search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert c1423a8 and fix things up
[heimdal.git] / kuser / kinit.c
blobac8cb30bf445826165d1c32b2c00bca5eb346b53
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37
38 #ifdef __APPLE__
39 #include <Security/Security.h>
40 #endif
41
42 #ifndef NO_NTLM
43 #include "heimntlm.h"
44 #endif
45
46 int forwardable_flag = -1;
47 int proxiable_flag = -1;
48 int renewable_flag = -1;
49 int renew_flag = 0;
50 int pac_flag = -1;
51 int validate_flag = 0;
52 int version_flag = 0;
53 int help_flag = 0;
54 int addrs_flag = -1;
55 struct getarg_strings extra_addresses;
56 int anonymous_flag = 0;
57 char *lifetime = NULL;
58 char *renew_life = NULL;
59 char *server_str = NULL;
60 char *cred_cache = NULL;
61 char *start_str = NULL;
62 static int switch_cache_flags = 1;
63 struct getarg_strings etype_str;
64 int use_keytab = 0;
65 char *keytab_str = NULL;
66 int do_afslog = -1;
67 int fcache_version;
68 char *password_file = NULL;
69 char *pk_user_id = NULL;
70 int pk_enterprise_flag = 0;
71 struct hx509_certs_data *ent_user_id = NULL;
72 char *pk_x509_anchors = NULL;
73 int pk_use_enckey = 0;
74 static int canonicalize_flag = 0;
75 static int enterprise_flag = 0;
76 static int ok_as_delegate_flag = 0;
77 static char *fast_armor_cache_string = NULL;
78 static int use_referrals_flag = 0;
79 static int windows_flag = 0;
80 #ifndef NO_NTLM
81 static char *ntlm_domain;
82 #endif
83
84
85 static struct getargs args[] = {
86 /*
87 * used by MIT
88 * a: ~A
89 * V: verbose
90 * F: ~f
91 * P: ~p
92 * C: v4 cache name?
93 * 5:
94 *
95 * old flags
96 * 4:
97 * 9:
98 */
99 { "afslog", 0 , arg_flag, &do_afslog,
100 NP_("obtain afs tokens", ""), NULL },
101
102 { "cache", 'c', arg_string, &cred_cache,
103 NP_("credentials cache", ""), "cachename" },
104
105 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
106 NP_("get tickets not forwardable", ""), NULL },
107
108 { NULL, 'f', arg_flag, &forwardable_flag,
109 NP_("get forwardable tickets", ""), NULL },
110
111 { "keytab", 't', arg_string, &keytab_str,
112 NP_("keytab to use", ""), "keytabname" },
113
114 { "lifetime", 'l', arg_string, &lifetime,
115 NP_("lifetime of tickets", ""), "time" },
116
117 { "proxiable", 'p', arg_flag, &proxiable_flag,
118 NP_("get proxiable tickets", ""), NULL },
119
120 { "renew", 'R', arg_flag, &renew_flag,
121 NP_("renew TGT", ""), NULL },
122
123 { "renewable", 0, arg_flag, &renewable_flag,
124 NP_("get renewable tickets", ""), NULL },
125
126 { "renewable-life", 'r', arg_string, &renew_life,
127 NP_("renewable lifetime of tickets", ""), "time" },
128
129 { "server", 'S', arg_string, &server_str,
130 NP_("server to get ticket for", ""), "principal" },
131
132 { "start-time", 's', arg_string, &start_str,
133 NP_("when ticket gets valid", ""), "time" },
134
135 { "use-keytab", 'k', arg_flag, &use_keytab,
136 NP_("get key from keytab", ""), NULL },
137
138 { "validate", 'v', arg_flag, &validate_flag,
139 NP_("validate TGT", ""), NULL },
140
141 { "enctypes", 'e', arg_strings, &etype_str,
142 NP_("encryption types to use", ""), "enctypes" },
143
144 { "fcache-version", 0, arg_integer, &fcache_version,
145 NP_("file cache version to create", ""), NULL },
146
147 { "addresses", 'A', arg_negative_flag, &addrs_flag,
148 NP_("request a ticket with no addresses", ""), NULL },
149
150 { "extra-addresses",'a', arg_strings, &extra_addresses,
151 NP_("include these extra addresses", ""), "addresses" },
152
153 { "anonymous", 0, arg_flag, &anonymous_flag,
154 NP_("request an anonymous ticket", ""), NULL },
155
156 { "request-pac", 0, arg_flag, &pac_flag,
157 NP_("request a Windows PAC", ""), NULL },
158
