From 2e6de997360ecefbe42d58af88f275939c4b5266 Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Tue, 14 Apr 2009 15:05:21 +0000 Subject: [PATCH] Implement kinit option for FAST armor ccache Implement the -T option to kinit to specify the FAST armor ccache. ticket: 6460 Target_version: 1.7 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22209 dc483132-0cff-0310-8789-dd5450dbe970 --- src/clients/kinit/kinit.M | 6 +++++- src/clients/kinit/kinit.c | 17 ++++++++++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/src/clients/kinit/kinit.M b/src/clients/kinit/kinit.M index 60336a24e..05a5ae890 100644 --- a/src/clients/kinit/kinit.M +++ b/src/clients/kinit/kinit.M @@ -37,7 +37,7 @@ kinit \- obtain and cache Kerberos ticket-granting ticket [\fB\-A\fP] [\fB\-v\fP] [\fB\-R\fP] [\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP] -[\fB\-S\fP \fIservice_name\fP] +[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP] [\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]] [\fIprincipal\fP] .ad b @@ -130,6 +130,10 @@ the .I keytab_file option; otherwise the default name and location will be used. .TP +\fB\-T\fP \fIarmor_ccache\fP +Specifies the name of a credential cache that already contains a ticket. This ccache +will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal. +.TP \fB\-c\fP \fIcache_name\fP use .I cache_name diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index e2a0f089b..42896122a 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c @@ -117,6 +117,7 @@ struct k_opts char* service_name; char* keytab_name; char* k5_cache_name; + char *armor_ccache; action_type action; @@ -195,9 +196,10 @@ usage() USAGE_BREAK "[-v] [-R] " "[-k [-t keytab_file]] " - "[-c cachename] " + "[-c cachename] " + USAGE_BREAK + "[-S service_name]""-T ticket_armor_cache" USAGE_BREAK - "[-S service_name]" "[-X [=]] [principal]" "\n\n", progname); 
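Review bot: The usage text added in usage() prints the new option as `[-S service_name]-T ticket_armor_cache`, because the two adjacent string literals have no space between them and `-T` lacks the square brackets that the other optional flags carry, so it reads as a required argument. The placeholder name also differs from the `armor_ccache` used in the kinit.M hunks of the same patch. Suggest replacing that line with `"[-S service_name] [-T armor_ccache] "`. usage() starts and ends outside the hunk.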
@@ -278,7 +280,7 @@ parse_options(argc, argv, opts) int errflg = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE")) + while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE")) != -1) { switch (i) { case 'V': @@ -347,6 +349,12 @@ parse_options(argc, argv, opts) opts->keytab_name = optarg; } break; + case 'T': + if (opts->armor_ccache) { + fprintf(stderr, "Only one armor_ccache\n"); + errflg++; + } else opts->armor_ccache = optarg; + break; case 'R': opts->action = RENEW; break; @@ -585,6 +593,9 @@ k5_kinit(opts, k5) } if (opts->no_addresses) krb5_get_init_creds_opt_set_address_list(options, NULL); + if (opts->armor_ccache) + krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); + if ((opts->action == INIT_KT) && opts->keytab_name) { -- 2.26.2
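Review bot: The duplicate-option message in the new `case 'T':` arm, `"Only one armor_ccache\n"`, does not name the flag the user typed; `"Only one -T option allowed\n"` would say which argument to drop. The `else` is unbraced and shares a line with its statement, while the arm just above it in the context appears to close a braced block, so `} else { opts->armor_ccache = optarg; }` would match the surrounding style. A short comment such as `/* points into argv; not copied or owned */` on the assignment would record that the stored name is the raw `optarg` pointer. parse_options continues outside the hunk.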
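Review bot: The return value of `krb5_get_init_creds_opt_set_fast_ccache_name()` in k5_kinit is discarded, so if the call fails kinit would presumably go on to send the initial request without the armor the user asked for with -T. The man page text in this patch describes the armor as making an attacker defeat both the armor ticket and the principal's key, so a failure here should abort rather than silently fall back to an unarmored exchange. Capture and check the result, e.g. `code = krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);` followed by `if (code) { com_err(progname, code, "while setting FAST armor ccache"); goto cleanup; }`. k5_kinit starts and ends outside the hunk, so the `code` variable and `cleanup` label are assumed and should be matched to what the function actually declares.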