search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
gss: free user keytab before resolving system keytab
[heimdal.git] / kuser / kinit.c
blobc08ae4a65ab0d6c9c4e55c3dedb102a776e8c259
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37
38 #ifdef HAVE_FRAMEWORK_SECURITY
39 #include <Security/Security.h>
40 #endif
41
42 #ifndef NO_NTLM
43 #include "heimntlm.h"
44 #endif
45
46 #ifndef SIGINFO
47 #define SIGINFO SIGUSR1
48 #endif
49
50 int forwardable_flag = -1;
51 int proxiable_flag = -1;
52 int renewable_flag = -1;
53 int renew_flag = 0;
54 int pac_flag = -1;
55 int validate_flag = 0;
56 int version_flag = 0;
57 int help_flag = 0;
58 int addrs_flag = -1;
59 struct getarg_strings extra_addresses;
60 int anonymous_flag = 0;
61 char *lifetime = NULL;
62 char *renew_life = NULL;
63 char *server_str = NULL;
64 static krb5_principal tgs_service;
65 char *cred_cache = NULL;
66 char *start_str = NULL;
67 static int switch_cache_flags = 1;
68 struct getarg_strings etype_str;
69 int use_keytab = 0;
70 char *keytab_str = NULL;
71 static krb5_keytab kt = NULL;
72 int do_afslog = -1;
73 int fcache_version;
74 char *password_file = NULL;
75 char *pk_user_id = NULL;
76 int pk_enterprise_flag = 0;
77 struct hx509_certs_data *ent_user_id = NULL;
78 char *pk_x509_anchors = NULL;
79 int pk_use_enckey = 0;
80 static int canonicalize_flag = 0;
81 static int enterprise_flag = 0;
82 static int ok_as_delegate_flag = 0;
83 static char *fast_armor_cache_string = NULL;
84 static int use_referrals_flag = 0;
85 static int windows_flag = 0;
86 #ifndef NO_NTLM
87 static char *ntlm_domain;
88 #endif
89
90
91 static struct getargs args[] = {
92 /*
93 * used by MIT
94 * a: ~A
95 * V: verbose
96 * F: ~f
97 * P: ~p
98 * C: v4 cache name?
99 * 5:
100 *
101 * old flags
102 * 4:
103 * 9:
104 */
105 { "afslog", 0 , arg_flag, &do_afslog,
106 NP_("obtain afs tokens", ""), NULL },
107
108 { "cache", 'c', arg_string, &cred_cache,
109 NP_("credentials cache", ""), "cachename" },
110
111 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
112 NP_("get tickets not forwardable", ""), NULL },
113
114 { NULL, 'f', arg_flag, &forwardable_flag,
115 NP_("get forwardable tickets", ""), NULL },
116
117 { "keytab", 't', arg_string, &keytab_str,
118 NP_("keytab to use", ""), "keytabname" },
119
120 { "lifetime", 'l', arg_string, &lifetime,
121 NP_("lifetime of tickets", ""), "time" },
122
123 { "proxiable", 'p', arg_flag, &proxiable_flag,
124 NP_("get proxiable tickets", ""), NULL },
125
126 { "renew", 'R', arg_flag, &renew_flag,
127 NP_("renew TGT", ""), NULL },
128
129 { "renewable", 0, arg_flag, &renewable_flag,
130 NP_("get renewable tickets", ""), NULL },
131
132 { "renewable-life", 'r', arg_string, &renew_life,
133 NP_("renewable lifetime of tickets", ""), "time" },
134
135 { "server", 'S', arg_string, &server_str,
136 NP_("server to get ticket for", ""), "principal" },
137
138 { "start-time", 's', arg_string, &start_str,
139 NP_("when ticket gets valid", ""), "time" },
140
141 { "use-keytab", 'k', arg_flag, &use_keytab,
142 NP_("get key from keytab", ""), NULL },
143
144 { "validate", 'v', arg_flag, &validate_flag,
145 NP_("validate TGT", ""), NULL },
146
147 { "enctypes", 'e', arg_strings, &etype_str,
148 NP_("encryption types to use", ""), "enctypes" },
149
150 { "fcache-version", 0, arg_integer, &fcache_version,
151 NP_("file cache version to create", ""), NULL },
152
153 { "addresses", 'A', arg_negative_flag, &addrs_flag,
154 NP_("request a ticket with no addresses", ""), NULL },
155
156 { "extra-addresses",'a', arg_strings, &extra_addresses,
157 NP_("include these extra addresses", ""), "addresses" },
158
159 { "anonymous", 'n', arg_flag, &anonymous_flag,
160 NP_("request an anonymous ticket", ""), NULL },
161
162 { "request-pac", 0, arg_flag, &pac_flag,
163 NP_("request a Windows PAC", ""), NULL },
164
165 { "password-file", 0, arg_string, &password_file,
166 NP_("read the password from a file", ""), NULL },
167
168 { "canonicalize",0, arg_flag, &canonicalize_flag,
169 NP_("canonicalize client principal", ""), NULL },
170
171 { "enterprise",0, arg_flag, &enterprise_flag,
172 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
173 #ifdef PKINIT
174 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
175 NP_("use enterprise name from certificate", ""), NULL },
176
177 { "pk-user", 'C', arg_string, &pk_user_id,
178 NP_("principal's public/private/certificate identifier", ""), "id" },
179
180 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
181 NP_("directory with CA certificates", ""), "directory" },
182
183 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
184 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
185 #endif
186 #ifndef NO_NTLM
187 { "ntlm-domain", 0, arg_string, &ntlm_domain,
188 NP_("NTLM domain", ""), "domain" },
189 #endif
190
191 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
192 NP_("switch the default cache to the new credentials cache", ""), NULL },
193
194 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
195 NP_("honor ok-as-delegate on tickets", ""), NULL },
196
197 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
198 NP_("use this credential cache as FAST armor cache", ""), "cache" },
199
200 { "use-referrals", 0, arg_flag, &use_referrals_flag,
201 NP_("only use referrals, no dns canalisation", ""), NULL },
202
203 { "windows", 0, arg_flag, &windows_flag,
204 NP_("get windows behavior", ""), NULL },
205
206 { "version", 0, arg_flag, &version_flag, NULL, NULL },
207 { "help", 0, arg_flag, &help_flag, NULL, NULL }
208 };
209
210 static char *
211 get_default_realm(krb5_context context);
212
213 static void
214 usage(int ret)
215 {
216 arg_printusage_i18n(args, sizeof(args)/sizeof(*args), N_("Usage: ", ""),
217 NULL, "[principal [command]]", getarg_i18n);
218 exit(ret);
219 }
220
221 static krb5_error_code
222 tgs_principal(krb5_context context,
223 krb5_ccache cache,
224 krb5_principal client,
225 krb5_const_realm tgs_realm,
226 krb5_principal *out_princ)
227 {
228 krb5_error_code ret;
229 krb5_principal tgs_princ;
230 krb5_creds creds;
231 krb5_creds *tick;
232 krb5_flags options;
233
234 ret = krb5_make_principal(context, &tgs_princ, tgs_realm,
235 KRB5_TGS_NAME, tgs_realm, NULL);
236 if (ret)
237 return ret;
238
239 /*
240 * Don't fail-over to a different realm just because a TGT expired
241 */
242 options = KRB5_GC_CACHED | KRB5_GC_EXPIRED_OK;
243
244 memset(&creds, 0, sizeof(creds));
245 creds.client = client;
246 creds.server = tgs_princ;
247 ret = krb5_get_credentials(context, options, cache, &creds, &tick);
248 if (ret == 0) {
249 krb5_free_creds(context, tick);
250 *out_princ = tgs_princ;
251 } else {
252 krb5_free_principal(context, tgs_princ);
253 }
254
255 return ret;
256 }
257
258
259 /*
260 * Try TGS specified with '-S',
261 * then TGS of client realm,
262 * then if fallback is FALSE: fail,
263 * otherwise try TGS of default realm,
264 * and finally first TGT in ccache.
