2 * Copyright (c) 1997-2007 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
38 #ifdef HAVE_FRAMEWORK_SECURITY
39 #include <Security/Security.h>
47 #define SIGINFO SIGUSR1
50 int forwardable_flag
= -1;
51 int proxiable_flag
= -1;
52 int renewable_flag
= -1;
55 int validate_flag
= 0;
59 struct getarg_strings extra_addresses
;
60 int anonymous_flag
= 0;
61 char *lifetime
= NULL
;
62 char *renew_life
= NULL
;
63 char *server_str
= NULL
;
64 char *cred_cache
= NULL
;
65 char *start_str
= NULL
;
66 static int switch_cache_flags
= 1;
67 struct getarg_strings etype_str
;
69 char *keytab_str
= NULL
;
70 static krb5_keytab kt
= NULL
;
73 char *password_file
= NULL
;
74 char *pk_user_id
= NULL
;
75 int pk_enterprise_flag
= 0;
76 struct hx509_certs_data
*ent_user_id
= NULL
;
77 char *pk_x509_anchors
= NULL
;
78 int pk_use_enckey
= 0;
79 static int canonicalize_flag
= 0;
80 static int enterprise_flag
= 0;
81 static int ok_as_delegate_flag
= 0;
82 static char *fast_armor_cache_string
= NULL
;
83 static int use_referrals_flag
= 0;
84 static int windows_flag
= 0;
86 static char *ntlm_domain
;
90 static struct getargs args
[] = {
104 { "afslog", 0 , arg_flag
, &do_afslog
,
105 NP_("obtain afs tokens", ""), NULL
},
107 { "cache", 'c', arg_string
, &cred_cache
,
108 NP_("credentials cache", ""), "cachename" },
110 { "forwardable", 'F', arg_negative_flag
, &forwardable_flag
,
111 NP_("get tickets not forwardable", ""), NULL
},
113 { NULL
, 'f', arg_flag
, &forwardable_flag
,
114 NP_("get forwardable tickets", ""), NULL
},
116 { "keytab", 't', arg_string
, &keytab_str
,
117 NP_("keytab to use", ""), "keytabname" },
119 { "lifetime", 'l', arg_string
, &lifetime
,
120 NP_("lifetime of tickets", ""), "time" },
122 { "proxiable", 'p', arg_flag
, &proxiable_flag
,
123 NP_("get proxiable tickets", ""), NULL
},
125 { "renew", 'R', arg_flag
, &renew_flag
,
126 NP_("renew TGT", ""), NULL
},
128 { "renewable", 0, arg_flag
, &renewable_flag
,
129 NP_("get renewable tickets", ""), NULL
},
131 { "renewable-life", 'r', arg_string
, &renew_life
,
132 NP_("renewable lifetime of tickets", ""), "time" },
134 { "server", 'S', arg_string
, &server_str
,
135 NP_("server to get ticket for", ""), "principal" },
137 { "start-time", 's', arg_string
, &start_str
,
138 NP_("when ticket gets valid", ""), "time" },
140 { "use-keytab", 'k', arg_flag
, &use_keytab
,
141 NP_("get key from keytab", ""), NULL
},
143 { "validate", 'v', arg_flag
, &validate_flag
,
144 NP_("validate TGT", ""), NULL
},
146 { "enctypes", 'e', arg_strings
, &etype_str
,
147 NP_("encryption types to use", ""), "enctypes" },
149 { "fcache-version", 0, arg_integer
, &fcache_version
,
150 NP_("file cache version to create", ""), NULL
},
152 { "addresses", 'A', arg_negative_flag
, &addrs_flag
,
153 NP_("request a ticket with no addresses", ""), NULL
},
155 { "extra-addresses",'a', arg_strings
, &extra_addresses
,
156 NP_("include these extra addresses", ""), "addresses" },
158 { "anonymous", 'n', arg_flag
, &anonymous_flag
,
159 NP_("request an anonymous ticket", ""), NULL
},
161 { "request-pac", 0, arg_flag
, &pac_flag
,
162 NP_("request a Windows PAC", ""), NULL
},
164 { "password-file", 0, arg_string
, &password_file
,
165 NP_("read the password from a file", ""), NULL
},
167 { "canonicalize",0, arg_flag
, &canonicalize_flag
,
168 NP_("canonicalize client principal", ""), NULL
},
170 { "enterprise",0, arg_flag
, &enterprise_flag
,
171 NP_("parse principal as a KRB5-NT-ENTERPRISE name", ""), NULL
},
173 { "pk-enterprise", 0, arg_flag
, &pk_enterprise_flag
,
174 NP_("use enterprise name from certificate", ""), NULL
},
176 { "pk-user", 'C', arg_string
, &pk_user_id
,
177 NP_("principal's public/private/certificate identifier", ""), "id" },
179 { "x509-anchors", 'D', arg_string
, &pk_x509_anchors
,
180 NP_("directory with CA certificates", ""), "directory" },
182 { "pk-use-enckey", 0, arg_flag
, &pk_use_enckey
,
183 NP_("Use RSA encrypted reply (instead of DH)", ""), NULL
},
186 { "ntlm-domain", 0, arg_string
, &ntlm_domain
,
187 NP_("NTLM domain", ""), "domain" },
190 { "change-default", 0, arg_negative_flag
, &switch_cache_flags
,
191 NP_("switch the default cache to the new credentials cache", ""), NULL
},
193 { "ok-as-delegate", 0, arg_flag
, &ok_as_delegate_flag
,
194 NP_("honor ok-as-delegate on tickets", ""), NULL
},
196 { "fast-armor-cache", 0, arg_string
, &fast_armor_cache_string
,
197 NP_("use this credential cache as FAST armor cache", ""), "cache" },
199 { "use-referrals", 0, arg_flag
