/*
* Function: Initializes ccache and catches illegal caches such as
* bad format or no permissions.
*
* Parameters:
* ccache - credential cache structure to use
*
* Returns: krb5_error_code
*/
krb5_error_code
k5_init_ccache(krb5_ccache *ccache)
{
krb5_error_code code;
krb5_principal princ;
FILE *fp;
code = krb5_cc_default(k5_context, ccache); /* Initialize the ccache */
if (code)
return code;
code = krb5_cc_get_principal(k5_context, *ccache, &princ);
if (code == KRB5_FCC_NOFILE) { /* Doesn't exist yet */
fp = fopen(krb5_cc_get_name(k5_context, *ccache), "w");
if (fp == NULL) /* Can't open it */
return KRB5_FCC_PERM;
fclose (fp);
}
if (code) { /* Bad, delete and try again */
remove(krb5_cc_get_name(k5_context, *ccache));
code = krb5_cc_get_principal(k5_context, *ccache, &princ);
if (code == KRB5_FCC_NOFILE) /* Doesn't exist yet */
return 0;
if (code)
return code;
}
/* krb5_free_principal(k5_context, princ); */
return 0;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
client->store.envval = xstrdup(client->store.filename);
krb5_cc_close(krb_context, ccache);
return;
}
/*
* krb5_ccache_size() - Determine the size required to externalize
* this krb5_ccache variant.
*/
static krb5_error_code
krb5_ccache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep)
{
krb5_error_code kret;
krb5_ccache ccache;
size_t required;
kret = EINVAL;
if ((ccache = (krb5_ccache) arg)) {
/*
* Saving FILE: variants of krb5_ccache requires at minimum:
* krb5_int32 for KV5M_CCACHE
* krb5_int32 for length of ccache name.
* krb5_int32 for KV5M_CCACHE
*/
required = sizeof(krb5_int32) * 3;
if (ccache->ops->prefix)
required += (strlen(ccache->ops->prefix)+1);
/*
* The ccache name is formed as follows:
* <prefix>:<name>
*/
required += strlen(krb5_cc_get_name(kcontext, ccache));
kret = 0;
*sizep += required;
}
return(kret);
}
static void
test_mcache(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id, id2;
const char *nc, *tc;
char *c;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
nc = krb5_cc_get_name(context, id);
if (nc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
tc = krb5_cc_get_type(context, id);
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
if (asprintf(&c, "%s:%s", tc, nc) < 0 || c == NULL)
errx(1, "malloc");
krb5_cc_close(context, id);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
free(c);
}
static void
test_cache_iter_all(krb5_context context)
{
krb5_cccol_cursor cursor;
krb5_error_code ret;
krb5_ccache id;
ret = krb5_cccol_cursor_new (context, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cccol_cursor_new");
while ((ret = krb5_cccol_cursor_next (context, cursor, &id)) == 0 && id != NULL) {
krb5_principal principal;
char *name;
if (debug_flag)
printf("name: %s\n", krb5_cc_get_name(context, id));
ret = krb5_cc_get_principal(context, id, &principal);
if (ret == 0) {
ret = krb5_unparse_name(context, principal, &name);
if (ret == 0) {
if (debug_flag)
printf("\tprincipal: %s\n", name);
free(name);
}
krb5_free_principal(context, principal);
}
krb5_cc_close(context, id);
}
krb5_cccol_cursor_free(context, &cursor);
}
static int
display_v5_ccache (krb5_context context, krb5_ccache ccache,
int do_test, int do_verbose,
int do_flags, int do_hidden)
{
krb5_error_code ret;
krb5_principal principal;
int exit_status = 0;
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
if(ret == ENOENT) {
if (!do_test)
krb5_warnx(context, N_("No ticket file: %s", ""),
krb5_cc_get_name(context, ccache));
return 1;
} else
krb5_err (context, 1, ret, "krb5_cc_get_principal");
}
if (do_test)
exit_status = check_for_tgt (context, ccache, principal, NULL);
else
print_tickets (context, ccache, principal, do_verbose,
do_flags, do_hidden);
ret = krb5_cc_close (context, ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_close");
krb5_free_principal (context, principal);
return exit_status;
}
static PyObject *
k5_cc_default(PyObject *self, PyObject *args)
{
krb5_context ctx;
krb5_error_code code;
krb5_ccache ccache;
const char *name;
PyObject *ret;
code = krb5_init_context(&ctx);
RETURN_ON_ERROR("krb5_init_context()", code);
code = krb5_cc_default(ctx, &ccache);
RETURN_ON_ERROR("krb5_cc_default()", code);
name = krb5_cc_get_name(ctx, ccache);
if (name == NULL)
{
PyErr_Format(k5_error, "krb5_cc_default() returned NULL");
return NULL;
}
ret = PyString_FromString(name);
if (ret == NULL)
return ret;
code = krb5_cc_close(ctx, ccache);
RETURN_ON_ERROR("krb5_cc_close()", code);
krb5_free_context(ctx);
return ret;
}
/*
* krb5_ccache_externalize() - Externalize the krb5_ccache.
*/
static krb5_error_code
krb5_ccache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
krb5_error_code kret;
krb5_ccache ccache;
size_t required;
krb5_octet *bp;
size_t remain;
char *ccname;
size_t namelen;
const char *fnamep;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((ccache = (krb5_ccache) arg)) {
kret = ENOMEM;
if (!krb5_ccache_size(kcontext, arg, &required) &&
(required <= remain)) {
/* Our identifier */
(void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
/* Calculate the length of the name */
namelen = (ccache->ops && ccache->ops->prefix) ?
strlen(ccache->ops->prefix)+1 : 0;
fnamep = krb5_cc_get_name(kcontext, ccache);
namelen += (strlen(fnamep)+1);
if ((ccname = (char *) malloc(namelen))) {
/* Format the ccache name. */
if (ccache->ops && ccache->ops->prefix)
sprintf(ccname, "%s:%s", ccache->ops->prefix, fnamep);
else
strcpy(ccname, fnamep);
/* Put the length of the file name */
(void) krb5_ser_pack_int32((krb5_int32) strlen(ccname),
&bp, &remain);
/* Put the name */
(void) krb5_ser_pack_bytes((krb5_octet *) ccname,
strlen(ccname),
&bp, &remain);
/* Put the trailer */
(void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
kret = 0;
*buffer = bp;
*lenremain = remain;
free(ccname);
}
}
}
return(kret);
}
/* Display the contents of cache. */
static int
show_ccache(krb5_ccache cache)
{
krb5_cc_cursor cur;
krb5_creds creds;
krb5_principal princ;
krb5_error_code ret;
ret = krb5_cc_get_principal(context, cache, &princ);
if (ret) {
com_err(progname, ret, "");
return 1;
}
ret = krb5_unparse_name(context, princ, &defname);
if (ret) {
com_err(progname, ret, _("while unparsing principal name"));
return 1;
}
printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
defname);
/* XXX Translating would disturb table alignment; skip for now. */
fputs("Valid starting", stdout);
fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
fputs("Expires", stdout);
fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
fputs("Service principal\n", stdout);
ret = krb5_cc_start_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while starting to retrieve tickets"));
return 1;
}
while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
if (show_config || !krb5_is_config_principal(context, creds.server))
show_credential(&creds);
krb5_free_cred_contents(context, &creds);
}
krb5_free_principal(context, princ);
krb5_free_unparsed_name(context, defname);
defname = NULL;
if (ret == KRB5_CC_END) {
ret = krb5_cc_end_seq_get(context, cache, &cur);
if (ret) {
com_err(progname, ret, _("while finishing ticket retrieval"));
return 1;
}
return 0;
} else {
com_err(progname, ret, _("while retrieving a ticket"));
return 1;
}
}
/*
* krb5_ccache_externalize() - Externalize the krb5_ccache.
