KRB5_LIB_FUNCTION void KRB5_LIB_CALL
krb5_get_init_creds_opt_set_default_flags(krb5_context context,
const char *appname,
krb5_const_realm realm,
krb5_get_init_creds_opt *opt)
{
krb5_boolean b;
time_t t;
b = get_config_bool (context, KRB5_FORWARDABLE_DEFAULT,
realm, "forwardable");
krb5_appdefault_boolean(context, appname, realm, "forwardable", b, &b);
krb5_get_init_creds_opt_set_forwardable(opt, b);
b = get_config_bool (context, FALSE, realm, "proxiable");
krb5_appdefault_boolean(context, appname, realm, "proxiable", b, &b);
krb5_get_init_creds_opt_set_proxiable (opt, b);
krb5_appdefault_time(context, appname, realm, "ticket_lifetime", 0, &t);
if (t == 0)
t = get_config_time (context, realm, "ticket_lifetime", 0);
if(t != 0)
krb5_get_init_creds_opt_set_tkt_life(opt, t);
krb5_appdefault_time(context, appname, realm, "renew_lifetime", 0, &t);
if (t == 0)
t = get_config_time (context, realm, "renew_lifetime", 0);
if(t != 0)
krb5_get_init_creds_opt_set_renew_life(opt, t);
krb5_appdefault_boolean(context, appname, realm, "no-addresses",
KRB5_ADDRESSLESS_DEFAULT, &b);
krb5_get_init_creds_opt_set_addressless (context, opt, b);
#if 0
krb5_appdefault_boolean(context, appname, realm, "anonymous", FALSE, &b);
krb5_get_init_creds_opt_set_anonymous (opt, b);
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt *opt,
krb5_data *salt);
krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt *opt,
krb5_preauthtype *preauth_list,
int preauth_list_length);
#endif
}
/*
* Test whether anonymous authentication works. If this doesn't, we need to
* skip the tests of anonymous FAST.
*/
static bool
anon_fast_works(void)
{
krb5_context ctx;
krb5_error_code retval;
krb5_principal princ = NULL;
char *realm;
krb5_creds creds;
krb5_get_init_creds_opt *opts = NULL;
/* Construct the anonymous principal name. */
retval = krb5_init_context(&ctx);
if (retval != 0)
bail("cannot initialize Kerberos");
retval = krb5_get_default_realm(ctx, &realm);
if (retval != 0)
bail("cannot get default realm");
retval = krb5_build_principal_ext(ctx, &princ, strlen(realm), realm,
strlen(KRB5_WELLKNOWN_NAME), KRB5_WELLKNOWN_NAME,
strlen(KRB5_ANON_NAME), KRB5_ANON_NAME, NULL);
if (retval != 0)
bail("cannot construct anonymous principal");
krb5_free_default_realm(ctx, realm);
/* Obtain the credentials. */
memset(&creds, 0, sizeof(creds));
retval = krb5_get_init_creds_opt_alloc(ctx, &opts);
if (retval != 0)
bail("cannot create credential options");
krb5_get_init_creds_opt_set_anonymous(opts, 1);
krb5_get_init_creds_opt_set_tkt_life(opts, 60);
retval = krb5_get_init_creds_password(ctx, &creds, princ, NULL, NULL,
NULL, 0, NULL, opts);
/* Clean up. */
if (princ != NULL)
krb5_free_principal(ctx, princ);
if (opts != NULL)
krb5_get_init_creds_opt_free(ctx, opts);
krb5_free_cred_contents(ctx, &creds);
return (retval == 0);
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache = NULL;
krb5_init_creds_context ctx = NULL;
krb5_get_init_creds_opt *opt = NULL;
krb5_prompter_fct prompter = krb5_prompter_posix;
#ifndef NO_NTLM
struct ntlm_buf ntlmkey;
memset(&ntlmkey, 0, sizeof(ntlmkey));
#endif
passwd[0] = '\0';
if (!interactive)
prompter = NULL;
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL) {
krb5_warnx(context, "Failed to open the password file %s",
password_file);
return errno;
}
if (fgets(passwd, sizeof(passwd), f) == NULL) {
krb5_warnx(context, N_("Failed to read password from file %s", ""),
password_file);
fclose(f);
return EINVAL; /* XXX Need a better error */
}
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
#ifdef __APPLE__
if (passwd[0] == '\0') {
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
osret = SecKeychainFindGenericPassword(NULL, strlen(realm), realm,
strlen(name), name,
&length, &buffer, NULL);
free(name);
if (osret == noErr && length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
nopassword:
do { } while(0);
}
#endif
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc(context, &opt);
if (ret) {
krb5_warn(context, ret, "krb5_get_init_creds_opt_alloc");
goto out;
}
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if (forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable(opt, forwardable_flag);
