1/* 2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan 3 * (Royal Institute of Technology, Stockholm, Sweden). 4 * All rights reserved. 5 * 6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved. 7 * 8 * Redistribution and use in source and binary forms, with or without 9 * modification, are permitted provided that the following conditions 10 * are met: 11 * 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 19 * 3. Neither the name of the Institute nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36#include "kuser_locl.h" 37#include "rtbl.h" 38#include "parse_units.h" 39#include "kcc-commands.h" 40 41static char* 42printable_time_internal(time_t t, int x) 43{ 44 static char s[128]; 45 char *p; 46 47 if ((p = ctime(&t)) == NULL) 48 strlcpy(s, "?", sizeof(s)); 49 else 50 strlcpy(s, p + 4, sizeof(s)); 51 s[x] = 0; 52 return s; 53} 54 55static char* 56printable_time(time_t t) 57{ 58 return printable_time_internal(t, 20); 59} 60 61static char* 62printable_time_long(time_t t) 63{ 64 return printable_time_internal(t, 20); 65} 66 67#define COL_ISSUED NP_(" Issued","") 68#define COL_EXPIRES NP_(" Expires", "") 69#define COL_FLAGS NP_("Flags", "") 70#define COL_NAME NP_(" Name", "") 71#define COL_PRINCIPAL NP_(" Principal", "in klist output") 72#define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output") 73#define COL_CACHENAME NP_(" Cache name", "name in klist output") 74#define COL_DEFCACHE NP_("", "") 75 76static void 77print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags) 78{ 79 char *str; 80 krb5_error_code ret; 81 krb5_timestamp sec; 82 83 krb5_timeofday (context, &sec); 84 85 86 if(cred->times.starttime) 87 rtbl_add_column_entry(ct, COL_ISSUED, 88 printable_time(cred->times.starttime)); 89 else 90 rtbl_add_column_entry(ct, COL_ISSUED, 91 printable_time(cred->times.authtime)); 92 93 if(cred->times.endtime > sec) 94 rtbl_add_column_entry(ct, COL_EXPIRES, 95 printable_time(cred->times.endtime)); 96 else 97 rtbl_add_column_entry(ct, COL_EXPIRES, N_(">>>Expired<<<", "")); 98 ret = krb5_unparse_name (context, cred->server, &str); 99 if (ret) 100 krb5_err(context, 1, ret, "krb5_unparse_name"); 101 rtbl_add_column_entry(ct, COL_PRINCIPAL, str); 102 if(do_flags) { 103 char s[16], *sp = s; 104 if(cred->flags.b.forwardable) 105 *sp++ = 'F'; 106 if(cred->flags.b.forwarded) 107 *sp++ = 'f'; 108 if(cred->flags.b.proxiable) 109 *sp++ = 'P'; 110 if(cred->flags.b.proxy) 111 *sp++ = 'p'; 112 if(cred->flags.b.may_postdate) 113 *sp++ = 'D'; 114 if(cred->flags.b.postdated) 115 *sp++ = 'd'; 116 if(cred->flags.b.renewable) 117 *sp++ = 'R'; 118 if(cred->flags.b.initial) 119 *sp++ = 'I'; 120 if(cred->flags.b.invalid) 121 *sp++ = 'i'; 122 if(cred->flags.b.pre_authent) 123 *sp++ = 'A'; 124 if(cred->flags.b.hw_authent) 125 *sp++ = 'H'; 126 *sp = '\0'; 127 rtbl_add_column_entry(ct, COL_FLAGS, s); 128 } 129 free(str); 130} 131 132static void 133print_cred_verbose(krb5_context context, krb5_creds *cred) 134{ 135 size_t j; 136 char *str; 137 krb5_error_code ret; 138 krb5_timestamp sec; 139 140 krb5_timeofday (context, &sec); 141 142 ret = krb5_unparse_name(context, cred->server, &str); 