krb5_passwd.c revision 1.5
1 /* $NetBSD: krb5_passwd.c,v 1.5 1997/10/19 12:29:44 lukem Exp $ */ 2 3 /*- 4 * Copyright (c) 1990 The Regents of the University of California. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgement: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #ifndef lint 37 #if 0 38 static char sccsid[] = "from: @(#)krb_passwd.c 5.4 (Berkeley) 3/1/91"; 39 #else 40 __RCSID("$NetBSD: krb5_passwd.c,v 1.5 1997/10/19 12:29:44 lukem Exp $"); 41 #endif 42 #endif /* not lint */ 43 44 #ifdef KERBEROS5 45 46 #include <sys/types.h> 47 #include <sys/socket.h> 48 #include <sys/time.h> 49 #include <sys/resource.h> 50 #include <netinet/in.h> 51 #include <err.h> 52 #include <errno.h> 53 #include <netdb.h> 54 #include <pwd.h> 55 #include <signal.h> 56 #include <stdio.h> 57 #include <stdlib.h> 58 #include <string.h> 59 #include <krb5/adm_defs.h> 60 #include <krb5/krb5.h> 61 #include <krb5/kdb.h> 62 #include <krb5/kdb_dbm.h> 63 #include <krb5/ext-proto.h> 64 #include <krb5/los-proto.h> 65 #include <krb5/asn1.h> 66 #include <krb5/config.h> 67 #include <krb5/base-defs.h> 68 #include <krb5/asn.1/encode.h> 69 70 #include <krb5/widen.h> 71 72 #include <krb5/adm_err.h> 73 #include <krb5/errors.h> 74 #include <krb5/kdb5_err.h> 75 #include <krb5/krb5_err.h> 76 77 static krb5_error_code get_first_ticket __P((krb5_ccache, krb5_principal)); 78 static krb5_error_code print_and_choose_password __P((char *, krb5_data *)); 79 static krb5_error_code adm5_init_link __P((krb5_data *, int *)); 80 81 struct sockaddr_in local_sin, remote_sin; 82 83 krb5_creds my_creds; 84 85 extern char *krb5_default_pwd_prompt1; 86 87 /* 88 * Try no preauthentication first; then try the encrypted timestamp 89 */ 90 int preauth_search_list[] = { 91 0, 92 KRB5_PADATA_ENC_TIMESTAMP, 93 -1 94 }; 95 96 int 97 krb_passwd() 98 { 99 static void finish(); 100 krb5_ccache cache = NULL; 101 char cache_name[255]; 102 krb5_flags cc_flags; 103 krb5_address local_addr, foreign_addr; 104 struct passwd *pw; 105 krb5_principal client, server; 106 char default_name[256]; 107 char *client_name; /* Single string representation of client id */ 108 krb5_data requested_realm; 109 char *local_realm; 110 char input_string[768]; 111 krb5_error_code retval; /* return code */ 112 int local_socket; 113 int c, count; 114 krb5_error *err_ret; 115 krb5_ap_rep_enc_part *rep_ret; 116 kadmin_requests rd_priv_resp; 117 krb5_checksum send_cksum; 118 int cksum_alloc = 0; 119 krb5_data msg_data, inbuf; 120 krb5_int32 seqno; 121 char *new_password; 122 int new_pwsize; 123 krb5_data *decodable_pwd_string; 124 int i, j; 125 static struct rlimit rl = { 0, 0 }; 126 127 #ifdef KRB_NONETWORK 128 extern int networked(); 129 int krb_secure; 130 struct stat statbuf; 131 #endif 132 133 #ifdef KRB_NONETWORK /* Allow or Disallow Remote Clients to Modify Passwords */ 134 /* 135 * If a Client Modifies a Password using kpasswd on this host 136 * from a remote host or network terminal, the Password selected 137 * is transmitted across the network in Cleartext. 138 * 139 * The systems administrator can disallow "remote" kpasswd usage by 140 * creating the file "/etc/krb.secure" 141 */ 142 krb_secure = 0; 143 /* 144 * First check to see if the file /etc/krb.secure exists. 145 * If it does then krb_secure to 1. 146 */ 147 148 if (stat("/etc/krb.secure", &statbuf) == 0) krb_secure = 1; 149 150 /* 151 * Check to see if this process is tied to a physical terminal. 