From: Greg Hudson Date: Mon, 15 Dec 2008 19:37:51 +0000 (+0000) Subject: Remove krb4 support from clients. Some of the code has been X-Git-Tag: krb5-1.7-alpha1~164 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=38d175630716003c7c4fe9eb5284a66aedf1e119;p=krb5.git Remove krb4 support from clients. Some of the code has been simplified to remove architectural relics of the -4 and -5 options, but more simplification is likely possible, particularly in kinit. ticket: 6303 status: open git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21449 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/clients/kcpytkt/Makefile.in b/src/clients/kcpytkt/Makefile.in index a47ac5f8f..882b93d72 100644 --- a/src/clients/kcpytkt/Makefile.in +++ b/src/clients/kcpytkt/Makefile.in @@ -20,8 +20,8 @@ all-unix:: kcpytkt ##WIN32##all-windows:: $(KCPYTKT) all-mac:: -kcpytkt: kcpytkt.o $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ kcpytkt.o $(KRB4COMPAT_LIBS) +kcpytkt: kcpytkt.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ kcpytkt.o $(KRB5_BASE_LIBS) ##WIN32##$(KCPYTKT): $(OUTPRE)kcpytkt.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES) ##WIN32## link $(EXE_LINKOPTS) /out:$@ $** diff --git a/src/clients/kdeltkt/Makefile.in b/src/clients/kdeltkt/Makefile.in index dbd4b7116..fece6d894 100644 --- a/src/clients/kdeltkt/Makefile.in +++ b/src/clients/kdeltkt/Makefile.in @@ -20,8 +20,8 @@ all-unix:: kdeltkt ##WIN32##all-windows:: $(KDELTKT) all-mac:: -kdeltkt: kdeltkt.o $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ kdeltkt.o $(KRB4COMPAT_LIBS) +kdeltkt: kdeltkt.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ kdeltkt.o $(KRB5_BASE_LIBS) ##WIN32##$(KDELTKT): $(OUTPRE)kdeltkt.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES) ##WIN32## link $(EXE_LINKOPTS) /out:$@ $** diff --git a/src/clients/kdestroy/Makefile.in b/src/clients/kdestroy/Makefile.in index 876951d2b..301893cd8 100644 --- a/src/clients/kdestroy/Makefile.in +++ b/src/clients/kdestroy/Makefile.in 
@@ -22,8 +22,8 @@ PROG_RPATH=$(KRB5_LIBDIR) all-unix:: kdestroy ##WIN32##all-windows:: $(KDESTROY) -kdestroy: kdestroy.o $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ kdestroy.o $(KRB4COMPAT_LIBS) +kdestroy: kdestroy.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ kdestroy.o $(KRB5_BASE_LIBS) ##WIN32##$(KDESTROY): $(OUTPRE)kdestroy.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.obj $(KLIB) $(CLIB) $(EXERES) ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** diff --git a/src/clients/kdestroy/kdestroy.M b/src/clients/kdestroy/kdestroy.M index c7d0135b7..ada2ae3dc 100644 --- a/src/clients/kdestroy/kdestroy.M +++ b/src/clients/kdestroy/kdestroy.M @@ -26,7 +26,7 @@ kdestroy \- destroy Kerberos tickets .SH SYNOPSIS .B kdestroy -[\fB\-5\fP] [\fB\-4\fP] [\fB\-q\fP] [\fB\-c\fP \fIcache_name] +[\fB\-q\fP] [\fB\-c\fP \fIcache_name] .br .SH DESCRIPTION The @@ -35,24 +35,8 @@ utility destroys the user's active Kerberos authorization tickets by writing zeros to the specified credentials cache that contains them. If the credentials cache is not specified, the default credentials cache is destroyed. -If kdestroy was built with Kerberos 4 support, the default behavior is to -destroy both Kerberos 5 and Kerberos 4 credentials. Otherwise, kdestroy -will default to destroying only Kerberos 5 credentials. .SH OPTIONS .TP -.B \-5 -destroy Kerberos 5 credentials. This overrides whatever the default built-in -behavior may be. This option may be used with -.B \-4 -. -.TP -.B \-4 -destroy Kerberos 4 credentials. This overrides whatever the default built-in -behavior may be. This option is only available if kinit was built -with Kerberos 4 compatibility. This option may be used with -.B \-5 -. -.TP .B \-q Run quietly. Normally .B kdestroy 
@@ -82,18 +66,11 @@ uses the following environment variables: .TP "\w'.SM KRB5CCNAME\ \ 'u" .SM KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache. -.TP "\w'.SM KRBTKFILE\ \ 'u" -.SM KRBTKFILE -Filename of the Kerberos 4 credentials (ticket) cache. .SH FILES .TP "\w'/tmp/krb5cc_[uid]\ \ 'u" /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -.TP "\w'/tmp/tkt[uid]\ \ 'u" -/tmp/tkt[uid] -default location of Kerberos 4 credentials cache -([uid] is the decimal UID of the user). .SH SEE ALSO kinit(1), klist(1), krb5(3) .SH BUGS diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c index f7bcef7cd..3f2f32682 100644 --- a/src/clients/kdestroy/kdestroy.c +++ b/src/clients/kdestroy/kdestroy.c @@ -36,10 +36,6 @@ #include #endif -#ifdef KRB5_KRB4_COMPAT -#include -#endif - #ifdef __STDC__ #define BELL_CHAR '\a' #else @@ -57,29 +53,12 @@ extern char *optarg; char *progname; -int got_k5 = 0; -int got_k4 = 0; - -int default_k5 = 1; -#ifdef KRB5_KRB4_COMPAT -int default_k4 = 1; -#else -int default_k4 = 0; -#endif - static void usage() { #define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - fprintf(stderr, "Usage: %s [-5] [-4] [-q] [-c cache_name]\n", progname); - fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5)); - fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4)); - fprintf(stderr, "\t (Default is %s%s%s%s)\n", - default_k5?"Kerberos 5":"", - (default_k5 && default_k4)?" and ":"", - default_k4?"Kerberos 4":"", - (!default_k5 && !default_k4)?"neither":""); + fprintf(stderr, "Usage: %s [-q] [-c cache_name]\n", progname); fprintf(stderr, "\t-q quiet mode\n"); fprintf(stderr, "\t-c specify name of credentials cache\n"); exit(2); 
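Review bot: The `#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")` line kept as context in usage() of kdestroy.c has no remaining user in this hunk, because both fprintf calls that expanded it are removed. Unless something outside the visible hunks still uses it, I would delete the macro in the same commit so usage() does not keep a relic of the -4/-5 availability report. The kinit.c usage() hunk already drops its copy of the macro, so this would also make the two clients consistent.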
@@ -96,23 +75,11 @@ main(argc, argv) krb5_ccache cache = NULL; char *cache_name = NULL; int code = 0; -#ifdef KRB5_KRB4_COMPAT - int v4code = 0; - int v4 = 1; -#endif int errflg = 0; int quiet = 0; - int use_k5 = 0; - int use_k4 = 0; - progname = GET_PROGNAME(argv[0]); - got_k5 = 1; -#ifdef KRB5_KRB4_COMPAT - got_k4 = 1; -#endif - while ((c = getopt(argc, argv, "54qc:")) != -1) { switch (c) { case 'q': @@ -127,24 +94,10 @@ main(argc, argv) } break; case '4': - if (!got_k4) - { -#ifdef KRB5_KRB4_COMPAT - fprintf(stderr, "Kerberos 4 support could not be loaded\n"); -#else - fprintf(stderr, "This was not built with Kerberos 4 support\n"); -#endif - exit(3); - } - use_k4 = 1; + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); break; case '5': - if (!got_k5) - { - fprintf(stderr, "Kerberos 5 support could not be loaded\n"); - exit(3); - } - use_k5 = 1; break; case '?': default: 
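Review bot: The `case '5':` arm of kdestroy.c's option switch is now just `break;`, and neither the new usage text nor kdestroy.M mentions -5, so a reader cannot tell that the option is still accepted on purpose. I would add a comment there, for example `/* -5 is accepted and ignored for compatibility with existing scripts. */`, assuming that is the intent. In the `case '4':` arm the `break;` after `exit(3);` is unreachable and can be dropped. The same two arms appear in parse_options() in kinit.c. The switch starts and ends outside this hunk.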
@@ -160,69 +113,38 @@ main(argc, argv) usage(); } - if (!use_k5 && !use_k4) - { - use_k5 = default_k5; - use_k4 = default_k4; + retval = krb5_init_context(&kcontext); + if (retval) { + com_err(progname, retval, "while initializing krb5"); + exit(1); } - if (!use_k5) - got_k5 = 0; - if (!use_k4) - got_k4 = 0; - - if (got_k5) { - retval = krb5_init_context(&kcontext); - if (retval) { - com_err(progname, retval, "while initializing krb5"); + if (cache_name) { + code = krb5_cc_resolve (kcontext, cache_name, &cache); + if (code != 0) { + com_err (progname, code, "while resolving %s", cache_name); exit(1); } - - if (cache_name) { -#ifdef KRB5_KRB4_COMPAT - v4 = 0; /* Don't do v4 if doing v5 and cache name given. */ -#endif - code = krb5_cc_resolve (kcontext, cache_name, &cache); - if (code != 0) { - com_err (progname, code, "while resolving %s", cache_name); - exit(1); - } - } else { - code = krb5_cc_default(kcontext, &cache); - if (code) { - com_err(progname, code, "while getting default ccache"); - exit(1); - } - } - - code = krb5_cc_destroy (kcontext, cache); - if (code != 0) { - com_err (progname, code, "while destroying cache"); - if (code != KRB5_FCC_NOFILE) { - if (quiet) - fprintf(stderr, "Ticket cache NOT destroyed!\n"); - else { - fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n", - BELL_CHAR, BELL_CHAR); - } - errflg = 1; - } + } else { + code = krb5_cc_default(kcontext, &cache); + if (code) { + com_err(progname, code, "while getting default ccache"); + exit(1); } } -#ifdef KRB5_KRB4_COMPAT - if (got_k4 && v4) { - v4code = dest_tkt(); - if (v4code == KSUCCESS && code != 0) - fprintf(stderr, "Kerberos 4 ticket cache destroyed.\n"); - if (v4code != KSUCCESS && v4code != RET_TKFIL) { + + code = krb5_cc_destroy (kcontext, cache); + if (code != 0) { + com_err (progname, code, "while destroying cache"); + if (code != KRB5_FCC_NOFILE) { if (quiet) - fprintf(stderr, "Kerberos 4 ticket cache NOT destroyed!\n"); - else - fprintf(stderr, "Kerberos 4 ticket cache 
%cNOT%c destroyed!\n", + fprintf(stderr, "Ticket cache NOT destroyed!\n"); + else { + fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n", BELL_CHAR, BELL_CHAR); + } errflg = 1; } } -#endif return errflg; } diff --git a/src/clients/kinit/Makefile.in b/src/clients/kinit/Makefile.in index e7318b99a..bcdc97e19 100644 --- a/src/clients/kinit/Makefile.in +++ b/src/clients/kinit/Makefile.in @@ -25,8 +25,8 @@ SRCS=kinit.c all-unix:: kinit ##WIN32##all-windows:: $(KINIT) -kinit: kinit.o $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ kinit.o $(KRB4COMPAT_LIBS) +kinit: kinit.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ kinit.o $(KRB5_BASE_LIBS) ##WIN32##$(KINIT): $(OUTPRE)kinit.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB) $(EXERES) ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** advapi32.lib diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M index eca8be341..60336a24e 100644 --- a/src/clients/kinit/kinit.M +++ b/src/clients/kinit/kinit.M @@ -28,8 +28,6 @@ kinit \- obtain and cache Kerberos ticket-granting ticket .TP .B kinit .ad l -[\fB\-5\fP] -[\fB\-4\fP] [\fB\-V\fP] [\fB\-l\fP \fIlifetime\fP] [\fB\-s\fP \fIstart_time\fP] [\fB\-r\fP \fIrenewable_life\fP] 
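Review bot: After this hunk, main() in kdestroy.c destroys only the Kerberos 5 cache, so a Kerberos 4 ticket file written before the upgrade stays on disk while kdestroy still exits 0 once the Kerberos 5 cache is destroyed. The removed man page text names `KRBTKFILE` and `/tmp/tkt[uid]` as the locations of that file. This is a documentation gap rather than a code defect: the kdestroy.M hunks delete the krb4 entries without saying that old ticket files are no longer cleaned up. I would add one sentence to the DESCRIPTION section of kdestroy.M, e.g. `Kerberos 4 ticket files are not touched by this version of kdestroy.`, so administrators know to remove leftover files by other means.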
@@ -48,28 +46,8 @@ kinit \- obtain and cache Kerberos ticket-granting ticket .I kinit obtains and caches an initial ticket-granting ticket for .IR principal . -The typical default behavior is to acquire only -Kerberos 5 tickets. However, if kinit was built with both -Kerberos 4 support and with the default behavior of acquiring both -types of tickets, it will try to acquire both Kerberos 5 and Kerberos 4 -by default. -Any documentation particular to Kerberos 4 does not apply if Kerberos 4 -support was not built into kinit. .SH OPTIONS .TP -.B \-5 -get Kerberos 5 tickets. This overrides whatever the default built-in -behavior may be. This option may be used with -.B \-4 -. -.TP -.B \-4 -get Kerberos 4 tickets. This overrides whatever the default built-in -behavior may be. This option is only available if kinit was built -with Kerberos 4 compatibility. This option may be used with -.B \-5 -. -.TP .B \-V display verbose output. .TP 
@@ -105,45 +83,43 @@ requests a postdated ticket, valid starting at Postdated tickets are issued with the .I invalid flag set, and need to be fed back to the kdc before use. -(Not applicable to Kerberos 4.) .TP \fB\-r\fP \fIrenewable_life\fP requests renewable tickets, with a total lifetime of .IR renewable_life . The duration is in the same format as the .B \-l -option, with the same delimiters. (Not applicable to Kerberos 4.) +option, with the same delimiters. .TP .B \-f -request forwardable tickets. (Not applicable to Kerberos 4.) +request forwardable tickets. .TP .B \-F -do not request forwardable tickets. (Not applicable to Kerberos 4.) +do not request forwardable tickets. .TP .B \-p -request proxiable tickets. (Not applicable to Kerberos 4.) +request proxiable tickets. .TP .B \-P -do not request proxiable tickets. (Not applicable to Kerberos 4.) +do not request proxiable tickets. .TP .B \-a -request tickets with the local address[es]. (Not applicable to Kerberos 4.) +request tickets with the local address[es]. .TP .B \-A -request address-less tickets. (Not applicable to Kerberos 4.) +request address-less tickets. .TP .B \-v requests that the ticket granting ticket in the cache (with the .I invalid flag set) be passed to the kdc for validation. If the ticket is within its requested time range, the cache is replaced with the validated -ticket. (Not applicable to Kerberos 4.) +ticket. .TP .B \-R requests renewal of the ticket-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its -renewable life. When using this option with Kerberos 4, the kdc must -support Kerberos 5 to Kerberos 4 ticket conversion. +renewable life. .TP \fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP] requests a host ticket, obtained from a key in the local host's 
@@ -152,9 +128,7 @@ file. The name and location of the keytab file may be specified with the .B \-t .I keytab_file -option; otherwise the default name and location will be used. When using -this option with Kerberos 4, the kdc must support Kerberos 5 to Kerberos 4 -ticket conversion. +option; otherwise the default name and location will be used. .TP \fB\-c\fP \fIcache_name\fP use @@ -167,15 +141,10 @@ The default credentials cache may vary between systems. If the environment variable is set, its value is used to name the default ticket cache. Any existing contents of the cache are destroyed by .IR kinit . -(Note: The default name for Kerberos 4 comes from the -.B KRBTKFILE -environment variable. This option does not apply to Kerberos 4.) .TP \fB\-S\fP \fIservice_name\fP specify an alternate service name to use when -getting initial tickets. (Applicable to Kerberos 5 or if using both -Kerberos 5 and Kerberos 4 with a kdc that supports Kerberos 5 to Kerberos 4 -ticket conversion.) +getting initial tickets. .TP \fB\-X\fP \fIattribute\fP[=\fIvalue\fP] specify a pre\-authentication attribute and value to be passed to @@ -204,18 +173,11 @@ uses the following environment variables: .TP "\w'.SM KRB5CCNAME\ \ 'u" .SM KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache. -.TP "\w'.SM KRBTKFILE\ \ 'u" -.SM KRBTKFILE -Filename of the Kerberos 4 credentials (ticket) cache. .SH FILES .TP "\w'/tmp/krb5cc_[uid]\ \ 'u" /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -.TP "\w'/tmp/tkt[uid]\ \ 'u" -/tmp/tkt[uid] -default location of Kerberos 4 credentials cache -([uid] is the decimal UID of the user). .TP /etc/krb5.keytab default location for the local host's diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index 506f551c1..58ebec132 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c 
@@ -30,12 +30,6 @@ #include "autoconf.h" #include "k5-platform.h" /* for asprintf */ #include -#ifdef KRB5_KRB4_COMPAT -#include -#define HAVE_KRB524 -#else -#undef HAVE_KRB524 -#endif #include #include #include @@ -98,26 +92,7 @@ char * get_name_from_os() #endif /* _WIN32 */ #endif /* HAVE_PWD_H */ -static char* progname_v5 = 0; -#ifdef KRB5_KRB4_COMPAT -static char* progname_v4 = 0; -static char* progname_v524 = 0; -#endif - -static int got_k5 = 0; -static int got_k4 = 0; - -static int default_k5 = 1; -#if defined(KRB5_KRB4_COMPAT) && defined(KINIT_DEFAULT_BOTH) -static int default_k4 = 1; -#else -static int default_k4 = 0; -#endif - -static int authed_k5 = 0; -static int authed_k4 = 0; - -#define KRB4_BACKUP_DEFAULT_LIFE_SECS 24*60*60 /* 1 day */ +static char *progname; typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type; @@ -142,7 +117,6 @@ struct k_opts char* service_name; char* keytab_name; char* k5_cache_name; - char* k4_cache_name; action_type action; @@ -158,17 +132,6 @@ struct k5_data char* name; }; -struct k4_data -{ - krb5_deltat lifetime; -#ifdef KRB5_KRB4_COMPAT - char aname[ANAME_SZ + 1]; - char inst[INST_SZ + 1]; - char realm[REALM_SZ + 1]; - char name[ANAME_SZ + 1 + INST_SZ + 1 + REALM_SZ + 1]; -#endif -}; - #ifdef GETOPT_LONG /* if struct[2] == NULL, then long_getopt acts as if the short flag struct[3] was specified. If struct[2] != NULL, then struct[3] is @@ -191,8 +154,7 @@ struct option long_options[] = { #endif static void -usage(progname) - char *progname; +usage() { #define USAGE_BREAK "\n\t" @@ -208,7 +170,7 @@ usage(progname) #define USAGE_BREAK_LONG "" #endif - fprintf(stderr, "Usage: %s [-5] [-4] [-V] " + fprintf(stderr, "Usage: %s [-V] " "[-l lifetime] [-s start_time] " USAGE_BREAK "[-r renewable_life] " 
@@ -227,54 +189,24 @@ usage(progname) "\n\n", progname); -#define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - -#define OPTTYPE_KRB5 "5" -#define OPTTYPE_KRB4 "4" -#define OPTTYPE_EITHER "Either 4 or 5" -#ifdef HAVE_KRB524 -#define OPTTYPE_BOTH "5, or both 5 and 4" -#else -#define OPTTYPE_BOTH "5" -#endif - -#ifdef KRB5_KRB4_COMPAT -#define USAGE_OPT_FMT "%s%-50s%s\n" -#define ULINE(indent, col1, col2) \ -fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2) -#else -#define USAGE_OPT_FMT "%s%s\n" -#define ULINE(indent, col1, col2) \ -fprintf(stderr, USAGE_OPT_FMT, indent, col1) -#endif - - ULINE(" ", "options:", "valid with Kerberos:"); - fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5)); - fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4)); - fprintf(stderr, "\t (Default behavior is to try %s%s%s%s)\n", - default_k5?"Kerberos 5":"", - (default_k5 && default_k4)?" and ":"", - default_k4?"Kerberos 4":"", - (!default_k5 && !default_k4)?"neither":""); - ULINE("\t", "-V verbose", OPTTYPE_EITHER); - ULINE("\t", "-l lifetime", OPTTYPE_EITHER); - ULINE("\t", "-s start time", OPTTYPE_KRB5); - ULINE("\t", "-r renewable lifetime", OPTTYPE_KRB5); - ULINE("\t", "-f forwardable", OPTTYPE_KRB5); - ULINE("\t", "-F not forwardable", OPTTYPE_KRB5); - ULINE("\t", "-p proxiable", OPTTYPE_KRB5); - ULINE("\t", "-P not proxiable", OPTTYPE_KRB5); - ULINE("\t", "-a include addresses", OPTTYPE_KRB5); - ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5); - ULINE("\t", "-v validate", OPTTYPE_KRB5); - ULINE("\t", "-R renew", OPTTYPE_BOTH); - ULINE("\t", "-k use keytab", OPTTYPE_BOTH); - ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH); - ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5); - /* This options is not yet available: */ - /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */ - ULINE("\t", "-S service", OPTTYPE_BOTH); - ULINE("\t", "-X [=]", OPTTYPE_KRB5); + fprintf(stderr, " options:"); + fprintf(stderr, "\t-V 
verbose\n"); + fprintf(stderr, "\t-l lifetime\n"); + fprintf(stderr, "\t-s start time\n"); + fprintf(stderr, "\t-r renewable lifetime\n"); + fprintf(stderr, "\t-f forwardable\n"); + fprintf(stderr, "\t-F not forwardable\n"); + fprintf(stderr, "\t-p proxiable\n"); + fprintf(stderr, "\t-P not proxiable\n"); + fprintf(stderr, "\t-a include addresses\n"); + fprintf(stderr, "\t-A do not include addresses\n"); + fprintf(stderr, "\t-v validate\n"); + fprintf(stderr, "\t-R renew\n"); + fprintf(stderr, "\t-k use keytab\n"); + fprintf(stderr, "\t-t filename of keytab to use\n"); + fprintf(stderr, "\t-c Kerberos 5 cache name\n"); + fprintf(stderr, "\t-S service\n"); + fprintf(stderr, "\t-X [=]\n"); exit(2); } @@ -322,16 +254,13 @@ add_preauth_opt(struct k_opts *opts, char *av) } static char * -parse_options(argc, argv, opts, progname) +parse_options(argc, argv, opts) int argc; char **argv; struct k_opts* opts; - char *progname; { krb5_error_code code; int errflg = 0; - int use_k4 = 0; - int use_k5 = 0; int i; while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:")) @@ -426,40 +355,11 @@ parse_options(argc, argv, opts, progname) errflg++; } break; -#if 0 - /* - A little more work is needed before we can enable this - option. - */ - case 'C': - if (opts->k4_cache_name) - { - fprintf(stderr, "Only one -C option allowed\n"); - errflg++; - } else { - opts->k4_cache_name = optarg; - } - break; -#endif case '4': - if (!got_k4) - { -#ifdef KRB5_KRB4_COMPAT - fprintf(stderr, "Kerberos 4 support could not be loaded\n"); -#else - fprintf(stderr, "This was not built with Kerberos 4 support\n"); -#endif - exit(3); - } - use_k4 = 1; + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); break; case '5': - if (!got_k5) - { - fprintf(stderr, "Kerberos 5 support could not be loaded\n"); - exit(3); - } - use_k5 = 1; break; default: errflg++; 
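Review bot: The new heading line `fprintf(stderr, " options:");` in kinit.c's usage() has no trailing `\n`, whereas both USAGE_OPT_FMT variants behind the ULINE call it replaces ended with one. The heading and the `-V verbose` entry will therefore be printed on the same line. The string should end with the newline escape, i.e. `options:\n"` with the original leading spaces kept (whitespace is collapsed in this rendering, so the exact indentation is not visible here). The rest of usage() lies outside this hunk.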
@@ -489,66 +389,21 @@ parse_options(argc, argv, opts, progname) errflg++; } - /* At this point, if errorless, we know we only have one option - selection */ - if (!use_k5 && !use_k4) { - use_k5 = default_k5; - use_k4 = default_k4; - } - - /* Now, we encode the OPTTYPE stuff here... */ - if (!use_k5 && - (opts->starttime || opts->rlife || opts->forwardable || - opts->proxiable || opts->addresses || opts->not_forwardable || - opts->not_proxiable || opts->no_addresses || - (opts->action == VALIDATE) || opts->k5_cache_name)) - { - fprintf(stderr, "Specified option that requires Kerberos 5\n"); - errflg++; - } - if (!use_k4 && - opts->k4_cache_name) - { - fprintf(stderr, "Specified option that require Kerberos 4\n"); - errflg++; - } - if ( -#ifdef HAVE_KRB524 - !use_k5 -#else - use_k4 -#endif - && (opts->service_name || opts->keytab_name || - (opts->action == INIT_KT) || (opts->action == RENEW)) - ) - { - fprintf(stderr, "Specified option that requires Kerberos 5\n"); - errflg++; - } - if (errflg) { - usage(progname); + usage(); } - got_k5 = got_k5 && use_k5; - got_k4 = got_k4 && use_k4; - opts->principal_name = (optind == argc-1) ? argv[optind] : 0; return opts->principal_name; } static int -k5_begin(opts, k5, k4) +k5_begin(opts, k5) struct k_opts* opts; -struct k5_data* k5; -struct k4_data* k4; + struct k5_data* k5; { - char* progname = progname_v5; krb5_error_code code = 0; - if (!got_k5) - return 0; - code = krb5_init_context(&k5->ctx); if (code) { com_err(progname, code, "while initializing Kerberos 5 library"); @@ -624,19 +479,6 @@ struct k4_data* k4; } opts->principal_name = k5->name; -#ifdef KRB5_KRB4_COMPAT - if (got_k4) - { - /* Translate to a Kerberos 4 principal */ - code = krb5_524_conv_principal(k5->ctx, k5->me, - k4->aname, k4->inst, k4->realm); - if (code) { - k4->aname[0] = 0; - k4->inst[0] = 0; - k4->realm[0] = 0; - } - } -#endif return 1; } 
@@ -656,110 +498,6 @@ k5_end(k5) memset(k5, 0, sizeof(*k5)); } -static int -k4_begin(opts, k4) - struct k_opts* opts; - struct k4_data* k4; -{ -#ifdef KRB5_KRB4_COMPAT - char* progname = progname_v4; - int k_errno = 0; -#endif - - if (!got_k4) - return 0; - -#ifdef KRB5_KRB4_COMPAT - if (k4->aname[0]) - goto skip; - - if (opts->principal_name) - { - /* Use specified name */ - k_errno = kname_parse(k4->aname, k4->inst, k4->realm, - opts->principal_name); - if (k_errno) - { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - return 0; - } - } else { - /* No principal name specified */ - if (opts->action == INIT_KT) { - /* Use the default host/service name */ - /* XXX - need to add this functionality */ - fprintf(stderr, "%s: Kerberos 4 srvtab support is not " - "implemented\n", progname); - return 0; - } else { - /* Get default principal from cache if one exists */ - k_errno = krb_get_tf_fullname(tkt_string(), k4->aname, - k4->inst, k4->realm); - if (k_errno) - { - char *name = get_name_from_os(); - if (!name) - { - fprintf(stderr, "Unable to identify user\n"); - return 0; - } - k_errno = kname_parse(k4->aname, k4->inst, k4->realm, - name); - if (k_errno) - { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - return 0; - } - } - } - } - - if (!k4->realm[0]) - krb_get_lrealm(k4->realm, 1); - - if (k4->inst[0]) - snprintf(k4->name, sizeof(k4->name), "%s.%s@%s", - k4->aname, k4->inst, k4->realm); - else - snprintf(k4->name, sizeof(k4->name), "%s@%s", k4->aname, k4->realm); - opts->principal_name = k4->name; - - skip: - if (k4->aname[0] && !k_isname(k4->aname)) - { - fprintf(stderr, "%s: bad Kerberos 4 name format\n", progname); - return 0; - } - - if (k4->inst[0] && !k_isinst(k4->inst)) - { - fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname); - return 0; - } - - if (k4->realm[0] && !k_isrealm(k4->realm)) - { - fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname); - return 0; - } -#endif /* 
KRB5_KRB4_COMPAT */ - return 1; -} - -static void -k4_end(k4) - struct k4_data* k4; -{ - memset(k4, 0, sizeof(*k4)); -} - -#ifdef KRB5_KRB4_COMPAT -static char stash_password[1024]; -static int got_password = 0; -#endif /* KRB5_KRB4_COMPAT */ - static krb5_error_code KRB5_CALLCONV kinit_prompter( @@ -771,21 +509,8 @@ kinit_prompter( krb5_prompt prompts[] ) { - int i; - krb5_prompt_type *types; krb5_error_code rc = krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); - if (!rc && (types = krb5_get_prompt_types(ctx))) - for (i = 0; i < num_prompts; i++) - if ((types[i] == KRB5_PROMPT_TYPE_PASSWORD) || - (types[i] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN)) - { -#ifdef KRB5_KRB4_COMPAT - strncpy(stash_password, prompts[i].reply->data, - sizeof(stash_password)); - got_password = 1; -#endif - } return rc; } @@ -794,7 +519,6 @@ k5_kinit(opts, k5) struct k_opts* opts; struct k5_data* k5; { - char* progname = progname_v5; int notix = 1; krb5_keytab keytab = 0; krb5_creds my_creds; @@ -802,9 +526,6 @@ k5_kinit(opts, k5) krb5_get_init_creds_opt *options = NULL; int i; - if (!got_k5) - return 0; - memset(&my_creds, 0, sizeof(my_creds)); code = krb5_get_init_creds_opt_alloc(k5->ctx, &options); @@ -902,14 +623,7 @@ k5_kinit(opts, k5) break; } - /* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should - let the user know that maybe he/she wants -4. */ - if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4) - com_err(progname, code, "while %s\n" - "The KDC doesn't support v5. " - "You may want the -4 option in the future", - doing); - else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) + if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) fprintf(stderr, "%s: Password incorrect while %s\n", progname, doing); else 
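Review bot: With the password-stashing loop removed, kinit_prompter() in kinit.c is reduced to assigning the result of krb5_prompter_posix() to `rc` and returning it, so the wrapper no longer adds anything. Removing the copy of the typed password into the static stash_password buffer is the right change. I would either collapse the body to `return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);` or delete the wrapper and pass krb5_prompter_posix directly at the call site, which is outside this hunk. The function's signature begins above the hunk.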
@@ -917,11 +631,6 @@ k5_kinit(opts, k5) goto cleanup; } - if (!opts->lifetime) { - /* We need to figure out what lifetime to use for Kerberos 4. */ - opts->lifetime = my_creds.times.endtime - my_creds.times.authtime; - } - code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me); if (code) { com_err(progname, code, "when initializing cache %s", 
@@ -954,194 +663,6 @@ k5_kinit(opts, k5) return notix?0:1; } -static int -k4_kinit(opts, k4, ctx) - struct k_opts* opts; - struct k4_data* k4; - krb5_context ctx; -{ -#ifdef KRB5_KRB4_COMPAT - char* progname = progname_v4; - int k_errno = 0; -#endif - - if (!got_k4) - return 0; - - if (opts->starttime) - return 0; - -#ifdef KRB5_KRB4_COMPAT - if (!k4->lifetime) - k4->lifetime = opts->lifetime; - if (!k4->lifetime) - k4->lifetime = KRB4_BACKUP_DEFAULT_LIFE_SECS; - - k4->lifetime = krb_time_to_life(0, k4->lifetime); - - switch (opts->action) - { - case INIT_PW: - if (!got_password) { - unsigned int pwsize = sizeof(stash_password); - krb5_error_code code; - char prompt[1024]; - - snprintf(prompt, sizeof(prompt), - "Password for %s", opts->principal_name); - stash_password[0] = 0; - /* - Note: krb5_read_password does not actually look at the - context, so we're ok even if we don't have a context. If - we cannot dynamically load krb5, we can substitute any - decent read password function instead of the krb5 one. - */ - code = krb5_read_password(ctx, prompt, 0, stash_password, &pwsize); - if (code || pwsize == 0) - { - fprintf(stderr, "Error while reading password for '%s'\n", - opts->principal_name); - memset(stash_password, 0, sizeof(stash_password)); - return 0; - } - got_password = 1; - } - k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt", - k4->realm, k4->lifetime, stash_password); - - if (k_errno) { - fprintf(stderr, "%s: %s\n", progname, - krb_get_err_text(k_errno)); - if (authed_k5) - fprintf(stderr, "Maybe your KDC does not support v4. 
" - "Try the -5 option next time.\n"); - return 0; - } - return 1; -#ifndef HAVE_KRB524 - case INIT_KT: - fprintf(stderr, "%s: srvtabs are not supported\n", progname); - return 0; - case RENEW: - fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n", - progname); - return 0; -#else - /* These cases are handled by the 524 code - this prevents the compiler - warnings of not using all the enumerated types. - */ - case INIT_KT: - case RENEW: - case VALIDATE: - return 0; -#endif - } -#endif - return 0; -} - -static char* -getvprogname(v, progname) - char *v, *progname; -{ - char *ret; - - if (asprintf(&ret, "%s(v%s)", progname, v) < 0) - return progname; - else - return ret; -} - -#ifdef HAVE_KRB524 -/* Convert krb5 tickets to krb4. */ -static int try_convert524(k5) - struct k5_data* k5; -{ - char * progname = progname_v524; - krb5_error_code code = 0; - int icode = 0; - krb5_principal kpcserver = 0; - krb5_creds *v5creds = 0; - krb5_creds increds; - CREDENTIALS v4creds; - - if (!got_k4 || !got_k5) - return 0; - - memset((char *) &increds, 0, sizeof(increds)); - /* - From this point on, we can goto cleanup because increds is - initialized. - */ - - if ((code = krb5_build_principal(k5->ctx, - &kpcserver, - krb5_princ_realm(k5->ctx, k5->me)->length, - krb5_princ_realm(k5->ctx, k5->me)->data, - "krbtgt", - krb5_princ_realm(k5->ctx, k5->me)->data, - NULL))) { - com_err(progname, code, - "while creating service principal name"); - goto cleanup; - } - - increds.client = k5->me; - increds.server = kpcserver; - /* Prevent duplicate free calls. 
*/ - kpcserver = 0; - - increds.times.endtime = 0; - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - if ((code = krb5_get_credentials(k5->ctx, 0, - k5->cc, - &increds, - &v5creds))) { - com_err(progname, code, - "getting V5 credentials"); - goto cleanup; - } - if ((icode = krb524_convert_creds_kdc(k5->ctx, - v5creds, - &v4creds))) { - com_err(progname, icode, - "converting to V4 credentials"); - goto cleanup; - } - /* this is stolen from the v4 kinit */ - /* initialize ticket cache */ - if ((icode = in_tkt(v4creds.pname, v4creds.pinst) - != KSUCCESS)) { - com_err(progname, icode, - "trying to create the V4 ticket file"); - goto cleanup; - } - /* stash ticket, session key, etc. for future use */ - if ((icode = krb_save_credentials(v4creds.service, - v4creds.instance, - v4creds.realm, - v4creds.session, - v4creds.lifetime, - v4creds.kvno, - &(v4creds.ticket_st), - v4creds.issue_date))) { - com_err(progname, icode, - "trying to save the V4 ticket"); - goto cleanup; - } - - cleanup: - memset(&v4creds, 0, sizeof(v4creds)); - if (v5creds) - krb5_free_creds(k5->ctx, v5creds); - increds.client = 0; - krb5_free_cred_contents(k5->ctx, &increds); - if (kpcserver) - krb5_free_principal(k5->ctx, kpcserver); - return !(code || icode); -} -#endif /* HAVE_KRB524 */ - int main(argc, argv) int argc; @@ -1149,16 +670,9 @@ main(argc, argv) { struct k_opts opts; struct k5_data k5; - struct k4_data k4; - char *progname; - + int authed_k5 = 0; progname = GET_PROGNAME(argv[0]); - progname_v5 = getvprogname("5", progname); -#ifdef KRB5_KRB4_COMPAT - progname_v4 = getvprogname("4", progname); - progname_v524 = getvprogname("524", progname); -#endif /* Ensure we can be driven from a pipe */ if(!isatty(fileno(stdin))) 
@@ -1168,49 +682,24 @@ main(argc, argv) if(!isatty(fileno(stderr))) setvbuf(stderr, 0, _IONBF, 0); - /* - This is where we would put in code to dynamically load Kerberos - libraries. Currenlty, we just get them implicitly. - */ - got_k5 = 1; -#ifdef KRB5_KRB4_COMPAT - got_k4 = 1; -#endif - memset(&opts, 0, sizeof(opts)); opts.action = INIT_PW; memset(&k5, 0, sizeof(k5)); - memset(&k4, 0, sizeof(k4)); set_com_err_hook (extended_com_err_fn); - parse_options(argc, argv, &opts, progname); - - got_k5 = k5_begin(&opts, &k5, &k4); - got_k4 = k4_begin(&opts, &k4); + parse_options(argc, argv, &opts); - authed_k5 = k5_kinit(&opts, &k5); -#ifdef HAVE_KRB524 - if (authed_k5) - authed_k4 = try_convert524(&k5); -#endif - if (!authed_k4) - authed_k4 = k4_kinit(&opts, &k4, k5.ctx); -#ifdef KRB5_KRB4_COMPAT - memset(stash_password, 0, sizeof(stash_password)); -#endif + if (k5_begin(&opts, &k5)) + authed_k5 = k5_kinit(&opts, &k5); if (authed_k5 && opts.verbose) fprintf(stderr, "Authenticated to Kerberos v5\n"); - if (authed_k4 && opts.verbose) - fprintf(stderr, "Authenticated to Kerberos v4\n"); k5_end(&k5); - k4_end(&k4); - if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4) || - (!got_k5 && !got_k4)) + if (!authed_k5) exit(1); return 0; } diff --git a/src/clients/klist/Makefile.in b/src/clients/klist/Makefile.in index 2a4977bba..6ec90b1b4 100644 --- a/src/clients/klist/Makefile.in +++ b/src/clients/klist/Makefile.in @@ -22,8 +22,8 @@ SRCS = klist.c all-unix:: klist ##WIN32##all-windows:: $(KLIST) -klist: klist.o $(KRB4COMPAT_DEPLIBS) - $(CC_LINK) -o $@ klist.o $(KRB4COMPAT_LIBS) +klist: klist.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ klist.o $(KRB5_BASE_LIBS) ##WIN32##$(KLIST): $(OUTPRE)klist.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(SLIB) $(KLIB) $(CLIB) $(EXERES) ##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(SCLIB) diff --git a/src/clients/klist/klist.M b/src/clients/klist/klist.M index c5f66d525..b3603fd5f 100644 --- a/src/clients/klist/klist.M 
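Review bot: The scrub `memset(stash_password, 0, sizeof(stash_password));` is removed from main() in kinit.c together with the krb4 calls, and nothing on the new side clears password material before `k5_end(&k5);`. The removed line sat under `#ifdef KRB5_KRB4_COMPAT`, so dropping it is presumably safe only if the `stash_password` buffer and every write to it are also deleted in hunks outside this view; that is worth confirming. If any password copy survives on the v5 path, keep a clear just before `k5_end(&k5);`, preferably through a wipe the optimizer cannot drop, since a plain `memset` right before process exit can be elided. main() begins in the previous hunk, so only its tail is visible here.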
+++ b/src/clients/klist/klist.M @@ -25,7 +25,7 @@ .SH NAME klist \- list cached Kerberos tickets .SH SYNOPSIS -\fBklist\fP [\fB\-5\fP] [\fB\-4\fP] [\fB\-e\fP] [[\fB\-c\fP] [\fB\-f\fP] +\fBklist\fP [\fB\-e\fP] [[\fB\-c\fP] [\fB\-f\fP] [\fB\-s\fP] [\fB\-a\fP [\fB\-n\fP]]] [\fB\-k\fP [\fB\-t\fP] [\fB\-K\fP]] [\fIcache_name\fP | \fIkeytab_name\fP] @@ -36,24 +36,8 @@ lists the Kerberos principal and Kerberos tickets held in a credentials cache, or the keys held in a .B keytab file. -If klist was built with Kerberos 4 support, the default behavior is to list -both Kerberos 5 and Kerberos 4 credentials. Otherwise, klist will default -to listing only Kerberos 5 credentials. .SH OPTIONS .TP -.B \-5 -list Kerberos 5 credentials. This overrides whatever the default built-in -behavior may be. This option may be used with -.B \-4 -. -.TP -.B \-4 -list Kerberos 4 credentials. This overrides whatever the default built-in -behavior may be. This option is only available if kinit was built -with Kerberos 4 compatibility. This option may be used with -.B \-5 -. -.TP .B \-e displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. @@ -133,18 +117,11 @@ uses the following environment variables: .TP "\w'.SM KRB5CCNAME\ \ 'u" .SM KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache. -.TP "\w'.SM KRBTKFILE\ \ 'u" -.SM KRBTKFILE -Filename of the Kerberos 4 credentials (ticket) cache. .SH FILES .TP "\w'/tmp/krb5cc_[uid]\ \ 'u" /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache ([uid] is the decimal UID of the user). -.TP "\w'/tmp/tkt[uid]\ \ 'u" -/tmp/tkt[uid] -default location of Kerberos 4 credentials cache -([uid] is the decimal UID of the user). .TP /etc/krb5.keytab default location for the local host's diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index f1a251c66..70ca604e5 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c 
@@ -29,9 +29,6 @@ #include "autoconf.h" #include -#ifdef KRB5_KRB4_COMPAT -#include -#endif #include #include #ifdef HAVE_UNISTD_H @@ -76,43 +73,16 @@ void printtime (time_t); void one_addr (krb5_address *); void fillit (FILE *, unsigned int, int); -#ifdef KRB5_KRB4_COMPAT -void do_v4_ccache (char *); -#endif /* KRB5_KRB4_COMPAT */ - #define DEFAULT 0 #define CCACHE 1 #define KEYTAB 2 -/* - * The reason we start out with got_k4 and got_k5 as zero (false) is - * so that we can easily add dynamic loading support for determining - * whether Kerberos 4 and Keberos 5 libraries are available - */ - -static int got_k5 = 0; -static int got_k4 = 0; - -static int default_k5 = 1; -#ifdef KRB5_KRB4_COMPAT -static int default_k4 = 1; -#else -static int default_k4 = 0; -#endif - static void usage() { #define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - fprintf(stderr, "Usage: %s [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] %s", + fprintf(stderr, "Usage: %s [-e] [[-c] [-f] [-s] [-a [-n]]] %s", progname, "[-k [-t] [-K]] [name]\n"); - fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5)); - fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4)); - fprintf(stderr, "\t (Default is %s%s%s%s)\n", - default_k5?"Kerberos 5":"", - (default_k5 && default_k4)?" and ":"", - default_k4?"Kerberos 4":"", - (!default_k5 && !default_k4)?"neither":""); fprintf(stderr, "\t-c specifies credentials cache\n"); fprintf(stderr, "\t-k specifies keytab\n"); fprintf(stderr, "\t (Default is credentials cache)\n"); @@ -136,12 +106,6 @@ main(argc, argv) int c; char *name; int mode; - int use_k5 = 0, use_k4 = 0; - - got_k5 = 1; -#ifdef KRB5_KRB4_COMPAT - got_k4 = 1; -#endif progname = GET_PROGNAME(argv[0]); 
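Review bot: In usage() in klist.c the helper macro `#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")` stays as a context line although both `fprintf` calls that used it (the `-5` and `-4` lines) are removed in this hunk. If nothing else in the file references it, delete the `#define`, so the function does not carry a dead macro that describes availability flags (`got_k5`, `got_k4`) that no longer exist. usage() continues past the end of this hunk.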
@@ -179,24 +143,10 @@ main(argc, argv) mode = KEYTAB; break; case '4': - if (!got_k4) - { -#ifdef KRB5_KRB4_COMPAT - fprintf(stderr, "Kerberos 4 support could not be loaded\n"); -#else - fprintf(stderr, "This was not built with Kerberos 4 support\n"); -#endif - exit(3); - } - use_k4 = 1; + fprintf(stderr, "Kerberos 4 is no longer supported\n"); + exit(3); break; case '5': - if (!got_k5) - { - fprintf(stderr, "Kerberos 5 support could not be loaded\n"); - exit(3); - } - use_k5 = 1; break; default: usage(); @@ -224,17 +174,6 @@ main(argc, argv) name = (optind == argc-1) ? argv[optind] : 0; - if (!use_k5 && !use_k4) - { - use_k5 = default_k5; - use_k4 = default_k4; - } - - if (!use_k5) - got_k5 = 0; - if (!use_k4) - got_k4 = 0; - now = time(0); { char tmp[BUFSIZ]; @@ -247,7 +186,6 @@ main(argc, argv) timestamp_width = 15; } - if (got_k5) { krb5_error_code retval; retval = krb5_init_context(&kcontext); @@ -260,18 +198,6 @@ main(argc, argv) do_ccache(name); else do_keytab(name); - } else { -#ifdef KRB5_KRB4_COMPAT - if (mode == DEFAULT || mode == CCACHE) - do_v4_ccache(name); - else { - /* We may want to add v4 srvtab support */ - fprintf(stderr, - "%s: srvtab option not supported for Kerberos 4\n", - progname); - exit(1); - } -#endif /* KRB4_KRB5_COMPAT */ } return 0; 
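Review bot: `case '5':` in main() of klist.c is now an empty case that goes straight to `break;` with no explanation, and the `break;` kept after `exit(3);` under `case '4':` is unreachable. Add a comment such as `/* -5 is accepted and ignored for compatibility; Kerberos 5 is the only mode */` on the `'5'` case and drop the dead `break;` after `exit(3);`. The option string passed to getopt is outside this hunk; presumably it still lists `4` and `5`, which should be confirmed so that `-4` keeps producing the explicit "no longer supported" error rather than the generic usage path. The switch starts and ends outside the hunk.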
@@ -733,105 +659,3 @@ fillit(f, num, c) for (i=0; i -#endif -static void do_v4_kvno (int count, char *names[]) -{ -#ifdef KRB5_KRB4_COMPAT - int i; - - for (i = 0; i < count; i++) { - int err; - char name[ANAME_SZ], inst[INST_SZ], realm[REALM_SZ]; - KTEXT_ST req; - CREDENTIALS creds; - *name = *inst = *realm = '\0'; - err = kname_parse (name, inst, realm, names[i]); - if (err) { - fprintf(stderr, "%s: error parsing name '%s': %s\n", - prog, names[i], krb_get_err_text(err)); - exit(1); - } - if (realm[0] == 0) { - err = krb_get_lrealm(realm, 1); - if (err) { - fprintf(stderr, "%s: error looking up local realm: %s\n", - prog, krb_get_err_text(err)); - exit(1); - } - } - err = krb_mk_req(&req, name, inst, realm, 0); - if (err) { - fprintf(stderr, "%s: krb_mk_req error: %s\n", prog, - krb_get_err_text(err)); - exit(1); - } - err = krb_get_cred(name, inst, realm, &creds); - if (err) { - fprintf(stderr, "%s: krb_get_cred error: %s\n", prog, - krb_get_err_text(err)); - exit(1); - } - if (!quiet) - printf("%s: kvno = %d\n", names[i], creds.kvno); - } -#else - xusage(); -#endif -} - #include static krb5_context context; static void extended_com_err_fn (const char *myprog, errcode_t code,