265 */
266 static krb5_error_code
267 get_server(krb5_context context,
268 krb5_ccache cache,
269 krb5_principal client,
270 const char *server,
271 krb5_boolean fallback,
272 krb5_principal *princ)
273 {
274 krb5_error_code ret = 0;
275 krb5_const_realm realm;
276 krb5_realm def_realm;
277 krb5_cc_cursor cursor;
278 krb5_creds creds;
279 const char *pcomp;
280
281 if (tgs_service)
282 goto done;
283
284 if (server) {
285 ret = krb5_parse_name(context, server, &tgs_service);
286 goto done;
287 }
288
289 /* Try the client realm first */
290 realm = krb5_principal_get_realm(context, client);
291 ret = tgs_principal(context, cache, client, realm, &tgs_service);
292 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
293 goto done;
294
295 if (!fallback)
296 return ret;
297
298 /* Next try the default realm */
299 ret = krb5_get_default_realm(context, &def_realm);
300 if (ret)
301 return ret;
302 ret = tgs_principal(context, cache, client, def_realm, &tgs_service);
303 free(def_realm);
304 if (ret == 0 || ret != KRB5_CC_NOTFOUND)
305 goto done;
306
307 /* Finally try the first TGT with instance == realm in the cache */
308 ret = krb5_cc_start_seq_get(context, cache, &cursor);
309 if (ret)
310 return ret;
311
312 for (/**/; ret == 0; krb5_free_cred_contents (context, &creds)) {
313
314 ret = krb5_cc_next_cred(context, cache, &cursor, &creds);
315 if (ret)
316 break;
317 if (creds.server->name.name_string.len != 2)
318 continue;
319 pcomp = krb5_principal_get_comp_string(context, creds.server, 0);
320 if (strcmp(pcomp, KRB5_TGS_NAME) != 0)
321 continue;
322 realm = krb5_principal_get_realm(context, creds.server);
323 pcomp = krb5_principal_get_comp_string(context, creds.server, 1);
324 if (strcmp(realm, pcomp) != 0)
325 continue;
326 ret = krb5_copy_principal(context, creds.server, &tgs_service);
327 break;
328 }
329 if (ret == KRB5_CC_END) {
330 ret = KRB5_CC_NOTFOUND;
331 krb5_set_error_message(context, ret,
332 N_("Credential cache contains no TGTs", ""));
333 }
334 krb5_cc_end_seq_get(context, cache, &cursor);
335
336 done:
337 if (!ret)
338 ret = krb5_copy_principal(context, tgs_service, princ);
339 return ret;
340 }
341
342 static krb5_error_code
343 copy_configs(krb5_context context,
344 krb5_ccache dst,
345 krb5_ccache src,
346 krb5_principal start_ticket_server)
347 {
348 krb5_error_code ret;
349 const char *cfg_names[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL};
350 const char *cfg_names_w_pname[] = {"fast_avail", NULL};
351 krb5_data cfg_data;
352 size_t i;
353
354 for (i = 0; cfg_names[i]; i++) {
355 ret = krb5_cc_get_config(context, src, NULL, cfg_names[i], &cfg_data);
356 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
357 continue;
358 } else if (ret) {
359 krb5_warn(context, ret, "krb5_cc_get_config");
360 return ret;
361 }
362 ret = krb5_cc_set_config(context, dst, NULL, cfg_names[i], &cfg_data);
363 if (ret)
364 krb5_warn(context, ret, "krb5_cc_set_config");
365 }
366 for (i = 0; start_ticket_server && cfg_names_w_pname[i]; i++) {
367 ret = krb5_cc_get_config(context, src, start_ticket_server,
368 cfg_names_w_pname[i], &cfg_data);
369 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
370 continue;
371 } else if (ret) {
372 krb5_warn(context, ret, "krb5_cc_get_config");
373 return ret;
374 }
375 ret = krb5_cc_set_config(context, dst, start_ticket_server,
376 cfg_names_w_pname[i], &cfg_data);
377 if (ret && ret != KRB5_CC_NOTFOUND)
378 krb5_warn(context, ret, "krb5_cc_set_config");
379 }
380 /*
381 * We don't copy cc configs for any other principals though (mostly
382 * those are per-target time offsets and the like, so it's bad to
383 * lose them, but hardly the end of the world, and as they may not
384 * expire anyways, it's good to let them go).
