccache
);
509 krb5_err (context
, 1, ret
, "krb5_cc_close");
511 krb5_free_principal (context
, principal
);
521 list_caches(krb5_context context
, struct klist_options
*opt
)
523 krb5_cccol_cursor cursor
;
524 const char *cdef_name
;
530 cdef_name
= krb5_cc_default_name(context
);
531 if (cdef_name
== NULL
)
532 krb5_errx(context
, 1, "krb5_cc_default_name");
533 def_name
= strdup(cdef_name
);
535 ret
= krb5_cccol_cursor_new(context
, &cursor
);
536 if (ret
== KRB5_CC_NOSUPP
) {
541 krb5_err (context
, 1, ret
, "krb5_cc_cache_get_first");
544 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
545 rtbl_add_column(ct
, COL_NAME
, 0);
546 rtbl_add_column(ct
, COL_CACHENAME
, 0);
547 rtbl_add_column(ct
, COL_EXPIRES
, 0);
548 rtbl_add_column(ct
, COL_DEFCACHE
, 0);
549 rtbl_set_prefix(ct
, " ");
550 rtbl_set_column_prefix(ct
, COL_DEFCACHE
, "");
551 rtbl_set_column_prefix(ct
, COL_NAME
, " ");
553 rtbl_set_flags(ct
, RTBL_JSON
);
555 while (krb5_cccol_cursor_next(context
, cursor
, &id
) == 0) {
560 expired
= check_expiration(context
, id
, &t
);
562 ret
= krb5_cc_get_friendly_name(context
, id
, &name
);
567 rtbl_add_column_entry(ct
, COL_NAME
, name
);
571 str
= N_(">>> Expired <<<", "");
573 str
= printable_time(t
);
574 rtbl_add_column_entry(ct
, COL_EXPIRES
, str
);
576 ret
= krb5_cc_get_full_name(context
, id
, &fname
);
578 krb5_err (context
, 1, ret
, "krb5_cc_get_full_name");
580 rtbl_add_column_entry(ct
, COL_CACHENAME
, fname
);
583 else if (strcmp(fname
, def_name
) == 0)
584 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "*");
586 rtbl_add_column_entry(ct
, COL_DEFCACHE
, "");
590 krb5_cc_close(context
, id
);
593 krb5_cccol_cursor_free(context
, &cursor
);
596 rtbl_format(ct
, stdout
);
610 klist(struct klist_options
*opt
, int argc
, char **argv
)
623 if(opt
->version_flag
) {
628 if (opt
->list_all_flag
) {
629 exit_status
= list_caches(heimtools_context
, opt
);
636 if (opt
->all_content_flag
) {
637 krb5_cc_cache_cursor cursor
;
640 ret
= krb5_cc_cache_get_first(heimtools_context
, NULL
, &cursor
);
642 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_cache_get_first");
646 while (krb5_cc_cache_next(heimtools_context
, cursor
, &id
) == 0) {
647 if (opt
->json_flag
&& !first
)
650 exit_status
|= display_v5_ccache(heimtools_context
, id
, do_test
,
651 do_verbose
, opt
->flags_flag
,
659 krb5_cc_cache_end_seq_get(heimtools_context
, cursor
);
663 if(opt
->cache_string
) {
664 ret
= krb5_cc_resolve(heimtools_context
, opt
->cache_string
, &id
);
666 krb5_err(heimtools_context
, 1, ret
, "%s", opt
->cache_string
);
668 ret
= krb5_cc_default(heimtools_context
, &id
);
670 krb5_err(heimtools_context
, 1, ret
, "krb5_cc_resolve");
672 exit_status
= display_v5_ccache(heimtools_context
, id
, do_test
,
673 do_verbose
, opt
->flags_flag
,
674 opt
->hidden_flag
, opt
->json_flag
);
680 if (opt
->tokens_flag
&& k_hasafs()) {
683 display_tokens(opt
->verbose_flag
);