krb5_passwd.c revision 1.4
1 /* $NetBSD: krb5_passwd.c,v 1.4 1997/02/11 09:35:56 mrg Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #ifndef lint 37 #if 0 38 static char sccsid[] = "from: @(#)krb_passwd.c 5.4 (Berkeley) 3/1/91"; 39 #else 40 static char rcsid[] = "$NetBSD: krb5_passwd.c,v 1.4 1997/02/11 09:35:56 mrg Exp $"; 41 #endif 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 46 #include <sys/types.h> 47 #include <sys/socket.h> 48 #include <sys/time.h> 49 #include <sys/resource.h> 50 #include <netinet/in.h> 51 #include <netdb.h> 52 #include <signal.h> 53 #include <pwd.h> 54 #include <errno.h> 55 #include <stdio.h> 56 #include <string.h> 57 #include <stdlib.h> 58 #include <krb5/adm_defs.h> 59 #include <krb5/krb5.h> 60 #include <krb5/kdb.h> 61 #include <krb5/kdb_dbm.h> 62 #include <krb5/ext-proto.h> 63 #include <krb5/los-proto.h> 64 #include <krb5/asn1.h> 65 #include <krb5/config.h> 66 #include <krb5/base-defs.h> 67 #include <krb5/asn.1/encode.h> 68 69 #include <krb5/widen.h> 70 71 #include <krb5/adm_err.h> 72 #include <krb5/errors.h> 73 #include <krb5/kdb5_err.h> 74 #include <krb5/krb5_err.h> 75 76 static krb5_error_code get_first_ticket __P((krb5_ccache, krb5_principal)); 77 static krb5_error_code print_and_choose_password __P((char *, krb5_data *)); 78 static krb5_error_code adm5_init_link __P((krb5_data *, int *)); 79 80 struct sockaddr_in local_sin, remote_sin; 81 82 krb5_creds my_creds; 83 84 extern char *krb5_default_pwd_prompt1; 85 86 /* 87 * Try no preauthentication first; then try the encrypted timestamp 88 */ 89 int preauth_search_list[] = { 90 0, 91 KRB5_PADATA_ENC_TIMESTAMP, 92 -1 93 }; 94 95 int 96 krb_passwd() 97 { 98 static void finish(); 99 krb5_ccache cache = NULL; 100 char cache_name[255]; 101 krb5_flags cc_flags; 102 krb5_address local_addr, foreign_addr; 103 struct passwd *pw; 104 krb5_principal client, server; 105 char default_name[256]; 106 char *client_name; /* Single string representation of client id */ 107 krb5_data requested_realm; 108 char *local_realm; 109 char input_string[768]; 110 krb5_error_code retval; /* return code */ 111 int local_socket; 112 int c, count; 113 krb5_error *err_ret; 114 krb5_ap_rep_enc_part *rep_ret; 115 kadmin_requests rd_priv_resp; 116 krb5_checksum send_cksum; 117 int cksum_alloc = 0; 118 krb5_data msg_data, inbuf; 119 krb5_int32 seqno; 120 char *new_password; 121 int new_pwsize; 122 krb5_data *decodable_pwd_string; 123 int i, j; 124 static struct rlimit rl = { 0, 0 }; 125 126 #ifdef KRB_NONETWORK 127 extern int networked(); 128 int krb_secure; 129 struct stat statbuf; 130 #endif 131 132 #ifdef KRB_NONETWORK /* Allow or Disallow Remote Clients to Modify Passwords */ 133 /* 134 * If a Client Modifies a Password using kpasswd on this host 135 * from a remote host or network terminal, the Password selected 136 * is transmitted across the network in Cleartext. 137 * 138 * The systems administrator can disallow "remote" kpasswd usage by 139 * creating the file "/etc/krb.secure" 140 */ 141 krb_secure = 0; 142 /* 143 * First check to see if the file /etc/krb.secure exists. 144 * If it does then krb_secure to 1. 145 */ 146 147 if (stat("/etc/krb.secure", &statbuf) == 0) krb_secure = 1; 148 149 /* 150 * Check to see if this process is tied to a physical terminal. 151 * Network() verifies the terminal device is not a pseudo tty 152 */ 153 if (networked() && krb_secure) { 154 fprintf(stderr,"passwd: Sorry but you cannot %s from a\n", argv[0]); 155 fprintf(stderr," pseudo tty terminal.