385 */
386 return 0;
387 }
388
389 static krb5_error_code
390 get_anon_pkinit_tgs_name(krb5_context context,
391 krb5_ccache ccache,
392 krb5_principal *tgs_name)
393 {
394 krb5_error_code ret;
395 krb5_data data;
396 char *realm;
397
398 ret = krb5_cc_get_config(context, ccache, NULL, "anon_pkinit_realm", &data);
399 if (ret == 0)
400 realm = strndup(data.data, data.length);
401 else
402 realm = get_default_realm(context);
403
404 krb5_data_free(&data);
405
406 if (realm == NULL)
407 return krb5_enomem(context);
408
409 ret = krb5_make_principal(context, tgs_name, realm,
410 KRB5_TGS_NAME, realm, NULL);
411
412 free(realm);
413
414 return ret;
415 }
416
417 static krb5_error_code
418 renew_validate(krb5_context context,
419 int renew,
420 int validate,
421 krb5_ccache *cachep,
422 krb5_const_principal principal,
423 krb5_boolean cache_is_default_for,
424 const char *server,
425 krb5_deltat life)
426 {
427 krb5_error_code ret;
428 krb5_ccache tempccache = NULL;
429 krb5_ccache cache = *cachep;
430 krb5_creds in, *out = NULL;
431 krb5_kdc_flags flags;
432
433 memset(&in, 0, sizeof(in));
434
435 ret = krb5_cc_get_principal(context, cache, &in.client);
436 if (ret && cache_is_default_for && principal) {
437 krb5_error_code ret2;
438 krb5_ccache def_ccache = NULL;
439
440 ret2 = krb5_cc_default(context, &def_ccache);
441 if (ret2 == 0)
442 ret2 = krb5_cc_get_principal(context, def_ccache, &in.client);
443 if (ret2 == 0 &&
444 krb5_principal_compare(context, principal, in.client)) {
445 krb5_cc_close(context, *cachep);
446 *cachep = def_ccache;
447 def_ccache = NULL;
448 ret = 0;
449 }
450 krb5_cc_close(context, def_ccache);
451 }
452 if (ret) {
453 krb5_warn(context, ret, "krb5_cc_get_principal");
454 return ret;
455 }
456
457 if (principal && !krb5_principal_compare(context, principal, in.client)) {
458 char *ccname = NULL;
459
460 (void) krb5_cc_get_full_name(context, cache, &ccname);
461 krb5_errx(context, 1, "Credentials in cache %s do not match requested "
462 "principal", ccname ? ccname : "requested");
463 free(ccname);
464 }
465
466 if (server == NULL &&
467 krb5_principal_is_anonymous(context, in.client,
468 KRB5_ANON_MATCH_UNAUTHENTICATED))
469 ret = get_anon_pkinit_tgs_name(context, cache, &in.server);
470 else
471 ret = get_server(context, cache, in.client, server, TRUE, &in.server);
472 if (ret) {
473 krb5_warn(context, ret, "get_server");
474 goto out;
475 }
476
477 if (renew) {
478 /*
479 * no need to check the error here, it's only to be
480 * friendly to the user
481 */
482 krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
483 }
484
485 flags.i = 0;
486 flags.b.renewable = flags.b.renew = renew;
487 flags.b.validate = validate;
488
489 if (forwardable_flag != -1)
490 flags.b.forwardable = forwardable_flag;
491 else if (out)
492 flags.b.forwardable = out->flags.b.forwardable;
493
494 if (proxiable_flag != -1)
495 flags.b.proxiable = proxiable_flag;
496 else if (out)
497 flags.b.proxiable = out->flags.b.proxiable;
498
499 if (anonymous_flag)
500 flags.b.request_anonymous = anonymous_flag;
501 if (life)
502 in.times.endtime = time(NULL) + life;
503
504 if (out) {
505 krb5_free_creds(context, out);
506 out = NULL;
507 }
508
509
510 ret = krb5_get_kdc_cred(context,
511 cache,
512 flags,
513 NULL,
514 NULL,
515 &in,
516 &out);
517 if (ret) {
518 krb5_warn(context, ret, "krb5_get_kdc_cred");
519 goto out;
520 }
521
522 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, cache),
523 NULL, &tempccache);
524 if (ret) {
525 krb5_warn(context, ret, "krb5_cc_new_unique");
526 goto out;
527 }
528
529 ret = krb5_cc_initialize(context, tempccache, in.client);
530 if (ret) {
531 krb5_warn(context, ret, "krb5_cc_initialize");
532 goto out;
533 }
534
535 ret = krb5_cc_store_cred(context, tempccache, out);
536 if (ret) {
537 krb5_warn(context, ret, "krb5_cc_store_cred");
538 goto out;
539 }
540
541 /*
542 * We want to preserve cc configs as some are security-relevant, and
543 * anyways it's the friendly thing to do.
