search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
kuser: use anon_pkinit_realm instead of anon-pkinit-realm
[heimdal.git] / kuser / kinit.c
blobb8244f7e23aae7d70605b72c26121a02235cd135
1 /*
2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 *
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 *
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
18 *
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33 * SUCH DAMAGE.
34 */
35
36 #include "kuser_locl.h"
37
38 #ifdef HAVE_FRAMEWORK_SECURITY
39 #include <Security/Security.h>
40 #endif
41
42 #ifndef NO_NTLM
43 #include "heimntlm.h"
44 #endif
45
46 #ifndef SIGINFO
47 #define SIGINFO SIGUSR1
48 #endif
49
50 int forwardable_flag = -1;
51 int proxiable_flag = -1;
52 int renewable_flag = -1;
53 int renew_flag = 0;
54 int pac_flag = -1;
55 int validate_flag = 0;
56 int version_flag = 0;
57 int help_flag = 0;
58 int addrs_flag = -1;
59 struct getarg_strings extra_addresses;
60 int anonymous_flag = 0;
61 char *lifetime = NULL;
62 char *renew_life = NULL;
63 char *server_str = NULL;
64 char *cred_cache = NULL;
65 char *start_str = NULL;
66 static int switch_cache_flags = 1;
67 struct getarg_strings etype_str;
68 int use_keytab = 0;
69 char *keytab_str = NULL;
70 static krb5_keytab kt = NULL;
71 int do_afslog = -1;
72 int fcache_version;
73 char *password_file = NULL;
74 char *pk_user_id = NULL;
75 int pk_enterprise_flag = 0;
76 struct hx509_certs_data *ent_user_id = NULL;
77 char *pk_x509_anchors = NULL;
78 int pk_use_enckey = 0;
79 static int canonicalize_flag = 0;
80 static int enterprise_flag = 0;
81 static int ok_as_delegate_flag = 0;
82 static char *fast_armor_cache_string = NULL;
83 static int use_referrals_flag = 0;
84 static int windows_flag = 0;
85 #ifndef NO_NTLM
86 static char *ntlm_domain;
87 #endif
88
89
90 static struct getargs args[] = {
91 /*
92 * used by MIT
93 * a: ~A
94 * V: verbose
95 * F: ~f
96 * P: ~p
97 * C: v4 cache name?
98 * 5:
99 *
100 * old flags
101 * 4:
102 * 9:
103 */
104 { "afslog", 0 , arg_flag, &do_afslog,
105 NP_("obtain afs tokens", ""), NULL },
106
107 { "cache", 'c', arg_string, &cred_cache,
108 NP_("credentials cache", ""), "cachename" },
109
110 { "forwardable", 'F', arg_negative_flag, &forwardable_flag,
111 NP_("get tickets not forwardable", ""), NULL },
112
113 { NULL, 'f', arg_flag, &forwardable_flag,
114 NP_("get forwardable tickets", ""), NULL },
115
116 { "keytab", 't', arg_string, &keytab_str,
117 NP_("keytab to use", ""), "keytabname" },
118
119 { "lifetime", 'l', arg_string, &lifetime,
120 NP_("lifetime of tickets", ""), "time" },
121
122 { "proxiable", 'p', arg_flag, &proxiable_flag,
123 NP_("get proxiable tickets", ""), NULL },
124
125 { "renew", 'R', arg_flag, &renew_flag,
126 NP_("renew TGT", ""), NULL },
127
128 { "renewable", 0, arg_flag, &renewable_flag,
129 NP_("get renewable tickets", ""), NULL },
130
131 { "renewable-life", 'r', arg_string, &renew_life,
132 NP_("renewable lifetime of tickets", ""), "time" },
133
134 { "server", 'S', arg_string, &server_str,
135 NP_("server to get ticket for", ""), "principal" },
136
137 { "start-time", 's', arg_string, &start_str,
138 NP_("when ticket gets valid", ""), "time" },
139
140 { "use-keytab", 'k', arg_flag, &use_keytab,
141 NP_("get key from keytab", ""), NULL },
142
143 { "validate", 'v', arg_flag, &validate_flag,
144 NP_("validate TGT", ""), NULL },
145
146 { "enctypes", 'e', arg_strings, &etype_str,
147 NP_("encryption types to use", ""), "enctypes" },
148
149 { "fcache-version", 0, arg_integer, &fcache_version,
150 NP_("file cache version to create", ""), NULL },
151
152 { "addresses", 'A', arg_negative_flag, &addrs_flag,
153 NP_("request a ticket with no addresses", ""), NULL },
154
155 { "extra-addresses",'a', arg_strings, &extra_addresses,
156 NP_("include these extra addresses", ""), "addresses" },
157
158 { "anonymous", 'n', arg_flag, &anonymous_flag,
159 NP_("request an anonymous ticket", ""), NULL },
160
161 { "request-pac", 0, arg_flag, &pac_flag,
162 NP_("request a Windows PAC", ""), NULL },
163
164 { "password-file", 0, arg_string, &password_file,
165 NP_("read the password from a file", ""), NULL },
166
167 { "canonicalize",0, arg_flag, &canonicalize_flag,
168 NP_("canonicalize client principal", ""), NULL },
169
170 { "enterprise",0, arg_flag, &enterprise_flag,
171 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL },
172 #ifdef PKINIT
173 { "pk-enterprise", 0, arg_flag, &pk_enterprise_flag,
174 NP_("use enterprise name from certificate", ""), NULL },
175
176 { "pk-user", 'C', arg_string, &pk_user_id,
177 NP_("principal's public/private/certificate identifier", ""), "id" },
178
179 { "x509-anchors", 'D', arg_string, &pk_x509_anchors,
180 NP_("directory with CA certificates", ""), "directory" },
181
182 { "pk-use-enckey", 0, arg_flag, &pk_use_enckey,
183 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL },
184 #endif
185 #ifndef NO_NTLM
186 { "ntlm-domain", 0, arg_string, &ntlm_domain,
187 NP_("NTLM domain", ""), "domain" },
188 #endif
189
190 { "change-default", 0, arg_negative_flag, &switch_cache_flags,
191 NP_("switch the default cache to the new credentials cache", ""), NULL },
192
193 { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
194 NP_("honor ok-as-delegate on tickets", ""), NULL },
195
196 { "fast-armor-cache", 0, arg_string, &fast_armor_cache_string,
197 NP_("use this credential cache as FAST armor cache", ""), "cache" },
198
199 { "use-referrals", 0, arg_flag, &use_referrals_flag,
200 NP_("only use referrals, no dns canalisation", ""), NULL },
