krb5 commit: Do not default to host/ for client keytabs
Benjamin Kaduk
kaduk at MIT.EDU
Thu May 22 17:34:36 EDT 2014
https://github.com/krb5/krb5/commit/6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e
commit 6c4bd36bd000c8f5ab1b8dacd5d4101831fe576e
Author: Ben Kaduk <kaduk at mit.edu>
Date: Mon May 19 16:23:45 2014 -0400
Do not default to host/ for client keytabs
When the normal (acceptor) keytab is being used to obtain initial
credentials, it is reasonable to use the default hostbased service
principal (host/fully.qualified.localhost.domain) when no client
principal is given. This behavior is not very reasonable when
the default client keytab is being used, as host/ credentials are
not normally client credentials.
Make kinit -i match up with the GSS-API behavior when client keytabs
are in use, using the name of the first entry in the keytab when
no name is explicitly given.
ticket: 7892
src/clients/kinit/kinit.c | 17 +++++++++++++++++
1 files changed, 17 insertions(+), 0 deletions(-)
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index d9033ec..c442c53 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -25,6 +25,7 @@
*/
#include "autoconf.h"
+#include <k5-int.h>
#include "k5-platform.h" /* for asprintf */
#include <krb5.h>
#include "extern.h"
@@ -470,6 +471,7 @@ k5_begin(opts, k5)
int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0;
krb5_ccache defcache = NULL;
krb5_principal defcache_princ = NULL, princ;
+ krb5_keytab keytab;
const char *deftype = NULL;
char *defrealm, *name;
@@ -533,6 +535,21 @@ k5_begin(opts, k5)
com_err(progname, code, _("while building principal"));
goto cleanup;
}
+ } else if (opts->action == INIT_KT && opts->use_client_keytab) {
+ /* Use the first entry from the client keytab. */
+ code = krb5_kt_client_default(k5->ctx, &keytab);
+ if (code) {
+ com_err(progname, code,
+ _("When resolving the default client keytab"));
+ goto cleanup;
+ }
+ code = k5_kt_get_principal(k5->ctx, keytab, &k5->me);
+ krb5_kt_close(k5->ctx, keytab);
+ if (code) {
+ com_err(progname, code,
+ _("When determining client principal name from keytab"));
+ goto cleanup;
+ }
} else if (opts->action == INIT_KT) {
/* Use the default host/service name. */
code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST,
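Review bot: The two new com_err messages are capitalized ("When resolving…", "When determining…") while the neighbouring message in this function reads `_("while building principal")`; com_err prefixes its own text, so the lowercase form reads naturally and matches the existing style. I would change them to `_("while resolving the default client keytab")` and `_("while determining client principal name from keytab")`. The comment `/* Use the first entry from the client keytab. */` could also say that which principal is chosen therefore depends on the order of entries in the keytab file, so a user with several principals in the client keytab knows to pass the name explicitly; that is inferred from the comment, since k5_kt_get_principal's behaviour is not visible here. k5_begin starts and ends outside this hunk.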