7 files changed, 936 insertions, 0 deletions
diff --git a/third_party/heimdal/appl/afsutil/ChangeLog b/third_party/heimdal/appl/afsutil/ChangeLog
new file mode 100644
index 0000000..9825c55
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/ChangeLog
@@ -0,0 +1,125 @@
+2007-04-11  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pagsh.1,afslog.1: - options must be lexicographically ordered;
+	  again, options without arguments must be placed before options
+	  with arguments.  - manual page cross references are done using
+	  the macro `.Xr', not the macro `.Nm' (used for command names
+	  instead).
+	
+	From Igor Sobrado.
+	
+2006-10-07  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: Add man_MANS to EXTRA_DIST
+	
+2006-01-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.1: Document options to allow select principal or
+	credential cache when doing afslog.
+
+	* afslog.c: Add options to allow select principal or credential
+	cache when doing afslog.
+	
+2005-02-12  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* Makefile.am: man_MANS += pagsh.1
+
+	* pagsh.c: add --cache-type that allows the user to control the
+	resulting credential cache type, inherit the type from the
+	invoking process
+
+	* pagsh.1: manpage for pagsh
+
+2004-09-03  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c: use negative string help string for arg_negative_flag
+	Pointed out by Harald Barth
+	
+2004-07-27  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* pagsh.c: use setprogname, if we stripped off -c, try use the
+	fallback code
+	
+2003-10-14  Johan Danielsson  <joda@pdc.kth.se>
+
+	* pagsh.c: mkstemp formats must end in exactly six X's
+
+2003-07-15  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c (do_afslog): is cell is unset, set it "<default cell>"
+	for error printing
+
+	* pagsh.c: unconditionally set KRBTKFILE
+	
+2003-04-23  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c (log_func): drop the error number
+	
+2003-04-14  Love Hörnquist Åstrand  <lha@it.su.se>
+
+	* afslog.c: set kafs log function if verbose is turned on
+	
+2003-03-18  Love Hörnquist Åstrand  <lha@it.su.se>
+	
+	* Makefile.am (LDADD): use LIB_kafs
+	
+	* afslog.1: --no-v4, --no-v5
+	
+	* Makefile.am: always build afsutils now
+	
+	* afslog.c: make build without KRB4
+	
+2002-11-26  Johan Danielsson  <joda@pdc.kth.se>
+
+	* afslog.c: remove plural form in help string
+
+	* Makefile.am: add afslog manpage
+
+	* afslog.1: manpage
+
+	* afslog.c: try more files when trying to expand a cell name
+
+	* afslog.c: create a list of cells to get tokens for, before
+	actually doing anything, and try to get tokens via krb4 if krb5
+	fails, and give it a chance to work with krb4-only; also some bug
+	fixes, partially from Tomas Olsson.
+
+2002-08-23  Assar Westerlund  <assar@kth.se>
+
+	* pagsh.c: make it handle --version/--help
+
+2001-05-17  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): call free_getarg_strings
+
+2000-12-31  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (main): handle krb5_init_context failure consistently
+
+2000-12-25  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c: clarify usage strings
+
+1999-08-04  Assar Westerlund  <assar@sics.se>
+
+	* pagsh.c (main): use mkstemp to generate temporary file names.