201
202 { "windows", 0, arg_flag, &windows_flag,
203 NP_("get windows behavior", ""), NULL },
204
205 { "version", 0, arg_flag, &version_flag, NULL, NULL },
206 { "help", 0, arg_flag, &help_flag, NULL, NULL }
207 };
208
209 static char *
210 get_default_realm(krb5_context context);
211
212 static void
213 usage(int ret)
214 {
215 arg_printusage_i18n(args, sizeof(args)/sizeof(*args), N_("Usage: ", ""),
216 NULL, "[principal [command]]", getarg_i18n);
217 exit(ret);
218 }
219
220 static krb5_error_code
221 get_server(krb5_context context,
222 krb5_principal client,
223 const char *server,
224 krb5_principal *princ)
225 {
226 krb5_const_realm realm;
227 if (server)
228 return krb5_parse_name(context, server, princ);
229
230 realm = krb5_principal_get_realm(context, client);
231 return krb5_make_principal(context, princ, realm,
232 KRB5_TGS_NAME, realm, NULL);
233 }
234
235 static krb5_error_code
236 copy_configs(krb5_context context,
237 krb5_ccache dst,
238 krb5_ccache src,
239 krb5_principal start_ticket_server)
240 {
241 krb5_error_code ret;
242 const char *cfg_names[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL};
243 const char *cfg_names_w_pname[] = {"fast_avail", NULL};
244 krb5_data cfg_data;
245 size_t i;
246
247 for (i = 0; cfg_names[i]; i++) {
248 ret = krb5_cc_get_config(context, src, NULL, cfg_names[i], &cfg_data);
249 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
250 continue;
251 } else if (ret) {
252 krb5_warn(context, ret, "krb5_cc_get_config");
253 return ret;
254 }
255 ret = krb5_cc_set_config(context, dst, NULL, cfg_names[i], &cfg_data);
256 if (ret)
257 krb5_warn(context, ret, "krb5_cc_set_config");
258 }
259 for (i = 0; start_ticket_server && cfg_names_w_pname[i]; i++) {
260 ret = krb5_cc_get_config(context, src, start_ticket_server,
261 cfg_names_w_pname[i], &cfg_data);
262 if (ret == KRB5_CC_NOTFOUND || ret == KRB5_CC_END) {
263 continue;
264 } else if (ret) {
265 krb5_warn(context, ret, "krb5_cc_get_config");
266 return ret;
267 }
268 ret = krb5_cc_set_config(context, dst, start_ticket_server,
269 cfg_names_w_pname[i], &cfg_data);
270 if (ret && ret != KRB5_CC_NOTFOUND)
271 krb5_warn(context, ret, "krb5_cc_set_config");
272 }
273 /*
274 * We don't copy cc configs for any other principals though (mostly
275 * those are per-target time offsets and the like, so it's bad to
276 * lose them, but hardly the end of the world, and as they may not
277 * expire anyways, it's good to let them go).
278 */
279 return 0;
280 }
281
282 static krb5_error_code
283 get_anon_pkinit_tgs_name(krb5_context context,
284 krb5_ccache ccache,
285 krb5_principal *tgs_name)
286 {
287 krb5_error_code ret;
288 krb5_data data;
289 char *realm;
290
291 ret = krb5_cc_get_config(context, ccache, NULL, "anon_pkinit_realm", &data);
292 if (ret == 0)
293 realm = strndup(data.data, data.length);
294 else
295 realm = get_default_realm(context);
296
297 krb5_data_free(&data);
298
299 if (realm == NULL)
300 return krb5_enomem(context);
301
302 ret = krb5_make_principal(context, tgs_name, realm,
303 KRB5_TGS_NAME, realm, NULL);
304
305 free(realm);
306
307 return ret;
308 }
309
310 static krb5_error_code
311 renew_validate(krb5_context context,
312 int renew,
313 int validate,
314 krb5_ccache cache,
315 const char *server,
316 krb5_deltat life)
317 {
318 krb5_error_code ret;
319 krb5_ccache tempccache = NULL;
320 krb5_creds in, *out = NULL;
321 krb5_kdc_flags flags;
322
323 memset(&in, 0, sizeof(in));
324
325 ret = krb5_cc_get_principal(context, cache, &in.client);
326 if (ret) {
327 krb5_warn(context, ret, "krb5_cc_get_principal");
328 return ret;
329 }
330
331 if (server == NULL &&
332 krb5_principal_is_anonymous(context, in.client,
333 KRB5_ANON_MATCH_UNAUTHENTICATED))
334 ret = get_anon_pkinit_tgs_name(context, cache, &in.server);
335 else
336 ret = get_server(context, in.client, server, &in.server);
337 if (ret) {
338 krb5_warn(context, ret, "get_server");
339 goto out;
340 }
341
342 if (renew) {
343 /*
344 * no need to check the error here, it's only to be
345 * friendly to the user
346 */
347 krb5_get_credentials(context, KRB5_GC_CACHED, cache, &in, &out);
348 }
349
350 flags.i = 0;
351 flags.b.renewable = flags.b.renew = renew;
352 flags.b.validate = validate;
353
354 if (forwardable_flag != -1)
355 flags.b.forwardable = forwardable_flag;
356 else if (out)
357 flags.b.forwardable = out->flags.b.forwardable;
358
359 if (proxiable_flag != -1)
360 flags.b.proxiable = proxiable_flag;
361 else if (out)
362 flags.b.proxiable = out->flags.b.proxiable;
363
364 if (anonymous_flag)
365 flags.b.request_anonymous = anonymous_flag;
366 if (life)
367 in.times.endtime = time(NULL) + life;
368
369 if (out) {
370 krb5_free_creds(context, out);
371 out = NULL;
372 }
373
374
375 ret = krb5_get_kdc_cred(context,
376 cache,
377 flags,
378 NULL,
379 NULL,
380 &in,
381 &out);
382 if (ret) {
383 krb5_warn(context, ret, "krb5_get_kdc_cred");
384 goto out;
385 }
386
387 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, cache),
388 NULL, &tempccache);
389 if (ret) {
390 krb5_warn(context, ret, "krb5_cc_new_unique");
391 goto out;
392 }
393
394 ret = krb5_cc_initialize(context, tempccache, in.client);
395 if (ret) {
396 krb5_warn(context, ret, "krb5_cc_initialize");
397 goto out;
398 }
399
400 ret = krb5_cc_store_cred(context, tempccache, out);
401 if (ret) {
402 krb5_warn(context, ret, "krb5_cc_store_cred");
403 goto out;
404 }
405
406 /*
407 * We want to preserve cc configs as some are security-relevant, and
408 * anyways it's the friendly thing to do.