*/
static krb5_error_code
krb5_ccache_externalize(krb5_context kcontext, krb5_pointer arg, krb5_octet **buffer, size_t *lenremain)
{
krb5_error_code kret;
krb5_ccache ccache;
size_t required;
krb5_octet *bp;
size_t remain;
char *ccname;
const char *fnamep;
required = 0;
bp = *buffer;
remain = *lenremain;
kret = EINVAL;
if ((ccache = (krb5_ccache) arg)) {
kret = ENOMEM;
if (!krb5_ccache_size(kcontext, arg, &required) &&
(required <= remain)) {
/* Our identifier */
(void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
fnamep = krb5_cc_get_name(kcontext, ccache);
if (ccache->ops->prefix) {
if (asprintf(&ccname, "%s:%s", ccache->ops->prefix, fnamep) < 0)
ccname = NULL;
} else
ccname = strdup(fnamep);
if (ccname) {
/* Put the length of the file name */
(void) krb5_ser_pack_int32((krb5_int32) strlen(ccname),
&bp, &remain);
/* Put the name */
(void) krb5_ser_pack_bytes((krb5_octet *) ccname,
strlen(ccname),
&bp, &remain);
/* Put the trailer */
(void) krb5_ser_pack_int32(KV5M_CCACHE, &bp, &remain);
kret = 0;
*buffer = bp;
*lenremain = remain;
free(ccname);
}
}
}
return(kret);
}
static int
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal)
{
krb5_error_code ret;
krb5_cc_cursor cursor;
krb5_creds cred;
char *str;
ret = krb5_unparse_name (context, principal, &str);
if (ret) {
lreply(500, "krb5_unparse_name: %d", ret);
return 500;
}
lreply(200, "%17s: %s:%s",
"Credentials cache",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
lreply(200, "%17s: %s", "Principal", str);
free (str);
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_start_seq_get: %d", ret);
return 500;
}
lreply(200, " Issued Expires Principal");
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&cred)) == 0) {
if (print_cred(context, &cred))
return 500;
krb5_free_cred_contents (context, &cred);
}
if (ret != KRB5_CC_END) {
lreply(500, "krb5_cc_get_next: %d", ret);
return 500;
}
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret) {
lreply(500, "krb5_cc_end_seq_get: %d", ret);
return 500;
}
return 200;
}
static int
klist5(void)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal;
int exit_status = 200;
ret = krb5_init_context (&context);
if (ret) {
lreply(500, "krb5_init_context failed: %d", ret);
return 500;
}
if (k5ccname)
ret = krb5_cc_resolve(context, k5ccname, &ccache);
else
ret = krb5_cc_default (context, &ccache);
if (ret) {
lreply(500, "krb5_cc_default: %d", ret);
return 500;
}
ret = krb5_cc_get_principal (context, ccache, &principal);
if (ret) {
if(ret == ENOENT)
lreply(500, "No ticket file: %s",
krb5_cc_get_name(context, ccache));
else
lreply(500, "krb5_cc_get_principal: %d", ret);
return 500;
}
exit_status = print_tickets (context, ccache, principal);
ret = krb5_cc_close (context, ccache);
if (ret) {
lreply(500, "krb5_cc_close: %d", ret);
exit_status = 500;
}
krb5_free_principal (context, principal);
krb5_free_context (context);
return exit_status;
}
static void
test_init_vs_destroy(krb5_context context, const char *type)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
char *n = NULL;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_new_unique(context, type, NULL, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_new_unique");
if (asprintf(&n, "%s:%s",
krb5_cc_get_type(context, id),
krb5_cc_get_name(context, id)) < 0 || n == NULL)
errx(1, "malloc");
ret = krb5_cc_resolve(context, n, &id2);
free(n);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
krb5_cc_destroy(context, id);
ret = krb5_cc_initialize(context, id2, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
krb5_error_code KRB5_CALLCONV
krb5_get_init_creds_opt_set_fast_ccache(krb5_context context,
krb5_get_init_creds_opt *opt,
krb5_ccache ccache)
{
krb5_error_code retval = 0;
struct k5buf buf;
char *cc_name;
krb5int_buf_init_dynamic(&buf);
krb5int_buf_add(&buf, krb5_cc_get_type(context, ccache));
krb5int_buf_add(&buf, ":");
krb5int_buf_add(&buf, krb5_cc_get_name(context, ccache));
cc_name = krb5int_buf_data(&buf);
if (cc_name)
retval = krb5_get_init_creds_opt_set_fast_ccache_name(context, opt,
cc_name);
else
retval = ENOMEM;
krb5int_free_buf(&buf);
return retval;
}
static int
krb5_start_session(void)
{
krb5_ccache ccache2;
char *cc_name;
int ret;
ret = krb5_cc_new_unique(context, krb5_cc_type_file, NULL, &ccache2);
if (ret) {
krb5_cc_destroy(context, ccache);
return 1;
}
ret = krb5_cc_copy_cache(context, ccache, ccache2);
if (ret) {
krb5_cc_destroy(context, ccache);
krb5_cc_destroy(context, ccache2);
return 1;
}
ret = asprintf(&cc_name, "%s:%s", krb5_cc_get_type(context, ccache2),
krb5_cc_get_name(context, ccache2));
if (ret == -1) {
krb5_cc_destroy(context, ccache);
krb5_cc_destroy(context, ccache2);
errx(1, "malloc - out of memory");
}
esetenv("KRB5CCNAME", cc_name, 1);
/* convert creds? */
if(k_hasafs()) {
if (k_setpag() == 0)
krb5_afslog(context, ccache2, NULL, NULL);
}
krb5_cc_close(context, ccache2);
krb5_cc_destroy(context, ccache);
return 0;
}
static void
test_init_vs_destroy(krb5_context context, const krb5_cc_ops *ops)
{
krb5_error_code ret;
krb5_ccache id, id2;
krb5_principal p, p2;
char *n;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_gen_new(context, ops, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
asprintf(&n, "%s:%s",
krb5_cc_get_type(context, id),
krb5_cc_get_name(context, id));
ret = krb5_cc_resolve(context, n, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
krb5_cc_destroy(context, id);
ret = krb5_cc_initialize(context, id2, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
}
static void
test_cache_iter(krb5_context context, const char *type, int destroy)
{
krb5_cc_cache_cursor cursor;
krb5_error_code ret;
krb5_ccache id;
ret = krb5_cc_cache_get_first (context, type, &cursor);
if (ret == KRB5_CC_NOSUPP)
return;
else if (ret)
krb5_err(context, 1, ret, "krb5_cc_cache_get_first(%s)", type);
while ((ret = krb5_cc_cache_next (context, cursor, &id)) == 0) {
krb5_principal principal;
char *name;
if (debug_flag)
printf("name: %s\n", krb5_cc_get_name(context, id));
ret = krb5_cc_get_principal(context, id, &principal);
if (ret == 0) {
ret = krb5_unparse_name(context, principal, &name);
if (ret == 0) {
if (debug_flag)
printf("\tprincipal: %s\n", name);
free(name);
}
krb5_free_principal(context, principal);
}
if (destroy)
krb5_cc_destroy(context, id);
else
krb5_cc_close(context, id);
}
krb5_cc_cache_end_seq_get(context, cursor);
}
static BOOL ads_cleanup_expired_creds(krb5_context context,
krb5_ccache ccache,
krb5_creds *credsp)
{
krb5_error_code retval;
const char *cc_type = krb5_cc_get_type(context, ccache);
DEBUG(3, ("ads_cleanup_expired_creds: Ticket in ccache[%s:%s] expiration %s\n",
cc_type, krb5_cc_get_name(context, ccache),
http_timestring(credsp->times.endtime)));
/* we will probably need new tickets if the current ones
will expire within 10 seconds.