544 */
545 ret = copy_configs(context, tempccache, cache, out->server);
546 if (ret)
547 goto out;
548
549 ret = krb5_cc_move(context, tempccache, cache);
550 if (ret) {
551 krb5_warn(context, ret, "krb5_cc_move");
552 goto out;
553 }
554 tempccache = NULL;
555
556 out:
557 if (tempccache)
558 krb5_cc_destroy(context, tempccache);
559 if (out)
560 krb5_free_creds(context, out);
561 krb5_free_cred_contents(context, &in);
562 return ret;
563 }
564
565 #ifndef NO_NTLM
566
567 static krb5_error_code
568 store_ntlmkey(krb5_context context, krb5_ccache id,
569 const char *domain, struct ntlm_buf *buf)
570 {
571 krb5_error_code ret;
572 krb5_data data;
573 char *name;
574 int aret;
575
576 ret = krb5_cc_get_config(context, id, NULL, "default-ntlm-domain", &data);
577 if (ret == 0) {
578 krb5_data_free(&data);
579 } else {
580 data.length = strlen(domain);
581 data.data = rk_UNCONST(domain);
582 ret = krb5_cc_set_config(context, id, NULL, "default-ntlm-domain", &data);
583 if (ret != 0)
584 return ret;
585 }
586
587 aret = asprintf(&name, "ntlm-key-%s", domain);
588 if (aret == -1 || name == NULL)
589 return krb5_enomem(context);
590
591 data.length = buf->length;
592 data.data = buf->data;
593
594 ret = krb5_cc_set_config(context, id, NULL, name, &data);
595 free(name);
596 return ret;
597 }
598 #endif
599
600 static krb5_error_code
601 get_new_tickets(krb5_context context,
602 krb5_principal principal,
603 krb5_ccache ccache,
604 krb5_deltat ticket_life,
605 int interactive,
606 int anonymous_pkinit)
607 {
608 krb5_error_code ret;
609 krb5_creds cred;
610 char passwd[256];
611 krb5_deltat start_time = 0;
612 krb5_deltat renew = 0;
613 const char *renewstr = NULL;
614 krb5_enctype *enctype = NULL;
615 krb5_ccache tempccache = NULL;
616 krb5_init_creds_context ctx = NULL;
617 krb5_get_init_creds_opt *opt = NULL;
618 krb5_prompter_fct prompter = krb5_prompter_posix;
619 #ifndef NO_NTLM
620 struct ntlm_buf ntlmkey;
621 memset(&ntlmkey, 0, sizeof(ntlmkey));
622 #endif
623 passwd[0] = '\0';
624
625 if (!interactive)
626 prompter = NULL;
627
628 if (password_file) {
629 FILE *f;
630
631 if (strcasecmp("STDIN", password_file) == 0)
632 f = stdin;
633 else
634 f = fopen(password_file, "r");
635 if (f == NULL) {
636 krb5_warnx(context, N_("Failed to open the password file %s", ""),
637 password_file);
638 return errno;
639 }
640
641 if (fgets(passwd, sizeof(passwd), f) == NULL) {
642 krb5_warnx(context, N_("Failed to read password from file %s", ""),
643 password_file);
644 if (f != stdin)
645 fclose(f);
646 return EINVAL; /* XXX Need a better error */
647 }
648 if (f != stdin)
649 fclose(f);
650 passwd[strcspn(passwd, "\n")] = '\0';
651 }
652
653 #ifdef HAVE_FRAMEWORK_SECURITY
654 if (passwd[0] == '\0') {
655 const char *realm;
656 OSStatus osret;
657 UInt32 length;
658 void *buffer;
659 char *name;
660
661 realm = krb5_principal_get_realm(context, principal);
662
663 ret = krb5_unparse_name_flags(context, principal,
664 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
665 if (ret)
666 goto nopassword;
667
668 osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
669 strlen(name), name,
670 &length, &buffer, NULL);
671 free(name);
672 if (osret == noErr && length < sizeof(passwd) - 1) {
673 memcpy(passwd, buffer, length);
674 passwd[length] = '\0';
675 }
676 nopassword:
677 do { } while(0);
678 }
679 #endif
680
681 memset(&cred, 0, sizeof(cred));
682
683 ret = krb5_get_init_creds_opt_alloc(context, &opt);
684 if (ret) {
685 krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
686 goto out;
687 }
688
689 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
690 krb5_principal_get_realm(context, principal), opt);
691
692 if (forwardable_flag != -1)
693 krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
694 if (proxiable_flag != -1)
695 krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
696 if (anonymous_flag)
697 krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
698 if (pac_flag != -1)
699 krb5_get_init_creds_opt_set_pac_request(context, opt,
700 pac_flag ? TRUE : FALSE);
701 if (canonicalize_flag)
702 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
703 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
704 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
705 if (pk_user_id || ent_user_id || anonymous_pkinit) {
706 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
707 principal,
708 pk_user_id,
709 pk_x509_anchors,
710 NULL,
711 NULL,
712 pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 |
713 anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0,
714 prompter,
715 NULL,
716 passwd);
717 if (ret) {
718 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
719 goto out;
720 }
721 if (ent_user_id)
722 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
723 }
724
725 if (addrs_flag != -1)
726 krb5_get_init_creds_opt_set_addressless(context, opt,
727 addrs_flag ? FALSE : TRUE);
728
729 if (renew_life == NULL && renewable_flag)
730 renewstr = "6 months";
731 if (renew_life)
732 renewstr = renew_life;
733 if (renewstr) {
734 renew = parse_time(renewstr, "s");
735 if (renew < 0)
736 errx(1, "unparsable time: %s", renewstr);
737
738 krb5_get_init_creds_opt_set_renew_life(opt, renew);
739 }
740
741 if (ticket_life != 0)
742 krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
743
744 if (start_str) {
745 int tmp = parse_time(start_str, "s");
746 if (tmp < 0)
747 errx(1, N_("unparsable time: %s", ""), start_str);
748
749 start_time = tmp;
750 }
751
752 if (etype_str.num_strings) {
753 int i;
754
755 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
756 if (enctype == NULL)
757 errx(1, "out of memory");
758 for(i = 0; i < etype_str.num_strings; i++) {
759 ret = krb5_string_to_enctype(context,
760 etype_str.strings[i],
761 &enctype[i]);
762 if (ret)
763 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
764 }
765 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
766 etype_str.num_strings);
767 }
768
769 ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
770 if (ret) {
771 krb5_warn(context, ret, "krb5_init_creds_init");
772 goto out;
773 }
774
775 if (server_str) {
776 ret = krb5_init_creds_set_service(context, ctx, server_str);
777 if (ret) {
778 krb5_warn(context, ret, "krb5_init_creds_set_service");
779 goto out;
780 }
781 }
782
783 if (fast_armor_cache_string) {
784 krb5_ccache fastid;
785
786 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
787 if (ret) {
788 krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
789 goto out;
790 }
791
792 ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
793 if (ret) {
794 krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
795 goto out;
796 }
797 }
798
799 if (use_keytab || keytab_str) {
800 ret = krb5_init_creds_set_keytab(context, ctx, kt);
801 if (ret) {
802 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
803 goto out;
804 }
805 } else if (pk_user_id || ent_user_id ||
806 krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
807 /* nop */;
808 } else if (!interactive && passwd[0] == '\0') {
809 static int already_warned = 0;
810
811 if (!already_warned)
812 krb5_warnx(context, "Not interactive, failed to get "
813 "initial ticket");
814 krb5_get_init_creds_opt_free(context, opt);
815 already_warned = 1;
