From fc1c0beceb4ad04123dc41e112bea022236a9673 Mon Sep 17 00:00:00 2001 From: gibbs Date: Fri, 15 Sep 1995 06:11:53 +0000 Subject: Rkinit allows you to safely forward tickets to other kerberos hosts. Obtained from: MIT --- eBones/usr.bin/rkinit/Makefile | 11 +++ eBones/usr.bin/rkinit/rkinit.1 | 206 +++++++++++++++++++++++++++++++++++++++ eBones/usr.bin/rkinit/rkinit.c | 216 +++++++++++++++++++++++++++++++++++++++++ 3 files changed, 433 insertions(+) create mode 100644 eBones/usr.bin/rkinit/Makefile create mode 100644 eBones/usr.bin/rkinit/rkinit.1 create mode 100644 eBones/usr.bin/rkinit/rkinit.c diff --git a/eBones/usr.bin/rkinit/Makefile b/eBones/usr.bin/rkinit/Makefile new file mode 100644 index 0000000..b910742 --- /dev/null +++ b/eBones/usr.bin/rkinit/Makefile @@ -0,0 +1,11 @@ +# Makefile,v 1.2 1995/01/20 22:08:14 wollman Exp + +PROG= rkinit +SRCS= ${RKINITOBJDIR}/rkinit_err.h rkinit.c +CFLAGS+= -I${KRBOBJDIR} -I${RKINITOBJDIR} +LDADD+= -L${RKINITOBJDIR} -lrkinit -L${KRBOBJDIR} -lkrb -L${DESOBJDIR} -ldes +LDADD+= -lss -lcom_err + +MAN1= rkinit.1 + +.include diff --git a/eBones/usr.bin/rkinit/rkinit.1 b/eBones/usr.bin/rkinit/rkinit.1 new file mode 100644 index 0000000..5634d2b --- /dev/null +++ b/eBones/usr.bin/rkinit/rkinit.1 @@ -0,0 +1,206 @@ +.\" +.\" $Header: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v 1.1 1991/12/03 23:21:25 eichin Exp $ +.\" $Source: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v $ +.\" $Author: eichin $ +.\" +.\" +.TH RKINIT 1 "November 12, 1989" +.UC 4 +.SH NAME +rkinit \- establish kerberos tickets safely on a remote host +.SH SYNOPSIS +.B rkinit [ host ] +[ -p +.B principal +] [ -l +.B username +] [ -k +.B kerberos_realm +] [ -f +.B ticket_file +] [ -h +.B remote_host +] [ -t +.B ticket_lifetime +] [ +.B \-notimeout +] + +A host name must be specified either as the first command line +argument or following a \-h flag. If redundant command line +arguments are given, the last one to appear takes precedence. + +.SH DESCRIPTION +.I rkinit +is a program that allows a user to establish kerberos tickets on +a remote host registered for +rlogin service. This can be done without the user's kerberos +password ever leaving the client machine. + +In order to establish tickets remotely +without the use of something like +.I rkinit, +one would have to log in to the +remote host and run +.IR kinit (1). +.I rkinit +followed by +.I rlogin +can be thought of as a safe substitute for +.I rlogin +followed +.I kinit. + +.I rkinit +uses the same access checking mechanism as +.I rlogin. +That means that +.I rkinit +can be used to create any tickets for user +.I A +on remote host +.I B +if and only if +.IR A 's +tickets would entitle a login to +.I B. +This means that one can create remote tickets for himself or for +another user if he is in that user's .klogin file. + +.I rkinit +understands the following command line options: + +.TP 4 +.B \-p \fIprincipal\fR +If +.I principal, +in the format +.I name[.inst][@realm] +is specified, the tickets created on the remote host will be the +tickets indicated by the +.I principal +field. If this option is not given, the following defaults are +used: If the user running +.I rkinit +does not have tickets on the client machine, +.I rkinit +will prompt for a password and behave effectively as if the user +had invoked +.I kinit +on the specified +remote host; i.e., +the tickets established will be owned on the remote host +by the user who invoked +.I rkinit +and will be for the local realm of the +remote host. +If the user running +.I rkinit +already has tickets, +.I rkinit +will prompt for a password and create tickets whose principal +matches that of the +tickets that the user already has. + + +.TP +.B \-l \fIusername\fR +If +.I username +is specified, the ticket file on the remote