skeyinit.c revision 1.25
1 /* $NetBSD: skeyinit.c,v 1.25 2005/09/18 21:50:20 elad Exp $ */ 2 3 /* S/KEY v1.1b (skeyinit.c) 4 * 5 * Authors: 6 * Neil M. Haller <nmh (at) thumper.bellcore.com> 7 * Philip R. Karn <karn (at) chicago.qualcomm.com> 8 * John S. Walden <jsw (at) thumper.bellcore.com> 9 * Scott Chasin <chasin (at) crimelab.com> 10 * 11 * Modifications: 12 * Todd C. Miller <Todd.Miller (at) courtesan.com> 13 * 14 * S/KEY initialization and seed update 15 */ 16 17 #include <sys/cdefs.h> 18 19 #ifndef lint 20 __RCSID("$NetBSD: skeyinit.c,v 1.25 2005/09/18 21:50:20 elad Exp $"); 21 #endif 22 23 #include <sys/param.h> 24 #include <sys/time.h> 25 #include <sys/resource.h> 26 27 #include <ctype.h> 28 #include <err.h> 29 #include <errno.h> 30 #include <fcntl.h> 31 #include <paths.h> 32 #include <pwd.h> 33 #include <stdio.h> 34 #include <stdlib.h> 35 #include <string.h> 36 #include <time.h> 37 #include <unistd.h> 38 39 #include <skey.h> 40 41 #ifndef SKEY_NAMELEN 42 #define SKEY_NAMELEN 4 43 #endif 44 45 int main(int argc, char **argv) 46 { 47 int rval, nn, i, l; 48 int n = 0, defaultsetup = 1, zerokey = 0, hexmode = 0; 49 int argpass = 0, argkey = 0; 50 time_t now; 51 char hostname[MAXHOSTNAMELEN + 1]; 52 char seed[SKEY_MAX_PW_LEN+2], key[SKEY_BINKEY_SIZE], defaultseed[SKEY_MAX_SEED_LEN+1]; 53 char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2], tbuf[27], buf[80]; 54 char lastc, me[LOGIN_NAME_MAX+1], *p, *pw, *ht = NULL; 55 const char *salt; 56 struct skey skey; 57 struct passwd *pp; 58 struct tm *tm; 59 int c; 60 61 /* 62 * Make sure using stdin/stdout/stderr is safe 63 * after opening any file. 64 */ 65 i = open(_PATH_DEVNULL, O_RDWR); 66 while (i >= 0 && i < 2) 67 i = dup(i); 68 if (i > 2) 69 close(i); 70 71 if (geteuid() != 0) 72 errx(1, "must be setuid root."); 73 74 if (gethostname(hostname, sizeof(hostname)) < 0) 75 err(1, "gethostname"); 76 77 /* 78 * Copy the hostname into the default seed, eliminating any 79 * non alpha-numeric characters. 80 */ 81 for (i = 0, l = 0; l < sizeof(defaultseed); i++) { 82 if (hostname[i] == '\0') { 83 defaultseed[l] = hostname[i]; 84 break; 85 } 86 if (isalnum((unsigned char)hostname[i])) 87 defaultseed[l++] = hostname[i]; 88 } 89 90 defaultseed[SKEY_NAMELEN] = '\0'; 91 (void)time(&now); 92 (void)snprintf(tbuf, sizeof(tbuf), "%05ld", (long) (now % 100000)); 93 (void)strlcat(defaultseed, tbuf, sizeof(defaultseed)); 94 95 if ((pp = getpwuid(getuid())) == NULL) 96 err(1, "no user with uid %ld", (u_long)getuid()); 97 (void)strlcpy(me, pp->pw_name, sizeof(me)); 98 99 if ((pp = getpwnam(me)) == NULL) 100 err(1, "Who are you?"); 101 salt = pp->pw_passwd; 102 103 while((c = getopt(argc, argv, "k:n:p:t:sxz")) != -1) { 104 switch(c) { 105 case 'k': 106 argkey = 1; 107 if (strlen(optarg) > SKEY_MAX_PW_LEN) 108 errx(1, "key too long"); 109 strlcpy(passwd, optarg, sizeof(passwd)); 110 strlcpy(passwd2, optarg, sizeof(passwd)); 111 break; 112 case 'n': 113 n = atoi(optarg); 114 if(n < 1 || n > SKEY_MAX_SEQ) 115 errx(1, "count must be between 1 and %d", SKEY_MAX_SEQ); 116 break; 117 case 'p': 118 if (strlen(optarg) >= _PASSWORD_LEN) 119 errx(1, "password too long"); 120 if ((pw = malloc(_PASSWORD_LEN + 1)) == NULL) 121 err(1, "no memory for password"); 122 strlcpy(pw, optarg, _PASSWORD_LEN + 1); 123 break; 124 case 't': 125 if(skey_set_algorithm(optarg) == NULL) 126 errx(1, "Unknown hash algorithm %s", optarg); 127 ht = optarg; 