\n"); 156 retval = 1; 157 goto finish; 158 } 159 #endif 160 161 /* (3 * 255) + 1 (/) + 1 (@) + 1 (NULL) */ 162 if ((client_name = (char *) calloc (1, (3 * 256))) == NULL) { 163 fprintf(stderr, "passwd: No Memory for Client_name\n"); 164 retval = 1; 165 goto finish; 166 } 167 168 if ((requested_realm.data = (char *) calloc (1, 256)) == NULL) { 169 fprintf(stderr, "passwd: No Memory for realm_name\n"); 170 retval = 1; 171 free(client_name); 172 goto finish; 173 } 174 175 (void)signal(SIGHUP, SIG_IGN); 176 (void)signal(SIGINT, SIG_IGN); 177 (void)signal(SIGTSTP, SIG_IGN); 178 179 if (setrlimit(RLIMIT_CORE, &rl) < 0) { 180 (void)fprintf(stderr, 181 "passwd: setrlimit: %s\n", strerror(errno)); 182 return(1); 183 } 184 185 krb5_init_ets(); 186 memset((char *) default_name, 0, sizeof(default_name)); 187 188 /* Identify Default Credentials Cache */ 189 if ((retval = krb5_cc_default(&cache))) { 190 fprintf(stderr, "passwd: Error while getting default ccache.\n"); 191 goto finish; 192 } 193 194 /* 195 * Attempt to Modify Credentials Cache 196 * retval == 0 ==> ccache Exists - Use It 197 * retval == ENOENT ==> No Entries, but ccache Exists 198 * retval != 0 ==> Assume ccache does NOT Exist 199 */ 200 cc_flags = 0; 201 if ((retval = krb5_cc_set_flags(cache, cc_flags))) { 202 /* Search passwd file for client */ 203 pw = getpwuid((int) getuid()); 204 if (pw) { 205 (void)strncpy(default_name, pw->pw_name, sizeof(default_name) - 1); 206 } 207 else { 208 fprintf(stderr, 209 "passwd: Unable to Identify Customer from Password File\n"); 210 retval = 1; 211 goto finish; 212 } 213 214 /* Use this to get default_realm and format client_name */ 215 if ((retval = krb5_parse_name(default_name, &client))) { 216 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 217 goto finish; 218 } 219 220 if ((retval = krb5_unparse_name(client, &client_name))) { 221 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 222 goto finish; 223 } 224 225 requested_realm.length = client->realm.length; 226 memcpy((char *) requested_realm.data, 227 (char *) client->realm.data, 228 requested_realm.length); 229 } 230 else { 231 /* Read Client from Cache */ 232 if ((retval = krb5_cc_get_principal(cache, (krb5_principal *) &client))) { 233 fprintf(stderr, "passwd: Unable to Read Customer Credentials File\n"); 234 goto finish; 235 } 236 237 if ((retval = krb5_unparse_name(client, &client_name))) { 238 fprintf(stderr, "passwd: Unable to Parse Client Name\n"); 239 goto finish; 240 } 241 242 requested_realm.length = client->realm.length; 243 memcpy((char *) requested_realm.data, 244 (char *) client->realm.data, 245 requested_realm.length); 246 247 (void) krb5_cc_close(cache); 248 } 249 250 /* Create credential cache for changepw */ 251 (void)snprintf(cache_name, sizeof cache_name, "FILE:/tmp/tkt_cpw_%d", 252 getpid()); 253 254 if ((retval = krb5_cc_resolve(cache_name, &cache))) { 255 fprintf(stderr, "passwd: Unable to Resolve Cache: %s\n", cache_name); 256 } 257 258 if ((retval = krb5_cc_initialize(cache, client))) { 259 fprintf(stderr, "passwd: Error initializing cache: %s\n", cache_name); 260 goto finish; 261 } 262 263 /* 264 * Verify User by Obtaining Initial Credentials prior to Initial Link 265 */ 266 if ((retval = get_first_ticket(cache, client))) { 267 goto finish; 268 } 269 270 /* Initiate Link to Server */ 271 if ((retval = adm5_init_link(&requested_realm, &local_socket))) { 272 goto finish; 273 } 274 275 #define SIZEOF_INADDR sizeof(struct in_addr) 276 277 /* V4 kpasswd