kinit: Make default-for-princ behavior optional

We can't just default to using the krb5_cc_default_for() ccache for a
principal -- that breaks a number of uses of kinit.
This commit is contained in:
Nicolas Williams
2020-05-25 14:07:05 -05:00
parent 1243ea6a9a
commit d1d900034f
3 changed files with 47 additions and 7 deletions


@@ -40,6 +40,7 @@
.Sh SYNOPSIS
.Nm kinit
.Op Fl Fl no-change-default
.Op Fl Fl default-for-principal
.Op Fl Fl afslog
.Oo Fl c Ar cachename \*(Ba Xo
.Fl Fl cache= Ns Ar cachename
@@ -114,6 +115,32 @@ the name of the principal whose credentials are stored therein. This
option is ignored if the
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
option is given.
See also
.Xr kswitch 1 .
.It Fl Fl default-for-principal
If this option is given and
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
is not given, then the cache that will be used will be one that
is appropriate for the client principal. For example, if the
default cache type is
.Ar FILE
then the default cache may be either
.Ar FILE:/tmp/krb5cc_%{uid}+%{principal_name}
or
.Ar FILE:/tmp/krb5cc_%{uid}
if the principal is the default principal for the user, meaning
that it is of rht form
.Ar ${USER}@${user_realm}
or
.Ar ${USER}@${default_realm} .
This option implies
.Fl Fl no-change-default
unless
.Fl Fl change-default
is given. Caches for the user can be listed with the
.Fl l
option to
.Xr klist 1 .
.It Fl f Fl Fl forwardable
Obtain a ticket than can be forwarded to another host.
.It Fl F Fl Fl no-forwardable
@@ -253,6 +280,7 @@ the default being
.Sh SEE ALSO
.Xr kdestroy 1 ,
.Xr klist 1 ,
.Xr kswitch 1 ,
.Xr krb5_appdefault 3 ,
.Xr krb5.conf 5
.\".Sh STANDARDS


@@ -64,7 +64,8 @@ char *server_str = NULL;
static krb5_principal tgs_service;
char *cred_cache = NULL;
char *start_str = NULL;
static int switch_cache_flags = 1;
static int switch_cache_flags = -1;
static int default_for = 0;
struct getarg_strings etype_str;
int use_keytab = 0;
char *keytab_str = NULL;
@@ -191,6 +192,9 @@ static struct getargs args[] = {
{ "change-default", 0, arg_negative_flag, &switch_cache_flags,
NP_("switch the default cache to the new credentials cache", ""), NULL },
{ "default-for-principal", 0, arg_negative_flag, &default_for,
NP_("use a default cache appropriate for the client principal name", ""), NULL },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
NP_("honor ok-as-delegate on tickets", ""), NULL },
@@ -1364,7 +1368,6 @@ main(int argc, char **argv)
#endif
krb5_boolean unique_ccache = FALSE;
krb5_boolean historical_anon_pkinit = FALSE;
krb5_boolean default_for = FALSE;
int anonymous_pkinit = FALSE;
setprogname(argv[0]);
@@ -1493,11 +1496,19 @@ main(int argc, char **argv)
krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1);
unique_ccache = TRUE;
} else {
} else if (default_for) {
ret = krb5_cc_default_for(context, principal, &ccache);
default_for = TRUE;
if (switch_cache_flags == -1)
switch_cache_flags = 0;
} else {
ret = krb5_cc_default(context, &ccache);
if (switch_cache_flags == -1)
switch_cache_flags = 0;
}
if (switch_cache_flags == -1)
switch_cache_flags = 1;
if (ret)
krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
@@ -1535,7 +1546,8 @@ main(int argc, char **argv)
if (renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag,
&ccache, principal, default_for, server_str,
&ccache, principal,
default_for ? TRUE : FALSE, server_str,
ticket_life);
#ifndef NO_AFS
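Review bot: The new `default-for-principal` entry in the getargs table is declared `arg_negative_flag` even though it starts at 0 and is meant to be switched on by `--default-for-principal`; the existing `change-default` entry uses that type because its user-visible form is the negated `--no-change-default` shown in the man page synopsis, so if getarg renders negative flags as `--no-NAME` in `--help` output (which that synopsis suggests), the new option will be advertised as `--no-default-for-principal`, contradicting the documented name. Unless there is a getarg subtlety I am not seeing, the entry should read `{ "default-for-principal", 0, arg_flag, &default_for,` with the rest unchanged. Separately, in the ccache-selection hunk the pair `if (switch_cache_flags == -1) switch_cache_flags = 0;` is repeated verbatim in both the `default_for` and plain `krb5_cc_default` branches; hoisting one copy to just after the if/else, ahead of the `== -1` → `1` fallback that then only applies to the explicit-cache branch, would make the intended "don't switch unless asked" policy easier to read. That hunk is inside main(), which starts and ends outside this section.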


@@ -139,8 +139,8 @@ export KRB5_CONFIG
unset KRB5CCNAME
rm -rf ${objdir}/kt ${objdir}/cc_dir
mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --default-for-principal --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
primary=`cat ${objdir}/cc_dir/primary`
[ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
${klist} -l |