if (proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable(opt, proxiable_flag);
if (anonymous_flag)
krb5_get_init_creds_opt_set_anonymous(opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0 |
anonymous_flag ? 4 : 0,
prompter,
NULL,
passwd);
if (ret) {
krb5_warn(context, ret, "krb5_get_init_creds_opt_set_pkinit");
goto out;
}
if (ent_user_id)
krb5_get_init_creds_opt_set_pkinit_user_certs(context, opt, ent_user_id);
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time(renewstr, "s");
if (renew < 0)
errx(1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life(opt, renew);
}
if (ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life(opt, ticket_life);
if (start_str) {
int tmp = parse_time(start_str, "s");
if (tmp < 0)
errx(1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if (etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if (enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if (ret)
errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
ret = krb5_init_creds_init(context, principal, prompter, NULL, start_time, opt, &ctx);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_init");
goto out;
}
if (server_str) {
ret = krb5_init_creds_set_service(context, ctx, server_str);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_set_service");
goto out;
}
}
if (fast_armor_cache_string) {
krb5_ccache fastid;
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
if (ret) {
krb5_warn(context, ret, "krb5_cc_resolve(FAST cache)");
goto out;
}
ret = krb5_init_creds_set_fast_ccache(context, ctx, fastid);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
goto out;
}
}
if (use_keytab || keytab_str) {
ret = krb5_init_creds_set_keytab(context, ctx, kt);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_set_keytab");
goto out;
}
} else if (pk_user_id || ent_user_id || anonymous_flag) {
} else if (!interactive && passwd[0] == '\0') {
static int already_warned = 0;
if (!already_warned)
krb5_warnx(context, "Not interactive, failed to get "
"initial ticket");
krb5_get_init_creds_opt_free(context, opt);
already_warned = 1;
return 0;
} else {
if (passwd[0] == '\0') {
char *p, *prompt;
int aret = 0;
ret = krb5_unparse_name(context, principal, &p);
if (ret)
errx(1, "failed to generate passwd prompt: not enough memory");
aret = asprintf(&prompt, N_("%s's Password: "******""), p);
free(p);
if (aret == -1)
errx(1, "failed to generate passwd prompt: not enough memory");
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
errx(1, "failed to read password");
}
free(prompt);
}
if (passwd[0]) {
ret = krb5_init_creds_set_password(context, ctx, passwd);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_set_password");
goto out;
}
}
}
ret = krb5_init_creds_get(context, ctx);
#ifndef NO_NTLM
if (ntlm_domain && passwd[0])
heim_ntlm_nt_key(passwd, &ntlmkey);
#endif
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
krb5_warnx(context, N_("Password incorrect", ""));
goto out;
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_warnx(context, N_("Looks like a Kerberos 4 reply", ""));
goto out;
case KRB5KDC_ERR_KEY_EXPIRED:
krb5_warnx(context, N_("Password expired", ""));
goto out;
default:
krb5_warn(context, ret, "krb5_get_init_creds");
goto out;
}
krb5_process_last_request(context, opt, ctx);
ret = krb5_init_creds_get_creds(context, ctx, &cred);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_get_creds");
goto out;
}
if (ticket_life != 0) {
if (abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
char life[64];
unparse_time_approx(cred.times.endtime - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
}
}
if (renew_life) {
if (abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
char life[64];
unparse_time_approx(cred.times.renew_till - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context,
N_("NOTICE: ticket renewable lifetime is %s", ""),
life);
}
}
krb5_free_cred_contents(context, &cred);
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret) {
krb5_warn(context, ret, "krb5_cc_new_unique");
goto out;
}
ret = krb5_init_creds_store(context, ctx, tempccache);
if (ret) {
krb5_warn(context, ret, "krb5_init_creds_store");
goto out;
}
krb5_init_creds_free(context, ctx);
