skeyinit.c revision 1.25
1 1.25 elad /* $NetBSD: skeyinit.c,v 1.25 2005/09/18 21:50:20 elad Exp $ */ 2 1.5 cgd 3 1.1 deraadt /* S/KEY v1.1b (skeyinit.c) 4 1.1 deraadt * 5 1.1 deraadt * Authors: 6 1.1 deraadt * Neil M. Haller <nmh (at) thumper.bellcore.com> 7 1.1 deraadt * Philip R. Karn <karn (at) chicago.qualcomm.com> 8 1.1 deraadt * John S. Walden <jsw (at) thumper.bellcore.com> 9 1.1 deraadt * Scott Chasin <chasin (at) crimelab.com> 10 1.1 deraadt * 11 1.13 mjl * Modifications: 12 1.13 mjl * Todd C. Miller <Todd.Miller (at) courtesan.com> 13 1.13 mjl * 14 1.1 deraadt * S/KEY initialization and seed update 15 1.1 deraadt */ 16 1.22 agc 17 1.22 agc #include <sys/cdefs.h> 18 1.22 agc 19 1.22 agc #ifndef lint 20 1.25 elad __RCSID("$NetBSD: skeyinit.c,v 1.25 2005/09/18 21:50:20 elad Exp $"); 21 1.22 agc #endif 22 1.1 deraadt 23 1.3 cgd #include <sys/param.h> 24 1.3 cgd #include <sys/time.h> 25 1.3 cgd #include <sys/resource.h> 26 1.3 cgd 27 1.13 mjl #include <ctype.h> 28 1.13 mjl #include <err.h> 29 1.13 mjl #include <errno.h> 30 1.13 mjl #include <fcntl.h> 31 1.17 itohy #include <paths.h> 32 1.13 mjl #include <pwd.h> 33 1.1 deraadt #include <stdio.h> 34 1.5 cgd #include <stdlib.h> 35 1.1 deraadt #include <string.h> 36 1.13 mjl #include <time.h> 37 1.1 deraadt #include <unistd.h> 38 1.3 cgd 39 1.13 mjl #include <skey.h> 40 1.1 deraadt 41 1.13 mjl #ifndef SKEY_NAMELEN 42 1.13 mjl #define SKEY_NAMELEN 4 43 1.13 mjl #endif 44 1.1 deraadt 45 1.13 mjl int main(int argc, char **argv) 46 1.1 deraadt { 47 1.13 mjl int rval, nn, i, l; 48 1.13 mjl int n = 0, defaultsetup = 1, zerokey = 0, hexmode = 0; 49 1.25 elad int argpass = 0, argkey = 0; 50 1.1 deraadt time_t now; 51 1.9 mrg char hostname[MAXHOSTNAMELEN + 1]; 52 1.13 mjl char seed[SKEY_MAX_PW_LEN+2], key[SKEY_BINKEY_SIZE], defaultseed[SKEY_MAX_SEED_LEN+1]; 53 1.13 mjl char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2], tbuf[27], buf[80]; 54 1.19 christos char lastc, me[LOGIN_NAME_MAX+1], *p, *pw, *ht = NULL; 55 1.11 mycroft const char *salt; 56 1.11 mycroft struct skey skey; 57 1.11 mycroft struct passwd *pp; 58 1.11 mycroft struct tm *tm; 59 1.13 mjl int c; 60 1.17 itohy 61 1.17 itohy /* 62 1.17 itohy * Make sure using stdin/stdout/stderr is safe 63 1.17 itohy * after opening any file. 64 1.17 itohy */ 65 1.17 itohy i = open(_PATH_DEVNULL, O_RDWR); 66 1.17 itohy while (i >= 0 && i < 2) 67 1.17 itohy i = dup(i); 68 1.17 itohy if (i > 2) 69 1.17 itohy close(i); 70 1.1 deraadt 71 1.13 mjl if (geteuid() != 0) 72 1.13 mjl errx(1, "must be setuid root."); 73 1.1 deraadt 74 1.2 deraadt if (gethostname(hostname, sizeof(hostname)) < 0) 75 1.2 deraadt err(1, "gethostname"); 76 1.14 thorpej 77 1.14 thorpej /* 78 1.14 thorpej * Copy the hostname into the default seed, eliminating any 79 1.14 thorpej * non alpha-numeric characters. 