143 if(ret) 144 exit(1); 145 printf(N_("Server: %s\n", ""), str); 146 free (str); 147 148 ret = krb5_unparse_name(context, cred->client, &str); 149 if(ret) 150 exit(1); 151 printf(N_("Client: %s\n", ""), str); 152 free (str); 153 154 { 155 Ticket t; 156 size_t len; 157 char *s; 158 159 decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len); 160 ret = krb5_enctype_to_string(context, t.enc_part.etype, &s); 161 printf(N_("Ticket etype: ", "")); 162 if (ret == 0) { 163 printf("%s", s); 164 free(s); 165 } else { 166 printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype); 167 } 168 if(t.enc_part.kvno) 169 printf(N_(", kvno %d", ""), *t.enc_part.kvno); 170 printf("\n"); 171 if(cred->session.keytype != t.enc_part.etype) { 172 ret = krb5_enctype_to_string(context, cred->session.keytype, &str); 173 if(ret) 174 krb5_warn(context, ret, "session keytype"); 175 else { 176 printf(N_("Session key: %s\n", "enctype"), str); 177 free(str); 178 } 179 } 180 free_Ticket(&t); 181 printf(N_("Ticket length: %lu\n", ""), 182 (unsigned long)cred->ticket.length); 183 } 184 printf(N_("Auth time: %s\n", ""), 185 printable_time_long(cred->times.authtime)); 186 if(cred->times.authtime != cred->times.starttime) 187 printf(N_("Start time: %s\n", ""), 188 printable_time_long(cred->times.starttime)); 189 printf(N_("End time: %s", ""), 190 printable_time_long(cred->times.endtime)); 191 if(sec > cred->times.endtime) 192 printf(N_(" (expired)", "")); 193 printf("\n"); 194 if(cred->flags.b.renewable) 195 printf(N_("Renew till: %s\n", ""), 196 printable_time_long(cred->times.renew_till)); 197 { 198 char flags[1024]; 199 unparse_flags(TicketFlags2int(cred->flags.b), 200 asn1_TicketFlags_units(), 201 flags, sizeof(flags)); 202 printf(N_("Ticket flags: %s\n", ""), flags); 203 } 204 printf(N_("Addresses: ", "")); 205 if (cred->addresses.len != 0) { 206 for(j = 0; j < cred->addresses.len; j++){ 207 char buf[128]; 208 size_t len; 209 if(j) printf(", "); 210 ret = krb5_print_address(&cred->addresses.val[j], 211 buf, sizeof(buf), &len); 212 213 if(ret == 0) 214 printf("%s", buf); 215 } 216 } else { 217 printf(N_("addressless", "")); 218 } 219 printf("\n\n"); 220} 221 222/* 223 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose. 224 */ 225 226static void 227print_tickets (krb5_context context, 228 krb5_ccache ccache, 229 krb5_principal principal, 230 int do_verbose, 231 int do_flags, 232 int do_hidden) 233{ 234 krb5_error_code ret; 235 char *str, *name; 236 krb5_cc_cursor cursor; 237 krb5_creds creds; 238 krb5_deltat sec; 239 240 rtbl_t ct = NULL; 241 242 ret = krb5_unparse_name (context, principal, &str); 243 if (ret) 244 krb5_err (context, 1, ret, "krb5_unparse_name"); 245 246 printf ("%17s: %s:%s\n", 247 N_("Credentials cache", ""), 248 krb5_cc_get_type(context, ccache), 249 krb5_cc_get_name(context, ccache)); 250 printf ("%17s: %s\n", N_("Principal", ""), str); 251 252 ret = krb5_cc_get_friendly_name(context, ccache, &name); 253 if (ret == 0) { 254 if (strcmp(name, str) != 0) 255 printf ("%17s: %s\n", N_("Friendly name", ""), name); 256 free(name); 257 } 258 free (str); 259 260 if(do_verbose) { 261 