409 */
410 ret = copy_configs(context, tempccache, cache, out->server);
411 if (ret)
412 goto out;
413
414 ret = krb5_cc_move(context, tempccache, cache);
415 if (ret) {
416 krb5_warn(context, ret, "krb5_cc_move");
417 goto out;
418 }
419 tempccache = NULL;
420
421 out:
422 if (tempccache)
423 krb5_cc_destroy(context, tempccache);
424 if (out)
425 krb5_free_creds(context, out);
426 krb5_free_cred_contents(context, &in);
427 return ret;
428 }
429
430 #ifndef NO_NTLM
431
432 static krb5_error_code
433 store_ntlmkey(krb5_context context, krb5_ccache id,
434 const char *domain, struct ntlm_buf *buf)
435 {
436 krb5_error_code ret;
437 krb5_data data;
438 char *name;
439 int aret;
440
441 ret = krb5_cc_get_config(context, id, NULL, "default-ntlm-domain", &data);
442 if (ret == 0) {
443 krb5_data_free(&data);
444 } else {
445 data.length = strlen(domain);
446 data.data = rk_UNCONST(domain);
447 ret = krb5_cc_set_config(context, id, NULL, "default-ntlm-domain", &data);
448 if (ret != 0)
449 return ret;
450 }
451
452 aret = asprintf(&name, "ntlm-key-%s", domain);
453 if (aret == -1 || name == NULL)
454 return krb5_enomem(context);
455
456 data.length = buf->length;
457 data.data = buf->data;
458
459 ret = krb5_cc_set_config(context, id, NULL, name, &data);
460 free(name);
461 return ret;
462 }
463 #endif
464
465 static krb5_error_code
466 get_new_tickets(krb5_context context,
467 krb5_principal principal,
468 krb5_ccache ccache,
469 krb5_deltat ticket_life,
470 int interactive,
471 int anonymous_pkinit)
472 {
473 krb5_error_code ret;
474 krb5_creds cred;
475 char passwd[256];
476 krb5_deltat start_time = 0;
477 krb5_deltat renew = 0;
478 const char *renewstr = NULL;
479 krb5_enctype *enctype = NULL;
480 krb5_ccache tempccache = NULL;
481 krb5_init_creds_context ctx = NULL;
482 krb5_get_init_creds_opt *opt = NULL;
483 krb5_prompter_fct prompter = krb5_prompter_posix;
484 #ifndef NO_NTLM
485 struct ntlm_buf ntlmkey;
486 memset(&ntlmkey, 0, sizeof(ntlmkey));
487 #endif
488 passwd[0] = '\0';
489
490 if (!interactive)
491 prompter = NULL;
492
493 if (password_file) {
494 FILE *f;
495
496 if (strcasecmp("STDIN", password_file) == 0)
497 f = stdin;
498 else
499 f = fopen(password_file, "r");
500 if (f == NULL) {
501 krb5_warnx(context, N_("Failed to open the password file %s", ""),
502 password_file);
503 return errno;
504 }
505
506 if (fgets(passwd, sizeof(passwd), f) == NULL) {
507 krb5_warnx(context, N_("Failed to read password from file %s", ""),
508 password_file);
509 if (f != stdin)
510 fclose(f);
511 return EINVAL; /* XXX Need a better error */
512 }
513 if (f != stdin)
514 fclose(f);
515 passwd[strcspn(passwd, "\n")] = '\0';
516 }
517
518 #ifdef HAVE_FRAMEWORK_SECURITY
519 if (passwd[0] == '\0') {
520 const char *realm;
521 OSStatus osret;
522 UInt32 length;
523 void *buffer;
524 char *name;
525
526 realm = krb5_principal_get_realm(context, principal);
527
528 ret = krb5_unparse_name_flags(context, principal,
529 KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
530 if (ret)
531 goto nopassword;
532
533 osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
534 strlen(name), name,
535 &length, &buffer, NULL);
536 free(name);
537 if (osret == noErr && length < sizeof(passwd) - 1) {
538 memcpy(passwd, buffer, length);
539 passwd[length] = '\0';
540 }
541 nopassword:
542 do { } while(0);
543 }
544 #endif
545
546 memset(&cred, 0, sizeof(cred));
547
548 ret = krb5_get_init_creds_opt_alloc(context, &opt);
549 if (ret) {
550 krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
551 goto out;
552 }
553
554 krb5_get_init_creds_opt_set_default_flags(context, "kinit",
555 krb5_principal_get_realm(context, principal), opt);
556
557 if (forwardable_flag != -1)
558 krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
559 if (proxiable_flag != -1)
560 krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
561 if (anonymous_flag)
562 krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
563 if (pac_flag != -1)
564 krb5_get_init_creds_opt_set_pac_request(context, opt,
565 pac_flag ? TRUE : FALSE);
566 if (canonicalize_flag)
567 krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
568 if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
569 krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
570 if (pk_user_id || ent_user_id || anonymous_pkinit) {
571 ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
572 principal,
573 pk_user_id,
574 pk_x509_anchors,
575 NULL,
576 NULL,
577 pk_use_enckey ? KRB5_GIC_OPT_PKINIT_USE_ENCKEY : 0 |
578 anonymous_pkinit ? KRB5_GIC_OPT_PKINIT_ANONYMOUS : 0,
579 prompter,
580 NULL,
581 passwd);
582 if (ret) {
583 krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
584 goto out;
585 }
586 if (ent_user_id)
587 krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
588 }
589
590 if (addrs_flag != -1)
591 krb5_get_init_creds_opt_set_addressless(context, opt,
592 addrs_flag ? FALSE : TRUE);
593
594 if (renew_life == NULL && renewable_flag)
