authorJeffrey Altman <jaltman@secure-endpoints.com>2007-01-16 04:18:02 +0000
committerJeffrey Altman <jaltman@secure-endpoints.com>2007-01-16 04:18:02 +0000
commit7e0c27f227983df21297953d756746eeaab3204e (patch)
treeced61e5e3b20af7f5a665c336f69f3d44ed58162 /src/clients/kvno
parentc30ec9459203c1130366f7339024b5460181e077 (diff)
This commit adds two new functions, krb5_server_decrypt_ticket_keyblock
(private) and krb5_server_decrypt_ticket_keytab (public). These functions take a krb5_ticket as input and decrypt it using the provided key data. The public function is useful for higher level application protocols such as TLS-KRB5 and AFS RX-KRB5 which exchange a service ticket but do not use the AP-REQ/AP-REP messages. This commit also adds new functionality to kvno which permits kvno, when provided a keytab as input, to verify whether or not the keytab contains a key that can successfully decrypt the obtained service ticket. ticket: 5349 tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19062 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/clients/kvno')
-rw-r--r--src/clients/kvno/kvno.c52
1 files changed, 41 insertions, 11 deletions
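diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c
index a6620b9..3b22747 100644
--- a/src/clients/kvno/kvno.c
+++ b/src/clients/kvno/kvno.c
@@ -41,10 +41,10 @@ static void xusage()
 {
 #ifdef KRB5_KRB4_COMPAT
 fprintf(stderr,
- "usage: %s [-4 | [-c ccache] [-e etype]] service1 service2 ...\n",
+ "usage: %s [-4 | [-c ccache] [-e etype] [-k keytab]] service1 service2 ...\n",
 prog);
 #else
- fprintf(stderr, "usage: %s [-c ccache] [-e etype] service1 service2 ...\n",
+ fprintf(stderr, "usage: %s [-c ccache] [-e etype] [-k keytab] service1 service2 ...\n",
 prog);
 #endif
 exit(1);
@@ -54,7 +54,7 @@ int quiet = 0;
 static void do_v4_kvno (int argc, char *argv[]);
 static void do_v5_kvno (int argc, char *argv[],
- char *ccachestr, char *etypestr);
+ char *ccachestr, char *etypestr, char *keytab_name);
 #include <com_err.h>
 static void extended_com_err_fn (const char *, errcode_t, const char *,
@@ -63,7 +63,7 @@ static void extended_com_err_fn (const char *, errcode_t, const char *,
 int main(int argc, char *argv[])
 {
 int option;
- char *etypestr = 0, *ccachestr = 0;
+ char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL;
 int v4 = 0;
 set_com_err_hook (extended_com_err_fn);
@@ -71,7 +71,7 @@ int main(int argc, char *argv[])
 prog = strrchr(argv[0], '/');
 prog = prog ? (prog + 1) : argv[0];
- while ((option = getopt(argc, argv, "c:e:hq4")) != -1) {
+ while ((option = getopt(argc, argv, "c:e:hk:q4")) != -1) {
 switch (option) {
 case 'c':
 ccachestr = optarg;
@@ -82,6 +82,9 @@ int main(int argc, char *argv[])
 case 'h':
 xusage();
 break;
+ case 'k':
+ keytab_name = optarg;
+ break;
 case 'q':
 quiet = 1;
 break;
@@ -97,13 +100,13 @@ int main(int argc, char *argv[])
 if ((argc - optind) < 1)
 xusage();
- if ((ccachestr != 0 || etypestr != 0) && v4)
+ if ((ccachestr != NULL || etypestr != NULL || keytab_name != NULL) && v4)
 xusage();
 if (v4)
 do_v4_kvno(argc - optind, argv + optind);
 else
- do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr);
+ do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name);
 return 0;
 }
@@ -169,7 +172,7 @@ static void extended_com_err_fn (const char *myprog, errcode_t code,
 }
 static void do_v5_kvno (int count, char *names[],
- char * ccachestr, char *etypestr)
+ char * ccachestr, char *etypestr, char *keytab_name)
 {
 krb5_error_code ret;
 int i, errors;
@@ -179,6 +182,7 @@ static void do_v5_kvno (int count, char *names[],
 krb5_creds in_creds, *out_creds;
 krb5_ticket *ticket;
 char *princ;
+ krb5_keytab keytab = NULL;
 ret = krb5_init_context(&context);
 if (ret) {
@@ -205,6 +209,14 @@ static void do_v5_kvno (int count, char *names[],
 exit(1);
 }
+ if (keytab_name) {
+ ret = krb5_kt_resolve(context, keytab_name, &keytab);
+ if (ret) {
+ com_err(prog, ret, "resolving keytab %s", keytab_name);
+ exit(1);
+ }
+ }
+
 ret = krb5_cc_get_principal(context, ccache, &me);
 if (ret) {
 com_err(prog, ret, "while getting client principal name");
@@ -261,14 +273,32 @@ static void do_v5_kvno (int count, char *names[],
 continue;
 }
- if (!quiet)
- printf("%s: kvno = %d\n", princ, ticket->enc_part.kvno);
+ if (keytab) {
+ ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket);
+ if (ret) {
+ if (!quiet)
+ printf("%s: kvno = %d, keytab entry invalid", princ, ticket->enc_part.kvno);
+ com_err(prog, ret, "while decrypting ticket for %s", princ);
+ krb5_free_ticket(context, ticket);
+ krb5_free_creds(context, out_creds);
+ krb5_free_unparsed_name(context, princ);
+
+ errors++;
+ continue;
+ }
+ if (!quiet)
+ printf("%s: kvno = %d, keytab entry valid\n", princ, ticket->enc_part.kvno);
+ } else {
+ if (!quiet)
+ printf("%s: kvno = %d\n", princ, ticket->enc_part.kvno);
+ }
- krb5_free_ticket(context, ticket);
 krb5_free_creds(context, out_creds);
 krb5_free_unparsed_name(context, princ);
 }
+ if (keytab)
+ krb5_kt_close(context, keytab);
 krb5_free_principal(context, me);
 krb5_cc_close(context, ccache);
 krb5_free_context(context);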
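Review bot: The per-iteration ticket now leaks on every success path in the last hunk: the removed `krb5_free_ticket(context, ticket);` before `krb5_free_creds` was the only release for both the no-keytab case and the "keytab entry valid" case, and on the new side the ticket is freed only inside the decrypt-failure branch before its `continue`. Restore `krb5_free_ticket(context, ticket);` immediately before `krb5_free_creds(context, out_creds);` at the bottom of the loop; the failure branch already frees it and continues, so the unconditional call is not reached twice. The "keytab entry invalid" printf is also missing its trailing newline, so the stdout line is left unterminated while the following com_err diagnostic goes to stderr; use `"%s: kvno = %d, keytab entry invalid\n"`. The body of do_v5_kvno continues past the end of this hunk.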