printf ("%17s: %d\n", N_("Cache version", ""), 262 krb5_cc_get_version(context, ccache)); 263 } else { 264 krb5_cc_set_flags(context, ccache, KRB5_TC_NOTICKET); 265 } 266 267 ret = krb5_cc_get_kdc_offset(context, ccache, &sec); 268 269 if (ret == 0 && do_verbose && sec != 0) { 270 char buf[BUFSIZ]; 271 int val; 272 int sig; 273 274 val = sec; 275 sig = 1; 276 if (val < 0) { 277 sig = -1; 278 val = -val; 279 } 280 281 unparse_time (val, buf, sizeof(buf)); 282 283 printf ("%17s: %s%s\n", N_("KDC time offset", ""), 284 sig == -1 ? "-" : "", buf); 285 } 286 287 printf("\n"); 288 289 ret = krb5_cc_start_seq_get (context, ccache, &cursor); 290 if (ret) 291 krb5_err(context, 1, ret, "krb5_cc_start_seq_get"); 292 293 if(!do_verbose) { 294 ct = rtbl_create(); 295 rtbl_add_column(ct, COL_ISSUED, 0); 296 rtbl_add_column(ct, COL_EXPIRES, 0); 297 if(do_flags) 298 rtbl_add_column(ct, COL_FLAGS, 0); 299 rtbl_add_column(ct, COL_PRINCIPAL, 0); 300 rtbl_set_separator(ct, " "); 301 } 302 while ((ret = krb5_cc_next_cred (context, 303 ccache, 304 &cursor, 305 &creds)) == 0) { 306 if (!do_hidden && krb5_is_config_principal(context, creds.server)) { 307 ; 308 }else if(do_verbose){ 309 print_cred_verbose(context, &creds); 310 }else{ 311 print_cred(context, &creds, ct, do_flags); 312 } 313 krb5_free_cred_contents (context, &creds); 314 } 315 if(ret != KRB5_CC_END) 316 krb5_err(context, 1, ret, "krb5_cc_get_next"); 317 ret = krb5_cc_end_seq_get (context, ccache, &cursor); 318 if (ret) 319 krb5_err (context, 1, ret, "krb5_cc_end_seq_get"); 320 if(!do_verbose) { 321 rtbl_format(ct, stdout); 322 rtbl_destroy(ct); 323 } 324} 325 326/* 327 * Check if there's a tgt for the realm of `principal' and ccache and 328 * if so return 0, else 1 329 */ 330 331static int 332check_for_tgt (krb5_context context, 333 krb5_ccache ccache, 334 krb5_principal principal, 335 time_t *expiration) 336{ 337 krb5_error_code ret; 338 krb5_creds pattern; 339 krb5_creds creds; 340 krb5_const_realm client_realm; 341 int expired; 342 343 krb5_cc_clear_mcred(&pattern); 344 345 client_realm = krb5_principal_get_realm(context, principal); 346 347 ret = krb5_make_principal (context, &pattern.server, 348 client_realm, KRB5_TGS_NAME, client_realm, NULL); 349 if (ret) 350 krb5_err (context, 1, ret, "krb5_make_principal"); 351 pattern.client = principal; 352 353 ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds); 354 krb5_free_principal (context, pattern.server); 355 if (ret) { 356 if (ret == KRB5_CC_END) 357 return 1; 358 krb5_err (context, 1, ret, "krb5_cc_retrieve_cred"); 359 } 360 361 expired = time(NULL) > creds.times.endtime; 362 363 if (expiration) 364 *expiration = creds.times.endtime; 365 366 krb5_free_cred_contents (context, &creds); 367 368 return expired; 369} 370 371/* 372 * Print a list of all AFS tokens 373 */ 374 375#ifndef NO_AFS 376 377static void 378display_tokens(int do_verbose) 379{ 380 uint32_t i; 381 unsigned char t[4096]; 382 struct ViceIoctl parms; 383 384 parms.in = (void *)&i; 385 parms.in_size = sizeof(i); 386 parms.out = (void *)t; 387 parms.out_size = sizeof(t); 388 389 for (i = 0;; i++) { 390 int32_t