* kinit.c (krb5_validate_tgt): new function, takes a credential cache with an

tgt with the "invalid flag" set, and asks the kdc to validate it. Wipes cache
and stores only the newly validated credential. (After all, there won't be any
others, because the invalid krbtgt couldn't have gotten them.) Most of the code
is taken from krb5_mk_req, since it did the right thing.
(main): add -v option, validates the ticket already in the selected cache.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7894 dc483132-0cff-0310-8789-dd5450dbe970

diff --git a/src/clients/kinit/ChangeLog b/src/clients/kinit/ChangeLog
index b4e064f3d1d1dadf3e1085bcb50e7b51fa75048b..85330fb88869579bad26c205601f60b01c31e793 100644 (file)
--- a/src/clients/kinit/ChangeLog
+++ b/src/clients/kinit/ChangeLog
@@ -1,3 +1,14 @@
+Fri May  3 00:28:10 1996  Mark Eichin  <eichin@cygnus.com>
+
+       * kinit.c (krb5_validate_tgt): new function, takes a credential
+       cache with an tgt with the "invalid flag" set, and asks the kdc to
+       validate it. Wipes cache and stores only the newly validated
+       credential. (After all, there won't be any others, because the
+       invalid krbtgt couldn't have gotten them.) Most of the code is
+       taken from krb5_mk_req, since it did the right thing.
+       (main): add -v option, validates the ticket already in the
+       selected cache.
+
 Wed May  1 02:37:17 1996  Mark Eichin  <eichin@cygnus.com>
 
        * kinit.c (main): add -s starttime option. Have it accept a delta

diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 6c24adfd17653cbc5b82fda8d694ce43c335a411..bb2109e0bf5677eef8b4adbbc90401731da36c6d 100644 (file)
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -90,7 +90,7 @@ main(argc, argv)
     if (strrchr(argv[0], '/'))
        argv[0] = strrchr(argv[0], '/')+1;
 
-    while ((option = getopt(argc, argv, "r:fpl:s:c:kt:")) != EOF) {
+    while ((option = getopt(argc, argv, "r:fpl:s:c:kt:v")) != EOF) {
        switch (option) {
        case 'r':
            options |= KDC_OPT_RENEWABLE;
@@ -100,6 +100,10 @@ main(argc, argv)
                errflg++;
            }
            break;
+       case 'v':
+           /* validate the ticket */
+           options |= KDC_OPT_VALIDATE;
+           break;
        case 'p':
            options |= KDC_OPT_PROXIABLE;
            break;
@@ -268,6 +272,18 @@ main(argc, argv)
     } else
        my_creds.times.renew_till = 0;
 
+    if (options & KDC_OPT_VALIDATE) {
+        /* don't use get_in_tkt, just use mk_req... */
+        krb5_data outbuf;
+
+        code = krb5_validate_tgt(kcontext, ccache, server, &outbuf);
+       if (code) {
+         com_err (argv[0], code, "validating tgt");
+         exit(1);
+       }
+       /* should be done... */
+       exit(0);
+    }
 #ifndef NO_KEYTAB
     if (!use_keytab)
 #endif
@@ -324,3 +340,39 @@ main(argc, argv)
     
     exit(0);
 }
+
+/* stripped down version of krb5_mk_req */
+krb5_error_code krb5_validate_tgt(context, ccache, server, outbuf)
+     krb5_context context;
+     krb5_ccache ccache;
+     krb5_principal      server; /* tgtname */
+     krb5_data *outbuf;
+{
+    krb5_auth_context   * auth_context = 0;
+    const krb5_flags      ap_req_options;
+    krb5_data           * in_data;
+
+    krb5_error_code      retval;
+    krb5_creds                 * credsp;
+    krb5_creds                   creds;
+
+    /* obtain ticket & session key */
+    memset((char *)&creds, 0, sizeof(creds));
+    if ((retval = krb5_copy_principal(context, server, &creds.server)))
+       goto cleanup;
+
+    if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
+       goto cleanup_creds;
+
+    if ((retval = krb5_get_credentials_validate(context, 0,
+                                               ccache, &creds, &credsp)))
+       goto cleanup_creds;
+
+    /* we don't actually need to do the mk_req, just get the creds. */
+cleanup_creds:
+    krb5_free_cred_contents(context, &creds);
+
+cleanup:
+
+    return retval;
+}