#ifndef _WIN32
#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
#else
-#define GET_PROGNAME(x) (max(strrchr((x), '/'), strrchr((x), '\\')) + 1, (x))
+#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
#endif
#ifdef HAVE_PWD_H
char* principal_name;
char* service_name;
char* keytab_name;
- char* cache_name;
+ char* k5_cache_name;
+ char* k4_cache_name;
action_type action;
};
};
#define GETOPT(argc, argv, str) getopt_long(argc, argv, str, long_options, 0)
-#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
-#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
-#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
#else
#define GETOPT(argc, argv, str) getopt(argc, argv, str)
-#define USAGE_LONG_FORWARDABLE ""
-#define USAGE_LONG_PROXIABLE ""
-#define USAGE_LONG_ADDRESSES ""
#endif
void
-usage()
+usage(have_k4, have_k5)
+ int have_k4;
+int have_k5;
{
-#ifdef KRB5_KRB4_COMPAT
-#define USAGE_K54_OPT "[-4] [-5] "
-#define USAGE_K54_SRVTAB "/srvtab"
+ char* k4_default = 0;
+ char* k5_default = 0;
+
+#define USAGE_BREAK "\n\t"
+
+#ifdef GETOPT_LONG
+#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
+#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
+#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_BREAK_LONG USAGE_BREAK
#else
-#define USAGE_K54_OPT ""
-#define USAGE_K54_SRVTAB ""
+#define USAGE_LONG_FORWARDABLE ""
+#define USAGE_LONG_PROXIABLE ""
+#define USAGE_LONG_ADDRESSES ""
+#define USAGE_BREAK_LONG ""
#endif
- fprintf(stderr, "Usage: %s [-V] " USAGE_K54_OPT
- "[-l lifetime] [-r renewable_life] "
+ fprintf(stderr, "Usage: %s [-5] [-4] [-V] "
+ "[-l lifetime] [-s start_time] "
+ USAGE_BREAK
+ "[-r renewable_life] "
"[-f | -F" USAGE_LONG_FORWARDABLE "] "
+ USAGE_BREAK_LONG
"[-p | -P" USAGE_LONG_PROXIABLE "] "
+ USAGE_BREAK_LONG
"[-A" USAGE_LONG_ADDRESSES "] "
- "[-s start_time] [-S target_service] "
- "[-k [-t keytab_file]] [-R] [-v] [-c cachename] [principal]\n",
+ USAGE_BREAK
+ "[-v] [-R] "
+ "[-k [-t keytab_file]] "
+ USAGE_BREAK
+ "[-c cachename] "
+ "[-S service_name] [principal]"
+ "\n\n",
progname);
- fprintf(stderr,
-#ifdef KRB5_KRB4_COMPAT
- "\t-4 Kerberos 4 only, -5 Kerberos 5 only, default is both\n"
- "\toptions applicable to Kerberos 5 only:\n"
+
+#define DEFAULT_BOTH "(default is Kerberos 4 & 5)"
+#define DEFAULT "(default)"
+#define NOT_AVAILABLE "(not available)"
+
+ if (have_k4 && have_k5)
+ {
+ k4_default = k5_default = DEFAULT_BOTH;
+ }
+ else if (have_k5)
+ {
+ k4_default = NOT_AVAILABLE;
+ k5_default = DEFAULT;
+ }
+ else if (have_k4)
+ {
+ k4_default = DEFAULT;
+ k5_default = NOT_AVAILABLE;
+ }
+ else
+ {
+ k4_default = k5_default = NOT_AVAILABLE;
+ }
+
+#define OPTTYPE_KRB5 "5"
+#define OPTTYPE_KRB4 "4"
+#define OPTTYPE_EITHER "Either 4 or 5"
+#ifdef HAVE_KRB524
+#define OPTTYPE_BOTH "5, or both 5 and 4"
+#else
+#define OPTTYPE_BOTH "5"
#endif
- "\t\t-v validate\n"
- "\t\t-c cache name\n"
- "\t\t-f forwardable\n"
- "\t\t-F not forwardable\n"
- "\t\t-p proxiable\n"
- "\t\t-P not proxiable\n"
- "\t\t-A do not include addresses\n"
- "\t\t-r renewable lifetime\n"
- "\t\t-s start time\n"
+
#ifdef KRB5_KRB4_COMPAT
- "\toptions potentially applicable to both:\n"
+#define USAGE_OPT_FMT "%s%-50s%s\n"
+#else
+#define USAGE_OPT_FMT "%s%s\n"
#endif
- "\t\t-R renew\n"
- "\t\t-l lifetime\n"
- "\t\t-S service\n"
- "\t\t-k use keytab" USAGE_K54_SRVTAB "\n"
- "\t\t-t filename of keytab" USAGE_K54_SRVTAB " to use\n"
- "\t\t-V verbose\n"
- );
+
+#define ULINE(indent, col1, col2) \
+fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
