Пример #1
0
/*
 * Check if a ccache has any tickets.
 */
static krb5_error_code
cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets)
{
    krb5_error_code code;
    krb5_cc_cursor cursor;
    krb5_creds creds;
    krb5_timestamp now = time(0);

    *has_tickets = 0;

    code = krb5_cc_set_flags(kcontext, ccache, KRB5_TC_NOTICKET);
    if (code)
        return code;

    code = krb5_cc_start_seq_get(kcontext, ccache, &cursor);
    if (code)
        return code;

    while (!*has_tickets) {
        code = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds);
        if (code)
            break;

        if (!krb5_is_config_principal(kcontext, creds.server) &&
            creds.times.endtime > now)
            *has_tickets = 1;

        krb5_free_cred_contents(kcontext, &creds);
    }
    krb5_cc_end_seq_get(kcontext, ccache, &cursor);

    return 0;
}
Пример #2
0
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context)
{
    krb5_cccol_cursor col_cursor;
    krb5_cc_cursor cache_cursor;
    krb5_ccache cache;
    krb5_creds creds;
    krb5_boolean found = FALSE;

    if (krb5_cccol_cursor_new(context, &col_cursor))
        goto no_entries;

    while (!found && !krb5_cccol_cursor_next(context, col_cursor, &cache) &&
            cache != NULL) {
        if (krb5_cc_start_seq_get(context, cache, &cache_cursor))
            continue;
        while (!found &&
                !krb5_cc_next_cred(context, cache, &cache_cursor, &creds)) {
            if (!krb5_is_config_principal(context, creds.server))
                found = TRUE;
            krb5_free_cred_contents(context, &creds);
        }
        krb5_cc_end_seq_get(context, cache, &cache_cursor);
        krb5_cc_close(context, cache);
    }
    krb5_cccol_cursor_free(context, &col_cursor);
    if (found)
        return 0;

no_entries:
    krb5_set_error_message(context, KRB5_CC_NOTFOUND,
                           _("No Kerberos credentials available"));
    return KRB5_CC_NOTFOUND;
}
Пример #3
0
/* Display the contents of cache. */
static int
show_ccache(krb5_ccache cache)
{
    krb5_cc_cursor cur;
    krb5_creds creds;
    krb5_principal princ;
    krb5_error_code ret;

    ret = krb5_cc_get_principal(context, cache, &princ);
    if (ret) {
        com_err(progname, ret, "");
        return 1;
    }
    ret = krb5_unparse_name(context, princ, &defname);
    if (ret) {
        com_err(progname, ret, _("while unparsing principal name"));
        return 1;
    }

    printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"),
           krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache),
           defname);
    /* XXX Translating would disturb table alignment; skip for now. */
    fputs("Valid starting", stdout);
    fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' ');
    fputs("Expires", stdout);
    fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' ');
    fputs("Service principal\n", stdout);

    ret = krb5_cc_start_seq_get(context, cache, &cur);
    if (ret) {
        com_err(progname, ret, _("while starting to retrieve tickets"));
        return 1;
    }
    while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
        if (show_config || !krb5_is_config_principal(context, creds.server))
            show_credential(&creds);
        krb5_free_cred_contents(context, &creds);
    }
    krb5_free_principal(context, princ);
    krb5_free_unparsed_name(context, defname);
    defname = NULL;
    if (ret == KRB5_CC_END) {
        ret = krb5_cc_end_seq_get(context, cache, &cur);
        if (ret) {
            com_err(progname, ret, _("while finishing ticket retrieval"));
            return 1;
        }
        return 0;
    } else {
        com_err(progname, ret, _("while retrieving a ticket"));
        return 1;
    }
}
 bool next() {
   bool valid = next_any();
   if (include_config_entries_) {
     return valid;
   }
   krb5_context ctx = context_.get();
   while (valid &&
          krb5_is_config_principal(ctx, creds_.server)) {
     valid = next_any();
   }
   return valid;
 }
Пример #5
0
static void
check_ticket_count(gss_cred_id_t cred, int expected)
{
    krb5_error_code ret;
    krb5_context context = NULL;
    krb5_creds kcred;
    krb5_cc_cursor cur;
    krb5_ccache ccache;
    int count = 0;
    gss_key_value_set_desc store;
    gss_key_value_element_desc elem;
    OM_uint32 major, minor;
    const char *ccname = "MEMORY:count";

    store.count = 1;
    store.elements = &elem;
    elem.key = "ccache";
    elem.value = ccname;
    major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0,
                                &store, NULL, NULL);
    check_gsserr("gss_store_cred_into", major, minor);

    ret = krb5_init_context(&context);
    check_k5err(context, "krb5_init_context", ret);

    ret = krb5_cc_resolve(context, ccname, &ccache);
    check_k5err(context, "krb5_cc_resolve", ret);

