/* * Check if a ccache has any tickets. */ static krb5_error_code cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets) { krb5_error_code code; krb5_cc_cursor cursor; krb5_creds creds; krb5_timestamp now = time(0); *has_tickets = 0; code = krb5_cc_set_flags(kcontext, ccache, KRB5_TC_NOTICKET); if (code) return code; code = krb5_cc_start_seq_get(kcontext, ccache, &cursor); if (code) return code; while (!*has_tickets) { code = krb5_cc_next_cred(kcontext, ccache, &cursor, &creds); if (code) break; if (!krb5_is_config_principal(kcontext, creds.server) && creds.times.endtime > now) *has_tickets = 1; krb5_free_cred_contents(kcontext, &creds); } krb5_cc_end_seq_get(kcontext, ccache, &cursor); return 0; }
krb5_error_code KRB5_CALLCONV krb5_cccol_have_content(krb5_context context) { krb5_cccol_cursor col_cursor; krb5_cc_cursor cache_cursor; krb5_ccache cache; krb5_creds creds; krb5_boolean found = FALSE; if (krb5_cccol_cursor_new(context, &col_cursor)) goto no_entries; while (!found && !krb5_cccol_cursor_next(context, col_cursor, &cache) && cache != NULL) { if (krb5_cc_start_seq_get(context, cache, &cache_cursor)) continue; while (!found && !krb5_cc_next_cred(context, cache, &cache_cursor, &creds)) { if (!krb5_is_config_principal(context, creds.server)) found = TRUE; krb5_free_cred_contents(context, &creds); } krb5_cc_end_seq_get(context, cache, &cache_cursor); krb5_cc_close(context, cache); } krb5_cccol_cursor_free(context, &col_cursor); if (found) return 0; no_entries: krb5_set_error_message(context, KRB5_CC_NOTFOUND, _("No Kerberos credentials available")); return KRB5_CC_NOTFOUND; }
/* Display the contents of cache. */ static int show_ccache(krb5_ccache cache) { krb5_cc_cursor cur; krb5_creds creds; krb5_principal princ; krb5_error_code ret; ret = krb5_cc_get_principal(context, cache, &princ); if (ret) { com_err(progname, ret, ""); return 1; } ret = krb5_unparse_name(context, princ, &defname); if (ret) { com_err(progname, ret, _("while unparsing principal name")); return 1; } printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"), krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache), defname); /* XXX Translating would disturb table alignment; skip for now. */ fputs("Valid starting", stdout); fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' '); fputs("Expires", stdout); fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' '); fputs("Service principal\n", stdout); ret = krb5_cc_start_seq_get(context, cache, &cur); if (ret) { com_err(progname, ret, _("while starting to retrieve tickets")); return 1; } while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { if (show_config || !krb5_is_config_principal(context, creds.server)) show_credential(&creds); krb5_free_cred_contents(context, &creds); } krb5_free_principal(context, princ); krb5_free_unparsed_name(context, defname); defname = NULL; if (ret == KRB5_CC_END) { ret = krb5_cc_end_seq_get(context, cache, &cur); if (ret) { com_err(progname, ret, _("while finishing ticket retrieval")); return 1; } return 0; } else { com_err(progname, ret, _("while retrieving a ticket")); return 1; } }
bool next() { bool valid = next_any(); if (include_config_entries_) { return valid; } krb5_context ctx = context_.get(); while (valid && krb5_is_config_principal(ctx, creds_.server)) { valid = next_any(); } return valid; }