+
+ ULINE(" ", "options:", "valid with Kerberos:");
+ fprintf(stderr, "\t-5 Kerberos 5 only %s\n", k5_default);
+ fprintf(stderr, "\t-4 Kerberos 4 only %s\n", k4_default);
+ ULINE("\t", "-V verbose", OPTTYPE_EITHER);
+ ULINE("\t", "-l lifetime", OPTTYPE_EITHER);
+ ULINE("\t", "-s start time", OPTTYPE_KRB5);
+ ULINE("\t", "-r renewable lifetime", OPTTYPE_KRB5);
+ ULINE("\t", "-f forwardable", OPTTYPE_KRB5);
+ ULINE("\t", "-F not forwardable", OPTTYPE_KRB5);
+ ULINE("\t", "-p proxiable", OPTTYPE_KRB5);
+ ULINE("\t", "-P not proxiable", OPTTYPE_KRB5);
+ ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5);
+ ULINE("\t", "-v validate", OPTTYPE_KRB5);
+ ULINE("\t", "-R renew", OPTTYPE_BOTH);
+ ULINE("\t", "-k use keytab", OPTTYPE_BOTH);
+ ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH);
+ ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5);
+ /* This options is not yet available: */
+ /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */
+ ULINE("\t", "-S service", OPTTYPE_BOTH);
exit(2);
}
char *
parse_options(argc, argv, opts)
int argc;
- char **argv;
- struct k_opts* opts;
+char **argv;
+struct k_opts* opts;
{
krb5_error_code code;
int errflg = 0;
int use_k4_only = 0;
int use_k5_only = 0;
+ int old_got_k4 = got_k4;
+ int old_got_k5 = got_k5;
int i;
-#ifdef KRB5_KRB4_COMPAT
-#define GETOPT_K54 "45"
-#else
-#define GETOPT_K54 ""
-#endif
-
- while ((i = GETOPT(argc, argv, "r:fpFP" GETOPT_K54 "AVl:s:c:kt:RS:v"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v"))
!= -1) {
switch (i) {
- case 'V':
- opts->verbose = 1;
- break;
- case 'l':
- /* Lifetime */
- code = krb5_string_to_deltat(optarg, &opts->lifetime);
- if (code != 0 || opts->lifetime == 0) {
- fprintf(stderr, "Bad lifetime value %s\n", optarg);
- errflg++;
- }
- break;
+ case 'V':
+ opts->verbose = 1;
+ break;
+ case 'l':
+ /* Lifetime */
+ code = krb5_string_to_deltat(optarg, &opts->lifetime);
+ if (code != 0 || opts->lifetime == 0) {
+ fprintf(stderr, "Bad lifetime value %s\n", optarg);
+ errflg++;
+ }
+ break;
case 'r':
- /* Renewable Time */
- code = krb5_string_to_deltat(optarg, &opts->rlife);
- if (code != 0 || opts->rlife == 0) {
- fprintf(stderr, "Bad lifetime value %s\n", optarg);
- errflg++;
- }
- break;
+ /* Renewable Time */
+ code = krb5_string_to_deltat(optarg, &opts->rlife);
+ if (code != 0 || opts->rlife == 0) {
+ fprintf(stderr, "Bad lifetime value %s\n", optarg);
+ errflg++;
+ }
+ break;
case 'f':
- opts->forwardable = 1;
- break;
- case 'F':
- opts->not_forwardable = 1;
- break;
+ opts->forwardable = 1;
+ break;
+ case 'F':
+ opts->not_forwardable = 1;
+ break;
case 'p':
- opts->proxiable = 1;
- break;
+ opts->proxiable = 1;
+ break;
case 'P':
- opts->not_proxiable = 1;
- break;
+ opts->not_proxiable = 1;
+ break;
case 'a':
/* Note: This is supported only with GETOPT_LONG */
opts->addresses = 1;
}
}
break;
- case 'S':
- opts->service_name = optarg;
+ case 'S':
+ opts->service_name = optarg;
break;
- case 'k':
- opts->action = INIT_KT;
+ case 'k':
+ opts->action = INIT_KT;
+ break;
+ case 't':
+ if (opts->keytab_name)
+ {
+ fprintf(stderr, "Only one -t option allowed.\n");
+ errflg++;
+ } else {
+ opts->keytab_name = optarg;
+ }
break;
- case 't':
- if (opts->keytab_name)
- {
- fprintf(stderr, "Only one -t option allowed.\n");
- errflg++;
- } else {
- opts->keytab_name = optarg;
- }
- break;
case 'R':
opts->action = RENEW;
break;
opts->action = VALIDATE;
break;
case 'c':
- if (opts->cache_name)
- {
- fprintf(stderr, "Only one -c option allowed\n");
- errflg++;
- } else {