+  	From Miroslav Ruda <ruda@ics.muni.cz>
+
+1999-07-04  Assar Westerlund  <assar@sics.se>
+
+	* afslog.c (expand_cell_name): terminate on #.  From Miroslav Ruda
+ 	<ruda@ics.muni.cz>
+
+1999-06-27  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am (bin_PROGRAMS): only include pagsh if KRB4
+
+1999-06-26  Assar Westerlund  <assar@sics.se>
+
+	* Makefile.am: add pagsh
+
+	* pagsh.c: new file.  contributed by Miroslav Ruda <ruda@ics.muni.cz>
+
+Sat Mar 27 12:49:43 1999  Johan Danielsson  <joda@blubb.pdc.kth.se>
+
+	* afslog.c: cleanup option parsing
diff --git a/third_party/heimdal/appl/afsutil/Makefile.am b/third_party/heimdal/appl/afsutil/Makefile.am
new file mode 100644
index 0000000..705bdf1
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/Makefile.am
@@ -0,0 +1,19 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+bin_PROGRAMS = afslog pagsh
+
+afslog_SOURCES = afslog.c
+
+pagsh_SOURCES  = pagsh.c
+
+man_MANS = afslog.1 pagsh.1
+
+LDADD = $(LIB_kafs) \
+	$(top_builddir)/lib/krb5/libkrb5.la \
+	$(top_builddir)/lib/asn1/libasn1.la \
+	$(LIB_hcrypto) \
+	$(LIB_roken)
+
+EXTRA_DIST = NTMakefile $(man_MANS)
diff --git a/third_party/heimdal/appl/afsutil/NTMakefile b/third_party/heimdal/appl/afsutil/NTMakefile
new file mode 100644
index 0000000..f1f696c
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/NTMakefile
@@ -0,0 +1,35 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+# 
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+# 
+# - Redistributions of source code must retain the above copyright
+#   notice, this list of conditions and the following disclaimer.
+# 
+# - Redistributions in binary form must reproduce the above copyright
+#   notice, this list of conditions and the following disclaimer in
+#   the documentation and/or other materials provided with the
+#   distribution.
+# 
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# 
+
+RELDIR=appl\afsutil 
+
+!include ../../windows/NTMakefile.w32 
+
diff --git a/third_party/heimdal/appl/afsutil/afslog.1 b/third_party/heimdal/appl/afsutil/afslog.1
new file mode 100644
index 0000000..779d9cd
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/afslog.1
@@ -0,0 +1,147 @@
+.\" Copyright (c) 2002 - 2007 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd November 26, 2002
+.Dt AFSLOG 1
+.Os HEIMDAL
+.Sh NAME
+.Nm afslog
+.Nd obtain AFS tokens
+.Sh SYNOPSIS
+.Nm
+.Op Fl h | Fl Fl help
+.Op Fl Fl no-v5
+.Op Fl u | Fl Fl unlog
+.Op Fl v | Fl Fl verbose
+.Op Fl Fl version
+.Oo Fl c Ar cell \*(Ba Xo
+.Fl Fl cell= Ns Ar cell
+.Xc
+.Oc
+.Oo Fl k Ar realm \*(Ba Xo
+.Fl Fl realm= Ns Ar realm
+.Xc
+.Oc
+.Oo Fl P Ar principal \*(Ba Xo
+.Fl Fl principal= Ns Ar principal
+.Xc
+.Oc
+.Bk -words
+.Oo Fl p Ar path \*(Ba Xo
+.Fl Fl file= Ns Ar path
+.Xc
+.Oc
+.Ek
+.Op Ar cell | path ...
+.Sh DESCRIPTION
+.Nm
+obtains AFS tokens for a number of cells. What cells to get tokens for
+can either be specified as an explicit list, as file paths to get
+tokens for, or be left unspecified, in which case
+.Nm
+will use whatever magic
+.Xr krb_afslog 3
+decides upon.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl Fl no-v5
+This makes
+.Nm
+not try using Kerberos 5.
+.It Xo
+.Fl P Ar principal ,
+.Fl Fl principal Ar principal
+.Xc
+select what Kerberos 5 principal to use.
+.It Fl Fl cache Ar cache
+select what Kerberos 5 credential cache to use.
+.Fl Fl principal
+overrides this option.
+.It Xo
+.Fl u ,
+.Fl Fl unlog
+.Xc
+Destroy tokens instead of obtaining new. If this is specified, all
+other options are ignored (except for
+.Fl Fl help
+and
+.Fl Fl version ) .
+.It Xo
+.Fl v ,
+.Fl Fl verbose
+.Xc
+Adds more verbosity for what is actually going on.
+.It Xo
+.Fl c Ar cell,
+.Fl Fl cell= Ns Ar cell
+.Xc
+This specified one or more cell names to get tokens for.
