From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 16 Jul 2012 14:13:29 +0000 (-0400)
Subject: Add kinit/klist -i options to use client keytab
X-Git-Tag: krb5-1.11-alpha1~399
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=194e0433f07e244aab59edcb22ea0c6e359f9f0d;p=thirdparty%2Fkrb5.git

Add kinit/klist -i options to use client keytab

In combination with -k, -i will cause kinit or klist to use the
default client keytab instead of the default acceptor keytab.  This
gives an easy way to figure out what default client keytab name is in
use and to get credentials using it.

ticket: 7216 (new)
---

diff --git a/doc/rst_source/krb_users/user_commands/kinit.rst b/doc/rst_source/krb_users/user_commands/kinit.rst
index 6143c95e47..783bd77699 100644
--- a/doc/rst_source/krb_users/user_commands/kinit.rst
+++ b/doc/rst_source/krb_users/user_commands/kinit.rst
@@ -118,14 +118,15 @@ OPTIONS
     expired ticket cannot be renewed, even if the ticket is still
     within its renewable life.
 
-**-k** [**-t** *keytab_file*]
+**-k** [**-i** | **-t** *keytab_file*]
     requests a ticket, obtained from a key in the local host's keytab.
     The location of the keytab may be specified with the **-t**
-    *keytab_file* option; otherwise the default keytab will be used.
-    By default, a host ticket for the local host is requested, but any
-    principal may be specified.  On a KDC, the special keytab location
-    ``KDB:`` can be used to indicate that kinit should open the KDC
-    database and look up the key directly.  This permits an
+    *keytab_file* option, or with the **-i** option to specify the use
+    of the default client keytab; otherwise the default keytab will be
+    used.  By default, a host ticket for the local host is requested,
+    but any principal may be specified.  On a KDC, the special keytab
+    location ``KDB:`` can be used to indicate that kinit should open
+    the KDC database and look up the key directly.  This permits an
     administrator to obtain tickets as any principal that supports
     authentication based on the key.
 
diff --git a/doc/rst_source/krb_users/user_commands/klist.rst b/doc/rst_source/krb_users/user_commands/klist.rst
index 5a9a076f40..0b867a867c 100644
--- a/doc/rst_source/krb_users/user_commands/klist.rst
+++ b/doc/rst_source/krb_users/user_commands/klist.rst
@@ -77,6 +77,11 @@ OPTIONS
 **-k**
     List keys held in a keytab file.
 
+**-i**
+    In combination with **-k**, defaults to using the default client
+    keytab instead of the default acceptor keytab, if no name is
+    given.
+
 **-t**
     Display the time entry timestamps for each keytab entry in the
     keytab file.
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index 256f165fe9..a315173b60 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -120,6 +120,7 @@ struct k_opts
     char *armor_ccache;
 
     action_type action;
+    int use_client_keytab;
 
     int num_pa_opts;
     krb5_gic_opt_pa_data *pa_opts;
@@ -197,7 +198,7 @@ usage()
             "[-E" USAGE_LONG_ENTERPRISE "] "
             USAGE_BREAK
             "[-v] [-R] "
-            "[-k [-t keytab_file]] "
+            "[-k [-i|-t keytab_file]] "
             "[-c cachename] "
             USAGE_BREAK
             "[-S service_name] [-T ticket_armor_cache]"
@@ -223,6 +224,7 @@ usage()
     fprintf(stderr, _("\t-C canonicalize\n"));
     fprintf(stderr, _("\t-E client is enterprise principal name\n"));
     fprintf(stderr, _("\t-k use keytab\n"));
+    fprintf(stderr, _("\t-i use default client keytab (with -k)\n"));
     fprintf(stderr, _("\t-t filename of keytab to use\n"));
     fprintf(stderr, _("\t-c Kerberos 5 cache name\n"));
     fprintf(stderr, _("\t-S service\n"));
@@ -284,7 +286,7 @@ parse_options(argc, argv, opts)
     int errflg = 0;
     int i;
 