128 break; 129 case 's': 130 defaultsetup = 0; 131 break; 132 case 'x': 133 hexmode = 1; 134 break; 135 case 'z': 136 zerokey = 1; 137 break; 138 default: 139 errx(1, "usage: %s [-n count] [-t md4|md5|sha1] [-s] [-x] [-z] [user]", argv[0]); 140 } 141 } 142 143 if(argc > optind) { 144 pp = getpwnam(argv[optind]); 145 if (pp == NULL) 146 errx(1, "User %s unknown", argv[optind]); 147 } 148 149 if (strcmp(pp->pw_name, me) != 0) { 150 if (getuid() != 0) { 151 /* Only root can change other's passwds */ 152 errx(1, "Permission denied."); 153 } 154 } 155 156 if (getuid() != 0) { 157 if (!argpass) 158 pw = getpass("Password:"); 159 p = crypt(pw, salt); 160 161 if (strcmp(p, pp->pw_passwd)) { 162 errx(1, "Password incorrect."); 163 } 164 } 165 166 rval = skeylookup(&skey, pp->pw_name); 167 switch (rval) { 168 case -1: 169 err(1, "cannot open database"); 170 case 0: 171 /* comment out user if asked to */ 172 if (zerokey) 173 exit(skeyzero(&skey, pp->pw_name)); 174 175 printf("[Updating %s]\n", pp->pw_name); 176 printf("Old key: [%s] %s\n", skey_get_algorithm(), skey.seed); 177 178 /* 179 * lets be nice if they have a skey.seed that 180 * ends in 0-8 just add one 181 */ 182 l = strlen(skey.seed); 183 if (l > 0) { 184 lastc = skey.seed[l - 1]; 185 if (isdigit((unsigned char)lastc) && lastc != '9') { 186 (void)strlcpy(defaultseed, skey.seed, 187 sizeof(defaultseed)); 188 defaultseed[l - 1] = lastc + 1; 189 } 190 if (isdigit((unsigned char)lastc) && lastc == '9' && 191 l < 16) { 192 (void)strlcpy(defaultseed, skey.seed, 193 sizeof(defaultseed)); 194 defaultseed[l - 1] = '0'; 195 defaultseed[l] = '0'; 196 defaultseed[l + 1] = '\0'; 197 } 198 } 199 break; 200 case 1: 201 if (zerokey) 202 errx(1, "You have no entry to zero."); 203 printf("[Adding %s]\n", pp->pw_name); 204 break; 205 } 206 207 if(n==0) 208 n = 99; 209 210 /* Set hash type if asked to */ 211 if (ht) { 212 /* Need to zero out old key when changing algorithm */ 213 if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht)) 214 zerokey = 1; 215 } 216 217 if (!defaultsetup) { 218 printf("You need the 6 english words generated from the \"skey\" command.\n"); 219 for (i = 0;; i++) { 220 if (i >= 2) 221 exit(1); 222 printf("Enter sequence count from 1 to %d: ", SKEY_MAX_SEQ); 223 fgets(buf, sizeof(buf), stdin); 224 n = atoi(buf); 225 if (n > 0 && n < SKEY_MAX_SEQ) 226 break; /* Valid range */ 227 printf("\nError: Count must be between 0 and %d\n", SKEY_MAX_SEQ); 228 } 229 230 for (i = 0;; i++) { 231 if (i >= 2) 232 exit(1); 233 234 printf("Enter new seed [default %s]: ", defaultseed); 235 fflush(stdout); 236 fgets(seed, sizeof(seed), stdin); 237 rip(seed); 238 for (p = seed; *p; p++) { 239 if (isalpha((unsigned char)*p)) { 240 *p = tolower((unsigned char)*p); 241 } else if (!isdigit((unsigned char)*p)) { 242 (void)puts("Error: seed may only contain alphanumeric characters"); 243 break; 244 } 245 } 246 if (*p == '\0') 247 break; /* Valid seed */ 248 } 249 if (strlen(seed) > SKEY_MAX_SEED_LEN) { 250 printf("Notice: Seed truncated to %d characters.