152 * Network() verifies the terminal device is not a pseudo tty 153 */ 154 if (networked() && krb_secure) { 155 warnx("Sorry but you cannot %s from a pseudo tty terminal", argv[0]); 156 retval = 1; 157 goto finish; 158 } 159 #endif 160 161 /* (3 * 255) + 1 (/) + 1 (@) + 1 (NULL) */ 162 if ((client_name = (char *) calloc (1, (3 * 256))) == NULL) { 163 warnx("No Memory for Client_name"); 164 retval = 1; 165 goto finish; 166 } 167 168 if ((requested_realm.data = (char *) calloc (1, 256)) == NULL) { 169 warnx("No Memory for realm_name"); 170 retval = 1; 171 free(client_name); 172 goto finish; 173 } 174 175 (void)signal(SIGHUP, SIG_IGN); 176 (void)signal(SIGINT, SIG_IGN); 177 (void)signal(SIGTSTP, SIG_IGN); 178 179 if (setrlimit(RLIMIT_CORE, &rl) < 0) { 180 warn("setrlimit"); 181 return(1); 182 } 183 184 krb5_init_ets(); 185 memset((char *) default_name, 0, sizeof(default_name)); 186 187 /* Identify Default Credentials Cache */ 188 if ((retval = krb5_cc_default(&cache))) { 189 warnx("Error while getting default ccache."); 190 goto finish; 191 } 192 193 /* 194 * Attempt to Modify Credentials Cache 195 * retval == 0 ==> ccache Exists - Use It 196 * retval == ENOENT ==> No Entries, but ccache Exists 197 * retval != 0 ==> Assume ccache does NOT Exist 198 */ 199 cc_flags = 0; 200 if ((retval = krb5_cc_set_flags(cache, cc_flags))) { 201 /* Search passwd file for client */ 202 pw = getpwuid((int) getuid()); 203 if (pw) { 204 (void)strncpy(default_name, pw->pw_name, sizeof(default_name) - 1); 205 } 206 else { 207 warnx("Unable to Identify Customer from Password File"); 208 retval = 1; 209 goto finish; 210 } 211 212 /* Use this to get default_realm and format client_name */ 213 if ((retval = krb5_parse_name(default_name, &client))) { 214 warnx("Unable to Parse Client Name"); 215 goto finish; 216 } 217 218 if ((retval = krb5_unparse_name(client, &client_name))) { 219 warnx("Unable to Parse Client Name"); 220 goto finish; 221 } 222 223 requested_realm.length = client->realm.length; 224 memcpy((char *) requested_realm.data, 225 (char *) client->realm.data, 226 requested_realm.length); 227 } 228 else { 229 /* Read Client from Cache */ 230 if ((retval = krb5_cc_get_principal(cache, (krb5_principal *) &client))) { 231 warnx("Unable to Read Customer Credentials File"); 232 goto finish; 233 } 234 235 if ((retval = krb5_unparse_name(client, &client_name))) { 236 warnx("Unable to Parse Client Name"); 237 goto finish; 238 } 239 240 requested_realm.length = client->realm.length; 241 memcpy((char *) requested_realm.data, 242 (char *) client->realm.data, 243 requested_realm.length); 244 245 (void) krb5_cc_close(cache); 246 } 247 248 /* Create credential cache for changepw */ 249 (void)snprintf(cache_name, sizeof cache_name, "FILE:/tmp/tkt_cpw_%d", 250 getpid()); 251 252 if ((retval = krb5_cc_resolve(cache_name, &cache))) { 253 warnx("Unable to Resolve Cache: %s", cache_name); 254 } 255 256 if ((retval = krb5_cc_initialize(cache, client))) { 257 warnx("Error initializing cache: %s", cache_name); 258 goto finish; 259 } 260 261 /* 262 * Verify User by Obtaining Initial Credentials prior to Initial Link 263 */ 264 if ((retval = get_first_ticket(cache, client))) { 265 goto finish; 266 } 267 268 /* Initiate Link to Server */ 269 if ((retval = adm5_init_link(&requested_realm, &local_socket))) { 270 goto