Protocol Hack */ 278 { 279 int msg_length = 0; 280 281 retval = krb5_net_write(local_socket, (char *) &msg_length + 2, 2); 282 if (retval < 0) { 283 fprintf(stderr, "passwd: krb5_net_write failure\n"); 284 goto finish; 285 } 286 } 287 288 local_addr.addrtype = ADDRTYPE_INET; 289 local_addr.length = SIZEOF_INADDR ; 290 local_addr.contents = (krb5_octet *)&local_sin.sin_addr; 291 292 foreign_addr.addrtype = ADDRTYPE_INET; 293 foreign_addr.length = SIZEOF_INADDR ; 294 foreign_addr.contents = (krb5_octet *)&remote_sin.sin_addr; 295 296 /* compute checksum, using CRC-32 */ 297 if (!(send_cksum.contents = (krb5_octet *) 298 malloc(krb5_checksum_size(CKSUMTYPE_CRC32)))) { 299 fprintf(stderr, "passwd: Insufficient Memory while Allocating Checksum\n"); 300 goto finish; 301 } 302 cksum_alloc++; 303 /* choose some random stuff to compute checksum from */ 304 if (retval = krb5_calculate_checksum(CKSUMTYPE_CRC32, 305 ADM_CPW_VERSION, 306 strlen(ADM_CPW_VERSION), 307 0, 308 0, /* if length is 0, crc-32 doesn't 309 use the seed */ 310 &send_cksum)) { 311 fprintf(stderr, "Error while Computing Checksum: %s\n", 312 error_message(retval)); 313 goto finish; 314 } 315 316 /* call Kerberos library routine to obtain an authenticator, 317 pass it over the socket to the server, and obtain mutual 318 authentication. */ 319 320 if ((retval = krb5_sendauth((krb5_pointer) &local_socket, 321 ADM_CPW_VERSION, 322 my_creds.client, 323 my_creds.server, 324 AP_OPTS_MUTUAL_REQUIRED, 325 &send_cksum, 326 0, 327 cache, 328 &seqno, 329 0, /* don't need a subsession key */ 330 &err_ret, 331 &rep_ret))) { 332 fprintf(stderr, "passwd: Error while performing sendauth: %s\n", 333 error_message(retval)); 334 goto finish; 335 } 336 337 /* Get credentials : to use for safe and private messages */ 338 if (retval = krb5_get_credentials(0, cache, &my_creds)){ 339 fprintf(stderr, "passwd: Error Obtaining Credentials: %s\n", 340 error_message(retval)); 341 goto finish; 342 } 343 344 /* Read back what the server has to say... */ 345 if (retval = krb5_read_message(&local_socket, &inbuf)){ 346 fprintf(stderr, "passwd: Read Message Error: %s\n", 347 error_message(retval)); 348 goto finish; 349 } 350 if ((inbuf.length != 2) || (inbuf.data[0] != KADMIND) || 351 (inbuf.data[1] != KADMSAG)){ 352 fprintf(stderr, "passwd: Invalid ack from admin server.\n"); 353 goto finish; 354 } 355 356 inbuf.data[0] = KPASSWD; 357 inbuf.data[1] = CHGOPER; 358 inbuf.length = 2; 359 360 if ((retval = krb5_mk_priv(&inbuf, 361 ETYPE_DES_CBC_CRC, 362 &my_creds.keyblock, 363 &local_addr, 364 &foreign_addr, 365 seqno, 366 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 367 0, 368 0, 369 &msg_data))) { 370 fprintf(stderr, "passwd: Error during First Message Encoding: %s\n", 371 error_message(retval)); 372 goto finish; 373 } 374 free(inbuf.data); 375 376 /* write private message to server */ 377 if (krb5_write_message(&local_socket, &msg_data)){ 378 fprintf(stderr, "passwd: Write Error During First Message Transmission\n"); 379 retval = 1; 380 goto finish; 381 } 382 free(msg_data.data); 383 384 (void)signal(SIGHUP, finish); 385 (void)signal(SIGINT, finish); 386 387 #ifdef MACH_PASS /* Machine-generated Passwords */ 388 /* Ok Now let's get the private message */ 389 if (retval = krb5_read_message(&local_socket, &inbuf)){ 390 fprintf(stderr, "passwd: Read Error During First Reply: %s\n", 391 error_message(retval)); 392 retval = 1; 393 goto finish; 394 } 395 396 if ((retval = krb5_rd_priv(&inbuf, 397 &my_creds.keyblock, 