oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kinit: Make default-for-princ behavior optional

Browse Source 
We can't just default to useing the krb5_cc_default_for() ccache for a
principal -- that breaks a number of uses of kinit.
This commit is contained in:
Nicolas Williams
2020-05-25 14:07:05 -05:00
parent 1243ea6a9a
commit d1d900034f
3 changed files with 47 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
kuser/kinit.1
View File

@@ -40,6 +40,7 @@
.Sh SYNOPSIS .Sh SYNOPSIS
.Nm kinit .Nm kinit
.Op Fl Fl no-change-default .Op Fl Fl no-change-default
.Op Fl Fl default-for-principal
.Op Fl Fl afslog .Op Fl Fl afslog
.Oo Fl c Ar cachename \*(Ba Xo .Oo Fl c Ar cachename \*(Ba Xo
.Fl Fl cache= Ns Ar cachename .Fl Fl cache= Ns Ar cachename
@@ -114,6 +115,32 @@ the name of the principal whose credentials are stored therein. This
option is ignored if the option is ignored if the
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename .Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
option is given. option is given.
See also
.Xr kswitch 1 .
.It Fl Fl default-for-principal
If this option is given and
.Fl c Ar cachename | Fl Fl cache= Ns Ar cachename
is not given, then the cache that will be used will be one that
is appropriate for the client principal. For example, if the
default cache type is
.Ar FILE
then the default cache may be either
.Ar FILE:/tmp/krb5cc_%{uid}+%{principal_name}
or
.Ar FILE:/tmp/krb5cc_%{uid}
if the principal is the default principal for the user, meaning
that it is of rht form
.Ar ${USER}@${user_realm}
or
.Ar ${USER}@${default_realm} .
This option implies
.Fl Fl no-change-default
unless
.Fl Fl change-default
is given. Caches for the user can be listed with the
.Fl l
option to
.Xr klist 1 .
.It Fl f Fl Fl forwardable .It Fl f Fl Fl forwardable
Obtain a ticket than can be forwarded to another host. Obtain a ticket than can be forwarded to another host.
.It Fl F Fl Fl no-forwardable .It Fl F Fl Fl no-forwardable
@@ -253,6 +280,7 @@ the default being
.Sh SEE ALSO .Sh SEE ALSO
.Xr kdestroy 1 , .Xr kdestroy 1 ,
.Xr klist 1 , .Xr klist 1 ,
.Xr kswitch 1 ,
.Xr krb5_appdefault 3 , .Xr krb5_appdefault 3 ,
.Xr krb5.conf 5 .Xr krb5.conf 5
.\".Sh STANDARDS .\".Sh STANDARDS

22
kuser/kinit.c
View File

@@ -64,7 +64,8 @@ char *server_str = NULL;
static krb5_principal tgs_service; static krb5_principal tgs_service;
char *cred_cache = NULL; char *cred_cache = NULL;
char *start_str = NULL; char *start_str = NULL;
static int switch_cache_flags = 1; static int switch_cache_flags = -1;
static int default_for = 0;
struct getarg_strings etype_str; struct getarg_strings etype_str;
int use_keytab = 0; int use_keytab = 0;
char *keytab_str = NULL; char *keytab_str = NULL;
@@ -191,6 +192,9 @@ static struct getargs args[] = {
{ "change-default", 0, arg_negative_flag, &switch_cache_flags, { "change-default", 0, arg_negative_flag, &switch_cache_flags,
NP_("switch the default cache to the new credentials cache", ""), NULL }, NP_("switch the default cache to the new credentials cache", ""), NULL },
{ "default-for-principal", 0, arg_negative_flag, &default_for,
NP_("use a default cache appropriate for the client principal name", ""), NULL },
{ "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag, { "ok-as-delegate", 0, arg_flag, &ok_as_delegate_flag,
NP_("honor ok-as-delegate on tickets", ""), NULL }, NP_("honor ok-as-delegate on tickets", ""), NULL },
@@ -1364,7 +1368,6 @@ main(int argc, char **argv)
#endif #endif
krb5_boolean unique_ccache = FALSE; krb5_boolean unique_ccache = FALSE;
krb5_boolean historical_anon_pkinit = FALSE; krb5_boolean historical_anon_pkinit = FALSE;
krb5_boolean default_for = FALSE;
int anonymous_pkinit = FALSE; int anonymous_pkinit = FALSE;
setprogname(argv[0]); setprogname(argv[0]);
@@ -1493,11 +1496,19 @@ main(int argc, char **argv)
krb5_cc_get_name(context, ccache)); krb5_cc_get_name(context, ccache));
setenv("KRB5CCNAME", s, 1); setenv("KRB5CCNAME", s, 1);
unique_ccache = TRUE; unique_ccache = TRUE;
} else { } else if (default_for) {
ret = krb5_cc_default_for(context, principal, &ccache); ret = krb5_cc_default_for(context, principal, &ccache);
default_for = TRUE; if (switch_cache_flags == -1)
switch_cache_flags = 0;
} else {
ret = krb5_cc_default(context, &ccache);
if (switch_cache_flags == -1)
switch_cache_flags = 0;
} }
if (switch_cache_flags == -1)
switch_cache_flags = 1;
if (ret) if (ret)
krb5_err(context, 1, ret, N_("resolving credentials cache", "")); krb5_err(context, 1, ret, N_("resolving credentials cache", ""));
@@ -1535,7 +1546,8 @@ main(int argc, char **argv)
if (renew_flag || validate_flag) { if (renew_flag || validate_flag) {
ret = renew_validate(context, renew_flag, validate_flag, ret = renew_validate(context, renew_flag, validate_flag,
&ccache, principal, default_for, server_str, &ccache, principal,
default_for ? TRUE : FALSE, server_str,
ticket_life); ticket_life);
#ifndef NO_AFS #ifndef NO_AFS

4
tests/kdc/check-cc.in
View File

@@ -139,8 +139,8 @@ export KRB5_CONFIG
unset KRB5CCNAME unset KRB5CCNAME
rm -rf ${objdir}/kt ${objdir}/cc_dir rm -rf ${objdir}/kt ${objdir}/cc_dir
mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; } mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; } ${kinit} --default-for-principal foo@${R} || { ec=1 ; eval "${testfailed}"; }
${kinit} --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; } ${kinit} --default-for-principal --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
primary=`cat ${objdir}/cc_dir/primary` primary=`cat ${objdir}/cc_dir/primary`
[ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; } [ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
${klist} -l | ${klist} -l |