static void check_ticket_count(gss_cred_id_t cred, int expected) { krb5_error_code ret; krb5_context context = NULL; krb5_creds kcred; krb5_cc_cursor cur; krb5_ccache ccache; int count = 0; gss_key_value_set_desc store; gss_key_value_element_desc elem; OM_uint32 major, minor; const char *ccname = "MEMORY:count"; store.count = 1; store.elements = &elem; elem.key = "ccache"; elem.value = ccname; major = gss_store_cred_into(&minor, cred, GSS_C_INITIATE, &mech_krb5, 1, 0, &store, NULL, NULL); check_gsserr("gss_store_cred_into", major, minor); ret = krb5_init_context(&context); check_k5err(context, "krb5_init_context", ret); ret = krb5_cc_resolve(context, ccname, &ccache); check_k5err(context, "krb5_cc_resolve", ret); ret = krb5_cc_start_seq_get(context, ccache, &cur); check_k5err(context, "krb5_cc_start_seq_get", ret); while (!krb5_cc_next_cred(context, ccache, &cur, &kcred)) { if (!krb5_is_config_principal(context, kcred.server)) count++; krb5_free_cred_contents(context, &kcred); } ret = krb5_cc_end_seq_get(context, ccache, &cur); check_k5err(context, "krb5_cc_end_seq_get", ret); if (expected != count) { printf("Expected %d tickets but got %d\n", expected, count); exit(1); } krb5_cc_destroy(context, ccache); krb5_free_context(context); }
/* * The default unset code path depends on the underlying ccache implementation * knowing how to remove a credential, which most types don't actually support, * so we have to jump through some hoops to ensure that when we set a value for * a key, it'll be the only value for that key that'll be found later. The * ccache portions of libkrb5 will currently duplicate some of the actual * tickets. */ static void unset_config(krb5_context context, krb5_ccache ccache, krb5_principal server, const char *key) { krb5_ccache tmp1, tmp2; krb5_cc_cursor cursor; krb5_creds mcreds, creds; memset(&mcreds, 0, sizeof(mcreds)); memset(&creds, 0, sizeof(creds)); bail_on_err(context, "Error while deriving configuration principal names", k5_build_conf_principals(context, ccache, server, key, &mcreds)); bail_on_err(context, "Error resolving first in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp1", &tmp1)); bail_on_err(context, "Error initializing first in-memory ccache", krb5_cc_initialize(context, tmp1, mcreds.client)); bail_on_err(context, "Error resolving second in-memory ccache", krb5_cc_resolve(context, "MEMORY:tmp2", &tmp2)); bail_on_err(context, "Error initializing second in-memory ccache", krb5_cc_initialize(context, tmp2, mcreds.client)); bail_on_err(context, "Error copying credentials to first in-memory ccache", krb5_cc_copy_creds(context, ccache, tmp1)); bail_on_err(context, "Error starting traversal of first in-memory ccache", krb5_cc_start_seq_get(context, tmp1, &cursor)); while (krb5_cc_next_cred(context, tmp1, &cursor, &creds) == 0) { if (!krb5_is_config_principal(context, creds.server) || !krb5_principal_compare(context, mcreds.server, creds.server) || !krb5_principal_compare(context, mcreds.client, creds.client)) { bail_on_err(context, "Error storing non-config item to in-memory ccache", krb5_cc_store_cred(context, tmp2, &creds)); } } bail_on_err(context, "Error ending traversal of first in-memory ccache", krb5_cc_end_seq_get(context, tmp1, &cursor)); bail_on_err(context, "Error clearing ccache", krb5_cc_initialize(context, ccache, mcreds.client)); bail_on_err(context, "Error storing creds to the ccache", krb5_cc_copy_creds(context, tmp2, ccache)); bail_on_err(context, "Error cleaning up first in-memory ccache", krb5_cc_destroy(context, tmp1)); bail_on_err(context, "Error cleaning up second in-memory ccache", krb5_cc_destroy(context, tmp2)); }
/* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */ static int check_ccache(krb5_ccache cache) { krb5_error_code ret; krb5_cc_cursor cur; krb5_creds creds; krb5_principal princ; krb5_boolean found_tgt, found_current_tgt, found_current_cred; if (krb5_cc_get_principal(context, cache, &princ) != 0) return 1; if (krb5_cc_start_seq_get(context, cache, &cur) != 0) return 1; found_tgt = found_current_tgt = found_current_cred = FALSE; while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { if (is_local_tgt(creds.server, &princ->realm)) { found_tgt = TRUE; if (ts_after(creds.times.endtime, now)) found_current_tgt = TRUE; } else if (!krb5_is_config_principal(context, creds.server) && ts_after(creds.times.endtime, now)) { found_current_cred = TRUE; } krb5_free_cred_contents(context, &creds); } krb5_free_principal(context, princ); if (ret != KRB5_CC_END) return 1; if (krb5_cc_end_seq_get(context, cache, &cur) != 0) return 1; /* If the cache contains at least one local TGT, require that it be * current. Otherwise accept any current cred. */ if (found_tgt) return found_current_tgt ? 0 : 1; return found_current_cred ? 0 : 1; }
static int kinit_check_tgt(kinit_data *kid, int *remaining) { int ret=3; krb5_principal princ; krb5_error_code rc; krb5_cc_cursor cursor; krb5_creds creds; char *name; time_t now=time(NULL); rc = krb5_cc_get_principal(kid->ctx, kid->ccache, &princ); if (rc) { log_krb5_errmsg(kid->ctx, "krb5_cc_get_principal", rc); return 2; } else { if (!krb5_principal_compare(kid->ctx, kid->princ, princ)) { Log(LDAP_DEBUG_ANY, LDAP_LEVEL_ERR, "Principal in ccache does not match requested principal\n"); krb5_free_principal(kid->ctx, princ); return 2; } } rc = krb5_cc_start_seq_get(kid->ctx, kid->ccache, &cursor); if (rc) { log_krb5_errmsg(kid->ctx, "krb5_cc_start_seq_get", rc); krb5_free_principal(kid->ctx, princ); return -1; } while (!(rc = krb5_cc_next_cred(kid->ctx, kid->ccache, &cursor, &creds))) { if (krb5_is_config_principal(kid->ctx, creds.server)) { krb5_free_cred_contents(kid->ctx, &creds); continue; } if (creds.server->length==2 && (!strcmp(creds.server->data[0].data, "krbtgt")) && (!strcmp(creds.server->data[1].data, princ->realm.data))) { krb5_unparse_name(kid->ctx, creds.server, &name); *remaining = (time_t)creds.times.endtime-now; if ( *remaining <= 0) { Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: TGT (%s) expired\n", name); } else { Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: TGT (%s) expires in %dh:%02dm:%02ds\n", name, *remaining/3600, (*remaining%3600)/60, *remaining%60); } free(name); if (*remaining <= 30) { if (creds.times.renew_till-60 > now) { int renewal=creds.times.renew_till-now; Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: Time remaining for renewal: %dh:%02dm:%02ds\n", renewal/3600, (renewal%3600)/60, renewal%60); ret = 1; } else { Log(LDAP_DEBUG_TRACE, LDAP_LEVEL_DEBUG, "kinit_qtask: Only short time left for renewal. " "Trying to re-init.\n"); ret = 2; } } else { ret=0; } krb5_free_cred_contents(kid->ctx, &creds); break; } krb5_free_cred_contents(kid->ctx, &creds); } krb5_cc_end_seq_get(kid->ctx, kid->ccache, &cursor); krb5_free_principal(kid->ctx, princ); return ret; }
int print_ccache (kim_ccache in_ccache, int *out_found_valid_tgt) { kim_error err = 0; kim_credential_iterator iterator = NULL; kim_identity ccache_identity = NULL; kim_string type = NULL; kim_string name = NULL; kim_string ccache_identity_string = NULL; int found_tickets = 0; *out_found_valid_tgt = 0; if (!err) { err = kim_ccache_get_type (in_ccache, &type); printiferr (err, "while getting the ccache type"); } if (!err) { err = kim_ccache_get_name (in_ccache, &name); printiferr (err, "while getting the ccache name"); } if (!err) { err = kim_ccache_get_client_identity (in_ccache, &ccache_identity); printiferr (err, "while getting the ccache principal"); } if (!err) { err = kim_identity_get_display_string (ccache_identity, &ccache_identity_string); printiferr (err, "while unparsing the ccache principal name"); } if (!err) { printmsg ("Kerberos 5 ticket cache: '%s:%s'\nDefault principal: %s\n\n", type, name, ccache_identity_string); printmsg ("Valid Starting"); printfiller (' ', get_timestamp_width () - sizeof ("Valid Starting") + 3); printmsg ("Expires"); printfiller (' ', get_timestamp_width () - sizeof ("Expires") + 3); printmsg ("Service Principal\n"); err = kim_credential_iterator_create (&iterator, in_ccache); } while (!err) { kim_credential credential = NULL; kim_identity client = NULL; kim_identity service = NULL; kim_string client_string = NULL; kim_string service_string = NULL; krb5_creds *creds = NULL; int extra_field = 0; err = kim_credential_iterator_next (iterator, &credential); if (!err && !credential) { break; } if (!err) { err = kim_credential_get_client_identity (credential, &client); printiferr (err, "while getting the client principal"); } if (!err) { err = kim_identity_get_display_string (client, &client_string); printiferr (err, "while unparsing the client principal name"); } if (!err) { err = kim_credential_get_service_identity (credential, &service); printiferr (err, "while getting the service principal"); } if (!err) { err = kim_identity_get_display_string (service, &service_string); printiferr (err, "while unparsing the service principal name"); } if (!err) { err = kim_credential_get_krb5_creds (credential, kcontext, &creds); printiferr (err, "while getting krb5 creds"); } if (!err && krb5_is_config_principal(kcontext, creds->server)) goto next; if (!err) { found_tickets = 1; printtime (creds->times.starttime ? creds->times.starttime : creds->times.authtime); printmsg (" "); printtime (creds->times.endtime); printmsg (" "); printmsg ("%s\n", service_string); if (strcmp (ccache_identity_string, client_string)) { if (!extra_field) { printmsg ("\t"); } printmsg ("for client %s", client_string); extra_field++; } if (creds->ticket_flags & TKT_FLG_RENEWABLE) { printmsg (extra_field ? ", " : "\t"); printmsg ("renew until "); printtime (creds->times.renew_till); extra_field += 2; } if (extra_field > 2) { printmsg ("\n"); extra_field = 0; } if (show_flags) { printmsg (extra_field ? ", " : "\t"); printflags (creds->ticket_flags); extra_field++; } if (extra_field > 2) { printmsg ("\n"); extra_field = 0; } if (show_enctypes) { krb5_ticket *ticket_rep; if (krb5_decode_ticket (&creds->ticket, &ticket_rep) == 0) { if (!extra_field) { printmsg ("\t"); } else { printmsg (", "); } printmsg ("Etype (skey, tkt): %s, ", enctype_to_string (creds->keyblock.enctype)); printmsg ("%s ", enctype_to_string (ticket_rep->enc_part.enctype)); extra_field++; krb5_free_ticket (kcontext, ticket_rep); } } if (extra_field) { printmsg ("\n"); } if (show_address_list) { printmsg ("\tAddresses: "); if (!creds->addresses || !creds->addresses[0]) { printmsg ("(none)\n"); } else { int i; for (i = 0; creds->addresses[i]; i++) { if (i > 0) { printmsg (", "); } printaddress (*creds->addresses[i]); } printmsg ("\n"); } } if (extra_field) { printmsg ("\n"); } } if (!err) { kim_boolean is_tgt = 0; kim_credential_state state; err = kim_credential_is_tgt (credential, &is_tgt); printiferr (err, "while checking if creds are valid"); if (!err) { err = kim_credential_get_state (credential, &state); } if (!err && is_tgt && state == kim_credentials_state_valid) { *out_found_valid_tgt = 1; } } next: if (creds) { krb5_free_creds (kcontext, creds); } kim_string_free (&client_string); kim_string_free (&service_string); kim_identity_free (&client); kim_identity_free (&service); kim_credential_free (&credential); } kim_string_free (&type); kim_string_free (&name); kim_string_free (&ccache_identity_string); kim_identity_free (&ccache_identity); kim_credential_iterator_free (&iterator); if (!err) { if (!found_tickets) { printerr ("No Kerberos 5 tickets in credentials cache\n"); } else { printmsg ("\n"); } } return err; }