80 1.14 thorpej */ 81 1.14 thorpej for (i = 0, l = 0; l < sizeof(defaultseed); i++) { 82 1.14 thorpej if (hostname[i] == '\0') { 83 1.14 thorpej defaultseed[l] = hostname[i]; 84 1.14 thorpej break; 85 1.14 thorpej } 86 1.24 dsl if (isalnum((unsigned char)hostname[i])) 87 1.14 thorpej defaultseed[l++] = hostname[i]; 88 1.14 thorpej } 89 1.14 thorpej 90 1.13 mjl defaultseed[SKEY_NAMELEN] = '\0'; 91 1.13 mjl (void)time(&now); 92 1.21 itojun (void)snprintf(tbuf, sizeof(tbuf), "%05ld", (long) (now % 100000)); 93 1.21 itojun (void)strlcat(defaultseed, tbuf, sizeof(defaultseed)); 94 1.1 deraadt 95 1.1 deraadt if ((pp = getpwuid(getuid())) == NULL) 96 1.12 christos err(1, "no user with uid %ld", (u_long)getuid()); 97 1.20 itojun (void)strlcpy(me, pp->pw_name, sizeof(me)); 98 1.1 deraadt 99 1.1 deraadt if ((pp = getpwnam(me)) == NULL) 100 1.1 deraadt err(1, "Who are you?"); 101 1.13 mjl salt = pp->pw_passwd; 102 1.1 deraadt 103 1.25 elad while((c = getopt(argc, argv, "k:n:p:t:sxz")) != -1) { 104 1.13 mjl switch(c) { 105 1.25 elad case 'k': 106 1.25 elad argkey = 1; 107 1.25 elad if (strlen(optarg) > SKEY_MAX_PW_LEN) 108 1.25 elad errx(1, "key too long"); 109 1.25 elad strlcpy(passwd, optarg, sizeof(passwd)); 110 1.25 elad strlcpy(passwd2, optarg, sizeof(passwd)); 111 1.25 elad break; 112 1.13 mjl case 'n': 113 1.13 mjl n = atoi(optarg); 114 1.13 mjl if(n < 1 || n > SKEY_MAX_SEQ) 115 1.13 mjl errx(1, "count must be between 1 and %d", SKEY_MAX_SEQ); 116 1.13 mjl break; 117 1.25 elad case 'p': 118 1.25 elad if (strlen(optarg) >= _PASSWORD_LEN) 119 1.25 elad errx(1, "password too long"); 120 1.25 elad if ((pw = malloc(_PASSWORD_LEN + 1)) == NULL) 121 1.25 elad err(1, "no memory for password"); 122 1.25 elad strlcpy(pw, optarg, _PASSWORD_LEN + 1); 123 1.25 elad break; 124 1.13 mjl case 't': 125 1.13 mjl if(skey_set_algorithm(optarg) == NULL) 126 1.13 mjl errx(1, "Unknown hash algorithm %s", optarg); 127 1.13 mjl ht = optarg; 128 1.13 mjl break; 129 1.13 mjl case 's': 130 1.13 mjl defaultsetup = 0; 131 1.13 mjl break; 132 1.13 mjl case 'x': 133 1.13 mjl hexmode = 1; 134 1.13 mjl break; 135 1.13 mjl case 'z': 136 1.13 mjl zerokey = 1; 137 1.13 mjl break; 138 1.13 mjl default: 139 1.23 jmmv errx(1, "usage: %s [-n count] [-t md4|md5|sha1] [-s] [-x] [-z] [user]", argv[0]); 140 1.13 mjl } 141 1.13 mjl } 142 1.13 mjl 143 1.13 mjl if(argc > optind) { 144 1.13 mjl pp = getpwnam(argv[optind]); 145 1.13 mjl if (pp == NULL) 146 1.13 mjl errx(1, "User %s unknown", argv[optind]); 147 1.13 mjl } 148 1.1 deraadt 149 1.1 deraadt if (strcmp(pp->pw_name, me) != 0) { 150 1.1 deraadt if (getuid() != 0) { 151 1.1 deraadt /* Only root can change other's passwds */ 152 1.13 mjl errx(1, "Permission denied."); 153 1.1 deraadt } 154 1.1 deraadt } 155 1.1 deraadt 156 1.1 deraadt if (getuid() != 0) { 157 1.25 elad if (!argpass) 158 