host will be owned by the +user +.I username. +If it is not specified, the tickets will be owned by +the remote user whose login name matches that of the user invoking +.I rkinit. + +.TP +.B \-r \fIrealm\fR +.I realm +is used to tell +.I rkinit +what realm the remote host is in. This +option should not usually have to be used since +.I rkinit +uses +.IR krb_realmofhost (3) +to determine the remote host's kerberos realm. Note that this +is distinct from realm as specified in +.I principal, +which refers to the realm of the remote tickets. + +.TP +.B \-f \fIticket_file\fR +This option is used to specify the name of the ticket file that +should be used on the remote host. Note that if you +specify a location for the ticket file that is other +than the default, you will have to set the environment variable +KRBTKFILE to that filename once you get to the remote host in +order for you to use the tickets. +If a ticket file is not specified, the tickets will +be placed in the +default location as specified by +.IR tkt_file (3). +On a UNIX host, this is /tmp/tkt, where + is the user id of the person who owns the remote ticket file. + +.TP +.B \-h \fIremote_host\fR +.I remote host +is the host on which remote tickets are being obtained. This +option can be used in place of specifying the host as the first +command line argument. + +.TP +.B \-t \fIticket_lifetime\fR +.I ticket lifetime +is the lifetime in minutes of the remote tickets. If it is not +specified, the default ticket life time (as defined in krb.h) is +used. + +.TP +.B \-notimeout +prevents the client from timing out. This is mainly useful only +for debugging since the rkinit server also times out. + +.SH EXAMPLES + +In the following examples, +.B tabetha +and +.B soup +are machines in the +.B ATHENA.MIT.EDU +kerberos realm and +.B local +is a user who can log in +to +.B soup +and has +.B qjb.root@ATHENA.MIT.EDU +in his .klogin file. + + +% rkinit tabetha +.br +Kerberos initialization (tabetha) +.br +Password for qjb@ATHENA.MIT.EDU: +.br +% +.br + +.br +% rkinit soup -p qjb.root -l local +.br +Kerberos initialization (soup): tickets will be owned by local +.br +Password for qjb.root@ATHENA.MIT.EDU: +.br +% + +.SH SEE ALSO +rkinitd(8), kerberos(1), kerberos(3), kinit(1) + +.SH AUTHOR +Emanuel Jay Berkenbilt (MIT-Project Athena) diff --git a/eBones/usr.bin/rkinit/rkinit.c b/eBones/usr.bin/rkinit/rkinit.c new file mode 100644 index 0000000..35a0eeb --- /dev/null +++ b/eBones/usr.bin/rkinit/rkinit.c @@ -0,0 +1,216 @@ +/* + * $Id: rkinit.c,v 1.1 1993/12/10 18:41:00 dglo Exp gibbs $ + * $Source: /usr/src/eBones/rkinit/RCS/rkinit.c,v $ + * $Author: dglo $ + * + * This is an rkinit client + */ + +#if !defined(lint) && !defined(SABER) && !defined(LOCORE) && defined(RCS_HDRS) +static char *rcsid = "$Id: rkinit.c,v 1.1 1993/12/10 18:41:00 dglo Exp gibbs $"; +#endif /* lint || SABER || LOCORE || RCS_HDRS */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include + +#ifndef TRUE +#define TRUE 1 +#endif + +#ifndef FALSE +#define FALSE 0 +#endif + +#ifdef __STDC__ +static void usage(void) +#else +static void usage() +#endif /* __STDC__ */ +{ + fprintf(stderr,"Usage: rkinit [host] options\n"); + fprintf(stderr, + "Options: [-l username] [-k krb_realm] [-p principal] [-f tktfile]\n"); + fprintf(stderr, " [-t lifetime] [-h host] [-notimeout]\n"); + fprintf(stderr, "A host must be specified either with the -h option "); + fprintf(stderr, "or as the first argument.