Rkinit allows you to safely forward tickets to other kerberos hosts.

Obtained from: MIT
svn path=/vendor-crypto/eBones/dist/; revision=10766
1995-09-15 06:11:53 +00:00 · 1995-09-15 06:11:53 +00:00 · 43dcd8e508 · 2020-12-20 02:59:44 +00:00
commit 43dcd8e508
parent b00d18e592
3 changed files with 433 additions and 0 deletions
--- a/eBones/usr.bin/rkinit/Makefile
+++ b/eBones/usr.bin/rkinit/Makefile
@ -0,0 +1,11 @@
+#	Makefile,v 1.2 1995/01/20 22:08:14 wollman Exp
+
+PROG=	rkinit
+SRCS=	${RKINITOBJDIR}/rkinit_err.h rkinit.c
+CFLAGS+=	-I${KRBOBJDIR} -I${RKINITOBJDIR}
+LDADD+=	-L${RKINITOBJDIR} -lrkinit -L${KRBOBJDIR} -lkrb -L${DESOBJDIR} -ldes
+LDADD+=	-lss -lcom_err
+
+MAN1=	rkinit.1
+
+.include <bsd.prog.mk>
--- a/eBones/usr.bin/rkinit/rkinit.1
+++ b/eBones/usr.bin/rkinit/rkinit.1
@ -0,0 +1,206 @@
+.\" 
+.\" $Header: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v 1.1 1991/12/03 23:21:25 eichin Exp $
+.\" $Source: /local/cvsfiles/kerberos/src/appl/rkinit/man/rkinit.1,v $
+.\" $Author: eichin $
+.\"
+.\"
+.TH RKINIT 1 "November 12, 1989"
+.UC 4
+.SH NAME
+rkinit \- establish kerberos tickets safely on a remote host
+.SH SYNOPSIS
+.B rkinit [ host ]
+[ -p
+.B principal 
+] [ -l 
+.B username
+] [ -k 
+.B kerberos_realm
+] [ -f
+.B ticket_file
+] [ -h
+.B remote_host
+] [ -t
+.B ticket_lifetime 
+] [ 
+.B \-notimeout 
+]
+
+A host name must be specified either as the first command line
+argument or following a \-h flag.  If redundant command line
+arguments are given, the last one to appear takes precedence.
+
+.SH DESCRIPTION
+.I rkinit
+is a program that allows a user to establish kerberos tickets on
+a remote host registered for
+rlogin service.  This can be done without the user's kerberos
+password ever leaving the client machine.
+
+In order to establish tickets remotely
+without the use of something like 
+.I rkinit, 
+one would have to log in to the
+remote host and run 
+.IR kinit (1).
+.I rkinit 
+followed by 
+.I rlogin 
+can be thought of as a safe substitute for
+.I rlogin
+followed 
+.I kinit.
+
+.I rkinit
+uses the same access checking mechanism as 
+.I rlogin.
+That means that 
+.I rkinit 
+can be used to create any tickets for user 
+.I A
+on remote host 
+.I B 
+if and only if 
+.IR A 's
+tickets would entitle a login to 
+.I B.
+This means that one can create remote tickets for himself or for
+another user if he is in that user's .klogin file.
+
+.I rkinit
+understands the following command line options:
+
+.TP 4
+.B \-p \fIprincipal\fR
+If 
+.I principal,
+in the format 
+.I name[.inst][@realm] 
+is specified, the tickets created on the remote host will be the
+tickets indicated by the 
+.I principal
+field.  If this option is not given, the following defaults are
+used: If the user running 
+.I rkinit
+does not have tickets on the client machine, 
+.I rkinit
+will prompt for a password and behave effectively as if the user
+had invoked 
+.I kinit
+on the specified 
+remote host; i.e., 
+the tickets established will be owned on the remote host
+by the user who invoked 
+.I rkinit 
+and will be for the local realm of the
+remote host.
+If the user running 
+.I rkinit
+already has tickets, 
+.I rkinit 
+will prompt for a password and create tickets whose principal
+matches that of the 
+tickets that the user already has.
+
+
+.TP 
+.B \-l \fIusername\fR
+If 
+.I username
+is specified, the ticket file on the remote host will be owned by the
+user 
+.I username.  
+If it is not specified, the tickets will be owned by
+the remote user whose login name matches that of the user invoking
+.I rkinit.
+
+.TP 
+.B \-r \fIrealm\fR
+.I realm
+is used to tell 
+.I rkinit 
+what realm the remote host is in.  This
+option should not usually have to be used since 
+.I rkinit
+uses 
+.IR krb_realmofhost (3)
+to determine the remote host's kerberos realm.  Note that this
+is distinct from realm as specified in 
+.I principal,
+which refers to the realm of the remote tickets.