    ret = krb5_cc_start_seq_get(context, ccache, &cur);
    check_k5err(context, "krb5_cc_start_seq_get", ret);

    while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) {
        if (!krb5_is_config_principal(context, kcred.server))
            count++;
        krb5_free_cred_contents(context, &kcred);
    }

    ret = krb5_cc_end_seq_get(context, ccache, &cur);
    check_k5err(context, "krb5_cc_end_seq_get", ret);

    if (expected != count) {
        printf("Expected %d tickets but got %d\n", expected, count);
        exit(1);
    }

    krb5_cc_destroy(context, ccache);
    krb5_free_context(context);
}
Пример #6
0
/*
 * The default unset code path depends on the underlying ccache implementation
 * knowing how to remove a credential, which most types don't actually support,
 * so we have to jump through some hoops to ensure that when we set a value for
 * a key, it'll be the only value for that key that'll be found later.  The
 * ccache portions of libkrb5 will currently duplicate some of the actual
 * tickets.
 */
static void
unset_config(krb5_context context, krb5_ccache ccache,
             krb5_principal server, const char *key)
{
    krb5_ccache tmp1, tmp2;
    krb5_cc_cursor cursor;
    krb5_creds mcreds, creds;

    memset(&mcreds, 0, sizeof(mcreds));
    memset(&creds, 0, sizeof(creds));
    bail_on_err(context, "Error while deriving configuration principal names",
                k5_build_conf_principals(context, ccache, server, key,
                                         &mcreds));
    bail_on_err(context, "Error resolving first in-memory ccache",
                krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1));
    bail_on_err(context, "Error initializing first in-memory ccache",
                krb5_cc_initialize(context, tmp1, mcreds.client));
    bail_on_err(context, "Error resolving second in-memory ccache",
                krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2));
    bail_on_err(context, "Error initializing second in-memory ccache",
                krb5_cc_initialize(context, tmp2, mcreds.client));
    bail_on_err(context, "Error copying credentials to first in-memory ccache",
                krb5_cc_copy_creds(context, ccache, tmp1));
    bail_on_err(context, "Error starting traversal of first in-memory ccache",
                krb5_cc_start_seq_get(context, tmp1, &cursor));
    while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) {
        if (!krb5_is_config_principal(context, creds.server) ||
            !krb5_principal_compare(context, mcreds.server, creds.server) ||
            !krb5_principal_compare(context, mcreds.client, creds.client)) {
            bail_on_err(context,
                        "Error storing non-config item to in-memory ccache",
                        krb5_cc_store_cred(context, tmp2, &creds));
        }
    }
    bail_on_err(context, "Error ending traversal of first in-memory ccache",
                krb5_cc_end_seq_get(context, tmp1, &cursor));
    bail_on_err(context, "Error clearing ccache",
                krb5_cc_initialize(context, ccache, mcreds.client));
    bail_on_err(context, "Error storing creds to the ccache",
                krb5_cc_copy_creds(context, tmp2, ccache));
    bail_on_err(context, "Error cleaning up first in-memory ccache",
                krb5_cc_destroy(context, tmp1));
    bail_on_err(context, "Error cleaning up second in-memory ccache",
                krb5_cc_destroy(context, tmp2));
}
Пример #7
0
/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */
static int
check_ccache(krb5_ccache cache)
{
    krb5_error_code ret;
    krb5_cc_cursor cur;
    krb5_creds creds;
    krb5_principal princ;
    krb5_boolean found_tgt, found_current_tgt, found_current_cred;

    if (krb5_cc_get_principal(context, cache, &princ) != 0)
        return 1;
    if (krb5_cc_start_seq_get(context, cache, &cur) != 0)
        return 1;
    found_tgt = found_current_tgt = found_current_cred = FALSE;
    while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) {
        if (is_local_tgt(creds.server, &princ->realm)) {
            found_tgt = TRUE;
            if (ts_after(creds.times.endtime, now))
                found_current_tgt = TRUE;
        } else if (!krb5_is_config_principal(context, creds.server) &&
                   ts_after(creds.times.endtime, now)) {
            found_current_cred = TRUE;
        }
        krb5_free_cred_contents(context, &creds);
    }
    krb5_free_principal(context, princ);
    if (ret != KRB5_CC_END)
        return 1;
    if (krb5_cc_end_seq_get(context, cache, &cur) != 0)
        return 1;