, &use_referrals_flag
,
200 NP_("only use referrals, no dns canalisation", ""), NULL
},
202 { "windows", 0, arg_flag
, &windows_flag
,
203 NP_("get windows behavior", ""), NULL
},
205 { "version", 0, arg_flag
, &version_flag
, NULL
, NULL
},
206 { "help", 0, arg_flag
, &help_flag
, NULL
, NULL
}
210 get_default_realm(krb5_context context
);
215 arg_printusage_i18n(args
, sizeof(args
)/sizeof(*args
), N_("Usage: ", ""),
216 NULL
, "[principal [command]]", getarg_i18n
);
220 static krb5_error_code
221 get_server(krb5_context context
,
222 krb5_principal client
,
224 krb5_principal
*princ
)
226 krb5_const_realm realm
;
228 return krb5_parse_name(context
, server
, princ
);
230 realm
= krb5_principal_get_realm(context
, client
);
231 return krb5_make_principal(context
, princ
, realm
,
232 KRB5_TGS_NAME
, realm
, NULL
);
235 static krb5_error_code
236 copy_configs(krb5_context context
,
239 krb5_principal start_ticket_server
)
242 const char *cfg_names
[] = {"realm-config", "FriendlyName", "anon_pkinit_realm", NULL
};
243 const char *cfg_names_w_pname
[] = {"fast_avail", NULL
};
247 for (i
= 0; cfg_names
[i
]; i
++) {
248 ret
= krb5_cc_get_config(context
, src
, NULL
, cfg_names
[i
], &cfg_data
);
249 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
252 krb5_warn(context
, ret
, "krb5_cc_get_config");
255 ret
= krb5_cc_set_config(context
, dst
, NULL
, cfg_names
[i
], &cfg_data
);
257 krb5_warn(context
, ret
, "krb5_cc_set_config");
259 for (i
= 0; start_ticket_server
&& cfg_names_w_pname
[i
]; i
++) {
260 ret
= krb5_cc_get_config(context
, src
, start_ticket_server
,
261 cfg_names_w_pname
[i
], &cfg_data
);
262 if (ret
== KRB5_CC_NOTFOUND
|| ret
== KRB5_CC_END
) {
265 krb5_warn(context
, ret
, "krb5_cc_get_config");
268 ret
= krb5_cc_set_config(context
, dst
, start_ticket_server
,
269 cfg_names_w_pname
[i
], &cfg_data
);
270 if (ret
&& ret
!= KRB5_CC_NOTFOUND
)
271 krb5_warn(context
, ret
, "krb5_cc_set_config");
274 * We don't copy cc configs for any other principals though (mostly
275 * those are per-target time offsets and the like, so it's bad to
276 * lose them, but hardly the end of the world, and as they may not
277 * expire anyways, it's good to let them go).
282 static krb5_error_code
283 get_anon_pkinit_tgs_name(krb5_context context
,
285 krb5_principal
*tgs_name
)
291 ret
= krb5_cc_get_config(context
, ccache
, NULL
, "anon_pkinit_realm", &data
);
293 realm
= strndup(data
.data
, data
.length
);
295 realm
= get_default_realm(context
);
297 krb5_data_free(&data
);
300 return krb5_enomem(context
);
302 ret
= krb5_make_principal(context
, tgs_name
, realm
,
303 KRB5_TGS_NAME
, realm
, NULL
);
310 static krb5_error_code
311 renew_validate(krb5_context context
,
319 krb5_ccache tempccache
= NULL
;
320 krb5_creds in
, *out
= NULL
;
321 krb5_kdc_flags flags
;
323 memset(&in
, 0, sizeof(in
));
325 ret
= krb5_cc_get_principal(context
, cache
, &in
.client
);
327 krb5_warn(context
, ret
, "krb5_cc_get_principal");
331 if (server
== NULL
&&
332 krb5_principal_is_anonymous(context
, in
.client
,
333 KRB5_ANON_MATCH_UNAUTHENTICATED
))
334 ret
= get_anon_pkinit_tgs_name(context
, cache
, &in
.server
);
336 ret
= get_server(context
, in
.client
, server
, &in
.server
);
338 krb5_warn(context
, ret
, "get_server");
344 * no need to check the error here, it's only to be
345 * friendly to the user
347 krb5_get_credentials(context
, KRB5_GC_CACHED
, cache
, &in
, &out
);
351 flags
.b
.renewable
= flags
.b
.renew
= renew
;
352 flags
.b
.validate
= validate
;
354 if (forwardable_flag
!= -1)
355 flags
.b
.forwardable
= forwardable_flag
;
357 flags
.b
.forwardable
= out
->flags
.b
.forwardable
;
359 if (proxiable_flag
!= -1)
360 flags
.b
.proxiable
= proxiable_flag
;
362 flags
.b
.proxiable
= out
->flags
.b
.proxiable
;
365 flags
.b
.request_anonymous
= anonymous_flag
;
367 in
.times
.endtime
= time(NULL
) + life
;
370 krb5_free_creds(context
, out
);
375 ret
= krb5_get_kdc_cred(context
,
383 krb5_warn(context
, ret
, "krb5_get_kdc_cred");
387 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, cache
),
390 krb5_warn(context
, ret
, "krb5_cc_new_unique");
394 ret
= krb5_cc_initialize(context
, tempccache
, in
.client
);
396 krb5_warn(context
, ret
, "krb5_cc_initialize");
400 ret
= krb5_cc_store_cred(context
, tempccache
, out
);
402 krb5_warn(context
, ret
, "krb5_cc_store_cred");
407 * We want to preserve cc configs as some are security-relevant, and
408 * anyways it's the friendly thing to do.