finish; 271 } 272 273 #define SIZEOF_INADDR sizeof(struct in_addr) 274 275 /* V4 kpasswd Protocol Hack */ 276 { 277 int msg_length = 0; 278 279 retval = krb5_net_write(local_socket, (char *) &msg_length + 2, 2); 280 if (retval < 0) { 281 warnx("krb5_net_write failure"); 282 goto finish; 283 } 284 } 285 286 local_addr.addrtype = ADDRTYPE_INET; 287 local_addr.length = SIZEOF_INADDR ; 288 local_addr.contents = (krb5_octet *)&local_sin.sin_addr; 289 290 foreign_addr.addrtype = ADDRTYPE_INET; 291 foreign_addr.length = SIZEOF_INADDR ; 292 foreign_addr.contents = (krb5_octet *)&remote_sin.sin_addr; 293 294 /* compute checksum, using CRC-32 */ 295 if (!(send_cksum.contents = (krb5_octet *) 296 malloc(krb5_checksum_size(CKSUMTYPE_CRC32)))) { 297 warnx("Insufficient Memory while Allocating Checksum"); 298 goto finish; 299 } 300 cksum_alloc++; 301 /* choose some random stuff to compute checksum from */ 302 if (retval = krb5_calculate_checksum(CKSUMTYPE_CRC32, 303 ADM_CPW_VERSION, 304 strlen(ADM_CPW_VERSION), 305 0, 306 0, /* if length is 0, crc-32 doesn't 307 use the seed */ 308 &send_cksum)) { 309 warnx("Error while Computing Checksum: %s", error_message(retval)); 310 goto finish; 311 } 312 313 /* call Kerberos library routine to obtain an authenticator, 314 pass it over the socket to the server, and obtain mutual 315 authentication. */ 316 317 if ((retval = krb5_sendauth((krb5_pointer) &local_socket, 318 ADM_CPW_VERSION, 319 my_creds.client, 320 my_creds.server, 321 AP_OPTS_MUTUAL_REQUIRED, 322 &send_cksum, 323 0, 324 cache, 325 &seqno, 326 0, /* don't need a subsession key */ 327 &err_ret, 328 &rep_ret))) { 329 warnx("Error while performing sendauth: %s", error_message(retval)); 330 goto finish; 331 } 332 333 /* Get credentials : to use for safe and private messages */ 334 if (retval = krb5_get_credentials(0, cache, &my_creds)){ 335 warnx("Error Obtaining Credentials: %s", error_message(retval)); 336 goto finish; 337 } 338 339 /* Read back what the server has to say... */ 340 if (retval = krb5_read_message(&local_socket, &inbuf)){ 341 warnx("Read Message Error: %s", error_message(retval)); 342 goto finish; 343 } 344 if ((inbuf.length != 2) || (inbuf.data[0] != KADMIND) || 345 (inbuf.data[1] != KADMSAG)){ 346 warnx("Invalid ack from admin server."); 347 goto finish; 348 } 349 350 inbuf.data[0] = KPASSWD; 351 inbuf.data[1] = CHGOPER; 352 inbuf.length = 2; 353 354 if ((retval = krb5_mk_priv(&inbuf, 355 ETYPE_DES_CBC_CRC, 356 &my_creds.keyblock, 357 &local_addr, 358 &foreign_addr, 359 seqno, 360 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 361 0, 362 0, 363 &msg_data))) { 364 warnx("Error during First Message Encoding: %s", error_message(retval)); 365 goto finish; 366 } 367 free(inbuf.data); 368 369 /* write private message to server */ 370 if (krb5_write_message(&local_socket, &msg_data)){ 371 warnx("Write Error During First Message Transmission"); 372 retval = 1; 373 goto finish; 374 } 375 free(msg_data.data); 376 377 (void)signal(SIGHUP, finish); 378 (void)signal(SIGINT, finish); 379 380 #ifdef MACH_PASS /* Machine-generated Passwords */ 381 /* Ok Now let's get the private message */ 382 if (retval = krb5_read_message(&local_socket, &inbuf)){ 383 warnx("Read Error During First Reply: %s", error_message(retval)); 384 retval = 1; 385 goto finish; 386 } 387 388 if ((retval = krb5_rd_priv(&inbuf, 389 &my_creds.keyblock, 390 &foreign_addr, 391 &local_addr, 392 rep_ret->seq_number, 393 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 394 0, 395 0, 396 &msg_data))) { 397 warnx("Error during First Read Decoding: %s", error_message(retval)); 398 goto finish; 399 } 400 free(inbuf.data); 401 #endif 402 403 if ((new_password = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == NULL) { 404 warnx("Unable to Allocate Space for New Password"); 405 goto finish; 406 } 407 408 #ifdef MACH_PASS /* Machine-generated passwords */ 409 /* Offer Client Password Choices */ 410 if ((retval = print_and_choose_password(new_password, 411 &msg_data))) { 412 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 413 free(new_password); 414 goto finish; 415 } 416 #else 417 new_pwsize = ADM_MAX_PW_LENGTH+1; 418 if ((retval = krb5_read_password("New Kerberos password: ", 419 "Retype new Kerberos password: ", 420 new_password, 421 &new_pwsize))) { 422 fprintf(stderr, "\nError while reading new password for '%s'\n", 423 client_name); 424 (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1); 425 free(new_password); 426 goto finish; 427 } 428 #endif 429 430 inbuf.data = new_password; 431 inbuf.length = strlen(new_password); 432 433 if ((retval = krb5_mk_priv(&inbuf, 434 ETYPE_DES_CBC_CRC, 435 &my_creds.keyblock, 436 &local_addr, 437 &foreign_addr, 438 seqno, 439 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 440 0, 441 0, 442 &msg_data))) { 443 warnx("Error during Second Message Encoding: %s", 444 error_message(retval)); 445 goto finish; 446 } 447 memset(inbuf.data,0,inbuf.length); 448 free(inbuf.data); 449 450 /* write private message to server */ 451 if (krb5_write_message(&local_socket, &msg_data)){ 452 warnx("Write Error During Second Message Transmission"); 453 retval = 1; 454 goto finish; 455 } 456 free(msg_data.data); 457 458 /* Ok Now let's get the private message */ 459 if (retval = krb5_read_message(&local_socket, &inbuf)){ 460 warnx("Read Error During Second Reply: %s", error_message(retval)); 461 retval = 1; 462 goto finish; 463 } 464 465 if ((retval = krb5_rd_priv(&inbuf, 466 &my_creds.keyblock, 467 &foreign_addr, 468 &local_addr, 469 rep_ret->seq_number, 470 KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME, 471 0, 472 0, 473 &msg_data))) { 474 warnx("Error during Second Read Decoding :%s", error_message(retval)); 475 goto finish; 476 } 477 478 rd_priv_resp.appl_code = msg_data.data[0]; 479 rd_priv_resp.oper_code = msg_data.data[1]; 480 rd_priv_resp.retn_code = msg_data.data[2]; 481 if (msg_data.length > 3 && msg_data.data[3]) { 482 rd_priv_resp.message = malloc(msg_data.length - 2); 483 if (rd_priv_resp.message) { 484 memcpy(rd_priv_resp.message, msg_data.data + 3, 485 msg_data.length - 3); 486 rd_priv_resp.message[msg_data.length - 3] = 0; 487 } 488 } else 489 rd_priv_resp.message = NULL; 490 491 492 free(inbuf.data); 493 free(msg_data.data); 494 if (rd_priv_resp.appl_code == KPASSWD) { 495 if (rd_priv_resp.retn_code == KPASSBAD) { 496 if (rd_priv_resp.message) 497 warnx("%s", rd_priv_resp.message); 498 else 499 warnx("Server returned KPASSBAD."); 500 } else if (rd_priv_resp.retn_code != KPASSGOOD) 501 warnx("Server returned unknown kerberos code."); 502 } else 503 warnx("Server returned bad application code %d", 504 rd_priv_resp.appl_code); 505 506 if (rd_priv_resp.message) 507 free(rd_priv_resp.message); 508 509 finish: 510 (void) krb5_cc_destroy(cache); 511 512 free(client_name); 513 free(requested_realm.data); 514 if (cksum_alloc) free(send_cksum.contents); 515 if (retval) 516 errx(1, "Protocol Failure - Password NOT changed"); 517 518 exit(0); 519 } 520 521 522 523 krb5_data cpwname = { 524 sizeof(CPWNAME)-1, 525 CPWNAME 526 }; 527 528 static krb5_error_code 529 get_first_ticket(cache, client) 530 krb5_ccache cache; 531 krb5_principal client; 532 { 533 char prompt[255]; /* for the password prompt */ 534 char verify_prompt[255]; /* Verification Prompt if Desired */ 535 char pword[ADM_MAX_PW_LENGTH+1]; /* storage for the password */ 536 int pword_length = sizeof(pword); 537 char *old_password; 538 int old_pwsize; 539 int i; 540 541 krb5_address **my_addresses; 542 543 char *client_name; 544 char local_realm[255]; 545 krb5_error_code retval; 546 547 if ((retval = krb5_unparse_name(client, &client_name))) { 548 warnx("Unable to Unparse Client Name"); 549 return(1); 550 } 551 552 (void) printf("Changing Kerberos password for %s\n", client_name); 553 554 if ((retval = krb5_os_localaddr(&my_addresses))) { 555 warnx("Unable to Get Customers Address"); 556 return(1); 557 } 558 559 memset((char *) &my_creds, 0, sizeof(my_creds)); 560 561 my_creds.client = client; 562 563 if ((retval = krb5_build_principal_ext(&my_creds.server, 564 client->realm.length, 565 client->realm.data, 566 cpwname.length, /* 6 */ 567 cpwname.data, /* "kadmin" */ 568 client->realm.length, 569 /* instance is local realm */ 570 client->realm.data, 571 0))) { 572 warnx("Error %s while building server name"); 573 return(1); 574 } 575 576 577 if ((old_password = (char *) calloc (1, 255)) == NULL) { 578 warnx("No Memory for Retrieving old password"); 579 return(1); 580 } 581 582 old_pwsize = 255; 583 if ((retval = krb5_read_password("Old kerberos password: ", 584 0, 585 old_password, 586 &old_pwsize))) { 587 fprintf(stderr, "\nError while reading password for '%s'\n", 588 client_name); 589 return(1); 590 } 591 592 /* Build Request for Initial Credentials */ 593 for (i=0; preauth_search_list[i] >= 0; i++) { 594 retval = krb5_get_in_tkt_with_password( 595 0, /* options */ 596 my_addresses, 597 /* do random preauth */ 598 preauth_search_list[i], 599 ETYPE_DES_CBC_CRC, /* etype */ 600 KEYTYPE_DES, 601 old_password, 602 cache, 603 &my_creds, 604 0); 605 if (retval != KRB5KDC_PREAUTH_FAILED && 606 retval != KRB5KRB_ERR_GENERIC) 607 break; 608 } 609 610 if (retval) { 611 warnx("Unable to Get Initial Credentials : %s", error_message(retval)); 612 } 613 614 /* Do NOT Forget to zap password */ 615 memset((char *) old_password, 0, old_pwsize); 616 free(old_password); 617 memset((char *) pword, 0, sizeof(pword)); 618 return(retval); 619 } 620 621 #ifdef MACH_PASS /* Machine-generated Passwords */ 622 static krb5_error_code 623 print_and_choose_password(new_password, decodable_pwd_string) 624 char * new_password; 625 krb5_data *decodable_pwd_string; 626 { 627 krb5_error_code retval; 628 krb5_pwd_data *pwd_data; 629 passwd_phrase_element **next_passwd_phrase_element; 630 char prompt[255]; 631 char *verify_prompt = 0; 632 int i, j, k; 633 int legit_pswd = 0; /* Assume No Legitimate Password */ 634 char *password_list[ADM_MAX_PW_CHOICES]; 635 char verification_passwd[ADM_MAX_PW_LENGTH+1]; 636 char phrase_in[ADM_MAX_PHRASE_LENGTH]; 637 int new_passwd_length; 638 char *ptr; 639 int verify = 0; /* Do Not