    /* If the cache contains at least one local TGT, require that it be
     * current.  Otherwise accept any current cred. */
    if (found_tgt)
        return found_current_tgt ? 0 : 1;
    return found_current_cred ? 0 : 1;
}
Пример #8
0
static int
kinit_check_tgt(kinit_data *kid, int *remaining)
{
	int ret=3;
	krb5_principal princ;
	krb5_error_code rc;
	krb5_cc_cursor cursor;
	krb5_creds creds;
	char *name;
	time_t now=time(NULL);

	rc = krb5_cc_get_principal(kid->ctx, kid->ccache, &princ);
	if (rc) {
		log_krb5_errmsg(kid->ctx, "krb5_cc_get_principal", rc);
		return 2;
	} else {
		if (!krb5_principal_compare(kid->ctx, kid->princ, princ)) {
			Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR,
					"Principal in ccache does not match requested principal\n");
			krb5_free_principal(kid->ctx, princ);
			return 2;
		}
	}

	rc = krb5_cc_start_seq_get(kid->ctx, kid->ccache, &cursor);
	if (rc) {
		log_krb5_errmsg(kid->ctx, "krb5_cc_start_seq_get", rc);
		krb5_free_principal(kid->ctx, princ);
		return -1;
	}

	while (!(rc = krb5_cc_next_cred(kid->ctx, kid->ccache, &cursor, &creds))) {
		if (krb5_is_config_principal(kid->ctx, creds.server)) {
			krb5_free_cred_contents(kid->ctx, &creds);
			continue;
		}

		if (creds.server->length==2 &&
				(!strcmp(creds.server->data[0].data, "krbtgt")) &&
				(!strcmp(creds.server->data[1].data, princ->realm.data))) {

			krb5_unparse_name(kid->ctx, creds.server, &name);

			*remaining = (time_t)creds.times.endtime-now;
			if ( *remaining <= 0) {
				Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
						"kinit_qtask: TGT (%s) expired\n", name);
			} else {
				Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
						"kinit_qtask: TGT (%s) expires in %dh:%02dm:%02ds\n",
						name, *remaining/3600, (*remaining%3600)/60, *remaining%60);
			}
			free(name);

			if (*remaining <= 30) {
				if (creds.times.renew_till-60 > now) {
					int renewal=creds.times.renew_till-now;
					Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
							"kinit_qtask: Time remaining for renewal: %dh:%02dm:%02ds\n",
							renewal/3600, (renewal%3600)/60,  renewal%60);
					ret = 1;
				} else {
					Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG,
							"kinit_qtask: Only short time left for renewal. "
							"Trying to re-init.\n");
					ret = 2;
				}
			} else {
				ret=0;
			}
			krb5_free_cred_contents(kid->ctx, &creds);
			break;
		}
		krb5_free_cred_contents(kid->ctx, &creds);

	}
	krb5_cc_end_seq_get(kid->ctx, kid->ccache, &cursor);
	krb5_free_principal(kid->ctx, princ);
	return ret;
}
Пример #9
0
int print_ccache (kim_ccache in_ccache, int *out_found_valid_tgt)
{
    kim_error err = 0;
    kim_credential_iterator iterator = NULL;
    kim_identity ccache_identity = NULL;
    kim_string type = NULL;
    kim_string name = NULL;
    kim_string ccache_identity_string = NULL;
    int found_tickets = 0;

    *out_found_valid_tgt = 0;
    
    if (!err) {
        err = kim_ccache_get_type (in_ccache, &type);
        printiferr (err, "while getting the ccache type");
    }
    
    if (!err) {
        err = kim_ccache_get_name (in_ccache, &name);
        printiferr (err, "while getting the ccache name");
    }
    
    if (!err) {
        err = kim_ccache_get_client_identity (in_ccache, &ccache_identity);
        printiferr (err, "while getting the ccache principal");
   }
    
    if (!err) {
        err = kim_identity_get_display_string (ccache_identity, 
                                               &ccache_identity_string);
        printiferr (err, "while unparsing the ccache principal name");
    }
    
    if (!err) {
        printmsg ("Kerberos 5 ticket cache: '%s:%s'\nDefault principal: %s\n\n",
                  type, name, ccache_identity_string);
        printmsg ("Valid Starting");
        printfiller (' ', get_timestamp_width () - sizeof ("Valid Starting") + 3);
        printmsg ("Expires");
        printfiller (' ', get_timestamp_width () - sizeof ("Expires") + 3);
        printmsg ("Service Principal\n");
        
        err = kim_credential_iterator_create (&iterator, in_ccache);
    }
    
    while (!err) {
        kim_credential credential = NULL;
        kim_identity client = NULL;
        kim_identity service = NULL;
        kim_string client_string = NULL;
        kim_string service_string = NULL;
        krb5_creds *creds = NULL;
        int extra_field = 0;
        
        err = kim_credential_iterator_next (iterator, &credential);
        if (!err && !credential) { break; }
        
        if (!err) {
            err = kim_credential_get_client_identity (credential, &client);
            printiferr (err, "while getting the client principal");
        }

        if (!err) {
            err = kim_identity_get_display_string (client, &client_string);
            printiferr (err, "while unparsing the client principal name");
        }
        