595 renewstr = "6 months";
596 if (renew_life)
597 renewstr = renew_life;
598 if (renewstr) {
599 renew = parse_time(renewstr, "s");
600 if (renew < 0)
601 errx(1, "unparsable time: %s", renewstr);
602
603 krb5_get_init_creds_opt_set_renew_life(opt, renew);
604 }
605
606 if (ticket_life != 0)
607 krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
608
609 if (start_str) {
610 int tmp = parse_time(start_str, "s");
611 if (tmp < 0)
612 errx(1, N_("unparsable time: %s", ""), start_str);
613
614 start_time = tmp;
615 }
616
617 if (etype_str.num_strings) {
618 int i;
619
620 enctype = malloc(etype_str.num_strings * sizeof(*enctype));
621 if (enctype == NULL)
622 errx(1, "out of memory");
623 for(i = 0; i < etype_str.num_strings; i++) {
624 ret = krb5_string_to_enctype(context,
625 etype_str.strings[i],
626 &enctype[i]);
627 if (ret)
628 errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
629 }
630 krb5_get_init_creds_opt_set_etype_list(opt, enctype,
631 etype_str.num_strings);
632 }
633
634 ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
635 if (ret) {
636 krb5_warn(context, ret, "krb5_init_creds_init");
637 goto out;
638 }
639
640 if (server_str) {
641 ret = krb5_init_creds_set_service(context, ctx, server_str);
642 if (ret) {
643 krb5_warn(context, ret, "krb5_init_creds_set_service");
644 goto out;
645 }
646 }
647
648 if (fast_armor_cache_string) {
649 krb5_ccache fastid;
650
651 ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
652 if (ret) {
653 krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
654 goto out;
655 }
656
657 ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
658 if (ret) {
659 krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
660 goto out;
661 }
662 }
663
664 if (use_keytab || keytab_str) {
665 ret = krb5_init_creds_set_keytab(context, ctx, kt);
666 if (ret) {
667 krb5_warn(context, ret, "krb5_init_creds_set_keytab");
668 goto out;
669 }
670 } else if (pk_user_id || ent_user_id ||
671 krb5_principal_is_anonymous(context, principal, KRB5_ANON_MATCH_ANY)) {
672
673 } else if (!interactive && passwd[0] == '\0') {
674 static int already_warned = 0;
675
676 if (!already_warned)
677 krb5_warnx(context, "Not interactive, failed to get "
678 "initial ticket");
679 krb5_get_init_creds_opt_free(context, opt);
680 already_warned = 1;
681 return 0;
682 } else {
683
684 if (passwd[0] == '\0') {
685 char *p, *prompt;
686 int aret = 0;
687
688 ret = krb5_unparse_name(context, principal, &p);
689 if (ret)
690 errx(1, "failed to generate passwd prompt: not enough memory");
691
692 aret = asprintf(&prompt, N_("%s's Password: ", ""), p);
693 free(p);
694 if (aret == -1)
695 errx(1, "failed to generate passwd prompt: not enough memory");
696
697 if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
698 memset(passwd, 0, sizeof(passwd));
699 errx(1, "failed to read password");
700 }
701 free(prompt);
702 }
703
704 if (passwd[0]) {
705 ret = krb5_init_creds_set_password(context, ctx, passwd);
706 if (ret) {
707 krb5_warn(context, ret, "krb5_init_creds_set_password");
708 goto out;
709 }
710 }
711 }
712
713 ret = krb5_init_creds_get(context, ctx);
714
715 #ifndef NO_NTLM
716 if (ntlm_domain && passwd[0])
717 heim_ntlm_nt_key(passwd, &ntlmkey);
718 #endif
719 memset_s(passwd, sizeof(passwd), 0, sizeof(passwd));
720
721 switch(ret){
722 case 0:
723 break;
724 case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
725 exit(1);
726 case KRB5KRB_AP_ERR_BAD_INTEGRITY:
727 case KRB5KRB_AP_ERR_MODIFIED:
728 case KRB5KDC_ERR_PREAUTH_FAILED:
729 case KRB5_GET_IN_TKT_LOOP:
730 krb5_warnx(context, N_("Password incorrect", ""));
731 goto out;
732 case KRB5KRB_AP_ERR_V4_REPLY:
733 krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
734 goto out;
735 case KRB5KDC_ERR_KEY_EXPIRED:
736 krb5_warnx(context, N_("Password expired", ""));
737 goto out;
738 default:
739 krb5_warn(context, ret, "krb5_get_init_creds");
740 goto out;
741 }
742
743 krb5_process_last_request(context, opt, ctx);
744
745 ret = krb5_init_creds_get_creds(context, ctx, &cred);
746 if (ret) {
747 krb5_warn(context, ret, "krb5_init_creds_get_creds");
748 goto out;
749 }
750
751 if (ticket_life != 0) {
752 if (labs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
753 char life[64];
754 unparse_time_approx(cred.times.endtime - cred.times.starttime,
755 life, sizeof(life));
756 krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
757 }
758 }
759 if (renew_life) {
760 if (labs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
761 char life[64];
762 unparse_time_approx(cred.times.renew_till - cred.times.starttime,
763 life, sizeof(life));
764 krb5_warnx(context,
765 N_("NOTICE: ticket renewable lifetime is %s", ""),
766 life);
767 }
768 }
769 krb5_free_cred_contents(context, &cred);
770
771 ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
772 NULL, &tempccache);
773 if (ret) {
774 krb5_warn(context, ret, "krb5_cc_new_unique");
775 goto out;
776 }
777