+
+.TP 
+.B \-f \fIticket_file\fR
+This option is used to specify the name of the ticket file that
+should be used on the remote host.  Note that if you
+specify a location for the ticket file that is other
+than the default, you will have to set the environment variable
+KRBTKFILE to that filename once you get to the remote host in
+order for you to use the tickets.
+If a ticket file is not specified, the tickets will 
+be placed in the 
+default location as specified by 
+.IR tkt_file (3). 
+On a UNIX host, this is /tmp/tkt<uid>, where
+<uid> is the user id of the person who owns the remote ticket file.
+
+.TP 
+.B \-h \fIremote_host\fR
+.I remote host
+is the host on which remote tickets are being obtained.  This
+option can be used in place of specifying the host as the first
+command line argument.
+
+.TP 
+.B \-t \fIticket_lifetime\fR
+.I ticket lifetime
+is the lifetime in minutes of the remote tickets.  If it is not
+specified, the default ticket life time (as defined in krb.h) is
+used. 
+
+.TP 
+.B \-notimeout
+prevents the client from timing out.  This is mainly useful only
+for debugging since the rkinit server also times out.
+
+.SH EXAMPLES
+
+In the following examples, 
+.B tabetha 
+and 
+.B soup 
+are machines in the
+.B ATHENA.MIT.EDU 
+kerberos realm and 
+.B local 
+is a user who can log in
+to 
+.B soup 
+and has 
+.B qjb.root@ATHENA.MIT.EDU 
+in his .klogin file.
+
+
+% rkinit tabetha
+.br
+Kerberos initialization (tabetha)
+.br
+Password for qjb@ATHENA.MIT.EDU:
+.br
+% 
+.br
+
+.br
+% rkinit soup -p qjb.root -l local
+.br
+Kerberos initialization (soup): tickets will be owned by local
+.br
+Password for qjb.root@ATHENA.MIT.EDU:
+.br
+% 
+
+.SH SEE ALSO
+rkinitd(8), kerberos(1), kerberos(3), kinit(1)
+
+.SH AUTHOR
+Emanuel Jay Berkenbilt (MIT-Project Athena)
--- a/eBones/usr.bin/rkinit/rkinit.c
+++ b/eBones/usr.bin/rkinit/rkinit.c
@ -0,0 +1,216 @@
+/* 
+ * $Id: rkinit.c,v 1.1 1993/12/10 18:41:00 dglo Exp gibbs $
+ * $Source: /usr/src/eBones/rkinit/RCS/rkinit.c,v $
+ * $Author: dglo $
+ *
+ * This is an rkinit client
+ */
+
+#if !defined(lint) && !defined(SABER) && !defined(LOCORE) && defined(RCS_HDRS)
+static char *rcsid = "$Id: rkinit.c,v 1.1 1993/12/10 18:41:00 dglo Exp gibbs $";
+#endif /* lint || SABER || LOCORE || RCS_HDRS */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <netdb.h>
+#include <pwd.h>
+#include <krb.h>
+#include <des.h>
+#include <com_err.h>
+
+#include <rkinit.h>
+#include <rkinit_err.h>
+
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+	
+#ifdef __STDC__
+static void usage(void) 
+#else
+static void usage()
+#endif /* __STDC__ */
+{
+    fprintf(stderr,"Usage: rkinit [host] options\n");
+    fprintf(stderr,
+      "Options: [-l username] [-k krb_realm] [-p principal] [-f tktfile]\n");
+    fprintf(stderr, "         [-t lifetime] [-h host] [-notimeout]\n");
+    fprintf(stderr, "A host must be specified either with the -h option ");
+    fprintf(stderr, "or as the first argument.\n");
+	    
+    exit(1);
+}
+
+int
+#ifdef __STDC__
+main(int argc, char *argv[])
+#else
+main(argc, argv)
+  int argc;
+  char *argv[];
+#endif /* __STDC__ */
+{
+    char *whoami;		/* Name of this program */
+
+    char principal[MAX_K_NAME_SZ]; /* Principal for which to get tickets */
+    char *host = NULL;		/* Remote host */
+    char *username = 0;		/* Username of owner of ticket */
+    char r_krealm[REALM_SZ];	/* Kerberos realm of remote host */
+    char aname[ANAME_SZ];	/* Aname of remote ticket file */
+    char inst[INST_SZ];		/* Instance of remote ticket file */
+    char realm[REALM_SZ];	/* Realm of remote ticket file */
+    char *tktfilename = NULL;	/* Name of ticket file on remote host */