        if (!err) {
            err = kim_credential_get_service_identity (credential, &service);
            printiferr (err, "while getting the service principal");
        }
        
        if (!err) {
            err = kim_identity_get_display_string (service, &service_string);
            printiferr (err, "while unparsing the service principal name");
        }
        
        if (!err) {
            err = kim_credential_get_krb5_creds (credential, kcontext, &creds);
            printiferr (err, "while getting krb5 creds");
        }
                
	if (!err && krb5_is_config_principal(kcontext, creds->server))
	    goto next;

        if (!err) {
            found_tickets = 1;
            
            printtime (creds->times.starttime ? creds->times.starttime : creds->times.authtime);
            printmsg ("  ");
            printtime (creds->times.endtime);
            printmsg ("  ");
            printmsg ("%s\n", service_string);
            
            if (strcmp (ccache_identity_string, client_string)) {
                if (!extra_field) {
                    printmsg ("\t");
                }
                printmsg ("for client %s", client_string);
                extra_field++;
            }
            
            if (creds->ticket_flags & TKT_FLG_RENEWABLE) {
                printmsg (extra_field ? ", " : "\t");
                printmsg ("renew until ");
                printtime (creds->times.renew_till);
                extra_field += 2;
            }
            
            if (extra_field > 2) {
                printmsg ("\n");
                extra_field = 0;
            }
            
            if (show_flags) {
                printmsg (extra_field ? ", " : "\t");
                printflags (creds->ticket_flags);
                extra_field++;
            }
            
            if (extra_field > 2) {
                printmsg ("\n");
                extra_field = 0;
            }
            
            if (show_enctypes) {
                krb5_ticket *ticket_rep;
                
                if (krb5_decode_ticket (&creds->ticket, &ticket_rep) == 0) {
                    if (!extra_field) {
                        printmsg ("\t");
                    } else {
                        printmsg (", ");
                    }
                    printmsg ("Etype (skey, tkt): %s, ", 
                              enctype_to_string (creds->keyblock.enctype));
                    printmsg ("%s ", 
                              enctype_to_string (ticket_rep->enc_part.enctype));
                    extra_field++;
                    
                    krb5_free_ticket (kcontext, ticket_rep);
                }
            }
            
            if (extra_field) {
                printmsg ("\n");
            }
            
            if (show_address_list) {
                printmsg ("\tAddresses: ");
                if (!creds->addresses || !creds->addresses[0]) {
                    printmsg ("(none)\n");
                } else {
                    int i;
                    
                    for (i = 0; creds->addresses[i]; i++) {
                        if (i > 0) {
                            printmsg (", ");
                        }
                        printaddress (*creds->addresses[i]);
                    }
                    printmsg ("\n");
                }
            }
            if (extra_field) {
                printmsg ("\n");
            }
            
        }
        
        if (!err) {
            kim_boolean is_tgt = 0;
            kim_credential_state state;
            
            err = kim_credential_is_tgt (credential, &is_tgt);
            printiferr (err, "while checking if creds are valid");
           
            if (!err) {
                err = kim_credential_get_state (credential, &state);
            }
            
            if (!err && is_tgt && state == kim_credentials_state_valid) { 
                *out_found_valid_tgt = 1;
            }
        }
        
    next:
        if (creds) { krb5_free_creds (kcontext, creds); }
        kim_string_free (&client_string);
        kim_string_free (&service_string);
        kim_identity_free (&client);
        kim_identity_free (&service);
        kim_credential_free (&credential);
    }
        
    kim_string_free (&type);
    kim_string_free (&name);
    kim_string_free (&ccache_identity_string);
    kim_identity_free (&ccache_identity);
    kim_credential_iterator_free (&iterator);
    
    if (!err) {
        if (!found_tickets) {
            printerr ("No Kerberos 5 tickets in credentials cache\n");
        } else {
            printmsg ("\n");
        }
    }

    return err;
}
Пример #10
0
static void
print_tickets (krb5_context context,
	       krb5_ccache ccache,
	       krb5_principal principal,
	       int do_verbose,
	       int do_flags,
	       int do_hidden)
{
    krb5_error_code ret;
    char *str, *name;
    krb5_cc_cursor cursor;
    krb5_creds creds;
    krb5_deltat sec;

    rtbl_t ct = NULL;

    ret = krb5_unparse_name (context, principal, &str);
    if (ret)
	krb5_err (context, 1, ret, "krb5_unparse_name");

    printf ("%17s: %s:%s\n",
	    N_("Credentials cache", ""),
	    krb5_cc_get_type(context, ccache),
	    krb5_cc_get_name(context, ccache));
    printf ("%17s: %s\n", N_("Principal", ""), str);

    ret = krb5_cc_get_friendly_name(context, ccache, &name);
    if (ret == 0) {
	if (strcmp(name, str) != 0)
	    printf ("%17s: %s\n", N_("Friendly name", ""), name);
	free(name);
    }
    free (str);

