2 * Copyright (c) 1997-2008 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Portions Copyright (c) 2009 Apple Inc. All rights reserved.
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
15 * 2. Redistributions in binary form must reproduce the above copyright
16 * notice, this list of conditions and the following disclaimer in the
17 * documentation and/or other materials provided with the distribution.
19 * 3. Neither the name of the Institute nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
23 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #include "kuser_locl.h"
38 #include "parse_units.h"
41 printable_time(time_t t)
44 strlcpy(s, ctime(&t)+ 4, sizeof(s));
50 printable_time_long(time_t t)
53 strlcpy(s, ctime(&t)+ 4, sizeof(s));
58 #define COL_ISSUED NP_(" Issued","")
59 #define COL_EXPIRES NP_(" Expires", "")
60 #define COL_FLAGS NP_("Flags", "")
61 #define COL_NAME NP_(" Name", "")
62 #define COL_PRINCIPAL NP_(" Principal", "in klist output")
63 #define COL_PRINCIPAL_KVNO NP_(" Principal (kvno)", "in klist output")
64 #define COL_CACHENAME NP_(" Cache name", "name in klist output")
65 #define COL_DEFCACHE NP_("", "")
68 print_cred(krb5_context context, krb5_creds *cred, rtbl_t ct, int do_flags)
74 krb5_timeofday (context, &sec);
77 if(cred->times.starttime)
78 rtbl_add_column_entry(ct, COL_ISSUED,
79 printable_time(cred->times.starttime));
81 rtbl_add_column_entry(ct, COL_ISSUED,
82 printable_time(cred->times.authtime));
84 if(cred->times.endtime > sec)
85 rtbl_add_column_entry(ct, COL_EXPIRES,
86 printable_time(cred->times.endtime));
88 rtbl_add_column_entry(ct, COL_EXPIRES, N_(">>>Expired<<<", ""));
89 ret = krb5_unparse_name (context, cred->server, &str);
91 krb5_err(context, 1, ret, "krb5_unparse_name");
92 rtbl_add_column_entry(ct, COL_PRINCIPAL, str);
95 if(cred->flags.b.forwardable)
97 if(cred->flags.b.forwarded)
99 if(cred->flags.b.proxiable)
101 if(cred->flags.b.proxy)
103 if(cred->flags.b.may_postdate)
105 if(cred->flags.b.postdated)
107 if(cred->flags.b.renewable)
109 if(cred->flags.b.initial)
111 if(cred->flags.b.invalid)
113 if(cred->flags.b.pre_authent)
115 if(cred->flags.b.hw_authent)
118 rtbl_add_column_entry(ct, COL_FLAGS, s);
124 print_cred_verbose(krb5_context context, krb5_creds *cred)
131 krb5_timeofday (context, &sec);
133 ret = krb5_unparse_name(context, cred->server, &str);
136 printf(N_("Server: %s\n", ""), str);
139 ret = krb5_unparse_name(context, cred->client, &str);
142 printf(N_("Client: %s\n", ""), str);
150 decode_Ticket(cred->ticket.data, cred->ticket.length, &t, &len);
151 ret = krb5_enctype_to_string(context, t.enc_part.etype, &s);
152 printf(N_("Ticket etype: ", ""));
157 printf(N_("unknown-enctype(%d)", ""), t.enc_part.etype);
160 printf(N_(", kvno %d", ""), *t.enc_part.kvno);
162 if(cred->session.keytype != t.enc_part.etype) {
163 ret = krb5_enctype_to_string(context, cred->session.keytype, &str);
165 krb5_warn(context, ret, "session keytype");
167 printf(N_("Session key: %s\n", "enctype"), str);
172 printf(N_("Ticket length: %lu\n", ""),
173 (unsigned long)cred->ticket.length);
175 printf(N_("Auth time: %s\n", ""),
176 printable_time_long(cred->times.authtime));
177 if(cred->times.authtime != cred->times.starttime)
178 printf(N_("Start time: %s\n", ""),
179 printable_time_long(cred->times.starttime));
180 printf(N_("End time: %s", ""),
181 printable_time_long(cred->times.endtime));
182 if(sec > cred->times.endtime)
183 printf(N_(" (expired)", ""));
185 if(cred->flags.b.renewable)
186 printf(N_("Renew till: %s\n", ""),
187 printable_time_long(cred->times.renew_till));
190 unparse_flags(TicketFlags2int(cred->flags.b),
191 asn1_TicketFlags_units(),
192 flags, sizeof(flags));
193 printf(N_("Ticket flags: %s\n", ""), flags);
195 printf(N_("Addresses: ", ""));
196 if (cred->addresses.len != 0) {
197 for(j = 0; j < cred->addresses.len; j++){
201 ret = krb5_print_address(&cred->addresses.val[j],
202 buf, sizeof(buf), &len);
208 printf(N_("addressless", ""));
214 * Print all tickets in `ccache' on stdout, verbosily iff do_verbose.