410 ret
= copy_configs(context
, tempccache
, cache
, out
->server
);
414 ret
= krb5_cc_move(context
, tempccache
, cache
);
416 krb5_warn(context
, ret
, "krb5_cc_move");
423 krb5_cc_destroy(context
, tempccache
);
425 krb5_free_creds(context
, out
);
426 krb5_free_cred_contents(context
, &in
);
432 static krb5_error_code
433 store_ntlmkey(krb5_context context
, krb5_ccache id
,
434 const char *domain
, struct ntlm_buf
*buf
)
441 ret
= krb5_cc_get_config(context
, id
, NULL
, "default-ntlm-domain", &data
);
443 krb5_data_free(&data
);
445 data
.length
= strlen(domain
);
446 data
.data
= rk_UNCONST(domain
);
447 ret
= krb5_cc_set_config(context
, id
, NULL
, "default-ntlm-domain", &data
);
452 aret
= asprintf(&name
, "ntlm-key-%s", domain
);
453 if (aret
== -1 || name
== NULL
)
454 return krb5_enomem(context
);
456 data
.length
= buf
->length
;
457 data
.data
= buf
->data
;
459 ret
= krb5_cc_set_config(context
, id
, NULL
, name
, &data
);
465 static krb5_error_code
466 get_new_tickets(krb5_context context
,
467 krb5_principal principal
,
469 krb5_deltat ticket_life
,
471 int anonymous_pkinit
)
476 krb5_deltat start_time
= 0;
477 krb5_deltat renew
= 0;
478 const char *renewstr
= NULL
;
479 krb5_enctype
*enctype
= NULL
;
480 krb5_ccache tempccache
= NULL
;
481 krb5_init_creds_context ctx
= NULL
;
482 krb5_get_init_creds_opt
*opt
= NULL
;
483 krb5_prompter_fct prompter
= krb5_prompter_posix
;
485 struct ntlm_buf ntlmkey
;
486 memset(&ntlmkey
, 0, sizeof(ntlmkey
));
496 if (strcasecmp("STDIN", password_file
) == 0)
499 f
= fopen(password_file
, "r");
501 krb5_warnx(context
, N_("Failed to open the password file %s", ""),
506 if (fgets(passwd
, sizeof(passwd
), f
) == NULL
) {
507 krb5_warnx(context
, N_("Failed to read password from file %s", ""),
511 return EINVAL
; /* XXX Need a better error */
515 passwd
[strcspn(passwd
, "\n")] = '\0';
518 #ifdef HAVE_FRAMEWORK_SECURITY
519 if (passwd
[0] == '\0') {
526 realm
= krb5_principal_get_realm(context
, principal
);
528 ret
= krb5_unparse_name_flags(context
, principal
,
529 KRB5_PRINCIPAL_UNPARSE_NO_REALM
, &name
);
533 osret
= SecKeychainFindGenericPassword(NULL
, strlen(realm
), realm
,
535 &length
, &buffer
, NULL
);
537 if (osret
== noErr
&& length
< sizeof(passwd
) - 1) {
538 memcpy(passwd
, buffer
, length
);
539 passwd
[length
] = '\0';
546 memset(&cred
, 0, sizeof(cred
));
548 ret
= krb5_get_init_creds_opt_alloc(context
, &opt
);
550 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_alloc");
554 krb5_get_init_creds_opt_set_default_flags(context
, "kinit",
555 krb5_principal_get_realm(context
, principal
), opt
);
557 if (forwardable_flag
!= -1)
558 krb5_get_init_creds_opt_set_forwardable(opt
, forwardable_flag
);
559 if (proxiable_flag
!= -1)
560 krb5_get_init_creds_opt_set_proxiable(opt
, proxiable_flag
);
562 krb5_get_init_creds_opt_set_anonymous(opt
, anonymous_flag
);
564 krb5_get_init_creds_opt_set_pac_request(context
, opt
,
565 pac_flag
? TRUE
: FALSE
);
566 if (canonicalize_flag
)
567 krb5_get_init_creds_opt_set_canonicalize(context
, opt
, TRUE
);
568 if (pk_enterprise_flag
|| enterprise_flag
|| canonicalize_flag
|| windows_flag
)
569 krb5_get_init_creds_opt_set_win2k(context
, opt
, TRUE
);
570 if (pk_user_id
|| ent_user_id
|| anonymous_pkinit
) {
571 ret
= krb5_get_init_creds_opt_set_pkinit(context
, opt
,
577 pk_use_enckey
? KRB5_GIC_OPT_PKINIT_USE_ENCKEY
: 0 |
578 anonymous_pkinit
? KRB5_GIC_OPT_PKINIT_ANONYMOUS
: 0,
583 krb5_warn(context
, ret
, "krb5_get_init_creds_opt_set_pkinit");
587 krb5_get_init_creds_opt_set_pkinit_user_certs(context
, opt
, ent_user_id
);
590 if (addrs_flag
!= -1)
591 krb5_get_init_creds_opt_set_addressless(context
, opt
,
592 addrs_flag
? FALSE