1.25 elad pw = getpass("Password:"); 159 1.1 deraadt p = crypt(pw, salt); 160 1.1 deraadt 161 1.13 mjl if (strcmp(p, pp->pw_passwd)) { 162 1.13 mjl errx(1, "Password incorrect."); 163 1.1 deraadt } 164 1.1 deraadt } 165 1.13 mjl 166 1.1 deraadt rval = skeylookup(&skey, pp->pw_name); 167 1.1 deraadt switch (rval) { 168 1.1 deraadt case -1: 169 1.1 deraadt err(1, "cannot open database"); 170 1.1 deraadt case 0: 171 1.13 mjl /* comment out user if asked to */ 172 1.13 mjl if (zerokey) 173 1.13 mjl exit(skeyzero(&skey, pp->pw_name)); 174 1.13 mjl 175 1.1 deraadt printf("[Updating %s]\n", pp->pw_name); 176 1.13 mjl printf("Old key: [%s] %s\n", skey_get_algorithm(), skey.seed); 177 1.1 deraadt 178 1.1 deraadt /* 179 1.1 deraadt * lets be nice if they have a skey.seed that 180 1.1 deraadt * ends in 0-8 just add one 181 1.1 deraadt */ 182 1.1 deraadt l = strlen(skey.seed); 183 1.1 deraadt if (l > 0) { 184 1.1 deraadt lastc = skey.seed[l - 1]; 185 1.12 christos if (isdigit((unsigned char)lastc) && lastc != '9') { 186 1.20 itojun (void)strlcpy(defaultseed, skey.seed, 187 1.20 itojun sizeof(defaultseed)); 188 1.1 deraadt defaultseed[l - 1] = lastc + 1; 189 1.1 deraadt } 190 1.12 christos if (isdigit((unsigned char)lastc) && lastc == '9' && 191 1.12 christos l < 16) { 192 1.21 itojun (void)strlcpy(defaultseed, skey.seed, 193 1.20 itojun sizeof(defaultseed)); 194 1.1 deraadt defaultseed[l - 1] = '0'; 195 1.1 deraadt defaultseed[l] = '0'; 196 1.1 deraadt defaultseed[l + 1] = '\0'; 197 1.1 deraadt } 198 1.1 deraadt } 199 1.1 deraadt break; 200 1.1 deraadt case 1: 201 1.13 mjl if (zerokey) 202 1.13 mjl errx(1, "You have no entry to zero."); 203 1.1 deraadt printf("[Adding %s]\n", pp->pw_name); 204 1.1 deraadt break; 205 1.1 deraadt } 206 1.13 mjl 207 1.13 mjl if(n==0) 208 1.13 mjl n = 99; 209 1.13 mjl 210 1.13 mjl /* Set hash type if asked to */ 211 1.13 mjl if (ht) { 212 1.13 mjl /* Need to zero out old key when changing algorithm */ 213 1.13 mjl if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht)) 214 1.13 mjl zerokey = 1; 215 1.13 mjl } 216 1.1 deraadt 217 1.1 deraadt if (!defaultsetup) { 218 1.13 mjl printf("You need the 6 english words generated from the \"skey\" command.\n"); 219 1.1 deraadt for (i = 0;; i++) { 220 1.1 deraadt if (i >= 2) 221 1.1 deraadt exit(1); 222 1.13 mjl printf("Enter sequence count from 1 to %d: ", SKEY_MAX_SEQ); 223 1.13 mjl fgets(buf, sizeof(buf), stdin); 224 1.13 mjl n = atoi(buf); 225 1.13 mjl if (n > 0 && n < SKEY_MAX_SEQ) 226 1.1 deraadt break; /* Valid range */ 227 1.13 mjl printf("\nError: Count must be between 0 and %d\n", SKEY_MAX_SEQ); 228 1.13 mjl } 229 1.13 mjl 230 1.13 mjl for (i = 0;; i++) { 231 1.13 mjl if (i >= 2) 232 1.13 mjl exit(1); 233 1.13 mjl 234 1.13 mjl printf("Enter new seed [default %s]: ", defaultseed); 235 1.13 mjl fflush(stdout); 236 