218 print_tickets (krb5_context context,
220 krb5_principal principal,
227 krb5_cc_cursor cursor;
233 ret = krb5_unparse_name (context, principal, &str);
235 krb5_err (context, 1, ret, "krb5_unparse_name");
237 printf ("%17s: %s:%s\n",
238 N_("Credentials cache", ""),
239 krb5_cc_get_type(context, ccache),
240 krb5_cc_get_name(context, ccache));
241 printf ("%17s: %s\n", N_("Principal", ""), str);
243 ret = krb5_cc_get_friendly_name(context, ccache, &name);
245 if (strcmp(name, str) != 0)
246 printf ("%17s: %s\n", N_("Friendly name", ""), name);
252 printf ("%17s: %d\n", N_("Cache version", ""),
253 krb5_cc_get_version(context, ccache));
255 ret = krb5_cc_get_kdc_offset(context, ccache, &sec);
257 if (ret == 0 && do_verbose && sec != 0) {
269 unparse_time (val, buf, sizeof(buf));
271 printf ("%17s: %s%s\n", N_("KDC time offset", ""),
272 sig == -1 ? "-" : "", buf);
277 ret = krb5_cc_start_seq_get (context, ccache, &cursor);
279 krb5_err(context, 1, ret, "krb5_cc_start_seq_get");
283 rtbl_add_column(ct, COL_ISSUED, 0);
284 rtbl_add_column(ct, COL_EXPIRES, 0);
286 rtbl_add_column(ct, COL_FLAGS, 0);
287 rtbl_add_column(ct, COL_PRINCIPAL, 0);
288 rtbl_set_separator(ct, " ");
290 while ((ret = krb5_cc_next_cred (context,
294 if (!do_hidden && krb5_is_config_principal(context, creds.server)) {
296 }else if(do_verbose){
297 print_cred_verbose(context, &creds);
299 print_cred(context, &creds, ct, do_flags);
301 krb5_free_cred_contents (context, &creds);
303 if(ret != KRB5_CC_END)
304 krb5_err(context, 1, ret, "krb5_cc_get_next");
305 ret = krb5_cc_end_seq_get (context, ccache, &cursor);
307 krb5_err (context, 1, ret, "krb5_cc_end_seq_get");
309 rtbl_format(ct, stdout);
315 * Check if there's a tgt for the realm of `principal' and ccache and
316 * if so return 0, else 1
320 check_for_tgt (krb5_context context,
322 krb5_principal principal,
328 krb5_const_realm client_realm;
331 krb5_cc_clear_mcred(&pattern);
333 client_realm = krb5_principal_get_realm(context, principal);
335 ret = krb5_make_principal (context, &pattern.server,
336 client_realm, KRB5_TGS_NAME, client_realm, NULL);
338 krb5_err (context, 1, ret, "krb5_make_principal");
339 pattern.client = principal;
341 ret = krb5_cc_retrieve_cred (context, ccache, 0, &pattern, &creds);
342 krb5_free_principal (context, pattern.server);
344 if (ret == KRB5_CC_END)
346 krb5_err (context, 1, ret, "krb5_cc_retrieve_cred");
349 expired = time(NULL) > creds.times.endtime;
352 *expiration = creds.times.endtime;
354 krb5_free_cred_contents (context, &creds);
360 * Print a list of all AFS tokens
366 display_tokens(int do_verbose)
369 unsigned char t[4096];
370 struct ViceIoctl parms;
372 parms.in = (void *)&i;
373 parms.in_size = sizeof(i);
374 parms.out = (void *)t;
375 parms.out_size = sizeof(t);
378 int32_t size_secret_tok, size_public_tok;
380 struct ClearToken ct;
381 unsigned char *r = t;
383 char buf1[20], buf2[20];
385 if(k_pioctl(NULL, VIOCGETTOK, &parms, 0) < 0) {
390 if(parms.out_size > sizeof(t))