+.It Xo
+.Fl k Ar realm ,
+.Fl Fl realm= Ns Ar realm
+.Xc
+This is the Kerberos realm the AFS servers live in, this should
+normally not be specified.
+.It Xo
+.Fl p Ar path ,
+.Fl Fl file= Ns Ar path
+.Xc
+This specified one or more file paths for which tokens should be
+obtained.
+.El
+.Pp
+Instead of using
+.Fl c
+and
+.Fl p ,
+you may also pass a list of cells and file paths after any other
+options. These arguments are considered files if they are either
+the strings
+.Do . Dc
+or
+.Dq ..
+or they contain a slash, or if there exists a file by that name.
+.Sh EXAMPLES
+Assuming that there is no file called
+.Dq openafs.org
+in the current directory, and that
+.Pa /afs/openafs.org
+points to that cell, the follwing should be identical:
+.Bd -literal -offset indent
+$ afslog -c openafs.org
+$ afslog openafs.org
+$ afslog /afs/openafs.org/some/file
+.Ed
+.Sh SEE ALSO
+.Xr krb_afslog 3
diff --git a/third_party/heimdal/appl/afsutil/afslog.c b/third_party/heimdal/appl/afsutil/afslog.c
new file mode 100644
index 0000000..05078ee
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/afslog.c
@@ -0,0 +1,303 @@
+/*
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id$");
+#endif
+#include <ctype.h>
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include <kafs.h>
+#include <roken.h>
+#include <getarg.h>
+#include <err.h>
+
+static int help_flag;
+static int version_flag;
+static getarg_strings cells;
+static char *realm;
+static getarg_strings files;
+static int unlog_flag;
+static int verbose;
+#ifdef KRB5
+static char *client_string;
+static char *cache_string;
+static int use_krb5 = 1;
+#endif
+
+struct getargs args[] = {
+    { "cell",	'c', arg_strings, &cells, "cells to get tokens for", "cell" },
+    { "file",	'p', arg_strings, &files, "files to get tokens for", "path" },
+    { "realm",	'k', arg_string, &realm, "realm for afs cell", "realm" },
+    { "unlog",	'u', arg_flag, &unlog_flag, "remove tokens", NULL },
+#ifdef KRB5
+    { "principal",'P',arg_string,&client_string,"principal to use","principal"},
+    { "cache",   0,  arg_string, &cache_string, "ccache to use", "cache"},
+    { "v5",	 0,  arg_negative_flag, &use_krb5, "don't use Kerberos 5",
+      NULL },
+#endif
+    { "verbose",'v', arg_flag, &verbose, NULL, NULL },
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
+};
+
+static int num_args = sizeof(args) / sizeof(args[0]);
+
+#ifdef KRB5
+krb5_context context;
+krb5_ccache id;
+#endif
+
+static const char *
+expand_one_file(FILE *f, const char *cell)
+{
+    static char buf[1024];
+    char *p;
+
+    while (fgets (buf, sizeof(buf), f) != NULL) {
+	if(buf[0] == '>') {
+	    for(p = buf; *p && !isspace((unsigned char)*p) && *p != '#'; p++)
+		;
+	    *p = '\0';
+	    if(strncmp(buf + 1, cell, strlen(cell)) == 0)
+		return buf + 1;
+	}
+	buf[0] = '\0';
+    }
+    return NULL;
+}
+
+static const char *
+expand_cell_name(const char *cell)
+{
+    FILE *f;
+    const char *c;
+    const char **fn, *fns[] = { _PATH_CELLSERVDB,
+				_PATH_ARLA_CELLSERVDB,
+				_PATH_OPENAFS_DEBIAN_CELLSERVDB,
+				_PATH_ARLA_DEBIAN_CELLSERVDB,
+				NULL };
+    for(fn = fns; *fn; fn++) {