\n", SKEY_MAX_SEED_LEN); 251 seed[SKEY_MAX_SEED_LEN] = '\0'; 252 } 253 if (seed[0] == '\0') 254 (void)strlcpy(seed, defaultseed, sizeof(seed)); 255 256 for (i = 0;; i++) { 257 if (i >= 2) 258 exit(1); 259 260 printf("otp-%s %d %s\ns/key access password: ", 261 skey_get_algorithm(), n, seed); 262 fgets(buf, sizeof(buf), stdin); 263 rip(buf); 264 backspace(buf); 265 266 if (buf[0] == '?') { 267 puts("Enter 6 English words from secure S/Key calculation."); 268 continue; 269 } else if (buf[0] == '\0') { 270 exit(1); 271 } 272 if (etob(key, buf) == 1 || atob8(key, buf) == 0) 273 break; /* Valid format */ 274 (void)puts("Invalid format - try again with 6 English words."); 275 } 276 } else { 277 /* Get user's secret password */ 278 puts("Reminder - Only use this method if you are directly connected\n" 279 " or have an encrypted channel. If you are using telnet\n" 280 " or rlogin, exit with no password and use skeyinit -s.\n"); 281 282 for (i = 0;; i++) { 283 if (i >= 2) 284 exit(1); 285 286 if (!argkey) { 287 printf("Enter secret password: "); 288 readpass(passwd, sizeof(passwd)); 289 if (passwd[0] == '\0') 290 exit(1); 291 } 292 293 if (strlen(passwd) < SKEY_MIN_PW_LEN) { 294 (void)fprintf(stderr, 295 "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN); 296 continue; 297 } else if (strcmp(passwd, pp->pw_name) == 0) { 298 (void)fputs("Your password may not be the same as your user name.\n", stderr); 299 continue; 300 } 301 #if 0 302 else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) { 303 (void)fputs("Your password must contain more than just lower case letters.\n" 304 "Whitespace, numbers, and puctuation are suggested.\n", stderr); 305 continue; 306 } 307 #endif 308 309 if (!argkey) { 310 printf("Again secret password: "); 311 readpass(passwd2, sizeof(passwd)); 312 if (passwd2[0] == '\0') 313 exit(1); 314 } 315 316 if (strcmp(passwd, passwd2) == 0) 317 break; 318 319 puts("Passwords do not match."); 320 } 321 322 /* Crunch seed and password into starting key */ 323 (void)strlcpy(seed, defaultseed, sizeof(seed)); 324 if (keycrunch(key, seed, passwd) != 0) 325 err(2, "key crunch failed"); 326 nn = n; 327 while (nn-- != 0) 328 f(key); 329 } 330 (void)time(&now); 331 tm = localtime(&now); 332 (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm); 333 334 if ((skey.val = (char *)malloc(16 + 1)) == NULL) 335 err(1, "Can't allocate memory"); 336 337 /* Zero out old key if necessary (entry would change size) */ 338 if (zerokey) { 339 (void)skeyzero(&skey, pp->pw_name); 340 /* Re-open keys file and seek to the end */ 341 if (skeylookup(&skey, pp->pw_name) == -1) 342 err(1, "cannot open database"); 343 } 344 345 btoa8(skey.val, key); 346 347 /* 348 * Obtain an exclusive lock on the key file so we don't 349 * clobber someone authenticating themselves at the same time. 350 */ 351 for (i = 0; i < 300; i++) { 352 if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0 353 || errno != EWOULDBLOCK) 354 break; 355 usleep(100000); /* Sleep for 0.1 seconds */ 356 } 357 if (rval == -1) { /* Can't get exclusive lock */ 358 errno = EAGAIN; 359 err(1, "cannot open database"); 360 } 361 362 /* Don't save algorithm type for md4 (keep record length same) */ 363 if (strcmp(skey_get_algorithm(), "md4") == 0) 364 (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n", 365 pp->pw_name, n, seed, skey.val, tbuf); 366 else 367 (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n", 368 pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf); 369 370 (void)fclose(skey.keyfile); 371 372 (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name, 373 skey_get_algorithm(), n, seed); 374 (void)printf("Next login password: %s\n\n", 375 hexmode ? put8(buf, key) : btoe(buf, key)); 376 377 return(0); 378 } 379
Indexes created Thu Sep 25 08:09:54 GMT 2025