--- ./clients/kinit/,kinit.c Tue Feb 3 10:35:37 2004 +++ ./clients/kinit/kinit.c Tue Feb 3 10:35:37 2004 @@ -127,6 +127,7 @@ int forwardable; int proxiable; int addresses; + int pstdin; int not_forwardable; int not_proxiable; @@ -141,6 +142,9 @@ char* k4_cache_name; action_type action; +#ifdef NOMSPAC + int nomspac; +#endif }; struct k5_data @@ -211,10 +215,12 @@ USAGE_BREAK_LONG "[-A" USAGE_LONG_ADDRESSES "] " USAGE_BREAK + "[-m] " "[-v] [-R] " "[-k [-t keytab_file]] " USAGE_BREAK "[-c cachename] " + "[-Z] " "[-S service_name] [principal]" "\n\n", progname); @@ -257,10 +263,14 @@ ULINE("\t", "-p proxiable", OPTTYPE_KRB5); ULINE("\t", "-P not proxiable", OPTTYPE_KRB5); ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5); +#ifdef NOMSPAC + ULINE("\t", "-m No PAC in ticket", OPTTYPE_KRB5); +#endif ULINE("\t", "-v validate", OPTTYPE_KRB5); ULINE("\t", "-R renew", OPTTYPE_BOTH); ULINE("\t", "-k use keytab", OPTTYPE_BOTH); ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH); + ULINE("\t", "-Z get password from stdin", OPTTYPE_KRB5); ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5); /* This options is not yet available: */ /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */ @@ -281,9 +291,14 @@ int use_k5 = 0; int i; - while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v")) + while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:vZm")) != -1) { switch (i) { +#ifdef NOMSPAC + case 'm': + opts->nomspac = 1; + break; +#endif case 'V': opts->verbose = 1; break; @@ -401,6 +416,9 @@ } use_k5 = 1; break; + case 'Z': + opts->pstdin++; + break; default: errflg++; break; @@ -737,6 +755,8 @@ krb5_creds my_creds; krb5_error_code code = 0; krb5_get_init_creds_opt options; + char pstdin_pw[1024]; + int pstdin_pw_size = 0; if (!got_k5) return 0; @@ -749,6 +769,10 @@ initialized. */ +#ifdef NOMSPAC + if (opts->nomspac) + krb5_get_init_creds_opt_set_pa_pac_request(&options); +#endif if (opts->lifetime) krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime); if (opts->rlife) @@ -787,8 +811,21 @@ switch (opts->action) { case INIT_PW: + if (opts->pstdin) { + pstdin_pw_size = read(0,pstdin_pw,sizeof(pstdin_pw)-1); + if (pstdin_pw_size > 0) { + if (pstdin_pw[pstdin_pw_size-1] == '\n') { + pstdin_pw_size--; + } + pstdin_pw[pstdin_pw_size] = '\0'; + } else { + pstdin_pw_size = 0; + } + } + code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, - 0, kinit_prompter, 0, + (pstdin_pw_size > 0)? pstdin_pw: 0, + kinit_prompter, 0, opts->starttime, opts->service_name, &options); --- ./include/,krb5.hin Tue Feb 3 10:38:08 2004 +++ ./include/krb5.hin Tue Feb 3 10:38:09 2004 @@ -876,6 +876,9 @@ #define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */ #define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */ +#ifdef NOMSPAC +#define KRB5_PADATA_PAC_REQUEST 128 +#endif #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 #define KRB5_SAM_MUST_PK_ENCRYPT_SAD 0x20000000 /* currently must be zero */ @@ -2415,6 +2418,9 @@ #define KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST 0x0020 #define KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST 0x0040 #define KRB5_GET_INIT_CREDS_OPT_SALT 0x0080 +#ifdef NOMSPAC +#define KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST 0x0100 +#endif void KRB5_CALLCONV @@ -2462,6 +2468,13 @@ krb5_get_init_creds_opt_set_salt (krb5_get_init_creds_opt *opt, krb5_data *salt); + +#ifdef NOMSPAC +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_pa_pac_request +(krb5_get_init_creds_opt *opt); +#endif + krb5_error_code KRB5_CALLCONV krb5_get_init_creds_password --- ./lib/krb5/krb/,gic_opt.c Tue Feb 3 11:02:10 2004 +++ ./lib/krb5/krb/gic_opt.c Tue Feb 3 11:02:10 2004 @@ -63,3 +63,11 @@ opt->flags |= KRB5_GET_INIT_CREDS_OPT_SALT; opt->salt = salt; } + +#ifdef NOMSPAC +void KRB5_CALLCONV +krb5_get_init_creds_opt_set_pa_pac_request(krb5_get_init_creds_opt *opt) +{ + opt->flags |= KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST; +} +#endif --- ./lib/krb5/krb/,get_in_tkt.c Tue Feb 3 11:02:25 2004 +++ ./lib/krb5/krb/get_in_tkt.c Tue Feb 3 11:02:26 2004 @@ -78,6 +78,70 @@ static krb5_error_code make_preauth_list (krb5_context, krb5_preauthtype *, int, krb5_pa_data ***); +#ifdef NOMSPAC + /* Add the Microsoft PA_PAC_REQUEST to the AS + * request. Since this needs to be sent on each AS_REQ + * the krb5_preauth routines can not be used, as they + * add a list the first time, but then only respond to the + * pa-data in the error response. + * See draft-brezak-win2k-krb-authz-01.txt section 6 + * Also see MSDN for SEC_WINNT_AUTH_IDENTITY_ONLY + */ +static krb5_error_code add_ms_pac_req(krb5_context context, + krb5_pa_data *** padata) +{ + int i; + /* ASN1 for: + * KERB-PA-PAC-REQUEST ::= SEQUENCE { + * include-pac[0] BOOLEAN + * } + * where the value is false + */ + static krb5_octet booldata[] = {"\x30\x05\xa0\x03\x01\x01\x00"}; + void * tmp; + krb5_pa_data * pa; + krb5_pa_data * * new_padata; + + if ((tmp = (void *)malloc(sizeof(booldata)-1)) == NULL) + return(ENOMEM); + memcpy(tmp, booldata, sizeof(booldata)-1); + + if ((pa = (krb5_pa_data *)malloc(sizeof(krb5_pa_data))) == NULL) { + krb5_xfree(tmp); + return(ENOMEM); + } + + pa->magic = KV5M_PA_DATA; + pa->pa_type = KRB5_PADATA_PAC_REQUEST; + pa->length = sizeof(booldata)-1; + pa->contents = tmp; + + if (*padata == NULL) { + new_padata = (krb5_pa_data **) + malloc(2 * sizeof(krb5_pa_data *)); + i = 0; + } else { + for (i=0; (*padata)[i]; i++); /* count */ + + new_padata = *padata; + new_padata = (krb5_pa_data **) + realloc(new_padata, (i+2) * sizeof(krb5_pa_data *)); + } + if (new_padata == NULL) { + krb5_xfree(pa->contents); + krb5_xfree(pa); + return(ENOMEM); + } + + new_padata[i++] = pa; + new_padata[i] = NULL; + + *padata = new_padata; + + return(0); +} +#endif + /* * This function sends a request to the KDC, and gets back a response; * the response is parsed into ret_err_reply or ret_as_reply if the @@ -951,6 +1015,15 @@ prompter_data, gak_fct, gak_data))) goto cleanup; +#ifdef NOMSPAC + if (options && (options->flags & + KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST)) { + if (ret = add_ms_pac_req(context, &request.padata)) { + goto cleanup; + } + } +#endif + if (padata) { krb5_free_pa_data(context, padata); padata = 0; @@ -996,6 +1069,14 @@ &salt, &s2kparams, &etype, &as_key, prompter, prompter_data, gak_fct, gak_data))) goto cleanup; +#ifdef NOMSPAC + if (options && (options->flags & + KRB5_GET_INIT_CREDS_OPT_PA_PAC_REQUEST)) { + if (ret = add_ms_pac_req(context, &padata)) { + goto cleanup; + } + } +#endif /* XXX if there's padata on output, something is wrong, but it's not obviously an error */