From 7c5b0c7ac67d9df2b230f8888f542c1db30fb647 Mon Sep 17 00:00:00 2001 From: Paul Park Date: Mon, 5 Jun 1995 18:26:36 +0000 Subject: [PATCH] Add support for specifiable ccache and lifetime for admin principal git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5946 dc483132-0cff-0310-8789-dd5450dbe970 --- src/kadmin/v5client/ChangeLog | 8 ++++ src/kadmin/v5client/kadmin5.M | 31 ++++++++++++++ src/kadmin/v5client/kadmin5.c | 80 ++++++++++++++++++++++++++++++++--- src/kadmin/v5client/kadmin5.h | 4 ++ src/kadmin/v5client/network.c | 10 ++++- 5 files changed, 126 insertions(+), 7 deletions(-) diff --git a/src/kadmin/v5client/ChangeLog b/src/kadmin/v5client/ChangeLog index 4188e06b8..792bd8193 100644 --- a/src/kadmin/v5client/ChangeLog +++ b/src/kadmin/v5client/ChangeLog @@ -1,4 +1,12 @@ +Mon Jun 5 14:11:58 EDT 1995 Paul Park (pjpark@mit.edu) + * kadmin5.c - Add support for specifiable credentials caches and + ticket lifetimes. + * network.c - Use new krb5_adm_connect() calling sequence. + * kadmin5.h - Update prototypes and externals. + * kadmin5.M - Update description to add -c -l -d and -s flags. + + Thu Jun 1 14:31:49 EDT 1995 Paul Park (pjpark@mit.edu) * kadmin5.c: Change the default admin instance name to "kadmin" * kadmin5.c(kadmin_list): Compare principals to each of the supplied diff --git a/src/kadmin/v5client/kadmin5.M b/src/kadmin/v5client/kadmin5.M index 63a5cf79c..527cc2722 100644 --- a/src/kadmin/v5client/kadmin5.M +++ b/src/kadmin/v5client/kadmin5.M @@ -32,6 +32,16 @@ kadmin5 \- administer a Kerberos principal database over the network. .B \-p .I principal ] [ +.B \-c +.I ccache +] [ +.B \-l +.I [hours:]minutes +] [ +.B \-d +] [ +.B \-s +] [ .B \-m ] [ command ... ] 
@@ -46,6 +56,17 @@ specifies the default realm. specifies a principal name to use instead of the default .I user .B /kadmin@realm. +.IP \-c +.B ccache +specifies a credentials cache to use instead of the default. +.IP \-l +.B [hours:]minutes +specifies the lifetime for an administrative ticket, if one needs to be +acquired. +.IP \-d +specifies that the credentials cache is to be deleted after use. +.IP \-s +specifies that the credentials cache is to be saved for further use. .IP \-m specifies that multiple operations will be permitted for only one entry of the administrative principal's password. @@ -78,6 +99,16 @@ access control list. The default administrative principal is One command may be specified on the command line, or if no command is provided, an interactive command loop is entered for the administrator to enter commands. .PP +If a credentials cache is specified with +.I \-c +.B ccache, +then the default is not to delete the credentials cache. Otherwise, the +default is to delete it. The use of the +.I \-d +and +.I \-s +flags override this default behavior. +.PP .SH AVAILABLE COMMANDS The following is a list of commands and their aliases that the system diff --git a/src/kadmin/v5client/kadmin5.c b/src/kadmin/v5client/kadmin5.c index 5aa9fd039..47e5b8942 100644 --- a/src/kadmin/v5client/kadmin5.c +++ b/src/kadmin/v5client/kadmin5.c @@ -42,11 +42,15 @@ */ int exit_status = 0; krb5_context kcontext; +krb5_ccache ccache2use = (krb5_ccache) NULL; char *programname = (char *) NULL; char *requestname = (char *) NULL; krb5_boolean multiple = 0; char *principal_name = (char *) NULL; char *password_prompt = (char *) NULL; +char *ccname2use = (char *) NULL; +krb5_timestamp ticket_life = 0; +krb5_boolean delete_ccache = 0; extern krb5_kt_ops krb5_ktf_writable_ops; 
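Review bot: `ticket_life` is declared as `krb5_timestamp`, but what kadmin_startup() stores in it is a duration in seconds (hours*3600 + minutes*60), not a point in time; if the tree already has `krb5_deltat`, that is the type to use here and in the matching extern in kadmin5.h. The four new globals carry no comment, and `delete_ccache` in particular encodes a policy (delete at disconnect unless -s, or unless -c was given without -d) that a reader of network.c cannot recover from the name, so a one-line comment such as `/* Destroy the ccache at disconnect; -c/-d/-s policy is set in kadmin_startup() */` would help. Whether the type can change depends on the new krb5_adm_connect() parameter, whose declaration is not in this diff.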
@@ -145,9 +149,12 @@ static const char *cd_usage_fmt = "usage is %s directory"; static const char *pwd_mess_fmt = "Current directory is %s\n"; static const char *pwd_err_fmt = "cannot get current directory: %s"; static const char *pwd_usage_fmt = "usage is %s"; -static const char *kadmin_usage_fmt = "usage is %s [-r realm] [-p principal] [-m] [command ...]"; +static const char *kadmin_badtime_fmt = "%s is a bad time value"; +static const char *kadmin_usage_fmt = "usage is %s [-c ccache] [-r realm] [-p principal] [-l lifetime] [-dms] [command ...]"; +static const char *kadmin_sd_err_fmt = "-d and -s are mutually exclusive"; static const char *kadmin_defrealm_msg = ": cannot get default realm"; static const char *kadmin_srealm_fmt = ": cannot set realm to \"%s\""; +static const char *kadmin_ccache_fmt = ": cannot find credential cache %s"; static const char *kadmin_nopname_msg = ": cannot find a principal name"; static const char *kadmin_unparse_msg = ": cannot flatten principal name"; static const char *kadmin_nocomp_msg = ": no components in principal name"; @@ -1267,11 +1274,36 @@ kadmin_startup(argc, argv) extern char *optarg; extern int optind; char *action = (char *) NULL; + krb5_boolean saveit = 0; + krb5_boolean delit = 0; programname = strrchr(argv[0], (int) '/'); programname = (programname) ? programname+1 : argv[0]; - while ((option = getopt(argc, argv, "r:p:mt:")) != EOF) { + while ((option = getopt(argc, argv, "c:dsl:r:p:m")) != EOF) { switch (option) { + case 'c': + ccname2use = optarg; + break; + case 'd': + delit = 1; + break; + case 's': + saveit = 1; + break; + case 'l': + { + int hours, minutes; + + if (sscanf(optarg, "%d:%d", &hours, &minutes) == 2) + ticket_life = (hours * 3600) + (minutes * 60); + else if (sscanf(optarg, "%d", &minutes) == 1) + ticket_life = minutes * 60; + else { + com_err(argv[0], 0, kadmin_badtime_fmt, optarg); + exit(1); + } + } + break; case 'r': realm_name = optarg; break; 
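Review bot: the `-l` parsing in the getopt loop accepts values it should reject: `sscanf("%d:%d")`/`sscanf("%d")` take negative numbers, silently ignore trailing garbage (`30x`, `10:` both parse as minutes), and `hours * 3600` is signed int arithmetic that overflows (undefined behaviour) for large inputs before the result is even stored in `ticket_life`. Parse with strtol, require the whole string to be consumed, and bound the total before converting; this needs `<errno.h>`, `<limits.h>` and `<stdlib.h>`, which may or may not already be included above the visible lines. The rewrite below keeps the `[hours:]minutes` syntax and the existing `kadmin_badtime_fmt` error. Separately, `t:` was dropped from the optstring; if a `case 't'` still exists further down the switch (outside this hunk) it is now dead code.
```c
	case 'l':
	    {
		char *end;
		const char *p = optarg;
		long hours = 0, minutes;

		/* [hours:]minutes: non-negative decimal, nothing trailing. */
		errno = 0;
		minutes = strtol(p, &end, 10);
		if (end != p && *end == ':') {
		    hours = minutes;
		    p = end + 1;
		    minutes = strtol(p, &end, 10);
		}
		if (end == p || *end != '\0' || errno == ERANGE ||
		    hours < 0 || minutes < 0 ||
		    minutes > INT_MAX / 60 ||
		    hours > (INT_MAX - minutes * 60) / 3600) {
		    com_err(argv[0], 0, kadmin_badtime_fmt, optarg);
		    exit(1);
		}
		/* Assumes krb5_timestamp is at least int-wide -- confirm. */
		ticket_life = (krb5_timestamp) (hours * 3600 + minutes * 60);
	    }
	    break;
	/* … unchanged: case 'r', case 'p', case 'm' … */
```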
@@ -1287,6 +1319,14 @@ kadmin_startup(argc, argv) } } + if (delit && saveit) { + com_err(argv[0], 0, kadmin_sd_err_fmt); + exit(1); + } + + delete_ccache = (delit || saveit) ? (delit & !saveit) : + ((ccname2use) ? 0 : 1); + /* Now we do some real work */ krb5_init_context(&kcontext); krb5_init_ets(kcontext); @@ -1307,6 +1347,14 @@ kadmin_startup(argc, argv) } } + /* Verify ccache name if supplied. */ + if (ccname2use) { + if (kret = krb5_cc_resolve(kcontext, ccname2use, &ccache2use)) { + com_err(argv[0], kret, kadmin_ccache_fmt, ccname2use); + exit(4); + } + } + /* If no principal name, formulate a reasonable response */ if (!principal_name) { krb5_principal me; @@ -1320,9 +1368,31 @@ kadmin_startup(argc, argv) ccache = (krb5_ccache) NULL; user = (char *) NULL; - /* First try our default credentials cache */ - if (!(kret = krb5_cc_default(kcontext, &ccache)) && - !(kret = krb5_cc_get_principal(kcontext, ccache, &me))) { + /* First try supplied credentials cache */ + if (ccache2use && + !(kret = krb5_cc_get_principal(kcontext, ccache2use, &me))) { + + /* Use our first component, if it exists. */ + if (krb5_princ_size(kcontext, me) > 0) { + krb5_data *dp; + + dp = krb5_princ_component(kcontext, me, 0); + if (user = (char *) malloc((size_t) dp->length + 1)) { + strncpy(user, dp->data, (size_t) dp->length); + user[dp->length] = '\0'; + } + else { + kret = ENOMEM; + } + } + else { + com_err(argv[0], 0, kadmin_nocomp_msg); + exit(1); + } + } + /* Then try our default credentials cache */ + else if (!(kret = krb5_cc_default(kcontext, &ccache)) && + !(kret = krb5_cc_get_principal(kcontext, ccache, &me))) { /* Use our first component, if it exists. */ if (krb5_princ_size(kcontext, me) > 0) { diff --git a/src/kadmin/v5client/kadmin5.h b/src/kadmin/v5client/kadmin5.h index 85d6a6239..b1b52c2ee 100644 --- a/src/kadmin/v5client/kadmin5.h +++ b/src/kadmin/v5client/kadmin5.h 
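Review bot: the expression `delete_ccache = (delit || saveit) ? (delit & !saveit) : ((ccname2use) ? 0 : 1);` is harder to read than the policy it encodes, and since the `delit && saveit` case has already exited two lines above, `delit & !saveit` is just `delit`. Write it as `delete_ccache = (delit || saveit) ? delit : (ccname2use == NULL);` with a comment stating the rule the man page documents, e.g. `/* -d/-s win; otherwise a user-supplied cache is kept and an acquired one is deleted. */`. kadmin_startup() continues outside this hunk.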
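Review bot: `if (kret = krb5_cc_resolve(kcontext, ccname2use, &ccache2use))` is an unparenthesized assignment in a condition; the rest of this file uses the `!(kret = ...)` form, so `if ((kret = krb5_cc_resolve(...)) != 0)` keeps the style consistent and avoids the -Wparentheses warning (the same applies to `if (user = (char *) malloc(...))` in the next hunk). The message `kadmin_ccache_fmt` says "cannot find credential cache", but as far as I know krb5_cc_resolve() only parses the type:name string and does not check that the cache exists; a missing cache surfaces later from krb5_cc_get_principal(), so "cannot resolve credential cache %s" describes this failure more accurately.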
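Review bot: when `-c` names a cache but `krb5_cc_get_principal(kcontext, ccache2use, &me)` fails, the `else if` branch silently falls through to the default cache, so `user` (and hence `principal_name`) is derived from one cache while net_connect() still hands `ccache2use` to krb5_adm_connect(); the error on the explicitly supplied cache is also lost because `kret` is overwritten. Gate the fallback on no cache having been supplied: `else if (!ccache2use && !(kret = krb5_cc_default(kcontext, &ccache)) &&`, so that a bad `-c` cache reaches the no-principal error path instead (that path is outside this hunk, so please confirm it reports `kret`). The first-component extraction is now duplicated verbatim in both branches; selecting the cache handle first and running a single krb5_cc_get_principal()/malloc/strncpy block would remove the copy, with `memcpy` being the clearer call for a length-bounded copy that is NUL-terminated by hand. kadmin_startup() continues outside this hunk.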
@@ -38,6 +38,10 @@ extern char *requestname; extern krb5_boolean multiple; extern char *principal_name; extern char *password_prompt; +extern char *ccname2use; +extern krb5_ccache ccache2use; +extern krb5_timestamp ticket_life; +extern krb5_boolean delete_ccache; /* * Function prototypes. diff --git a/src/kadmin/v5client/network.c b/src/kadmin/v5client/network.c index 2c8b5b844..b5c1d3ea2 100644 --- a/src/kadmin/v5client/network.c +++ b/src/kadmin/v5client/network.c @@ -155,13 +155,16 @@ net_connect() if (!multiple || !server_active) { char opassword[KRB5_ADM_MAX_PASSWORD_LEN]; + server_ccache = (ccache2use) ? ccache2use : (krb5_ccache) NULL; if (!(kret = server_stat = krb5_adm_connect(kcontext, principal_name, password_prompt, opassword, &server_socket, &server_auth_context, - &server_ccache))) { + &server_ccache, + ccname2use, + ticket_life))) { server_active = 1; memset(opassword, 0, KRB5_ADM_MAX_PASSWORD_LEN); } @@ -223,7 +226,10 @@ net_disconnect(force) krb5_adm_disconnect(kcontext, &server_socket, server_auth_context, - server_ccache); + (delete_ccache) ? server_ccache : + (krb5_ccache) NULL); + if (!delete_ccache) + krb5_cc_close(kcontext, server_ccache); /* Clean up our state. */ server_socket = -1; -- 2.26.2
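Review bot: `server_ccache = (ccache2use) ? ccache2use : (krb5_ccache) NULL;` is just `server_ccache = ccache2use;`, since the ternary maps NULL to NULL. Passing both the resolved handle (through `&server_ccache`) and the raw name `ccname2use` to krb5_adm_connect() looks redundant; its new signature is not in this diff, so if the name is only consulted when no handle is supplied, a one-line comment at the call saying so would spare the next reader a trip into the library. Separately, and pre-existing rather than introduced here, `opassword` is wiped only inside the success branch, so on a failed connect the password stays on the stack; the clear belongs after the if/else on both paths (and a plain memset of a buffer that is never read again may be dropped by the optimizer, so a non-elidable clear is preferable if the tree has one). net_connect() continues outside this hunk.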
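Review bot: after `krb5_cc_close(kcontext, server_ccache)` the global `ccache2use` still points at the same handle whenever a `-c` cache was supplied (net_connect() sets `server_ccache = ccache2use`), and the same aliasing presumably holds when the handle is instead passed to krb5_adm_disconnect() for deletion. The `!multiple || !server_active` test in net_connect() suggests a reconnect can follow a disconnect, in which case the next connect would pass a released handle back to krb5_adm_connect(). Drop the alias once the handle is gone, after the close/disconnect: `if (server_ccache == ccache2use) ccache2use = (krb5_ccache) NULL;`. Whether the "Clean up our state" block below also resets `server_ccache` is outside the hunk; if it does not, it should.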