Request Password Selection Verification */ 640 int ok = 0; 641 642 #define free_local_password_list() \ 643 { for ( k = 0; k < i && k < ADM_MAX_PW_CHOICES; k++) { \ 644 (void) memset(password_list[k], 0, ADM_MAX_PW_LENGTH); \ 645 free(password_list[k]); } \ 646 } 647 648 /* Decode Password and Phrase Information Obtained from krb5_rd_priv */ 649 if ((retval = decode_krb5_pwd_data(decodable_pwd_string , &pwd_data))) { 650 warnx("Unable to Decode Passwords and Phrases\n%s", 651 " Notify your System Administrator or the Kerberos Administrator"); 652 return(1); 653 } 654 655 next_passwd_phrase_element = pwd_data->element; 656 /* Display List in 5 Password/Phrase Increments up to MAX Iterations */ 657 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 658 for ( j = 0; j <= ADM_MAX_PW_ITERATIONS; j++) { 659 if (j == ADM_MAX_PW_ITERATIONS) { 660 warnx("Sorry - You Have Exceeded the List of Choices (%d)\n%s%s%s", 661 ADM_MAX_PW_ITERATIONS * ADM_MAX_PW_CHOICES, 662 "\tAllowed for Password Modification.\n", 663 "\tYou Must Repeat this Operation in order\n", 664 "\tto Successfully Change your Password."); 665 break; 666 } 667 668 display_print: 669 printf("Choose a password from the following list:\n"); 670 671 printf("\nPassword Remembrance Aid\n"); 672 673 /* Print Passwords and Assistance Phrases List */ 674 for ( i = 0; i < ADM_MAX_PW_CHOICES; i++){ 675 if ((password_list[i] = (char *) calloc (1, 676 ADM_MAX_PW_LENGTH + 1)) == NULL) { 677 warnx("Unable to Allocate Password List."); 678 return(1); 679 } 680 681 memcpy(password_list[i], 682 (*next_passwd_phrase_element)->passwd->data, 683 (*next_passwd_phrase_element)->passwd->length); 684 printf("%s ", password_list[i]); 685 686 memcpy((char *) phrase_in, 687 (*next_passwd_phrase_element)->phrase->data, 688 (*next_passwd_phrase_element)->phrase->length); 689 for ( k = 0; 690 k < 50 && k < (*next_passwd_phrase_element)->phrase->length; 691 k++) { 692 printf("%c", phrase_in[k]); 693 } 694 for ( k = k; 695 k < 70 && k < (*next_passwd_phrase_element)->phrase->length; 696 k++) { 697 if (phrase_in[k] == ' ') { 698 printf("\n "); 699 k++; 700 break; 701 } else { 702 printf("%c", phrase_in[k]); 703 } 704 } 705 for ( k = k; 706 k < (*next_passwd_phrase_element)->phrase->length; 707 k++) { 708 printf("%c", phrase_in[k]); 709 } 710 printf("\n"); 711 memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH); 712 next_passwd_phrase_element++; 713 } 714 715 (void)snprintf(prompt, sizeof prompt, 716 "\nEnter Password Selection or a <CR> to get new list: "); 717 718 new_passwd_length = ADM_MAX_PW_LENGTH+1; 719 /* Read New Password from Terminal (Do Not Print on Screen) */ 720 if ((retval = krb5_read_password(&prompt[0], 0, 721 new_password, &new_passwd_length))) { 722 warnx("Error Reading Password Input or Input Aborted"); 723 free_local_password_list(); 724 break;; 725 } 726 727 /* Check for <CR> ==> Provide a New List */ 728 if (new_passwd_length == 0) continue; 729 730 /* Check that Selection is from List - Server also does this */ 731 legit_pswd = 0; 732 for (i = 0; i < ADM_MAX_PW_CHOICES && !legit_pswd; i++) 733 if ((retval = memcmp(new_password, 734 password_list[i], 8)) == 0) { 735 legit_pswd++; 736 } 737 free_local_password_list(); 738 739 if (!(legit_pswd)) { 740 printf("\07\07Password must be from the specified list "); 741 printf("- Try Again\n"); 742 } 743 744 if (legit_pswd) break; /* Exit Loop */ 745 } /* ADM_MAX_PW_CHOICES Loop */ 746 747 if (!