/*
 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * 3. Neither the name of the Institute nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
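*/

#include "kuser_locl.h"
RCSID("$Id: kinit.c,v 1.90.4.4 2004/01/13 10:13:55 lha Exp $");

/*
 * Command-line state filled in by getarg() from the table below.
 *
 * The tri-state flags start at -1 ("not given on the command line") so
 * that a later lookup (krb5_get_init_creds_opt_set_default_flags, or
 * krb5_appdefault_boolean in main) can still supply the configured
 * default; 0/1 mean the user said so explicitly.
 */
int forwardable_flag = -1;
int proxiable_flag = -1;
int renewable_flag = -1;
int renew_flag = 0;
int validate_flag = 0;
int version_flag = 0;
int help_flag = 0;
int addrs_flag = 1;
struct getarg_strings extra_addresses;
/* NOTE(review): starts at 0, not -1, so the "!= -1" tests below always
 * apply it; harmless (sets "not anonymous") but not a real tri-state. */
int anonymous_flag = 0;
char *lifetime = NULL;
char *renew_life = NULL;
char *server = NULL;
char *cred_cache = NULL;
char *start_str = NULL;
struct getarg_strings etype_str;
int use_keytab = 0;
char *keytab_str = NULL;
int do_afslog = -1;
#ifdef KRB4
int get_v4_tgt = -1;
int convert_524;
#endif
int fcache_version;

/* Option table; the pointer in each entry is the global it writes. */
static struct getargs args[] = {
#ifdef KRB4
    { "524init", '4', arg_flag, &get_v4_tgt,
      "obtain version 4 TGT" },

    { "524convert", '9', arg_flag, &convert_524,
      "only convert ticket to version 4" },
#endif
    { "afslog", 0 , arg_flag, &do_afslog,
      "obtain afs tokens" },

    { "cache", 'c', arg_string, &cred_cache,
      "credentials cache", "cachename" },

    { "forwardable", 'f', arg_flag, &forwardable_flag,
      "get forwardable tickets"},

    { "keytab", 't', arg_string, &keytab_str,
      "keytab to use", "keytabname" },

    { "lifetime", 'l', arg_string, &lifetime,
      "lifetime of tickets", "time"},

    { "proxiable", 'p', arg_flag, &proxiable_flag,
      "get proxiable tickets" },

    { "renew", 'R', arg_flag, &renew_flag,
      "renew TGT" },

    { "renewable", 0, arg_flag, &renewable_flag,
      "get renewable tickets" },

    { "renewable-life", 'r', arg_string, &renew_life,
      "renewable lifetime of tickets", "time" },

    { "server", 'S', arg_string, &server,
      "server to get ticket for", "principal" },

    { "start-time", 's', arg_string, &start_str,
      "when ticket gets valid", "time" },

    { "use-keytab", 'k', arg_flag, &use_keytab,
      "get key from keytab" },

    { "validate", 'v', arg_flag, &validate_flag,
      "validate TGT" },

    { "enctypes", 'e', arg_strings, &etype_str,
      "encryption types to use", "enctypes" },

    { "fcache-version", 0, arg_integer, &fcache_version,
      "file cache version to create" },

    { "addresses", 0, arg_negative_flag, &addrs_flag,
      "request a ticket with no addresses" },

    { "extra-addresses",'a', arg_strings, &extra_addresses,
      "include these extra addresses", "addresses" },

    { "anonymous", 0, arg_flag, &anonymous_flag,
      "request an anonymous ticket" },

    { "version", 0, arg_flag, &version_flag },
    { "help", 0, arg_flag, &help_flag }
};

/*
 * Print the option summary and terminate with exit status `ret'.
 * Never returns.
 */
static void
usage (int ret)
{
    arg_printusage (args,
                    sizeof(args)/sizeof(*args),
                    NULL,
                    "[principal [command]]");
    exit (ret);
}

#ifdef KRB4
/* for when the KDC tells us it's a v4 one, we try to talk that */

/*
 * krb_get_in_tkt() key callback: the "key" is already known (read from
 * the srvtab in do_v4_fallback and passed as `arg'), so just copy it.
 * Always returns 0.
 */
static int
key_to_key(const char *user,
           char *instance,
           const char *realm,
           const void *arg,
           des_cblock *key)
{
    memcpy(key, arg, sizeof(des_cblock));
    return 0;
}

/*
 * Obtain a Kerberos 4 TGT for `principal' after the v5 exchange in
 * get_new_tickets() failed with a v4 reply or an unreachable KDC.
 *
 * `lifetime' is in seconds (0 means DEFAULT_TKT_LIFE) and is converted
 * to the v4 life unit with krb_time_to_life.  With `use_srvtab' or a
 * `srvtab_str' the key is read from the srvtab (KEYFILE by default)
 * and handed to krb_get_in_tkt through key_to_key; otherwise `passwd'
 * is used with krb_get_pw_in_tkt.  The local key copy is zeroed
 * afterwards.  When do_afslog is set and AFS is present, an AFS token
 * is also obtained.
 *
 * Returns 0 on success, 1 on any failure (a warning has been printed).
 */
static int
do_v4_fallback (krb5_context context,
                const krb5_principal principal,
                int lifetime,
                int use_srvtab, const char *srvtab_str,
                const char *passwd)
{
    int ret;
    krb_principal princ;
    des_cblock key;
    krb5_error_code kret;

    if (lifetime == 0)
        lifetime = DEFAULT_TKT_LIFE;
    else
        lifetime = krb_time_to_life (0, lifetime);

    kret = krb5_524_conv_principal (context, principal,
                                    princ.name,
                                    princ.instance,
                                    princ.realm);
    if (kret) {
        krb5_warn (context, kret, "krb5_524_conv_principal");
        return 1;
    }

    if (use_srvtab || srvtab_str) {
        if (srvtab_str == NULL)
            srvtab_str = KEYFILE;

        ret = read_service_key (princ.name, princ.instance, princ.realm,
                                0, srvtab_str, (char *)&key);
        if (ret) {
            warnx ("read_service_key %s: %s", srvtab_str,
                   krb_get_err_text (ret));
            return 1;
        }
        ret = krb_get_in_tkt (princ.name, princ.instance, princ.realm,
                              KRB_TICKET_GRANTING_TICKET, princ.realm,
                              lifetime, key_to_key, NULL, key);
    } else {
        ret = krb_get_pw_in_tkt(princ.name, princ.instance, princ.realm,
                                KRB_TICKET_GRANTING_TICKET, princ.realm,
                                lifetime, passwd);
    }
    /* NOTE(review): a plain memset of a dead buffer may be optimized
     * away; an explicit-zeroing primitive would be preferable if the
     * build environment provides one. */
    memset (key, 0, sizeof(key));
    if (ret) {
        warnx ("%s", krb_get_err_text(ret));
        return 1;
    }
    if (do_afslog && k_hasafs()) {
        /* KDC_PR_UNKNOWN just means there is no AFS cell to log into. */
        if ((ret = krb_afslog(NULL, NULL)) != 0 && ret != KDC_PR_UNKNOWN) {
            if(ret > 0)
                warnx ("%s", krb_get_err_text(ret));
            else
                warnx ("failed to store AFS token");
        }
    }
    return 0;
}


/*
 * the special version of get_default_principal that takes v4 into account
 */

/*
 * Pick the principal to use when none is given on the command line:
 * the principal of the default v5 cache if it has one, else the owner
 * of the v4 ticket file (converted with krb5_425_conv_principal), else
 * whatever krb5_get_default_principal comes up with.
 *
 * Returns 0 and sets *princ on success, or the last krb5 error.
 */
static krb5_error_code
kinit_get_default_principal (krb5_context context,
                             krb5_principal *princ)
{
    krb5_error_code ret;
    krb5_ccache id;
    krb_principal v4_princ;
    int kret;

    ret = krb5_cc_default (context, &id);
    if (ret == 0) {
        ret = krb5_cc_get_principal (context, id, princ);
        krb5_cc_close (context, id);
        if (ret == 0)
            return 0;
    }

    kret = krb_get_tf_fullname (tkt_string(),
                                v4_princ.name,
                                v4_princ.instance,
                                v4_princ.realm);
    if (kret == KSUCCESS) {
        ret = krb5_425_conv_principal (context,
                                       v4_princ.name,
                                       v4_princ.instance,
                                       v4_princ.realm,
                                       princ);
        if (ret == 0)
            return 0;
    }
    return krb5_get_default_principal (context, princ);
}

#else /* !KRB4 */

/*
 * Without Kerberos 4 support there is nothing special to consider;
 * defer to krb5_get_default_principal.
 */
static krb5_error_code
kinit_get_default_principal (krb5_context context,
                             krb5_principal *princ)
{
    return krb5_get_default_principal (context, princ);
}

#endif /* !KRB4 */

/*
 * Resolve the service principal a ticket is requested for.
 *
 * If `server' was given (-S) it is parsed as-is; otherwise the result
 * is the TGS principal krbtgt/<client realm>@<client realm>.  On
 * success *princ is owned by the caller.
 */
static krb5_error_code
get_server(krb5_context context,
           krb5_principal client,
           const char *server,
           krb5_principal *princ)
{
    krb5_realm *client_realm;
    if(server)
        return krb5_parse_name(context, server, princ);

    client_realm = krb5_princ_realm (context, client);
    return krb5_make_principal(context, princ, *client_realm,
                               KRB5_TGS_NAME, *client_realm, NULL);
}

#ifdef KRB4
/*
 * Convert a v5 credential into a v4 ticket and store it in the v4
 * ticket file.
 *
 * If `creds' is NULL, the credential for `server' (see get_server) is
 * fetched from `ccache' first and released again before returning.
 * The v4 CREDENTIALS block is zeroed before return.  Returns the
 * krb5 error of the lookup or the 524 conversion; a failure to write
 * the v4 ticket file is only warned about.
 */
static krb5_error_code
do_524init(krb5_context context, krb5_ccache ccache,
           krb5_creds *creds, const char *server)
{
    krb5_error_code ret;
    CREDENTIALS c;
    krb5_creds in_creds, *real_creds;

    if(creds != NULL)
        real_creds = creds;
    else {
        krb5_principal client;
        /* Previously unchecked: on failure `client' was used uninitialized. */
        ret = krb5_cc_get_principal(context, ccache, &client);
        if(ret)
            return ret;
        memset(&in_creds, 0, sizeof(in_creds));
        ret = get_server(context, client, server, &in_creds.server);
        if(ret) {
            krb5_free_principal(context, client);
            return ret;
        }
        in_creds.client = client;
        ret = krb5_get_credentials(context, 0, ccache, &in_creds, &real_creds);
        krb5_free_principal(context, client);
        krb5_free_principal(context, in_creds.server);
        if(ret)
            return ret;
    }
    ret = krb524_convert_creds_kdc_ccache(context, ccache, real_creds, &c);
    if(ret)
        krb5_warn(context, ret, "converting creds");
    else {
        int tret = tf_setup(&c, c.pname, c.pinst);
        if(tret)
            krb5_warnx(context, "saving v4 creds: %s", krb_get_err_text(tret));
    }

    if(creds == NULL)
        krb5_free_creds(context, real_creds);
    /* `c' holds v4 key material; clear it before it goes out of scope. */
    memset(&c, 0, sizeof(c));

    return ret;
}
#endif

/*
 * Handle `kinit -R' / `kinit -v': ask the KDC to renew and/or validate
 * the credential for `server' (default: the TGT) that is already in
 * `cache', then reinitialize the cache with the new credential.
 *
 * `life' (seconds, 0 = unspecified) becomes the requested end time.
 * For a plain renew-my-TGT request (server == NULL) the v4 ticket and
 * AFS token are refreshed as well when those options are on.
 *
 * Returns 0 on success or the krb5 error code of the failing step,
 * after warning about it.
 */
static int
renew_validate(krb5_context context,
               int renew,
               int validate,
               krb5_ccache cache,
               const char *server,
               krb5_deltat life)
{
    krb5_error_code ret;
    krb5_creds in, *out;
    krb5_kdc_flags flags;

    memset(&in, 0, sizeof(in));

    ret = krb5_cc_get_principal(context, cache, &in.client);
    if(ret) {
        krb5_warn(context, ret, "krb5_cc_get_principal");
        return ret;
    }
    ret = get_server(context, in.client, server, &in.server);
    if(ret) {
        krb5_warn(context, ret, "get_server");
        goto out;
    }
    flags.i = 0;
    flags.b.renewable = flags.b.renew = renew;
    flags.b.validate = validate;
    if (forwardable_flag != -1)
        flags.b.forwardable = forwardable_flag;
    if (proxiable_flag != -1)
        flags.b.proxiable = proxiable_flag;
    if (anonymous_flag != -1)
        flags.b.request_anonymous = anonymous_flag;
    if(life)
        in.times.endtime = time(NULL) + life;

    ret = krb5_get_kdc_cred(context,
                            cache,
                            flags,
                            NULL,
                            NULL,
                            &in,
                            &out);
    if(ret) {
        krb5_warn(context, ret, "krb5_get_kdc_cred");
        goto out;
    }
    ret = krb5_cc_initialize(context, cache, in.client);
    if(ret) {
        krb5_free_creds (context, out);
        krb5_warn(context, ret, "krb5_cc_initialize");
        goto out;
    }
    ret = krb5_cc_store_cred(context, cache, out);

    if(ret == 0 && server == NULL) {
#ifdef KRB4
        /* only do this if it's a general renew-my-tgt request */
        if(get_v4_tgt)
            do_524init(context, cache, out, NULL);
#endif
        if(do_afslog && k_hasafs())
            krb5_afslog(context, cache, NULL, NULL);
    }

    krb5_free_creds (context, out);
    if(ret) {
        krb5_warn(context, ret, "krb5_cc_store_cred");
        goto out;
    }
out:
    krb5_free_creds_contents(context, &in);
    return ret;
}

/*
 * Obtain an initial credential for `principal' and store it in `ccache'.
 *
 * The request is shaped by the globals set from the command line
 * (forwardable/proxiable/anonymous, address list, renewable life,
 * start time, enctype list) on top of the "kinit" defaults for the
 * realm.  The key comes either from a keytab (-k/-t) or from a
 * password read on the terminal.  `ticket_life' is in seconds (0 =
 * leave to the KDC).
 *
 * Most failures terminate the process via krb5_err/errx.  Returns 0
 * on success; under KRB4, after a v4 fallback, returns that
 * fallback's exit status (0 or 1) instead.
 */
static krb5_error_code
get_new_tickets(krb5_context context,
                krb5_principal principal,
                krb5_ccache ccache,
                krb5_deltat ticket_life)
{
    krb5_error_code ret;
    krb5_get_init_creds_opt opt;
    krb5_addresses no_addrs;
    krb5_creds cred;
    char passwd[256];
    krb5_deltat start_time = 0;
    krb5_deltat renew = 0;

    memset(&cred, 0, sizeof(cred));

    krb5_get_init_creds_opt_init (&opt);

    /* XXX: reaches into the principal struct instead of using an
     * accessor (krb5_principal_get_realm is used elsewhere in this file). */
    krb5_get_init_creds_opt_set_default_flags(context, "kinit",
                                              /* XXX */principal->realm, &opt);

    if(forwardable_flag != -1)
        krb5_get_init_creds_opt_set_forwardable (&opt, forwardable_flag);
    if(proxiable_flag != -1)
        krb5_get_init_creds_opt_set_proxiable (&opt, proxiable_flag);
    if(anonymous_flag != -1)
        krb5_get_init_creds_opt_set_anonymous (&opt, anonymous_flag);

    if (!addrs_flag) {
        /* --no-addresses: ask for an addressless ticket. */
        no_addrs.len = 0;
        no_addrs.val = NULL;

        krb5_get_init_creds_opt_set_address_list (&opt, &no_addrs);
    }

    /* --renewable without -r gets a fixed default renewable life. */
    if (renew_life == NULL && renewable_flag)
        renew_life = "1 month";
    if(renew_life) {
        renew = parse_time (renew_life, "s");
        if (renew < 0)
            errx (1, "unparsable time: %s", renew_life);

        krb5_get_init_creds_opt_set_renew_life (&opt, renew);
    }

    if(ticket_life != 0)
        krb5_get_init_creds_opt_set_tkt_life (&opt, ticket_life);

    if(start_str) {
        int tmp = parse_time (start_str, "s");
        if (tmp < 0)
            errx (1, "unparsable time: %s", start_str);

        start_time = tmp;
    }

    if(etype_str.num_strings) {
        krb5_enctype *enctype = NULL;
        int i;
        /* NOTE(review): `enctype' is referenced from `opt' and never
         * freed; it lives until process exit. */
        enctype = malloc(etype_str.num_strings * sizeof(*enctype));
        if(enctype == NULL)
            errx(1, "out of memory");
        for(i = 0; i < etype_str.num_strings; i++) {
            ret = krb5_string_to_enctype(context,
                                         etype_str.strings[i],
                                         &enctype[i]);
            if(ret)
                errx(1, "unrecognized enctype: %s", etype_str.strings[i]);
        }
        krb5_get_init_creds_opt_set_etype_list(&opt, enctype,
                                               etype_str.num_strings);
    }

    if(use_keytab || keytab_str) {
        krb5_keytab kt;
        if(keytab_str)
            ret = krb5_kt_resolve(context, keytab_str, &kt);
        else
            ret = krb5_kt_default(context, &kt);
        if (ret)
            krb5_err (context, 1, ret, "resolving keytab");
        ret = krb5_get_init_creds_keytab (context,
                                          &cred,
                                          principal,
                                          kt,
                                          start_time,
                                          server,
                                          &opt);
        krb5_kt_close(context, kt);
    } else {
        char *p, *prompt;

        /* Both calls were previously unchecked; a failure would have
         * left `p' / `prompt' indeterminate. */
        ret = krb5_unparse_name (context, principal, &p);
        if (ret)
            krb5_err (context, 1, ret, "krb5_unparse_name");
        if (asprintf (&prompt, "%s's Password: ", p) == -1)
            errx (1, "out of memory");
        free (p);

        /* sizeof - 1 leaves room for the terminating NUL. */
        if (des_read_pw_string(passwd, sizeof(passwd)-1, prompt, 0)){
            memset(passwd, 0, sizeof(passwd));
            exit(1);
        }

        free (prompt);

        ret = krb5_get_init_creds_password (context,
                                            &cred,
                                            principal,
                                            passwd,
                                            krb5_prompter_posix,
                                            NULL,
                                            start_time,
                                            server,
                                            &opt);
    }
#ifdef KRB4
    /*
     * A v4 reply, or an unreachable v5 KDC, triggers a Kerberos 4
     * attempt with the same password/keytab.  Note this is a protocol
     * downgrade: it is only as strong as the v4 (DES) exchange.
     */
    if (ret == KRB5KRB_AP_ERR_V4_REPLY || ret == KRB5_KDC_UNREACH) {
        int exit_val;

        exit_val = do_v4_fallback (context, principal, ticket_life,
                                   use_keytab, keytab_str, passwd);
        /* The v4 path has already done its own 524/afslog work. */
        get_v4_tgt = 0;
        do_afslog = 0;
        memset(passwd, 0, sizeof(passwd));
        if (exit_val == 0 || ret == KRB5KRB_AP_ERR_V4_REPLY)
            return exit_val;
    }
#endif
    /* NOTE(review): plain memset of a dead buffer may be optimized
     * away; see the same remark in do_v4_fallback. */
    memset(passwd, 0, sizeof(passwd));

    switch(ret){
    case 0:
        break;
    case KRB5_LIBOS_PWDINTR: /* don't print anything if it was just C-c:ed */
        exit(1);
    case KRB5KRB_AP_ERR_BAD_INTEGRITY:
    case KRB5KRB_AP_ERR_MODIFIED:
        krb5_errx(context, 1, "Password incorrect");
        break;
    default:
        krb5_err(context, 1, ret, "krb5_get_init_creds");
    }

    /* Tell the user when the KDC granted a noticeably different
     * lifetime than requested (30 s of slack for clock/rounding). */
    if(ticket_life != 0) {
        if(abs(cred.times.endtime - cred.times.starttime - ticket_life) > 30) {
            char life[32];
            unparse_time(cred.times.endtime - cred.times.starttime,
                         life, sizeof(life));
            krb5_warnx(context, "NOTICE: ticket lifetime is %s", life);
        }
    }
    if(renew != 0) {
        if(abs(cred.times.renew_till - cred.times.starttime - renew) > 30) {
            char life[32];
            unparse_time(cred.times.renew_till - cred.times.starttime,
                         life, sizeof(life));
            krb5_warnx(context, "NOTICE: ticket renewable lifetime is %s",
                       life);
        }
    }

    ret = krb5_cc_initialize (context, ccache, cred.client);
    if (ret)
        krb5_err (context, 1, ret, "krb5_cc_initialize");

    ret = krb5_cc_store_cred (context, ccache, &cred);
    if (ret)
        krb5_err (context, 1, ret, "krb5_cc_store_cred");

    krb5_free_creds_contents (context, &cred);

    return 0;
}

/*
 * kinit [options] [principal [command ...]]
 *
 * Parses options, picks the principal and credentials cache, then
 * either renews/validates (-R/-v) or acquires new tickets.  When a
 * command is given, a fresh file cache (and under KRB4 a fresh v4
 * ticket file / PAG) is created, exported through KRB5CCNAME (and
 * KRBTKFILE), the command is run, and the caches are destroyed
 * afterwards; the command's status is returned.
 */
int
main (int argc, char **argv)
{
    krb5_error_code ret;
    krb5_context context;
    krb5_ccache ccache;
    krb5_principal principal;
    int optidx = 0;  /* renamed: the old name shadowed libc's optind */
    krb5_deltat ticket_life = 0;

    setprogname (argv[0]);

    ret = krb5_init_context (&context);
    if (ret)
        errx(1, "krb5_init_context failed: %d", ret);

    if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
        usage(1);

    if (help_flag)
        usage (0);

    if(version_flag) {
        print_version(NULL);
        exit(0);
    }

    argc -= optidx;
    argv += optidx;

    if (argv[0]) {
        ret = krb5_parse_name (context, argv[0], &principal);
        if (ret)
            krb5_err (context, 1, ret, "krb5_parse_name");
    } else {
        ret = kinit_get_default_principal (context, &principal);
        if (ret)
            krb5_err (context, 1, ret, "krb5_get_default_principal");
    }

    if(fcache_version)
        krb5_set_fcache_version(context, fcache_version);

    if(cred_cache)
        ret = krb5_cc_resolve(context, cred_cache, &ccache);
    else {
        if(argc > 1) {
            /* A command follows: give it a private cache of its own. */
            char s[1024];
            ret = krb5_cc_gen_new(context, &krb5_fcc_ops, &ccache);
            if(ret)
                krb5_err(context, 1, ret, "creating cred cache");
            snprintf(s, sizeof(s), "%s:%s",
                     krb5_cc_get_type(context, ccache),
                     krb5_cc_get_name(context, ccache));
            setenv("KRB5CCNAME", s, 1);
#ifdef KRB4
            {
                int fd;
                snprintf(s, sizeof(s), "%s_XXXXXX", TKT_ROOT);
                /* mkstemp creates the file atomically; only the name is
                 * needed, so the descriptor is closed right away. */
                if((fd = mkstemp(s)) >= 0) {
                    close(fd);
                    setenv("KRBTKFILE", s, 1);
                    if (k_hasafs ())
                        k_setpag();
                }
            }
#endif
        } else
            ret = krb5_cc_default (context, &ccache);
    }
    if (ret)
        krb5_err (context, 1, ret, "resolving credentials cache");

    if (lifetime) {
        int tmp = parse_time (lifetime, "s");
        if (tmp < 0)
            errx (1, "unparsable time: %s", lifetime);

        ticket_life = tmp;
    }
#ifdef KRB4
    /* Not given on the command line: consult [appdefaults] for the realm. */
    if(get_v4_tgt == -1)
        krb5_appdefault_boolean(context, "kinit",
                                krb5_principal_get_realm(context, principal),
                                "krb4_get_tickets", TRUE, &get_v4_tgt);
#endif
    if(do_afslog == -1)
        krb5_appdefault_boolean(context, "kinit",
                                krb5_principal_get_realm(context, principal),
                                "afslog", TRUE, &do_afslog);

    if(!addrs_flag && extra_addresses.num_strings > 0)
        krb5_errx(context, 1, "specifying both extra addresses and "
                  "no addresses makes no sense");
    {
        /* Register each -a address with the context; unparsable ones
         * are silently skipped (parse failure leaves `addresses' empty). */
        int i;
        krb5_addresses addresses;
        memset(&addresses, 0, sizeof(addresses));
        for(i = 0; i < extra_addresses.num_strings; i++) {
            ret = krb5_parse_address(context, extra_addresses.strings[i],
                                     &addresses);
            if (ret == 0) {
                krb5_add_extra_addresses(context, &addresses);
                krb5_free_addresses(context, &addresses);
            }
        }
        free_getarg_strings(&extra_addresses);
    }


    if(renew_flag || validate_flag) {
        ret = renew_validate(context, renew_flag, validate_flag,
                             ccache, server, ticket_life);
        exit(ret != 0);
    }

#ifdef KRB4
    if(!convert_524)
#endif
    {
        /* Previously the result was dropped, so a failed v4 fallback
         * still ran the command and exited 0 with no credentials. */
        ret = get_new_tickets(context, principal, ccache, ticket_life);
        if (ret)
            exit (1);
    }

#ifdef KRB4
    if(get_v4_tgt)
        do_524init(context, ccache, NULL, server);
#endif
    if(do_afslog && k_hasafs())
        krb5_afslog(context, ccache, NULL, NULL);
    if(argc > 1) {
        /* Run the command with the fresh credentials, then tear them down. */
        ret = simple_execvp(argv[1], argv+1);
        krb5_cc_destroy(context, ccache);
#ifdef KRB4
        dest_tkt();
#endif
        if(k_hasafs())
            k_unlog();
    } else {
        krb5_cc_close (context, ccache);
        ret = 0;
    }
    krb5_free_principal(context, principal);
    krb5_free_context (context);
    return ret;
}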