816 return 0;
817 } else {
818
819 if (passwd[0] == '\0') {
820 char *p, *prompt;
821 int aret = 0;
822
823 ret = krb5_unparse_name(context, principal, &p);
824 if (ret)
825 errx(1, "failed to generate passwd prompt: not enough memory");
826
827 aret = asprintf(&prompt, N_("%s's Password: ", ""), p);
828 free(p);
829 if (aret == -1)
830 errx(1, "failed to generate passwd prompt: not enough memory");
831
832 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
833 memset(passwd, 0, sizeof(passwd));
834 errx(1, "failed to read password");
835 }
836 free(prompt);
837 }
838
839 if (passwd[0]) {
840 ret = krb5_init_creds_set_password(context, ctx, passwd);
841 if (ret) {
842 krb5_warn(context, ret, "krb5_init_creds_set_password");
843 goto out;
844 }
845 }
846 }
847
848 ret = krb5_init_creds_get(context, ctx);
849
850 #ifndef NO_NTLM
851 if (ntlm_domain && passwd[0])
852 heim_ntlm_nt_key(passwd, &ntlmkey);
853 #endif
854 memset_s(passwd, sizeof(passwd), 0, sizeof(passwd));
855
856 switch(ret){
857 case 0:
858 break;
859 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
860 exit(1);
861 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
862 case KRB5KRB_AP_ERR_MODIFIED:
863 case KRB5KDC_ERR_PREAUTH_FAILED:
864 case KRB5_GET_IN_TKT_LOOP:
865 krb5_warnx(context, N_("Password incorrect", ""));
866 goto out;
867 case KRB5KRB_AP_ERR_V4_REPLY:
868 krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
869 goto out;
870 case KRB5KDC_ERR_KEY_EXPIRED:
871 krb5_warnx(context, N_("Password expired", ""));
872 goto out;
873 default:
874 krb5_warn(context, ret, "krb5_get_init_creds");
875 goto out;
876 }
877
878 krb5_process_last_request(context, opt, ctx);
879
880 ret = krb5_init_creds_get_creds(context, ctx, &cred);
881 if (ret) {
882 krb5_warn(context, ret, "krb5_init_creds_get_creds");
883 goto out;
884 }
885
886 if (ticket_life != 0) {
887 if (labs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
888 char life[64];
889 unparse_time_approx(cred.times.endtime - cred.times.starttime,
890 life, sizeof(life));
891 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
892 }
893 }
894 if (renew_life) {
895 if (labs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
896 char life[64];
897 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
898 life, sizeof(life));
899 krb5_warnx(context,
900 N_("NOTICE: ticket renewable lifetime is %s", ""),
901 life);
902 }
903 }
904 krb5_free_cred_contents(context, &cred);
905
906 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
907 NULL, &tempccache);
908 if (ret) {
909 krb5_warn(context, ret, "krb5_cc_new_unique");
910 goto out;
911 }
912
913 ret = krb5_init_creds_store(context, ctx, tempccache);
914 if (ret) {
915 krb5_warn(context, ret, "krb5_init_creds_store");
916 goto out;
917 }
918
919 krb5_init_creds_free(context, ctx);
920 ctx = NULL;
921
922 ret = krb5_cc_move(context, tempccache, ccache);
923 if (ret) {
924 krb5_warn(context, ret, "krb5_cc_move");
925 goto out;
926 }
927 tempccache = NULL;
928
929 if (switch_cache_flags)
930 krb5_cc_switch(context, ccache);
931
932 #ifndef NO_NTLM
933 if (ntlm_domain && ntlmkey.data)
934 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
935 #endif
936
937 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
938 unsigned char d = 0;
939 krb5_data data;
940
941 if (ok_as_delegate_flag || windows_flag)
942 d |= 1;
943 if (use_referrals_flag || windows_flag)
944 d |= 2;
945
946 data.length = 1;
947 data.data = &d;
948
949 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
950 }
951
952 if (anonymous_pkinit) {
953 krb5_data data;
954
955 data.length = strlen(principal->realm);
956 data.data = principal->realm;
957
958 krb5_cc_set_config(context, ccache, NULL, "anon_pkinit_realm", &data);
959 }
960
961 out:
962 krb5_get_init_creds_opt_free(context, opt);
963 if (ctx)
964 krb5_init_creds_free(context, ctx);
965 if (tempccache)
966 krb5_cc_destroy(context, tempccache);
967
968 if (enctype)
969 free(enctype);
970
971 return ret;
972 }
973
974 static time_t
975 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
976 const char *server, time_t *renew)
977 {
978 krb5_creds in_cred, *cred;
979 krb5_error_code ret;
980 time_t timeout;
981 time_t curtime;
982
983 memset(&in_cred, 0, sizeof(in_cred));
984
985 if (renew != NULL)
986 *renew = 0;
987
988 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
989 if (ret) {
990 krb5_warn(context, ret, "krb5_cc_get_principal");
991 return 0;
992 }
993
994 /* Determine TGS principal without fallback */
995 ret = get_server(context, cache, in_cred.client, server, FALSE,
996 &in_cred.server);
997 if (ret) {
998 krb5_free_principal(context, in_cred.client);
999 krb5_warn(context, ret, "get_server");
1000 return 0;
1001 }
1002
1003 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
1004 cache, &in_cred, &cred);
1005 krb5_free_principal(context, in_cred.client);
1006 krb5_free_principal(context, in_cred.server);
1007 if (ret) {
1008 krb5_warn(context, ret, "krb5_get_credentials");
1009 return 0;
1010 }
1011 curtime = time(NULL);
1012 timeout = cred->times.endtime - curtime;
1013 if (timeout < 0)
1014 timeout = 0;
1015 if (renew) {
1016 *renew = cred->times.renew_till - curtime;
1017 if (*renew < 0)
1018 *renew = 0;
1019 }
1020 krb5_free_creds(context, cred);
1021 return timeout;
1022 }
1023
1024 static time_t expire;
1025
1026 static char siginfo_msg[1024] = "No credentials\n";
1027
1028 static void
1029 update_siginfo_msg(time_t exp, const char *srv)
1030 {
1031 /* Note that exp is relative time */
1032 memset(siginfo_msg, 0, sizeof(siginfo_msg));
1033 memcpy(&siginfo_msg, "Updating...\n", sizeof("Updating...\n"));
1034 if (exp) {
1035 if (srv == NULL) {
1036 snprintf(siginfo_msg, sizeof(siginfo_msg),
1037 N_("kinit: TGT expires in %llu seconds\n", ""),
1038 (unsigned long long)expire);
1039 } else {
1040 snprintf(siginfo_msg, sizeof(siginfo_msg),
1041 N_("kinit: Ticket for %s expired\n", ""), srv);
1042 }
1043 return;
1044 }
1045
1046 /* Expired creds */
1047 if (srv == NULL) {
1048 snprintf(siginfo_msg, sizeof(siginfo_msg),
1049 N_("kinit: TGT expired\n", ""));
1050 } else {
1051 snprintf(siginfo_msg, sizeof(siginfo_msg),
1052 N_("kinit: Ticket for %s expired\n", ""), srv);
1053 }
1054 }
1055
1056 #ifdef HAVE_SIGACTION
1057 static void
1058 handle_siginfo(int sig)
1059 {
1060 struct iovec iov[2];
1061
1062 iov[0].iov_base = rk_UNCONST(siginfo_msg);
1063 iov[0].iov_len = strlen(siginfo_msg);
1064 iov[1].iov_base = "\n";
1065 iov[1].iov_len = 1;
1066
1067 writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
1068 }
1069 #endif
1070
1071 struct renew_ctx {
1072 krb5_context context;
1073 krb5_ccache ccache;
1074 krb5_principal principal;
1075 krb5_deltat ticket_life;
1076 krb5_deltat timeout;
1077 };
1078
1079 static time_t
1080 renew_func(void *ptr)
1081 {
1082 krb5_error_code ret;
1083 struct renew_ctx *ctx = ptr;
1084 time_t renew_expire;
1085 static time_t exp_delay = 1;
1086
1087 /*
1088 * NOTE: We count on the ccache implementation to notice changes to the
1089 * actual ccache filesystem/whatever objects. There should be no ccache
1090 * types for which this is not the case, but it might not hurt to
1091 * re-krb5_cc_resolve() after each successful renew_validate()/
1092 * get_new_tickets() call.