+    u_long lifetime = DEFAULT_TKT_LIFE;	/* Lifetime of remote tickets */
+    int timeout = TRUE;		/* Should we time out? */
+    rkinit_info info;		/* Information needed by rkinit */
+
+    struct passwd *localid;	/* To determine local id */
+
+    int status = 0;		/* general error number */
+
+    int i;
+
+    bzero(r_krealm, sizeof(r_krealm));
+    bzero(principal, sizeof(principal));
+    bzero(aname, sizeof(aname));
+    bzero(inst, sizeof(inst));
+    bzero(realm, sizeof(realm));
+
+    /* Parse commandline arguements. */
+    if ((whoami = rindex(argv[0], '/')) == 0)
+	whoami = argv[0];
+    else
+	whoami++;
+
+    if (argc < 2) usage();
+
+    if (argv[1][0] != '-') {
+	host = argv[1];
+	i = 2;
+    }
+    else
+	i = 1;
+
+    for (/* i initialized above */; i < argc; i++) {
+	if (strcmp(argv[i], "-h") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else
+		host = argv[i];
+	}	    
+	else if (strcmp(argv[i], "-l") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else 
+		username = argv[i];
+	}
+	else if (strcmp(argv[i], "-k") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else
+		strncpy(r_krealm, argv[i], sizeof(r_krealm) - 1);
+	}
+	else if (strcmp(argv[i], "-p") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else
+		strncpy(principal, argv[i], sizeof(principal) - 1);
+	}
+	else if (strcmp(argv[i], "-f") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else
+		tktfilename = argv[i];
+	}
+	else if (strcmp(argv[i], "-t") == NULL) {
+	    if (++i >= argc)
+		usage();
+	    else {
+		lifetime = atoi(argv[i])/5;
+		if (lifetime == 0)
+		    lifetime = 1;
+		else if (lifetime > 255)
+		    lifetime = 255;
+	    }
+	}
+	else if (strcmp(argv[i], "-notimeout") == NULL)
+	    timeout = FALSE;
+	else
+	    usage();
+    }
+
+    if (host == NULL)
+	usage();
+
+    /* Initialize the realm of the remote host if necessary */
+    if (r_krealm[0] == 0) {
+	/* 
+	 * Try to figure out the realm of the remote host.  If the
+	 * remote host is unknown, don't worry about it; the library
+	 * will handle the error better and print a good error message.
+	 */
+	struct hostent *hp;
+	if ((hp = gethostbyname(host)))
+	    strcpy(r_krealm, krb_realmofhost(hp->h_name));
+    }
+
+    /* If no username was specified, use local id on client host */
+    if (username == 0) {
+	if ((localid = getpwuid(getuid())) == 0) {
+	    fprintf(stderr, "You can not be found in the password file.\n");
+	    exit(1);
+	}
+	username = localid->pw_name;
+    }
+
+    /* Find out who will go in the ticket file */
+    if (! principal[0]) {
+	if ((status = krb_get_tf_fullname(TKT_FILE, aname, inst, realm)) 
+	    != KSUCCESS) {
+	    /* 
+	     * If user has no ticket file and principal was not specified, 
+	     * we will try to get tickets for username@remote_realm
+	     */
+	    strcpy(aname, username);
+	    strcpy(realm, r_krealm);
+	}
+    }
+    else {
+	if ((status = kname_parse(aname, inst, realm, principal))
+	    != KSUCCESS) {
+	    fprintf(stderr, "%s\n", krb_err_txt[status]);
+	    exit(1);
+	}
+	if (strlen(realm) == 0) {
+	    if (krb_get_lrealm(realm, 1) != KSUCCESS)
+		strcpy(realm, KRB_REALM);
+	}
+    }
+
+    bzero((char *)&info, sizeof(info));
+    
+    strcpy(info.aname, aname);
+    strcpy(info.inst, inst);
+    strcpy(info.realm, realm);
+    strcpy(info.sname, "krbtgt");
+    strcpy(info.sinst, realm);
+    strncpy(info.username, username, sizeof(info.username) - 1);
+    if (tktfilename)
+	strncpy(info.tktfilename, tktfilename, sizeof(info.tktfilename) - 1);
+    info.lifetime = lifetime;
+
+    if ((status = rkinit(host, r_krealm, &info, timeout))) {
+	com_err(whoami, status, "while obtaining remote tickets:");
+	fprintf(stderr, "%s\n", rkinit_errmsg(0));
+	exit(1);
+    }
+
+    exit(0);
+}