- opts->cache_name = optarg;
- }
+ if (opts->k5_cache_name)
+ {
+ fprintf(stderr, "Only one -c option allowed\n");
+ errflg++;
+ } else {
+ opts->k5_cache_name = optarg;
+ }
+ break;
+#if 0
+ /*
+ A little more work is needed before we can enable this
+ option.
+ */
+ case 'C':
+ if (opts->k4_cache_name)
+ {
+ fprintf(stderr, "Only one -C option allowed\n");
+ errflg++;
+ } else {
+ opts->k4_cache_name = optarg;
+ }
break;
+#endif
+ case '4':
+ if (!got_k4)
+ {
#ifdef KRB5_KRB4_COMPAT
- case '4':
- if (!got_k4)
- {
- fprintf(stderr, "Kerberos 4 support could not be loaded\n");
- exit(3);
- }
- use_k4_only = 1;
- break;
- case '5':
- if (!got_k5)
- {
- fprintf(stderr, "Kerberos 5 support could not be loaded\n");
- exit(3);
- }
- use_k5_only = 1;
- break;
+ fprintf(stderr, "Kerberos 4 support could not be loaded\n");
+#else
+ fprintf(stderr, "This kinit was not built with Kerberos 4 support\n");
#endif
+ exit(3);
+ }
+ use_k4_only = 1;
+ break;
+ case '5':
+ if (!got_k5)
+ {
+ fprintf(stderr, "Kerberos 5 support could not be loaded\n");
+ exit(3);
+ }
+ use_k5_only = 1;
+ break;
default:
errflg++;
break;
if (use_k5_only && use_k4_only)
{
- fprintf(stderr, "Only one of -4 and -5 allowed\n");
- errflg++;
+ fprintf(stderr, "Only one of -4 and -5 allowed\n");
+ errflg++;
}
if (opts->forwardable && opts->not_forwardable)
{
- fprintf(stderr, "Only one of -f and -F allowed\n");
- errflg++;
+ fprintf(stderr, "Only one of -f and -F allowed\n");
+ errflg++;
}
if (opts->proxiable && opts->not_proxiable)
{
- fprintf(stderr, "Only one of -p and -P allowed\n");
- errflg++;
+ fprintf(stderr, "Only one of -p and -P allowed\n");
+ errflg++;
}
if (opts->addresses && opts->no_addresses)
{
- fprintf(stderr, "Only one of -a and -A allowed\n");
- errflg++;
+ fprintf(stderr, "Only one of -a and -A allowed\n");
+ errflg++;
}
if (argc - optind > 1) {
errflg++;
}
- if (errflg) {
- usage();
- }
-
- /* At this point, we know we only have one option selection */
+ /* At this point, if errorless, we know we only have one option
+ selection */
if (use_k4_only)
- got_k5 = 0;
+ got_k5 = 0;
if (use_k5_only)
- got_k4 = 0;
+ got_k4 = 0;
+
+ /* Now, we encode the OPTTYPE stuff here... */
+ if (!got_k5 &&
+ (opts->starttime || opts->rlife || opts->forwardable ||
+ opts->proxiable || opts->addresses || opts->not_forwardable ||
+ opts->not_proxiable || opts->no_addresses ||
+ (opts->action == VALIDATE) || opts->k5_cache_name))
+ {
+ fprintf(stderr, "Specified option that requires Kerberos 5\n");
+ errflg++;
+ }
+ if (!got_k4 &&
+ opts->k4_cache_name)
+ {
+ fprintf(stderr, "Specified option that require Kerberos 4\n");
+ errflg++;
+ }
+ if (
+#ifdef HAVE_KRB524
+ !got_k5
+#else
+ got_k4
+#endif
+ && (opts->service_name || opts->keytab_name ||
+ (opts->action == INIT_KT) || (opts->action == RENEW))
+ )
+ {
+ fprintf(stderr, "Specified option that requires Kerberos 5\n");
+ errflg++;
+ }
+
+ if (errflg) {
+ usage(old_got_k4, old_got_k5);
+ }
opts->principal_name = (optind == argc-1) ? argv[optind] : 0;
return opts->principal_name;
int
k5_begin(opts, k5, k4)
struct k_opts* opts;
- struct k5_data* k5;
- struct k4_data* k4;
+struct k5_data* k5;
+struct k4_data* k4;
{
char* progname = progname_v5;
krb5_error_code code = 0;
if (!got_k5)
- return 0;
+ return 0;
if (code = krb5_init_context(&k5->ctx)) {
- com_err(progname, code, "while initializing Kerberos 5 library");
- return 0;
+ com_err(progname, code, "while initializing Kerberos 5 library");
+ return 0;
}
- if (opts->cache_name)
+ if (opts->k5_cache_name)