*/
if (credsp->times.endtime >= (time(NULL) + 10))
return False;
/* heimdal won't remove creds from a file ccache, and
perhaps we shouldn't anyway, since internally we
use memory ccaches, and a FILE one probably means that
we're using creds obtained outside of our exectuable
*/
if (strequal(cc_type, "FILE")) {
DEBUG(5, ("ads_cleanup_expired_creds: We do not remove creds from a %s ccache\n", cc_type));
return False;
}
retval = krb5_cc_remove_cred(context, ccache, 0, credsp);
if (retval) {
DEBUG(1, ("ads_cleanup_expired_creds: krb5_cc_remove_cred failed, err %s\n",
error_message(retval)));
/* If we have an error in this, we want to display it,
but continue as though we deleted it */
}
return True;
}
static void
store_tickets(struct passwd *pwd, int ticket_newfiles, int ticket_store,
int token_install)
{
char cc_file[MAXPATHLEN];
krb5_ccache ccache_store;
#ifdef KRB524
int get_krb4_ticket = 0;
char krb4_ticket_file[MAXPATHLEN];
#endif
if (ticket_newfiles)
snprintf(cc_file, sizeof(cc_file), "FILE:/tmp/krb5cc_%d",
pwd->pw_uid);
else
snprintf(cc_file, sizeof(cc_file), "%s",
krb5_cc_default_name(context));
if (ticket_store) {
ret = krb5_cc_resolve(context, cc_file, &ccache_store);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"krb5_cc_gen_new");
exit(1);
}
ret = krb5_cc_copy_cache(context, ccache, ccache_store);
if (ret != 0)
krb5_syslog(context, LOG_ERR, ret,
"krb5_cc_copy_cache");
chown(krb5_cc_get_name(context, ccache_store),
pwd->pw_uid, pwd->pw_gid);
fprintf(back, BI_SETENV " KRB5CCNAME %s:%s\n",
krb5_cc_get_type(context, ccache_store),
krb5_cc_get_name(context, ccache_store));
#ifdef KRB524
get_krb4_ticket = krb5_config_get_bool_default (context,
NULL, get_krb4_ticket, "libdefaults",
"krb4_get_tickets", NULL);
if (get_krb4_ticket) {
CREDENTIALS c;
krb5_creds cred;
krb5_cc_cursor cursor;
ret = krb5_cc_start_seq_get(context, ccache, &cursor);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"start seq");
exit(1);
}
ret = krb5_cc_next_cred(context, ccache,
&cursor, &cred);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"next cred");
exit(1);
}
ret = krb5_cc_end_seq_get(context, ccache,
&cursor);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"end seq");
exit(1);
}
ret = krb524_convert_creds_kdc_ccache(context, ccache,
&cred, &c);
if (ret != 0) {
krb5_syslog(context, LOG_ERR, ret,
"convert");
} else {
snprintf(krb4_ticket_file,
sizeof(krb4_ticket_file),
"%s%d", TKT_ROOT, pwd->pw_uid);
krb_set_tkt_string(krb4_ticket_file);
tf_setup(&c, c.pname, c.pinst);
chown(krb4_ticket_file,
pwd->pw_uid, pwd->pw_gid);
}
}
#endif
}
/* Need to chown the ticket file */
#ifdef KRB524
if (get_krb4_ticket)
fprintf(back, BI_SETENV " KRBTKFILE %s\n",
krb4_ticket_file);
#endif
}
int
main(int argc, char **argv)
{
int f;
char tf[1024];
char *p;
char *path;
char **args;
int i;
int optind = 0;
setprogname(argv[0]);
if(getarg(getargs, num_args, argc, argv, &optind))
usage(1);
if(help_flag)
usage(0);
if(version_flag) {
print_version(NULL);
exit(0);
}
argc -= optind;
argv += optind;
#ifdef KRB5
{
const krb5_cc_ops *type;
krb5_error_code ret;
krb5_context context;
krb5_ccache id;
const char *name;
ret = krb5_init_context(&context);
if (ret) /* XXX should this really call exit ? */
errx(1, "no kerberos 5 support");
if (typename_arg == NULL) {
char *s;
name = krb5_cc_default_name(context);
if (name == NULL)
krb5_errx(context, 1, "Failed getting default "
"credential cache type");
typename_arg = strdup(name);
if (typename_arg == NULL)
errx(1, "strdup");
s = strchr(typename_arg, ':');
if (s)
*s = '\0';
}
type = krb5_cc_get_prefix_ops(context, typename_arg);
if (type == NULL)
krb5_err(context, 1, ret, "Failed getting ops for %s "
"credential cache", typename_arg);
ret = krb5_cc_gen_new(context, type, &id);
if (ret)
krb5_err(context, 1, ret, "Failed generating credential cache");
name = krb5_cc_get_name(context, id);
if (name == NULL)
krb5_errx(context, 1, "Generated credential cache have no name");
snprintf(tf, sizeof(tf), "%s:%s", typename_arg, name);
ret = krb5_cc_close(context, id);
if (ret)
krb5_err(context, 1, ret, "Failed closing credential cache");
krb5_free_context(context);
esetenv("KRB5CCNAME", tf, 1);
}
#endif
snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
f = mkstemp (tf);
if (f < 0)
err(1, "mkstemp failed");
close (f);
unlink (tf);
esetenv("KRBTKFILE", tf, 1);
i = 0;
args = (char **) malloc((argc + 10)*sizeof(char *));
if (args == NULL)
errx (1, "Out of memory allocating %lu bytes",
(unsigned long)((argc + 10)*sizeof(char *)));
if(*argv == NULL) {
path = getenv("SHELL");
if(path == NULL){
struct passwd *pw = k_getpwuid(geteuid());
path = strdup(pw->pw_shell);
}
} else {
path = strdup(*argv++);
}
if (path == NULL)
errx (1, "Out of memory copying path");
p=strrchr(path, '/');
if(p)
args[i] = strdup(p+1);
else
args[i] = strdup(path);
if (args[i++] == NULL)
errx (1, "Out of memory copying arguments");
while(*argv)
args[i++] = *argv++;
args[i++] = NULL;
if(k_hasafs())
k_setpag();
unsetenv("PAGPID");
execvp(path, args);
if (errno == ENOENT || c_flag) {