\n"); + + exit(1); +} + +int +#ifdef __STDC__ +main(int argc, char *argv[]) +#else +main(argc, argv) + int argc; + char *argv[]; +#endif /* __STDC__ */ +{ + char *whoami; /* Name of this program */ + + char principal[MAX_K_NAME_SZ]; /* Principal for which to get tickets */ + char *host = NULL; /* Remote host */ + char *username = 0; /* Username of owner of ticket */ + char r_krealm[REALM_SZ]; /* Kerberos realm of remote host */ + char aname[ANAME_SZ]; /* Aname of remote ticket file */ + char inst[INST_SZ]; /* Instance of remote ticket file */ + char realm[REALM_SZ]; /* Realm of remote ticket file */ + char *tktfilename = NULL; /* Name of ticket file on remote host */ + u_long lifetime = DEFAULT_TKT_LIFE; /* Lifetime of remote tickets */ + int timeout = TRUE; /* Should we time out? */ + rkinit_info info; /* Information needed by rkinit */ + + struct passwd *localid; /* To determine local id */ + + int status = 0; /* general error number */ + + int i; + + bzero(r_krealm, sizeof(r_krealm)); + bzero(principal, sizeof(principal)); + bzero(aname, sizeof(aname)); + bzero(inst, sizeof(inst)); + bzero(realm, sizeof(realm)); + + /* Parse commandline arguements. */ + if ((whoami = rindex(argv[0], '/')) == 0) + whoami = argv[0]; + else + whoami++; + + if (argc < 2) usage(); + + if (argv[1][0] != '-') { + host = argv[1]; + i = 2; + } + else + i = 1; + + for (/* i initialized above */; i < argc; i++) { + if (strcmp(argv[i], "-h") == NULL) { + if (++i >= argc) + usage(); + else + host = argv[i]; + } + else if (strcmp(argv[i], "-l") == NULL) { + if (++i >= argc) + usage(); + else + username = argv[i]; + } + else if (strcmp(argv[i], "-k") == NULL) { + if (++i >= argc) + usage(); + else + strncpy(r_krealm, argv[i], sizeof(r_krealm) - 1); + } + else if (strcmp(argv[i], "-p") == NULL) { + if (++i >= argc) + usage(); + else + strncpy(principal, argv[i], sizeof(principal) - 1); + } + else if (strcmp(argv[i], "-f") == NULL) { + if (++i >= argc) + usage(); + else + tktfilename = argv[i]; + } + else if (strcmp(argv[i], "-t") == NULL) { + if (++i >= argc) + usage(); + else { + lifetime = atoi(argv[i])/5; + if (lifetime == 0) + lifetime = 1; + else if (lifetime > 255) + lifetime = 255; + } + } + else if (strcmp(argv[i], "-notimeout") == NULL) + timeout = FALSE; + else + usage(); + } + + if (host == NULL) + usage(); + + /* Initialize the realm of the remote host if necessary */ + if (r_krealm[0] == 0) { + /* + * Try to figure out the realm of the remote host. If the + * remote host is unknown, don't worry about it; the library + * will handle the error better and print a good error message. + */ + struct hostent *hp; + if ((hp = gethostbyname(host))) + strcpy(r_krealm, krb_realmofhost(hp->h_name)); + } + + /* If no username was specified, use local id on client host */ + if (username == 0) { + if ((localid = getpwuid(getuid())) == 0) { + fprintf(stderr, "You can not be found in the password file.\n"); + exit(1); + } + username = localid->pw_name; + } + + /* Find out who will go in the ticket file */ + if (! principal[0]) { + if ((status = krb_get_tf_fullname(TKT_FILE, aname, inst, realm)) + != KSUCCESS) { + /* + * If user has no ticket file and principal was not specified, + * we will try to get tickets for username@remote_realm + */ + strcpy(aname, username); + strcpy(realm, r_krealm); + } + } + else { + if ((status = kname_parse(aname, inst, realm, principal)) + != KSUCCESS) { + fprintf(stderr, "%s\n", krb_err_txt[status]); + exit(1); + } + if (strlen(realm) == 0) { + if (krb_get_lrealm(realm, 1) != KSUCCESS) + strcpy(realm, KRB_REALM); + } + } + + bzero((char *)&info, sizeof(info)); + + strcpy(info.aname, aname); + strcpy(info.inst, inst); + strcpy(info.realm, realm); + strcpy(info.sname, "krbtgt"); + strcpy(info.sinst, realm); + strncpy(info.username, username, sizeof(info.username) - 1); + if (tktfilename) + strncpy(info.tktfilename, tktfilename, sizeof(info.tktfilename) - 1); + info.lifetime = lifetime; + + if ((status = rkinit(host, r_krealm, &info, timeout))) { + com_err(whoami, status, "while obtaining remote tickets:"); + fprintf(stderr, "%s\n", rkinit_errmsg(0)); + exit(1); + } + + exit(0); +} -- cgit v1.1