size_secret_tok, size_public_tok; 391 unsigned char *cell; 392 struct ClearToken ct; 393 unsigned char *r = t; 394 struct timeval tv; 395 char buf1[20], buf2[20]; 396 397 if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) { 398 if(errno == EDOM) 399 break; 400 continue; 401 } 402 if(parms.out_size > sizeof(t)) 403 continue; 404 if(parms.out_size < sizeof(size_secret_tok)) 405 continue; 406 t[min(parms.out_size,sizeof(t)-1)] = 0; 407 memcpy(&size_secret_tok, r, sizeof(size_secret_tok)); 408 /* dont bother about the secret token */ 409 r += size_secret_tok + sizeof(size_secret_tok); 410 if (parms.out_size < (r - t) + sizeof(size_public_tok)) 411 continue; 412 memcpy(&size_public_tok, r, sizeof(size_public_tok)); 413 r += sizeof(size_public_tok); 414 if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t)) 415 continue; 416 memcpy(&ct, r, size_public_tok); 417 r += size_public_tok; 418 /* there is a int32_t with length of cellname, but we dont read it */ 419 r += sizeof(int32_t); 420 cell = r; 421 422 gettimeofday (&tv, NULL); 423 strlcpy (buf1, printable_time(ct.BeginTimestamp), 424 sizeof(buf1)); 425 if (do_verbose || tv.tv_sec < ct.EndTimestamp) 426 strlcpy (buf2, printable_time(ct.EndTimestamp), 427 sizeof(buf2)); 428 else 429 strlcpy (buf2, N_(">>> Expired <<<", ""), sizeof(buf2)); 430 431 printf("%s %s ", buf1, buf2); 432 433 if ((ct.EndTimestamp - ct.BeginTimestamp) & 1) 434 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct.ViceId, cell); 435 else 436 printf(N_("Tokens for %s", ""), cell); 437 if (do_verbose) 438 printf(" (%d)", ct.AuthHandle); 439 putchar('\n'); 440 } 441} 442#endif 443 444/* 445 * display the ccache in `cred_cache' 446 */ 447 448static int 449display_v5_ccache (krb5_context context, krb5_ccache ccache, 450 int do_test, int do_verbose, 451 int do_flags, int do_hidden) 452{ 453 krb5_error_code ret; 454 krb5_principal principal; 455 int exit_status = 0; 456 457 458 ret = krb5_cc_get_principal (context, ccache, &principal); 459 if (ret) { 460 if(ret == ENOENT) { 461 if (!do_test) 462 krb5_warnx(context, N_("No ticket file: %s", ""), 463 krb5_cc_get_name(context, ccache)); 464 return 1; 465 } else 466 krb5_err (context, 1, ret, "krb5_cc_get_principal"); 467 } 468 if (do_test) 469 exit_status = check_for_tgt (context, ccache, principal, NULL); 470 else 471 print_tickets (context, ccache, principal, do_verbose, 472 do_flags, do_hidden); 473 474 ret = krb5_cc_close (context, ccache); 475 if (ret) 476 krb5_err (context, 1, ret, "krb5_cc_close"); 477 478 krb5_free_principal (context, principal); 479 480 return exit_status; 481} 482 483/* 484 * 485 */ 486 487static int 488list_caches(krb5_context context) 489{ 490 krb5_cc_cache_cursor cursor; 491 const char *cdef_name; 492 char *def_name; 493 krb5_error_code ret; 494 krb5_ccache id; 495 rtbl_t ct; 496 497 cdef_name = krb5_cc_default_name(context); 498 if (cdef_name == NULL) 499 krb5_errx(context, 1, "krb5_cc_default_name"); 500 def_name = strdup(cdef_name); 501 502 ret = krb5_cc_cache_get_first (context, NULL, &cursor); 503 if (ret == KRB5_CC_NOSUPP) 504 return 0; 505 else if (ret) 506 krb5_err (context, 