: TRUE
);
594 if (renew_life
== NULL
&& renewable_flag
)
595 renewstr
= "6 months";
597 renewstr
= renew_life
;
599 renew
= parse_time(renewstr
, "s");
601 errx(1, "unparsable time: %s", renewstr
);
603 krb5_get_init_creds_opt_set_renew_life(opt
, renew
);
606 if (ticket_life
!= 0)
607 krb5_get_init_creds_opt_set_tkt_life(opt
, ticket_life
);
610 int tmp
= parse_time(start_str
, "s");
612 errx(1, N_("unparsable time: %s", ""), start_str
);
617 if (etype_str
.num_strings
) {
620 enctype
= malloc(etype_str
.num_strings
* sizeof(*enctype
));
622 errx(1, "out of memory");
623 for(i
= 0; i
< etype_str
.num_strings
; i
++) {
624 ret
= krb5_string_to_enctype(context
,
625 etype_str
.strings
[i
],
628 errx(1, "unrecognized enctype: %s", etype_str
.strings
[i
]);
630 krb5_get_init_creds_opt_set_etype_list(opt
, enctype
,
631 etype_str
.num_strings
);
634 ret
= krb5_init_creds_init(context
, principal
, prompter
, NULL
, start_time
, opt
, &ctx
);
636 krb5_warn(context
, ret
, "krb5_init_creds_init");
641 ret
= krb5_init_creds_set_service(context
, ctx
, server_str
);
643 krb5_warn(context
, ret
, "krb5_init_creds_set_service");
648 if (fast_armor_cache_string
) {
651 ret
= krb5_cc_resolve(context
, fast_armor_cache_string
, &fastid
);
653 krb5_warn(context
, ret
, "krb5_cc_resolve(FAST cache)");
657 ret
= krb5_init_creds_set_fast_ccache(context
, ctx
, fastid
);
659 krb5_warn(context
, ret
, "krb5_init_creds_set_fast_ccache");
664 if (use_keytab
|| keytab_str
) {
665 ret
= krb5_init_creds_set_keytab(context
, ctx
, kt
);
667 krb5_warn(context
, ret
, "krb5_init_creds_set_keytab");
670 } else if (pk_user_id
|| ent_user_id
||
671 krb5_principal_is_anonymous(context
, principal
, KRB5_ANON_MATCH_ANY
)) {
673 } else if (!interactive
&& passwd
[0] == '\0') {
674 static int already_warned
= 0;
677 krb5_warnx(context
, "Not interactive, failed to get "
679 krb5_get_init_creds_opt_free(context
, opt
);
684 if (passwd
[0] == '\0') {
688 ret
= krb5_unparse_name(context
, principal
, &p
);
690 errx(1, "failed to generate passwd prompt: not enough memory");
692 aret
= asprintf(&prompt
, N_("%s's Password: ", ""), p
);
695 errx(1, "failed to generate passwd prompt: not enough memory");
697 if (UI_UTIL_read_pw_string(passwd
, sizeof(passwd
)-1, prompt
, 0)){
698 memset(passwd
, 0, sizeof(passwd
));
699 errx(1, "failed to read password");
705 ret
= krb5_init_creds_set_password(context
, ctx
, passwd
);
707 krb5_warn(context
, ret
, "krb5_init_creds_set_password");
713 ret
= krb5_init_creds_get(context
, ctx
);
716 if (ntlm_domain
&& passwd
[0])
717 heim_ntlm_nt_key(passwd
, &ntlmkey
);
719 memset_s(passwd
, sizeof(passwd
), 0, sizeof(passwd
));
724 case KRB5_LIBOS_PWDINTR
: /* don't print anything if it was just C-c:ed */
726 case KRB5KRB_AP_ERR_BAD_INTEGRITY
:
727 case KRB5KRB_AP_ERR_MODIFIED
:
728 case KRB5KDC_ERR_PREAUTH_FAILED
:
729 case KRB5_GET_IN_TKT_LOOP
:
730 krb5_warnx(context
, N_("Password incorrect", ""));
732 case KRB5KRB_AP_ERR_V4_REPLY
:
733 krb5_warnx(context
, N_("Looks like a Kerberos 4 reply", ""));
735 case KRB5KDC_ERR_KEY_EXPIRED
:
736 krb5_warnx(context
, N_("Password expired", ""));
739 krb5_warn(context
, ret
, "krb5_get_init_creds");
743 krb5_process_last_request(context
, opt
, ctx
);
745 ret
= krb5_init_creds_get_creds(context
, ctx
, &cred
);
747 krb5_warn(context
, ret
, "krb5_init_creds_get_creds");
751 if (ticket_life
!= 0) {
752 if (labs(cred
.times
.endtime
- cred
.times
.starttime
- ticket_life
) > 30) {
754 unparse_time_approx(cred
.times
.endtime
- cred
.times
.starttime
,
756 krb5_warnx(context
, N_("NOTICE: ticket lifetime is %s", ""), life
);
760 if (labs(cred
.times
.renew_till
- cred
.times
.starttime
- renew
) > 30) {