-    while ((i = GETOPT(argc, argv, "r:fpFPn54aAVl:s:c:kt:T:RS:vX:CE"))
+    while ((i = GETOPT(argc, argv, "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CE"))
            != -1) {
         switch (i) {
         case 'V':
@@ -349,6 +351,9 @@ parse_options(argc, argv, opts)
         case 'k':
             opts->action = INIT_KT;
             break;
+        case 'i':
+            opts->use_client_keytab = 1;
+            break;
         case 't':
             if (opts->keytab_name)
             {
@@ -700,6 +705,12 @@ k5_kinit(opts, k5)
         }
         if (opts->verbose)
             fprintf(stderr, _("Using keytab: %s\n"), opts->keytab_name);
+    } else if (opts->action == INIT_KT && opts->use_client_keytab) {
+        code = krb5_kt_client_default(k5->ctx, &keytab);
+        if (code != 0) {
+            com_err(progname, code, _("resolving default client keytab"));
+            goto cleanup;
+        }
     }
 
     for (i = 0; i < opts->num_pa_opts; i++) {
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index fefd895d18..3f633fd906 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -58,7 +58,7 @@ extern int optind;
 
 int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
 int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0;
-int show_adtype = 0, show_all = 0, list_all = 0;
+int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0;
 char *defname;
 char *progname;
 krb5_int32 now;
@@ -92,6 +92,7 @@ static void usage()
     fprintf(stderr, _("\t-c specifies credentials cache\n"));
     fprintf(stderr, _("\t-k specifies keytab\n"));
     fprintf(stderr, _("\t   (Default is credentials cache)\n"));
+    fprintf(stderr, _("\t-i uses default client keytab if no name given\n"));
     fprintf(stderr, _("\t-l lists credential caches in collection\n"));
     fprintf(stderr, _("\t-A shows content of all credential caches\n"));
     fprintf(stderr, _("\t-e shows the encryption type\n"));
@@ -125,7 +126,7 @@ main(argc, argv)
     name = NULL;
     mode = DEFAULT;
     /* V=version so v can be used for verbose later if desired.  */
-    while ((c = getopt(argc, argv, "dfetKsnack45lAV")) != -1) {
+    while ((c = getopt(argc, argv, "dfetKsnacki45lAV")) != -1) {
         switch (c) {
         case 'd':
             show_adtype = 1;
@@ -159,6 +160,9 @@ main(argc, argv)
             if (mode != DEFAULT) usage();
             mode = KEYTAB;
             break;
+        case 'i':
+            use_client_keytab = 1;
+            break;
         case '4':
             fprintf(stderr, _("Kerberos 4 is no longer supported\n"));
             exit(3);
@@ -255,7 +259,12 @@ void do_keytab(name)
     char *pname;
     int code;
 
-    if (name == NULL) {
+    if (name == NULL && use_client_keytab) {
+        if ((code = krb5_kt_client_default(kcontext, &kt))) {
+            com_err(progname, code, _("while getting default client keytab"));
+            exit(1);
+        }
+    } else if (name == NULL) {
         if ((code = krb5_kt_default(kcontext, &kt))) {
             com_err(progname, code, _("while getting default keytab"));
             exit(1);
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index ef303f1975..8d73636c8d 100644
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -18,6 +18,14 @@ output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1)
 if 'no suitable keys' not in output:
     fail('Expected error not seen in kinit output')
 
+# Test kinit and klist with client keytab defaults.
+realm.extract_keytab(realm.user_princ, realm.client_keytab);
+realm.kinit(realm.user_princ, flags=['-k', '-i'])
+realm.klist(realm.user_princ)
+out = realm.run_as_client([klist, '-k', '-i'])
+if realm.client_keytab not in out or realm.user_princ not in out:
+    fail('Expected output not seen from klist -k -i')
+
 # Test handling of kvno values beyond 255.
 princ = 'foo/bar@%s' % realm.realm
 realm.addprinc(princ)