+	f = fopen(*fn, "r");
+	if(f == NULL)
+	    continue;
+	c = expand_one_file(f, cell);
+	fclose(f);
+	if(c)
+	    return c;
+    }
+    return NULL;
+}
+
+static void
+usage(int ecode)
+{
+    arg_printusage(args, num_args, NULL, "[cell|path]...");
+    exit(ecode);
+}
+
+struct cell_list {
+    char *cell;
+    struct cell_list *next;
+} *cell_list;
+
+static int
+afslog_cell(const char *cell, int expand)
+{
+    struct cell_list *p, **q;
+    const char *c = cell;
+    if(expand){
+	c = expand_cell_name(cell);
+	if(c == NULL){
+	    warnx("No cell matching \"%s\" found.", cell);
+	    return -1;
+	}
+	if(verbose && strcmp(c, cell) != 0)
+	    warnx("Cell \"%s\" expanded to \"%s\"", cell, c);
+    }
+    /* add to list of cells to get tokens for, and also remove
+       duplicates; the actual afslog takes place later */
+    for(p = cell_list, q = &cell_list; p; q = &p->next, p = p->next)
+	if(strcmp(p->cell, c) == 0)
+	    return 0;
+    p = malloc(sizeof(*p));
+    if(p == NULL)
+	return -1;
+    p->cell = strdup(c);
+    if(p->cell == NULL) {
+	free(p);
+	return -1;
+    }
+    p->next = NULL;
+    *q = p;
+    return 0;
+}
+
+static int
+afslog_file(const char *path)
+{
+    char cell[64];
+    if(k_afs_cell_of_file(path, cell, sizeof(cell))){
+	warnx("No cell found for file \"%s\".", path);
+	return -1;
+    }
+    if(verbose)
+	warnx("File \"%s\" lives in cell \"%s\"", path, cell);
+    return afslog_cell(cell, 0);
+}
+
+static int
+do_afslog(const char *cell)
+{
+    int k5ret;
+
+    k5ret = 0;
+
+#ifdef KRB5
+    if(context != NULL && id != NULL && use_krb5) {
+	k5ret = krb5_afslog(context, id, cell, realm);
+	if(k5ret == 0)
+	    return 0;
+    }
+#endif
+    if (cell == NULL)
+	cell = "<default cell>";
+#ifdef KRB5
+    if (k5ret)
+	krb5_warn(context, k5ret, "krb5_afslog(%s)", cell);
+#endif
+    if (k5ret)
+	return 1;
+    return 0;
+}
+
+static void
+log_func(void *ctx, const char *str)
+{
+    fprintf(stderr, "%s\n", str);
+}
+
+int
+main(int argc, char **argv)
+{
+    int optidx = 0;
+    int i;
+    int num;
+    int ret = 0;
+    int failed = 0;
+    struct cell_list *p;
+
+    setprogname(argv[0]);
+
+    if(getarg(args, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    if(!k_hasafs())
+	errx(1, "AFS does not seem to be present on this machine");
+
+    if(unlog_flag){
+	k_unlog();
+	exit(0);
+    }
+#ifdef KRB5
+    ret = krb5_init_context(&context);
+    if (ret) {
+	context = NULL;
+    } else {
+	if (client_string) {
+	    krb5_principal client;
+
+	    ret = krb5_parse_name(context, client_string, &client);
+	    if (ret == 0)
+		ret = krb5_cc_cache_match(context, client, &id);
+	    if (ret)
+		id = NULL;
+	}
+	if (id == NULL && cache_string) {
+	    if(krb5_cc_resolve(context, cache_string, &id) != 0) {
+		krb5_warnx(context, "failed to open kerberos 5 cache '%s'",
+			   cache_string);
+		id = NULL;
+	    }
+	}
+	if (id == NULL)
+	    if(krb5_cc_default(context, &id) != 0)
+		id = NULL;
+    }
+#endif
+
+    if (verbose)
+	kafs_set_verbose(log_func, NULL);
+
+    num = 0;
+    for(i = 0; i < files.num_strings; i++){
+	afslog_file(files.strings[i]);
+	num++;
+    }