char **sh_args = malloc ((i + 2) * sizeof(char *));
int j;
if (sh_args == NULL)
errx (1, "Out of memory copying sh arguments");
for (j = 1; j < i; ++j)
sh_args[j + 2] = args[j];
sh_args[0] = "sh";
sh_args[1] = "-c";
sh_args[2] = path;
execv ("/bin/sh", sh_args);
}
err (1, "execvp");
}
static int
list_caches(krb5_context context)
{
krb5_cc_cache_cursor cursor;
const char *cdef_name;
char *def_name;
krb5_error_code ret;
krb5_ccache id;
rtbl_t ct;
cdef_name = krb5_cc_default_name(context);
if (cdef_name == NULL)
krb5_errx(context, 1, "krb5_cc_default_name");
def_name = strdup(cdef_name);
ret = krb5_cc_cache_get_first (context, NULL, &cursor);
if (ret == KRB5_CC_NOSUPP)
return 0;
else if (ret)
krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
ct = rtbl_create();
rtbl_add_column(ct, COL_NAME, 0);
rtbl_add_column(ct, COL_CACHENAME, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
rtbl_add_column(ct, COL_DEFCACHE, 0);
rtbl_set_prefix(ct, " ");
rtbl_set_column_prefix(ct, COL_NAME, "");
while (krb5_cc_cache_next (context, cursor, &id) == 0) {
krb5_principal principal = NULL;
int expired = 0;
char *name;
time_t t;
ret = krb5_cc_get_principal(context, id, &principal);
if (ret)
continue;
expired = check_for_tgt (context, id, principal, &t);
ret = krb5_cc_get_friendly_name(context, id, &name);
if (ret == 0) {
const char *str;
char *fname;
rtbl_add_column_entry(ct, COL_NAME, name);
rtbl_add_column_entry(ct, COL_CACHENAME,
krb5_cc_get_name(context, id));
if (expired)
str = N_(">>> Expired <<<", "");
else
str = printable_time(t);
rtbl_add_column_entry(ct, COL_EXPIRES, str);
free(name);
ret = krb5_cc_get_full_name(context, id, &fname);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_get_full_name");
if (strcmp(fname, def_name) == 0)
rtbl_add_column_entry(ct, COL_DEFCACHE, "*");
else
rtbl_add_column_entry(ct, COL_DEFCACHE, "");
krb5_xfree(fname);
}
krb5_cc_close(context, id);
krb5_free_principal(context, principal);
}
krb5_cc_cache_end_seq_get(context, cursor);
free(def_name);
rtbl_format(ct, stdout);
rtbl_destroy(ct);
return 0;
}
static void
print_tickets (krb5_context context,
krb5_ccache ccache,
krb5_principal principal,
int do_verbose,
int do_flags,
int do_hidden)
{
krb5_error_code ret;
char *str, *name;
krb5_cc_cursor cursor;
krb5_creds creds;
krb5_deltat sec;
rtbl_t ct = NULL;
ret = krb5_unparse_name (context, principal, &str);
if (ret)
krb5_err (context, 1, ret, "krb5_unparse_name");
printf ("%17s: %s:%s\n",
N_("Credentials cache", ""),
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
printf ("%17s: %s\n", N_("Principal", ""), str);
ret = krb5_cc_get_friendly_name(context, ccache, &name);
if (ret == 0) {
if (strcmp(name, str) != 0)
printf ("%17s: %s\n", N_("Friendly name", ""), name);
free(name);
}
free (str);
if(do_verbose) {
printf ("%17s: %d\n", N_("Cache version", ""),
krb5_cc_get_version(context, ccache));
} else {
krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
}
ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
if (ret == 0 && do_verbose && sec != 0) {
char buf[BUFSIZ];
int val;
int sig;
val = sec;
sig = 1;
if (val < 0) {
sig = -1;
val = -val;
}
unparse_time (val, buf, sizeof(buf));
printf ("%17s: %s%s\n", N_("KDC time offset", ""),
sig == -1 ? "-" : "", buf);
}
printf("\n");
ret = krb5_cc_start_seq_get (context, ccache, &cursor);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
if(!do_verbose) {
ct = rtbl_create();
rtbl_add_column(ct, COL_ISSUED, 0);
rtbl_add_column(ct, COL_EXPIRES, 0);
if(do_flags)
rtbl_add_column(ct, COL_FLAGS, 0);
rtbl_add_column(ct, COL_PRINCIPAL, 0);
rtbl_set_separator(ct, " ");
}
while ((ret = krb5_cc_next_cred (context,
ccache,
&cursor,
&creds)) == 0) {
if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
;
}else if(do_verbose){
print_cred_verbose(context, &creds);
}else{
print_cred(context, &creds, ct, do_flags);
}
krb5_free_cred_contents (context, &creds);
}
if(ret != KRB5_CC_END)
krb5_err(context, 1, ret, "krb5_cc_get_next");
ret = krb5_cc_end_seq_get (context, ccache, &cursor);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
if(!do_verbose) {
rtbl_format(ct, stdout);
rtbl_destroy(ct);
}
}
/* Get initial credentials for authenticating to server. Perform fallback from
* kadmin/fqdn to kadmin/admin if svcname_in is NULL. */
static kadm5_ret_t
get_init_creds(kadm5_server_handle_t handle, krb5_principal client,
enum init_type init_type, char *pass, krb5_ccache ccache_in,
char *svcname_in, char *realm, krb5_principal *server_out)
{
kadm5_ret_t code;
krb5_ccache ccache = NULL;
char svcname[BUFSIZ];
*server_out = NULL;
/* NULL svcname means use host-based. */
if (svcname_in == NULL) {
code = kadm5_get_admin_service_name(handle->context,
handle->params.realm,
svcname, sizeof(svcname));
if (code)
goto error;
} else {
strncpy(svcname, svcname_in, sizeof(svcname));
svcname[sizeof(svcname)-1] = '\0';
}
/*
* Acquire a service ticket for svcname@realm for client, using password
* pass (which could be NULL), and create a ccache to store them in. If
* INIT_CREDS, use the ccache we were provided instead.