159 { "password-file", 0, arg_string, &password_file,
160 NP_("read the password from a file", ""), NULL },
161
162 { "canonicalize",0, arg_flag, &canonicalize_flag,
163 NP_("canonicalize client principal", ""), NULL },
164
165 { "enterprise",0, arg_flag, &enterprise_flag,
166 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
167 #ifdef PKINIT
168 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
169 NP_("use enterprise name from certificate", ""), NULL },
170
171 { "pk-user", 'C', arg_string, &pk_user_id,
172 NP_("principal's public/private/certificate identifier", ""), "id" },
173
174 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
175 NP_("directory with CA certificates", ""), "directory" },
176
177 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
178 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
179 #endif
180 #ifndef NO_NTLM
181 { "ntlm-domain", 0, arg_string, &ntlm_domain,
182 NP_("NTLM domain", ""), "domain" },
183 #endif
184
185 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
186 NP_("switch the default cache to the new credentials cache", ""), NULL },
187
188 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
189 NP_("honor ok-as-delegate on tickets", ""), NULL },
190
191 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
192 NP_("use this credential cache as FAST armor cache", ""), "cache" },
193
194 { "use-referrals", 0, arg_flag, &use_referrals_flag,
195 NP_("only use referrals, no dns canalisation", ""), NULL },
196
197 { "windows", 0, arg_flag, &windows_flag,
198 NP_("get windows behavior", ""), NULL },
199
200 { "version", 0, arg_flag, &version_flag, NULL, NULL },
201 { "help", 0, arg_flag, &help_flag, NULL, NULL }
202 };
203
204 static void
205 usage (int ret)
206 {
207 arg_printusage_i18n (args,
208 sizeof(args)/sizeof(*args),
209 N_("Usage: ", ""),
210 NULL,
211 "[principal [command]]",
212 getarg_i18n);
213 exit (ret);
214 }
215
216 static krb5_error_code
217 get_server(krb5_context context,
218 krb5_principal client,
219 const char *server,
220 krb5_principal *princ)
221 {
222 krb5_const_realm realm;
223 if(server)
224 return krb5_parse_name(context, server, princ);
225
226 realm = krb5_principal_get_realm(context, client);
227 return krb5_make_principal(context, princ, realm,
228 KRB5_TGS_NAME, realm, NULL);
229 }
230
231 static int
232 renew_validate(krb5_context context,
233 int renew,
234 int validate,
235 krb5_ccache cache,
236 const char *server,
237 krb5_deltat life)
238 {
239 krb5_error_code ret;
240 krb5_creds in, *out = NULL;
241 krb5_kdc_flags flags;
242
243 memset(&in, 0, sizeof(in));
244
245 ret = krb5_cc_get_principal(context, cache, &in.client);
246 if(ret) {
247 krb5_warn(context, ret, "krb5_cc_get_principal");
248 return ret;
249 }
250 ret = get_server(context, in.client, server, &in.server);
251 if(ret) {
252 krb5_warn(context, ret, "get_server");
253 goto out;
254 }
255
256 if (renew) {
257 /*
258 * no need to check the error here, it's only to be
259 * friendly to the user
260 */
261 krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
262 }
263
264 flags.i = 0;
265 flags.b.renewable = flags.b.renew = renew;
266 flags.b.validate = validate;
267
268 if (forwardable_flag != -1)
269 flags.b.forwardable = forwardable_flag;
270 else if (out)
271 flags.b.forwardable = out->flags.b.forwardable;
272
273 if (proxiable_flag != -1)
274 flags.b.proxiable = proxiable_flag;
275 else if (out)
276 flags.b.proxiable = out->flags.b.proxiable;
277
278 if (anonymous_flag)
279 flags.b.request_anonymous = anonymous_flag;
280 if(life)
281 in.times.endtime = time(NULL) + life;
282
283 if (out) {
284 krb5_free_creds (context, out);
285 out = NULL;
286 }
287
288