    if(do_verbose) {
	printf ("%17s: %d\n", N_("Cache version", ""),
		krb5_cc_get_version(context, ccache));
    } else {
        krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET);
    }

    ret = krb5_cc_get_kdc_offset(context, ccache, &sec);

    if (ret == 0 && do_verbose && sec != 0) {
	char buf[BUFSIZ];
	int val;
	int sig;

	val = sec;
	sig = 1;
	if (val < 0) {
	    sig = -1;
	    val = -val;
	}
	
	unparse_time (val, buf, sizeof(buf));

	printf ("%17s: %s%s\n", N_("KDC time offset", ""),
		sig == -1 ? "-" : "", buf);
    }

    printf("\n");

    ret = krb5_cc_start_seq_get (context, ccache, &cursor);
    if (ret)
	krb5_err(context, 1, ret, "krb5_cc_start_seq_get");

    if(!do_verbose) {
	ct = rtbl_create();
	rtbl_add_column(ct, COL_ISSUED, 0);
	rtbl_add_column(ct, COL_EXPIRES, 0);
	if(do_flags)
	    rtbl_add_column(ct, COL_FLAGS, 0);
	rtbl_add_column(ct, COL_PRINCIPAL, 0);
	rtbl_set_separator(ct, "  ");
    }
    while ((ret = krb5_cc_next_cred (context,
				     ccache,
				     &cursor,
				     &creds)) == 0) {
	if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
	    ;
	}else if(do_verbose){
	    print_cred_verbose(context, &creds);
	}else{
	    print_cred(context, &creds, ct, do_flags);
	}
	krb5_free_cred_contents (context, &creds);
    }
    if(ret != KRB5_CC_END)
	krb5_err(context, 1, ret, "krb5_cc_get_next");
    ret = krb5_cc_end_seq_get (context, ccache, &cursor);
    if (ret)
	krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
    if(!do_verbose) {
	rtbl_format(ct, stdout);
	rtbl_destroy(ct);
    }
}
Пример #11
0
/*
 * Request:
 *	NameZ
 *	WhichFields
 *	MatchCreds
 *
 * Response:
 *	Creds
 *	
 */
static krb5_error_code
kcm_op_retrieve(krb5_context context,
		kcm_client *client,
		kcm_operation opcode,
		krb5_storage *request,
		krb5_storage *response)
{
    uint32_t flags;
    krb5_creds mcreds;
    krb5_error_code ret;
    kcm_ccache ccache;
    char *name;
    krb5_creds *credp;
    int free_creds = 0;

    ret = krb5_ret_stringz(request, &name);
    if (ret)
	return ret;

    KCM_LOG_REQUEST_NAME(context, client, opcode, name);

    ret = krb5_ret_uint32(request, &flags);
    if (ret) {
	free(name);
	return ret;
    }

    ret = krb5_ret_creds_tag(request, &mcreds);
    if (ret) {
	free(name);
	return ret;
    }

    if (disallow_getting_krbtgt &&
	mcreds.server->name.name_string.len == 2 &&
	strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0)
    {
	free(name);
	krb5_free_cred_contents(context, &mcreds);
	return KRB5_FCC_PERM;
    }

    ret = kcm_ccache_resolve_client(context, client, opcode,
				    name, &ccache);
    if (ret) {
	free(name);
	krb5_free_cred_contents(context, &mcreds);
	return ret;
    }

    ret = kcm_ccache_retrieve_cred(context, ccache, flags,
				   &mcreds, &credp);
    if (ret && ((flags & KRB5_GC_CACHED) == 0) &&
	!krb5_is_config_principal(context, mcreds.server)) {
	krb5_ccache_data ccdata;

	/* try and acquire */
	HEIMDAL_MUTEX_lock(&ccache->mutex);

	/* Fake up an internal ccache */
	kcm_internal_ccache(context, ccache, &ccdata);

	/* glue cc layer will store creds */
	ret = krb5_get_credentials(context, 0, &ccdata, &mcreds, &credp);
	if (ret == 0)
	    free_creds = 1;

	HEIMDAL_MUTEX_unlock(&ccache->mutex);
    }

    if (ret == 0) {
	ret = krb5_store_creds(response, credp);
    }

    free(name);
    krb5_free_cred_contents(context, &mcreds);
    kcm_release_ccache(context, ccache);

    if (free_creds)
	krb5_free_cred_contents(context, credp);

    return ret;
}
bool Krb5CCache::Iterator::isConfigEntry() {
  return state_ && krb5_is_config_principal(
    state_->context_.get(), state_->creds_.server);
}
Пример #13
0
static void
show_credential(krb5_creds *cred)
{
    krb5_error_code ret;
    krb5_ticket *tkt;
    char *name, *sname, *flags;
    int extra_field = 0, ccol = 0, i;