*/
if (init_type == INIT_CREDS) {
ccache = ccache_in;
if (asprintf(&handle->cache_name, "%s:%s",
krb5_cc_get_type(handle->context, ccache),
krb5_cc_get_name(handle->context, ccache)) < 0) {
handle->cache_name = NULL;
code = ENOMEM;
goto error;
}
} else {
static int counter = 0;
if (asprintf(&handle->cache_name, "MEMORY:kadm5_%u", counter++) < 0) {
handle->cache_name = NULL;
code = ENOMEM;
goto error;
}
code = krb5_cc_resolve(handle->context, handle->cache_name,
&ccache);
if (code)
goto error;
code = krb5_cc_initialize (handle->context, ccache, client);
if (code)
goto error;
handle->destroy_cache = 1;
}
handle->lhandle->cache_name = handle->cache_name;
code = gic_iter(handle, init_type, ccache, client, pass, svcname, realm,
server_out);
if ((code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN
|| code == KRB5_CC_NOTFOUND) && svcname_in == NULL) {
/* Retry with old host-independent service principal. */
code = gic_iter(handle, init_type, ccache, client, pass,
KADM5_ADMIN_SERVICE, realm, server_out);
}
/* Improved error messages */
if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) code = KADM5_BAD_PASSWORD;
if (code == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
code = KADM5_SECURE_PRINC_MISSING;
error:
if (ccache != NULL && init_type != INIT_CREDS)
krb5_cc_close(handle->context, ccache);
return code;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
int len;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
#else
{
int tmpfd;
char ccname[40];
snprintf(ccname, sizeof(ccname),
"FILE:/tmp/krb5cc_%d_XXXXXX", geteuid());
if ((tmpfd = mkstemp(ccname + strlen("FILE:"))) == -1) {
logit("mkstemp(): %.100s", strerror(errno));
problem = errno;
return;
}
if (fchmod(tmpfd, S_IRUSR | S_IWUSR) == -1) {
logit("fchmod(): %.100s", strerror(errno));
close(tmpfd);
problem = errno;
return;
}
close(tmpfd);
if ((problem = krb5_cc_resolve(krb_context, ccname, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return;
}
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
logit("krb5_parse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_destroy(krb_context, ccache);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
client->store.filename = xstrdup(krb5_cc_get_name(krb_context, ccache));
client->store.envvar = "KRB5CCNAME";
len = strlen(client->store.filename) + 6;
client->store.envval = xmalloc(len);
snprintf(client->store.envval, len, "FILE:%s", client->store.filename);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
static void
test_mcache(krb5_context context)
{
krb5_error_code ret;
krb5_ccache id, id2;
const char *nc, *tc;
char *n, *t, *c;
krb5_principal p, p2;
ret = krb5_parse_name(context, "*****@*****.**", &p);
if (ret)
krb5_err(context, 1, ret, "krb5_parse_name");
ret = krb5_cc_gen_new(context, &krb5_mcc_ops, &id);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_gen_new");
ret = krb5_cc_initialize(context, id, p);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_initialize");
nc = krb5_cc_get_name(context, id);
if (nc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
tc = krb5_cc_get_type(context, id);
if (tc == NULL)
krb5_errx(context, 1, "krb5_cc_get_name");
n = estrdup(nc);
t = estrdup(tc);
asprintf(&c, "%s:%s", t, n);
krb5_cc_close(context, id);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_get_principal");
if (krb5_principal_compare(context, p, p2) == FALSE)
krb5_errx(context, 1, "p != p2");
krb5_cc_destroy(context, id2);
krb5_free_principal(context, p);
krb5_free_principal(context, p2);
ret = krb5_cc_resolve(context, c, &id2);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve");
ret = krb5_cc_get_principal(context, id2, &p2);
if (ret == 0)
krb5_errx(context, 1, "krb5_cc_get_principal");
krb5_cc_destroy(context, id2);
}
OM_uint32 GSSAPI_CALLCONV _gsskrb5_add_cred (
OM_uint32 *minor_status,
const gss_cred_id_t input_cred_handle,
const gss_name_t desired_name,
const gss_OID desired_mech,
gss_cred_usage_t cred_usage,
OM_uint32 initiator_time_req,
OM_uint32 acceptor_time_req,
gss_cred_id_t *output_cred_handle,
gss_OID_set *actual_mechs,
OM_uint32 *initiator_time_rec,
OM_uint32 *acceptor_time_rec)
{
krb5_context context;
OM_uint32 ret, lifetime;
gsskrb5_cred cred, handle;
krb5_const_principal dname;
handle = NULL;
cred = (gsskrb5_cred)input_cred_handle;
dname = (krb5_const_principal)desired_name;
GSSAPI_KRB5_INIT (&context);
if (gss_oid_equal(desired_mech, GSS_KRB5_MECHANISM) == 0) {
*minor_status = 0;
return GSS_S_BAD_MECH;
}
if (cred == NULL && output_cred_handle == NULL) {
*minor_status = 0;
return GSS_S_NO_CRED;
}
if (cred == NULL) { /* XXX standard conformance failure */
*minor_status = 0;
return GSS_S_NO_CRED;
}
/* check if requested output usage is compatible with output usage */
if (output_cred_handle != NULL) {
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
if (cred->usage != cred_usage && cred->usage != GSS_C_BOTH) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = GSS_KRB5_S_G_BAD_USAGE;
return(GSS_S_FAILURE);
}
}
/* check that we have the same name */
if (dname != NULL &&
krb5_principal_compare(context, dname,
cred->principal) != FALSE) {
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = 0;
return GSS_S_BAD_NAME;
}
/* make a copy */
if (output_cred_handle) {
krb5_error_code kret;
handle = calloc(1, sizeof(*handle));
if (handle == NULL) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
*minor_status = ENOMEM;
return (GSS_S_FAILURE);
}
handle->usage = cred_usage;
handle->endtime = cred->endtime;
handle->principal = NULL;
handle->keytab = NULL;
handle->ccache = NULL;
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
kret = krb5_copy_principal(context, cred->principal,
&handle->principal);
if (kret) {
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
free(handle);
*minor_status = kret;
return GSS_S_FAILURE;
}
if (cred->keytab) {
char *name = NULL;
ret = GSS_S_FAILURE;
kret = krb5_kt_get_full_name(context, cred->keytab, &name);
if (kret) {
*minor_status = kret;
goto failure;
}
kret = krb5_kt_resolve(context, name,
&handle->keytab);
krb5_xfree(name);
if (kret){
*minor_status = kret;
goto failure;
}
}
if (cred->ccache) {
const char *type, *name;
char *type_name = NULL;
ret = GSS_S_FAILURE;
type = krb5_cc_get_type(context, cred->ccache);
if (type == NULL){
*minor_status = ENOMEM;
goto failure;
}
if (strcmp(type, "MEMORY") == 0) {
ret = krb5_cc_new_unique(context, type,
NULL, &handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
ret = krb5_cc_copy_cache(context, cred->ccache,
handle->ccache);
if (ret) {
*minor_status = ret;
goto failure;
}
} else {
name = krb5_cc_get_name(context, cred->ccache);
if (name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
kret = asprintf(&type_name, "%s:%s", type, name);
if (kret < 0 || type_name == NULL) {
*minor_status = ENOMEM;
goto failure;
}
kret = krb5_cc_resolve(context, type_name,
&handle->ccache);
free(type_name);
if (kret) {
*minor_status = kret;
goto failure;
}
}
}
}
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
ret = _gsskrb5_inquire_cred(minor_status, (gss_cred_id_t)cred,
NULL, &lifetime, NULL, actual_mechs);
if (ret)
goto failure;
if (initiator_time_rec)
*initiator_time_rec = lifetime;
if (acceptor_time_rec)
*acceptor_time_rec = lifetime;
if (output_cred_handle) {
*output_cred_handle = (gss_cred_id_t)handle;
}
*minor_status = 0;
return ret;
failure:
if (handle) {
if (handle->principal)
krb5_free_principal(context, handle->principal);
if (handle->keytab)
krb5_kt_close(context, handle->keytab);
if (handle->ccache)