289 ret = krb5_get_kdc_cred(context,
290 cache,
291 flags,
292 NULL,
293 NULL,
294 &in,
295 &out);
296 if(ret) {
297 krb5_warn(context, ret, "krb5_get_kdc_cred");
298 goto out;
299 }
300 ret = krb5_cc_initialize(context, cache, in.client);
301 if(ret) {
302 krb5_free_creds (context, out);
303 krb5_warn(context, ret, "krb5_cc_initialize");
304 goto out;
305 }
306 ret = krb5_cc_store_cred(context, cache, out);
307
308 if(ret == 0 && server == NULL) {
309 /* only do this if it's a general renew-my-tgt request */
310 #ifndef NO_AFS
311 if(do_afslog && k_hasafs())
312 krb5_afslog(context, cache, NULL, NULL);
313 #endif
314 }
315
316 krb5_free_creds (context, out);
317 if(ret) {
318 krb5_warn(context, ret, "krb5_cc_store_cred");
319 goto out;
320 }
321 out:
322 krb5_free_cred_contents(context, &in);
323 return ret;
324 }
325
326 #ifndef NO_NTLM
327
328 static krb5_error_code
329 store_ntlmkey(krb5_context context, krb5_ccache id,
330 const char *domain, struct ntlm_buf *buf)
331 {
332 krb5_error_code ret;
333 krb5_data data;
334 char *name;
335 int aret;
336
337 aret = asprintf(&name, "ntlm-key-%s", domain);
338 if (aret == -1 || name == NULL) {
339 krb5_clear_error_message(context);
340 return ENOMEM;
341 }
342
343 data.length = buf->length;
344 data.data = buf->data;
345
346 ret = krb5_cc_set_config(context, id, NULL, name, &data);
347 free(name);
348 return ret;
349 }
350 #endif
351
352 static krb5_error_code
353 get_new_tickets(krb5_context context,
354 krb5_principal principal,
355 krb5_ccache ccache,
356 krb5_deltat ticket_life,
357 int interactive)
358 {
359 krb5_error_code ret;
360 krb5_get_init_creds_opt *opt;
361 krb5_creds cred;
362 char passwd[256];
363 krb5_deltat start_time = 0;
364 krb5_deltat renew = 0;
365 const char *renewstr = NULL;
366 krb5_enctype *enctype = NULL;
367 krb5_ccache tempccache;
368 krb5_keytab kt = NULL;
369 krb5_init_creds_context ctx;
370 #ifndef NO_NTLM
371 struct ntlm_buf ntlmkey;
372 memset(&ntlmkey, 0, sizeof(ntlmkey));
373 #endif
374 passwd[0] = '\0';
375
376 if (password_file) {
377 FILE *f;
378
379 if (strcasecmp("STDIN", password_file) == 0)
380 f = stdin;
381 else
382 f = fopen(password_file, "r");
383 if (f == NULL)
384 krb5_errx(context, 1, "Failed to open the password file %s",
385 password_file);
386
387 if (fgets(passwd, sizeof(passwd), f) == NULL)
388 krb5_errx(context, 1,
389 N_("Failed to read password from file %s", ""),
390 password_file);
391 if (f != stdin)
392 fclose(f);
393 passwd[strcspn(passwd, "\n")] = '\0';
394 }
395
396 #ifdef __APPLE__
397 if (passwd[0] == '\0') {
398 const char *realm;
399 OSStatus osret;
400 UInt32 length;
401 void *buffer;
402 char *name;
403
404 realm = krb5_principal_get_realm(context, principal);
405
406 ret = krb5_unparse_name_flags(context, principal,
407 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
408 if (ret)
409 goto nopassword;
410
411 osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
412 strlen(name), name,
413 &length, &buffer, NULL);
414 free(name);
415 if (osret == noErr && length < sizeof(passwd) - 1) {
416 memcpy(passwd, buffer, length);
417 passwd[length] = '\0';
418 }
419 nopassword:
420 do { } while(0);
421 }
422 #endif
423
424 memset(&cred, 0, sizeof(cred));
425
426 ret = krb5_get_init_creds_opt_alloc (context, &opt);
427 if (ret)
428 krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
429
430 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
431 krb5_principal_get_realm(context, principal), opt);
432
433 if(forwardable_flag != -1)
434 krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
435 if(proxiable_flag != -1)
436 krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
437 if(anonymous_flag)
