#include <afs/cmd.h>
#include <afs/ptuser.h>
+#define KERBEROS_APPLE_DEPRECATED(x)
#include <krb5.h>
#ifdef HAVE_KRB5_CREDS_KEYBLOCK
#define USING_HEIMDAL 1
#endif
-#include "assert.h"
#include "skipwrap.h"
/* This code borrowed heavily from the previous version of log. Here is the
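Review bot: The empty `#define KERBEROS_APPLE_DEPRECATED(x)` added just before `#include <krb5.h>` has no comment explaining it. As written, a later reader cannot tell that it presumably exists to blank out the deprecation attribute Apple's Kerberos headers attach to the krb5 API (confirm against the macOS build). I would put `/* Blank out Apple's deprecation attribute on the krb5 API; must stay ahead of <krb5.h> */` above it. The define only works while it precedes the include, so the ordering constraint is worth stating there too.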
zero_argc = argc;
zero_argv = argv;
- ts = cmd_CreateSyntax(NULL, CommandProc, NULL,
+ ts = cmd_CreateSyntax(NULL, CommandProc, NULL, 0,
"obtain Kerberos authentication");
#define aXFLAG 0
#define aUNWRAP 11
#define aK5 12
#define aK4 13
+#define aDES 14
- cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0);
+ cmd_AddParm(ts, "-x", CMD_FLAG, CMD_OPTIONAL, "obsolete, noop");
cmd_Seek(ts, aPRINCIPAL);
cmd_AddParm(ts, "-principal", CMD_SINGLE, CMD_OPTIONAL, "user name");
cmd_AddParm(ts, "-password", CMD_SINGLE, CMD_OPTIONAL, "user's password");
cmd_AddParm(ts, "-pipe", CMD_FLAG, CMD_OPTIONAL,
"read password from stdin");
cmd_AddParm(ts, "-silent", CMD_FLAG, CMD_OPTIONAL, "silent operation");
+ /* Note: -lifetime is not implemented in this version of klog. */
cmd_AddParm(ts, "-lifetime", CMD_SINGLE, CMD_OPTIONAL,
"ticket lifetime in hh[:mm[:ss]]");
cmd_AddParm(ts, "-setpag", CMD_FLAG, CMD_OPTIONAL,
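Review bot: `-lifetime` is still registered with the help string `"ticket lifetime in hh[:mm[:ss]]"`, although the added comment says it is not implemented and the parsing block is deleted later in this diff. A user who passes a short lifetime to limit how long the credential stays usable gets the default lifetime with no indication. The help text should say so, as this hunk already does for `-x`, for example `"ticket lifetime in hh[:mm[:ss]] (currently ignored)"`. Alternatively, a warning could be printed when `as->parms[aLIFETIME].items` is set and `Silent` is not. The `-setpag` call that follows continues outside the hunk.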
++ts->nParms; /* skip -k5 */
cmd_AddParm(ts, "-k4", CMD_FLAG, CMD_OPTIONAL|CMD_HIDDEN, 0);
#endif
+ cmd_AddParm(ts, "-insecure_des", CMD_FLAG, CMD_OPTIONAL,
+ "enable insecure single-DES for krb5");
code = cmd_Dispatch(argc, argv);
KLOGEXIT(code);
int *vicep)
{
int code;
- char tempname[PR_MAXNAMELEN + 1];
+ char tempname[2*PR_MAXNAMELEN];
code = pr_Initialize(0, AFSDIR_CLIENT_ETC_DIRPATH, cellconfig->name);
if (code)
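Review bot: The new size `char tempname[2*PR_MAXNAMELEN];` is an unexplained expression, and the code that fills the buffer is outside this hunk, so the change cannot be checked against its writers from here. If the buffer is meant to hold a name joined with a cell name (an assumption; confirm in the function body), say so in a comment such as `/* name + "@" + cell; all writes must be bounded by sizeof(tempname) */`. A larger array only moves the limit, so each copy or concatenation into `tempname` should still be length-checked rather than relying on the doubled size.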
int authtype;
#endif
krb5_data enc_part[1];
- time_t lifetime; /* requested ticket lifetime */
krb5_prompter_fct pf = NULL;
char *pass = 0;
void *pa = 0;
* krb5_allow_weak_crypto is MIT Kerberos 1.8. krb5_enctype_enable is
* Heimdal.
*/
+ if (as->parms[aDES].items) {
#if defined(HAVE_KRB5_ENCTYPE_ENABLE)
- i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
- if (i)
- krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
+ i = krb5_enctype_valid(k5context, ETYPE_DES_CBC_CRC);
+ if (i)
+ krb5_enctype_enable(k5context, ETYPE_DES_CBC_CRC);
#elif defined(HAVE_KRB5_ALLOW_WEAK_CRYPTO)
- krb5_allow_weak_crypto(k5context, 1);
+ krb5_allow_weak_crypto(k5context, 1);
#endif
+ }
/* Parse remaining arguments. */
pass = passwd;
}
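Review bot: Inside the new `if (as->parms[aDES].items)` block the results of `krb5_enctype_enable` and `krb5_allow_weak_crypto` are discarded. When neither `HAVE_KRB5_ENCTYPE_ENABLE` nor `HAVE_KRB5_ALLOW_WEAK_CRYPTO` is defined the block is empty, so `-insecure_des` can be accepted and do nothing without telling the user. I would check the result, e.g. `code = krb5_allow_weak_crypto(k5context, 1); if (code) afs_com_err(rn, code, "Unable to enable single-DES");` (assuming `code` is in scope here as it is in the later hunks), and add an `#else` that reports the flag as unsupported. Because the flag relaxes the crypto policy of the whole context, a one-line notice on stderr when it takes effect, unless `Silent`, would make that visible to whoever runs or audits the command. The enclosing function starts and ends outside the hunk.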
- if (as->parms[aLIFETIME].items) {
- char *life = as->parms[aLIFETIME].items->data;
- char *sp; /* string ptr to rest of life */
- lifetime = 3600 * strtol(life, &sp, 0); /* hours */
- if (sp == life) {
- bad_lifetime:
- if (!Silent)
- fprintf(stderr, "%s: translating '%s' to lifetime failed\n",
- rn, life);
- return 1;
- }
- if (*sp == ':') {
- life = sp + 1; /* skip the colon */
- lifetime += 60 * strtol(life, &sp, 0); /* minutes */
- if (sp == life)
- goto bad_lifetime;
- if (*sp == ':') {
- life = sp + 1;
- lifetime += strtol(life, &sp, 0); /* seconds */
- if (sp == life)
- goto bad_lifetime;
- if (*sp)
- goto bad_lifetime;
- } else if (*sp)
- goto bad_lifetime;
- } else if (*sp)
- goto bad_lifetime;
- } else
- lifetime = 0;
-
/* Get the password if it wasn't provided. */
if (!pass) {
if (Pipe) {
for (service = service_temp;;service = "afs") {
memset(mcred, 0, sizeof *mcred);
mcred->client = princ;
- /* Ask for DES since that is what rxkad understands */
- if (service && !strncmp(service, "afs", 3))
- get_creds_enctype(mcred) = ENCTYPE_DES_CBC_CRC;
code = krb5_parse_name(k5context, service, &mcred->server);
if (code) {
afs_com_err(rn, code, "Unable to parse service <%s>\n", service);
struct ktc_principal aserver[1], aclient[1];
struct ktc_token atoken[1];
- if (get_cred_keylen(afscred) != sizeof(atoken->sessionKey)) {
- afs_com_err(rn, 0, "Invalid rxkad key length (%u != 8) key type (%u)",
- get_cred_keylen(afscred),
- get_creds_enctype(afscred));
- KLOGEXIT(1);
- }
-
memset(atoken, 0, sizeof *atoken);
if (evil) {
size_t elen = enc_part->length;
}
atoken->startTime = afscred->times.starttime;
atoken->endTime = afscred->times.endtime;
- memcpy(&atoken->sessionKey, get_cred_keydata(afscred),
- get_cred_keylen(afscred));
+ if (tkt_DeriveDesKey(get_creds_enctype(afscred),
+ get_cred_keydata(afscred),
+ get_cred_keylen(afscred), &atoken->sessionKey)) {
+ afs_com_err(rn, 0,
+ "Cannot derive DES key from enctype %i of length %u",
+ get_creds_enctype(afscred),
+ (unsigned)get_cred_keylen(afscred));
+ KLOGEXIT(1);
+ }
memcpy(atoken->ticket, enc_part->data,
atoken->ticketLen = enc_part->length);
memset(aserver, 0, sizeof *aserver);
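Review bot: The `tkt_DeriveDesKey` call replaces both the raw `memcpy` and the 8-byte length check removed in the previous hunk, but nothing at the call site says it is now the only guard on enctype and key length before `atoken->sessionKey` is filled. I would add a comment above the `if`, such as `/* rxkad needs an 8-byte session key: derive it from the ticket session key of any enctype; tkt_DeriveDesKey must reject unsupported enctypes and short keys */`. As the function name and the removed `!= 8` check suggest, the token key is still a single-DES-sized key whatever enctype the KDC issued. The comment should state that too, so the stronger ticket enctype is not read as strengthening the rxkad session. The enclosing function starts outside the hunk.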