+    free_getarg_strings (&files);
+    for(i = 0; i < cells.num_strings; i++){
+	afslog_cell(cells.strings[i], 1);
+	num++;
+    }
+    free_getarg_strings (&cells);
+    for(i = optidx; i < argc; i++){
+	num++;
+	if(strcmp(argv[i], ".") == 0 ||
+	   strcmp(argv[i], "..") == 0 ||
+	   strchr(argv[i], '/') ||
+	   access(argv[i], F_OK) == 0)
+	    afslog_file(argv[i]);
+	else
+	    afslog_cell(argv[i], 1);
+    }
+    if(num == 0) {
+	if(do_afslog(NULL))
+	    failed++;
+    } else
+	for(p = cell_list; p; p = p->next) {
+	    if(verbose)
+		warnx("Getting tokens for cell \"%s\"", p->cell);
+	    if(do_afslog(p->cell))
+		failed++;
+    }
+
+    return failed;
+}
diff --git a/third_party/heimdal/appl/afsutil/pagsh.1 b/third_party/heimdal/appl/afsutil/pagsh.1
new file mode 100644
index 0000000..3c1fd96
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/pagsh.1
@@ -0,0 +1,94 @@
+.\" Copyright (c) 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd February 12, 2005
+.Dt PAGSH 1
+.Os
+.Sh NAME
+.Nm pagsh
+.Nd creates a new credential cache sandbox
+.Sh SYNOPSIS
+.Nm
+.Op Fl c Ar command-string
+.Op Fl h | Fl Fl help
+.Op Fl Fl version
+.Op Fl Fl cache-type= Ns Ar string
+.Ar command [args...]
+.Sh DESCRIPTION
+Supported options:
+.Bl -tag -width Ds
+.It Xo
+.Fl c Ar command-string
+Executes command(s) contained in
+.Ar command-string .
+.Xc
+.It Xo
+.Fl Fl cache-type= Ns Ar string
+.Xc
+.It Xo
+.Fl h ,
+.Fl Fl help
+.Xc
+.It Xo
+.Fl Fl version
+.Xc
+.El
+.Pp
+.Nm
+creates a new credential cache sandbox for the user to live in.
+If AFS is installed on the computer, the user is put in a newly
+created Process Authentication Group (PAG).
+.Pp
+For Kerberos 5, the credential cache type that is used is the same as
+the credential cache type that was used at the time of
+.Nm
+invocation.
+The credential cache type can be controlled by the option
+.Fl Fl cache-type .
+.Sh EXAMPLES
+Create a new sandbox where new credentials can be used, while the old
+credentials can be used by other processes.
+.Bd -literal -offset indent
+$ klist
+Credentials cache: FILE:/tmp/krb5cc_913
+        Principal: lha@E.KTH.SE
+
+  Issued           Expires          Principal
+Feb 12 10:08:31  Feb 12 20:06:36  krbtgt/E.KTH.SE@E.KTH.SE
+$ pagsh
+$ klist
+klist: No ticket file: /tmp/krb5cc_03014a
+.Ed
+.Sh SEE ALSO
+.Xr afslog 1 ,
+.Xr kinit 1
diff --git a/third_party/heimdal/appl/afsutil/pagsh.c b/third_party/heimdal/appl/afsutil/pagsh.c
new file mode 100644
index 0000000..377ac61
--- /dev/null
+++ b/third_party/heimdal/appl/afsutil/pagsh.c
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 1995 - 2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+RCSID("$Id$");
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#include <time.h>
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+
+#ifdef KRB5
+#include <krb5.h>
+#endif
+#include <kafs.h>
+
+#include <err.h>
+#include <roken.h>
+#include <getarg.h>
+
+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp/tkt"
+#endif
+
+static int help_flag;
+static int version_flag;
+static int c_flag;
+#ifdef KRB5
+static char *typename_arg;
+#endif
+
+struct getargs getargs[] = {