1, ret, "krb5_cc_cache_get_first"); 507 508 ct = rtbl_create(); 509 rtbl_add_column(ct, COL_NAME, 0); 510 rtbl_add_column(ct, COL_CACHENAME, 0); 511 rtbl_add_column(ct, COL_EXPIRES, 0); 512 rtbl_add_column(ct, COL_DEFCACHE, 0); 513 rtbl_set_prefix(ct, " "); 514 rtbl_set_column_prefix(ct, COL_NAME, ""); 515 516 while (krb5_cc_cache_next (context, cursor, &id) == 0) { 517 krb5_principal principal = NULL; 518 int expired = 0; 519 char *name; 520 time_t t; 521 522 ret = krb5_cc_get_principal(context, id, &principal); 523 if (ret) 524 continue; 525 526 expired = check_for_tgt (context, id, principal, &t); 527 528 ret = krb5_cc_get_friendly_name(context, id, &name); 529 if (ret == 0) { 530 const char *str; 531 char *fname; 532 rtbl_add_column_entry(ct, COL_NAME, name); 533 rtbl_add_column_entry(ct, COL_CACHENAME, 534 krb5_cc_get_name(context, id)); 535 if (expired) 536 str = N_(">>> Expired <<<", ""); 537 else 538 str = printable_time(t); 539 rtbl_add_column_entry(ct, COL_EXPIRES, str); 540 free(name); 541 542 ret = krb5_cc_get_full_name(context, id, &fname); 543 if (ret) 544 krb5_err (context, 1, ret, "krb5_cc_get_full_name"); 545 546 if (strcmp(fname, def_name) == 0) 547 rtbl_add_column_entry(ct, COL_DEFCACHE, "*"); 548 else 549 rtbl_add_column_entry(ct, COL_DEFCACHE, ""); 550 551 krb5_xfree(fname); 552 } 553 krb5_cc_close(context, id); 554 555 krb5_free_principal(context, principal); 556 } 557 558 krb5_cc_cache_end_seq_get(context, cursor); 559 560 free(def_name); 561 rtbl_format(ct, stdout); 562 rtbl_destroy(ct); 563 564 return 0; 565} 566 567/* 568 * 569 */ 570 571int 572klist(struct klist_options *opt, int argc, char **argv) 573{ 574 krb5_error_code ret; 575 int exit_status = 0; 576 577 int do_verbose = 578 opt->verbose_flag || 579 opt->a_flag || 580 opt->n_flag; 581 int do_test = 582 opt->test_flag || 583 opt->s_flag; 584 585 if (opt->list_all_flag) { 586 exit_status = list_caches(kcc_context); 587 return exit_status; 588 } 589 590 if (opt->v5_flag) { 591 krb5_ccache id; 592 593 if (opt->all_content_flag) { 594 krb5_cc_cache_cursor cursor; 595 596 ret = krb5_cc_cache_get_first(kcc_context, NULL, &cursor); 597 if (ret) 598 krb5_err(kcc_context, 1, ret, "krb5_cc_cache_get_first"); 599 600 601 while (krb5_cc_cache_next(kcc_context, cursor, &id) == 0) { 602 exit_status |= display_v5_ccache(kcc_context, id, do_test, 603 do_verbose, opt->flags_flag, 604 opt->hidden_flag); 605 printf("\n\n"); 606 } 607 krb5_cc_cache_end_seq_get(kcc_context, cursor); 608 609 } else { 610 if(opt->cache_string) { 611 ret = krb5_cc_resolve(kcc_context, opt->cache_string, &id); 612 if (ret) 613 krb5_err(kcc_context, 1, ret, "%s", opt->cache_string); 614 } else { 615 ret = krb5_cc_default(kcc_context, &id); 616 if (ret) 617 krb5_err(kcc_context, 1, ret, "krb5_cc_resolve"); 618 } 619 exit_status = display_v5_ccache(kcc_context, id, do_test, 620 do_verbose, opt->flags_flag, 621 opt->hidden_flag); 622 } 623 } 624 625 if (!do_test) { 626#ifndef NO_AFS 627 if (opt->tokens_flag && k_hasafs()) { 628 if (opt->v5_flag) 629 printf("\n"); 630 display_tokens(opt->verbose_flag); 631 } 632#endif 633 } 634 635 return exit_status; 636} 637