krb5_passwd.c revision 1.3
1 /* $NetBSD: krb5_passwd.c,v 1.3 1997/01/07 04:08:15 tls Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #ifndef lint 37 #if 0 38 static char sccsid[] = "from: @(#)krb_passwd.c 5.4 (Berkeley) 3/1/91"; 39 #else 40 static char rcsid[] = "$NetBSD: krb5_passwd.c,v 1.3 1997/01/07 04:08:15 tls Exp $"; 41 #endif 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 46 #include <sys/types.h> 47 #include <sys/socket.h> 48 #include <sys/time.h> 49 #include <sys/resource.h> 50 #include <netinet/in.h> 51 #include <netdb.h> 52 #include <signal.h> 53 #include <pwd.h> 54 #include <errno.h> 55 #include <stdio.h> 56 #include <string.h> 57 #include <stdlib.h> 58 #include <krb5/adm_defs.h> 59 #include <krb5/krb5.h> 60 #include <krb5/kdb.h> 61 #include <krb5/kdb_dbm.h> 62 #include <krb5/ext-proto.h> 63 #include <krb5/los-proto.h> 64 #include <krb5/asn1.h> 65 #include <krb5/config.h> 66 #include <krb5/base-defs.h> 67 #include <krb5/asn.1/encode.h> 68 69 #include <krb5/widen.h> 70 71 #include <krb5/adm_err.h> 72 #include <krb5/errors.h> 73 #include <krb5/kdb5_err.h> 74 #include <krb5/krb5_err.h> 75 76 static krb5_error_code get_first_ticket __P((krb5_ccache, krb5_principal)); 77 static krb5_error_code print_and_choose_password __P((char *, krb5_data *)); 78 static krb5_error_code adm5_init_link __P((krb5_data *, int *)); 79 80 struct sockaddr_in local_sin, remote_sin; 81 82 krb5_creds my_creds; 83 84 extern char *krb5_default_pwd_prompt1; 85 86 /* 87 * Try no preauthentication first; then try the encrypted timestamp 88 */ 89 int preauth_search_list[] = { 90 0, 91 KRB5_PADATA_ENC_TIMESTAMP, 92 -1 93 }; 94 95 int 96 krb_passwd() 97 { 98 static void finish(); 99 krb5_ccache cache = NULL; 100 char cache_name[255]; 101 krb5_flags cc_flags; 102 krb5_address local_addr, foreign_addr; 103 struct passwd *pw; 104 krb5_principal client, server; 105 char default_name[256]; 106 char *client_name; /* Single string representation of client id */ 107 krb5_data requested_realm; 108 char *local_realm; 109 char input_string[768]; 110 krb5_error_code retval; /* return code */ 111 int local_socket; 112 int c, count; 113 krb5_error *err_ret; 114 krb5_ap_rep_enc_part *rep_ret; 115 kadmin_requests rd_priv_resp; 116 krb5_checksum send_cksum; 117 int cksum_alloc = 0; 118 krb5_data msg_data, inbuf; 119 krb5_int32 seqno; 120 char *new_password; 121 int new_pwsize; 122 krb5_data *decodable_pwd_string; 123 int i, j; 124 static struct rlimit rl = { 0, 0 }; 125 126 #ifdef KRB_NONETWORK 127 extern int networked(); 128 int krb_secure; 129 struct stat statbuf; 130 #endif 131 132 #ifdef KRB_NONETWORK /* Allow or Disallow Remote Clients to Modify Passwords */ 133 /* 134 * If a Client Modifies a Password using kpasswd on this host 135 * from a remote host or network terminal, the Password selected 136 * is transmitted across the network in Cleartext. 137 * 138 * The systems administrator can disallow "remote" kpasswd usage by 139 * creating the file "/etc/krb.secure" 140 */ 141 krb_secure = 0; 142 /* 143 * First check to see if the file /etc/krb.secure exists. 144 * If it does then krb_secure to 1. 145 */ 146 147 if (stat("/etc/krb.secure", &statbuf) == 0) krb_secure = 1; 148 149 /* 150 * Check to see if this process is tied to a physical terminal. 151 * Network() verifies the terminal device is not a pseudo tty 152 */ 153 if (networked() && krb_secure) { 154 fprintf(stderr,"passwd: Sorry but you cannot %s from a\n", argv[0]); 155 fprintf(stderr," pseudo tty terminal.