[735] in Kerberos-V5-bugs
kinit -k should use most recent key in keytab, not first one
daemon@ATHENA.MIT.EDU (Jonathan I. Kamens)
Sun Sep 11 18:56:40 1994
Date: Sun, 11 Sep 1994 18:58:07 -0400
From: "Jonathan I. Kamens" <jik@cam.ov.com>
To: krb5-bugs@MIT.EDU
"kinit -k" should use the key in the keytab that has the highest
version number, not whatever key appears in the keytab first.
The following patch changes kinit's behavior to do this.
Jonathan Kamens | OpenVision Technologies, Inc. | jik@cam.ov.com
--- src/clients/kinit/kinit.c Mon Aug 8 22:45:16 1994
+++ kinit.c Sun Sep 11 18:56:26 1994
@@ -91,7 +91,6 @@
int use_keytab = 0; /* -k option */
int preauth_type = -1;
krb5_keytab keytab = NULL;
- krb5_keytab_entry kt_ent;
struct passwd *pw = 0;
int pwsize;
int i;
@@ -296,12 +295,40 @@
}
memset(password, 0, sizeof(password));
} else {
+ krb5_keytab_entry kt_ent, new_kt_ent;
+ kt_ent.vno = 0;
+
if (keytab != NULL) {
- code = krb5_kt_get_entry(keytab, my_creds.client, 0,
- &kt_ent);
- if (code) {
- com_err(argv[0], code, "reading keytab entry %s",
- client_name);
+ krb5_kt_cursor cursor;
+
+ if (code = krb5_kt_start_seq_get(keytab, &cursor)) {
+ com_err(argv[0], code, "starting to read keytab %s",
+ keytab_name);
+ exit(1);
+ }
+ while (! (code = krb5_kt_next_entry(keytab, &new_kt_ent,
+ &cursor))) {
+ if ((new_kt_ent.vno > kt_ent.vno) &&
+ krb5_principal_compare(my_creds.client,
+ new_kt_ent.principal)) {
+ if (kt_ent.vno)
+ krb5_kt_free_entry(&kt_ent);
+ kt_ent = new_kt_ent;
+ }
+ }
+ if (code && (code != KRB5_KT_END)) {
+ com_err(argv[0], code, "reading keytab %s", keytab_name);
+ exit(1);
+ }
+ if (! kt_ent.vno) {
+ com_err(argv[0], KRB5_KT_NOTFOUND,
+ "reading keytab entry %s in keytab %s",
+ client_name, keytab_name);
+ exit(1);
+ }
+ if (code = krb5_kt_end_seq_get(keytab, &cursor)) {
+ com_err(argv[0], code, "finishing reading keytab %s",
+ keytab_name);
exit(1);
}
}
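Review bot: Entries returned by krb5_kt_next_entry that the loop does not select (wrong principal, or a version number that is not higher) are never released, so their principal and key contents stay in heap memory for the rest of the run; the `if` inside the `while` needs an `else krb5_kt_free_entry(&new_kt_ent);`. Using `kt_ent.vno = 0` as the "nothing chosen yet" marker also means a matching entry whose version number is 0 can never be picked and ends in KRB5_KT_NOTFOUND, which a separate `int found = 0;` flag would avoid. The read-error and not-found paths call exit(1) before krb5_kt_end_seq_get and without freeing a selected `kt_ent`; that is probably tolerable at process exit, but calling krb5_kt_end_seq_get before the `! kt_ent.vno` check would tidy it up. The enclosing function starts and ends outside the hunk, so how `kt_ent` is used and freed afterwards is not visible here.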