static void print_tickets (krb5_context context, krb5_ccache ccache, krb5_principal principal, int do_verbose, int do_flags, int do_hidden) { krb5_error_code ret; char *str, *name; krb5_cc_cursor cursor; krb5_creds creds; krb5_deltat sec; rtbl_t ct = NULL; ret = krb5_unparse_name (context, principal, &str); if (ret) krb5_err (context, 1, ret, "krb5_unparse_name"); printf ("%17s: %s:%s\n", N_("Credentials cache", ""), krb5_cc_get_type(context, ccache), krb5_cc_get_name(context, ccache)); printf ("%17s: %s\n", N_("Principal", ""), str); ret = krb5_cc_get_friendly_name(context, ccache, &name); if (ret == 0) { if (strcmp(name, str) != 0) printf ("%17s: %s\n", N_("Friendly name", ""), name); free(name); } free (str); if(do_verbose) { printf ("%17s: %d\n", N_("Cache version", ""), krb5_cc_get_version(context, ccache)); } else { krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET); } ret = krb5_cc_get_kdc_offset(context, ccache, &sec); if (ret == 0 && do_verbose && sec != 0) { char buf[BUFSIZ]; int val; int sig; val = sec; sig = 1; if (val < 0) { sig = -1; val = -val; } unparse_time (val, buf, sizeof(buf)); printf ("%17s: %s%s\n", N_("KDC time offset", ""), sig == -1 ? "-" : "", buf); } printf("\n"); ret = krb5_cc_start_seq_get (context, ccache, &cursor); if (ret) krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); if(!do_verbose) { ct = rtbl_create(); rtbl_add_column(ct, COL_ISSUED, 0); rtbl_add_column(ct, COL_EXPIRES, 0); if(do_flags) rtbl_add_column(ct, COL_FLAGS, 0); rtbl_add_column(ct, COL_PRINCIPAL, 0); rtbl_set_separator(ct, " "); } while ((ret = krb5_cc_next_cred (context, ccache, &cursor, &creds)) == 0) { if (!do_hidden && krb5_is_config_principal(context, creds.server)) { ; }else if(do_verbose){ print_cred_verbose(context, &creds); }else{ print_cred(context, &creds, ct, do_flags); } krb5_free_cred_contents (context, &creds); } if(ret != KRB5_CC_END) krb5_err(context, 1, ret, "krb5_cc_get_next"); ret = krb5_cc_end_seq_get (context, ccache, &cursor); if (ret) krb5_err (context, 1, ret, "krb5_cc_end_seq_get"); if(!do_verbose) { rtbl_format(ct, stdout); rtbl_destroy(ct); } }
/* * Request: * NameZ * WhichFields * MatchCreds * * Response: * Creds * */ static krb5_error_code kcm_op_retrieve(krb5_context context, kcm_client *client, kcm_operation opcode, krb5_storage *request, krb5_storage *response) { uint32_t flags; krb5_creds mcreds; krb5_error_code ret; kcm_ccache ccache; char *name; krb5_creds *credp; int free_creds = 0; ret = krb5_ret_stringz(request, &name); if (ret) return ret; KCM_LOG_REQUEST_NAME(context, client, opcode, name); ret = krb5_ret_uint32(request, &flags); if (ret) { free(name); return ret; } ret = krb5_ret_creds_tag(request, &mcreds); if (ret) { free(name); return ret; } if (disallow_getting_krbtgt && mcreds.server->name.name_string.len == 2 && strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0) { free(name); krb5_free_cred_contents(context, &mcreds); return KRB5_FCC_PERM; } ret = kcm_ccache_resolve_client(context, client, opcode, name, &ccache); if (ret) { free(name); krb5_free_cred_contents(context, &mcreds); return ret; } ret = kcm_ccache_retrieve_cred(context, ccache, flags, &mcreds, &credp); if (ret && ((flags & KRB5_GC_CACHED) == 0) && !krb5_is_config_principal(context, mcreds.server)) { krb5_ccache_data ccdata; /* try and acquire */ HEIMDAL_MUTEX_lock(&ccache->mutex); /* Fake up an internal ccache */ kcm_internal_ccache(context, ccache, &ccdata); /* glue cc layer will store creds */ ret = krb5_get_credentials(context, 0, &ccdata, &mcreds, &credp); if (ret == 0) free_creds = 1; HEIMDAL_MUTEX_unlock(&ccache->mutex); } if (ret == 0) { ret = krb5_store_creds(response, credp); } free(name); krb5_free_cred_contents(context, &mcreds); kcm_release_ccache(context, ccache); if (free_creds) krb5_free_cred_contents(context, credp); return ret; }