{
- code = krb5_cc_resolve(k5->ctx, opts->cache_name, &k5->cc);
- if (code != 0) {
- com_err(progname, code, "resolving ccache %s",
- opts->cache_name);
- return 0;
- }
+ code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc);
+ if (code != 0) {
+ com_err(progname, code, "resolving ccache %s",
+ opts->k5_cache_name);
+ return 0;
+ }
}
else
{
- if ((code = krb5_cc_default(k5->ctx, &k5->cc))) {
- com_err(progname, code, "while getting default ccache");
- return 0;
- }
+ if ((code = krb5_cc_default(k5->ctx, &k5->cc))) {
+ com_err(progname, code, "while getting default ccache");
+ return 0;
+ }
}
if (opts->principal_name)
{
- /* Use specified name */
- if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
- &k5->me))) {
- com_err(progname, code, "when parsing name %s",
- opts->principal_name);
- return 0;
- }
+ /* Use specified name */
+ if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
+ &k5->me))) {
+ com_err(progname, code, "when parsing name %s",
+ opts->principal_name);
+ return 0;
+ }
}
else
{
- /* No principal name specified */
- if (opts->action == INIT_KT) {
- /* Use the default host/service name */
- if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
+ /* No principal name specified */
+ if (opts->action == INIT_KT) {
+ /* Use the default host/service name */
+ if (code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
KRB5_NT_SRV_HST, &k5->me)) {
- com_err(progname, code,
+ com_err(progname, code,
"when creating default server principal name");
- return 0;
- }
- } else {
- /* Get default principal from cache if one exists */
- if (code = krb5_cc_get_principal(k5->ctx, k5->cc,
- &k5->me))
- {
- char *name = get_name_from_os();
- if (!name)
- {
- fprintf(stderr, "Unable to identify user\n");
- return 0;
- }
- if ((code = krb5_parse_name(k5->ctx, name,
- &k5->me)))
- {
- com_err(progname, code, "when parsing name %s",
+ return 0;
+ }
+ } else {
+ /* Get default principal from cache if one exists */
+ if (code = krb5_cc_get_principal(k5->ctx, k5->cc,
+ &k5->me))
+ {
+ char *name = get_name_from_os();
+ if (!name)
+ {
+ fprintf(stderr, "Unable to identify user\n");
+ return 0;
+ }
+ if ((code = krb5_parse_name(k5->ctx, name,
+ &k5->me)))
+ {
+ com_err(progname, code, "when parsing name %s",
name);
- return 0;
- }
- }
- }
+ return 0;
+ }
+ }
+ }
}
if (code = krb5_unparse_name(k5->ctx, k5->me,
&k5->name)) {
- com_err(progname, code, "when unparsing name");
- return 0;
+ com_err(progname, code, "when unparsing name");
+ return 0;
}
opts->principal_name = k5->name;
struct k5_data* k5;
{
if (k5->name)
- krb5_free_unparsed_name(k5->ctx, k5->name);
+ krb5_free_unparsed_name(k5->ctx, k5->name);
if (k5->me)
- krb5_free_principal(k5->ctx, k5->me);
+ krb5_free_principal(k5->ctx, k5->me);
if (k5->cc)
- krb5_cc_close(k5->ctx, k5->cc);
+ krb5_cc_close(k5->ctx, k5->cc);
if (k5->ctx)
- krb5_free_context(k5->ctx);
+ krb5_free_context(k5->ctx);
memset(k5, 0, sizeof(*k5));
}
int
k4_begin(opts, k4)
struct k_opts* opts;
- struct k4_data* k4;
+struct k4_data* k4;
{
char* progname = progname_v4;
int k_errno = 0;
if (!got_k4)
- return 0;
+ return 0;
#ifdef KRB5_KRB4_COMPAT
if (k4->aname[0])
- goto skip;
+ goto skip;
if (opts->principal_name)
{
- /* Use specified name */
- if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- opts->principal_name))
- {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- return 0;
- }
+ /* Use specified name */
+ if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ opts->principal_name))
+ {