+    { NULL,	'c', arg_flag, &c_flag, NULL, NULL },
+#ifdef KRB5
+    { "cache-type", 0,  arg_string, &typename_arg, NULL, NULL },
+#endif
+    { "version", 0,  arg_flag, &version_flag, NULL, NULL },
+    { "help",	'h', arg_flag, &help_flag, NULL, NULL },
+};
+
+static int num_args = sizeof(getargs) / sizeof(getargs[0]);
+
+static void
+usage(int ecode)
+{
+    arg_printusage(getargs, num_args, NULL, "command [args...]");
+    exit(ecode);
+}
+
+/*
+ * Run command with a new ticket file / credentials cache / token
+ */
+
+int
+main(int argc, char **argv)
+{
+    int f;
+    char tf[1024];
+    char shellbuf[MAX_PATH];
+    char *p;
+
+    char *path;
+    char **args;
+    unsigned int i;
+    int optidx = 0;
+
+    setprogname(argv[0]);
+    if(getarg(getargs, num_args, argc, argv, &optidx))
+	usage(1);
+    if(help_flag)
+	usage(0);
+    if(version_flag) {
+	print_version(NULL);
+	exit(0);
+    }
+
+    argc -= optidx;
+    argv += optidx;
+
+#ifdef KRB5
+    {
+	krb5_error_code ret;
+	krb5_context context;
+	krb5_ccache id;
+	const char *name;
+
+	ret = krb5_init_context(&context);
+	if (ret) /* XXX should this really call exit ? */
+	    errx(1, "no kerberos 5 support");
+
+	ret = krb5_cc_new_unique(context, typename_arg, NULL, &id);
+	if (ret)
+	    krb5_err(context, 1, ret, "Failed generating credential cache");
+
+	name = krb5_cc_get_name(context, id);
+	if (name == NULL)
+	    krb5_errx(context, 1, "Generated credential cache have no name");
+
+	snprintf(tf, sizeof(tf), "%s:%s", krb5_cc_get_type(context, id), name);
+
+	ret = krb5_cc_close(context, id);
+	if (ret)
+	    krb5_err(context, 1, ret, "Failed closing credential cache");
+
+	krb5_free_context(context);
+
+	esetenv("KRB5CCNAME", tf, 1);
+    }
+#endif
+
+    snprintf (tf, sizeof(tf), "%s_XXXXXX", TKT_ROOT);
+    f = mkstemp (tf);
+    if (f < 0)
+	err(1, "mkstemp failed");
+    close (f);
+    unlink (tf);
+    esetenv("KRBTKFILE", tf, 1);
+
+    i = 0;
+
+    args = (char **) malloc((argc + 10)*sizeof(char *));
+    if (args == NULL)
+	errx (1, "Out of memory allocating %lu bytes",
+	      (unsigned long)((argc + 10)*sizeof(char *)));
+
+    if(*argv == NULL) {
+        if (roken_get_shell(shellbuf, sizeof(shellbuf)) != NULL)
+            path = strdup(shellbuf);
+        else
+            path = strdup("/bin/sh");
+    } else {
+	path = strdup(*argv++);
+    }
+    if (path == NULL)
+	errx (1, "Out of memory copying path");
+
+    p=strrchr(path, '/');
+    if(p)
+	args[i] = strdup(p+1);
+    else
+	args[i] = strdup(path);
+
+    if (args[i++] == NULL)
+	errx (1, "Out of memory copying arguments");
+
+    while(*argv)
+	args[i++] = *argv++;
+
+    args[i++] = NULL;
+
+    if(k_hasafs())
+	k_setpag();
+
+    unsetenv("PAGPID");
+    execvp(path, args);
+    if (errno == ENOENT || c_flag) {
+	char **sh_args = malloc ((i + 2) * sizeof(char *));
+	unsigned int j;
+
+	if (sh_args == NULL)
+	    errx (1, "Out of memory copying sh arguments");
+	for (j = 1; j < i; ++j)
+	    sh_args[j + 2] = args[j];
+	sh_args[0] = "sh";
+	sh_args[1] = "-c";
+	sh_args[2] = path;
+	execv ("/bin/sh", sh_args);
+    }
+    err (1, "execvp");
+}