438 krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
439 if (pac_flag != -1)
440 krb5_get_init_creds_opt_set_pac_request(context, opt,
441 pac_flag ? TRUE : FALSE);
442 if (canonicalize_flag)
443 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
444 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
445 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
446 if (pk_user_id || ent_user_id || anonymous_flag) {
447 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
448 principal,
449 pk_user_id,
450 pk_x509_anchors,
451 NULL,
452 NULL,
453 pk_use_enckey ? 2 : 0 |
454 anonymous_flag ? 4 : 0,
455 krb5_prompter_posix,
456 NULL,
457 passwd);
458 if (ret)
459 krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
460 if (ent_user_id)
461 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
462 }
463
464 if (addrs_flag != -1)
465 krb5_get_init_creds_opt_set_addressless(context, opt,
466 addrs_flag ? FALSE : TRUE);
467
468 if (renew_life == NULL && renewable_flag)
469 renewstr = "1 month";
470 if (renew_life)
471 renewstr = renew_life;
472 if (renewstr) {
473 renew = parse_time (renewstr, "s");
474 if (renew < 0)
475 errx (1, "unparsable time: %s", renewstr);
476
477 krb5_get_init_creds_opt_set_renew_life (opt, renew);
478 }
479
480 if(ticket_life != 0)
481 krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
482
483 if(start_str) {
484 int tmp = parse_time (start_str, "s");
485 if (tmp < 0)
486 errx (1, N_("unparsable time: %s", ""), start_str);
487
488 start_time = tmp;
489 }
490
491 if(etype_str.num_strings) {
492 int i;
493
494 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
495 if(enctype == NULL)
496 errx(1, "out of memory");
497 for(i = 0; i < etype_str.num_strings; i++) {
498 ret = krb5_string_to_enctype(context,
499 etype_str.strings[i],
500 &enctype[i]);
501 if(ret)
502 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
503 }
504 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
505 etype_str.num_strings);
506 }
507
508 ret = krb5_init_creds_init(context, principal, krb5_prompter_posix, NULL, start_time, opt, &ctx);
509 if (ret)
510 krb5_err(context, 1, ret, "krb5_init_creds_init");
511
512 if (server_str) {
513 ret = krb5_init_creds_set_service(context, ctx, server_str);
514 if (ret)
515 krb5_err(context, 1, ret, "krb5_init_creds_set_service");
516 }
517
518 if (fast_armor_cache_string) {
519 krb5_ccache fastid;
520
521 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
522 if (ret)
523 krb5_err(context, 1, ret, "krb5_cc_resolve(FAST cache)");
524
525 ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
526 if (ret)
527 krb5_err(context, 1, ret, "krb5_init_creds_set_fast_ccache");
528 }
529
530 if(use_keytab || keytab_str) {
531
532 if(keytab_str)
533 ret = krb5_kt_resolve(context, keytab_str, &kt);
534 else
535 ret = krb5_kt_default(context, &kt);
536 if (ret)
537 krb5_err(context, 1, ret, "resolving keytab");
538
539 ret = krb5_init_creds_set_keytab(context, ctx, kt);
540 if (ret)
541 krb5_err(context, 1, ret, "krb5_init_creds_set_keytab");
542
543 } else if (pk_user_id || ent_user_id || anonymous_flag) {
544
545 } else if (!interactive) {
546 static int already_warned = 0;
547
548 if (!already_warned)
549 krb5_warnx(context, "Not interactive, failed to get "
550 "initial ticket");
551 krb5_get_init_creds_opt_free(context, opt);
552 already_warned = 1;
553 return 0;
554 } else {
555
556 if (passwd[0] == '\0') {
557 char *p, *prompt;
558 int aret = 0;
559
560 ret = krb5_unparse_name (context, principal, &p);
561 if (!ret) {
562 aret = asprintf (&prompt, N_("%s's Password: ", ""), p);
563 free (p);
564 }
565 if (ret || aret == -1)
566 errx(1, "failed to generate passwd prompt: not enough memory");