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ return 0;
+ }
} else {
- /* No principal name specified */
- if (opts->action == INIT_KT) {
- /* Use the default host/service name */
- /* XXX - need to add this functionality */
- fprintf(stderr, "%s: Kerberos 4 srvtab support is not "
- "implemented\n", progname);
- return 0;
- } else {
- /* Get default principal from cache if one exists */
- if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
- k4->inst, k4->realm))
- {
- char *name = get_name_from_os();
- if (!name)
- {
- fprintf(stderr, "Unable to identify user\n");
- return 0;
- }
- if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
- name))
- {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- return 0;
- }
- }
- }
+ /* No principal name specified */
+ if (opts->action == INIT_KT) {
+ /* Use the default host/service name */
+ /* XXX - need to add this functionality */
+ fprintf(stderr, "%s: Kerberos 4 srvtab support is not "
+ "implemented\n", progname);
+ return 0;
+ } else {
+ /* Get default principal from cache if one exists */
+ if (k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
+ k4->inst, k4->realm))
+ {
+ char *name = get_name_from_os();
+ if (!name)
+ {
+ fprintf(stderr, "Unable to identify user\n");
+ return 0;
+ }
+ if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ name))
+ {
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ return 0;
+ }
+ }
+ }
}
if (!k4->realm[0])
- krb_get_lrealm(k4->realm, 1);
+ krb_get_lrealm(k4->realm, 1);
if (k4->inst[0])
- sprintf(k4->name, "%s.%s@%s", k4->aname, k4->inst, k4->realm);
+ sprintf(k4->name, "%s.%s@%s", k4->aname, k4->inst, k4->realm);
else
- sprintf(k4->name, "%s@%s", k4->aname, k4->realm);
+ sprintf(k4->name, "%s@%s", k4->aname, k4->realm);
opts->principal_name = k4->name;
skip:
if (k4->aname[0] && !k_isname(k4->aname))
{
fprintf(stderr, "%s: bad Kerberos 4 name format\n", progname);
- return 0;
+ return 0;
}
if (k4->inst[0] && !k_isinst(k4->inst))
{
- fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname);
- return 0;
+ fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname);
+ return 0;
}
if (k4->realm[0] && !k_isrealm(k4->realm))
{
- fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname);
- return 0;
+ fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname);
+ return 0;
}
#endif /* KRB5_KRB4_COMPAT */
return 1;
int
k5_kinit(opts, k5, password)
struct k_opts* opts;
- struct k5_data* k5;
- char* password;
+struct k5_data* k5;
+char* password;
{
char* progname = progname_v5;
int notix = 1;
krb5_get_init_creds_opt options;
if (!got_k5)
- return 0;
+ return 0;
krb5_get_init_creds_opt_init(&options);
memset(&my_creds, 0, sizeof(my_creds));
krb5_address **addresses = NULL;
code = krb5_os_localaddr(k5->ctx, &addresses);
if (code != 0) {
- com_err(progname, code, "getting local addresses");
- goto cleanup;
+ com_err(progname, code, "getting local addresses");
+ goto cleanup;
}
krb5_get_init_creds_opt_set_address_list(&options, addresses);
krb5_free_addresses(k5->ctx, addresses);
if ((opts->action == INIT_KT) && opts->keytab_name)
{
- code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
- if (code != 0) {
- com_err(progname, code, "resolving keytab %s",
- opts->keytab_name);
- goto cleanup;
- }
+ code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
+ if (code != 0) {
+ com_err(progname, code, "resolving keytab %s",
+ opts->keytab_name);
+ goto cleanup;
+ }
}
switch (opts->action) {
}
if (code) {
- char *doing = 0;
- switch (opts->action) {
- case INIT_PW:
- case INIT_KT:
