| author | Ben Kaduk <kaduk@mit.edu> | 2014-05-19 16:23:45 -0400 |
|---|---|---|
| committer | Ben Kaduk <kaduk@mit.edu> | 2014-05-22 17:33:14 -0400 |
| commit | 6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e (patch) | |
| tree | 1730beb6aab8d3d4d83aad651b880a16411e2c01 /src | |
| parent | 6e8b2fba84df2ef74ce071330b4c3f843f4b7541 (diff) | |
Do not default to host/ for client keytabs
When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.
Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.
ticket: 7892
Diffstat (limited to 'src')
| -rw-r--r-- | src/clients/kinit/kinit.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index d9033eca9..c442c5371 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c @@ -25,6 +25,7 @@ */ #include "autoconf.h" +#include <k5-int.h> #include "k5-platform.h" /* for asprintf */ #include <krb5.h> #include "extern.h" @@ -470,6 +471,7 @@ k5_begin(opts, k5) int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0; krb5_ccache defcache = NULL; krb5_principal defcache_princ = NULL, princ; + krb5_keytab keytab; const char *deftype = NULL; char *defrealm, *name; @@ -533,6 +535,21 @@ k5_begin(opts, k5) com_err(progname, code, _("while building principal")); goto cleanup; } + } else if (opts->action == INIT_KT && opts->use_client_keytab) { + /* Use the first entry from the client keytab. */ + code = krb5_kt_client_default(k5->ctx, &keytab); + if (code) { + com_err(progname, code, + _("When resolving the default client keytab")); + goto cleanup; + } + code = k5_kt_get_principal(k5->ctx, keytab, &k5->me); + krb5_kt_close(k5->ctx, keytab); + if (code) { + com_err(progname, code, + _("When determining client principal name from keytab")); + goto cleanup; + } } else if (opts->action == INIT_KT) { /* Use the default host/service name. */ code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST, |
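Review bot: The new `opts->action == INIT_KT && opts->use_client_keytab` branch in the third hunk takes the client identity from whichever entry is stored first in the default client keytab, and nothing in the branch tells the operator which principal was chosen. With a keytab holding several principals the result depends on entry order, so the comment should say so, e.g. `/* Use the first entry from the client keytab; with several principals the choice depends on entry order, as in GSS-API. */`, and the `kinit -i` documentation should mention it too. The two new messages begin with "When" while the neighbouring call in the same chain uses `_("while building principal")`; `_("while resolving the default client keytab")` and `_("while determining client principal name from keytab")` would read consistently after the error text. The keytab is closed right after the name lookup and is presumably resolved again later when the credentials are obtained, outside this hunk, so the name and the key do not come from a single open; k5_begin itself starts and ends outside the hunk.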