778 ret = krb5_init_creds_store(context, ctx, tempccache);
779 if (ret) {
780 krb5_warn(context, ret, "krb5_init_creds_store");
781 goto out;
782 }
783
784 krb5_init_creds_free(context, ctx);
785 ctx = NULL;
786
787 ret = krb5_cc_move(context, tempccache, ccache);
788 if (ret) {
789 krb5_warn(context, ret, "krb5_cc_move");
790 goto out;
791 }
792 tempccache = NULL;
793
794 if (switch_cache_flags)
795 krb5_cc_switch(context, ccache);
796
797 #ifndef NO_NTLM
798 if (ntlm_domain && ntlmkey.data)
799 store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
800 #endif
801
802 if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
803 unsigned char d = 0;
804 krb5_data data;
805
806 if (ok_as_delegate_flag || windows_flag)
807 d |= 1;
808 if (use_referrals_flag || windows_flag)
809 d |= 2;
810
811 data.length = 1;
812 data.data = &d;
813
814 krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
815 }
816
817 if (anonymous_pkinit) {
818 krb5_data data;
819
820 data.length = strlen(principal->realm);
821 data.data = principal->realm;
822
823 krb5_cc_set_config(context, ccache, NULL, "anon_pkinit_realm", &data);
824 }
825
826 out:
827 krb5_get_init_creds_opt_free(context, opt);
828 if (ctx)
829 krb5_init_creds_free(context, ctx);
830 if (tempccache)
831 krb5_cc_destroy(context, tempccache);
832
833 if (enctype)
834 free(enctype);
835
836 return ret;
837 }
838
839 static time_t
840 ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client,
841 const char *server, time_t *renew)
842 {
843 krb5_creds in_cred, *cred;
844 krb5_error_code ret;
845 time_t timeout;
846 time_t curtime;
847
848 memset(&in_cred, 0, sizeof(in_cred));
849
850 if (renew != NULL)
851 *renew = 0;
852
853 ret = krb5_cc_get_principal(context, cache, &in_cred.client);
854 if (ret) {
855 krb5_warn(context, ret, "krb5_cc_get_principal");
856 return 0;
857 }
858 ret = get_server(context, in_cred.client, server, &in_cred.server);
859 if (ret) {
860 krb5_free_principal(context, in_cred.client);
861 krb5_warn(context, ret, "get_server");
862 return 0;
863 }
864
865 ret = krb5_get_credentials(context, KRB5_GC_CACHED,
866 cache, &in_cred, &cred);
867 krb5_free_principal(context, in_cred.client);
868 krb5_free_principal(context, in_cred.server);
869 if (ret) {
870 krb5_warn(context, ret, "krb5_get_credentials");
871 return 0;
872 }
873 curtime = time(NULL);
874 timeout = cred->times.endtime - curtime;
875 if (timeout < 0)
876 timeout = 0;
877 if (renew) {
878 *renew = cred->times.renew_till - curtime;
879 if (*renew < 0)
880 *renew = 0;
881 }
882 krb5_free_creds(context, cred);
883 return timeout;
884 }
885
886 static time_t expire;
887
888 static char siginfo_msg[1024] = "No credentials\n";
889
890 static void
891 update_siginfo_msg(time_t exp, const char *srv)
892 {
893 /* Note that exp is relative time */
894 memset(siginfo_msg, 0, sizeof(siginfo_msg));
895 memcpy(&siginfo_msg, "Updating...\n", sizeof("Updating...\n"));
896 if (exp) {
897 if (srv == NULL) {
898 snprintf(siginfo_msg, sizeof(siginfo_msg),
899 N_("kinit: TGT expires in %llu seconds\n", ""),
900 (unsigned long long)expire);
901 } else {
902 snprintf(siginfo_msg, sizeof(siginfo_msg),
903 N_("kinit: Ticket for %s expired\n", ""), srv);
904 }
905 return;
906 }
907
908 /* Expired creds */
909 if (srv == NULL) {
910 snprintf(siginfo_msg, sizeof(siginfo_msg),
911 N_("kinit: TGT expired\n", ""));
912 } else {
913 snprintf(siginfo_msg, sizeof(siginfo_msg),
914 N_("kinit: Ticket for %s expired\n", ""), srv);
915 }
916 }
917
918 #ifdef HAVE_SIGACTION
919 static void
920 handle_siginfo(int sig)
921 {
922 struct iovec iov[2];
923
924 iov[0].iov_base = rk_UNCONST(siginfo_msg);
925 iov[0].iov_len = strlen(siginfo_msg);
926 iov[1].iov_base = "\n";
927 iov[1].iov_len = 1;
928
929 writev(STDERR_FILENO, iov, sizeof(iov)/sizeof(iov[0]));
930 }
931 #endif
932
933 struct renew_ctx {
934 krb5_context context;
935 krb5_ccache ccache;
936 krb5_principal principal;
937 krb5_deltat ticket_life;
938 krb5_deltat timeout;
939 };
940
941 static time_t
942 renew_func(void *ptr)
943 {
944 krb5_error_code ret;
945 struct renew_ctx *ctx = ptr;
946 time_t renew_expire;
947 static time_t exp_delay = 1;
948
949 /*
950 * NOTE: We count on the ccache implementation to notice changes to the
951 * actual ccache filesystem/whatever objects. There should be no ccache
952 * types for which this is not the case, but it might not hurt to
953 * re-krb5_cc_resolve() after each successful renew_validate()/
954 * get_new_tickets() call.
955 */
956
957 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
958 server_str, &renew_expire);
959
960 /*
961 * When a keytab is available to obtain new tickets, if we are within
962 * half of the original ticket lifetime of the renew limit, get a new
963 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
964 * is zero by default (without a '-l' option) and cannot be used to
965 * set the time scale on which we decide whether we're "close to the
966 * renew limit".