1093 */
1094
1095 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1096 server_str, &renew_expire);
1097
1098 /*
1099 * When a keytab is available to obtain new tickets, if we are within
1100 * half of the original ticket lifetime of the renew limit, get a new
1101 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
1102 * is zero by default (without a '-l' option) and cannot be used to
1103 * set the time scale on which we decide whether we're "close to the
1104 * renew limit".
1105 */
1106 if (use_keytab || keytab_str)
1107 expire += ctx->timeout;
1108 if (renew_expire > expire) {
1109 ret = renew_validate(ctx->context, 1, validate_flag, &ctx->ccache,
1110 NULL, FALSE, server_str, ctx->ticket_life);
1111 } else {
1112 ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
1113 ctx->ticket_life, 0, 0);
1114 }
1115 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
1116 server_str, &renew_expire);
1117
1118 #ifndef NO_AFS
1119 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1120 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
1121 #endif
1122
1123 update_siginfo_msg(expire, server_str);
1124
1125 /*
1126 * If our tickets have expired and we been able to either renew them
1127 * or obtain new tickets, then we still call this function but we use
1128 * an exponential backoff. This should take care of the case where
1129 * we are using stored credentials but the KDC has been unavailable
1130 * for some reason...
1131 */
1132
1133 if (expire < 1) {
1134 /*
1135 * We can't ask to keep spamming stderr but not syslog, so we warn
1136 * only once.
1137 */
1138 if (exp_delay == 1) {
1139 krb5_warnx(ctx->context, N_("NOTICE: Could not renew/refresh "
1140 "tickets", ""));
1141 }
1142 if (exp_delay < 7200)
1143 exp_delay += exp_delay / 2 + 1;
1144 return exp_delay;
1145 }
1146 exp_delay = 1;
1147
1148 return expire / 2 + 1;
1149 }
1150
1151 static void
1152 set_princ_realm(krb5_context context,
1153 krb5_principal principal,
1154 const char *realm)
1155 {
1156 krb5_error_code ret;
1157
1158 if ((ret = krb5_principal_set_realm(context, principal, realm)) != 0)
1159 krb5_err(context, 1, ret, "krb5_principal_set_realm");
1160 }
1161
1162 static void
1163 parse_name_realm(krb5_context context,
1164 const char *name,
1165 int flags,
1166 const char *realm,
1167 krb5_principal *princ)
1168 {
1169 krb5_error_code ret;
1170
1171 if (realm)
1172 flags |= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1173 if ((ret = krb5_parse_name_flags(context, name, flags, princ)) != 0)
1174 krb5_err(context, 1, ret, "krb5_parse_name_flags");
1175 if (realm && krb5_principal_get_realm(context, *princ) == NULL)
1176 set_princ_realm(context, *princ, realm);
1177 }
1178
1179 static char *
1180 get_default_realm(krb5_context context)
1181 {
1182 char *realm;
1183 krb5_error_code ret;
1184
1185 if ((ret = krb5_get_default_realm(context, &realm)) != 0)
1186 krb5_err(context, 1, ret, "krb5_get_default_realm");
1187 return realm;
1188 }
1189
1190 static void
1191 get_default_principal(krb5_context context, krb5_principal *princ)
1192 {
1193 krb5_error_code ret;
1194
1195 if ((ret = krb5_get_default_principal(context, princ)) != 0)
1196 krb5_err(context, 1, ret, "krb5_get_default_principal");
1197 }
1198
1199 static char *
1200 get_user_realm(krb5_context context)
1201 {
1202 krb5_error_code ret;
1203 char *user_realm = NULL;
1204
1205 /*
1206 * If memory allocation fails, we don't try to use the wrong realm,
1207 * that will trigger misleading error messages complicate support.