1.13 mjl fgets(seed, sizeof(seed), stdin); 237 1.13 mjl rip(seed); 238 1.13 mjl for (p = seed; *p; p++) { 239 1.24 dsl if (isalpha((unsigned char)*p)) { 240 1.24 dsl *p = tolower((unsigned char)*p); 241 1.24 dsl } else if (!isdigit((unsigned char)*p)) { 242 1.13 mjl (void)puts("Error: seed may only contain alphanumeric characters"); 243 1.13 mjl break; 244 1.13 mjl } 245 1.13 mjl } 246 1.13 mjl if (*p == '\0') 247 1.13 mjl break; /* Valid seed */ 248 1.1 deraadt } 249 1.13 mjl if (strlen(seed) > SKEY_MAX_SEED_LEN) { 250 1.13 mjl printf("Notice: Seed truncated to %d characters.\n", SKEY_MAX_SEED_LEN); 251 1.13 mjl seed[SKEY_MAX_SEED_LEN] = '\0'; 252 1.1 deraadt } 253 1.1 deraadt if (seed[0] == '\0') 254 1.20 itojun (void)strlcpy(seed, defaultseed, sizeof(seed)); 255 1.1 deraadt 256 1.1 deraadt for (i = 0;; i++) { 257 1.1 deraadt if (i >= 2) 258 1.1 deraadt exit(1); 259 1.1 deraadt 260 1.13 mjl printf("otp-%s %d %s\ns/key access password: ", 261 1.13 mjl skey_get_algorithm(), n, seed); 262 1.13 mjl fgets(buf, sizeof(buf), stdin); 263 1.13 mjl rip(buf); 264 1.13 mjl backspace(buf); 265 1.1 deraadt 266 1.13 mjl if (buf[0] == '?') { 267 1.13 mjl puts("Enter 6 English words from secure S/Key calculation."); 268 1.1 deraadt continue; 269 1.13 mjl } else if (buf[0] == '\0') { 270 1.1 deraadt exit(1); 271 1.1 deraadt } 272 1.13 mjl if (etob(key, buf) == 1 || atob8(key, buf) == 0) 273 1.1 deraadt break; /* Valid format */ 274 1.13 mjl (void)puts("Invalid format - try again with 6 English words."); 275 1.1 deraadt } 276 1.1 deraadt } else { 277 1.13 mjl /* Get user's secret password */ 278 1.13 mjl puts("Reminder - Only use this method if you are directly connected\n" 279 1.13 mjl " or have an encrypted channel. If you are using telnet\n" 280 1.13 mjl " or rlogin, exit with no password and use skeyinit -s.\n"); 281 1.13 mjl 282 1.13 mjl for (i = 0;; i++) { 283 1.1 deraadt if (i >= 2) 284 1.1 deraadt exit(1); 285 1.1 deraadt 286 1.25 elad if (!argkey) { 287 1.25 elad printf("Enter secret password: "); 288 1.25 elad readpass(passwd, sizeof(passwd)); 289 1.25 elad if (passwd[0] == '\0') 290 1.25 elad exit(1); 291 1.25 elad } 292 1.1 deraadt 293 1.13 mjl if (strlen(passwd) < SKEY_MIN_PW_LEN) { 294 1.13 mjl (void)fprintf(stderr, 295 1.13 mjl "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN); 296 1.13 mjl continue; 297 1.13 mjl } else if (strcmp(passwd, pp->pw_name) == 0) { 298 1.13 mjl (void)fputs("Your password may not be the same as your user name.\n", stderr); 299 1.13 mjl continue; 300 1.13 mjl } 301 1.13 mjl #if 0 302 1.13 mjl else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) { 303 1.13 mjl (void)fputs("Your password must contain more than just lower case letters.\n" 304 1.13 mjl "Whitespace, numbers, and puctuation are suggested.