\n"); 156 retval = 1; 157 goto finish; 158 } 159 #endif 160 161 /* (3 * 255) + 1 (/) + 1 (@) + 1 (NULL) */ 162 if ((client_name = (char *) calloc (1, (3 * 256))) == NULL) { 163 fprintf(stderr, "passwd: No Memory for Client_name\n"); 164 retval = 1; 165 goto finish; 166 } 167 168 if ((requested_realm.data = (char *) calloc (1, 256)) == NULL) { 169 fprintf(stderr, "passwd: No Memory for realm_name\n"); 170 retval = 1; 171 free(client_name); 172 goto finish; 173 } 174 175 (void)signal(SIGHUP, SIG_IGN); 176 (void)signal(SIGINT, SIG_IGN); 177 (void)signal(SIGTSTP, SIG_IGN); 178 179 if (setrlimit(RLIMIT_CORE, &rl) < 0) { 180 (void)fprintf(stderr, 181 "passwd: setrlimit: %s\n", strerror(errno)); 182 return(1); 183 } 184 185 krb5_init_ets(); 186 memset((char *) default_name, 0, sizeof(default_name)); 187 188 /* Identify Default Credentials Cache */ 189 if ((retval = krb5_cc_default(&cache))) { 190 fprintf(stderr, "passwd: Error while getting default ccache.\n"); 191 goto finish; 192 } 193 194 /* 195 * Attempt to Modify Credentials Cache 196 * retval == 0 ==> ccache Exists - Use It 197 * retval == ENOENT ==> No Entries, but ccache Exists 198 * retval != 0 ==> Assume ccache does NOT Exist 199 */ 200 cc_flags = 0; 201 if ((retval = krb5_cc_set_flags(cache, cc_flags))) { 202 /* Search passwd file for client */ 203 pw = getpwuid((int) getuid()); 204 if (pw) { 205 (void) strcpy(default_name, pw->pw_name); 206 } 207 else { 208 fprintf(stderr, 209 "passwd: Unable to Identify Customer from Password File\n"); 210 retval = 1; 211 goto finish; 212 } 213 214 /* Use this to get default_realm and format client_name */ 215 if ((retval = krb5_parse_name(default_name, &client))) { 216 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 217 goto finish; 218 } 219 220 if ((retval = krb5_unparse_name(client, &client_name))) { 221 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 222 goto finish; 223 } 224 225 requested_realm.length = client->realm.length; 226 memcpy((char *) requested_realm.data, 227 (char *) client->realm.data, 228 requested_realm.length); 229 } 230 else { 231 /* Read Client from Cache */ 232 if ((retval = krb5_cc_get_principal(cache, (krb5_principal *) &client))) { 233 fprintf(stderr, "passwd: Unable to Read Customer Credentials File\n"); 234 goto finish; 235 } 236 237 if ((retval = krb5_unparse_name(client, &client_name))) { 238 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 239 goto finish; 240 } 241 242 requested_realm.length = client->realm.length; 243 memcpy((char *) requested_realm.data, 244 (char *) client->realm.data, 245 requested_realm.length); 246 247 (void) krb5_cc_close(cache); 248 } 249 250 /* Create credential cache for changepw */ 251 (void) sprintf(cache_name, "FILE:/tmp/tkt_cpw_%d", getpid()); 252 253 if ((retval = krb5_cc_resolve(cache_name, &cache))) { 254 fprintf(stderr, "passwd: Unable to Resolve Cache: %s\n", cache_name); 255 } 256 257 if ((retval = krb5_cc_initialize(cache, client))) { 258 fprintf(stderr, "passwd: Error initializing cache: %s\n", cache_name); 259 goto finish; 260 } 261 262 /* 263 * Verify User by Obtaining Initial Credentials prior to Initial Link 264 */ 265 if ((retval = get_first_ticket(cache, client))) { 266 goto finish; 267 } 268 269 /* Initiate Link to Server */ 270 if ((retval = adm5_init_link(&requested_realm, &local_socket))) { 271 goto finish; 272 } 273 274 #define SIZEOF_INADDR sizeof(struct in_addr) 275 276 /* V4 kpasswd Protocol Hack */ 277 { 278 int msg_length = 0; 