1208 */
1209 krb5_appdefault_string(context, "kinit", NULL, "user_realm", "",
1210 &user_realm);
1211 if (user_realm == NULL) {
1212 ret = krb5_enomem(context);
1213 krb5_err(context, 1, ret, "krb5_appdefault_string");
1214 }
1215
1216 if (*user_realm == 0) {
1217 free(user_realm);
1218 user_realm = NULL;
1219 }
1220
1221 return user_realm;
1222 }
1223
1224 static void
1225 get_princ(krb5_context context,
1226 krb5_principal *principal,
1227 const char *ccname,
1228 const char *name)
1229 {
1230 krb5_error_code ret = 0;
1231 krb5_principal tmp;
1232 int parseflags = 0;
1233 char *user_realm;
1234
1235 if (name == NULL) {
1236 krb5_ccache ccache = NULL;
1237
1238 /* If credential cache provides a client principal, use that. */
1239 if (ccname)
1240 ret = krb5_cc_resolve(context, ccname, &ccache);
1241 else
1242 ret = krb5_cc_default(context, &ccache);
1243 if (ret == 0)
1244 ret = krb5_cc_get_principal(context, ccache, principal);
1245 krb5_cc_close(context, ccache);
1246 if (ret == 0)
1247 return;
1248 }
1249
1250 user_realm = get_user_realm(context);
1251
1252 if (name) {
1253 if (enterprise_flag)
1254 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1255
1256 parse_name_realm(context, name, parseflags, user_realm, &tmp);
1257
1258 if (user_realm && krb5_principal_get_num_comp(context, tmp) > 1) {
1259 /* Principal is instance qualified, reparse with default realm. */
1260 krb5_free_principal(context, tmp);
1261 parse_name_realm(context, name, parseflags, NULL, principal);
1262 } else {
1263 *principal = tmp;
1264 }
1265 } else {
1266 get_default_principal(context, principal);
1267 if (user_realm)
1268 set_princ_realm(context, *principal, user_realm);
1269 }
1270
1271 if (user_realm)
1272 free(user_realm);
1273 }
1274
1275 static void
1276 get_princ_kt(krb5_context context,
1277 krb5_principal *principal,
1278 char *name)
1279 {
1280 krb5_error_code ret;
1281 krb5_principal tmp;
1282 krb5_ccache ccache;
1283 krb5_kt_cursor cursor;
1284 krb5_keytab_entry entry;
1285 char *def_realm;
1286
1287 if (name == NULL) {
1288 /*
1289 * If the credential cache exists and specifies a client principal,
1290 * use that.
1291 */
1292 if (krb5_cc_default(context, &ccache) == 0) {
1293 ret = krb5_cc_get_principal(context, ccache, principal);
1294 krb5_cc_close(context, ccache);
1295 if (ret == 0)
1296 return;
1297 }
1298 }
1299
1300 if (name) {
1301 /* If the principal specifies an explicit realm, just use that. */
1302 int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1303
1304 parse_name_realm(context, name, parseflags, NULL, &tmp);
1305 if (krb5_principal_get_realm(context, tmp) != NULL) {
1306 *principal = tmp;
1307 return;
1308 }
1309 } else {
1310 /* Otherwise, search keytab for bare name of the default principal. */
1311 get_default_principal(context, &tmp);
1312 set_princ_realm(context, tmp, NULL);
1313 }
1314
1315 def_realm = get_default_realm(context);
1316
1317 ret = krb5_kt_start_seq_get(context, kt, &cursor);
1318 if (ret)
1319 krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
1320
1321 while (ret == 0 &&
1322 krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
1323 const char *realm;
1324
1325 if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
1326 continue;
1327 if (*principal &&
1328 krb5_principal_compare(context, *principal, entry.principal))
1329 continue;
1330 /* The default realm takes precedence */
1331 realm = krb5_principal_get_realm(context, entry.principal);
1332 if (*principal && strcmp(def_realm, realm) == 0) {
1333 krb5_free_principal(context, *principal);
1334 ret = krb5_copy_principal(context, entry.principal, principal);
1335 break;
1336 }
1337 if (!*principal)
1338 ret = krb5_copy_principal(context, entry.principal, principal);
1339 }
1340 if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
1341 krb5_err(context, 1, ret, "get_princ_kt");
1342 if (!*principal) {
1343 if (name)
1344 parse_name_realm(context, name, 0, NULL, principal);
1345 else
1346 krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
1347 }
1348
1349 krb5_free_principal(context, tmp);
1350 free(def_realm);
1351 }
1352
1353 int
1354 main(int argc, char **argv)
1355 {
1356 krb5_error_code ret;
1357 krb5_context context;
1358 krb5_ccache ccache;
1359 krb5_principal principal = NULL;
1360 int optidx = 0;
1361 krb5_deltat ticket_life = 0;
1362 #ifdef HAVE_SIGACTION
1363 struct sigaction sa;
1364 #endif
1365 krb5_boolean unique_ccache = FALSE;
1366 krb5_boolean historical_anon_pkinit = FALSE;
1367 krb5_boolean default_for = FALSE;
1368 int anonymous_pkinit = FALSE;
1369
1370 setprogname(argv[0]);
1371
1372 setlocale(LC_ALL, "");
1373 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
1374 textdomain("heimdal_kuser");
1375
1376 ret = krb5_init_context(&context);
1377 if (ret == KRB5_CONFIG_BADFORMAT)
1378 errx(1, "krb5_init_context failed to parse configuration file");
1379 else if (ret)
1380 errx(1, "krb5_init_context failed: %d", ret);
1381
1382 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
1383 usage(1);
1384
1385 if (help_flag)
1386 usage(0);
1387
1388 if (version_flag) {
1389 print_version(NULL);
1390 exit(0);
1391 }
1392
1393 argc -= optidx;
1394 argv += optidx;
1395
1396 krb5_appdefault_boolean(context, "kinit", NULL, "historical_anon_pkinit",
1397 FALSE, &historical_anon_pkinit);
1398
1399 /*
1400 * Open the keytab now, we use the keytab to determine the principal's
1401 * realm when the requested principal has no realm.