398 &foreign_addr, 399 &local_addr, 400 rep_ret->seq_number, 401 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 402 0, 403 0, 404 &msg_data))) { 405 fprintf(stderr, "passwd: Error during First Read Decoding: %s\n", 406 error_message(retval)); 407 goto finish; 408 } 409 free(inbuf.data); 410 #endif 411 412 if ((new_password = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == NULL) { 413 fprintf(stderr, "passwd: Unable to Allocate Space for New Password\n"); 414 goto finish; 415 } 416 417 #ifdef MACH_PASS /* Machine-generated passwords */ 418 /* Offer Client Password Choices */ 419 if ((retval = print_and_choose_password(new_password, 420 &msg_data))) { 421 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 422 free(new_password); 423 goto finish; 424 } 425 #else 426 new_pwsize = ADM_MAX_PW_LENGTH+1; 427 if ((retval = krb5_read_password("New Kerberos password: ", 428 "Retype new Kerberos password: ", 429 new_password, 430 &new_pwsize))) { 431 fprintf(stderr, "\nError while reading new password for '%s'\n", 432 client_name); 433 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 434 free(new_password); 435 goto finish; 436 } 437 #endif 438 439 inbuf.data = new_password; 440 inbuf.length = strlen(new_password); 441 442 if ((retval = krb5_mk_priv(&inbuf, 443 ETYPE_DES_CBC_CRC, 444 &my_creds.keyblock, 445 &local_addr, 446 &foreign_addr, 447 seqno, 448 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 449 0, 450 0, 451 &msg_data))) { 452 fprintf(stderr, "passwd: Error during Second Message Encoding: %s\n", 453 error_message(retval)); 454 goto finish; 455 } 456 memset(inbuf.data,0,inbuf.length); 457 free(inbuf.data); 458 459 /* write private message to server */ 460 if (krb5_write_message(&local_socket, &msg_data)){ 461 fprintf(stderr, "passwd: Write Error During Second Message Transmission\n"); 462 retval = 1; 463 goto finish; 464 } 465 free(msg_data.data); 466 467 /* Ok Now let's get the private message */ 468 if (retval = krb5_read_message(&local_socket, &inbuf)){ 469 fprintf(stderr, "passwd: Read Error During Second Reply: %s\n", 470 error_message(retval)); 471 retval = 1; 472 goto finish; 473 } 474 475 if ((retval = krb5_rd_priv(&inbuf, 476 &my_creds.keyblock, 477 &foreign_addr, 478 &local_addr, 479 rep_ret->seq_number, 480 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 481 0, 482 0, 483 &msg_data))) { 484 fprintf(stderr, "passwd: Error during Second Read Decoding :%s\n", 485 error_message(retval)); 486 goto finish; 487 } 488 489 rd_priv_resp.appl_code = msg_data.data[0]; 490 rd_priv_resp.oper_code = msg_data.data[1]; 491 rd_priv_resp.retn_code = msg_data.data[2]; 492 if (msg_data.length > 3 && msg_data.data[3]) { 493 rd_priv_resp.message = malloc(msg_data.length - 2); 494 if (rd_priv_resp.message) { 495 memcpy(rd_priv_resp.message, msg_data.data + 3, 496 msg_data.length - 3); 497 rd_priv_resp.message[msg_data.length - 3] = 0; 498 } 499 } else 500 rd_priv_resp.message = NULL; 501 502 503 free(inbuf.data); 504 free(msg_data.data); 505 if (rd_priv_resp.appl_code == KPASSWD) { 506 if (rd_priv_resp.retn_code == KPASSBAD) { 507 if (rd_priv_resp.message) 508 fprintf(stderr, "passwd: %s\n", rd_priv_resp.message); 509 else 510 fprintf(stderr, "passwd: Server returned KPASSBAD.\n"); 511 } else if (rd_priv_resp.retn_code != KPASSGOOD) 512 fprintf(stderr, "passwd: Server returned unknown kerberos code.