#include <afs/cmd.h>
#include <afs/ptuser.h>
+#define KERBEROS_APPLE_DEPRECATED(x)
#include <krb5.h>
#ifdef HAVE_KRB5_CREDS_KEYBLOCK
#define USING_HEIMDAL 1
#endif
-#include "assert.h"
#include "skipwrap.h"
/* This code borrowed heavily from the previous version of log. Here is the
zero_argc = argc;
zero_argv = argv;
- ts = cmd_CreateSyntax(NULL, CommandProc, NULL,
+ ts = cmd_CreateSyntax(NULL, CommandProc, NULL, 0,
"obtain Kerberos authentication");
#define aXFLAG 0
#define aK5 12
#define aK4 13
- cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0);
+ cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL, "obsolete, noop");
cmd_Seek(ts, aPRINCIPAL);
cmd_AddParm(ts, "-principal", CMD_SINGLE, CMD_OPTIONAL, "user name");
cmd_AddParm(ts, "-password", CMD_SINGLE, CMD_OPTIONAL, "user's password");
cmd_AddParm(ts, "-pipe", CMD_FLAG, CMD_OPTIONAL,
"read password from stdin");
cmd_AddParm(ts, "-silent", CMD_FLAG, CMD_OPTIONAL, "silent operation");
+ /* Note: -lifetime is not implemented in this version of klog. */
cmd_AddParm(ts, "-lifetime", CMD_SINGLE, CMD_OPTIONAL,
"ticket lifetime in hh[:mm[:ss]]");
cmd_AddParm(ts, "-setpag", CMD_FLAG, CMD_OPTIONAL,
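Review bot: `-lifetime` is still registered with the help text "ticket lifetime in hh[:mm[:ss]]", but the added comment says it is not implemented and the parsing block is removed further down in this commit, so a value given on the command line is accepted and silently dropped. Someone who asks for a short-lived ticket then gets whatever lifetime the library and KDC default to, with no indication that the request was ignored. I would say so in the help string, e.g. `"ticket lifetime in hh[:mm[:ss]] (ignored)"`, and warn where the option used to be parsed: `if (as->parms[aLIFETIME].items && !Silent) fprintf(stderr, "%s: -lifetime is not implemented, ignoring\n", rn);`. The command handler's body lies outside this hunk.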
int authtype;
#endif
krb5_data enc_part[1];
- time_t lifetime; /* requested ticket lifetime */
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
pass = passwd;
}
- if (as->parms[aLIFETIME].items) {
- char *life = as->parms[aLIFETIME].items->data;
- char *sp; /* string ptr to rest of life */
- lifetime = 3600 * strtol(life, &sp, 0); /* hours */
- if (sp == life) {
- bad_lifetime:
- if (!Silent)
- fprintf(stderr, "%s: translating '%s' to lifetime failed\n",
- rn, life);
- return 1;
- }
- if (*sp == ':') {
- life = sp + 1; /* skip the colon */
- lifetime += 60 * strtol(life, &sp, 0); /* minutes */
- if (sp == life)
- goto bad_lifetime;
- if (*sp == ':') {
- life = sp + 1;
- lifetime += strtol(life, &sp, 0); /* seconds */
- if (sp == life)
- goto bad_lifetime;
- if (*sp)
- goto bad_lifetime;
- } else if (*sp)
- goto bad_lifetime;
- } else if (*sp)
- goto bad_lifetime;
- } else
- lifetime = 0;
-
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
} else
#endif
snprintf (service_temp, sizeof service_temp, "afs/%s", cellconfig->name);
- if (writeTicketFile)
- service = 0;
- else
- service = service_temp;
klog_arg->pp = &pass;
klog_arg->pstore = passwd;
#else
krb5_get_init_creds_opt_init(gic_opts);
#endif
+
for (;;) {
- code = krb5_get_init_creds_password(k5context,
+ code = krb5_get_init_creds_password(k5context,
incred,
princ,
pass,
pf, /* prompter */
pa, /* data */
0, /* start_time */
- service, /* in_tkt_service */
+ 0, /* in_tkt_service */
gic_opts);
- if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
-#ifdef AFS_RXK5
- if (authtype & FORCE_RXK5) break;
-#endif
- service = "afs";
+ if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ break;
}
memset(passwd, 0, sizeof(passwd));
if (code) {
char *r = 0;
if (krb5_get_default_realm(k5context, &r))
r = 0;
- if (service)
- afs_com_err(rn, code, "Unable to authenticate to use %s", service);
- else if (r)
+ if (r)
afs_com_err(rn, code, "Unable to authenticate in realm %s", r);
else
afs_com_err(rn, code, "Unable to authenticate to use cell %s",
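Review bot: The `for (;;)` loop around krb5_get_init_creds_password() no longer has anything that changes between iterations. With `in_tkt_service` fixed at 0 and the `service = "afs"` fallback removed, a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN result repeats the identical request indefinitely. Depending on the prompter, that may also mean asking for or re-sending the password for as long as the KDC, or anything answering in its place, keeps returning that error. Since no alternative service is left to retry with, I would drop the loop and the conditional `break` and make the call once, leaving the existing `if (code)` path to report the failure. The enclosing function starts before this hunk.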
KLOGEXIT(code);
}
- if (service) {
- afscred = incred;
- } else {
- for (;;writeTicketFile = 0) {
- if (writeTicketFile) {
- what = "getting default ccache";
- code = krb5_cc_default(k5context, &cc);
- } else {
- what = "krb5_cc_resolve";
- code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
- if (code) goto Failed;
- }
- what = "initializing ccache";
- code = krb5_cc_initialize(k5context, cc, princ);
- if (code) goto Failed;
- what = "writing Kerberos ticket file";
- code = krb5_cc_store_cred(k5context, cc, incred);
- if (code) goto Failed;
- if (writeTicketFile)
- fprintf(stderr,
- "Wrote ticket file to %s\n",
- krb5_cc_get_name(k5context, cc));
- break;
- Failed:
- if (code)
- afs_com_err(rn, code, "%s", what);
- if (writeTicketFile) {
- if (cc) {
- krb5_cc_close(k5context, cc);
- cc = 0;
- }
- continue;
- }
- KLOGEXIT(code);
- }
+ for (;;writeTicketFile = 0) {
+ if (writeTicketFile) {
+ what = "getting default ccache";
+ code = krb5_cc_default(k5context, &cc);
+ } else {
+ what = "krb5_cc_resolve";
+ code = krb5_cc_resolve(k5context, "MEMORY:core", &cc);
+ if (code) goto Failed;
+ }
+ what = "initializing ccache";
+ code = krb5_cc_initialize(k5context, cc, princ);
+ if (code) goto Failed;
+ what = "writing Kerberos ticket file";
+ code = krb5_cc_store_cred(k5context, cc, incred);
+ if (code) goto Failed;
+ if (writeTicketFile)
+ fprintf(stderr,
+ "Wrote ticket file to %s\n",
+ krb5_cc_get_name(k5context, cc));
+ break;
+ Failed:
+ if (code)
+ afs_com_err(rn, code, "%s", what);
+ if (writeTicketFile) {
+ if (cc) {
+ krb5_cc_close(k5context, cc);
+ cc = 0;
+ }
+ continue;
+ }
+ KLOGEXIT(code);
+ }
- for (service = service_temp;;service = "afs") {
- memset(mcred, 0, sizeof *mcred);
- mcred->client = princ;
- code = krb5_parse_name(k5context, service, &mcred->server);
- if (code) {
- afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
- KLOGEXIT(code);
- }
- if (tofree) { free(tofree); tofree = 0; }
- if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
- tofree = outname;
- else outname = service;
- code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
- krb5_free_principal(k5context, mcred->server);
- if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
+ for (service = service_temp;;service = "afs") {
+ memset(mcred, 0, sizeof *mcred);
+ mcred->client = princ;
+ code = krb5_parse_name(k5context, service, &mcred->server);
+ if (code) {
+ afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
+ KLOGEXIT(code);
+ }
+ if (tofree) { free(tofree); tofree = 0; }
+ if (!(code = krb5_unparse_name(k5context, mcred->server, &outname)))
+ tofree = outname;
+ else outname = service;
+ code = krb5_get_credentials(k5context, 0, cc, mcred, &outcred);
+ krb5_free_principal(k5context, mcred->server);
+ if (code != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || service != service_temp) break;
#ifdef AFS_RXK5
- if (authtype & FORCE_RXK5) break;
+ if (authtype & FORCE_RXK5)
+ break;
#endif
- }
- afscred = outcred;
}
+ afscred = outcred;
+
if (code) {
afs_com_err(rn, code, "Unable to get credentials to use %s", outname);
KLOGEXIT(code);
}
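Review bot: In the re-indented ccache loop the result of `krb5_cc_default(k5context, &cc)` is never tested, because `if (code) goto Failed;` sits only in the `else` branch after krb5_cc_resolve(). When writeTicketFile is set and the default ccache cannot be obtained, execution continues into `krb5_cc_initialize(k5context, cc, princ)` with whatever `cc` holds, and the "getting default ccache" message is never reported. Moving the check below the if/else, `if (code) goto Failed;` directly before `what = "initializing ccache";`, covers both branches. This matters more now that the surrounding `if (service)` test is gone and every run passes through this block. The initialisation of `cc` is outside the hunk, so whether the unchecked path sees NULL or an indeterminate pointer cannot be told from here.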
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
- memcpy(&atoken->sessionKey, get_cred_keydata(afscred),
- get_cred_keylen(afscred));
+ if (tkt_DeriveDesKey(get_creds_enctype(afscred),
+ get_cred_keydata(afscred),
+ get_cred_keylen(afscred), &atoken->sessionKey)) {
+ afs_com_err(rn, 0,
+ "Cannot derive DES key from enctype %i of length %u",
+ get_creds_enctype(afscred),
+ (unsigned)get_cred_keylen(afscred));
+ KLOGEXIT(1);
+ }
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
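Review bot: The session key copy is now length-checked through tkt_DeriveDesKey(), but the ticket copy right after it still has no visible bound: `memcpy(atoken->ticket, enc_part->data, atoken->ticketLen = enc_part->length);` copies whatever length the received ticket has. If no earlier check exists outside this hunk, add one before the copy, e.g. `if (enc_part->length > sizeof atoken->ticket) { afs_com_err(rn, 0, "ticket too long (%u bytes)", (unsigned)enc_part->length); KLOGEXIT(1); }`. That example assumes `ticket` is an array member of the token struct. Assigning `atoken->ticketLen` in its own statement, rather than inside the memcpy argument, would also make the length handling easier to audit.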