ctx = NULL;
ret = krb5_cc_move(context, tempccache, ccache);
if (ret) {
krb5_warn(context, ret, "krb5_cc_move");
goto out;
}
tempccache = NULL;
if (switch_cache_flags)
krb5_cc_switch(context, ccache);
#ifndef NO_NTLM
if (ntlm_domain && ntlmkey.data)
store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
#endif
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
out:
krb5_get_init_creds_opt_free(context, opt);
if (ctx)
krb5_init_creds_free(context, ctx);
if (tempccache)
krb5_cc_close(context, tempccache);
if (enctype)
free(enctype);
return ret;
}
/* Perform one iteration of attempting to get credentials. This includes
* searching existing ccache for requested service if INIT_CREDS. */
static kadm5_ret_t
gic_iter(kadm5_server_handle_t handle, enum init_type init_type,
krb5_ccache ccache, krb5_principal client, char *pass, char *svcname,
char *realm, krb5_principal *server_out)
{
kadm5_ret_t code;
krb5_context ctx;
krb5_keytab kt;
krb5_get_init_creds_opt *opt = NULL;
krb5_creds mcreds, outcreds;
*server_out = NULL;
ctx = handle->context;
kt = NULL;
memset(&opt, 0, sizeof(opt));
memset(&mcreds, 0, sizeof(mcreds));
memset(&outcreds, 0, sizeof(outcreds));
/* Credentials for kadmin don't need to be forwardable or proxiable. */
if (init_type != INIT_CREDS) {
code = krb5_get_init_creds_opt_alloc(ctx, &opt);
krb5_get_init_creds_opt_set_forwardable(opt, 0);
krb5_get_init_creds_opt_set_proxiable(opt, 0);
krb5_get_init_creds_opt_set_out_ccache(ctx, opt, ccache);
if (init_type == INIT_ANONYMOUS)
krb5_get_init_creds_opt_set_anonymous(opt, 1);
}
if (init_type == INIT_PASS || init_type == INIT_ANONYMOUS) {
code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
krb5_prompter_posix,
NULL, 0, svcname, opt);
if (code)
goto error;
} else if (init_type == INIT_SKEY) {
if (pass) {
code = krb5_kt_resolve(ctx, pass, &kt);
if (code)
goto error;
}
code = krb5_get_init_creds_keytab(ctx, &outcreds, client, kt,
0, svcname, opt);
if (pass)
krb5_kt_close(ctx, kt);
if (code)
goto error;
} else if (init_type == INIT_CREDS) {
mcreds.client = client;
code = krb5_parse_name_flags(ctx, svcname,
KRB5_PRINCIPAL_PARSE_IGNORE_REALM,
&mcreds.server);
if (code)
goto error;
code = krb5_set_principal_realm(ctx, mcreds.server, realm);
if (code)
goto error;
code = krb5_cc_retrieve_cred(ctx, ccache, 0,
&mcreds, &outcreds);
krb5_free_principal(ctx, mcreds.server);
if (code)
goto error;
} else {
code = EINVAL;
goto error;
}
/* Steal the server principal of the creds we acquired and return it to the
* caller, which needs to knows what service to authenticate to. */
*server_out = outcreds.server;
outcreds.server = NULL;
error:
krb5_free_cred_contents(ctx, &outcreds);
if (opt)
krb5_get_init_creds_opt_free(ctx, opt);
return code;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
const char *renewstr = NULL;
krb5_enctype *enctype = NULL;
krb5_ccache tempccache;
krb5_init_creds_context icc;
krb5_keytab kt = NULL;
int will_use_keytab = (use_keytab || keytab_str);
krb5_prompter_fct prompter = NULL;
int need_prompt;
passwd[0] = '\0';
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
password_file);
if (fgets(passwd, sizeof(passwd), f) == NULL)
krb5_errx(context, 1,
N_("Failed to read password from file %s", ""),
password_file);
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
#if defined(__APPLE__) && !defined(__APPLE_TARGET_EMBEDDED__)
if (passwd[0] == '\0' && !will_use_keytab && home_directory_flag) {
const char *realm;
OSStatus osret;
UInt32 length;
void *buffer;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret = krb5_unparse_name_flags(context, principal,
KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret)
goto nopassword;
osret = SecKeychainFindGenericPassword(NULL, (UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
&length, &buffer, &passwordItem);
free(name);
if (osret != noErr)
goto nopassword;
if (length < sizeof(passwd) - 1) {
memcpy(passwd, buffer, length);
passwd[length] = '\0';
}
SecKeychainItemFreeContent(NULL, buffer);
nopassword:
do { } while(0);
}
#endif
need_prompt = !(pk_user_id || ent_user_id || anonymous_flag || will_use_keytab || passwd[0] != '\0') && interactive;
if (need_prompt)