(legit_pswd)) return (1); 748 749 return(0); /* SUCCESS */ 750 } 751 #endif 752 753 static krb5_error_code 754 adm5_init_link(realm_of_server, local_socket) 755 krb5_data *realm_of_server; 756 int * local_socket; 757 { 758 struct servent *service_process; /* service we will talk to */ 759 struct hostent *local_host; /* us */ 760 struct hostent *remote_host; /* host we will talk to */ 761 struct sockaddr *sockaddr_list; 762 763 char **hostlist; 764 765 int host_count; 766 int namelen; 767 int i, count; 768 769 krb5_error_code retval; 770 771 /* clear out the structure first */ 772 (void) memset((char *)&remote_sin, 0, sizeof(remote_sin)); 773 774 if ((service_process = getservbyname(CPW_SNAME, "tcp")) == NULL) { 775 warnx("Unable to find Service (%s) Check services file", CPW_SNAME); 776 return(1); 777 } 778 779 /* Copy the Port Number */ 780 remote_sin.sin_port = service_process->s_port; 781 782 hostlist = 0; 783 784 /* Identify all Hosts Associated with this Realm */ 785 if ((retval = krb5_get_krbhst (realm_of_server, &hostlist))) { 786 warnx("Unable to Determine Server Name"); 787 return(1); 788 } 789 790 for (i=0; hostlist[i]; i++); 791 792 count = i; 793 794 if (count == 0) { 795 host_count = 0; 796 warnx("No hosts found"); 797 return(1); 798 } 799 800 for (i=0; hostlist[i]; i++) { 801 remote_host = gethostbyname(hostlist[i]); 802 if (remote_host != 0) { 803 804 /* set up the address of the foreign socket for connect() */ 805 remote_sin.sin_family = remote_host->h_addrtype; 806 (void) memcpy((char *) &remote_sin.sin_addr, 807 (char *) remote_host->h_addr, 808 sizeof(remote_host->h_addr)); 809 break; /* Only Need one */ 810 } 811 } 812 813 free ((char *)hostlist); 814 815 /* open a TCP socket */ 816 *local_socket = socket(PF_INET, SOCK_STREAM, 0); 817 if (*local_socket < 0) { 818 warnx("Cannot Open Socket"); 819 return(1); 820 } 821 /* connect to the server */ 822 if (connect(*local_socket, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) < 0) { 823 warnx("Cannot Connect to Socket"); 824 close(*local_socket); 825 return(1); 826 } 827 828 /* find out who I am, now that we are connected and therefore bound */ 829 namelen = sizeof(local_sin); 830 if (getsockname(*local_socket, 831 (struct sockaddr *) &local_sin, &namelen) < 0) { 832 warnx("Cannot Perform getsockname"); 833 close(*local_socket); 834 return(1); 835 } 836 return(0); 837 } 838 839 static void 840 finish() 841 { 842 exit(1); 843 } 844 845 #ifdef KRB_NONETWORK 846 #include <utmp.h> 847 848 #ifndef MAXHOSTNAME 849 #define MAXHOSTNAME 64 850 #endif 851 852 int utfile; /* Global utfile file descriptor for BSD version 853 of setutent, getutline, and endutent */ 854 855 #if !defined(SYSV) && !defined(UMIPS) /* Setutent, Endutent, and getutline 856 routines for non System V Unix 857 systems */ 858 #include <fcntl.h> 859 860 void setutent() 861 { 862 utfile = open("/etc/utmp",O_RDONLY); 863 } 864 865 struct utmp * getutline(utmpent) 866 struct utmp *utmpent; 867 { 868 static struct utmp tmputmpent; 869 int found = 0; 870 while ( read(utfile,&tmputmpent,sizeof(struct utmp)) > 0 ){ 871 if ( strcmp(tmputmpent.ut_line,utmpent->ut_line) == 0){ 872 #ifdef NO_UT_HOST 873 if ( ( 1) && 874 #else 875 if ( (strcmp(tmputmpent.ut_host,"") == 0) && 876 #endif 877 (strcmp(tmputmpent.ut_name,"") == 0)) continue; 