- doing = "getting initial credentials";
- break;
- case VALIDATE:
- doing = "validating credentials";
- break;
- case RENEW:
- doing = "renewing credentials";
- break;
- }
+ char *doing = 0;
+ switch (opts->action) {
+ case INIT_PW:
+ case INIT_KT:
+ doing = "getting initial credentials";
+ break;
+ case VALIDATE:
+ doing = "validating credentials";
+ break;
+ case RENEW:
+ doing = "renewing credentials";
+ break;
+ }
/* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should
let the user know that maybe he/she wants -4. */
- if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4)
- com_err(progname, code, "while %s\n"
- "The KDC doesn't support v5. "
- "You may want the -4 option in the future",
- doing);
- else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
- fprintf(stderr, "%s: Password incorrect while %s\n", progname,
- doing);
+ if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4)
+ com_err(progname, code, "while %s\n"
+ "The KDC doesn't support v5. "
+ "You may want the -4 option in the future",
+ doing);
+ else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ fprintf(stderr, "%s: Password incorrect while %s\n", progname,
+ doing);
else
- com_err(progname, code, "while %s", doing);
- goto cleanup;
+ com_err(progname, code, "while %s", doing);
+ goto cleanup;
}
if (!opts->lifetime) {
/* We need to figure out what lifetime to use for Kerberos 4. */
- opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
+ opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
}
if (code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me)) {
- com_err(progname, code, "when initializing cache %s",
- opts->cache_name?opts->cache_name:"");
- goto cleanup;
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ goto cleanup;
}
if (code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds)) {
- com_err(progname, code, "while storing credentials");
- goto cleanup;
+ com_err(progname, code, "while storing credentials");
+ goto cleanup;
}
notix = 0;
cleanup:
if (my_creds.client == k5->me) {
- my_creds.client = 0;
+ my_creds.client = 0;
}
krb5_free_cred_contents(k5->ctx, &my_creds);
if (keytab)
int
k4_kinit(opts, k4, password)
struct k_opts* opts;
- struct k4_data* k4;
- char* password;
+struct k4_data* k4;
+char* password;
{
char* progname = progname_v4;
int k_errno = 0;
if (!got_k4)
- return 0;
+ return 0;
if (opts->starttime)
- return 0;
+ return 0;
#ifdef KRB5_KRB4_COMPAT
if (!k4->lifetime)
k4->lifetime /= (5 * 60);
if (k4->lifetime < 1)
- k4->lifetime = 1;
+ k4->lifetime = 1;
if (k4->lifetime > 255)
- k4->lifetime = 255;
+ k4->lifetime = 255;
switch (opts->action)
{
case INIT_PW:
- k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt",
- k4->realm, k4->lifetime, password);
-
- if (k_errno) {
- fprintf(stderr, "%s: %s\n", progname,
- krb_get_err_text(k_errno));
- if (authed_k5)
- fprintf(stderr, "Maybe your KDC does not support v4. "
- "Try the -5 option next time.\n");
- return 0;
- }
- return 1;
+ k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt",
+ k4->realm, k4->lifetime, password);
+
+ if (k_errno) {
+#ifndef HAVE_KRB524
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ if (authed_k5)
+ fprintf(stderr, "Maybe your KDC does not support v4. "
+ "Try the -5 option next time.\n");
+#endif
+ return 0;
+ }
+ return 1;
#ifndef HAVE_KRB524
case INIT_KT:
- fprintf(stderr, "%s: srvtabs are not supported\n", progname);
- return 0;
+ fprintf(stderr, "%s: srvtabs are not supported\n", progname);
+ return 0;
case RENEW:
- fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n",