prompter = krb5_prompter_posix;
else
prompter = krb5_prompter_print_only;
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
if(proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
if(anonymous_flag)
krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_enterprise_flag || enterprise_flag || canonicalize_flag || windows_flag)
krb5_get_init_creds_opt_set_win2k(context, opt, TRUE);
if (pk_user_id || ent_user_id || anonymous_flag) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0 |
anonymous_flag ? 4 : 0,
interactive ? krb5_prompter_posix : krb5_prompter_print_only,
NULL,
passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
if (ent_user_id)
krb5_get_init_creds_opt_set_pkinit_user_cert(context, opt, ent_user_id);
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if(ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
if(start_str) {
int tmp = parse_time (start_str, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if(etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if(enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if(ret)
krb5_err(context, 1, ret, "unrecognized enctype: %s",
etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
ret = krb5_init_creds_init(context, principal,
prompter, NULL,
start_time, opt, &icc);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_init");
if (server_str) {
ret = krb5_init_creds_set_service(context, icc, server_str);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_service");
}
if (kdc_hostname)
krb5_init_creds_set_kdc_hostname(context, icc, kdc_hostname);
if (fast_armor_cache_string) {
krb5_ccache fastid;
ret = krb5_cc_resolve(context, fast_armor_cache_string, &fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_cc_resolve(FAST cache)");
ret = krb5_init_creds_set_fast_ccache(context, icc, fastid);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_fast_ccache");
}
if(will_use_keytab) {
if(keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err (context, 1, ret, "resolving keytab");
ret = krb5_init_creds_set_keytab(context, icc, kt);
if (ret)
krb5_err (context, 1, ret, "krb5_init_creds_set_keytab");
}
if (passwd[0] == '\0' && need_prompt) {
char *p, *prompt;
krb5_unparse_name(context, principal, &p);
asprintf (&prompt, N_("%s's Password: "******""), p);
free(p);
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
errx(1, "failed to read password");
}
free (prompt);
}
if (passwd[0]) {
ret = krb5_init_creds_set_password(context, icc, passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_set_password");
}
ret = krb5_init_creds_get(context, icc);
#ifdef __APPLE__
/*
* Save password in Keychain
*/
if (ret == 0 && keychain_flag && passwordItem == NULL) {
krb5_error_code ret2;
const char *realm;
char *name;
realm = krb5_principal_get_realm(context, principal);
ret2 = krb5_unparse_name_flags(context, principal, KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name);
if (ret2 == 0) {
(void)SecKeychainAddGenericPassword(NULL,
(UInt32)strlen(realm), realm,
(UInt32)strlen(name), name,
(UInt32)strlen(passwd), passwd,
NULL);
free(name);
}
}
#endif
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
case KRB5_GET_IN_TKT_LOOP:
#ifdef __APPLE__
if (passwordItem)
SecKeychainItemDelete(passwordItem);
#endif
krb5_errx(context, 1, N_("Password incorrect", ""));
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
case KRB5KDC_ERR_KEY_EXPIRED:
krb5_errx(context, 1, N_("Password expired", ""));
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
ret = krb5_init_creds_get_creds(context, icc, &cred);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_get_creds");
krb5_process_last_request(context, opt, icc);
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_new_unique");
ret = krb5_init_creds_store(context, icc, tempccache);
if (ret)
krb5_err(context, 1, ret, "krb5_init_creds_store");
ret = krb5_init_creds_store_config(context, icc, tempccache);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_store_config");
ret = krb5_init_creds_warn_user(context, icc);
if (ret)
krb5_warn(context, ret, "krb5_init_creds_warn_user");
#ifdef __APPLE__
/*
* Set for this case, default to * so that all processes can use
* this cache.