762 unparse_time_approx(cred
.times
.renew_till
- cred
.times
.starttime
,
765 N_("NOTICE: ticket renewable lifetime is %s", ""),
769 krb5_free_cred_contents(context
, &cred
);
771 ret
= krb5_cc_new_unique(context
, krb5_cc_get_type(context
, ccache
),
774 krb5_warn(context
, ret
, "krb5_cc_new_unique");
778 ret
= krb5_init_creds_store(context
, ctx
, tempccache
);
780 krb5_warn(context
, ret
, "krb5_init_creds_store");
784 krb5_init_creds_free(context
, ctx
);
787 ret
= krb5_cc_move(context
, tempccache
, ccache
);
789 krb5_warn(context
, ret
, "krb5_cc_move");
794 if (switch_cache_flags
)
795 krb5_cc_switch(context
, ccache
);
798 if (ntlm_domain
&& ntlmkey
.data
)
799 store_ntlmkey(context
, ccache
, ntlm_domain
, &ntlmkey
);
802 if (ok_as_delegate_flag
|| windows_flag
|| use_referrals_flag
) {
806 if (ok_as_delegate_flag
|| windows_flag
)
808 if (use_referrals_flag
|| windows_flag
)
814 krb5_cc_set_config(context
, ccache
, NULL
, "realm-config", &data
);
817 if (anonymous_pkinit
) {
820 data
.length
= strlen(principal
->realm
);
821 data
.data
= principal
->realm
;
823 krb5_cc_set_config(context
, ccache
, NULL
, "anon_pkinit_realm", &data
);
827 krb5_get_init_creds_opt_free(context
, opt
);
829 krb5_init_creds_free(context
, ctx
);
831 krb5_cc_destroy(context
, tempccache
);
840 ticket_lifetime(krb5_context context
, krb5_ccache cache
, krb5_principal client
,
841 const char *server
, time_t *renew
)
843 krb5_creds in_cred
, *cred
;
848 memset(&in_cred
, 0, sizeof(in_cred
));
853 ret
= krb5_cc_get_principal(context
, cache
, &in_cred
.client
);
855 krb5_warn(context
, ret
, "krb5_cc_get_principal");
858 ret
= get_server(context
, in_cred
.client
, server
, &in_cred
.server
);
860 krb5_free_principal(context
, in_cred
.client
);
861 krb5_warn(context
, ret
, "get_server");
865 ret
= krb5_get_credentials(context
, KRB5_GC_CACHED
,
866 cache
, &in_cred
, &cred
);
867 krb5_free_principal(context
, in_cred
.client
);
868 krb5_free_principal(context
, in_cred
.server
);
870 krb5_warn(context
, ret
, "krb5_get_credentials");
873 curtime
= time(NULL
);
874 timeout
= cred
->times
.endtime
- curtime
;
878 *renew
= cred
->times
.renew_till
- curtime
;
882 krb5_free_creds(context
, cred
);
886 static time_t expire
;
888 static char siginfo_msg
[1024] = "No credentials\n";
891 update_siginfo_msg(time_t exp
, const char *srv
)
893 /* Note that exp is relative time */
894 memset(siginfo_msg
, 0, sizeof(siginfo_msg
));
895 memcpy(&siginfo_msg
, "Updating...\n", sizeof("Updating...\n"));
898 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
899 N_("kinit: TGT expires in %llu seconds\n", ""),
900 (unsigned long long)expire
);
902 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
903 N_("kinit: Ticket for %s expired\n", ""), srv
);
910 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
911 N_("kinit: TGT expired\n", ""));
913 snprintf(siginfo_msg
, sizeof(siginfo_msg
),
914 N_("kinit: Ticket for %s expired\n", ""), srv
);
918 #ifdef HAVE_SIGACTION
920 handle_siginfo(int sig
)
924 iov
[0].iov_base
= rk_UNCONST(siginfo_msg
);
925 iov
[0].iov_len
= strlen(siginfo_msg
);
926 iov
[1].iov_base
= "\n";
929 writev(STDERR_FILENO
, iov
, sizeof(iov
)/sizeof(iov
[0]));
934 krb5_context context
;
936 krb5_principal principal
;
937 krb5_deltat ticket_life
;
942 renew_func(void *ptr
)
945 struct renew_ctx
*ctx
= ptr
;
947 static time_t exp_delay
= 1;
950 * NOTE: We count on the ccache implementation to notice changes to the
951 * actual ccache filesystem/whatever objects. There should be no ccache
952 * types for which this is not the case, but it might not hurt to
953 * re-krb5_cc_resolve() after each successful renew_validate()/
954 * get_new_tickets() call.
