Diffstat (limited to 'src/clients/kinit/kinit.c')
-rw-r--r-- | src/clients/kinit/kinit.c | 761 |
1 files changed, 432 insertions, 329 deletions
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 6eb39515a..5f281e3a2 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -58,7 +58,7 @@ extern int getopt();
 #ifndef _WIN32
 #define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
 #else
-#define GET_PROGNAME(x) (max(strrchr((x), '/'), strrchr((x), '\\')) + 1, (x))
+#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
 #endif
 #ifdef HAVE_PWD_H
@@ -127,7 +127,8 @@ struct k_opts
 char* principal_name;
 char* service_name;
 char* keytab_name;
- char* cache_name;
+ char* k5_cache_name;
+ char* k4_cache_name;
 action_type action;
 };
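Review bot: The new Windows GET_PROGNAME evaluates its argument three times (two strrchr calls plus the final `(x)`) and, when neither separator is present, computes `NULL + 1` before the outer `max` falls back to `x`; that works for a plain `argv[0]` argument but is undefined pointer arithmetic and will misbehave for any argument with side effects. The old comma-expression version always yielded `(x)`, so the repair is welcome, but a small helper would make the intent explicit and evaluate the argument once. Something like the function below, with `#define GET_PROGNAME(x) get_progname(x)` in the `_WIN32` branch, keeps the macro name callers use.
```c
static char *
get_progname(char *x)
{
    char *slash = strrchr(x, '/');
    char *bslash = strrchr(x, '\\');
    char *sep = (slash > bslash) ? slash : bslash;
    return sep ? sep + 1 : x;
}
```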
@@ -168,114 +169,162 @@ struct option long_options[] = { }; #define GETOPT(argc, argv, str) getopt_long(argc, argv, str, long_options, 0) -#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable" -#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable" -#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses" #else #define GETOPT(argc, argv, str) getopt(argc, argv, str) -#define USAGE_LONG_FORWARDABLE "" -#define USAGE_LONG_PROXIABLE "" -#define USAGE_LONG_ADDRESSES "" #endif void -usage() +usage(have_k4, have_k5) + int have_k4; +int have_k5; { -#ifdef KRB5_KRB4_COMPAT -#define USAGE_K54_OPT "[-4] [-5] " -#define USAGE_K54_SRVTAB "/srvtab" + char* k4_default = 0; + char* k5_default = 0; + +#define USAGE_BREAK "\n\t" + +#ifdef GETOPT_LONG +#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable" +#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable" +#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses" +#define USAGE_BREAK_LONG USAGE_BREAK #else -#define USAGE_K54_OPT "" -#define USAGE_K54_SRVTAB "" +#define USAGE_LONG_FORWARDABLE "" +#define USAGE_LONG_PROXIABLE "" +#define USAGE_LONG_ADDRESSES "" +#define USAGE_BREAK_LONG "" #endif - fprintf(stderr, "Usage: %s [-V] " USAGE_K54_OPT - "[-l lifetime] [-r renewable_life] " + fprintf(stderr, "Usage: %s [-5] [-4] [-V] " + "[-l lifetime] [-s start_time] " + USAGE_BREAK + "[-r renewable_life] " "[-f | -F" USAGE_LONG_FORWARDABLE "] " + USAGE_BREAK_LONG "[-p | -P" USAGE_LONG_PROXIABLE "] " + USAGE_BREAK_LONG "[-A" USAGE_LONG_ADDRESSES "] " - "[-s start_time] [-S target_service] " - "[-k [-t keytab_file]] [-R] [-v] [-c cachename] [principal]\n", + USAGE_BREAK + "[-v] [-R] " + "[-k [-t keytab_file]] " + USAGE_BREAK + "[-c cachename] " + "[-S service_name] [principal]" + "\n\n", progname); - fprintf(stderr, -#ifdef KRB5_KRB4_COMPAT - "\t-4 Kerberos 4 only, -5 Kerberos 5 only, default is both\n" - "\toptions applicable to Kerberos 5 only:\n" + +#define DEFAULT_BOTH "(default is 
Kerberos 4 & 5)" +#define DEFAULT "(default)" +#define NOT_AVAILABLE "(not available)" + + if (have_k4 && have_k5) + { + k4_default = k5_default = DEFAULT_BOTH; + } + else if (have_k5) + { + k4_default = NOT_AVAILABLE; + k5_default = DEFAULT; + } + else if (have_k4) + { + k4_default = DEFAULT; + k5_default = NOT_AVAILABLE; + } + else + { + k4_default = k5_default = NOT_AVAILABLE; + } + +#define OPTTYPE_KRB5 "5" +#define OPTTYPE_KRB4 "4" +#define OPTTYPE_EITHER "Either 4 or 5" +#ifdef HAVE_KRB524 +#define OPTTYPE_BOTH "5, or both 5 and 4" +#else +#define OPTTYPE_BOTH "5" #endif - "\t\t-v validate\n" - "\t\t-c cache name\n" - "\t\t-f forwardable\n" - "\t\t-F not forwardable\n" - "\t\t-p proxiable\n" - "\t\t-P not proxiable\n" - "\t\t-A do not include addresses\n" - "\t\t-r renewable lifetime\n" - "\t\t-s start time\n" + #ifdef KRB5_KRB4_COMPAT - "\toptions potentially applicable to both:\n" +#define USAGE_OPT_FMT "%s%-50s%s\n" +#else +#define USAGE_OPT_FMT "%s%s\n" #endif - "\t\t-R renew\n" - "\t\t-l lifetime\n" - "\t\t-S service\n" - "\t\t-k use keytab" USAGE_K54_SRVTAB "\n" - "\t\t-t filename of keytab" USAGE_K54_SRVTAB " to use\n" - "\t\t-V verbose\n" - ); + +#define ULINE(indent, col1, col2) \ +fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2) + + ULINE(" ", "options:", "valid with Kerberos:"); + fprintf(stderr, "\t-5 Kerberos 5 only %s\n", k5_default); + fprintf(stderr, "\t-4 Kerberos 4 only %s\n", k4_default); + ULINE("\t", "-V verbose", OPTTYPE_EITHER); + ULINE("\t", "-l lifetime", OPTTYPE_EITHER); + ULINE("\t", "-s start time", OPTTYPE_KRB5); + ULINE("\t", "-r renewable lifetime", OPTTYPE_KRB5); + ULINE("\t", "-f forwardable", OPTTYPE_KRB5); + ULINE("\t", "-F not forwardable", OPTTYPE_KRB5); + ULINE("\t", "-p proxiable", OPTTYPE_KRB5); + ULINE("\t", "-P not proxiable", OPTTYPE_KRB5); + ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5); + ULINE("\t", "-v validate", OPTTYPE_KRB5); + ULINE("\t", "-R renew", OPTTYPE_BOTH); + ULINE("\t", "-k use keytab", 
OPTTYPE_BOTH); + ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH); + ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5); + /* This options is not yet available: */ + /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */ + ULINE("\t", "-S service", OPTTYPE_BOTH); exit(2); } char * parse_options(argc, argv, opts) int argc; - char **argv; - struct k_opts* opts; +char **argv; +struct k_opts* opts; { krb5_error_code code; int errflg = 0; int use_k4_only = 0; int use_k5_only = 0; + int old_got_k4 = got_k4; + int old_got_k5 = got_k5; int i; -#ifdef KRB5_KRB4_COMPAT -#define GETOPT_K54 "45" -#else -#define GETOPT_K54 "" -#endif - - while ((i = GETOPT(argc, argv, "r:fpFP" GETOPT_K54 "AVl:s:c:kt:RS:v")) + while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v")) != -1) { switch (i) { - case 'V': - opts->verbose = 1; - break; - case 'l': - /* Lifetime */ - code = krb5_string_to_deltat(optarg, &opts->lifetime); - if (code != 0 || opts->lifetime == 0) { - fprintf(stderr, "Bad lifetime value %s\n", optarg); - errflg++; - } - break; + case 'V': + opts->verbose = 1; + break; + case 'l': + /* Lifetime */ + code = krb5_string_to_deltat(optarg, &opts->lifetime); + if (code != 0 || opts->lifetime == 0) { + fprintf(stderr, "Bad lifetime value %s\n", optarg); + errflg++; + } + break; case 'r': - /* Renewable Time */ - code = krb5_string_to_deltat(optarg, &opts->rlife); - if (code != 0 || opts->rlife == 0) { - fprintf(stderr, "Bad lifetime value %s\n", optarg); - errflg++; - } - break; + /* Renewable Time */ + code = krb5_string_to_deltat(optarg, &opts->rlife); + if (code != 0 || opts->rlife == 0) { + fprintf(stderr, "Bad lifetime value %s\n", optarg); + errflg++; + } + break; case 'f': - opts->forwardable = 1; - break; - case 'F': - opts->not_forwardable = 1; - break; + opts->forwardable = 1; + break; + case 'F': + opts->not_forwardable = 1; + break; case 'p': - opts->proxiable = 1; - break; + opts->proxiable = 1; + break; case 'P': - opts->not_proxiable = 1; - 
break; + opts->not_proxiable = 1; + break; case 'a': /* Note: This is supported only with GETOPT_LONG */ opts->addresses = 1; @@ -297,21 +346,21 @@ parse_options(argc, argv, opts) } } break; - case 'S': - opts->service_name = optarg; + case 'S': + opts->service_name = optarg; break; - case 'k': - opts->action = INIT_KT; + case 'k': + opts->action = INIT_KT; + break; + case 't': + if (opts->keytab_name) + { + fprintf(stderr, "Only one -t option allowed.\n"); + errflg++; + } else { + opts->keytab_name = optarg; + } break; - case 't': - if (opts->keytab_name) - { - fprintf(stderr, "Only one -t option allowed.\n"); - errflg++; - } else { - opts->keytab_name = optarg; - } - break; case 'R': opts->action = RENEW; break; 
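Review bot: The K&R parameter block of the new `usage(have_k4, have_k5)` is indented inconsistently — `int have_k4;` is indented while `int have_k5;` sits at column 0 — whereas the rest of this commit (e.g. `parse_options`, `k5_begin`) deliberately moves such declarations to column 0; pick one form for the whole file. The comment above the disabled `-C` line also has a typo: `/* This option is not yet available: */`. The `parse_options` body that this hunk begins continues past the end of the hunk.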
@@ -319,32 +368,49 @@ parse_options(argc, argv, opts) opts->action = VALIDATE; break; case 'c': - if (opts->cache_name) - { - fprintf(stderr, "Only one -c option allowed\n"); - errflg++; - } else { - opts->cache_name = optarg; - } + if (opts->k5_cache_name) + { + fprintf(stderr, "Only one -c option allowed\n"); + errflg++; + } else { + opts->k5_cache_name = optarg; + } + break; +#if 0 + /* + A little more work is needed before we can enable this + option. + */ + case 'C': + if (opts->k4_cache_name) + { + fprintf(stderr, "Only one -C option allowed\n"); + errflg++; + } else { + opts->k4_cache_name = optarg; + } break; +#endif + case '4': + if (!got_k4) + { #ifdef KRB5_KRB4_COMPAT - case '4': - if (!got_k4) - { - fprintf(stderr, "Kerberos 4 support could not be loaded\n"); - exit(3); - } - use_k4_only = 1; - break; - case '5': - if (!got_k5) - { - fprintf(stderr, "Kerberos 5 support could not be loaded\n"); - exit(3); - } - use_k5_only = 1; - break; + fprintf(stderr, "Kerberos 4 support could not be loaded\n"); +#else + fprintf(stderr, "This kinit was not built with Kerberos 4 support\n"); #endif + exit(3); + } + use_k4_only = 1; + break; + case '5': + if (!got_k5) + { + fprintf(stderr, "Kerberos 5 support could not be loaded\n"); + exit(3); + } + use_k5_only = 1; + break; default: errflg++; break; 
@@ -353,23 +419,23 @@ parse_options(argc, argv, opts) if (use_k5_only && use_k4_only) { - fprintf(stderr, "Only one of -4 and -5 allowed\n"); - errflg++; + fprintf(stderr, "Only one of -4 and -5 allowed\n"); + errflg++; } if (opts->forwardable && opts->not_forwardable) { - fprintf(stderr, "Only one of -f and -F allowed\n"); - errflg++; + fprintf(stderr, "Only one of -f and -F allowed\n"); + errflg++; } if (opts->proxiable && opts->not_proxiable) { - fprintf(stderr, "Only one of -p and -P allowed\n"); - errflg++; + fprintf(stderr, "Only one of -p and -P allowed\n"); + errflg++; } if (opts->addresses && opts->no_addresses) { - fprintf(stderr, "Only one of -a and -A allowed\n"); - errflg++; + fprintf(stderr, "Only one of -a and -A allowed\n"); + errflg++; } if (argc - optind > 1) { 
@@ -378,15 +444,46 @@ parse_options(argc, argv, opts) errflg++; } - if (errflg) { - usage(); - } - - /* At this point, we know we only have one option selection */ + /* At this point, if errorless, we know we only have one option + selection */ if (use_k4_only) - got_k5 = 0; + got_k5 = 0; if (use_k5_only) - got_k4 = 0; + got_k4 = 0; + + /* Now, we encode the OPTTYPE stuff here... */ + if (!got_k5 && + (opts->starttime || opts->rlife || opts->forwardable || + opts->proxiable || opts->addresses || opts->not_forwardable || + opts->not_proxiable || opts->no_addresses || + (opts->action == VALIDATE) || opts->k5_cache_name)) + { + fprintf(stderr, "Specified option that requires Kerberos 5\n"); + errflg++; + } + if (!got_k4 && + opts->k4_cache_name) + { + fprintf(stderr, "Specified option that require Kerberos 4\n"); + errflg++; + } + if ( +#ifdef HAVE_KRB524 + !got_k5 +#else + got_k4 +#endif + && (opts->service_name || opts->keytab_name || + (opts->action == INIT_KT) || (opts->action == RENEW)) + ) + { + fprintf(stderr, "Specified option that requires Kerberos 5\n"); + errflg++; + } + + if (errflg) { + usage(old_got_k4, old_got_k5); + } opts->principal_name = (optind == argc-1) ? argv[optind] : 0; return opts->principal_name; 
@@ -395,82 +492,82 @@ parse_options(argc, argv, opts) int k5_begin(opts, k5, k4) struct k_opts* opts; - struct k5_data* k5; - struct k4_data* k4; +struct k5_data* k5; +struct k4_data* k4; { char* progname = progname_v5; krb5_error_code code = 0; if (!got_k5) - return 0; + return 0; if (code = krb5_init_context(&k5->ctx)) { - com_err(progname, code, "while initializing Kerberos 5 library"); - return 0; + com_err(progname, code, "while initializing Kerberos 5 library"); + return 0; } - if (opts->cache_name) + if (opts->k5_cache_name) { - code = krb5_cc_resolve(k5->ctx, opts->cache_name, &k5->cc); - if (code != 0) { - com_err(progname, code, "resolving ccache %s", - opts->cache_name); - return 0; - } + code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc); + if (code != 0) { + com_err(progname, code, "resolving ccache %s", + opts->k5_cache_name); + return 0; + } } else { - if ((code = krb5_cc_default(k5->ctx, &k5->cc))) { - com_err(progname, code, "while getting default ccache"); - return 0; - } + if ((code = krb5_cc_default(k5->ctx, &k5->cc))) { + com_err(progname, code, "while getting default ccache"); + return 0; + } } if (opts->principal_name) { - /* Use specified name */ - if ((code = krb5_parse_name(k5->ctx, opts->principal_name, - &k5->me))) { - com_err(progname, code, "when parsing name %s", - opts->principal_name); - return 0; - } + /* Use specified name */ + if ((code = krb5_parse_name(k5->ctx, opts->principal_name, + &k5->me))) { + com_err(progname, code, "when parsing name %s", + opts->principal_name); + return 0; + } } else { - /* No principal name specified */ - if (opts->action == INIT_KT) { - /* Use the default host/service name */ - if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL, + /* No principal name specified */ + if (opts->action == INIT_KT) { + /* Use the default host/service name */ + if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST, &k5->me)) { - com_err(progname, code, + com_err(progname, code, "when 
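Review bot: In the `#else` (no HAVE_KRB524) branch of the third new check, the test is `got_k4 && (...)`, so in a default KRB4_COMPAT run without `-5` (got_k4 and got_k5 both still set) `-k`, `-t`, `-S` or `-R` fail with "Specified option that requires Kerberos 5" even though Kerberos 5 is loaded; what the user actually needs is `-5`, so the message should say so: `fprintf(stderr, "Specified option that requires Kerberos 5 only; use -5\n");`. The second message has a grammar slip, `"Specified option that requires Kerberos 4\n"`, and that check cannot currently fire because the `-C` case that sets `k4_cache_name` is under `#if 0` in the previous hunk. The `parse_options` function ends after this hunk.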
creating default server principal name"); - return 0; - } - } else { - /* Get default principal from cache if one exists */ - if (code = krb5_cc_get_principal(k5->ctx, k5->cc, - &k5->me)) - { - char *name = get_name_from_os(); - if (!name) - { - fprintf(stderr, "Unable to identify user\n"); - return 0; - } - if ((code = krb5_parse_name(k5->ctx, name, - &k5->me))) - { - com_err(progname, code, "when parsing name %s", + return 0; + } + } else { + /* Get default principal from cache if one exists */ + if (code = krb5_cc_get_principal(k5->ctx, k5->cc, + &k5->me)) + { + char *name = get_name_from_os(); + if (!name) + { + fprintf(stderr, "Unable to identify user\n"); + return 0; + } + if ((code = krb5_parse_name(k5->ctx, name, + &k5->me))) + { + com_err(progname, code, "when parsing name %s", name); - return 0; - } - } - } + return 0; + } + } + } } if (code = krb5_unparse_name(k5->ctx, k5->me, &k5->name)) { - com_err(progname, code, "when unparsing name"); - return 0; + com_err(progname, code, "when unparsing name"); + return 0; } opts->principal_name = k5->name; 
@@ -495,97 +592,97 @@ k5_end(k5) struct k5_data* k5; { if (k5->name) - krb5_free_unparsed_name(k5->ctx, k5->name); + krb5_free_unparsed_name(k5->ctx, k5->name); if (k5->me) - krb5_free_principal(k5->ctx, k5->me); + krb5_free_principal(k5->ctx, k5->me); if (k5->cc) - krb5_cc_close(k5->ctx, k5->cc); + krb5_cc_close(k5->ctx, k5->cc); if (k5->ctx) - krb5_free_context(k5->ctx); + krb5_free_context(k5->ctx); memset(k5, 0, sizeof(*k5)); } int k4_begin(opts, k4) struct k_opts* opts; - struct k4_data* k4; +struct k4_data* k4; { char* progname = progname_v4; int k_errno = 0; if (!got_k4) - return 0; + return 0; #ifdef KRB5_KRB4_COMPAT if (k4->aname[0]) - goto skip; + goto skip; if (opts->principal_name) { - /* Use specified name */ - if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm, - opts->principal_name)) - { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - return 0; - } + /* Use specified name */ + if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm, + opts->principal_name)) + { + fprintf(stderr, "%s: %s\n", progname, + krb_get_err_text(k_errno)); + return 0; + } } else { - /* No principal name specified */ - if (opts->action == INIT_KT) { - /* Use the default host/service name */ - /* XXX - need to add this functionality */ - fprintf(stderr, "%s: Kerberos 4 srvtab support is not " - "implemented\n", progname); - return 0; - } else { - /* Get default principal from cache if one exists */ - if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname, - k4->inst, k4->realm)) - { - char *name = get_name_from_os(); - if (!name) - { - fprintf(stderr, "Unable to identify user\n"); - return 0; - } - if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm, - name)) - { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - return 0; - } - } - } + /* No principal name specified */ + if (opts->action == INIT_KT) { + /* Use the default host/service name */ + /* XXX - need to add this functionality */ + fprintf(stderr, "%s: Kerberos 
4 srvtab support is not " + "implemented\n", progname); + return 0; + } else { + /* Get default principal from cache if one exists */ + if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname, + k4->inst, k4->realm)) + { + char *name = get_name_from_os(); + if (!name) + { + fprintf(stderr, "Unable to identify user\n"); + return 0; + } + if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm, + name)) + { + fprintf(stderr, "%s: %s\n", progname, + krb_get_err_text(k_errno)); + return 0; + } + } + } } if (!k4->realm[0]) - krb_get_lrealm(k4->realm, 1); + krb_get_lrealm(k4->realm, 1); if (k4->inst[0]) - sprintf(k4->name, "%s.%s@%s", k4->aname, k4->inst, k4->realm); + sprintf(k4->name, "%s.%s@%s", k4->aname, k4->inst, k4->realm); else - sprintf(k4->name, "%s@%s", k4->aname, k4->realm); + sprintf(k4->name, "%s@%s", k4->aname, k4->realm); opts->principal_name = k4->name; skip: if (k4->aname[0] && !k_isname(k4->aname)) { fprintf(stderr, "%s: bad Kerberos 4 name format\n", progname); - return 0; + return 0; } if (k4->inst[0] && !k_isinst(k4->inst)) { - fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname); - return 0; + fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname); + return 0; } if (k4->realm[0] && !k_isrealm(k4->realm)) { - fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname); - return 0; + fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname); + return 0; } #endif /* KRB5_KRB4_COMPAT */ return 1; @@ -601,8 +698,8 @@ k4_end(k4) int k5_kinit(opts, k5, password) struct k_opts* opts; - struct k5_data* k5; - char* password; +struct k5_data* k5; +char* password; { char* progname = progname_v5; int notix = 1; @@ -612,7 +709,7 @@ k5_kinit(opts, k5, password) krb5_get_init_creds_opt options; if (!got_k5) - return 0; + return 0; krb5_get_init_creds_opt_init(&options); memset(&my_creds, 0, sizeof(my_creds)); 
@@ -639,8 +736,8 @@ k5_kinit(opts, k5, password) krb5_address **addresses = NULL; code = krb5_os_localaddr(k5->ctx, &addresses); if (code != 0) { - com_err(progname, code, "getting local addresses"); - goto cleanup; + com_err(progname, code, "getting local addresses"); + goto cleanup; } krb5_get_init_creds_opt_set_address_list(&options, addresses); krb5_free_addresses(k5->ctx, addresses); @@ -650,12 +747,12 @@ k5_kinit(opts, k5, password) if ((opts->action == INIT_KT) && opts->keytab_name) { - code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); - if (code != 0) { - com_err(progname, code, "resolving keytab %s", - opts->keytab_name); - goto cleanup; - } + code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); + if (code != 0) { + com_err(progname, code, "resolving keytab %s", + opts->keytab_name); + goto cleanup; + } } switch (opts->action) { 
@@ -684,56 +781,56 @@ k5_kinit(opts, k5, password) } if (code) { - char *doing = 0; - switch (opts->action) { - case INIT_PW: - case INIT_KT: - doing = "getting initial credentials"; - break; - case VALIDATE: - doing = "validating credentials"; - break; - case RENEW: - doing = "renewing credentials"; - break; - } + char *doing = 0; + switch (opts->action) { + case INIT_PW: + case INIT_KT: + doing = "getting initial credentials"; + break; + case VALIDATE: + doing = "validating credentials"; + break; + case RENEW: + doing = "renewing credentials"; + break; + } /* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should let the user know that maybe he/she wants -4. */ - if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4) - com_err(progname, code, "while %s\n" - "The KDC doesn't support v5. " - "You may want the -4 option in the future", - doing); - else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - fprintf(stderr, "%s: Password incorrect while %s\n", progname, - doing); + if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4) + com_err(progname, code, "while %s\n" + "The KDC doesn't support v5. " + "You may want the -4 option in the future", + doing); + else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) + fprintf(stderr, "%s: Password incorrect while %s\n", progname, + doing); else - com_err(progname, code, "while %s", doing); - goto cleanup; + com_err(progname, code, "while %s", doing); + goto cleanup; } if (!opts->lifetime) { /* We need to figure out what lifetime to use for Kerberos 4. 
*/ - opts->lifetime = my_creds.times.endtime - my_creds.times.authtime; + opts->lifetime = my_creds.times.endtime - my_creds.times.authtime; } if (code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me)) { - com_err(progname, code, "when initializing cache %s", - opts->cache_name?opts->cache_name:""); - goto cleanup; + com_err(progname, code, "when initializing cache %s", + opts->k5_cache_name?opts->k5_cache_name:""); + goto cleanup; } if (code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds)) { - com_err(progname, code, "while storing credentials"); - goto cleanup; + com_err(progname, code, "while storing credentials"); + goto cleanup; } notix = 0; cleanup: if (my_creds.client == k5->me) { - my_creds.client = 0; + my_creds.client = 0; } krb5_free_cred_contents(k5->ctx, &my_creds); if (keytab) @@ -744,17 +841,17 @@ k5_kinit(opts, k5, password) int k4_kinit(opts, k4, password) struct k_opts* opts; - struct k4_data* k4; - char* password; +struct k4_data* k4; +char* password; { char* progname = progname_v4; int k_errno = 0; if (!got_k4) - return 0; + return 0; if (opts->starttime) - return 0; + return 0; #ifdef KRB5_KRB4_COMPAT if (!k4->lifetime) 
@@ -764,33 +861,35 @@ k4_kinit(opts, k4, password) k4->lifetime /= (5 * 60); if (k4->lifetime < 1) - k4->lifetime = 1; + k4->lifetime = 1; if (k4->lifetime > 255) - k4->lifetime = 255; + k4->lifetime = 255; switch (opts->action) { case INIT_PW: - k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt", - k4->realm, k4->lifetime, password); - - if (k_errno) { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - if (authed_k5) - fprintf(stderr, "Maybe your KDC does not support v4. " - "Try the -5 option next time.\n"); - return 0; - } - return 1; + k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt", + k4->realm, k4->lifetime, password); + + if (k_errno) { +#ifndef HAVE_KRB524 + fprintf(stderr, "%s: %s\n", progname, + krb_get_err_text(k_errno)); + if (authed_k5) + fprintf(stderr, "Maybe your KDC does not support v4. " + "Try the -5 option next time.\n"); +#endif + return 0; + } + return 1; #ifndef HAVE_KRB524 case INIT_KT: - fprintf(stderr, "%s: srvtabs are not supported\n", progname); - return 0; + fprintf(stderr, "%s: srvtabs are not supported\n", progname); + return 0; case RENEW: - fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n", - progname); - return 0; + fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n", + progname); + return 0; #endif } #endif @@ -804,9 +903,9 @@ getvprogname(v) int len = strlen(progname) + 2 + strlen(v) + 2; char *ret = malloc(len); if (ret) - sprintf(ret, "%s(v%s)", progname, v); + sprintf(ret, "%s(v%s)", progname, v); else - ret = progname; + ret = progname; return ret; } 
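Review bot: The `#ifndef HAVE_KRB524` wrapper added in the INIT_PW case makes a failed `krb_get_pw_in_tkt` return 0 with no diagnostic at all in krb524 builds — both the `krb_get_err_text` line and the "Maybe your KDC does not support v4" hint are compiled out — so if whatever fallback runs afterwards (presumably the 524 conversion, not visible in this hunk) also fails, the user is left with only the exit status. At minimum keep the error text reachable, e.g. `#ifdef HAVE_KRB524` / `if (opts->verbose)` around the existing `fprintf(stderr, "%s: %s\n", progname, krb_get_err_text(k_errno));` so `-V` still explains why the v4 path was abandoned. The end of `k4_kinit` lies outside this hunk.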
@@ -879,13 +978,13 @@ int try_convert524(k5) } /* stash ticket, session key, etc. for future use */ if ((icode = krb_save_credentials(v4creds.service, - v4creds.instance, - v4creds.realm, - v4creds.session, - v4creds.lifetime, - v4creds.kvno, - &(v4creds.ticket_st), - v4creds.issue_date))) { + v4creds.instance, + v4creds.realm, + v4creds.session, + v4creds.lifetime, + v4creds.kvno, + &(v4creds.ticket_st), + v4creds.issue_date))) { com_err(progname, icode, "trying to save the V4 ticket"); goto cleanup; @@ -894,11 +993,11 @@ int try_convert524(k5) cleanup: memset(&v4creds, 0, sizeof(v4creds)); if (v5creds) - krb5_free_creds(k5->ctx, v5creds); + krb5_free_creds(k5->ctx, v5creds); increds.client = 0; krb5_free_cred_contents(k5->ctx, &increds); if (kpcserver) - krb5_free_principal(k5->ctx, kpcserver); + krb5_free_principal(k5->ctx, kpcserver); return !(code || icode); } #endif /* HAVE_KRB524 */ @@ -906,7 +1005,7 @@ int try_convert524(k5) int main(argc, argv) int argc; - char **argv; +char **argv; { struct k_opts opts; struct k5_data k5; @@ -920,12 +1019,16 @@ main(argc, argv) /* Ensure we can be driven from a pipe */ if(!isatty(fileno(stdin))) - setvbuf(stdin, 0, _IONBF, 0); + setvbuf(stdin, 0, _IONBF, 0); if(!isatty(fileno(stdout))) - setvbuf(stdout, 0, _IONBF, 0); + setvbuf(stdout, 0, _IONBF, 0); if(!isatty(fileno(stderr))) - setvbuf(stderr, 0, _IONBF, 0); + setvbuf(stderr, 0, _IONBF, 0); + /* + This is where we would put in code to dynamically load Kerberos + libraries. Currenlty, we just get them implicitly. + */ got_k5 = 1; #ifdef KRB5_KRB4_COMPAT got_k4 = 1; 
@@ -944,26 +1047,26 @@ main(argc, argv) if (opts.action == INIT_PW) { - char prompt[255]; - int pwsize = sizeof(password); - krb5_error_code code; - - sprintf(prompt, "Password for %s: ", opts.principal_name); - password[0] = 0; - /* - Note: krb5_read_password does not actually look at the - context, so we're ok even if we don't have a context. If - we cannot dynamically load krb5, we can substitute any - decent read password function instead of the krb5 one. - */ - code = krb5_read_password(k5.ctx, prompt, 0, password, &pwsize); - if (code || pwsize == 0) - { - fprintf(stderr, "Error while reading password for '%s'\n", - opts.principal_name); - memset(password, 0, sizeof(password)); - exit(1); - } + char prompt[255]; + int pwsize = sizeof(password); + krb5_error_code code; + + sprintf(prompt, "Password for %s: ", opts.principal_name); + password[0] = 0; + /* + Note: krb5_read_password does not actually look at the + context, so we're ok even if we don't have a context. If + we cannot dynamically load krb5, we can substitute any + decent read password function instead of the krb5 one. + */ + code = krb5_read_password(k5.ctx, prompt, 0, password, &pwsize); + if (code || pwsize == 0) + { + fprintf(stderr, "Error while reading password for '%s'\n", + opts.principal_name); + memset(password, 0, sizeof(password)); + exit(1); + } } authed_k5 = k5_kinit(&opts, &k5, password); @@ -976,14 +1079,14 @@ main(argc, argv) #endif if (authed_k5 && opts.verbose) - fprintf(stderr, "Authenticated to Kerberos v5\n"); + fprintf(stderr, "Authenticated to Kerberos v5\n"); if (authed_k4 && opts.verbose) - fprintf(stderr, "Authenticated to Kerberos v4\n"); + fprintf(stderr, "Authenticated to Kerberos v4\n"); k5_end(&k5); k4_end(&k4); if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4)) - exit(1); + exit(1); return 0; } |
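Review bot: Although this hunk only reindents, the lines it touches build the password prompt with `sprintf(prompt, "Password for %s: ", opts.principal_name)` into a fixed `char prompt[255]`, and `principal_name` comes either from argv or from `krb5_unparse_name` in `k5_begin`, so a long principal overruns the stack buffer; bound it: `snprintf(prompt, sizeof(prompt), "Password for %s: ", opts.principal_name);`. Separately, the error path clears the password with a plain `memset` right before `exit(1)`, which a compiler may elide because the buffer is dead afterwards; if the build has a non-optimizable clear available, prefer it, otherwise note the limitation in a comment. `main` continues beyond this hunk.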