\n"); 513 } else 514 fprintf(stderr, "passwd: Server returned bad application code %d\n", 515 rd_priv_resp.appl_code); 516 517 if (rd_priv_resp.message) 518 free(rd_priv_resp.message); 519 520 finish: 521 (void) krb5_cc_destroy(cache); 522 523 free(client_name); 524 free(requested_realm.data); 525 if (cksum_alloc) free(send_cksum.contents); 526 if (retval) { 527 fprintf(stderr, "passwd: Protocol Failure - Password NOT changed\n"); 528 exit(1); 529 } 530 531 exit(0); 532 } 533 534 535 536 krb5_data cpwname = { 537 sizeof(CPWNAME)-1, 538 CPWNAME 539 }; 540 541 static krb5_error_code 542 get_first_ticket(cache, client) 543 krb5_ccache cache; 544 krb5_principal client; 545 { 546 char prompt[255]; /* for the password prompt */ 547 char verify_prompt[255]; /* Verification Prompt if Desired */ 548 char pword[ADM_MAX_PW_LENGTH+1]; /* storage for the password */ 549 int pword_length = sizeof(pword); 550 char *old_password; 551 int old_pwsize; 552 int i; 553 554 krb5_address **my_addresses; 555 556 char *client_name; 557 char local_realm[255]; 558 krb5_error_code retval; 559 560 if ((retval = krb5_unparse_name(client, &client_name))) { 561 fprintf(stderr, "Unable to Unparse Client Name\n"); 562 return(1); 563 } 564 565 (void) printf("Changing Kerberos password for %s\n", client_name); 566 567 if ((retval = krb5_os_localaddr(&my_addresses))) { 568 fprintf(stderr, "passwd: Unable to Get Customers Address\n"); 569 return(1); 570 } 571 572 memset((char *) &my_creds, 0, sizeof(my_creds)); 573 574 my_creds.client = client; 575 576 if ((retval = krb5_build_principal_ext(&my_creds.server, 577 client->realm.length, 578 client->realm.data, 579 cpwname.length, /* 6 */ 580 cpwname.data, /* "kadmin" */ 581 client->realm.length, 582 /* instance is local realm */ 583 client->realm.data, 584 0))) { 585 fprintf(stderr, "Error %s while building server name\n"); 586 return(1); 587 } 588 589 590 if ((old_password = (char *) calloc (1, 255)) == NULL) { 591 fprintf(stderr, "passwd: No Memory for Retrieving old password\n"); 592 return(1); 593 } 594 595 old_pwsize = 255; 596 if ((retval = krb5_read_password("Old kerberos password: ", 597 0, 598 old_password, 599 &old_pwsize))) { 600 fprintf(stderr, "\nError while reading password for '%s'\n", 601 client_name); 602 return(1); 603 } 604 605 /* Build Request for Initial Credentials */ 606 for (i=0; preauth_search_list[i] >= 0; i++) { 607 retval = krb5_get_in_tkt_with_password( 608 0, /* options */ 609 my_addresses, 610 /* do random preauth */ 611 preauth_search_list[i], 612 ETYPE_DES_CBC_CRC, /* etype */ 613 KEYTYPE_DES, 614 old_password, 615 cache, 616 &my_creds, 617 0); 618 if (retval != KRB5KDC_PREAUTH_FAILED && 619 retval != KRB5KRB_ERR_GENERIC) 620 break; 621 } 622 623 if (retval) { 624 fprintf(stderr, "passwd: Unable to Get Initial Credentials : %s\n", 625 error_message(retval)); 626 } 627 628 /* Do NOT Forget to zap password */ 629 memset((char *) old_password, 0, old_pwsize); 630 free(old_password); 631 memset((char *) pword, 0, sizeof(pword)); 632 return(retval); 633 } 634 635 #ifdef MACH_PASS /* Machine-generated Passwords */ 636 static krb5_error_code 637 print_and_choose_password(new_password, decodable_pwd_string) 638 char * new_password; 639 krb5_data *decodable_pwd_string; 640 { 641 krb5_error_code retval; 642 krb5_pwd_data *pwd_data; 643 passwd_phrase_element **next_passwd_phrase_element; 644 char prompt[255]; 645 char *verify_prompt = 0; 646 int i, j, k; 647 int legit_pswd = 0; /* Assume No Legitimate Password */ 648 char *password_list[ADM_MAX_PW_CHOICES]; 649 char verification_passwd[ADM_MAX_PW_LENGTH+1]; 650 char