    ret = krb5_unparse_name(context, cred->client, &name);
    if (ret) {
        com_err(progname, ret, _("while unparsing client name"));
        return;
    }
    ret = krb5_unparse_name(context, cred->server, &sname);
    if (ret) {
        com_err(progname, ret, _("while unparsing server name"));
        krb5_free_unparsed_name(context, name);
        return;
    }
    if (!cred->times.starttime)
        cred->times.starttime = cred->times.authtime;

    if (!krb5_is_config_principal(context, cred->server)) {
        printtime(cred->times.starttime);
        putchar(' ');
        putchar(' ');
        printtime(cred->times.endtime);
        putchar(' ');
        putchar(' ');
        printf("%s\n", sname);
    } else {
        fputs("config: ", stdout);
        ccol = 8;
        for (i = 1; i < cred->server->length; i++) {
            ccol += printf("%s%.*s%s",
                           i > 1 ? "(" : "",
                           (int)cred->server->data[i].length,
                           cred->server->data[i].data,
                           i > 1 ? ")" : "");
        }
        fputs(" = ", stdout);
        ccol += 3;
    }

    if (strcmp(name, defname)) {
        printf(_("\tfor client %s"), name);
        extra_field++;
    }

    if (krb5_is_config_principal(context, cred->server))
        print_config_data(ccol, &cred->ticket);

    if (cred->times.renew_till) {
        if (!extra_field)
            fputs("\t",stdout);
        else
            fputs(", ",stdout);
        fputs(_("renew until "), stdout);
        printtime(cred->times.renew_till);
        extra_field += 2;
    }

    if (extra_field > 3) {
        fputs("\n", stdout);
        extra_field = 0;
    }

    if (show_flags) {
        flags = flags_string(cred);
        if (flags && *flags) {
            if (!extra_field)
                fputs("\t",stdout);
            else
                fputs(", ",stdout);
            printf(_("Flags: %s"), flags);
            extra_field++;
        }
    }

    if (extra_field > 2) {
        fputs("\n", stdout);
        extra_field = 0;
    }

    if (show_etype) {
        ret = krb5_decode_ticket(&cred->ticket, &tkt);
        if (ret)
            goto err_tkt;

        if (!extra_field)
            fputs("\t",stdout);
        else
            fputs(", ",stdout);
        printf(_("Etype (skey, tkt): %s, "),
               etype_string(cred->keyblock.enctype));
        printf("%s ", etype_string(tkt->enc_part.enctype));
        extra_field++;

    err_tkt:
        if (tkt != NULL)
            krb5_free_ticket(context, tkt);
    }

    if (show_adtype) {
        if (cred->authdata != NULL) {
            if (!extra_field)
                fputs("\t",stdout);
            else
                fputs(", ",stdout);
            printf(_("AD types: "));
            for (i = 0; cred->authdata[i] != NULL; i++) {
                if (i)
                    printf(", ");
                printf("%d", cred->authdata[i]->ad_type);
            }
            extra_field++;
        }
    }

    /* If any additional info was printed, extra_field is non-zero. */
    if (extra_field)
        putchar('\n');

    if (show_addresses) {
        if (cred->addresses == NULL || cred->addresses[0] == NULL) {
            printf(_("\tAddresses: (none)\n"));
        } else {
            printf(_("\tAddresses: "));
            one_addr(cred->addresses[0]);

            for (i = 1; cred->addresses[i] != NULL; i++) {
                printf(", ");
                one_addr(cred->addresses[i]);
            }

            printf("\n");
        }
    }

    krb5_free_unparsed_name(context, name);
    krb5_free_unparsed_name(context, sname);
}
Пример #14
0
static void
print_cred_verbose(krb5_context context, krb5_creds *cred, int do_json)
{
    size_t j;
    char *str;
    krb5_error_code ret;
    krb5_timestamp sec;

    if (do_json) { /* XXX support more json formating later */
	printf("{ \"verbose-supported\" : false }");
	return;
    }

    krb5_timeofday (context, &sec);

    ret = krb5_unparse_name(context, cred->server, &str);
    if(ret)
	exit(1);
    printf(N_("Server: %s\n", ""), str);
    free (str);

    ret = krb5_unparse_name(context, cred->client, &str);
    if(ret)
	exit(1);
    printf(N_("Client: %s\n", ""), str);
    free (str);
    
    if (!krb5_is_config_principal(context, cred->client)) {
	Ticket t;
	size_t len;
	char *s;

	decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
	ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
	printf(N_("Ticket etype: ", ""));
	if (ret == 0) {
	    printf("%s", s);
	    free(s);
	} else {
	    printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
	}
	if(t.enc_part.kvno)
	    printf(N_(", kvno %d", ""), *t.enc_part.kvno);
	printf("\n");
	if(cred->session.keytype != t.enc_part.etype) {
	    ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
	    if(ret)
		krb5_warn(context, ret, "session keytype");
	    else {
		printf(N_("Session key: %s\n", "enctype"), str);
		free(str);
	    }
	}
	free_Ticket(&t);
	printf(N_("Ticket length: %lu\n", ""),
	       (unsigned long)cred->ticket.length);
    }
    printf(N_("Auth time:  %s\n", ""),
	   printable_time_long(cred->times.authtime));
    if(cred->times.authtime != cred->times.starttime)
	printf(N_("Start time: %s\n", ""),
	       printable_time_long(cred->times.starttime));
    printf(N_("End time:   %s", ""),
	   printable_time_long(cred->times.endtime));
    if(sec > cred->times.endtime)
	printf(N_(" (expired)", ""));
    printf("\n");
    if(cred->flags.b.renewable)
	printf(N_("Renew till: %s\n", ""),
	       printable_time_long(cred->times.renew_till));
    {
	char flags[1024];
	unparse_flags(TicketFlags2int(cred->flags.b),
		      asn1_TicketFlags_units(),
		      flags, sizeof(flags));
	printf(N_("Ticket flags: %s\n", ""), flags);
    }
    printf(N_("Addresses: ", ""));
    if (cred->addresses.len != 0) {
	for(j = 0; j < cred->addresses.len; j++){
	    char buf[128];
	    size_t len;
	    if(j) printf(", ");
	    ret = krb5_print_address(&cred->addresses.val[j],
				     buf, sizeof(buf), &len);

	    if(ret == 0)
		printf("%s", buf);
	}
    } else {
	printf(N_("addressless", ""));
    }
    printf("\n\n");
}
Пример #15
0
/* fill in service tickets data */
gboolean
ka_get_service_tickets (GtkListStore * tickets, gboolean hide_conf_tickets)
{
    krb5_cc_cursor cursor;
    krb5_creds creds;
    krb5_error_code ret;
    GtkTreeIter iter;
    krb5_ccache ccache;
    char *name;
    krb5_timestamp sec;
    gchar start_time[128], end_time[128], end_time_markup[256];
    gboolean retval = FALSE;

    gtk_list_store_clear (tickets);

    krb5_timeofday (kcontext, &sec);
    ret = krb5_cc_default (kcontext, &ccache);
    g_return_val_if_fail (!ret, FALSE);

    ret = krb5_cc_start_seq_get (kcontext, ccache, &cursor);
    if (ret == KRB5_FCC_NOFILE) {
        ka_log_error_message_at_level (G_LOG_LEVEL_INFO, "krb5_cc_start_seq_get", kcontext, ret);

        gtk_list_store_append (tickets, &iter);
        gtk_list_store_set (tickets, &iter,
                            PRINCIPAL_COLUMN, _("Your ticket cache is currently empty"),
                            FORWARDABLE_COLUMN, FALSE,
                            RENEWABLE_COLUMN, FALSE,
                            PROXIABLE_COLUMN, FALSE, -1);
        retval = TRUE;
        goto out;
    } else if (ret) {
        goto out;
    }


    while ((ret = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) {
        gboolean renewable, proxiable, forwardable;


        if (hide_conf_tickets && krb5_is_config_principal (kcontext,
                                                           creds.server)) {
            krb5_free_cred_contents (kcontext, &creds);
            continue;
        }

        if (creds.times.starttime)
            ka_format_time (creds.times.starttime, start_time,
                            sizeof (start_time));
        else
            ka_format_time (creds.times.authtime, start_time,
                            sizeof (start_time));

        ka_format_time (creds.times.endtime, end_time, sizeof (end_time));
        if (creds.times.endtime > sec)
            strcpy (end_time_markup, end_time);
        else
            g_snprintf (end_time_markup, sizeof (end_time_markup),
                        "%s <span foreground=\"red\" style=\"italic\">(%s)</span>",
                        end_time, _("Expired"));

        forwardable = get_cred_forwardable (&creds);
        renewable = get_cred_renewable (&creds);
        proxiable = get_cred_proxiable (&creds);

        ret = krb5_unparse_name (kcontext, creds.server, &name);
        if (!ret) {
            gtk_list_store_append (tickets, &iter);
            gtk_list_store_set (tickets, &iter,
                                PRINCIPAL_COLUMN, name,
                                START_TIME_COLUMN, start_time,
                                END_TIME_COLUMN, end_time_markup,
                                FORWARDABLE_COLUMN, forwardable,
                                RENEWABLE_COLUMN, renewable,
                                PROXIABLE_COLUMN, proxiable, -1);
            free (name);
        } else
            ka_log_error_message ("krb5_unparse_name", kcontext, ret);
        krb5_free_cred_contents (kcontext, &creds);
    }
    if (ret != KRB5_CC_END)
        ka_log_error_message ("krb5_cc_get_next", kcontext, ret);