krb5_cc_destroy(context, handle->ccache);
free(handle);
}
if (output_cred_handle)
HEIMDAL_MUTEX_unlock(&cred->cred_id_mutex);
return ret;
}
static void
ssh_gssapi_krb5_storecreds(ssh_gssapi_client *client)
{
krb5_ccache ccache;
krb5_error_code problem;
krb5_principal princ;
OM_uint32 maj_status, min_status;
const char *errmsg;
const char *new_ccname;
if (client->creds == NULL) {
debug("No credentials stored");
return;
}
if (ssh_gssapi_krb5_init() == 0)
return;
#ifdef HEIMDAL
# ifdef HAVE_KRB5_CC_NEW_UNIQUE
if ((problem = krb5_cc_new_unique(krb_context, krb5_fcc_ops.prefix,
NULL, &ccache)) != 0) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_new_unique(): %.100s", errmsg);
# else
if ((problem = krb5_cc_gen_new(krb_context, &krb5_fcc_ops, &ccache))) {
logit("krb5_cc_gen_new(): %.100s",
krb5_get_err_text(krb_context, problem));
# endif
krb5_free_error_message(krb_context, errmsg);
return;
}
#else
if ((problem = ssh_krb5_cc_gen(krb_context, &ccache))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("ssh_krb5_cc_gen(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
#endif /* #ifdef HEIMDAL */
if ((problem = krb5_parse_name(krb_context,
client->exportedname.value, &princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_parse_name(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
return;
}
if ((problem = krb5_cc_initialize(krb_context, ccache, princ))) {
errmsg = krb5_get_error_message(krb_context, problem);
logit("krb5_cc_initialize(): %.100s", errmsg);
krb5_free_error_message(krb_context, errmsg);
krb5_free_principal(krb_context, princ);
krb5_cc_destroy(krb_context, ccache);
return;
}
krb5_free_principal(krb_context, princ);
if ((maj_status = gss_krb5_copy_ccache(&min_status,
client->creds, ccache))) {
logit("gss_krb5_copy_ccache() failed");
krb5_cc_destroy(krb_context, ccache);
return;
}
new_ccname = krb5_cc_get_name(krb_context, ccache);
client->store.envvar = "KRB5CCNAME";
#ifdef USE_CCAPI
xasprintf(&client->store.envval, "API:%s", new_ccname);
client->store.filename = NULL;
#else
xasprintf(&client->store.envval, "FILE:%s", new_ccname);
client->store.filename = xstrdup(new_ccname);
#endif
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv(client->store.envvar, client->store.envval);
#endif
krb5_cc_close(krb_context, ccache);
return;
}
int
ssh_gssapi_krb5_updatecreds(ssh_gssapi_ccache *store,
ssh_gssapi_client *client)
{
krb5_ccache ccache = NULL;
krb5_principal principal = NULL;
char *name = NULL;
krb5_error_code problem;
OM_uint32 maj_status, min_status;
if ((problem = krb5_cc_resolve(krb_context, store->envval, &ccache))) {
logit("krb5_cc_resolve(): %.100s",
krb5_get_err_text(krb_context, problem));
return 0;
}
/* Find out who the principal in this cache is */
if ((problem = krb5_cc_get_principal(krb_context, ccache,
&principal))) {
logit("krb5_cc_get_principal(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_cc_close(krb_context, ccache);
return 0;
}
if ((problem = krb5_unparse_name(krb_context, principal, &name))) {
logit("krb5_unparse_name(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
return 0;
}
if (strcmp(name,client->exportedname.value)!=0) {
debug("Name in local credentials cache differs. Not storing");
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
krb5_free_unparsed_name(krb_context, name);
return 0;
}
krb5_free_unparsed_name(krb_context, name);
/* Name matches, so lets get on with it! */
if ((problem = krb5_cc_initialize(krb_context, ccache, principal))) {
logit("krb5_cc_initialize(): %.100s",
krb5_get_err_text(krb_context, problem));
krb5_free_principal(krb_context, principal);
krb5_cc_close(krb_context, ccache);
return 0;
}
krb5_free_principal(krb_context, principal);
if ((maj_status = gss_krb5_copy_ccache(&min_status, client->creds,
ccache))) {
logit("gss_krb5_copy_ccache() failed. Sorry!");
krb5_cc_close(krb_context, ccache);
return 0;
}
return 1;
}
int
auth_krb5_password(Authctxt *authctxt, const char *password)
{
#ifndef HEIMDAL
krb5_creds creds;
krb5_principal server;
#endif
krb5_error_code problem;
krb5_ccache ccache = NULL;
int len;
char *client, *platform_client;
/* get platform-specific kerberos client principal name (if it exists) */
platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
client = platform_client ? platform_client : authctxt->pw->pw_name;
temporarily_use_uid(authctxt->pw);
problem = krb5_init(authctxt);
if (problem)
goto out;
problem = krb5_parse_name(authctxt->krb5_ctx, client,
&authctxt->krb5_user);
if (problem)
goto out;
#ifdef HEIMDAL
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
if (problem)
goto out;
problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
authctxt->krb5_user);
if (problem)
goto out;
restore_uid();
problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
ccache, password, 1, NULL);
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
&authctxt->krb5_fwd_ccache);
if (problem)
goto out;
problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
authctxt->krb5_fwd_ccache);
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
ccache = NULL;
if (problem)
goto out;
#else
problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
if (problem)
goto out;
problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
KRB5_NT_SRV_HST, &server);
if (problem)
goto out;
restore_uid();
problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
NULL, NULL, NULL);
krb5_free_principal(authctxt->krb5_ctx, server);
temporarily_use_uid(authctxt->pw);
if (problem)
goto out;
if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user, client)) {
problem = -1;
goto out;
}
problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
if (problem)
goto out;
problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
authctxt->krb5_user);
if (problem)
goto out;
problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
&creds);
if (problem)
goto out;
#endif
authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
len = strlen(authctxt->krb5_ticket_file) + 6;
authctxt->krb5_ccname = xmalloc(len);
snprintf(authctxt->krb5_ccname, len, "FILE:%s",
authctxt->krb5_ticket_file);
#ifdef USE_PAM
if (options.use_pam)
do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
#endif
out:
restore_uid();
if (platform_client != NULL)
xfree(platform_client);
if (problem) {
if (ccache)
krb5_cc_destroy(authctxt->krb5_ctx, ccache);
if (authctxt->krb5_ctx != NULL && problem!=-1)
debug("Kerberos password authentication failed: %s",
krb5_get_err_text(authctxt->krb5_ctx, problem));
else
debug("Kerberos password authentication failed: %d",
problem);
krb5_cleanup_proc(authctxt);
if (options.kerberos_or_local_passwd)
return (-1);
else
return (0);
}
return (authctxt->valid ? 1 : 0);
}
int
main(int argc, char **argv)
{
krb5_error_code ret;
krb5_context context;
krb5_ccache ccache;
krb5_principal principal = NULL;
int optidx = 0;
krb5_deltat ticket_life = 0;
#ifdef HAVE_SIGACTION
struct sigaction sa;
#endif
setprogname(argv[0]);
setlocale(LC_ALL, "");
bindtextdomain("heimdal_kuser", HEIMDAL_LOCALEDIR);
textdomain("heimdal_kuser");
ret = krb5_init_context(&context);
if (ret == KRB5_CONFIG_BADFORMAT)
errx(1, "krb5_init_context failed to parse configuration file");
else if (ret)
errx(1, "krb5_init_context failed: %d", ret);
if (getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
usage(1);
if (help_flag)
usage(0);
if (version_flag) {
print_version(NULL);
exit(0);
}
argc -= optidx;
argv += optidx;
/*
* Open the keytab now, we use the keytab to determine the principal's
* realm when the requested principal has no realm.