957 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
958 server_str
, &renew_expire
);
961 * When a keytab is available to obtain new tickets, if we are within
962 * half of the original ticket lifetime of the renew limit, get a new
963 * TGT instead of renewing the existing TGT. Note, ctx->ticket_life
964 * is zero by default (without a '-l' option) and cannot be used to
965 * set the time scale on which we decide whether we're "close to the
968 if (use_keytab
|| keytab_str
)
969 expire
+= ctx
->timeout
;
970 if (renew_expire
> expire
) {
971 ret
= renew_validate(ctx
->context
, 1, validate_flag
, ctx
->ccache
,
972 server_str
, ctx
->ticket_life
);
974 ret
= get_new_tickets(ctx
->context
, ctx
->principal
, ctx
->ccache
,
975 ctx
->ticket_life
, 0, 0);
977 expire
= ticket_lifetime(ctx
->context
, ctx
->ccache
, ctx
->principal
,
978 server_str
, &renew_expire
);
981 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
982 krb5_afslog(ctx
->context
, ctx
->ccache
, NULL
, NULL
);
985 update_siginfo_msg(expire
, server_str
);
988 * If our tickets have expired and we been able to either renew them
989 * or obtain new tickets, then we still call this function but we use
990 * an exponential backoff. This should take care of the case where
991 * we are using stored credentials but the KDC has been unavailable
997 * We can't ask to keep spamming stderr but not syslog, so we warn
1000 if (exp_delay
== 1) {
1001 krb5_warnx(ctx
->context
, N_("NOTICE: Could not renew/refresh "
1004 if (exp_delay
< 7200)
1005 exp_delay
+= exp_delay
/ 2 + 1;
1010 return expire
/ 2 + 1;
1014 set_princ_realm(krb5_context context
,
1015 krb5_principal principal
,
1018 krb5_error_code ret
;
1020 if ((ret
= krb5_principal_set_realm(context
, principal
, realm
)) != 0)
1021 krb5_err(context
, 1, ret
, "krb5_principal_set_realm");
1025 parse_name_realm(krb5_context context
,
1029 krb5_principal
*princ
)
1031 krb5_error_code ret
;
1034 flags
|= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
1035 if ((ret
= krb5_parse_name_flags(context
, name
, flags
, princ
)) != 0)
1036 krb5_err(context
, 1, ret
, "krb5_parse_name_flags");
1037 if (realm
&& krb5_principal_get_realm(context
, *princ
) == NULL
)
1038 set_princ_realm(context
, *princ
, realm
);
1042 get_default_realm(krb5_context context
)
1045 krb5_error_code ret
;
1047 if ((ret
= krb5_get_default_realm(context
, &realm
)) != 0)
1048 krb5_err(context
, 1, ret
, "krb5_get_default_realm");
1053 get_default_principal(krb5_context context
, krb5_principal
*princ
)
1055 krb5_error_code ret
;
1057 if ((ret
= krb5_get_default_principal(context
, princ
)) != 0)
1058 krb5_err(context
, 1, ret
, "krb5_get_default_principal");
1062 get_user_realm(krb5_context context
)
1064 krb5_error_code ret
;
1065 char *user_realm
= NULL
;
1068 * If memory allocation fails, we don't try to use the wrong realm,
1069 * that will trigger misleading error messages complicate support.
1071 krb5_appdefault_string(context
, "kinit", NULL
, "user_realm", "",
1073 if (user_realm
== NULL
) {
1074 ret
= krb5_enomem(context
);
1075 krb5_err(context
, 1, ret
, "krb5_appdefault_string");
1078 if (*user_realm
== 0) {
1087 get_princ(krb5_context context
, krb5_principal
*principal
, const char *name
)
1089 krb5_error_code ret
;
1097 /* If credential cache provides a client principal, use that. */
1098 if (krb5_cc_default(context
, &ccache
) == 0) {
1099 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
1100 krb5_cc_close(context
, ccache
);
1106 user_realm
= get_user_realm(context
);
1109 if (enterprise_flag
)
1110 parseflags
|= KRB5_PRINCIPAL_PARSE_ENTERPRISE
;
1112 parse_name_realm(context
, name
, parseflags
, user_realm
, &tmp
);
1114 if (user_realm
&& krb5_principal_get_num_comp(context
, tmp
) > 1) {
1115 /* Principal is instance qualified, reparse with default realm. */
1116 krb5_free_principal(context
, tmp
);
1117 parse_name_realm(context
, name
, parseflags
, NULL
, principal
);
1122 get_default_principal(context
, principal
);
1124 set_princ_realm(context
, *principal
, user_realm
);
1132 get_princ_kt(krb5_context context
,
