Add kinit/klist -i options to use client keytab

In combination with -k, -i will cause kinit or klist to use the default client keytab instead of the default acceptor keytab. This gives an easy way to figure out what default client keytab name is in use and to get credentials using it. ticket: 7216 (new)
author: Greg Hudson <ghudson@mit.edu> 2012-07-16 10:13:29 -0400
committer: Greg Hudson <ghudson@mit.edu> 2012-07-16 10:24:17 -0400
commit: 194e0433f07e244aab59edcb22ea0c6e359f9f0d (patch)
tree: e8c550ea4ee37b439de81b94e5541771a9f28a95 /src/clients
parent: 6931507c87d6139b1dcea2ea97a6e3b145287438 (diff)
download: krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.tar.gz
krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.tar.xz
krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.zip
2 files changed, 25 insertions, 5 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 256f165fe9..a315173b60 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -120,6 +120,7 @@ struct k_opts
     char *armor_ccache;
 
     action_type action;
+    int use_client_keytab;
 
     int num_pa_opts;
     krb5_gic_opt_pa_data *pa_opts;
@@ -197,7 +198,7 @@ usage()
             "[-E" USAGE_LONG_ENTERPRISE "] "
             USAGE_BREAK
             "[-v] [-R] "
-            "[-k [-t keytab_file]] "
+            "[-k [-i|-t keytab_file]] "
             "[-c cachename] "
             USAGE_BREAK
             "[-S service_name] [-T ticket_armor_cache]"
@@ -223,6 +224,7 @@ usage()
     fprintf(stderr, _("\t-C canonicalize\n"));
     fprintf(stderr, _("\t-E client is enterprise principal name\n"));
     fprintf(stderr, _("\t-k use keytab\n"));
+    fprintf(stderr, _("\t-i use default client keytab (with -k)\n"));
     fprintf(stderr, _("\t-t filename of keytab to use\n"));
     fprintf(stderr, _("\t-c Kerberos 5 cache name\n"));
     fprintf(stderr, _("\t-S service\n"));
@@ -284,7 +286,7 @@ parse_options(argc, argv, opts)
     int errflg = 0;
     int i;
 
-    while ((i = GETOPT(argc, argv, "r:fpFPn54aAVl:s:c:kt:T:RS:vX:CE"))
+    while ((i = GETOPT(argc, argv, "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CE"))
            != -1) {
         switch (i) {
         case 'V':
@@ -349,6 +351,9 @@ parse_options(argc, argv, opts)
         case 'k':
             opts->action = INIT_KT;
             break;
+        case 'i':
+            opts->use_client_keytab = 1;
+            break;
         case 't':
             if (opts->keytab_name)
             {
@@ -700,6 +705,12 @@ k5_kinit(opts, k5)
         }
         if (opts->verbose)
             fprintf(stderr, _("Using keytab: %s\n"), opts->keytab_name);
+    } else if (opts->action == INIT_KT && opts->use_client_keytab) {
+        code = krb5_kt_client_default(k5->ctx, &keytab);
+        if (code != 0) {
+            com_err(progname, code, _("resolving default client keytab"));
+            goto cleanup;
+        }
     }
 
     for (i = 0; i < opts->num_pa_opts; i++) {
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index fefd895d18..3f633fd906 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -58,7 +58,7 @@ extern int optind;
 
 int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
 int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
-int show_adtype = 0, show_all = 0, list_all = 0;
+int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
 char *defname;
 char *progname;
 krb5_int32 now;
@@ -92,6 +92,7 @@ static void usage()
     fprintf(stderr, _("\t-c specifies credentials cache\n"));
     fprintf(stderr, _("\t-k specifies keytab\n"));
     fprintf(stderr, _("\t   (Default is credentials cache)\n"));
+    fprintf(stderr, _("\t-i uses default client keytab if no name given\n"));
     fprintf(stderr, _("\t-l lists credential caches in collection\n"));
     fprintf(stderr, _("\t-A shows content of all credential caches\n"));
     fprintf(stderr, _("\t-e shows the encryption type\n"));
@@ -125,7 +126,7 @@ main(argc, argv)
     name = NULL;
     mode = DEFAULT;
     /* V=version so v can be used for verbose later if desired.  */
-    while ((c = getopt(argc, argv, "dfetKsnack45lAV")) != -1) {
+    while ((c = getopt(argc, argv, "dfetKsnacki45lAV")) != -1) {
         switch (c) {
         case 'd':
             show_adtype = 1;
@@ -159,6 +160,9 @@ main(argc, argv)
             if (mode != DEFAULT) usage();
             mode = KEYTAB;
             break;
+        case 'i':
+            use_client_keytab = 1;
+            break;
         case '4':
             fprintf(stderr, _("Kerberos 4 is no longer supported\n"));
             exit(3);
@@ -255,7 +259,12 @@ void do_keytab(name)
     char *pname;
     int code;
 
-    if (name == NULL) {
+    if (name == NULL && use_client_keytab) {
+        if ((code = krb5_kt_client_default(kcontext, &kt))) {
+            com_err(progname, code, _("while getting default client keytab"));
+            exit(1);
+        }
+    } else if (name == NULL) {
         if ((code = krb5_kt_default(kcontext, &kt))) {
             com_err(progname, code, _("while getting default keytab"));
             exit(1);
author	Greg Hudson <ghudson@mit.edu>	2012-07-16 10:13:29 -0400
committer	Greg Hudson <ghudson@mit.edu>	2012-07-16 10:24:17 -0400
commit	194e0433f07e244aab59edcb22ea0c6e359f9f0d (patch)
tree	e8c550ea4ee37b439de81b94e5541771a9f28a95 /src/clients
parent	6931507c87d6139b1dcea2ea97a6e3b145287438 (diff)
download	krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.tar.gz krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.tar.xz krb5-194e0433f07e244aab59edcb22ea0c6e359f9f0d.zip