392 if(parms.out_size < sizeof(size_secret_tok))
394 t[min(parms.out_size,sizeof(t)-1)] = 0;
395 memcpy(&size_secret_tok, r, sizeof(size_secret_tok));
396 /* dont bother about the secret token */
397 r += size_secret_tok + sizeof(size_secret_tok);
398 if (parms.out_size < (r - t) + sizeof(size_public_tok))
400 memcpy(&size_public_tok, r, sizeof(size_public_tok));
401 r += sizeof(size_public_tok);
402 if (parms.out_size < (r - t) + size_public_tok + sizeof(int32_t))
404 memcpy(&ct, r, size_public_tok);
405 r += size_public_tok;
406 /* there is a int32_t with length of cellname, but we dont read it */
407 r += sizeof(int32_t);
410 gettimeofday (&tv, NULL);
411 strlcpy (buf1, printable_time(ct.BeginTimestamp),
413 if (do_verbose || tv.tv_sec < ct.EndTimestamp)
414 strlcpy (buf2, printable_time(ct.EndTimestamp),
417 strlcpy (buf2, N_(">>> Expired <<<", ""), sizeof(buf2));
419 printf("%s %s ", buf1, buf2);
421 if ((ct.EndTimestamp - ct.BeginTimestamp) & 1)
422 printf(N_("User's (AFS ID %d) tokens for %s", ""), ct.ViceId, cell);
424 printf(N_("Tokens for %s", ""), cell);
426 printf(" (%d)", ct.AuthHandle);
433 * display the ccache in `cred_cache'
437 display_v5_ccache (krb5_context context, krb5_ccache ccache,
438 int do_test, int do_verbose,
439 int do_flags, int do_hidden)
442 krb5_principal principal;
446 ret = krb5_cc_get_principal (context, ccache, &principal);
450 krb5_warnx(context, N_("No ticket file: %s", ""),
451 krb5_cc_get_name(context, ccache));
454 krb5_err (context, 1, ret, "krb5_cc_get_principal");
457 exit_status = check_for_tgt (context, ccache, principal, NULL);
459 print_tickets (context, ccache, principal, do_verbose,
460 do_flags, do_hidden);
462 ret = krb5_cc_close (context, ccache);
464 krb5_err (context, 1, ret, "krb5_cc_close");
466 krb5_free_principal (context, principal);
476 list_caches(krb5_context context)
478 krb5_cc_cache_cursor cursor;
479 const char *cdef_name;
485 cdef_name = krb5_cc_default_name(context);
486 if (cdef_name == NULL)
487 krb5_errx(context, 1, "krb5_cc_default_name");
488 def_name = strdup(cdef_name);
490 ret = krb5_cc_cache_get_first (context, NULL, &cursor);
491 if (ret == KRB5_CC_NOSUPP)
494 krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
497 rtbl_add_column(ct, COL_NAME, 0);
498 rtbl_add_column(ct, COL_CACHENAME, 0);
499 rtbl_add_column(ct, COL_EXPIRES, 0);
500 rtbl_add_column(ct, COL_DEFCACHE, 0);
501 rtbl_set_prefix(ct, " ");
502 rtbl_set_column_prefix(ct, COL_NAME, "");
504 while (krb5_cc_cache_next (context, cursor, &id) == 0) {
505 krb5_principal principal = NULL;
510 ret = krb5_cc_get_principal(context, id, &principal);
514 expired = check_for_tgt (context, id, principal, &t);
516 ret = krb5_cc_get_friendly_name(context, id, &name);
520 rtbl_add_column_entry(ct, COL_NAME, name);
521 rtbl_add_column_entry(ct, COL_CACHENAME,
522 krb5_cc_get_name(context, id));
524 str = N_(">>> Expired <<<", "");
526 str = printable_time(t);
527 rtbl_add_column_entry(ct, COL_EXPIRES, str);