567
568 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
569 memset(passwd, 0, sizeof(passwd));
570 errx(1, "failed to read password");
571 }
572 free (prompt);
573 }
574
575 if (passwd[0]) {
576 ret = krb5_init_creds_set_password(context, ctx, passwd);
577 if (ret)
578 krb5_err(context, 1, ret, "krb5_init_creds_set_password");
579 }
580 }
581
582 ret = krb5_init_creds_get(context, ctx);
583
584 #ifndef NO_NTLM
585 if (ntlm_domain && passwd[0])
586 heim_ntlm_nt_key(passwd, &ntlmkey);
587 #endif
588 memset(passwd, 0, sizeof(passwd));
589
590 switch(ret){
591 case 0:
592 break;
593 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
594 exit(1);
595 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
596 case KRB5KRB_AP_ERR_MODIFIED:
597 case KRB5KDC_ERR_PREAUTH_FAILED:
598 case KRB5_GET_IN_TKT_LOOP:
599 krb5_errx(context, 1, N_("Password incorrect", ""));
600 break;
601 case KRB5KRB_AP_ERR_V4_REPLY:
602 krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
603 break;
604 default:
605 krb5_err(context, 1, ret, "krb5_get_init_creds");
606 }
607
608 krb5_process_last_request(context, opt, ctx);
609
610 ret = krb5_init_creds_get_creds(context, ctx, &cred);
611 if (ret)
612 krb5_err(context, 1, ret, "krb5_init_creds_get_creds");
613
614 if(ticket_life != 0) {
615 if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
616 char life[64];
617 unparse_time_approx(cred.times.endtime - cred.times.starttime,
618 life, sizeof(life));
619 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
620 }
621 }
622 if(renew_life) {
623 if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
624 char life[64];
625 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
626 life, sizeof(life));
627 krb5_warnx(context,
628 N_("NOTICE: ticket renewable lifetime is %s", ""),
629 life);
630 }
631 }
632
633 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
634 NULL, &tempccache);
635 if (ret)
636 krb5_err (context, 1, ret, "krb5_cc_new_unique");
637
638 ret = krb5_init_creds_store(context, ctx, tempccache);
639 if (ret)
640 krb5_err(context, 1, ret, "krb5_init_creds_store");
641
642 krb5_init_creds_free(context, ctx);
643
644 ret = krb5_cc_move(context, tempccache, ccache);
645 if (ret)
646 krb5_err (context, 1, ret, "krb5_cc_move");
647
648 if (switch_cache_flags)
649 krb5_cc_switch(context, ccache);
650
651 #ifndef NO_NTLM
652 if (ntlm_domain && ntlmkey.data)
653 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
654 #endif
655
656 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
657 unsigned char d = 0;
658 krb5_data data;
659
660 if (ok_as_delegate_flag || windows_flag)
661 d |= 1;
662 if (use_referrals_flag || windows_flag)
663 d |= 2;
664
665 data.length = 1;
666 data.data = &d;
667
668 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
669 }
670
671 krb5_get_init_creds_opt_free(context, opt);
672
673 if (kt)
674 krb5_kt_close(context, kt);
675 if (enctype)
676 free(enctype);
677
678 return 0;
679 }
680
681 static time_t
682 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
683 const char *server, time_t *renew)
684 {
685 krb5_creds in_cred, *cred;
686 krb5_error_code ret;
687 time_t timeout;
688 time_t curtime;
689
690 memset(&in_cred, 0, sizeof(in_cred));
691
692 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
693 if(ret) {
694 krb5_warn(context, ret, "krb5_cc_get_principal");
695 return 0;
696 }
697 ret = get_server(context, in_cred.client, server, &in_cred.server);
698 if(ret) {
699 krb5_free_principal(context, in_cred.client);
700 krb5_warn(context, ret, "get_server");
701 return 0;
702 }
703
704 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