279 280 retval = krb5_net_write(local_socket, (char *) &msg_length + 2, 2); 281 if (retval < 0) { 282 fprintf(stderr, "passwd: krb5_net_write failure\n"); 283 goto finish; 284 } 285 } 286 287 local_addr.addrtype = ADDRTYPE_INET; 288 local_addr.length = SIZEOF_INADDR ; 289 local_addr.contents = (krb5_octet *)&local_sin.sin_addr; 290 291 foreign_addr.addrtype = ADDRTYPE_INET; 292 foreign_addr.length = SIZEOF_INADDR ; 293 foreign_addr.contents = (krb5_octet *)&remote_sin.sin_addr; 294 295 /* compute checksum, using CRC-32 */ 296 if (!(send_cksum.contents = (krb5_octet *) 297 malloc(krb5_checksum_size(CKSUMTYPE_CRC32)))) { 298 fprintf(stderr, "passwd: Insufficient Memory while Allocating Checksum\n"); 299 goto finish; 300 } 301 cksum_alloc++; 302 /* choose some random stuff to compute checksum from */ 303 if (retval = krb5_calculate_checksum(CKSUMTYPE_CRC32, 304 ADM_CPW_VERSION, 305 strlen(ADM_CPW_VERSION), 306 0, 307 0, /* if length is 0, crc-32 doesn't 308 use the seed */ 309 &send_cksum)) { 310 fprintf(stderr, "Error while Computing Checksum: %s\n", 311 error_message(retval)); 312 goto finish; 313 } 314 315 /* call Kerberos library routine to obtain an authenticator, 316 pass it over the socket to the server, and obtain mutual 317 authentication. */ 318 319 if ((retval = krb5_sendauth((krb5_pointer) &local_socket, 320 ADM_CPW_VERSION, 321 my_creds.client, 322 my_creds.server, 323 AP_OPTS_MUTUAL_REQUIRED, 324 &send_cksum, 325 0, 326 cache, 327 &seqno, 328 0, /* don't need a subsession key */ 329 &err_ret, 330 &rep_ret))) { 331 fprintf(stderr, "passwd: Error while performing sendauth: %s\n", 332 error_message(retval)); 333 goto finish; 334 } 335 336 /* Get credentials : to use for safe and private messages */ 337 if (retval = krb5_get_credentials(0, cache, &my_creds)){ 338 fprintf(stderr, "passwd: Error Obtaining Credentials: %s\n", 339 error_message(retval)); 340 goto finish; 341 } 342 343 /* Read back what the server has to say... */ 344 if (retval = krb5_read_message(&local_socket, &inbuf)){ 345 fprintf(stderr, "passwd: Read Message Error: %s\n", 346 error_message(retval)); 347 goto finish; 348 } 349 if ((inbuf.length != 2) || (inbuf.data[0] != KADMIND) || 350 (inbuf.data[1] != KADMSAG)){ 351 fprintf(stderr, "passwd: Invalid ack from admin server.\n"); 352 goto finish; 353 } 354 355 inbuf.data[0] = KPASSWD; 356 inbuf.data[1] = CHGOPER; 357 inbuf.length = 2; 358 359 if ((retval = krb5_mk_priv(&inbuf, 360 ETYPE_DES_CBC_CRC, 361 &my_creds.keyblock, 362 &local_addr, 363 &foreign_addr, 364 seqno, 365 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 366 0, 367 0, 368 &msg_data))) { 369 fprintf(stderr, "passwd: Error during First Message Encoding: %s\n", 370 error_message(retval)); 371 goto finish; 372 } 373 free(inbuf.data); 374 375 /* write private message to server */ 376 if (krb5_write_message(&local_socket, &msg_data)){ 377 fprintf(stderr, "passwd: Write Error During First Message Transmission\n"); 378 retval = 1; 379 goto finish; 380 } 381 free(msg_data.data); 382 383 (void)signal(SIGHUP, finish); 384 (void)signal(SIGINT, finish); 385 386 #ifdef MACH_PASS /* Machine-generated Passwords */ 387 /* Ok Now let's get the private message */ 388 if (retval = krb5_read_message(&local_socket, &inbuf)){ 389 fprintf(stderr, "passwd: Read Error During First Reply: %s\n", 390 error_message(retval)); 391 retval = 1; 392 goto finish; 393 } 394 395 if ((retval = krb5_rd_priv(&inbuf, 396 &my_creds.keyblock, 397 &foreign_addr, 398 &local_addr, 