530 ret = krb5_cc_get_full_name(context, id, &fname);
532 krb5_err (context, 1, ret, "krb5_cc_get_full_name");
534 if (strcmp(fname, def_name) == 0)
535 rtbl_add_column_entry(ct, COL_DEFCACHE, "*");
537 rtbl_add_column_entry(ct, COL_DEFCACHE, "");
541 krb5_cc_close(context, id);
543 krb5_free_principal(context, principal);
546 krb5_cc_cache_end_seq_get(context, cursor);
549 rtbl_format(ct, stdout);
559 static int version_flag = 0;
560 static int help_flag = 0;
561 static int do_verbose = 0;
562 static int do_list_caches = 0;
563 static int do_all_content = 0;
564 static int do_test = 0;
566 static int do_tokens = 0;
568 static int do_v5 = 1;
569 static char *cred_cache;
570 static int do_flags = 0;
571 static int do_hidden = 0;
573 static struct getargs args[] = {
574 { NULL, 'f', arg_flag, &do_flags },
575 { "cache", 'c', arg_string, &cred_cache,
576 NP_("credentials cache to list", ""), "cache" },
577 { "test", 't', arg_flag, &do_test,
578 NP_("test for having tickets", ""), NULL },
579 { NULL, 's', arg_flag, &do_test },
581 { "tokens", 'T', arg_flag, &do_tokens,
582 NP_("display AFS tokens", ""), NULL },
584 { "v5", '5', arg_flag, &do_v5,
585 NP_("display v5 cred cache", ""), NULL},
586 { "all-content", 'A', arg_flag, &do_all_content,
587 NP_("all caches with their content", ""), NULL },
588 { "list-caches", 'l', arg_flag, &do_list_caches,
589 NP_("list all caches", ""), NULL },
590 { "verbose", 'v', arg_flag, &do_verbose,
591 NP_("verbose output", ""), NULL },
592 { "hidden", 0, arg_flag, &do_hidden,
593 NP_("display hidden credentials", ""), NULL },
594 { NULL, 'a', arg_flag, &do_verbose },
595 { NULL, 'n', arg_flag, &do_verbose },
596 { "version", 0, arg_flag, &version_flag,
597 NP_("print version", ""), NULL },
598 { "help", 0, arg_flag, &help_flag,
605 arg_printusage_i18n (args,
606 sizeof(args)/sizeof(*args),
615 main (int argc, char **argv)
617 krb5_context context;
622 setprogname (argv[0]);
624 setlocale (LC_ALL, "");
625 bindtextdomain ("heimdal_kuser", HEIMDAL_LOCALEDIR);
626 textdomain("heimdal_kuser");
628 if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
644 ret = krb5_init_context (&context);
646 errx (1, "krb5_init_context failed: %d", ret);
649 if (do_list_caches) {
650 exit_status = list_caches(context);
657 if (do_all_content) {
658 krb5_cc_cache_cursor cursor;
660 ret = krb5_cc_cache_get_first (context, NULL, &cursor);
662 krb5_err (context, 1, ret, "krb5_cc_cache_get_first");
665 while (krb5_cc_cache_next (context, cursor, &id) == 0) {
666 exit_status |= display_v5_ccache(context, id, do_test,
667 do_verbose, do_flags,
671 krb5_cc_cache_end_seq_get(context, cursor);
675 ret = krb5_cc_resolve(context, cred_cache, &id);
677 krb5_err (context, 1, ret, "%s", cred_cache);
679 ret = krb5_cc_default (context, &id);
681 krb5_err (context, 1, ret, "krb5_cc_resolve");
683 exit_status = display_v5_ccache(context, id, do_test,
684 do_verbose, do_flags,
691 if (do_tokens && k_hasafs ()) {
694 display_tokens (do_verbose);
699 krb5_free_context(context);