bool Krb5CCache::Iterator::isConfigEntry() { return state_ && krb5_is_config_principal( state_->context_.get(), state_->creds_.server); }
static void show_credential(krb5_creds *cred) { krb5_error_code ret; krb5_ticket *tkt; char *name, *sname, *flags; int extra_field = 0, ccol = 0, i; ret = krb5_unparse_name(context, cred->client, &name); if (ret) { com_err(progname, ret, _("while unparsing client name")); return; } ret = krb5_unparse_name(context, cred->server, &sname); if (ret) { com_err(progname, ret, _("while unparsing server name")); krb5_free_unparsed_name(context, name); return; } if (!cred->times.starttime) cred->times.starttime = cred->times.authtime; if (!krb5_is_config_principal(context, cred->server)) { printtime(cred->times.starttime); putchar(' '); putchar(' '); printtime(cred->times.endtime); putchar(' '); putchar(' '); printf("%s\n", sname); } else { fputs("config: ", stdout); ccol = 8; for (i = 1; i < cred->server->length; i++) { ccol += printf("%s%.*s%s", i > 1 ? "(" : "", (int)cred->server->data[i].length, cred->server->data[i].data, i > 1 ? ")" : ""); } fputs(" = ", stdout); ccol += 3; } if (strcmp(name, defname)) { printf(_("\tfor client %s"), name); extra_field++; } if (krb5_is_config_principal(context, cred->server)) print_config_data(ccol, &cred->ticket); if (cred->times.renew_till) { if (!extra_field) fputs("\t",stdout); else fputs(", ",stdout); fputs(_("renew until "), stdout); printtime(cred->times.renew_till); extra_field += 2; } if (extra_field > 3) { fputs("\n", stdout); extra_field = 0; } if (show_flags) { flags = flags_string(cred); if (flags && *flags) { if (!extra_field) fputs("\t",stdout); else fputs(", ",stdout); printf(_("Flags: %s"), flags); extra_field++; } } if (extra_field > 2) { fputs("\n", stdout); extra_field = 0; } if (show_etype) { ret = krb5_decode_ticket(&cred->ticket, &tkt); if (ret) goto err_tkt; if (!extra_field) fputs("\t",stdout); else fputs(", ",stdout); printf(_("Etype (skey, tkt): %s, "), etype_string(cred->keyblock.enctype)); printf("%s ", etype_string(tkt->enc_part.enctype)); extra_field++; err_tkt: if (tkt != NULL) krb5_free_ticket(context, tkt); } if (show_adtype) { if (cred->authdata != NULL) { if (!extra_field) fputs("\t",stdout); else fputs(", ",stdout); printf(_("AD types: ")); for (i = 0; cred->authdata[i] != NULL; i++) { if (i) printf(", "); printf("%d", cred->authdata[i]->ad_type); } extra_field++; } } /* If any additional info was printed, extra_field is non-zero. */ if (extra_field) putchar('\n'); if (show_addresses) { if (cred->addresses == NULL || cred->addresses[0] == NULL) { printf(_("\tAddresses: (none)\n")); } else { printf(_("\tAddresses: ")); one_addr(cred->addresses[0]); for (i = 1; cred->addresses[i] != NULL; i++) { printf(", "); one_addr(cred->addresses[i]); } printf("\n"); } } krb5_free_unparsed_name(context, name); krb5_free_unparsed_name(context, sname); }
static void print_cred_verbose(krb5_context context, krb5_creds *cred, int do_json) { size_t j; char *str; krb5_error_code ret; krb5_timestamp sec; if (do_json) { /* XXX support more json formating later */ printf("{ \"verbose-supported\" : false }"); return; } krb5_timeofday (context, &sec); ret = krb5_unparse_name(context, cred->server, &str); if(ret) exit(1); printf(N_("Server: %s\n", ""), str); free (str); ret = krb5_unparse_name(context, cred->client, &str); if(ret) exit(1); printf(N_("Client: %s\n", ""), str); free (str); if (!krb5_is_config_principal(context, cred->client)) { Ticket t; size_t len; char *s; decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len); ret = krb5_enctype_to_string(context, t.enc_part.etype, &s); printf(N_("Ticket etype: ", "")); if (ret == 0) { printf("%s", s); free(s); } else { printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype); } if(t.enc_part.kvno) printf(N_(", kvno %d", ""), *t.enc_part.kvno); printf("\n"); if(cred->session.keytype != t.enc_part.etype) { ret = krb5_enctype_to_string(context, cred->session.keytype, &str); if(ret) krb5_warn(context, ret, "session keytype"); else { printf(N_("Session key: %s\n", "enctype"), str); free(str); } } free_Ticket(&t); printf(N_("Ticket length: %lu\n", ""), (unsigned long)cred->ticket.length); } printf(N_("Auth time: %s\n", ""), printable_time_long(cred->times.authtime)); if(cred->times.authtime != cred->times.starttime) printf(N_("Start time: %s\n", ""), printable_time_long(cred->times.starttime)); printf(N_("End time: %s", ""), printable_time_long(cred->times.endtime)); if(sec > cred->times.endtime) printf(N_(" (expired)", "")); printf("\n"); if(cred->flags.b.renewable) printf(N_("Renew till: %s\n", ""), printable_time_long(cred->times.renew_till)); { char flags[1024]; unparse_flags(TicketFlags2int(cred->flags.b), asn1_TicketFlags_units(), flags, sizeof(flags)); printf(N_("Ticket flags: %s\n", ""), flags); } printf(N_("Addresses: ", "")); if (cred->addresses.len != 0) { for(j = 0; j < cred->addresses.len; j++){ char buf[128]; size_t len; if(j) printf(", "); ret = krb5_print_address(&cred->addresses.val[j], buf, sizeof(buf), &len); if(ret == 0) printf("%s", buf); } } else { printf(N_("addressless", "")); } printf("\n\n"); }
/* fill in service tickets data */ gboolean ka_get_service_tickets (GtkListStore * tickets, gboolean hide_conf_tickets) { krb5_cc_cursor cursor; krb5_creds creds; krb5_error_code ret; GtkTreeIter iter; krb5_ccache ccache; char *name; krb5_timestamp sec; gchar start_time[128], end_time[128], end_time_markup[256]; gboolean retval = FALSE; gtk_list_store_clear (tickets); krb5_timeofday (kcontext, &sec); ret = krb5_cc_default (kcontext, &ccache); g_return_val_if_fail (!ret, FALSE); ret = krb5_cc_start_seq_get (kcontext, ccache, &cursor); if (ret == KRB5_FCC_NOFILE) { ka_log_error_message_at_level (G_LOG_LEVEL_INFO, "krb5_cc_start_seq_get", kcontext, ret); gtk_list_store_append (tickets, &iter); gtk_list_store_set (tickets, &iter, PRINCIPAL_COLUMN, _("Your ticket cache is currently empty"), FORWARDABLE_COLUMN, FALSE, RENEWABLE_COLUMN, FALSE, PROXIABLE_COLUMN, FALSE, -1); retval = TRUE; goto out; } else if (ret) { goto out; } while ((ret = krb5_cc_next_cred (kcontext, ccache, &cursor, &creds)) == 0) { gboolean renewable, proxiable, forwardable; if (hide_conf_tickets && krb5_is_config_principal (kcontext, creds.server)) { krb5_free_cred_contents (kcontext, &creds); continue; } if (creds.times.starttime) ka_format_time (creds.times.starttime, start_time, sizeof (start_time)); else ka_format_time (creds.times.authtime, start_time, sizeof (start_time)); ka_format_time (creds.times.endtime, end_time, sizeof (end_time)); if (creds.times.endtime > sec) strcpy (end_time_markup, end_time); else g_snprintf (end_time_markup, sizeof (end_time_markup), "%s <span foreground=\"red\" style=\"italic\">(%s)</span>", end_time, _("Expired")); forwardable = get_cred_forwardable (&creds); renewable = get_cred_renewable (&creds); proxiable = get_cred_proxiable (&creds); ret = krb5_unparse_name (kcontext, creds.server, &name); if (!ret) { gtk_list_store_append (tickets, &iter); gtk_list_store_set (tickets, &iter, PRINCIPAL_COLUMN, name, START_TIME_COLUMN, start_time, END_TIME_COLUMN, end_time_markup, FORWARDABLE_COLUMN, forwardable, RENEWABLE_COLUMN, renewable, PROXIABLE_COLUMN, proxiable, -1); free (name); } else ka_log_error_message ("krb5_unparse_name", kcontext, ret); krb5_free_cred_contents (kcontext, &creds); } if (ret != KRB5_CC_END) ka_log_error_message ("krb5_cc_get_next", kcontext, ret); ret = krb5_cc_end_seq_get (kcontext, ccache, &cursor); if (ret) ka_log_error_message ("krb5_cc_end_seq_get", kcontext, ret); retval = TRUE; out: ret = krb5_cc_close (kcontext, ccache); g_return_val_if_fail (!ret, FALSE); return retval; }