*/
{
heim_array_t bundleacl = heim_array_create();
heim_string_t ace;
if (bundle_acl_strings.num_strings > 0) {
int i;
for (i = 0; i < bundle_acl_strings.num_strings; i++) {
ace = heim_string_create(bundle_acl_strings.strings[i]);
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
} else {
ace = heim_string_create("*");
heim_array_append_value(bundleacl, ace);
heim_release(ace);
}
krb5_cc_set_acl(context, tempccache, "kHEIMAttrBundleIdentifierACL", bundleacl);
heim_release(bundleacl);
}
#endif
ret = krb5_cc_move(context, tempccache, ccache);
if (ret) {
(void)krb5_cc_destroy(context, tempccache);
krb5_err (context, 1, ret, "krb5_cc_move");
}
if (switch_cache_flags)
krb5_cc_switch(context, ccache);
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
if (enctype)
free(enctype);
krb5_init_creds_free(context, icc);
krb5_get_init_creds_opt_free(context, opt);
if (kt)
krb5_kt_close(context, kt);
#ifdef __APPLE__
if (passwordItem)
CFRelease(passwordItem);
#endif
return 0;
}
static krb5_error_code
get_new_tickets(krb5_context context,
krb5_principal principal,
krb5_ccache ccache,
krb5_deltat ticket_life,
int interactive)
{
krb5_error_code ret;
krb5_get_init_creds_opt *opt;
krb5_creds cred;
char passwd[256];
krb5_deltat start_time = 0;
krb5_deltat renew = 0;
char *renewstr = NULL;
krb5_enctype *enctype = NULL;
struct ntlm_buf ntlmkey;
krb5_ccache tempccache;
memset(&ntlmkey, 0, sizeof(ntlmkey));
passwd[0] = '\0';
if (password_file) {
FILE *f;
if (strcasecmp("STDIN", password_file) == 0)
f = stdin;
else
f = fopen(password_file, "r");
if (f == NULL)
krb5_errx(context, 1, "Failed to open the password file %s",
password_file);
if (fgets(passwd, sizeof(passwd), f) == NULL)
krb5_errx(context, 1,
N_("Failed to read password from file %s", ""),
password_file);
if (f != stdin)
fclose(f);
passwd[strcspn(passwd, "\n")] = '\0';
}
memset(&cred, 0, sizeof(cred));
ret = krb5_get_init_creds_opt_alloc (context, &opt);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
krb5_get_init_creds_opt_set_default_flags(context, "kinit",
krb5_principal_get_realm(context, principal), opt);
if(forwardable_flag != -1)
krb5_get_init_creds_opt_set_forwardable (opt, forwardable_flag);
if(proxiable_flag != -1)
krb5_get_init_creds_opt_set_proxiable (opt, proxiable_flag);
if(anonymous_flag != -1)
krb5_get_init_creds_opt_set_anonymous (opt, anonymous_flag);
if (pac_flag != -1)
krb5_get_init_creds_opt_set_pac_request(context, opt,
pac_flag ? TRUE : FALSE);
if (canonicalize_flag)
krb5_get_init_creds_opt_set_canonicalize(context, opt, TRUE);
if (pk_user_id) {
ret = krb5_get_init_creds_opt_set_pkinit(context, opt,
principal,
pk_user_id,
pk_x509_anchors,
NULL,
NULL,
pk_use_enckey ? 2 : 0,
krb5_prompter_posix,
NULL,
passwd);
if (ret)
krb5_err(context, 1, ret, "krb5_get_init_creds_opt_set_pkinit");
}
if (addrs_flag != -1)
krb5_get_init_creds_opt_set_addressless(context, opt,
addrs_flag ? FALSE : TRUE);
if (renew_life == NULL && renewable_flag)
renewstr = "1 month";
if (renew_life)
renewstr = renew_life;
if (renewstr) {
renew = parse_time (renewstr, "s");
if (renew < 0)
errx (1, "unparsable time: %s", renewstr);
krb5_get_init_creds_opt_set_renew_life (opt, renew);
}
if(ticket_life != 0)
krb5_get_init_creds_opt_set_tkt_life (opt, ticket_life);
if(start_str) {
int tmp = parse_time (start_str, "s");
if (tmp < 0)
errx (1, N_("unparsable time: %s", ""), start_str);
start_time = tmp;
}
if(etype_str.num_strings) {
int i;