705 cache, &in_cred, &cred);
706 krb5_free_principal(context, in_cred.client);
707 krb5_free_principal(context, in_cred.server);
708 if(ret) {
709 krb5_warn(context, ret, "krb5_get_credentials");
710 return 0;
711 }
712 curtime = time(NULL);
713 timeout = cred->times.endtime - curtime;
714 if (timeout < 0)
715 timeout = 0;
716 if (renew) {
717 *renew = cred->times.renew_till - curtime;
718 if (*renew < 0)
719 *renew = 0;
720 }
721 krb5_free_creds(context, cred);
722 return timeout;
723 }
724
725 struct renew_ctx {
726 krb5_context context;
727 krb5_ccache ccache;
728 krb5_principal principal;
729 krb5_deltat ticket_life;
730 };
731
732 static time_t
733 renew_func(void *ptr)
734 {
735 struct renew_ctx *ctx = ptr;
736 time_t expire;
737 time_t renew_expire;
738 static time_t exp_delay = 1;
739
740 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
741 server_str, &renew_expire);
742
743 if (renew_expire > expire) {
744 renew_validate(ctx->context, 1, validate_flag, ctx->ccache,
745 server_str, ctx->ticket_life);
746 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
747 server_str, &renew_expire);
748 }
749
750 if (expire < ctx->ticket_life / 2) {
751 get_new_tickets(ctx->context, ctx->principal,
752 ctx->ccache, ctx->ticket_life, 0);
753 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
754 server_str, &renew_expire);
755 }
756
757 #ifndef NO_AFS
758 if(do_afslog && k_hasafs())
759 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
760 #endif
761
762 /*
763 * If our tickets have expired and we been able to either renew them
764 * or obtain new tickets, then we still call this function but we use
765 * an exponential backoff. This should take care of the case where
766 * we are using stored credentials but the KDC has been unavailable
767 * for some reason...
768 */
769
770 if (expire < 1) {
771 if (exp_delay < 7200)
772 exp_delay *= 2;
773 return exp_delay;
774 }
775 exp_delay = 1;
776
777 return expire / 2 + 1;
778 }
779
780 int
781 main (int argc, char **argv)
782 {
783 krb5_error_code ret;
784 krb5_context context;
785 krb5_ccache ccache;
786 krb5_principal principal;
787 int optidx = 0;
788 krb5_deltat ticket_life = 0;
789 int parseflags = 0;
790
791 setprogname (argv[0]);
792
793 setlocale (LC_ALL, "");
794 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR);
795 textdomain("heimdal_kuser");
796
797 ret = krb5_init_context (&context);
798 if (ret == KRB5_CONFIG_BADFORMAT)
799 errx (1, "krb5_init_context failed to parse configuration file");
800 else if (ret)
801 errx(1, "krb5_init_context failed: %d", ret);
802
803 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
804 usage(1);
805
806 if (help_flag)
807 usage (0);
808
809 if(version_flag) {
810 print_version(NULL);
811 exit(0);
812 }
813
814 argc -= optidx;
815 argv += optidx;
816
817 if (canonicalize_flag || enterprise_flag)
818 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
819
820 if (pk_enterprise_flag) {
821 ret = krb5_pk_enterprise_cert(context, pk_user_id,
822 argv[0], &principal,
823 &ent_user_id);
824 if (ret)
825 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
826
827 pk_user_id = NULL;
828
829 } else if (anonymous_flag) {
830
831 ret = krb5_make_principal(context, &principal, argv[0],
832 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
833 NULL);
834 if (ret)
835 krb5_err(context, 1, ret, "krb5_make_principal");
836 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
837
838 } else {
839 if (argv[0]) {
840 ret = krb5_parse_name_flags (context, argv[0], parseflags,
841 &principal);
842 if (ret)
843 krb5_err (context, 1, ret, "krb5_parse_name");
844 } else {
845 ret = krb5_get_default_principal (context, &principal);