399 rep_ret->seq_number, 400 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 401 0, 402 0, 403 &msg_data))) { 404 fprintf(stderr, "passwd: Error during First Read Decoding: %s\n", 405 error_message(retval)); 406 goto finish; 407 } 408 free(inbuf.data); 409 #endif 410 411 if ((new_password = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == NULL) { 412 fprintf(stderr, "passwd: Unable to Allocate Space for New Password\n"); 413 goto finish; 414 } 415 416 #ifdef MACH_PASS /* Machine-generated passwords */ 417 /* Offer Client Password Choices */ 418 if ((retval = print_and_choose_password(new_password, 419 &msg_data))) { 420 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 421 free(new_password); 422 goto finish; 423 } 424 #else 425 new_pwsize = ADM_MAX_PW_LENGTH+1; 426 if ((retval = krb5_read_password("New Kerberos password: ", 427 "Retype new Kerberos password: ", 428 new_password, 429 &new_pwsize))) { 430 fprintf(stderr, "\nError while reading new password for '%s'\n", 431 client_name); 432 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 433 free(new_password); 434 goto finish; 435 } 436 #endif 437 438 inbuf.data = new_password; 439 inbuf.length = strlen(new_password); 440 441 if ((retval = krb5_mk_priv(&inbuf, 442 ETYPE_DES_CBC_CRC, 443 &my_creds.keyblock, 444 &local_addr, 445 &foreign_addr, 446 seqno, 447 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 448 0, 449 0, 450 &msg_data))) { 451 fprintf(stderr, "passwd: Error during Second Message Encoding: %s\n", 452 error_message(retval)); 453 goto finish; 454 } 455 memset(inbuf.data,0,inbuf.length); 456 free(inbuf.data); 457 458 /* write private message to server */ 459 if (krb5_write_message(&local_socket, &msg_data)){ 460 fprintf(stderr, "passwd: Write Error During Second Message Transmission\n"); 461 retval = 1; 462 goto finish; 463 } 464 free(msg_data.data); 465 466 /* Ok Now let's get the private message */ 467 if (retval = krb5_read_message(&local_socket, &inbuf)){ 468 fprintf(stderr, "passwd: Read Error During Second Reply: %s\n", 469 error_message(retval)); 470 retval = 1; 471 goto finish; 472 } 473 474 if ((retval = krb5_rd_priv(&inbuf, 475 &my_creds.keyblock, 476 &foreign_addr, 477 &local_addr, 478 rep_ret->seq_number, 479 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 480 0, 481 0, 482 &msg_data))) { 483 fprintf(stderr, "passwd: Error during Second Read Decoding :%s\n", 484 error_message(retval)); 485 goto finish; 486 } 487 488 rd_priv_resp.appl_code = msg_data.data[0]; 489 rd_priv_resp.oper_code = msg_data.data[1]; 490 rd_priv_resp.retn_code = msg_data.data[2]; 491 if (msg_data.length > 3 && msg_data.data[3]) { 492 rd_priv_resp.message = malloc(msg_data.length - 2); 493 if (rd_priv_resp.message) { 494 memcpy(rd_priv_resp.message, msg_data.data + 3, 495 msg_data.length - 3); 496 rd_priv_resp.message[msg_data.length - 3] = 0; 497 } 498 } else 499 rd_priv_resp.message = NULL; 500 501 502 free(inbuf.data); 503 free(msg_data.data); 504 if (rd_priv_resp.appl_code == KPASSWD) { 505 if (rd_priv_resp.retn_code == KPASSBAD) { 506 if (rd_priv_resp.message) 507 fprintf(stderr, "passwd: %s\n", rd_priv_resp.message); 508 else 509 fprintf(stderr, "passwd: Server returned KPASSBAD.\n"); 510 } else if (rd_priv_resp.retn_code != KPASSGOOD) 511 fprintf(stderr, "passwd: Server returned unknown kerberos code.