967 */
968 if (use_keytab || keytab_str)
969 expire += ctx->timeout;
970 if (renew_expire > expire) {
971 ret = renew_validate(ctx->context, 1, validate_flag, ctx->ccache,
972 server_str, ctx->ticket_life);
973 } else {
974 ret = get_new_tickets(ctx->context, ctx->principal, ctx->ccache,
975 ctx->ticket_life, 0, 0);
976 }
977 expire = ticket_lifetime(ctx->context, ctx->ccache, ctx->principal,
978 server_str, &renew_expire);
979
980 #ifndef NO_AFS
981 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
982 krb5_afslog(ctx->context, ctx->ccache, NULL, NULL);
983 #endif
984
985 update_siginfo_msg(expire, server_str);
986
987 /*
988 * If our tickets have expired and we been able to either renew them
989 * or obtain new tickets, then we still call this function but we use
990 * an exponential backoff. This should take care of the case where
991 * we are using stored credentials but the KDC has been unavailable
992 * for some reason...
993 */
994
995 if (expire < 1) {
996 /*
997 * We can't ask to keep spamming stderr but not syslog, so we warn
998 * only once.
999 */
1000 if (exp_delay == 1) {
1001 krb5_warnx(ctx->context, N_("NOTICE: Could not renew/refresh "
1002 "tickets", ""));
1003 }
1004 if (exp_delay < 7200)
1005 exp_delay += exp_delay / 2 + 1;
1006 return exp_delay;
1007 }
1008 exp_delay = 1;
1009
1010 return expire / 2 + 1;
1011 }
1012
1013 static void
1014 set_princ_realm(krb5_context context,
1015 krb5_principal principal,
1016 const char *realm)
1017 {
1018 krb5_error_code ret;
1019
1020 if ((ret = krb5_principal_set_realm(context, principal, realm)) != 0)
1021 krb5_err(context, 1, ret, "krb5_principal_set_realm");
1022 }
1023
1024 static void
1025 parse_name_realm(krb5_context context,
1026 const char *name,
1027 int flags,
1028 const char *realm,
1029 krb5_principal *princ)
1030 {
1031 krb5_error_code ret;
1032
1033 if (realm)
1034 flags |= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1035 if ((ret = krb5_parse_name_flags(context, name, flags, princ)) != 0)
1036 krb5_err(context, 1, ret, "krb5_parse_name_flags");
1037 if (realm && krb5_principal_get_realm(context, *princ) == NULL)
1038 set_princ_realm(context, *princ, realm);
1039 }
1040
1041 static char *
1042 get_default_realm(krb5_context context)
1043 {
1044 char *realm;
1045 krb5_error_code ret;
1046
1047 if ((ret = krb5_get_default_realm(context, &realm)) != 0)
1048 krb5_err(context, 1, ret, "krb5_get_default_realm");
1049 return realm;
1050 }
1051
1052 static void
1053 get_default_principal(krb5_context context, krb5_principal *princ)
1054 {
1055 krb5_error_code ret;
1056
1057 if ((ret = krb5_get_default_principal(context, princ)) != 0)
1058 krb5_err(context, 1, ret, "krb5_get_default_principal");
1059 }
1060
1061 static char *
1062 get_user_realm(krb5_context context)
1063 {
1064 krb5_error_code ret;
1065 char *user_realm = NULL;
1066
1067 /*
1068 * If memory allocation fails, we don't try to use the wrong realm,
1069 * that will trigger misleading error messages complicate support.
1070 */
1071 krb5_appdefault_string(context, "kinit", NULL, "user_realm", "",
1072 &user_realm);
1073 if (user_realm == NULL) {
1074 ret = krb5_enomem(context);
1075 krb5_err(context, 1, ret, "krb5_appdefault_string");
1076 }
1077
1078 if (*user_realm == 0) {
1079 free(user_realm);
1080 user_realm = NULL;
1081 }
1082
1083 return user_realm;
1084 }
1085
1086 static void
1087 get_princ(krb5_context context, krb5_principal *principal, const char *name)
1088 {
1089 krb5_error_code ret;
1090 krb5_principal tmp;
1091 int parseflags = 0;
1092 char *user_realm;
1093
1094 if (name == NULL) {
1095 krb5_ccache ccache;
1096
1097 /* If credential cache provides a client principal, use that. */
1098 if (krb5_cc_default(context, &ccache) == 0) {
1099 ret = krb5_cc_get_principal(context, ccache, principal);
1100 krb5_cc_close(context, ccache);
1101 if (ret == 0)
1102 return;
1103 }
1104 }
1105
1106 user_realm = get_user_realm(context);
1107
1108 if (name) {
1109 if (enterprise_flag)
1110 parseflags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
1111
1112 parse_name_realm(context, name, parseflags, user_realm, &tmp);
1113
1114 if (user_realm && krb5_principal_get_num_comp(context, tmp) > 1) {
1115 /* Principal is instance qualified, reparse with default realm. */
1116 krb5_free_principal(context, tmp);
1117 parse_name_realm(context, name, parseflags, NULL, principal);
1118 } else {
1119 *principal = tmp;
1120 }
1121 } else {
1122 get_default_principal(context, principal);
1123 if (user_realm)
1124 set_princ_realm(context, *principal, user_realm);
1125 }
1126
1127 if (user_realm)
1128 free(user_realm);
1129 }
1130
1131 static void
1132 get_princ_kt(krb5_context context,
1133 krb5_principal *principal,
1134 char *name)
1135 {
1136 krb5_error_code ret;
1137 krb5_principal tmp;
1138 krb5_ccache ccache;
1139 krb5_kt_cursor cursor;
1140 krb5_keytab_entry entry;
1141 char *def_realm;
1142
1143 if (name == NULL) {
1144 /*
1145 * If the credential cache exists and specifies a client principal,
1146 * use that.