1402 */
1403 if (use_keytab || keytab_str) {
1404 if (keytab_str)
1405 ret = krb5_kt_resolve(context, keytab_str, &kt);
1406 else
1407 ret = krb5_kt_default(context, &kt);
1408 if (ret)
1409 krb5_err(context, 1, ret, "resolving keytab");
1410 }
1411
1412 if (pk_enterprise_flag) {
1413 ret = krb5_pk_enterprise_cert(context, pk_user_id,
1414 argv[0], &principal,
1415 &ent_user_id);
1416 if (ret)
1417 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
1418
1419 pk_user_id = NULL;
1420
1421 } else if (anonymous_flag && argc && argv[0][0] == '@') {
1422 /* If principal argument as @REALM, try anonymous PKINIT */
1423
1424 ret = krb5_make_principal(context, &principal, &argv[0][1],
1425 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
1426 NULL);
1427 if (ret)
1428 krb5_err(context, 1, ret, "krb5_make_principal");
1429 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1430 anonymous_pkinit = TRUE;
1431 } else if (anonymous_flag && historical_anon_pkinit) {
1432 char *realm = argc == 0 ? get_default_realm(context) :
1433 argv[0][0] == '@' ? &argv[0][1] : argv[0];
1434
1435 ret = krb5_make_principal(context, &principal, realm,
1436 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME, NULL);
1437 if (ret)
1438 krb5_err(context, 1, ret, "krb5_make_principal");
1439 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1440 anonymous_pkinit = TRUE;
1441 } else if (use_keytab || keytab_str) {
1442 get_princ_kt(context, &principal, argv[0]);
1443 } else {
1444 get_princ(context, &principal, cred_cache, argv[0]);
1445 }
1446
1447 if (fcache_version)
1448 krb5_set_fcache_version(context, fcache_version);
1449
1450 if (renewable_flag == -1)
1451 /* this seems somewhat pointless, but whatever */
1452 krb5_appdefault_boolean(context, "kinit",
1453 krb5_principal_get_realm(context, principal),
1454 "renewable", FALSE, &renewable_flag);
1455 if (do_afslog == -1)
1456 krb5_appdefault_boolean(context, "kinit",
1457 krb5_principal_get_realm(context, principal),
1458 "afslog", TRUE, &do_afslog);
1459
1460 /*
1461 * Cases:
1462 *
1463 * - use the given ccache
1464 * - use a new unique ccache for running a command with (in this case we
1465 * get to set KRB5CCNAME, so a new unique ccache makes sense)
1466 * - use the default ccache for the given principal and maybe later switch
1467 * the collection's default/primary to it
1468 *
1469 * The important thing is that, except for the case where we're running a
1470 * command, we _can't set KRB5CCNAME_, and we can't expect the user to read
1471 * our output and figure out to set it (we could have an output-for-shell-
1472 * eval mode, like ssh-agent and such, but we don't). Therefore, in all
1473 * cases where we can't set KRB5CCNAME we must do something that makes
1474 * sense to the user, and that is to either initialize a given ccache, use
1475 * the default, or use a subsidiary ccache named after the principal whose
1476 * creds we're initializing.
1477 */
1478 if (cred_cache) {
1479 /* Use the given ccache */
1480 ret = krb5_cc_resolve(context, cred_cache, &ccache);
1481 } else if (argc > 1) {
1482 char s[1024];
1483
1484 /*
1485 * A command was given, so use a new unique ccache (and destroy it
1486 * later).
1487 */
1488 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
1489 if (ret)
1490 krb5_err(context, 1, ret, "creating cred cache");
1491 snprintf(s, sizeof(s), "%s:%s",
1492 krb5_cc_get_type(context, ccache),
1493 krb5_cc_get_name(context, ccache));
1494 setenv("KRB5CCNAME", s, 1);
1495 unique_ccache = TRUE;
1496 } else {
1497 ret = krb5_cc_default_for(context, principal, &ccache);
1498 default_for = TRUE;
1499 }
1500
1501 if (ret)
1502 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
1503
1504 #ifndef NO_AFS
1505 if (argc > 1 && k_hasafs())
1506 k_setpag();
1507 #endif
1508
1509 if (lifetime) {
1510 int tmp = parse_time(lifetime, "s");
1511 if (tmp < 0)
1512 errx(1, N_("unparsable time: %s", ""), lifetime);
1513
1514 ticket_life = tmp;
1515 }
1516
1517 if (addrs_flag == 0 && extra_addresses.num_strings > 0)
1518 krb5_errx(context, 1,
1519 N_("specifying both extra addresses and "
1520 "no addresses makes no sense", ""));
1521 {
1522 int i;
1523 krb5_addresses addresses;
1524 memset(&addresses, 0, sizeof(addresses));
1525 for(i = 0; i < extra_addresses.num_strings; i++) {
1526 ret = krb5_parse_address(context, extra_addresses.strings[i],
1527 &addresses);
1528 if (ret == 0) {
1529 krb5_add_extra_addresses(context, &addresses);
1530 krb5_free_addresses(context, &addresses);
1531 }
1532 }
1533 free_getarg_strings(&extra_addresses);
1534 }
1535
1536 if (renew_flag || validate_flag) {
1537 ret = renew_validate(context, renew_flag, validate_flag,
1538 &ccache, principal, default_for, server_str,
1539 ticket_life);
1540
1541 #ifndef NO_AFS
1542 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1543 krb5_afslog(context, ccache, NULL, NULL);
1544 #endif
1545
1546 if (unique_ccache)
1547 krb5_cc_destroy(context, ccache);
1548 exit(ret != 0);
1549 }
1550
1551 ret = get_new_tickets(context, principal, ccache, ticket_life,
1552 1, anonymous_pkinit);
1553 if (ret) {
1554 if (unique_ccache)
1555 krb5_cc_destroy(context, ccache);
1556 exit(1);
1557 }
1558
1559 #ifndef NO_AFS
1560 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1561 krb5_afslog(context, ccache, NULL, NULL);
1562 #endif
1563
1564 if (argc > 1) {
1565 struct renew_ctx ctx;
1566 time_t timeout;
1567
1568 timeout = ticket_lifetime(context, ccache, principal,
1569 server_str, NULL) / 2;
1570
1571 ctx.context = context;
1572 ctx.ccache = ccache;
1573 ctx.principal = principal;
1574 ctx.ticket_life = ticket_life;
1575 ctx.timeout = timeout;
1576
1577 #ifdef HAVE_SIGACTION
1578 memset(&sa, 0, sizeof(sa));
1579 sigemptyset(&sa.sa_mask);
1580 sa.sa_handler = handle_siginfo;
1581
1582 sigaction(SIGINFO, &sa, NULL);
1583 #endif
1584
1585 ret = simple_execvp_timed(argv[1], argv+1,
1586 renew_func, &ctx, timeout);
1587 #define EX_NOEXEC 126
1588 #define EX_NOTFOUND 127
1589 if (ret == EX_NOEXEC)
1590 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
1591 else if (ret == EX_NOTFOUND)
1592 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
1593
1594 krb5_cc_destroy(context, ccache);
1595 #ifndef NO_AFS
1596 if (k_hasafs())
1597 k_unlog();
1598 #endif
1599 } else {
1600 krb5_cc_close(context, ccache);
1601 ret = 0;
1602 }
1603 krb5_free_principal(context, principal);
1604 if (kt)
1605 krb5_kt_close(context, kt);
1606 krb5_free_context(context);
1607 return ret;
1608 }
Heimdal