/* * output a single credential (ticket) */ void show_cred(register krb5_creds *cred) { krb5_error_code retval; char *clientname = NULL; char *servername = NULL; char *flags; int is_config; int i; is_config = krb5_is_config_principal(ctx, cred->server); if (is_config && !show_cfg_tkts) return; retval = krb5_unparse_name(ctx, cred->client, &clientname); if (retval) { com_err(progname, retval, "while unparsing client name"); goto cleanup; } retval = krb5_unparse_name(ctx, cred->server, &servername); if (retval) { com_err(progname, retval, "while unparsing server name"); goto cleanup; } if (show_names_only) { printf("%s\n", servername); goto cleanup; } if (!cred->times.starttime) cred->times.starttime = cred->times.authtime; if (is_config && show_cfg_tkts == 1) { // "config" <arg>+ <value> printf("config"); #ifdef KRB5_MIT printf("\t%d", cred->server->length-1); for (i = 1; i < cred->server->length; i++) printf("\t%s", cred->server->data[i].data); #else printf("\t%d", cred->server->name.name_string.len-1); for (i = 1; i < cred->server->name.name_string.len; i++) printf("\t%s", cred->server->name.name_string.val[i]); #endif printf("\t"); print_data(&cred->ticket); printf("\n"); } else { // "ticket" <server> <client> <start> <renew> <flags> [data] printf(is_config ? "cfgticket" : "ticket"); printf("\t%s", clientname); printf("\t%s", servername); printf("\t%ld", (unsigned long) cred->times.starttime); printf("\t%ld", (unsigned long) cred->times.endtime); printf("\t%ld", (unsigned long) cred->times.renew_till); flags = strflags(cred); if (flags && *flags) printf("\t%s", flags); else if (flags) printf("\t-"); else printf("\t?"); if (is_config || show_tktdata) { printf("\t"); print_data(&cred->ticket); } else printf("\t-"); printf("\n"); } cleanup: if (clientname) krb5_free_unparsed_name(ctx, clientname); if (servername) krb5_free_unparsed_name(ctx, servername); }
krb5_error_code KRB5_CALLCONV krb5_cccol_have_content(krb5_context context) { krb5_error_code ret; krb5_cccol_cursor col_cursor; krb5_cc_cursor cache_cursor; krb5_ccache cache; krb5_creds creds; krb5_boolean found = FALSE; struct errinfo errsave = EMPTY_ERRINFO; const char *defname; ret = krb5_cccol_cursor_new(context, &col_cursor); save_first_error(context, ret, &errsave); if (ret) goto no_entries; while (!found) { ret = krb5_cccol_cursor_next(context, col_cursor, &cache); save_first_error(context, ret, &errsave); if (ret || cache == NULL) break; ret = krb5_cc_start_seq_get(context, cache, &cache_cursor); save_first_error(context, ret, &errsave); if (ret) continue; while (!found) { ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds); save_first_error(context, ret, &errsave); if (ret) break; if (!krb5_is_config_principal(context, creds.server)) found = TRUE; krb5_free_cred_contents(context, &creds); } krb5_cc_end_seq_get(context, cache, &cache_cursor); krb5_cc_close(context, cache); } krb5_cccol_cursor_free(context, &col_cursor); if (found) return 0; no_entries: if (errsave.code) { /* Report the first error we encountered. */ ret = k5_restore_ctx_error(context, &errsave); k5_wrapmsg(context, ret, KRB5_CC_NOTFOUND, _("No Kerberos credentials available")); } else { /* Report the default cache name. */ defname = krb5_cc_default_name(context); if (defname != NULL) { k5_setmsg(context, KRB5_CC_NOTFOUND, _("No Kerberos credentials available " "(default cache: %s)"), defname); } } return KRB5_CC_NOTFOUND; }