1133 krb5_principal
*principal
,
1136 krb5_error_code ret
;
1139 krb5_kt_cursor cursor
;
1140 krb5_keytab_entry entry
;
1145 * If the credential cache exists and specifies a client principal,
1148 if (krb5_cc_default(context
, &ccache
) == 0) {
1149 ret
= krb5_cc_get_principal(context
, ccache
, principal
);
1150 krb5_cc_close(context
, ccache
);
1157 /* If the principal specifies an explicit realm, just use that. */
1158 int parseflags
= KRB5_PRINCIPAL_PARSE_NO_DEF_REALM
;
1160 parse_name_realm(context
, name
, parseflags
, NULL
, &tmp
);
1161 if (krb5_principal_get_realm(context
, tmp
) != NULL
) {
1166 /* Otherwise, search keytab for bare name of the default principal. */
1167 get_default_principal(context
, &tmp
);
1168 set_princ_realm(context
, tmp
, NULL
);
1171 def_realm
= get_default_realm(context
);
1173 ret
= krb5_kt_start_seq_get(context
, kt
, &cursor
);
1175 krb5_err(context
, 1, ret
, "krb5_kt_start_seq_get");
1178 krb5_kt_next_entry(context
, kt
, &entry
, &cursor
) == 0) {
1181 if (!krb5_principal_compare_any_realm(context
, tmp
, entry
.principal
))
1184 krb5_principal_compare(context
, *principal
, entry
.principal
))
1186 /* The default realm takes precedence */
1187 realm
= krb5_principal_get_realm(context
, entry
.principal
);
1188 if (*principal
&& strcmp(def_realm
, realm
) == 0) {
1189 krb5_free_principal(context
, *principal
);
1190 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1194 ret
= krb5_copy_principal(context
, entry
.principal
, principal
);
1196 if (ret
!= 0 || (ret
= krb5_kt_end_seq_get(context
, kt
, &cursor
)) != 0)
1197 krb5_err(context
, 1, ret
, "get_princ_kt");
1200 parse_name_realm(context
, name
, 0, NULL
, principal
);
1202 krb5_err(context
, 1, KRB5_CC_NOTFOUND
, "get_princ_kt");
1205 krb5_free_principal(context
, tmp
);
1209 static krb5_error_code
1210 get_switched_ccache(krb5_context context
,
1212 krb5_principal principal
,
1213 krb5_ccache
*ccache
)
1215 krb5_error_code ret
;
1218 if (strcmp(type
, "API") == 0) {
1220 * Windows stores the default ccache name in the
1221 * registry which is shared across multiple logon
1222 * sessions for the same user. The API credential
1223 * cache provides a unique name space per logon
1224 * session. Therefore there is no need to generate
1225 * a unique ccache name. Instead use the principal
1226 * name. This provides a friendlier user experience.
1228 char * unparsed_name
;
1231 ret
= krb5_unparse_name(context
, principal
,
1234 krb5_err(context
, 1, ret
,
1235 N_("unparsing principal name", ""));
1237 ret
= asprintf(&cred_cache
, "API:%s", unparsed_name
);
1238 krb5_free_unparsed_name(context
, unparsed_name
);
1239 if (ret
== -1 || cred_cache
== NULL
)
1240 krb5_err(context
, 1, ret
,
1241 N_("building credential cache name", ""));
1243 ret
= krb5_cc_resolve(context
, cred_cache
, ccache
);
1245 } else if (strcmp(type
, "MSLSA") == 0) {
1247 * The Windows MSLSA cache when it is writeable
1248 * stores tickets for multiple client principals
1249 * in a single credential cache.
1251 ret
= krb5_cc_resolve(context
, "MSLSA:", ccache
);
1253 ret
= krb5_cc_new_unique(context
, type
, NULL
, ccache
);
1256 ret
= krb5_cc_new_unique(context
, type
, NULL
, ccache
);
1263 main(int argc
, char **argv
)
1265 krb5_error_code ret
;
1266 krb5_context context
;
1268 krb5_principal principal
= NULL
;
1270 krb5_deltat ticket_life
= 0;
1271 #ifdef HAVE_SIGACTION
1272 struct sigaction sa
;
1274 krb5_boolean unique_ccache
= FALSE
;
1275 int anonymous_pkinit
= FALSE
;
1277 setprogname(argv
[0]);
1279 setlocale(LC_ALL
, "");
1280 bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR
);
1281 textdomain("heimdal_kuser");
1283 ret
= krb5_init_context(&context
);
1284 if (ret
== KRB5_CONFIG_BADFORMAT
)
1285 errx(1, "krb5_init_context failed to parse configuration file");
1287 errx(1, "krb5_init_context failed: %d", ret
);
1289 if (getarg(args
, sizeof(args
) / sizeof(args
[0]), argc
, argv
, &optidx
))
1296 print_version(NULL
);
1304 * Open the keytab now, we use the keytab to determine the principal's
1305 * realm when the requested principal has no realm.