\n"); 512 } else 513 fprintf(stderr, "passwd: Server returned bad application code %d\n", 514 rd_priv_resp.appl_code); 515 516 if (rd_priv_resp.message) 517 free(rd_priv_resp.message); 518 519 finish: 520 (void) krb5_cc_destroy(cache); 521 522 free(client_name); 523 free(requested_realm.data); 524 if (cksum_alloc) free(send_cksum.contents); 525 if (retval) { 526 fprintf(stderr, "passwd: Protocol Failure - Password NOT changed\n"); 527 exit(1); 528 } 529 530 exit(0); 531 } 532 533 534 535 krb5_data cpwname = { 536 sizeof(CPWNAME)-1, 537 CPWNAME 538 }; 539 540 static krb5_error_code 541 get_first_ticket(cache, client) 542 krb5_ccache cache; 543 krb5_principal client; 544 { 545 char prompt[255]; /* for the password prompt */ 546 char verify_prompt[255]; /* Verification Prompt if Desired */ 547 char pword[ADM_MAX_PW_LENGTH+1]; /* storage for the password */ 548 int pword_length = sizeof(pword); 549 char *old_password; 550 int old_pwsize; 551 int i; 552 553 krb5_address **my_addresses; 554 555 char *client_name; 556 char local_realm[255]; 557 krb5_error_code retval; 558 559 if ((retval = krb5_unparse_name(client, &client_name))) { 560 fprintf(stderr, "Unable to Unparse Client Name\n"); 561 return(1); 562 } 563 564 (void) printf("Changing Kerberos password for %s\n", client_name); 565 566 if ((retval = krb5_os_localaddr(&my_addresses))) { 567 fprintf(stderr, "passwd: Unable to Get Customers Address\n"); 568 return(1); 569 } 570 571 memset((char *) &my_creds, 0, sizeof(my_creds)); 572 573 my_creds.client = client; 574 575 if ((retval = krb5_build_principal_ext(&my_creds.server, 576 client->realm.length, 577 client->realm.data, 578 cpwname.length, /* 6 */ 579 cpwname.data, /* "kadmin" */ 580 client->realm.length, 581 /* instance is local realm */ 582 client->realm.data, 583 0))) { 584 fprintf(stderr, "Error %s while building server name\n"); 585 return(1); 586 } 587 588 589 if ((old_password = (char *) calloc (1, 255)) == NULL) { 590 fprintf(stderr, "passwd: No Memory for Retrieving old password\n"); 591 return(1); 592 } 593 594 old_pwsize = 255; 595 if ((retval = krb5_read_password("Old kerberos password: ", 596 0, 597 old_password, 598 &old_pwsize))) { 599 fprintf(stderr, "\nError while reading password for '%s'\n", 600 client_name); 601 return(1); 602 } 603 604 /* Build Request for Initial Credentials */ 605 for (i=0; preauth_search_list[i] >= 0; i++) { 606 retval = krb5_get_in_tkt_with_password( 607 0, /* options */ 608 my_addresses, 609 /* do random preauth */ 610 preauth_search_list[i], 611 ETYPE_DES_CBC_CRC, /* etype */ 612 KEYTYPE_DES, 613 old_password, 614 cache, 615 &my_creds, 616 0); 617 if (retval != KRB5KDC_PREAUTH_FAILED && 618 retval != KRB5KRB_ERR_GENERIC) 619 break; 620 } 621 622 if (retval) { 623 fprintf(stderr, "passwd: Unable to Get Initial Credentials : %s\n", 624 error_message(retval)); 625 } 626 627 /* Do NOT Forget to zap password */ 628 memset((char *) old_password, 0, old_pwsize); 629 free(old_password); 630 memset((char *) pword, 0, sizeof(pword)); 631 return(retval); 632 } 633 634 #ifdef MACH_PASS /* Machine-generated Passwords */ 635 static krb5_error_code 636 print_and_choose_password(new_password, decodable_pwd_string) 637 char * new_password; 638 krb5_data *decodable_pwd_string; 639 { 640 krb5_error_code retval; 641 krb5_pwd_data *pwd_data; 642 passwd_phrase_element **next_passwd_phrase_element; 643 char prompt[255]; 644 char *verify_prompt = 0; 645 int i, j, k; 646 int legit_pswd = 0; /* Assume No Legitimate Password */ 647 char *password_list[ADM_MAX_PW_CHOICES]; 648 char verification_passwd[ADM_MAX_PW_LENGTH+1]; 649 char phrase_in[ADM_MAX_PHRASE_LENGTH]; 