phrase_in[ADM_MAX_PHRASE_LENGTH]; 651 int new_passwd_length; 652 char *ptr; 653 int verify = 0; /* Do Not Request Password Selection Verification */ 654 int ok = 0; 655 656 #define free_local_password_list() \ 657 { for ( k = 0; k < i && k < ADM_MAX_PW_CHOICES; k++) { \ 658 (void) memset(password_list[k], 0, ADM_MAX_PW_LENGTH); \ 659 free(password_list[k]); } \ 660 } 661 662 /* Decode Password and Phrase Information Obtained from krb5_rd_priv */ 663 if ((retval = decode_krb5_pwd_data(decodable_pwd_string , &pwd_data))) { 664 fprintf(stderr, "passwd: Unable to Decode Passwords and Phrases\n"); 665 fprintf(stderr, " Notify your System Administrator or the Kerberos Administrator\n"); 666 return(1); 667 } 668 669 next_passwd_phrase_element = pwd_data->element; 670 /* Display List in 5 Password/Phrase Increments up to MAX Iterations */ 671 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 672 for ( j = 0; j <= ADM_MAX_PW_ITERATIONS; j++) { 673 if (j == ADM_MAX_PW_ITERATIONS) { 674 fprintf(stderr, "passwd: Sorry - You Have Exceeded the List of Choices (%d) Allowed for Password\n", 675 ADM_MAX_PW_ITERATIONS * ADM_MAX_PW_CHOICES); 676 fprintf(stderr, " Modification. You Must Repeat this Operation in order to Successfully\n"); 677 fprintf(stderr, " Change your Password.\n"); 678 break; 679 } 680 681 display_print: 682 printf("Choose a password from the following list:\n"); 683 684 printf("\nPassword Remembrance Aid\n"); 685 686 /* Print Passwords and Assistance Phrases List */ 687 for ( i = 0; i < ADM_MAX_PW_CHOICES; i++){ 688 if ((password_list[i] = (char *) calloc (1, 689 ADM_MAX_PW_LENGTH + 1)) == NULL) { 690 fprintf(stderr, "passwd: Unable to Allocate Password List.\n"); 691 return(1); 692 } 693 694 memcpy(password_list[i], 695 (*next_passwd_phrase_element)->passwd->data, 696 (*next_passwd_phrase_element)->passwd->length); 697 printf("%s ", password_list[i]); 698 699 memcpy((char *) phrase_in, 700 (*next_passwd_phrase_element)->phrase->data, 701 (*next_passwd_phrase_element)->phrase->length); 702 for ( k = 0; 703 k < 50 && k < (*next_passwd_phrase_element)->phrase->length; 704 k++) { 705 printf("%c", phrase_in[k]); 706 } 707 for ( k = k; 708 k < 70 && k < (*next_passwd_phrase_element)->phrase->length; 709 k++) { 710 if (phrase_in[k] == ' ') { 711 printf("\n "); 712 k++; 713 break; 714 } else { 715 printf("%c", phrase_in[k]); 716 } 717 } 718 for ( k = k; 719 k < (*next_passwd_phrase_element)->phrase->length; 720 k++) { 721 printf("%c", phrase_in[k]); 722 } 723 printf("\n"); 724 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 725 next_passwd_phrase_element++; 726 } 727 728 (void)snprintf(prompt, sizeof prompt, 729 "\nEnter Password Selection or a <CR> to get new list: "); 730 731 new_passwd_length = ADM_MAX_PW_LENGTH+1; 732 /* Read New Password from Terminal (Do Not Print on Screen) */ 733 if ((retval = krb5_read_password(&prompt[0], 0, 734 new_password, &new_passwd_length))) { 735 fprintf(stderr, 736 "passwd: Error Reading Password Input or Input Aborted\n"); 737 free_local_password_list(); 738 break;; 739 } 740 741 /* Check for <CR> ==> Provide a New List */ 742 if (new_passwd_length == 0) continue; 743 744 /* Check that Selection is from List - Server also does this */ 745 legit_pswd = 0; 746 for (i = 0; i < ADM_MAX_PW_CHOICES && !legit_pswd; i++) 747 if ((retval = memcmp(new_password, 748 password_list[i], 8)) == 0) { 749 legit_pswd++; 750 } 751 free_local_password_list(); 752 753 if (!