int
main(int argc, char **argv)
{
krb5_context context;
krb5_principal server;
krb5_ccache ccache;
krb5_data data;
krb5_error_code ret;
char *perr;
int c;
unsigned int i;
bail_on_err(NULL, "Error initializing Kerberos library",
krb5_init_context(&context));
bail_on_err(context, "Error getting location of default ccache",
krb5_cc_default(context, &ccache));
server = NULL;
while ((c = getopt(argc, argv, "p:")) != -1) {
switch (c) {
case 'p':
if (asprintf(&perr, "Error parsing principal name \"%s\"",
optarg) < 0)
perr = "Error parsing principal name";
bail_on_err(context, perr,
krb5_parse_name(context, optarg, &server));
break;
}
}
if (argc - optind < 1 || argc - optind > 2) {
fprintf(stderr, "Usage: %s [-p principal] key [value]\n", argv[0]);
return 1;
}
memset(&data, 0, sizeof(data));
if (argc - optind == 2) {
unset_config(context, ccache, server, argv[optind]);
data = string2data(argv[optind + 1]);
bail_on_err(context, "Error adding configuration data to ccache",
krb5_cc_set_config(context, ccache, server, argv[optind],
&data));
} else {
ret = krb5_cc_get_config(context, ccache, server, argv[optind], &data);
if (ret == 0) {
for (i = 0; i < data.length; i++)
putc((unsigned int)data.data[i], stdout);
}
}
krb5_free_principal(context, server);
krb5_cc_close(context, ccache);
krb5_free_context(context);
return 0;
}
int
main(int argc, char **argv)
{
krb5_context ctx;
krb5_ccache in_ccache, out_ccache, armor_ccache;
krb5_get_init_creds_opt *opt;
char *user, *password, *armor_ccname = NULL, *in_ccname = NULL, *perr;
const char *err;
krb5_principal client;
krb5_creds creds;
krb5_flags fast_flags;
krb5_error_code ret;
int c;
while ((c = getopt(argc, argv, "I:A:")) != -1) {
switch (c) {
case 'A':
armor_ccname = optarg;
break;
case 'I':
in_ccname = optarg;
break;
}
}
if (argc - optind < 2) {
fprintf(stderr, "Usage: %s [-A armor_ccache] [-I in_ccache] "
"username password\n", argv[0]);
return 1;
}
user = argv[optind];
password = argv[optind + 1];
bail_on_err(NULL, "Error initializing Kerberos", krb5_init_context(&ctx));
bail_on_err(ctx, "Error allocating space for get_init_creds options",
krb5_get_init_creds_opt_alloc(ctx, &opt));
if (in_ccname != NULL) {
bail_on_err(ctx, "Error resolving input ccache",
krb5_cc_resolve(ctx, in_ccname, &in_ccache));
bail_on_err(ctx, "Error setting input_ccache option",
krb5_get_init_creds_opt_set_in_ccache(ctx, opt,
in_ccache));
} else {
in_ccache = NULL;
}
if (armor_ccname != NULL) {
bail_on_err(ctx, "Error resolving armor ccache",
krb5_cc_resolve(ctx, armor_ccname, &armor_ccache));
bail_on_err(ctx, "Error setting fast_ccache option",
krb5_get_init_creds_opt_set_fast_ccache(ctx, opt,
armor_ccache));
fast_flags = KRB5_FAST_REQUIRED;
bail_on_err(ctx, "Error setting option to force use of FAST",
krb5_get_init_creds_opt_set_fast_flags(ctx, opt,
fast_flags));
} else {
armor_ccache = NULL;
}
bail_on_err(ctx, "Error resolving output (default) ccache",
krb5_cc_default(ctx, &out_ccache));
bail_on_err(ctx, "Error setting output ccache option",
krb5_get_init_creds_opt_set_out_ccache(ctx, opt, out_ccache));
if (asprintf(&perr, "Error parsing principal name \"%s\"", user) < 0)
abort();
bail_on_err(ctx, perr, krb5_parse_name(ctx, user, &client));
ret = krb5_get_init_creds_password(ctx, &creds, client, password,
prompter_cb, NULL, 0, NULL, opt);
if (ret) {
err = krb5_get_error_message(ctx, ret);
printf("%s\n", err);
krb5_free_error_message(ctx, err);
} else {
krb5_free_cred_contents(ctx, &creds);
}
krb5_get_init_creds_opt_free(ctx, opt);
krb5_free_principal(ctx, client);
krb5_cc_close(ctx, out_ccache);
if (armor_ccache != NULL)
krb5_cc_close(ctx, armor_ccache);
if (in_ccache != NULL)
krb5_cc_close(ctx, in_ccache);
krb5_free_context(ctx);
free(perr);
return ret ? (ret - KRB5KDC_ERR_NONE) : 0;
}
/*
* The default unset code path depends on the underlying ccache implementation
* knowing how to remove a credential, which most types don't actually support,
* so we have to jump through some hoops to ensure that when we set a value for
* a key, it'll be the only value for that key that'll be found later. The
* ccache portions of libkrb5 will currently duplicate some of the actual
* tickets.
*/
static void
unset_config(krb5_context context, krb5_ccache ccache,
krb5_principal server, const char *key)
{
krb5_ccache tmp1, tmp2;
krb5_cc_cursor cursor;
krb5_creds mcreds, creds;
memset(&mcreds, 0, sizeof(mcreds));
memset(&creds, 0, sizeof(creds));
bail_on_err(context, "Error while deriving configuration principal names",
k5_build_conf_principals(context, ccache, server, key,
&mcreds));
bail_on_err(context, "Error resolving first in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
bail_on_err(context, "Error initializing first in-memory ccache",
krb5_cc_initialize(context, tmp1, mcreds.client));
bail_on_err(context, "Error resolving second in-memory ccache",
krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
bail_on_err(context, "Error initializing second in-memory ccache",
krb5_cc_initialize(context, tmp2, mcreds.client));
bail_on_err(context, "Error copying credentials to first in-memory ccache",
krb5_cc_copy_creds(context, ccache, tmp1));
bail_on_err(context, "Error starting traversal of first in-memory ccache",
krb5_cc_start_seq_get(context, tmp1, &cursor));
while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
if (!krb5_is_config_principal(context, creds.server) ||
!krb5_principal_compare(context, mcreds.server, creds.server) ||
!krb5_principal_compare(context, mcreds.client, creds.client)) {
bail_on_err(context,
"Error storing non-config item to in-memory ccache",
krb5_cc_store_cred(context, tmp2, &creds));
}
}
bail_on_err(context, "Error ending traversal of first in-memory ccache",
krb5_cc_end_seq_get(context, tmp1, &cursor));
bail_on_err(context, "Error clearing ccache",
krb5_cc_initialize(context, ccache, mcreds.client));
bail_on_err(context, "Error storing creds to the ccache",
krb5_cc_copy_creds(context, tmp2, ccache));
bail_on_err(context, "Error cleaning up first in-memory ccache",
krb5_cc_destroy(context, tmp1));
bail_on_err(context, "Error cleaning up second in-memory ccache",
krb5_cc_destroy(context, tmp2));
}
