aklog: avoid infinite lifetime tokens by default

[openafs.git] / src / aklog / aklog.c

diff --git a/src/aklog/aklog.c b/src/aklog/aklog.c
index 26a27f5..c16a600 100644 (file)
--- a/src/aklog/aklog.c
+++ b/src/aklog/aklog.c
@@ -119,6 +119,7 @@
 #define DIRSTRING "/"          /* String form of above */
 #define VOLMARKER ':'          /* Character separating cellname from mntpt */
 #define VOLMARKERSTRING ":"    /* String form of above */
+#define AKIMP_LIFETIME_MAX 720  /* Max token lifetime for akimpersonate in hours (30 days) */
 
 typedef struct {
     char cell[BUFSIZ];
@@ -303,6 +304,8 @@ static char *client = NULL;     /* client principal for akimpersonate */
 static linked_list zsublist;   /* List of zephyr subscriptions */
 static linked_list hostlist;   /* List of host addresses */
 static linked_list authedcells;        /* List of cells already logged to */
+static int akimp_lifetime = 36000;  /* Lifetime for akimpersonate tokens. Default 10 hrs */ 
+static int akimplifetime_present = 0; /* Whether a lifetime was specified for akimpersonate */
 
 /* A com_error bodge. The idea here is that this routine lets us lookup
  * things in the system com_err, if the AFS one just tells us the error
@@ -1588,6 +1591,28 @@ main(int argc, char *argv[])
            }
            else
                usage();
+        else if ((strcmp(argv[i], "-token-lifetime") == 0))
+           if (++i < argc) {
+               status = util_GetInt32(argv[i], &akimp_lifetime);
+               if (status) {
+                   fprintf(stderr,
+                           "%s: invalid value specified for token-lifetime.\n",
+                           progname);
+                   exit(AKLOG_MISC);
+               }
+
+               if (akimp_lifetime < 0 || akimp_lifetime > AKIMP_LIFETIME_MAX) {
+                   fprintf(stderr,
+                            "%s: token-lifetime must be within 0 and %d hrs.\n",
+                           progname, AKIMP_LIFETIME_MAX);
+                   exit(AKLOG_MISC);
+               }
+
+               akimp_lifetime = akimp_lifetime * 60 * 60;
+               akimplifetime_present = TRUE;
+           }
+           else
+               usage();
        else if ((strcmp(argv[i], "-principal") == 0))
            if (++i < argc) {
                client = argv[i];
@@ -1699,6 +1724,13 @@ main(int argc, char *argv[])
        }
     }
 
+    if (akimplifetime_present && !keytab) {
+       fprintf(stderr,
+               "%s: -token-lifetime is valid only if -keytab is specified.\n",
+               progname);
+       exit(AKLOG_MISC);
+    }
+
     /* If nothing was given, log to the local cell. */
     if ((cells.nelements + paths.nelements) == 0) {
        struct passwd *pwd;
@@ -2138,12 +2170,20 @@ get_credv5(krb5_context context, char *name, char *inst, char *realm,
        get_creds_enctype((&increds)) = ENCTYPE_DES_CBC_CRC;
 
     if (keytab) {
+       afs_int32 start, end;
+       start = time(NULL);
+
+       if (akimp_lifetime == 0) {
+           end = MAX_AFS_INT32;
+       } else {
+           end = start + akimp_lifetime;
+       }
 
        r = get_credv5_akimpersonate(context,
                                     keytab,
                                     increds.server,
                                     increds.client,
-                                    300, ((~0U)>>1),
+                                    start, end,
                                     0 /* paddress */,
                                     creds /* out */);
     } else {