svn rev #22209: trunk/src/clients/kinit/
hartmans@MIT.EDU
hartmans at MIT.EDU
Tue Apr 14 11:05:22 EDT 2009
http://src.mit.edu/fisheye/changelog/krb5/?cs=22209
Commit By: hartmans
Log Message:
ticket: 6460
subject: Implement kinit option for FAST armor ccache
Target_version: 1.7
tags: pullup
Implement the -T option to kinit to specify the FAST armor ccache.
Changed Files:
U trunk/src/clients/kinit/kinit.M
U trunk/src/clients/kinit/kinit.c
Modified: trunk/src/clients/kinit/kinit.M
===================================================================
--- trunk/src/clients/kinit/kinit.M 2009-04-13 22:15:05 UTC (rev 22208)
+++ trunk/src/clients/kinit/kinit.M 2009-04-14 15:05:21 UTC (rev 22209)
@@ -37,7 +37,7 @@
[\fB\-A\fP]
[\fB\-v\fP] [\fB\-R\fP]
[\fB\-k\fP [\fB\-t\fP \fIkeytab_file\fP]] [\fB\-c\fP \fIcache_name\fP]
-[\fB\-S\fP \fIservice_name\fP]
+[\fB\-S\fP \fIservice_name\fP][\fB\-T\fP \fIarmor_ccache\fP]
[\fB\-X\fP \fIattribute\fP[=\fIvalue\fP]]
[\fIprincipal\fP]
.ad b
@@ -130,6 +130,10 @@
.I keytab_file
option; otherwise the default name and location will be used.
.TP
+\fB\-T\fP \fIarmor_ccache\fP
+Specifies the name of a credential cache that already contains a ticket. This ccache
+will be used to armor the request Ideally, an attacker should have to attack both the armor ticket and the key of the principal.
+.TP
\fB\-c\fP \fIcache_name\fP
use
.I cache_name
Modified: trunk/src/clients/kinit/kinit.c
===================================================================
--- trunk/src/clients/kinit/kinit.c 2009-04-13 22:15:05 UTC (rev 22208)
+++ trunk/src/clients/kinit/kinit.c 2009-04-14 15:05:21 UTC (rev 22209)
@@ -117,6 +117,7 @@
char* service_name;
char* keytab_name;
char* k5_cache_name;
+ char *armor_ccache;
action_type action;
@@ -195,9 +196,10 @@
USAGE_BREAK
"[-v] [-R] "
"[-k [-t keytab_file]] "
- "[-c cachename] "
+ "[-c cachename] "
USAGE_BREAK
- "[-S service_name]"
+ "[-S service_name]""-T ticket_armor_cache"
+ USAGE_BREAK
"[-X <attribute>[=<value>]] [principal]"
"\n\n",
progname);
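Review bot: The added usage fragment `"-T ticket_armor_cache"` is concatenated directly onto `"[-S service_name]"` with no separating space and no optional brackets, so the help text would read `[-S service_name]-T ticket_armor_cache` and suggest that -T is mandatory. Writing it like its neighbours, `"[-S service_name] [-T armor_ccache] "`, fixes the spacing and also matches the `armor_ccache` argument name used in the kinit.M change of this commit. The usage function starts outside the hunk.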
@@ -278,7 +280,7 @@
int errflg = 0;
int i;
- while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:RS:vX:CE"))
+ while ((i = GETOPT(argc, argv, "r:fpFP54aAVl:s:c:kt:T:RS:vX:CE"))
!= -1) {
switch (i) {
case 'V':
@@ -347,6 +349,12 @@
opts->keytab_name = optarg;
}
break;
+ case 'T':
+ if (opts->armor_ccache) {
+ fprintf(stderr, "Only one armor_ccache\n");
+ errflg++;
+ } else opts->armor_ccache = optarg;
+ break;
case 'R':
opts->action = RENEW;
break;
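Review bot: The diagnostic in the new `case 'T':` prints the internal field name rather than the option the user typed, so a repeated -T produces a message that does not say which flag was wrong; something like `fprintf(stderr, "Only one -T option allowed\n");` would be clearer. The other cases' messages are outside the hunk, so match their wording if it differs. The `} else opts->armor_ccache = optarg;` line also mixes a braced `if` with an unbraced `else`; bracing both arms keeps a later added statement from silently falling outside the `else`.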
@@ -585,6 +593,9 @@
}
if (opts->no_addresses)
krb5_get_init_creds_opt_set_address_list(options, NULL);
+ if (opts->armor_ccache)
+ krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);
+
if ((opts->action == INIT_KT) && opts->keytab_name)
{
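Review bot: The return value of `krb5_get_init_creds_opt_set_fast_ccache_name()` is discarded in the added `if (opts->armor_ccache)` branch. If the call fails, kinit would go on to request credentials without the FAST armor the user asked for with -T, and nothing would report it. That is a silent loss of a requested protection, so the krb5_error_code should be checked: `code = krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache);` followed by `if (code) goto cleanup;`. The names `code` and `cleanup` are assumed because the enclosing function starts and ends outside the hunk; use the error variable and exit path it already has.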