1307 if (use_keytab
|| keytab_str
) {
1309 ret
= krb5_kt_resolve(context
, keytab_str
, &kt
);
1311 ret
= krb5_kt_default(context
, &kt
);
1313 krb5_err(context
, 1, ret
, "resolving keytab");
1316 if (pk_enterprise_flag
) {
1317 ret
= krb5_pk_enterprise_cert(context
, pk_user_id
,
1318 argv
[0], &principal
,
1321 krb5_err(context
, 1, ret
, "krb5_pk_enterprise_certs");
1325 } else if (anonymous_flag
&& argc
&& argv
[0][0] == '@') {
1326 /* If principal argument as @REALM, try anonymous PKINIT */
1328 ret
= krb5_make_principal(context
, &principal
, &argv
[0][1],
1329 KRB5_WELLKNOWN_NAME
, KRB5_ANON_NAME
,
1332 krb5_err(context
, 1, ret
, "krb5_make_principal");
1333 krb5_principal_set_type(context
, principal
, KRB5_NT_WELLKNOWN
);
1334 anonymous_pkinit
= TRUE
;
1335 } else if (use_keytab
|| keytab_str
) {
1336 get_princ_kt(context
, &principal
, argv
[0]);
1338 get_princ(context
, &principal
, argv
[0]);
1342 krb5_set_fcache_version(context
, fcache_version
);
1344 if (renewable_flag
== -1)
1345 /* this seems somewhat pointless, but whatever */
1346 krb5_appdefault_boolean(context
, "kinit",
1347 krb5_principal_get_realm(context
, principal
),
1348 "renewable", FALSE
, &renewable_flag
);
1349 if (do_afslog
== -1)
1350 krb5_appdefault_boolean(context
, "kinit",
1351 krb5_principal_get_realm(context
, principal
),
1352 "afslog", TRUE
, &do_afslog
);
1355 ret
= krb5_cc_resolve(context
, cred_cache
, &ccache
);
1359 ret
= krb5_cc_new_unique(context
, NULL
, NULL
, &ccache
);
1361 krb5_err(context
, 1, ret
, "creating cred cache");
1362 snprintf(s
, sizeof(s
), "%s:%s",
1363 krb5_cc_get_type(context
, ccache
),
1364 krb5_cc_get_name(context
, ccache
));
1365 setenv("KRB5CCNAME", s
, 1);
1366 unique_ccache
= TRUE
;
1368 ret
= krb5_cc_cache_match(context
, principal
, &ccache
);
1371 ret
= krb5_cc_default(context
, &ccache
);
1373 krb5_err(context
, 1, ret
,
1374 N_("resolving credentials cache", ""));
1377 * Check if the type support switching, and we do,
1378 * then do that instead over overwriting the current
1379 * default credential
1381 type
= krb5_cc_get_type(context
, ccache
);
1382 if (krb5_cc_support_switch(context
, type
)) {
1383 krb5_cc_close(context
, ccache
);
1384 ret
= get_switched_ccache(context
, type
, principal
,
1387 unique_ccache
= TRUE
;
1393 krb5_err(context
, 1, ret
, N_("resolving credentials cache", ""));
1396 if (argc
> 1 && k_hasafs())
1401 int tmp
= parse_time(lifetime
, "s");
1403 errx(1, N_("unparsable time: %s", ""), lifetime
);
1408 if (addrs_flag
== 0 && extra_addresses
.num_strings
> 0)
1409 krb5_errx(context
, 1,
1410 N_("specifying both extra addresses and "
1411 "no addresses makes no sense", ""));
1414 krb5_addresses addresses
;
1415 memset(&addresses
, 0, sizeof(addresses
));
1416 for(i
= 0; i
< extra_addresses
.num_strings
; i
++) {
1417 ret
= krb5_parse_address(context
, extra_addresses
.strings
[i
],
1420 krb5_add_extra_addresses(context
, &addresses
);
1421 krb5_free_addresses(context
, &addresses
);
1424 free_getarg_strings(&extra_addresses
);
1427 if (renew_flag
|| validate_flag
) {
1428 ret
= renew_validate(context
, renew_flag
, validate_flag
,
1429 ccache
, server_str
, ticket_life
);
1432 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1433 krb5_afslog(context
, ccache
, NULL
, NULL
);
1437 krb5_cc_destroy(context
, ccache
);
1441 ret
= get_new_tickets(context
, principal
, ccache
, ticket_life
,
1442 1, anonymous_pkinit
);
1445 krb5_cc_destroy(context
, ccache
);
1450 if (ret
== 0 && server_str
== NULL
&& do_afslog
&& k_hasafs())
1451 krb5_afslog(context
, ccache
, NULL
, NULL
);
1455 struct renew_ctx ctx
;
1458 timeout
= ticket_lifetime(context
, ccache
, principal
,
1459 server_str
, NULL
) / 2;
1461 ctx
.context
= context
;
1462 ctx
.ccache
= ccache
;
1463 ctx
.principal
= principal
;
1464 ctx
.ticket_life
= ticket_life
;
1465 ctx
.timeout
= timeout
;
1467 #ifdef HAVE_SIGACTION
1468 memset(&sa
, 0, sizeof(sa
));
1469 sigemptyset(&sa
.sa_mask
);
1470 sa
.sa_handler
= handle_siginfo
;
1472 sigaction(SIGINFO
, &sa
, NULL
);
1475 ret
= simple_execvp_timed(argv
[1], argv
+1,
1476 renew_func
, &ctx
, timeout
);
1477 #define EX_NOEXEC 126
1478 #define EX_NOTFOUND 127
1479 if (ret
== EX_NOEXEC
)
1480 krb5_warnx(context
, N_("permission denied: %s", ""), argv
[1]);
1481 else if (ret
== EX_NOTFOUND
)
1482 krb5_warnx(context
, N_("command not found: %s", ""), argv
[1]);
1484 krb5_cc_destroy(context
, ccache
);
1490 krb5_cc_close(context
, ccache
);
1493 krb5_free_principal(context
, principal
);
1495 krb5_kt_close(context
, kt
);
1496 krb5_free_context(context
);