650 int new_passwd_length; 651 char *ptr; 652 int verify = 0; /* Do Not Request Password Selection Verification */ 653 int ok = 0; 654 655 #define free_local_password_list() \ 656 { for ( k = 0; k < i && k < ADM_MAX_PW_CHOICES; k++) { \ 657 (void) memset(password_list[k], 0, ADM_MAX_PW_LENGTH); \ 658 free(password_list[k]); } \ 659 } 660 661 /* Decode Password and Phrase Information Obtained from krb5_rd_priv */ 662 if ((retval = decode_krb5_pwd_data(decodable_pwd_string , &pwd_data))) { 663 fprintf(stderr, "passwd: Unable to Decode Passwords and Phrases\n"); 664 fprintf(stderr, " Notify your System Administrator or the Kerberos Administrator\n"); 665 return(1); 666 } 667 668 next_passwd_phrase_element = pwd_data->element; 669 /* Display List in 5 Password/Phrase Increments up to MAX Iterations */ 670 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 671 for ( j = 0; j <= ADM_MAX_PW_ITERATIONS; j++) { 672 if (j == ADM_MAX_PW_ITERATIONS) { 673 fprintf(stderr, "passwd: Sorry - You Have Exceeded the List of Choices (%d) Allowed for Password\n", 674 ADM_MAX_PW_ITERATIONS * ADM_MAX_PW_CHOICES); 675 fprintf(stderr, " Modification. You Must Repeat this Operation in order to Successfully\n"); 676 fprintf(stderr, " Change your Password.\n"); 677 break; 678 } 679 680 display_print: 681 printf("Choose a password from the following list:\n"); 682 683 printf("\nPassword Remembrance Aid\n"); 684 685 /* Print Passwords and Assistance Phrases List */ 686 for ( i = 0; i < ADM_MAX_PW_CHOICES; i++){ 687 if ((password_list[i] = (char *) calloc (1, 688 ADM_MAX_PW_LENGTH + 1)) == NULL) { 689 fprintf(stderr, "passwd: Unable to Allocate Password List.\n"); 690 return(1); 691 } 692 693 memcpy(password_list[i], 694 (*next_passwd_phrase_element)->passwd->data, 695 (*next_passwd_phrase_element)->passwd->length); 696 printf("%s ", password_list[i]); 697 698 memcpy((char *) phrase_in, 699 (*next_passwd_phrase_element)->phrase->data, 700 (*next_passwd_phrase_element)->phrase->length); 701 for ( k = 0; 702 k < 50 && k < (*next_passwd_phrase_element)->phrase->length; 703 k++) { 704 printf("%c", phrase_in[k]); 705 } 706 for ( k = k; 707 k < 70 && k < (*next_passwd_phrase_element)->phrase->length; 708 k++) { 709 if (phrase_in[k] == ' ') { 710 printf("\n "); 711 k++; 712 break; 713 } else { 714 printf("%c", phrase_in[k]); 715 } 716 } 717 for ( k = k; 718 k < (*next_passwd_phrase_element)->phrase->length; 719 k++) { 720 printf("%c", phrase_in[k]); 721 } 722 printf("\n"); 723 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 724 next_passwd_phrase_element++; 725 } 726 727 sprintf(prompt, 728 "\nEnter Password Selection or a <CR> to get new list: "); 729 730 new_passwd_length = ADM_MAX_PW_LENGTH+1; 731 /* Read New Password from Terminal (Do Not Print on Screen) */ 732 if ((retval = krb5_read_password(&prompt[0], 0, 733 new_password, &new_passwd_length))) { 734 fprintf(stderr, 735 "passwd: Error Reading Password Input or Input Aborted\n"); 736 free_local_password_list(); 737 break;; 738 } 739 740 /* Check for <CR> ==> Provide a New List */ 741 if (new_passwd_length == 0) continue; 742 743 /* Check that Selection is from List - Server also does this */ 744 legit_pswd = 0; 745 for (i = 0; i < ADM_MAX_PW_CHOICES && !legit_pswd; i++) 746 if ((retval = memcmp(new_password, 747 password_list[i], 8)) == 0) { 748 legit_pswd++; 749 } 750 free_local_password_list(); 751 752 if (!