[2077] in Kerberos-V5-bugs
Re: How to renew renewable TGTs?
daemon@ATHENA.MIT.EDU (epeisach@MIT.EDU)
Sun Jul 7 15:34:44 1996
From: epeisach@MIT.EDU
Date: Sun, 7 Jul 1996 15:34:20 -0400
To: P-Pomes@Qualcomm.com (Paul Pomes)
Cc: krb5-bugs@MIT.EDU, hartmans@MIT.EDU
Well... It turns out the KDC code does support renewal of tickets, but
the krb5 library was lacking the client-side support needed to request it...
I have written the following patch to allow for kerberos ticket
renewal...
Note 1: There have been some other changes to our source tree, so the
patch may fail when applied to the Beta-6 code (I think krb5.hin
will have problems)
Note 2: The KDC distributed in beta-6 handles renewing and
validating tickets, but the server running on kerberos-2.mit.edu does
not... I suspect that this is due to the ASN.1 problems that were fixed
last year.
Ezra
Index: include/krb5.hin
===================================================================
RCS file: /mit/krb5/.cvsroot/src/include/krb5.hin,v
retrieving revision 1.51
diff -c -r1.51 krb5.hin
*** krb5.hin 1996/06/12 04:36:22 1.51
--- krb5.hin 1996/06/25 03:27:34
***************
*** 1350,1355 ****
--- 1350,1362 ----
krb5_creds *,
krb5_creds **,
krb5_creds *** ));
+ krb5_error_code krb5_get_cred_from_kdc_renew
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_ccache, /* not const, as reading may save
+ state */
+ krb5_creds *,
+ krb5_creds **,
+ krb5_creds *** ));
void krb5_free_tgt_creds
KRB5_PROTOTYPE((krb5_context,
krb5_creds ** )); /* XXX too hard to do with const */
***************
*** 1364,1369 ****
--- 1371,1382 ----
krb5_creds FAR *,
krb5_creds FAR * FAR *));
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_credentials_validate
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_const krb5_flags,
+ krb5_ccache,
+ krb5_creds FAR *,
+ krb5_creds FAR * FAR *));
+ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_credentials_renew
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_flags,
krb5_ccache,
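Review bot: The new public prototypes for krb5_get_credentials_validate and krb5_get_credentials_renew carry no comment saying what they do, and krb5.hin is the only place an API user will look. A short comment above each would help, e.g. for the renew variant `/* Obtain a renewed copy of in_creds from the KDC (KDC_OPT_RENEW) and store it in ccache; the existing ticket must still be renewable and not yet expired. */`. The store-to-ccache behaviour is visible in the get_creds.c hunk (the krb5_cc_store_cred call) and the not-yet-expired requirement in the kinit.M text, so both belong at the declaration rather than only in the man page. The prototype list continues past the end of this hunk.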
Index: lib/krb5/krb/gc_frm_kdc.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/lib/krb5/krb/gc_frm_kdc.c,v
retrieving revision 5.41
diff -c -r5.41 gc_frm_kdc.c
*** gc_frm_kdc.c 1996/05/04 00:17:43 5.41
--- gc_frm_kdc.c 1996/06/25 03:16:23
***************
*** 424,426 ****
--- 424,439 ----
return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
KDC_OPT_VALIDATE);
}
+
+ krb5_error_code
+ krb5_get_cred_from_kdc_renew(context, ccache, in_cred, out_cred, tgts)
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_creds *in_cred;
+ krb5_creds **out_cred;
+ krb5_creds ***tgts;
+ {
+
+ return krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts,
+ KDC_OPT_RENEW);
+ }
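Review bot: krb5_get_cred_from_kdc_renew is a one-line wrapper with no comment and a stray blank line after its opening brace, unlike the validate wrapper directly above it which it otherwise mirrors. Drop the blank line and add a header such as `/* Like krb5_get_cred_from_kdc_validate but asks the KDC for KDC_OPT_RENEW; *tgts receives any TGTs obtained on the way, to be released by the caller with krb5_free_tgt_creds. */`. The tgts ownership is what the get_creds.c caller relies on (it frees them after the call), so it is worth stating here since this is the function's only interface documentation.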
Index: lib/krb5/krb/get_creds.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/lib/krb5/krb/get_creds.c,v
retrieving revision 5.27
diff -c -r5.27 get_creds.c
*** get_creds.c 1996/06/06 04:08:49 5.27
--- get_creds.c 1996/07/06 15:16:47
***************
*** 143,155 ****
return retval;
}
! krb5_error_code INTERFACE
! krb5_get_credentials_validate(context, options, ccache, in_creds, out_creds)
krb5_context context;
const krb5_flags options;
krb5_ccache ccache;
krb5_creds *in_creds;
krb5_creds **out_creds;
{
krb5_error_code retval;
krb5_creds mcreds;
--- 143,160 ----
return retval;
}
! #define INT_GC_VALIDATE 1
! #define INT_GC_RENEW 2
!
! static krb5_error_code
! krb5_get_credentials_val_renew_core(context, options, ccache,
! in_creds, out_creds, which)
krb5_context context;
const krb5_flags options;
krb5_ccache ccache;
krb5_creds *in_creds;
krb5_creds **out_creds;
+ int which;
{
krb5_error_code retval;
krb5_creds mcreds;
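Review bot: The new static helper krb5_get_credentials_val_renew_core keeps the library's public `krb5_` prefix even though it is file-local, and its `which` selector is a pair of bare #defines passed as an untyped int. An enum makes the selector visible to the debugger and to the signature, `enum { INT_GC_VALIDATE = 1, INT_GC_RENEW = 2 };`, and a name without the public prefix (e.g. get_credentials_core) keeps the exported namespace clean. Only the start of the function is in this hunk; the switch on `which` and the rest of the body follow in the next one.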
***************
*** 163,170 ****
if (retval) return retval;
! retval = krb5_get_cred_from_kdc_validate(context, ccache,
in_creds, out_creds, &tgts);
if (retval) return retval;
if (tgts) krb5_free_tgt_creds(context, tgts);
--- 168,187 ----
if (retval) return retval;
! switch(which) {
! case INT_GC_VALIDATE:
! retval = krb5_get_cred_from_kdc_validate(context, ccache,
in_creds, out_creds, &tgts);
+ break;
+ case INT_GC_RENEW:
+ retval = krb5_get_cred_from_kdc_renew(context, ccache,
+ in_creds, out_creds, &tgts);
+ break;
+ default:
+ /* Should never happen */
+ retval = 255;
+ break;
+ }
if (retval) return retval;
if (tgts) krb5_free_tgt_creds(context, tgts);
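Review bot: The `default:` arm of the new switch returns the bare value 255, which is not a com_err-registered code, so a caller that prints it with com_err gets an "unknown code" string instead of a diagnosis. Since the arm is meant to be unreachable, return a defined error instead, `retval = EINVAL;` (or the library's generic KRB5KRB_ERR_GENERIC), and keep the comment. On that path the function also returns before the `if (tgts) krb5_free_tgt_creds(...)` line; that is harmless only if tgts was initialised to NULL earlier in the function (not visible in this hunk), which the comment could say so a later edit does not break it. The function begins in the previous hunk and continues into the next.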
***************
*** 176,179 ****
--- 193,223 ----
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
+ }
+
+ krb5_error_code INTERFACE
+ krb5_get_credentials_validate(context, options, ccache, in_creds, out_creds)
+ krb5_context context;
+ const krb5_flags options;
+ krb5_ccache ccache;
+ krb5_creds *in_creds;
+ krb5_creds **out_creds;
+ {
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_VALIDATE));
+ }
+
+ krb5_error_code INTERFACE
+ krb5_get_credentials_renew(context, options, ccache, in_creds, out_creds)
+ krb5_context context;
+ const krb5_flags options;
+ krb5_ccache ccache;
+ krb5_creds *in_creds;
+ krb5_creds **out_creds;
+ {
+
+ return(krb5_get_credentials_val_renew_core(context, options, ccache,
+ in_creds, out_creds,
+ INT_GC_RENEW));
}
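Review bot: The two new public entry points krb5_get_credentials_validate and krb5_get_credentials_renew have no header comment, and nothing says that the result is also written back to the cache (the `krb5_cc_store_cred` call in the shared core at the top of this hunk). A comment such as `/* Ask the KDC to renew in_creds; on success *out_creds is the new ticket and it has also been stored in ccache. */` above krb5_get_credentials_renew, with the validate wording for its counterpart, would document that side effect. Stylistically the `return(...)` parentheses and the blank line after krb5_get_credentials_renew's opening brace are out of step with the validate wrapper directly above it.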
Index: lib/krb5/clients/kinit/kinit.M
===================================================================
RCS file: /mit/krb5/.cvsroot/src/clients/kinit/kinit.M,v
retrieving revision 5.6
diff -c -r5.6 kinit.M
*** kinit.M 1996/05/02 22:53:32 5.6
--- kinit.M 1996/07/06 15:28:45
***************
*** 31,36 ****
--- 31,38 ----
.B \-s
.I starttime
] [
+ .B \-v
+ ] [
.B \-p
] [
.B \-f
***************
*** 38,43 ****
--- 40,47 ----
.B \-r
.I rlife
] [
+ .B \-R
+ ] [
.B \-c
.I cachename
]
***************
*** 58,64 ****
option specifies the start time, and causes you to get a postdated ticket.
Postdated tickets are issued with the
.I invalid
! flag set, and needs to be fed back to the kdc before use.
The
.B \-p
option specifies that the PROXIABLE option should be requested for the
--- 62,72 ----
option specifies the start time, and causes you to get a postdated ticket.
Postdated tickets are issued with the
.I invalid
! flag set, and needs to be fed back to the kdc before use. This may be
! accomplished by using the
! .B \-v
! option.
! .PP
The
.B \-p
option specifies that the PROXIABLE option should be requested for the
***************
*** 73,79 ****
.B \-r
.I rlife
option specifies that the RENEWABLE option should be requested for the
! ticket, and specifies the desired total lifetime of the ticket.
.PP
The
.B \-c
--- 81,91 ----
.B \-r
.I rlife
option specifies that the RENEWABLE option should be requested for the
! ticket, and specifies the desired total lifetime of the ticket. To renew
! the ticket, the
! .B \-R
! option is used. Note that you must renew the ticket before it has
! expired.
.PP
The
.B \-c
Index: lib/krb5/clients/kinit/kinit.c
===================================================================
RCS file: /mit/krb5/.cvsroot/src/clients/kinit/kinit.c,v
retrieving revision 5.43
diff -c -r5.43 kinit.c
*** kinit.c 1996/05/04 00:42:57 5.43
--- kinit.c 1996/07/06 15:44:21
***************
*** 90,96 ****
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
! while ((option = getopt(argc, argv, "r:fpl:s:c:kt:v")) != EOF) {
switch (option) {
case 'r':
options |= KDC_OPT_RENEWABLE;
--- 90,96 ----
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
! while ((option = getopt(argc, argv, "r:Rfpl:s:c:kt:v")) != EOF) {
switch (option) {
case 'r':
options |= KDC_OPT_RENEWABLE;
***************
*** 100,105 ****
--- 100,109 ----
errflg++;
}
break;
+ case 'R':
+ /* renew the ticket */
+ options |= KDC_OPT_RENEW;
+ break;
case 'v':
/* validate the ticket */
options |= KDC_OPT_VALIDATE;
***************
*** 182,188 ****
}
if (errflg) {
! fprintf(stderr, "Usage: %s [-r time] [-puf] [-l lifetime] [-c cachename] [-k] [-t keytab] [principal]\n", argv[0]);
exit(2);
}
--- 186,192 ----
}
if (errflg) {
! fprintf(stderr, "Usage: %s [-r time] [-R] [-s time] [-v] [-puf] [-l lifetime] [-c cachename] [-k] [-t keytab] [principal]\n", argv[0]);
exit(2);
}
***************
*** 284,289 ****
--- 288,306 ----
/* should be done... */
exit(0);
}
+
+ if (options & KDC_OPT_RENEW) {
+ /* don't use get_in_tkt, just use mk_req... */
+ krb5_data outbuf;
+
+ code = krb5_renew_tgt(kcontext, ccache, server, &outbuf);
+ if (code) {
+ com_err (argv[0], code, "renewing tgt");
+ exit(1);
+ }
+ /* should be done... */
+ exit(0);
+ }
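Review bot: The new `-R` block in main is a copy of the validate block whose tail ends just above it, and because that block is tested first a command line giving both `-v` and `-R` will validate, exit(0), and never renew, with no usage error. Either reject the combination after option parsing, `if ((options & KDC_OPT_RENEW) && (options & KDC_OPT_VALIDATE)) errflg++;`, or fold the two blocks into one that picks krb5_renew_tgt or krb5_validate_tgt and the matching com_err text from the flag. The `outbuf` local is passed down but, as the comment in krb5_tgt_gen says the mk_req is not actually performed, it appears never to be filled or released; if so the parameter could go. The guard of the preceding validate block is outside this hunk, so the ordering claim is inferred from the exit(0) tail shown at its top.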
#ifndef NO_KEYTAB
if (!use_keytab)
#endif
***************
*** 341,346 ****
--- 358,366 ----
exit(0);
}
+ #define VALIDATE 0
+ #define RENEW 1
+
/* stripped down version of krb5_mk_req */
krb5_error_code krb5_validate_tgt(context, ccache, server, outbuf)
krb5_context context;
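Review bot: `VALIDATE` and `RENEW` are defined at file scope with completely generic, unprefixed names, so they are one include away from colliding with a library or system macro. An enum both scopes them and gives krb5_tgt_gen's `opt` parameter a real type: `enum tgt_op { TGT_VALIDATE, TGT_RENEW };`. The same selector idea appears in get_creds.c as INT_GC_VALIDATE/INT_GC_RENEW with different values; the two never meet, but a shared naming scheme would make the client and library layers easier to read together.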
***************
*** 348,353 ****
--- 368,395 ----
krb5_principal server; /* tgtname */
krb5_data *outbuf;
{
+ return krb5_tgt_gen(context, ccache, server, outbuf, VALIDATE);
+ }
+
+ /* stripped down version of krb5_mk_req */
+ krb5_error_code krb5_renew_tgt(context, ccache, server, outbuf)
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_principal server; /* tgtname */
+ krb5_data *outbuf;
+ {
+ return krb5_tgt_gen(context, ccache, server, outbuf, RENEW);
+ }
+
+
+ /* stripped down version of krb5_mk_req */
+ krb5_error_code krb5_tgt_gen(context, ccache, server, outbuf, opt)
+ krb5_context context;
+ krb5_ccache ccache;
+ krb5_principal server; /* tgtname */
+ krb5_data *outbuf;
+ int opt;
+ {
krb5_auth_context * auth_context = 0;
const krb5_flags ap_req_options;
krb5_data * in_data;
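Review bot: krb5_tgt_gen is called from krb5_validate_tgt before it is defined, and krb5_renew_tgt is likewise called from main before its definition; unless prototypes exist earlier in the file (none are in the diff), both are implicitly declared as returning int, which is a type mismatch if krb5_error_code is not int. Add prototypes near the top of the file in the file's KRB5_PROTOTYPE style and make the three helpers `static`: they live in a client program but carry the library's `krb5_` prefix, so leaving them external invites a clash with a future libkrb5 symbol. The comment `/* stripped down version of krb5_mk_req */` is copied onto the two one-line wrappers where it no longer applies; replace it there with what each wrapper does, e.g. `/* Renew the TGT in ccache via krb5_tgt_gen(RENEW). */`. krb5_tgt_gen's body continues beyond the hunk.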
***************
*** 364,372 ****
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
goto cleanup_creds;
! if ((retval = krb5_get_credentials_validate(context, 0,
! ccache, &creds, &credsp)))
! goto cleanup_creds;
/* we don't actually need to do the mk_req, just get the creds. */
cleanup_creds:
--- 406,420 ----
if ((retval = krb5_cc_get_principal(context, ccache, &creds.client)))
goto cleanup_creds;
! if(opt == VALIDATE) {
! if ((retval = krb5_get_credentials_validate(context, 0,
! ccache, &creds, &credsp)))
! goto cleanup_creds;
! } else {
! if ((retval = krb5_get_credentials_renew(context, 0,
! ccache, &creds, &credsp)))
! goto cleanup_creds;
! }
/* we don't actually need to do the mk_req, just get the creds. */
cleanup_creds:
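Review bot: The new branch in krb5_tgt_gen treats every `opt` other than VALIDATE as a renewal, whereas the library core added in get_creds.c refuses an unknown selector; the two should agree, and the duplicated call-and-goto pair can collapse to one: `retval = (opt == VALIDATE) ? krb5_get_credentials_validate(context, 0, ccache, &creds, &credsp) : krb5_get_credentials_renew(context, 0, ccache, &creds, &credsp);` followed by `if (retval) goto cleanup_creds;`. If an explicit rejection of bad `opt` values is wanted, an `else` arm that sets retval to an error before the cache is touched keeps the client in step with the library. The cleanup path after the label, including what happens to credsp, is outside the hunk.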