Diffstat (limited to 'src/clients/kinit')
-rw-r--r--src/clients/kinit/kinit.M6
-rw-r--r--src/clients/kinit/kinit.c17
2 files changed, 19 insertions, 4 deletions
diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M
index 60336a24ea..05a5ae8902 100644
--- a/src/clients/kinit/kinit.M
+++ b/src/clients/kinit/kinit.M
@@ -37,7 +37,7 @@ kinit \- obtain and cache Kerberos ticket-granting ticket
[\fB\-A\fP]
[\fB\-v\fP] [\fB\-R\fP]
[\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
-[\fB\-S\fP \fIservice_name\fP]
+[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
[\fIprincipal\fP]
.ad b
@@ -130,6 +130,10 @@ the
.I keytab_file
option; otherwise the default name and location will be used.
.TP
+\fB\-T\fP \fIarmor_ccache\fP
+Specifies the name of a credential cache that already contains a ticket. This ccache
+will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal.
+.TP
\fB\-c\fP \fIcache_name\fP
use
.I cache_name
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index e2a0f089b3..42896122a5 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -117,6 +117,7 @@ struct k_opts
char* service_name;
char* keytab_name;
char* k5_cache_name;
+ char *armor_ccache;
action_type action;
@@ -195,9 +196,10 @@ usage()
USAGE_BREAK
"[-v] [-R] "
"[-k [-t keytab_file]] "
- "[-c cachename] "
+ "[-c cachename] "
+ USAGE_BREAK
+ "[-S service_name]""-T ticket_armor_cache"
USAGE_BREAK
- "[-S service_name]"
"[-X <attribute>[=<value>]] [principal]"
"\n\n",
progname);
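Review bot: The new synopsis fragment `"[-S service_name]""-T ticket_armor_cache"` concatenates to `[-S service_name]-T ticket_armor_cache`, with no separating space and no brackets around -T, so the usage text shows an optional flag as mandatory and fused to the previous one. I would write it as `"[-S service_name] [-T armor_ccache] "`, which also matches the argument name used in kinit.M. The `"[-c cachename] "` line appears to change only in whitespace; if that was unintentional it can be dropped from the patch. usage() starts and ends outside the hunk.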
@@ -278,7 +280,7 @@ parse_options(argc, argv, opts)
int errflg = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE"))
!= -1) {
switch (i) {
case 'V':
@@ -347,6 +349,12 @@ parse_options(argc, argv, opts)
opts->keytab_name = optarg;
}
break;
+ case 'T':
+ if (opts->armor_ccache) {
+ fprintf(stderr, "Only one armor_ccache\n");
+ errflg++;
+ } else opts->armor_ccache = optarg;
+ break;
case 'R':
opts->action = RENEW;
break;
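Review bot: In the new `case 'T':` the `else` branch is unbraced and sits on the same line as the closing brace (`} else opts->armor_ccache = optarg;`), which is easy to misread next to the braced `if`. I would write `} else { opts->armor_ccache = optarg; }` over separate lines, matching the braced block just above it in this hunk. The message `"Only one armor_ccache\n"` would be clearer to the user if it named the flag, e.g. `"Only one -T option allowed\n"`. parse_options starts and ends outside the hunk.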
@@ -585,6 +593,9 @@ k5_kinit(opts, k5)
}
if (opts->no_addresses)
krb5_get_init_creds_opt_set_address_list(options, NULL);
+ if (opts->armor_ccache)
+ krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);
+
if ((opts->action == INIT_KT) && opts->keytab_name)
{
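Review bot: The return value of `krb5_get_init_creds_opt_set_fast_ccache_name()` is discarded under the new `if (opts->armor_ccache)`. If the call fails, execution falls through and the initial request is presumably sent without FAST armor, although the user asked for it with -T. That silently downgrades the protection the option exists to provide. Capture the result, e.g. `code = krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);`, then report the error and take k5_kinit's existing failure path when it is non-zero. The error variable and the cleanup path are outside the hunk, so the names must be matched to what the function already uses.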