878 found = 1; 879 break; 880 } 881 } 882 if (found) 883 return(&tmputmpent); 884 return((struct utmp *) 0); 885 } 886 887 void endutent() 888 { 889 close(utfile); 890 } 891 #endif /* not SYSV */ 892 893 894 int network_connected() 895 { 896 struct utmp utmpent; 897 struct utmp retutent, *tmpptr; 898 char *display_indx; 899 char currenthost[MAXHOSTNAME]; 900 char *username,*tmpname; 901 902 903 /* Macro for pseudo_tty */ 904 #define pseudo_tty(ut) \ 905 ((strncmp((ut).ut_line, "tty", 3) == 0 && ((ut).ut_line[3] == 'p' \ 906 || (ut).ut_line[3] == 'q' \ 907 || (ut).ut_line[3] == 'r' \ 908 || (ut).ut_line[3] == 's'))\ 909 || (strncmp((ut).ut_line, "pty", 3) == 0)) 910 911 /* Check to see if getlogin returns proper name */ 912 if ( (tmpname = (char *) getlogin()) == (char *) 0) 913 return(1); 914 username = strdup(tmpname); 915 if (username == (char *) 0) 916 return(1); 917 918 /* Obtain tty device for controlling tty of current process.*/ 919 strncpy(utmpent.ut_line,ttyname(0) + strlen("/dev/"), 920 sizeof(utmpent.ut_line)); 921 922 /* See if this device is currently listed in /etc/utmp under 923 calling user */ 924 #ifdef SYSV 925 utmpent.ut_type = USER_PROCESS; 926 #define ut_name ut_user 927 #endif 928 setutent(); 929 while ( (tmpptr = (struct utmp *) getutline(&utmpent)) 930 != ( struct utmp *) 0) { 931 932 /* If logged out name and host will be empty */ 933 if ((strcmp(tmpptr->ut_name,"") == 0) && 934 #ifdef NO_UT_HOST 935 ( 1)) continue; 936 #else 937 (strcmp(tmpptr->ut_host,"") == 0)) continue; 938 #endif 939 else break; 940 } 941 if ( tmpptr == (struct utmp *) 0) { 942 endutent(); 943 return(1); 944 } 945 memmove((char *)tmpptr, (char *)&retutent, sizeof(struct utmp)); 946 endutent(); 947 #ifdef DEBUG 948 #ifdef NO_UT_HOST 949 printf("User %s on line %s :\n", 950 retutent.ut_name,retutent.ut_line); 951 #else 952 printf("User %s on line %s connected from host :%s:\n", 953 retutent.ut_name,retutent.ut_line,retutent.ut_host); 954 #endif 955 #endif 956 if (strcmp(retutent.ut_name,username) != 0) { 957 return(1); 958 } 959 960 961 /* If this is not a pseudo tty then everything is OK */ 962 if (! pseudo_tty(retutent)) return(0); 963 964 /* OK now the work begins there is an entry in utmp and 965 the device is a pseudo tty. */ 966 967 /* Check if : is in hostname if so this is xwindow display */ 968 969 if (gethostname(currenthost,sizeof(currenthost))) return(1); 970 #ifdef NO_UT_HOST 971 display_indx = (char *) 0; 972 #else 973 display_indx = (char *) strchr(retutent.ut_host,':'); 974 #endif 975 if ( display_indx != (char *) 0) { 976 /* 977 We have X window application here. The host field should have 978 the form => local_system_name:0.0 or :0.0 979 if the window is being displayed on the local system. 980 */ 981 #ifdef NO_UT_HOST 982 return(1); 983 #else 984 if (strncmp(currenthost,retutent.ut_host, 985 (display_indx - retutent.ut_host)) != 0) return(1); 986 else return(0); 987 #endif 988 } 989 990 /* Host field is empty or is not X window entry. At this point 991 we can't trust that the pseudo tty is not connected to a 992 networked process so let's return 1. 993 */ 994 return(1); 995 } 996 997 int networked() 998 { 999 return(network_connected()); 1000 } 1001 #endif 1002 1003 int 1004 krb_check() 1005 { 1006 return(1): /* XXX! */ 1007 } 1008 1009 #endif /* KERBEROS5 */ 1010
Indexes created Mon Sep 29 21:09:56 GMT 2025