    ret = krb5_cc_end_seq_get (kcontext, ccache, &cursor);
    if (ret)
        ka_log_error_message ("krb5_cc_end_seq_get", kcontext, ret);

    retval = TRUE;
  out:
    ret = krb5_cc_close (kcontext, ccache);
    g_return_val_if_fail (!ret, FALSE);

    return retval;
}
Пример #16
0
/*
 * output a single credential (ticket)
 */
void show_cred(register krb5_creds *cred) {
	krb5_error_code	retval;
	char		*clientname = NULL;
	char		*servername = NULL;
	char		*flags;
	int		is_config;
	int		i;

	is_config = krb5_is_config_principal(ctx, cred->server);
	if (is_config && !show_cfg_tkts)
		return;

	retval = krb5_unparse_name(ctx, cred->client, &clientname);
	if (retval) {
		com_err(progname, retval, "while unparsing client name");
		goto cleanup;
	}

	retval = krb5_unparse_name(ctx, cred->server, &servername);
	if (retval) {
		com_err(progname, retval, "while unparsing server name");
		goto cleanup;
	}

	if (show_names_only) {
		printf("%s\n", servername);
		goto cleanup;
	}

	if (!cred->times.starttime)
		cred->times.starttime = cred->times.authtime;
	
	if (is_config && show_cfg_tkts == 1) {
		// "config" <arg>+ <value>
		printf("config");
#ifdef KRB5_MIT
		printf("\t%d", cred->server->length-1);
		for (i = 1; i < cred->server->length; i++)
			printf("\t%s", cred->server->data[i].data);
#else
		printf("\t%d", cred->server->name.name_string.len-1);
		for (i = 1; i < cred->server->name.name_string.len; i++)
			printf("\t%s", cred->server->name.name_string.val[i]);
#endif
		printf("\t");
		print_data(&cred->ticket);
		printf("\n");
	} else {
		// "ticket" <server> <client> <start> <renew> <flags> [data]
		printf(is_config ? "cfgticket" : "ticket");
		printf("\t%s", clientname);
		printf("\t%s", servername);
		printf("\t%ld", (unsigned long) cred->times.starttime);
		printf("\t%ld", (unsigned long) cred->times.endtime);
		printf("\t%ld", (unsigned long) cred->times.renew_till);

		flags = strflags(cred);
		if (flags && *flags)
			printf("\t%s", flags);
		else if (flags)
			printf("\t-");
		else
			printf("\t?");

		if (is_config || show_tktdata) {
			printf("\t");
			print_data(&cred->ticket);
		} else
			printf("\t-");

		printf("\n");
	}

cleanup:
	if (clientname)
		krb5_free_unparsed_name(ctx, clientname);
	if (servername)
		krb5_free_unparsed_name(ctx, servername);
}
Пример #17
0
krb5_error_code KRB5_CALLCONV
krb5_cccol_have_content(krb5_context context)
{
    krb5_error_code ret;
    krb5_cccol_cursor col_cursor;
    krb5_cc_cursor cache_cursor;
    krb5_ccache cache;
    krb5_creds creds;
    krb5_boolean found = FALSE;
    struct errinfo errsave = EMPTY_ERRINFO;
    const char *defname;

    ret = krb5_cccol_cursor_new(context, &col_cursor);
    save_first_error(context, ret, &errsave);
    if (ret)
        goto no_entries;

    while (!found) {
        ret = krb5_cccol_cursor_next(context, col_cursor, &cache);
        save_first_error(context, ret, &errsave);
        if (ret || cache == NULL)
            break;

        ret = krb5_cc_start_seq_get(context, cache, &cache_cursor);
        save_first_error(context, ret, &errsave);
        if (ret)
            continue;
        while (!found) {
            ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds);
            save_first_error(context, ret, &errsave);
            if (ret)
                break;

            if (!krb5_is_config_principal(context, creds.server))
                found = TRUE;
            krb5_free_cred_contents(context, &creds);
        }
        krb5_cc_end_seq_get(context, cache, &cache_cursor);
        krb5_cc_close(context, cache);
    }
    krb5_cccol_cursor_free(context, &col_cursor);
    if (found)
        return 0;

no_entries:
    if (errsave.code) {
        /* Report the first error we encountered. */
        ret = k5_restore_ctx_error(context, &errsave);
        k5_wrapmsg(context, ret, KRB5_CC_NOTFOUND,
                   _("No Kerberos credentials available"));
    } else {
        /* Report the default cache name. */
        defname = krb5_cc_default_name(context);
        if (defname != NULL) {
            k5_setmsg(context, KRB5_CC_NOTFOUND,
                      _("No Kerberos credentials available "
                        "(default cache: %s)"), defname);
        }
    }
    return KRB5_CC_NOTFOUND;
}