[30398] in CVS-changelog-for-Kerberos-V5


krb5 commit: Add ksu option for non-forwardable tickets

daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Dec 19 12:37:48 2018

Date: Wed, 19 Dec 2018 12:37:19 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201812191737.wBJHbJgx028081@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/0e4932982665c69cc4417eb7dbf0eda87fe5bd3e
commit 0e4932982665c69cc4417eb7dbf0eda87fe5bd3e
Author: Greg Hudson <ghudson@mit.edu>
Date:   Thu Nov 29 11:59:25 2018 -0500

    Add ksu option for non-forwardable tickets
    
    Add ksu -F and -P options to explicitly not request forwardable and
    proxiable tickets.
    
    ticket: 8761

 doc/user/user_commands/ksu.rst |   15 +++++++++++++--
 src/clients/ksu/main.c         |   11 +++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst
index 29487a8..8d6c7ef 100644
--- a/doc/user/user_commands/ksu.rst
+++ b/doc/user/user_commands/ksu.rst
@@ -12,7 +12,8 @@ SYNOPSIS
 [ **-c** *source_cache_name* ]
 [ **-k** ]
 [ **-r** time ]
-[ **-pf** ]
+[ **-p** | **-P**]
+[ **-f** | **-F**]
 [ **-l** *lifetime* ]
 [ **-z | Z** ]
 [ **-q** ]
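Review bot: The two added synopsis lines close their brackets without the space the neighbouring entries use: `[ **-p** | **-P**]` and `[ **-f** | **-F**]` against `[ **-k** ]` and `[ **-q** ]`. Write them as `[ **-p** | **-P** ]` and `[ **-f** | **-F** ]` so the SYNOPSIS block stays uniform.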
@@ -247,7 +248,7 @@ OPTIONS
 
 Ticket granting ticket options:
 
-**-l** *lifetime* **-r** *time* **-pf**
+**-l** *lifetime* **-r** *time* **-p** **-P** **-f** **-F**
     The ticket granting ticket options only apply to the case where
     there are no appropriate tickets in the cache to authenticate the
     source user.  In this case if ksu is configured to prompt users
@@ -269,10 +270,20 @@ Ticket granting ticket options:
     specifies that the **proxiable** option should be requested for
     the ticket.
 
+**-P**
+    specifies that the **proxiable** option should not be requested
+    for the ticket, even if the default configuration is to ask for
+    proxiable tickets.
+
 **-f**
     option specifies that the **forwardable** option should be
     requested for the ticket.
 
+**-F**
+    option specifies that the **forwardable** option should not be
+    requested for the ticket, even if the default configuration is to
+    ask for forwardable tickets.
+
 **-e** *command* [*args* ...]
     ksu proceeds exactly the same as if it was invoked without the
     **-e** option, except instead of executing the target shell, ksu
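Review bot: The new **-P** and **-F** entries say "even if the default configuration is to ask for" such tickets without saying which configuration is meant; name the setting so a reader can check what their default actually is. The two entries also open differently ("specifies that" for **-P**, "option specifies that" for **-F**), a difference carried over from the existing **-p** and **-f** text; pick one form for the new entries.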
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index d9596d9..4f03dd8 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -66,7 +66,7 @@ static krb5_error_code resolve_target_cache(krb5_context ksu_context,
 void usage (){
     fprintf(stderr,
             _("Usage: %s [target user] [-n principal] [-c source cachename] "
-              "[-k] [-r time] [-pf] [-l lifetime] [-zZ] [-q] "
+              "[-k] [-r time] [-p|-P] [-f|-F] [-l lifetime] [-zZ] [-q] "
               "[-e command [args... ] ] [-a [args... ] ]\n"), prog_name);
 }
 
@@ -189,7 +189,8 @@ main (argc, argv)
         com_err (prog_name, errno, _("while setting euid to source user"));
         exit (1);
     }
-    while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
+    while (!done &&
+           (option = getopt(pargc, pargv,"n:c:r:a:zZDfFpPkql:e:")) != -1) {
         switch (option) {
         case 'r':
             if (strlen (optarg) >= 14)
@@ -217,9 +218,15 @@ main (argc, argv)
         case 'p':
             krb5_get_init_creds_opt_set_proxiable(options, 1);
             break;
+        case 'P':
+            krb5_get_init_creds_opt_set_proxiable(options, 0);
+            break;
         case 'f':
             krb5_get_init_creds_opt_set_forwardable(options, 1);
             break;
+        case 'F':
+            krb5_get_init_creds_opt_set_forwardable(options, 0);
+            break;
         case 'k':
             keep_target_cache =1;
             break;
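Review bot: The usage string and SYNOPSIS present these as alternatives (`[-p|-P]`, `[-f|-F]`), but the new `case 'P'` and `case 'F'` branches only call the setter with 0, so when both letters of a pair are given, whichever is parsed last silently wins. Either reject the combination with a usage error or state the last-one-wins behaviour in ksu.rst. The diffstat also lists only ksu.rst and main.c, so nothing exercises the new options; a test that checks the flags on the ticket obtained with -F and -P would cover this.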