(legit_pswd)) { 753 printf("\07\07Password must be from the specified list "); 754 printf("- Try Again\n"); 755 } 756 757 if (legit_pswd) break; /* Exit Loop */ 758 } /* ADM_MAX_PW_CHOICES Loop */ 759 760 if (!(legit_pswd)) return (1); 761 762 return(0); /* SUCCESS */ 763 } 764 #endif 765 766 static krb5_error_code 767 adm5_init_link(realm_of_server, local_socket) 768 krb5_data *realm_of_server; 769 int * local_socket; 770 { 771 struct servent *service_process; /* service we will talk to */ 772 struct hostent *local_host; /* us */ 773 struct hostent *remote_host; /* host we will talk to */ 774 struct sockaddr *sockaddr_list; 775 776 char **hostlist; 777 778 int host_count; 779 int namelen; 780 int i, count; 781 782 krb5_error_code retval; 783 784 /* clear out the structure first */ 785 (void) memset((char *)&remote_sin, 0, sizeof(remote_sin)); 786 787 if ((service_process = getservbyname(CPW_SNAME, "tcp")) == NULL) { 788 fprintf(stderr, "passwd: Unable to find Service (%s) Check services file\n", 789 CPW_SNAME); 790 return(1); 791 } 792 793 /* Copy the Port Number */ 794 remote_sin.sin_port = service_process->s_port; 795 796 hostlist = 0; 797 798 /* Identify all Hosts Associated with this Realm */ 799 if ((retval = krb5_get_krbhst (realm_of_server, &hostlist))) { 800 fprintf(stderr, "passwd: Unable to Determine Server Name\n"); 801 return(1); 802 } 803 804 for (i=0; hostlist[i]; i++); 805 806 count = i; 807 808 if (count == 0) { 809 host_count = 0; 810 fprintf(stderr, "passwd: No hosts found\n"); 811 return(1); 812 } 813 814 for (i=0; hostlist[i]; i++) { 815 remote_host = gethostbyname(hostlist[i]); 816 if (remote_host != 0) { 817 818 /* set up the address of the foreign socket for connect() */ 819 remote_sin.sin_family = remote_host->h_addrtype; 820 (void) memcpy((char *) &remote_sin.sin_addr, 821 (char *) remote_host->h_addr, 822 sizeof(remote_host->h_addr)); 823 break; /* Only Need one */ 824 } 825 } 826 827 free ((char *)hostlist); 828 829 /* open a TCP socket */ 830 *local_socket = socket(PF_INET, SOCK_STREAM, 0); 831 if (*local_socket < 0) { 832 fprintf(stderr, "passwd: Cannot Open Socket\n"); 833 return(1); 834 } 835 /* connect to the server */ 836 if (connect(*local_socket, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) < 0) { 837 fprintf(stderr, "passwd: Cannot Connect to Socket\n"); 838 close(*local_socket); 839 return(1); 840 } 841 842 /* find out who I am, now that we are connected and therefore bound */ 843 namelen = sizeof(local_sin); 844 if (getsockname(*local_socket, 845 (struct sockaddr *) &local_sin, &namelen) < 0) { 846 fprintf(stderr, "passwd: Cannot Perform getsockname\n"); 847 close(*local_socket); 848 return(1); 849 } 850 return(0); 851 } 852 853 static void 854 finish() 855 { 856 exit(1); 857 } 858 859 #ifdef KRB_NONETWORK 860 #include <utmp.h> 861 862 #ifndef MAXHOSTNAME 863 #define MAXHOSTNAME 64 864 #endif 865 866 int utfile; /* Global utfile file descriptor for BSD version 867 of setutent, getutline, and endutent */ 868 869 #if !defined(SYSV) && !defined(UMIPS) /* Setutent, Endutent, and getutline 870 routines for non System V Unix 871 systems */ 872 #include <fcntl.h> 873 874 void setutent() 875 { 876 utfile = open("/etc/utmp",O_RDONLY); 877 } 878 879 struct utmp * getutline(utmpent) 880 struct utmp *utmpent; 881 { 882 static struct utmp tmputmpent; 883 int found = 0; 884 while ( read(utfile,&tmputmpent,sizeof(struct utmp)) > 0 ){ 885 if ( strcmp(tmputmpent.ut_line,utmpent->ut_line) == 0){ 886 #ifdef NO_UT_HOST 887 if ( ( 1) && 888 #else 889 if ( (strcmp(tmputmpent.ut_host,"") == 0) && 890 #endif 891 (strcmp(tmputmpent.ut_name,"") == 0)) continue; 892 found = 1; 893 break; 894 } 895 } 896 if (found) 897 return(&tmputmpent); 898 return((struct utmp *) 0); 899 } 900 901 void endutent() 902 { 903 close(utfile); 904 } 905 #endif /* not SYSV */ 906 907 908 int network_connected() 909 { 910 struct utmp utmpent; 911 struct utmp retutent, *tmpptr; 912 char *display_indx; 913 char currenthost[MAXHOSTNAME]; 914 char *username,*tmpname; 915 916 917 /* Macro for pseudo_tty */ 918 #define pseudo_tty(ut) \ 919 ((strncmp((ut).ut_line, "tty", 3) == 0 && ((ut).ut_line[3] == 'p' \ 920 || (ut).ut_line[3] == 'q' \ 921 || (ut).ut_line[3] == 'r' \ 922 || (ut).ut_line[3] == 's'))\ 923 || (strncmp((ut).ut_line, "pty", 3) == 0)) 924 925 /* Check to see if getlogin returns proper name */ 926 if ( (tmpname = (char *) getlogin()) == (char *) 0) return(1); 927 username = (char *) malloc(strlen(tmpname) + 1); 928 if ( username == (char *) 0) return(1); 929 strcpy(username,tmpname); 930 931 /* Obtain tty device for controlling tty of current process.*/ 932 strncpy(utmpent.ut_line,ttyname(0) + strlen("/dev/"), 933 sizeof(utmpent.ut_line)); 934 935 /* See if this device is currently listed in /etc/utmp under 936 calling user */ 937 #ifdef SYSV 938 utmpent.ut_type = USER_PROCESS; 939 #define ut_name ut_user 940 #endif 941 setutent(); 942 while ( (tmpptr = (struct utmp *) getutline(&utmpent)) 943 != ( struct utmp *) 0) { 944 945 /* If logged out name and host will be empty */ 946 if ((strcmp(tmpptr->ut_name,"") == 0) && 947 #ifdef NO_UT_HOST 948 ( 1)) continue; 949 #else 950 (strcmp(tmpptr->ut_host,"") == 0)) continue; 951 #endif 952 else break; 953 } 954 if ( tmpptr == (struct utmp *) 0) { 955 endutent(); 956 return(1); 957 } 958 bcopy((char *)&retutent, (char *)tmpptr, sizeof(struct utmp)); 959 endutent(); 960 #ifdef DEBUG 961 #ifdef NO_UT_HOST 962 printf("User %s on line %s :\n", 963 retutent.ut_name,retutent.ut_line); 964 #else 965 printf("User %s on line %s connected from host :%s:\n", 966 retutent.ut_name,retutent.ut_line,retutent.ut_host); 967 #endif 968 #endif 969 if (strcmp(retutent.ut_name,username) != 0) { 970 return(1); 971 } 972 973 974 /* If this is not a pseudo tty then everything is OK */ 975 if (! pseudo_tty(retutent)) return(0); 976 977 /* OK now the work begins there is an entry in utmp and 978 the device is a pseudo tty. */ 979 980 /* Check if : is in hostname if so this is xwindow display */ 981 982 if (gethostname(currenthost,sizeof(currenthost))) return(1); 983 #ifdef NO_UT_HOST 984 display_indx = (char *) 0; 985 #else 986 display_indx = (char *) strchr(retutent.ut_host,':'); 987 #endif 988 if ( display_indx != (char *) 0) { 989 /* 990 We have X window application here. The host field should have 991 the form => local_system_name:0.0 or :0.0 992 if the window is being displayed on the local system. 993 */ 994 #ifdef NO_UT_HOST 995 return(1); 996 #else 997 if (strncmp(currenthost,retutent.ut_host, 998 (display_indx - retutent.ut_host)) != 0) return(1); 999 else return(0); 1000 #endif 1001 } 1002 1003 /* Host field is empty or is not X window entry. At this point 1004 we can't trust that the pseudo tty is not connected to a 1005 networked process so let's return 1. 1006 */ 1007 return(1); 1008 } 1009 1010 int networked() 1011 { 1012 return(network_connected()); 1013 } 1014 #endif 1015 1016 int 1017 krb_check() 1018 { 1019 return(1): /* XXX! */ 1020 } 1021 1022 #endif /* KERBEROS5 */ 1023
Indexes created Sun Sep 28 16:09:52 GMT 2025