enctype = malloc(etype_str.num_strings * sizeof(*enctype));
if(enctype == NULL)
errx(1, "out of memory");
for(i = 0; i < etype_str.num_strings; i++) {
ret = krb5_string_to_enctype(context,
etype_str.strings[i],
&enctype[i]);
if(ret)
errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
}
krb5_get_init_creds_opt_set_etype_list(opt, enctype,
etype_str.num_strings);
}
if(use_keytab || keytab_str) {
krb5_keytab kt;
if(keytab_str)
ret = krb5_kt_resolve(context, keytab_str, &kt);
else
ret = krb5_kt_default(context, &kt);
if (ret)
krb5_err (context, 1, ret, "resolving keytab");
ret = krb5_get_init_creds_keytab (context,
&cred,
principal,
kt,
start_time,
server_str,
opt);
krb5_kt_close(context, kt);
} else if (pk_user_id) {
ret = krb5_get_init_creds_password (context,
&cred,
principal,
passwd,
krb5_prompter_posix,
NULL,
start_time,
server_str,
opt);
} else if (!interactive) {
krb5_warnx(context, "Not interactive, failed to get initial ticket");
krb5_get_init_creds_opt_free(context, opt);
return 0;
} else {
if (passwd[0] == '\0') {
char *p, *prompt;
krb5_unparse_name (context, principal, &p);
asprintf (&prompt, N_("%s's Password: "******""), p);
free (p);
if (UI_UTIL_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
memset(passwd, 0, sizeof(passwd));
exit(1);
}
free (prompt);
}
ret = krb5_get_init_creds_password (context,
&cred,
principal,
passwd,
krb5_prompter_posix,
NULL,
start_time,
server_str,
opt);
}
krb5_get_init_creds_opt_free(context, opt);
if (ntlm_domain && passwd[0])
heim_ntlm_nt_key(passwd, &ntlmkey);
memset(passwd, 0, sizeof(passwd));
switch(ret){
case 0:
break;
case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
exit(1);
case KRB5KRB_AP_ERR_BAD_INTEGRITY:
case KRB5KRB_AP_ERR_MODIFIED:
case KRB5KDC_ERR_PREAUTH_FAILED:
krb5_errx(context, 1, N_("Password incorrect", ""));
break;
case KRB5KRB_AP_ERR_V4_REPLY:
krb5_errx(context, 1, N_("Looks like a Kerberos 4 reply", ""));
break;
default:
krb5_err(context, 1, ret, "krb5_get_init_creds");
}
if(ticket_life != 0) {
if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
char life[64];
unparse_time_approx(cred.times.endtime - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context, N_("NOTICE: ticket lifetime is %s", ""), life);
}
}
if(renew_life) {
if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
char life[64];
unparse_time_approx(cred.times.renew_till - cred.times.starttime,
life, sizeof(life));
krb5_warnx(context,
N_("NOTICE: ticket renewable lifetime is %s", ""),
life);
}
}
ret = krb5_cc_new_unique(context, krb5_cc_get_type(context, ccache),
NULL, &tempccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_new_unique");
ret = krb5_cc_initialize (context, tempccache, cred.client);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_initialize");
ret = krb5_cc_store_cred (context, tempccache, &cred);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_store_cred");
krb5_free_cred_contents (context, &cred);
ret = krb5_cc_move(context, tempccache, ccache);
if (ret)
krb5_err (context, 1, ret, "krb5_cc_move");
if (ntlm_domain && ntlmkey.data)
store_ntlmkey(context, ccache, ntlm_domain, &ntlmkey);
if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
unsigned char d = 0;
krb5_data data;
if (ok_as_delegate_flag || windows_flag)
d |= 1;
if (use_referrals_flag || windows_flag)
d |= 2;
data.length = 1;
data.data = &d;
krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
}
if (enctype)
free(enctype);
return 0;
}