\n", stderr); 305 1.13 mjl continue; 306 1.13 mjl } 307 1.13 mjl #endif 308 1.25 elad 309 1.25 elad if (!argkey) { 310 1.25 elad printf("Again secret password: "); 311 1.25 elad readpass(passwd2, sizeof(passwd)); 312 1.25 elad if (passwd2[0] == '\0') 313 1.25 elad exit(1); 314 1.25 elad } 315 1.1 deraadt 316 1.1 deraadt if (strcmp(passwd, passwd2) == 0) 317 1.1 deraadt break; 318 1.1 deraadt 319 1.13 mjl puts("Passwords do not match."); 320 1.1 deraadt } 321 1.1 deraadt 322 1.1 deraadt /* Crunch seed and password into starting key */ 323 1.20 itojun (void)strlcpy(seed, defaultseed, sizeof(seed)); 324 1.1 deraadt if (keycrunch(key, seed, passwd) != 0) 325 1.1 deraadt err(2, "key crunch failed"); 326 1.1 deraadt nn = n; 327 1.1 deraadt while (nn-- != 0) 328 1.1 deraadt f(key); 329 1.1 deraadt } 330 1.13 mjl (void)time(&now); 331 1.1 deraadt tm = localtime(&now); 332 1.13 mjl (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm); 333 1.1 deraadt 334 1.13 mjl if ((skey.val = (char *)malloc(16 + 1)) == NULL) 335 1.13 mjl err(1, "Can't allocate memory"); 336 1.13 mjl 337 1.16 wiz /* Zero out old key if necessary (entry would change size) */ 338 1.13 mjl if (zerokey) { 339 1.13 mjl (void)skeyzero(&skey, pp->pw_name); 340 1.13 mjl /* Re-open keys file and seek to the end */ 341 1.13 mjl if (skeylookup(&skey, pp->pw_name) == -1) 342 1.13 mjl err(1, "cannot open database"); 343 1.13 mjl } 344 1.1 deraadt 345 1.1 deraadt btoa8(skey.val, key); 346 1.1 deraadt 347 1.13 mjl /* 348 1.13 mjl * Obtain an exclusive lock on the key file so we don't 349 1.13 mjl * clobber someone authenticating themselves at the same time. 350 1.13 mjl */ 351 1.13 mjl for (i = 0; i < 300; i++) { 352 1.13 mjl if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0 353 1.13 mjl || errno != EWOULDBLOCK) 354 1.13 mjl break; 355 1.13 mjl usleep(100000); /* Sleep for 0.1 seconds */ 356 1.13 mjl } 357 1.13 mjl if (rval == -1) { /* Can't get exclusive lock */ 358 1.13 mjl errno = EAGAIN; 359 1.13 mjl err(1, "cannot open database"); 360 1.13 mjl } 361 1.13 mjl 362 1.13 mjl /* Don't save algorithm type for md4 (keep record length same) */ 363 1.13 mjl if (strcmp(skey_get_algorithm(), "md4") == 0) 364 1.13 mjl (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n", 365 1.13 mjl pp->pw_name, n, seed, skey.val, tbuf); 366 1.13 mjl else 367 1.13 mjl (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n", 368 1.13 mjl pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf); 369 1.13 mjl 370 1.13 mjl (void)fclose(skey.keyfile); 371 1.13 mjl 372 1.13 mjl (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name, 373 1.13 mjl skey_get_algorithm(), n, seed); 374 1.13 mjl (void)printf("Next login password: %s\n\n", 375 1.13 mjl hexmode ? put8(buf, key) : btoe(buf, key)); 376 1.1 deraadt 377 1.13 mjl return(0); 378 1.1 deraadt } 379
Indexes created Wed Sep 24 14:09:57 GMT 2025