1147 */
1148 if (krb5_cc_default(context, &ccache) == 0) {
1149 ret = krb5_cc_get_principal(context, ccache, principal);
1150 krb5_cc_close(context, ccache);
1151 if (ret == 0)
1152 return;
1153 }
1154 }
1155
1156 if (name) {
1157 /* If the principal specifies an explicit realm, just use that. */
1158 int parseflags = KRB5_PRINCIPAL_PARSE_NO_DEF_REALM;
1159
1160 parse_name_realm(context, name, parseflags, NULL, &tmp);
1161 if (krb5_principal_get_realm(context, tmp) != NULL) {
1162 *principal = tmp;
1163 return;
1164 }
1165 } else {
1166 /* Otherwise, search keytab for bare name of the default principal. */
1167 get_default_principal(context, &tmp);
1168 set_princ_realm(context, tmp, NULL);
1169 }
1170
1171 def_realm = get_default_realm(context);
1172
1173 ret = krb5_kt_start_seq_get(context, kt, &cursor);
1174 if (ret)
1175 krb5_err(context, 1, ret, "krb5_kt_start_seq_get");
1176
1177 while (ret == 0 &&
1178 krb5_kt_next_entry(context, kt, &entry, &cursor) == 0) {
1179 const char *realm;
1180
1181 if (!krb5_principal_compare_any_realm(context, tmp, entry.principal))
1182 continue;
1183 if (*principal &&
1184 krb5_principal_compare(context, *principal, entry.principal))
1185 continue;
1186 /* The default realm takes precedence */
1187 realm = krb5_principal_get_realm(context, entry.principal);
1188 if (*principal && strcmp(def_realm, realm) == 0) {
1189 krb5_free_principal(context, *principal);
1190 ret = krb5_copy_principal(context, entry.principal, principal);
1191 break;
1192 }
1193 if (!*principal)
1194 ret = krb5_copy_principal(context, entry.principal, principal);
1195 }
1196 if (ret != 0 || (ret = krb5_kt_end_seq_get(context, kt, &cursor)) != 0)
1197 krb5_err(context, 1, ret, "get_princ_kt");
1198 if (!*principal) {
1199 if (name)
1200 parse_name_realm(context, name, 0, NULL, principal);
1201 else
1202 krb5_err(context, 1, KRB5_CC_NOTFOUND, "get_princ_kt");
1203 }
1204
1205 krb5_free_principal(context, tmp);
1206 free(def_realm);
1207 }
1208
1209 static krb5_error_code
1210 get_switched_ccache(krb5_context context,
1211 const char * type,
1212 krb5_principal principal,
1213 krb5_ccache *ccache)
1214 {
1215 krb5_error_code ret;
1216
1217 #ifdef _WIN32
1218 if (strcmp(type, "API") == 0) {
1219 /*
1220 * Windows stores the default ccache name in the
1221 * registry which is shared across multiple logon
1222 * sessions for the same user. The API credential
1223 * cache provides a unique name space per logon
1224 * session. Therefore there is no need to generate
1225 * a unique ccache name. Instead use the principal
1226 * name. This provides a friendlier user experience.
1227 */
1228 char * unparsed_name;
1229 char * cred_cache;
1230
1231 ret = krb5_unparse_name(context, principal,
1232 &unparsed_name);
1233 if (ret)
1234 krb5_err(context, 1, ret,
1235 N_("unparsing principal name", ""));
1236
1237 ret = asprintf(&cred_cache, "API:%s", unparsed_name);
1238 krb5_free_unparsed_name(context, unparsed_name);
1239 if (ret == -1 || cred_cache == NULL)
1240 krb5_err(context, 1, ret,
1241 N_("building credential cache name", ""));
1242
1243 ret = krb5_cc_resolve(context, cred_cache, ccache);
1244 free(cred_cache);
1245 } else if (strcmp(type, "MSLSA") == 0) {
1246 /*
1247 * The Windows MSLSA cache when it is writeable
1248 * stores tickets for multiple client principals
1249 * in a single credential cache.
1250 */
1251 ret = krb5_cc_resolve(context, "MSLSA:", ccache);
1252 } else {
1253 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1254 }
1255 #else /* !_WIN32 */
1256 ret = krb5_cc_new_unique(context, type, NULL, ccache);
1257 #endif /* _WIN32 */
1258
1259 return ret;
1260 }
1261
1262 int
1263 main(int argc, char **argv)
1264 {
1265 krb5_error_code ret;
1266 krb5_context context;
1267 krb5_ccache ccache;
1268 krb5_principal principal = NULL;
1269 int optidx = 0;
1270 krb5_deltat ticket_life = 0;
1271 #ifdef HAVE_SIGACTION
1272 struct sigaction sa;
1273 #endif
1274 krb5_boolean unique_ccache = FALSE;
1275 int anonymous_pkinit = FALSE;
1276
1277 setprogname(argv[0]);
1278
1279 setlocale(LC_ALL, "");
1280 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
1281 textdomain("heimdal_kuser");
1282
1283 ret = krb5_init_context(&context);
1284 if (ret == KRB5_CONFIG_BADFORMAT)
1285 errx(1, "krb5_init_context failed to parse configuration file");
1286 else if (ret)
1287 errx(1, "krb5_init_context failed: %d", ret);
1288
1289 if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
1290 usage(1);
1291
1292 if (help_flag)
1293 usage(0);
1294
1295 if (version_flag) {
1296 print_version(NULL);
1297 exit(0);
1298 }
1299
1300 argc -= optidx;
1301 argv += optidx;
1302
1303 /*
1304 * Open the keytab now, we use the keytab to determine the principal's
1305 * realm when the requested principal has no realm.