846 if (ret)
847 krb5_err (context, 1, ret, "krb5_get_default_principal");
848 }
849 }
850
851 if(fcache_version)
852 krb5_set_fcache_version(context, fcache_version);
853
854 if(renewable_flag == -1)
855 /* this seems somewhat pointless, but whatever */
856 krb5_appdefault_boolean(context, "kinit",
857 krb5_principal_get_realm(context, principal),
858 "renewable", FALSE, &renewable_flag);
859 if(do_afslog == -1)
860 krb5_appdefault_boolean(context, "kinit",
861 krb5_principal_get_realm(context, principal),
862 "afslog", TRUE, &do_afslog);
863
864 if(cred_cache)
865 ret = krb5_cc_resolve(context, cred_cache, &ccache);
866 else {
867 if(argc > 1) {
868 char s[1024];
869 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
870 if(ret)
871 krb5_err(context, 1, ret, "creating cred cache");
872 snprintf(s, sizeof(s), "%s:%s",
873 krb5_cc_get_type(context, ccache),
874 krb5_cc_get_name(context, ccache));
875 setenv("KRB5CCNAME", s, 1);
876 } else {
877 ret = krb5_cc_cache_match(context, principal, &ccache);
878 if (ret) {
879 const char *type;
880 ret = krb5_cc_default (context, &ccache);
881 if (ret)
882 krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
883
884 /*
885 * Check if the type support switching, and we do,
886 * then do that instead over overwriting the current
887 * default credential
888 */
889 type = krb5_cc_get_type(context, ccache);
890 if (krb5_cc_support_switch(context, type)) {
891 krb5_cc_close(context, ccache);
892 ret = krb5_cc_new_unique(context, type, NULL, &ccache);
893 }
894 }
895 }
896 }
897 if (ret)
898 krb5_err (context, 1, ret, N_("resolving credentials cache", ""));
899
900 #ifndef NO_AFS
901 if(argc > 1 && k_hasafs ())
902 k_setpag();
903 #endif
904
905 if (lifetime) {
906 int tmp = parse_time (lifetime, "s");
907 if (tmp < 0)
908 errx (1, N_("unparsable time: %s", ""), lifetime);
909
910 ticket_life = tmp;
911 }
912
913 if(addrs_flag == 0 && extra_addresses.num_strings > 0)
914 krb5_errx(context, 1,
915 N_("specifying both extra addresses and "
916 "no addresses makes no sense", ""));
917 {
918 int i;
919 krb5_addresses addresses;
920 memset(&addresses, 0, sizeof(addresses));
921 for(i = 0; i < extra_addresses.num_strings; i++) {
922 ret = krb5_parse_address(context, extra_addresses.strings[i],
923 &addresses);
924 if (ret == 0) {
925 krb5_add_extra_addresses(context, &addresses);
926 krb5_free_addresses(context, &addresses);
927 }
928 }
929 free_getarg_strings(&extra_addresses);
930 }
931
932 if(renew_flag || validate_flag) {
933 ret = renew_validate(context, renew_flag, validate_flag,
934 ccache, server_str, ticket_life);
935 exit(ret != 0);
936 }
937
938 get_new_tickets(context, principal, ccache, ticket_life, 1);
939
940 #ifndef NO_AFS
941 if(do_afslog && k_hasafs())
942 krb5_afslog(context, ccache, NULL, NULL);
943 #endif
944 if(argc > 1) {
945 struct renew_ctx ctx;
946 time_t timeout;
947
948 timeout = ticket_lifetime(context, ccache, principal,
949 server_str, NULL) / 2;
950
951 ctx.context = context;
952 ctx.ccache = ccache;
953 ctx.principal = principal;
954 ctx.ticket_life = ticket_life;
955
956 ret = simple_execvp_timed(argv[1], argv+1,
957 renew_func, &ctx, timeout);
958 #define EX_NOEXEC 126
959 #define EX_NOTFOUND 127
960 if(ret == EX_NOEXEC)
961 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
962 else if(ret == EX_NOTFOUND)
963 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
964
965 krb5_cc_destroy(context, ccache);
966 #ifndef NO_AFS
967 if(k_hasafs())
968 k_unlog();
969 #endif
970 } else {
971 krb5_cc_close (context, ccache);
972 ret = 0;
973 }
974 krb5_free_principal(context, principal);
975 krb5_free_context (context);
976 return ret;
977 }
Heimdal