(legit_pswd)) { 754 printf("\07\07Password must be from the specified list "); 755 printf("- Try Again\n"); 756 } 757 758 if (legit_pswd) break; /* Exit Loop */ 759 } /* ADM_MAX_PW_CHOICES Loop */ 760 761 if (!(legit_pswd)) return (1); 762 763 return(0); /* SUCCESS */ 764 } 765 #endif 766 767 static krb5_error_code 768 adm5_init_link(realm_of_server, local_socket) 769 krb5_data *realm_of_server; 770 int * local_socket; 771 { 772 struct servent *service_process; /* service we will talk to */ 773 struct hostent *local_host; /* us */ 774 struct hostent *remote_host; /* host we will talk to */ 775 struct sockaddr *sockaddr_list; 776 777 char **hostlist; 778 779 int host_count; 780 int namelen; 781 int i, count; 782 783 krb5_error_code retval; 784 785 /* clear out the structure first */ 786 (void) memset((char *)&remote_sin, 0, sizeof(remote_sin)); 787 788 if ((service_process = getservbyname(CPW_SNAME, "tcp")) == NULL) { 789 fprintf(stderr, "passwd: Unable to find Service (%s) Check services file\n", 790 CPW_SNAME); 791 return(1); 792 } 793 794 /* Copy the Port Number */ 795 remote_sin.sin_port = service_process->s_port; 796 797 hostlist = 0; 798 799 /* Identify all Hosts Associated with this Realm */ 800 if ((retval = krb5_get_krbhst (realm_of_server, &hostlist))) { 801 fprintf(stderr, "passwd: Unable to Determine Server Name\n"); 802 return(1); 803 } 804 805 for (i=0; hostlist[i]; i++); 806 807 count = i; 808 809 if (count == 0) { 810 host_count = 0; 811 fprintf(stderr, "passwd: No hosts found\n"); 812 return(1); 813 } 814 815 for (i=0; hostlist[i]; i++) { 816 remote_host = gethostbyname(hostlist[i]); 817 if (remote_host != 0) { 818 819 /* set up the address of the foreign socket for connect() */ 820 remote_sin.sin_family = remote_host->h_addrtype; 821 (void) memcpy((char *) &remote_sin.sin_addr, 822 (char *) remote_host->h_addr, 823 sizeof(remote_host->h_addr)); 824 break; /* Only Need one */ 825 } 826 } 827 828 free ((char *)hostlist); 829 830 /* open a TCP socket */ 831 *local_socket = socket(PF_INET, SOCK_STREAM, 0); 832 if (*local_socket < 0) { 833 fprintf(stderr, "passwd: Cannot Open Socket\n"); 834 return(1); 835 } 836 /* connect to the server */ 837 if (connect(*local_socket, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) < 0) { 838 fprintf(stderr, "passwd: Cannot Connect to Socket\n"); 839 close(*local_socket); 840 return(1); 841 } 842 843 /* find out who I am, now that we are connected and therefore bound */ 844 namelen = sizeof(local_sin); 845 if (getsockname(*local_socket, 846 (struct sockaddr *) &local_sin, &namelen) < 0) { 847 fprintf(stderr, "passwd: Cannot Perform getsockname\n"); 848 close(*local_socket); 849 return(1); 850 } 851 return(0); 852 } 853 854 static void 855 finish() 856 { 857 exit(1); 858 } 859 860 #ifdef KRB_NONETWORK 861 #include <utmp.h> 862 863 #ifndef MAXHOSTNAME 864 #define MAXHOSTNAME 64 865 #endif 866 867 int utfile; /* Global utfile file descriptor for BSD version 868 of setutent, getutline, and endutent */ 869 870 #if !defined(SYSV) && !defined(UMIPS) /* Setutent, Endutent, and getutline 871 routines for non System V Unix 872 systems */ 873 #include <fcntl.h> 874 875 void setutent() 876 { 877 utfile = open("/etc/utmp",O_RDONLY); 878 } 879 880 struct utmp * getutline(utmpent) 881 struct utmp *utmpent; 882 { 883 static struct utmp tmputmpent; 884 int found = 0; 885 while ( read(utfile,&tmputmpent,sizeof(struct utmp)) > 0 ){ 886 if ( strcmp(tmputmpent.ut_line,utmpent->ut_line) == 0){ 887 #ifdef NO_UT_HOST 888 if ( ( 1) && 889 #else 890 if ( (strcmp(tmputmpent.ut_host,"") == 0) && 891 #endif 892 (strcmp(tmputmpent.ut_name,"") == 0)) continue; 893 found = 1; 894 break; 895 } 896 } 897 if (found) 898 return(&tmputmpent); 899 return((struct utmp *) 0); 900 } 901 902 void endutent() 903 { 904 close(utfile); 905 } 906 #endif /* not SYSV */ 907 908 909 int network_connected() 910 { 911 struct utmp utmpent; 912 struct utmp retutent, *tmpptr; 913 char *display_indx; 914 char currenthost[MAXHOSTNAME]; 915 char *username,*tmpname; 916 917 918 /* Macro for pseudo_tty */ 919 #define pseudo_tty(ut) \ 920 ((strncmp((ut).ut_line, "tty", 3) == 0 && ((ut).ut_line[3] == 'p' \ 921 || (ut).ut_line[3] == 'q' \ 922 || (ut).ut_line[3] == 'r' \ 923 || (ut).ut_line[3] == 's'))\ 924 || (strncmp((ut).ut_line, "pty", 3) == 0)) 925 926 /* Check to see if getlogin returns proper name */ 927 if ( (tmpname = (char *) getlogin()) == (char *) 0) 928 return(1); 929 username = strdup(tmpname); 930 if (username == (char *) 0) 931 return(1); 932 933 /* Obtain tty device for controlling tty of current process.*/ 934 strncpy(utmpent.ut_line,ttyname(0) + strlen("/dev/"), 935 sizeof(utmpent.ut_line)); 936 937 /* See if this device is currently listed in /etc/utmp under 938 calling user */ 939 #ifdef SYSV 940 utmpent.ut_type = USER_PROCESS; 941 #define ut_name ut_user 942 #endif 943 setutent(); 944 while ( (tmpptr = (struct utmp *) getutline(&utmpent)) 945 != ( struct utmp *) 0) { 946 947 /* If logged out name and host will be empty */ 948 if ((strcmp(tmpptr->ut_name,"") == 0) && 949 #ifdef NO_UT_HOST 950 ( 1)) continue; 951 #else 952 (strcmp(tmpptr->ut_host,"") == 0)) continue; 953 #endif 954 else break; 955 } 956 if ( tmpptr == (struct utmp *) 0) { 957 endutent(); 958 return(1); 959 } 960 bcopy((char *)&retutent, (char *)tmpptr, sizeof(struct utmp)); 961 endutent(); 962 #ifdef DEBUG 963 #ifdef NO_UT_HOST 964 printf("User %s on line %s :\n", 965 retutent.ut_name,retutent.ut_line); 966 #else 967 printf("User %s on line %s connected from host :%s:\n", 968 retutent.ut_name,retutent.ut_line,retutent.ut_host); 969 #endif 970 #endif 971 if (strcmp(retutent.ut_name,username) != 0) { 972 return(1); 973 } 974 975 976 /* If this is not a pseudo tty then everything is OK */ 977 if (! pseudo_tty(retutent)) return(0); 978 979 /* OK now the work begins there is an entry in utmp and 980 the device is a pseudo tty. */ 981 982 /* Check if : is in hostname if so this is xwindow display */ 983 984 if (gethostname(currenthost,sizeof(currenthost))) return(1); 985 #ifdef NO_UT_HOST 986 display_indx = (char *) 0; 987 #else 988 display_indx = (char *) strchr(retutent.ut_host,':'); 989 #endif 990 if ( display_indx != (char *) 0) { 991 /* 992 We have X window application here. The host field should have 993 the form => local_system_name:0.0 or :0.0 994 if the window is being displayed on the local system. 995 */ 996 #ifdef NO_UT_HOST 997 return(1); 998 #else 999 if (strncmp(currenthost,retutent.ut_host, 1000 (display_indx - retutent.ut_host)) != 0) return(1); 1001 else return(0); 1002 #endif 1003 } 1004 1005 /* Host field is empty or is not X window entry. At this point 1006 we can't trust that the pseudo tty is not connected to a 1007 networked process so let's return 1. 1008 */ 1009 return(1); 1010 } 1011 1012 int networked() 1013 { 1014 return(network_connected()); 1015 } 1016 #endif 1017 1018 int 1019 krb_check() 1020 { 1021 return(1): /* XXX! */ 1022 } 1023 1024 #endif /* KERBEROS5 */ 1025
Indexes created Mon Sep 29 21:09:56 GMT 2025