*/
if (use_keytab || keytab_str) {
if (keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err(context, 1, ret, "resolving keytab");
}
if (pk_enterprise_flag) {
ret = krb5_pk_enterprise_cert(context, pk_user_id,
argv[0], &principal,
&ent_user_id);
if (ret)
krb5_err(context, 1, ret, "krb5_pk_enterprise_certs");
pk_user_id = NULL;
} else if (anonymous_flag) {
ret = krb5_make_principal(context, &principal, argv[0],
KRB5_WELLKNOWN_NAME, KRB5_ANON_NAME,
NULL);
if (ret)
krb5_err(context, 1, ret, "krb5_make_principal");
krb5_principal_set_type(context, principal, KRB5_NT_WELLKNOWN);
} else if (use_keytab || keytab_str) {
get_princ_kt(context, &principal, argv[0]);
} else {
get_princ(context, &principal, argv[0]);
}
if (fcache_version)
krb5_set_fcache_version(context, fcache_version);
if (renewable_flag == -1)
/* this seems somewhat pointless, but whatever */
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"renewable", FALSE, &renewable_flag);
if (do_afslog == -1)
krb5_appdefault_boolean(context, "kinit",
krb5_principal_get_realm(context, principal),
"afslog", TRUE, &do_afslog);
if (cred_cache)
ret = krb5_cc_resolve(context, cred_cache, &ccache);
else {
if (argc > 1) {
char s[1024];
ret = krb5_cc_new_unique(context, NULL, NULL, &ccache);
if (ret)
krb5_err(context, 1, ret, "creating cred cache");
snprintf(s, sizeof(s), "%s:%s",
krb5_cc_get_type(context, ccache),
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
} else {
ret = krb5_cc_cache_match(context, principal, &ccache);
if (ret) {
const char *type;
ret = krb5_cc_default(context, &ccache);
if (ret)
krb5_err(context, 1, ret,
N_("resolving credentials cache", ""));
/*
* Check if the type support switching, and we do,
* then do that instead over overwriting the current
* default credential
*/
type = krb5_cc_get_type(context, ccache);
if (krb5_cc_support_switch(context, type)) {
krb5_cc_close(context, ccache);
ret = get_switched_ccache(context, type, principal,
&ccache);
}
}
}
}
if (ret)
krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
#ifndef NO_AFS
if (argc > 1 && k_hasafs())
k_setpag();
#endif
if (lifetime) {
int tmp = parse_time(lifetime, "s");
if (tmp < 0)
errx(1, N_("unparsable time: %s", ""), lifetime);
ticket_life = tmp;
}
if (addrs_flag == 0 && extra_addresses.num_strings > 0)
krb5_errx(context, 1,
N_("specifying both extra addresses and "
"no addresses makes no sense", ""));
{
int i;
krb5_addresses addresses;
memset(&addresses, 0, sizeof(addresses));
for(i = 0; i < extra_addresses.num_strings; i++) {
ret = krb5_parse_address(context, extra_addresses.strings[i],
&addresses);
if (ret == 0) {
krb5_add_extra_addresses(context, &addresses);
krb5_free_addresses(context, &addresses);
}
}
free_getarg_strings(&extra_addresses);
}
if (renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag,
ccache, server_str, ticket_life);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
exit(ret != 0);
}
ret = get_new_tickets(context, principal, ccache, ticket_life, 1);
if (ret)
exit(1);
#ifndef NO_AFS
if (ret == 0 && server_str == NULL && do_afslog && k_hasafs())
krb5_afslog(context, ccache, NULL, NULL);
#endif
if (argc > 1) {
struct renew_ctx ctx;
time_t timeout;
timeout = ticket_lifetime(context, ccache, principal,
server_str, NULL) / 2;
ctx.context = context;
ctx.ccache = ccache;
ctx.principal = principal;
ctx.ticket_life = ticket_life;
ctx.timeout = timeout;
#ifdef HAVE_SIGACTION
memset(&sa, 0, sizeof(sa));
sigemptyset(&sa.sa_mask);
sa.sa_handler = handle_siginfo;
sigaction(SIGINFO, &sa, NULL);
#endif
ret = simple_execvp_timed(argv[1], argv+1,
renew_func, &ctx, timeout);
#define EX_NOEXEC 126
#define EX_NOTFOUND 127
if (ret == EX_NOEXEC)
krb5_warnx(context, N_("permission denied: %s", ""), argv[1]);
else if (ret == EX_NOTFOUND)
krb5_warnx(context, N_("command not found: %s", ""), argv[1]);
krb5_cc_destroy(context, ccache);
#ifndef NO_AFS
if (k_hasafs())
k_unlog();
#endif
} else {
krb5_cc_close(context, ccache);
ret = 0;
}
krb5_free_principal(context, principal);
if (kt)
krb5_kt_close(context, kt);
krb5_free_context(context);
return ret;
}
static int
CommandProc(struct cmd_syndesc *as, void *arock)
{
krb5_principal princ = 0;
char *cell, *pname, **hrealms, *service;
char service_temp[MAXKTCREALMLEN + 20];
krb5_creds incred[1], mcred[1], *outcred = 0, *afscred;
krb5_ccache cc = 0;
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
krb5_get_init_creds_opt *gic_opts;
#else
krb5_get_init_creds_opt gic_opts[1];
#endif
char *tofree = NULL, *outname;
int code;
char *what;
int i, dosetpag, evil, noprdb, id;
#ifdef AFS_RXK5
int authtype;
#endif
krb5_data enc_part[1];
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
struct kp_arg klog_arg[1];
char passwd[BUFSIZ];
struct afsconf_cell cellconfig[1];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int writeTicketFile = 0; /* write ticket file to /tmp */
service = 0;
memset(incred, 0, sizeof *incred);
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
memset(klog_arg, 0, sizeof *klog_arg);
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
if (Silent) {
afs_set_com_err_hook(silent_errors);
}
if ((code = krb5_init_context(&k5context))) {
afs_com_err(rn, code, "while initializing Kerberos 5 library");
KLOGEXIT(code);
}
if ((code = rx_Init(0))) {
afs_com_err(rn, code, "while initializing rx");
KLOGEXIT(code);
}
initialize_U_error_table();
/*initialize_krb5_error_table();*/
initialize_RXK_error_table();
initialize_KTC_error_table();
initialize_ACFG_error_table();
/* initialize_rx_error_table(); */
if (!(tdir = afsconf_Open(AFSDIR_CLIENT_ETC_DIRPATH))) {
afs_com_err(rn, 0, "can't get afs configuration (afsconf_Open(%s))",
AFSDIR_CLIENT_ETC_DIRPATH);
KLOGEXIT(1);
}
/*
* Enable DES enctypes, which are currently still required for AFS.