- progname);
- return 0;
+ fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n",
+ progname);
+ return 0;
#endif
}
#endif
int len = strlen(progname) + 2 + strlen(v) + 2;
char *ret = malloc(len);
if (ret)
- sprintf(ret, "%s(v%s)", progname, v);
+ sprintf(ret, "%s(v%s)", progname, v);
else
- ret = progname;
+ ret = progname;
return ret;
}
}
/* stash ticket, session key, etc. for future use */
if ((icode = krb_save_credentials(v4creds.service,
- v4creds.instance,
- v4creds.realm,
- v4creds.session,
- v4creds.lifetime,
- v4creds.kvno,
- &(v4creds.ticket_st),
- v4creds.issue_date))) {
+ v4creds.instance,
+ v4creds.realm,
+ v4creds.session,
+ v4creds.lifetime,
+ v4creds.kvno,
+ &(v4creds.ticket_st),
+ v4creds.issue_date))) {
com_err(progname, icode,
"trying to save the V4 ticket");
goto cleanup;
cleanup:
memset(&v4creds, 0, sizeof(v4creds));
if (v5creds)
- krb5_free_creds(k5->ctx, v5creds);
+ krb5_free_creds(k5->ctx, v5creds);
increds.client = 0;
krb5_free_cred_contents(k5->ctx, &increds);
if (kpcserver)
- krb5_free_principal(k5->ctx, kpcserver);
+ krb5_free_principal(k5->ctx, kpcserver);
return !(code || icode);
}
#endif /* HAVE_KRB524 */
int
main(argc, argv)
int argc;
- char **argv;
+char **argv;
{
struct k_opts opts;
struct k5_data k5;
/* Ensure we can be driven from a pipe */
if(!isatty(fileno(stdin)))
- setvbuf(stdin, 0, _IONBF, 0);
+ setvbuf(stdin, 0, _IONBF, 0);
if(!isatty(fileno(stdout)))
- setvbuf(stdout, 0, _IONBF, 0);
+ setvbuf(stdout, 0, _IONBF, 0);
if(!isatty(fileno(stderr)))
- setvbuf(stderr, 0, _IONBF, 0);
+ setvbuf(stderr, 0, _IONBF, 0);
+ /*
+ This is where we would put in code to dynamically load Kerberos
+ libraries. Currenlty, we just get them implicitly.
+ */
got_k5 = 1;
#ifdef KRB5_KRB4_COMPAT
got_k4 = 1;
if (opts.action == INIT_PW)
{
- char prompt[255];
- int pwsize = sizeof(password);
- krb5_error_code code;
-
- sprintf(prompt, "Password for %s: ", opts.principal_name);
- password[0] = 0;
- /*
- Note: krb5_read_password does not actually look at the
- context, so we're ok even if we don't have a context. If
- we cannot dynamically load krb5, we can substitute any
- decent read password function instead of the krb5 one.
- */
- code = krb5_read_password(k5.ctx, prompt, 0, password, &pwsize);
- if (code || pwsize == 0)
- {
- fprintf(stderr, "Error while reading password for '%s'\n",
- opts.principal_name);
- memset(password, 0, sizeof(password));
- exit(1);
- }
+ char prompt[255];
+ int pwsize = sizeof(password);
+ krb5_error_code code;
+
+ sprintf(prompt, "Password for %s: ", opts.principal_name);
+ password[0] = 0;
+ /*
+ Note: krb5_read_password does not actually look at the
+ context, so we're ok even if we don't have a context. If
+ we cannot dynamically load krb5, we can substitute any
+ decent read password function instead of the krb5 one.
+ */
+ code = krb5_read_password(k5.ctx, prompt, 0, password, &pwsize);
+ if (code || pwsize == 0)
+ {
+ fprintf(stderr, "Error while reading password for '%s'\n",
+ opts.principal_name);
+ memset(password, 0, sizeof(password));
+ exit(1);
+ }
}
authed_k5 = k5_kinit(&opts, &k5, password);
#endif
if (authed_k5 && opts.verbose)
- fprintf(stderr, "Authenticated to Kerberos v5\n");
+ fprintf(stderr, "Authenticated to Kerberos v5\n");
if (authed_k4 && opts.verbose)
- fprintf(stderr, "Authenticated to Kerberos v4\n");
+ fprintf(stderr, "Authenticated to Kerberos v4\n");
k5_end(&k5);
k4_end(&k4);
if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4))
- exit(1);
+ exit(1);
return 0;
}