1306 */
1307 if (use_keytab || keytab_str) {
1308 if (keytab_str)
1309 ret = krb5_kt_resolve(context, keytab_str, &kt);
1310 else
1311 ret = krb5_kt_default(context, &kt);
1312 if (ret)
1313 krb5_err(context, 1, ret, "resolving keytab");
1314 }
1315
1316 if (pk_enterprise_flag) {
1317 ret = krb5_pk_enterprise_cert(context, pk_user_id,
1318 argv[0], &principal,
1319 &ent_user_id);
1320 if (ret)
1321 krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
1322
1323 pk_user_id = NULL;
1324
1325 } else if (anonymous_flag && argc && argv[0][0] == '@') {
1326 /* If principal argument as @REALM, try anonymous PKINIT */
1327
1328 ret = krb5_make_principal(context, &principal, &argv[0][1],
1329 KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
1330 NULL);
1331 if (ret)
1332 krb5_err(context, 1, ret, "krb5_make_principal");
1333 krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
1334 anonymous_pkinit = TRUE;
1335 } else if (use_keytab || keytab_str) {
1336 get_princ_kt(context, &principal, argv[0]);
1337 } else {
1338 get_princ(context, &principal, argv[0]);
1339 }
1340
1341 if (fcache_version)
1342 krb5_set_fcache_version(context, fcache_version);
1343
1344 if (renewable_flag == -1)
1345 /* this seems somewhat pointless, but whatever */
1346 krb5_appdefault_boolean(context, "kinit",
1347 krb5_principal_get_realm(context, principal),
1348 "renewable", FALSE, &renewable_flag);
1349 if (do_afslog == -1)
1350 krb5_appdefault_boolean(context, "kinit",
1351 krb5_principal_get_realm(context, principal),
1352 "afslog", TRUE, &do_afslog);
1353
1354 if (cred_cache)
1355 ret = krb5_cc_resolve(context, cred_cache, &ccache);
1356 else {
1357 if (argc > 1) {
1358 char s[1024];
1359 ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
1360 if (ret)
1361 krb5_err(context, 1, ret, "creating cred cache");
1362 snprintf(s, sizeof(s), "%s:%s",
1363 krb5_cc_get_type(context, ccache),
1364 krb5_cc_get_name(context, ccache));
1365 setenv("KRB5CCNAME", s, 1);
1366 unique_ccache = TRUE;
1367 } else {
1368 ret = krb5_cc_cache_match(context, principal, &ccache);
1369 if (ret) {
1370 const char *type;
1371 ret = krb5_cc_default(context, &ccache);
1372 if (ret)
1373 krb5_err(context, 1, ret,
1374 N_("resolving credentials cache", ""));
1375
1376 /*
1377 * Check if the type support switching, and we do,
1378 * then do that instead over overwriting the current
1379 * default credential
1380 */
1381 type = krb5_cc_get_type(context, ccache);
1382 if (krb5_cc_support_switch(context, type)) {
1383 krb5_cc_close(context, ccache);
1384 ret = get_switched_ccache(context, type, principal,
1385 &ccache);
1386 if (ret == 0)
1387 unique_ccache = TRUE;
1388 }
1389 }
1390 }
1391 }
1392 if (ret)
1393 krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
1394
1395 #ifndef NO_AFS
1396 if (argc > 1 && k_hasafs())
1397 k_setpag();
1398 #endif
1399
1400 if (lifetime) {
1401 int tmp = parse_time(lifetime, "s");
1402 if (tmp < 0)
1403 errx(1, N_("unparsable time: %s", ""), lifetime);
1404
1405 ticket_life = tmp;
1406 }
1407
1408 if (addrs_flag == 0 && extra_addresses.num_strings > 0)
1409 krb5_errx(context, 1,
1410 N_("specifying both extra addresses and "
1411 "no addresses makes no sense", ""));
1412 {
1413 int i;
1414 krb5_addresses addresses;
1415 memset(&addresses, 0, sizeof(addresses));
1416 for(i = 0; i < extra_addresses.num_strings; i++) {
1417 ret = krb5_parse_address(context, extra_addresses.strings[i],
1418 &addresses);
1419 if (ret == 0) {
1420 krb5_add_extra_addresses(context, &addresses);
1421 krb5_free_addresses(context, &addresses);
1422 }
1423 }
1424 free_getarg_strings(&extra_addresses);
1425 }
1426
1427 if (renew_flag || validate_flag) {
1428 ret = renew_validate(context, renew_flag, validate_flag,
1429 ccache, server_str, ticket_life);
1430
1431 #ifndef NO_AFS
1432 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1433 krb5_afslog(context, ccache, NULL, NULL);
1434 #endif
1435
1436 if (unique_ccache)
1437 krb5_cc_destroy(context, ccache);
1438 exit(ret != 0);
1439 }
1440
1441 ret = get_new_tickets(context, principal, ccache, ticket_life,
1442 1, anonymous_pkinit);
1443 if (ret) {
1444 if (unique_ccache)
1445 krb5_cc_destroy(context, ccache);
1446 exit(1);
1447 }
1448
1449 #ifndef NO_AFS
1450 if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
1451 krb5_afslog(context, ccache, NULL, NULL);
1452 #endif
1453
1454 if (argc > 1) {
1455 struct renew_ctx ctx;
1456 time_t timeout;
1457
1458 timeout = ticket_lifetime(context, ccache, principal,
1459 server_str, NULL) / 2;
1460
1461 ctx.context = context;
1462 ctx.ccache = ccache;
1463 ctx.principal = principal;
1464 ctx.ticket_life = ticket_life;
1465 ctx.timeout = timeout;
1466
1467 #ifdef HAVE_SIGACTION
1468 memset(&sa, 0, sizeof(sa));
1469 sigemptyset(&sa.sa_mask);
1470 sa.sa_handler = handle_siginfo;
1471
1472 sigaction(SIGINFO, &sa, NULL);
1473 #endif
1474
1475 ret = simple_execvp_timed(argv[1], argv+1,
1476 renew_func, &ctx, timeout);
1477 #define EX_NOEXEC 126
1478 #define EX_NOTFOUND 127
1479 if (ret == EX_NOEXEC)
1480 krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
1481 else if (ret == EX_NOTFOUND)
1482 krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
1483
1484 krb5_cc_destroy(context, ccache);
1485 #ifndef NO_AFS
1486 if (k_hasafs())
1487 k_unlog();
1488 #endif
1489 } else {
1490 krb5_cc_close(context, ccache);
1491 ret = 0;
1492 }
1493 krb5_free_principal(context, principal);
1494 if (kt)
1495 krb5_kt_close(context, kt);
1496 krb5_free_context(context);
1497 return ret;
1498 }
Heimdal