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
if (i)
krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
krb5_allow_weak_crypto(k5context, 1);
#endif
/* Parse remaining arguments. */
dosetpag = !! as->parms[aSETPAG].items;
Pipe = !! as->parms[aPIPE].items;
writeTicketFile = !! as->parms[aTMP].items;
noprdb = !! as->parms[aNOPRDB].items;
evil = (always_evil&1) || !! as->parms[aUNWRAP].items;
#ifdef AFS_RXK5
authtype = 0;
if (as->parms[aK5].items)
authtype |= FORCE_RXK5;
if (as->parms[aK4].items)
authtype |= FORCE_RXKAD;
if (!authtype)
authtype |= env_afs_rxk5_default();
#endif
cell = as->parms[aCELL].items ? as->parms[aCELL].items->data : 0;
if ((code = afsconf_GetCellInfo(tdir, cell, "afsprot", cellconfig))) {
if (cell)
afs_com_err(rn, code, "Can't get cell information for '%s'", cell);
else
afs_com_err(rn, code, "Can't get determine local cell!");
KLOGEXIT(code);
}
if (as->parms[aKRBREALM].items) {
code = krb5_set_default_realm(k5context,
as->parms[aKRBREALM].items->data);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
as->parms[aKRBREALM].items->data);
KLOGEXIT(code);
}
}
else if ((code = krb5_get_host_realm(k5context, cellconfig->hostName[0], &hrealms))) {
afs_com_err(rn, code, "Can't get realm for host <%s> in cell <%s>\n",
cellconfig->hostName[0], cellconfig->name);
KLOGEXIT(code);
} else {
if (hrealms && *hrealms) {
code = krb5_set_default_realm(k5context,
*hrealms);
if (code) {
afs_com_err(rn, code, "Can't make <%s> the default realm",
*hrealms);
KLOGEXIT(code);
}
}
if (hrealms) krb5_free_host_realm(k5context, hrealms);
}
id = getuid();
if (as->parms[aPRINCIPAL].items) {
pname = as->parms[aPRINCIPAL].items->data;
} else {
/* No explicit name provided: use Unix uid. */
struct passwd *pw;
pw = getpwuid(id);
if (pw == 0) {
afs_com_err(rn, 0,
"Can't figure out your name from your user id (%d).", id);
if (!Silent)
fprintf(stderr, "%s: Try providing the user name.\n", rn);
KLOGEXIT(1);
}
pname = pw->pw_name;
}
code = krb5_parse_name(k5context, pname, &princ);
if (code) {
afs_com_err(rn, code, "Can't parse principal <%s>", pname);
KLOGEXIT(code);
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
pass = passwd;
}
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
strncpy(passwd, getpipepass(), sizeof(passwd));
pass = passwd;
} else {
pf = klog_prompter;
pa = klog_arg;
}
}
service = 0;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
tofree = get_afs_krb5_svc_princ(cellconfig);
snprintf(service_temp, sizeof service_temp, "%s", tofree);
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
klog_arg->allocated = sizeof(passwd);
/* XXX should allow k5 to prompt in most cases -- what about expired pw?*/
#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_ALLOC
code = krb5_get_init_creds_opt_alloc(k5context, &gic_opts);
if (code) {
afs_com_err(rn, code, "Can't allocate get_init_creds options");
KLOGEXIT(code);
}
#else
krb5_get_init_creds_opt_init(gic_opts);
#endif
for (;;) {
code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
0, /* in_tkt_service */
gic_opts);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
break;
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
if (r)
afs_com_err(rn, code, "Unable to authenticate in realm %s", r);
else
afs_com_err(rn, code, "Unable to authenticate to use cell %s",
cellconfig->name);
if (r) free(r);
KLOGEXIT(code);
}
for (;;writeTicketFile = 0) {
if (writeTicketFile) {
what = "getting default ccache";
code = krb5_cc_default(k5context, &cc);
} else {
what = "krb5_cc_resolve";
code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
if (code) goto Failed;
}
what = "initializing ccache";
code = krb5_cc_initialize(k5context, cc, princ);
if (code) goto Failed;
what = "writing Kerberos ticket file";
code = krb5_cc_store_cred(k5context, cc, incred);
if (code) goto Failed;
if (writeTicketFile)
fprintf(stderr,
"Wrote ticket file to %s\n",
krb5_cc_get_name(k5context, cc));
break;
Failed:
if (code)
afs_com_err(rn, code, "%s", what);
if (writeTicketFile) {
if (cc) {
krb5_cc_close(k5context, cc);
cc = 0;
}
continue;
}
KLOGEXIT(code);
}
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
KLOGEXIT(code);
}
if (tofree) { free(tofree); tofree = 0; }
if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
tofree = outname;
else outname = service;
code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
krb5_free_principal(k5context, mcred->server);
if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5)
break;
#endif
}
afscred = outcred;
if (code) {
afs_com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
#ifdef AFS_RXK5
if (authtype & FORCE_RXK5) {
struct ktc_principal aserver[1];
int viceid = 555;
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
code = ktc_SetK5Token(k5context, aserver, afscred, viceid, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
} else
#endif
{
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
memset(atoken, 0, sizeof *atoken);
if (evil) {
size_t elen = enc_part->length;
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY;
if (afs_krb5_skip_ticket_wrapper(afscred->ticket.data,
afscred->ticket.length, (char **) &enc_part->data,
&elen)) {
afs_com_err(rn, 0, "Can't unwrap %s AFS credential",
cellconfig->name);
KLOGEXIT(1);
}
} else {
atoken->kvno = RXKAD_TKT_TYPE_KERBEROS_V5;
*enc_part = afscred->ticket;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
if (tkt_DeriveDesKey(get_creds_enctype(afscred),
get_cred_keydata(afscred),
get_cred_keylen(afscred), &atoken->sessionKey)) {
afs_com_err(rn, 0,
"Cannot derive DES key from enctype %i of length %u",
get_creds_enctype(afscred),
(unsigned)get_cred_keylen(afscred));
KLOGEXIT(1);
}
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
strncpy(aserver->name, "afs", 4);
strncpy(aserver->cell, cellconfig->name, MAXKTCREALMLEN-1);
memset(aclient, 0, sizeof *aclient);
i = realm_len(k5context, afscred->client);
if (i > MAXKTCREALMLEN-1) i = MAXKTCREALMLEN-1;
memcpy(aclient->cell, realm_data(k5context, afscred->client), i);
if (!noprdb) {
int viceid = 0;
k5_to_k4_name(k5context, afscred->client, aclient);
code = whoami(atoken, cellconfig, aclient, &viceid);
if (code) {
afs_com_err(rn, code, "Can't get your viceid for cell %s", cellconfig->name);
*aclient->name = 0;
} else
snprintf(aclient->name, MAXKTCNAMELEN-1, "AFS ID %d", viceid);
}
if (!*aclient->name)
k5_to_k4_name(k5context, afscred->client, aclient);
code = ktc_SetToken(aserver, atoken, aclient, dosetpag);
if (code) {
afs_com_err(rn, code, "Unable to store tokens for cell %s\n",
cellconfig->name);
KLOGEXIT(1);
}
}
krb5_free_principal(k5context, princ);
krb5_free_cred_contents(k5context, incred);
if (outcred) krb5_free_creds(k5context, outcred);
if (cc)
krb5_cc_close(k5context, cc);
if (tofree) free(tofree);
return 0;
}
