Annotation of src/usr.bin/passwd/krb5_passwd.c, Revision 1.2
1.2 ! deraadt 1: /* $OpenBSD$ */
! 2:
1.1 deraadt 3: /*-
4: * Copyright (c) 1990 The Regents of the University of California.
5: * All rights reserved.
6: *
7: * Redistribution and use in source and binary forms, with or without
8: * modification, are permitted provided that the following conditions
9: * are met:
10: * 1. Redistributions of source code must retain the above copyright
11: * notice, this list of conditions and the following disclaimer.
12: * 2. Redistributions in binary form must reproduce the above copyright
13: * notice, this list of conditions and the following disclaimer in the
14: * documentation and/or other materials provided with the distribution.
15: * 3. All advertising materials mentioning features or use of this software
16: * must display the following acknowledgement:
17: * This product includes software developed by the University of
18: * California, Berkeley and its contributors.
19: * 4. Neither the name of the University nor the names of its contributors
20: * may be used to endorse or promote products derived from this software
21: * without specific prior written permission.
22: *
23: * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
24: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
25: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
26: * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
27: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
28: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
29: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
30: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
31: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
32: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
33: * SUCH DAMAGE.
34: */
35:
36: #ifndef lint
37: /*static char sccsid[] = "from: @(#)krb_passwd.c 5.4 (Berkeley) 3/1/91";*/
1.2 ! deraadt 38: static char rcsid[] = "$OpenBSD: krb5_passwd.c,v 1.1.1.1 1995/10/18 08:45:53 deraadt Exp $";
1.1 deraadt 39: #endif /* not lint */
40:
41: #ifdef KERBEROS5
42:
43: #include <sys/types.h>
44: #include <sys/socket.h>
45: #include <sys/time.h>
46: #include <sys/resource.h>
47: #include <netinet/in.h>
48: #include <netdb.h>
49: #include <signal.h>
50: #include <pwd.h>
51: #include <errno.h>
52: #include <stdio.h>
53: #include <string.h>
54: #include <stdlib.h>
55: #include <krb5/adm_defs.h>
56: #include <krb5/krb5.h>
57: #include <krb5/kdb.h>
58: #include <krb5/kdb_dbm.h>
59: #include <krb5/ext-proto.h>
60: #include <krb5/los-proto.h>
61: #include <krb5/asn1.h>
62: #include <krb5/config.h>
63: #include <krb5/base-defs.h>
64: #include <krb5/asn.1/encode.h>
65:
66: #include <krb5/widen.h>
67:
68: #include <krb5/adm_err.h>
69: #include <krb5/errors.h>
70: #include <krb5/kdb5_err.h>
71: #include <krb5/krb5_err.h>
72:
73: static krb5_error_code get_first_ticket __P((krb5_ccache, krb5_principal));
74: static krb5_error_code print_and_choose_password __P((char *, krb5_data *));
75: static krb5_error_code adm5_init_link __P((krb5_data *, int *));
76:
77: struct sockaddr_in local_sin, remote_sin;
78:
79: krb5_creds my_creds;
80:
81: extern char *krb5_default_pwd_prompt1;
82:
83: /*
84: * Try no preauthentication first; then try the encrypted timestamp
85: */
86: int preauth_search_list[] = {
87: 0,
88: KRB5_PADATA_ENC_TIMESTAMP,
89: -1
90: };
91:
92: krb_passwd()
93: {
94: static void finish();
95: krb5_ccache cache = NULL;
96: char cache_name[255];
97: krb5_flags cc_flags;
98: krb5_address local_addr, foreign_addr;
99: struct passwd *pw;
100: krb5_principal client, server;
101: char default_name[256];
102: char *client_name; /* Single string representation of client id */
103: krb5_data requested_realm;
104: char *local_realm;
105: char input_string[768];
106: krb5_error_code retval; /* return code */
107: int local_socket;
108: int c, count;
109: krb5_error *err_ret;
110: krb5_ap_rep_enc_part *rep_ret;
111: kadmin_requests rd_priv_resp;
112: krb5_checksum send_cksum;
113: int cksum_alloc = 0;
114: krb5_data msg_data, inbuf;
115: krb5_int32 seqno;
116: char *new_password;
117: int new_pwsize;
118: krb5_data *decodable_pwd_string;
119: int i, j;
120: static struct rlimit rl = { 0, 0 };
121:
122: #ifdef KRB_NONETWORK
123: extern int networked();
124: int krb_secure;
125: struct stat statbuf;
126: #endif
127:
128: #ifdef KRB_NONETWORK /* Allow or Disallow Remote Clients to Modify Passwords */
129: /*
130: * If a Client Modifies a Password using kpasswd on this host
131: * from a remote host or network terminal, the Password selected
132: * is transmitted across the network in Cleartext.
133: *
134: * The systems administrator can disallow "remote" kpasswd usage by
135: * creating the file "/etc/krb.secure"
136: */
137: krb_secure = 0;
138: /*
139: * First check to see if the file /etc/krb.secure exists.
140: * If it does then krb_secure to 1.
141: */
142:
143: if (stat("/etc/krb.secure", &statbuf) == 0) krb_secure = 1;
144:
145: /*
146: * Check to see if this process is tied to a physical terminal.
147: * Network() verifies the terminal device is not a pseudo tty
148: */
149: if (networked() && krb_secure) {
150: fprintf(stderr,"passwd: Sorry but you cannot %s from a\n", argv[0]);
151: fprintf(stderr," pseudo tty terminal.\n");
152: retval = 1;
153: goto finish;
154: }
155: #endif
156:
157: /* (3 * 255) + 1 (/) + 1 (@) + 1 (NULL) */
158: if ((client_name = (char *) calloc (1, (3 * 256))) == NULL) {
159: fprintf(stderr, "passwd: No Memory for Client_name\n");
160: retval = 1;
161: goto finish;
162: }
163:
164: if ((requested_realm.data = (char *) calloc (1, 256)) == NULL) {
165: fprintf(stderr, "passwd: No Memory for realm_name\n");
166: retval = 1;
167: free(client_name);
168: goto finish;
169: }
170:
171: (void)signal(SIGHUP, SIG_IGN);
172: (void)signal(SIGINT, SIG_IGN);
173: (void)signal(SIGTSTP, SIG_IGN);
174:
175: if (setrlimit(RLIMIT_CORE, &rl) < 0) {
176: (void)fprintf(stderr,
177: "passwd: setrlimit: %s\n", strerror(errno));
178: return(1);
179: }
180:
181: krb5_init_ets();
182: memset((char *) default_name, 0, sizeof(default_name));
183:
184: /* Identify Default Credentials Cache */
185: if ((retval = krb5_cc_default(&cache))) {
186: fprintf(stderr, "passwd: Error while getting default ccache.\n");
187: goto finish;
188: }
189:
190: /*
191: * Attempt to Modify Credentials Cache
192: * retval == 0 ==> ccache Exists - Use It
193: * retval == ENOENT ==> No Entries, but ccache Exists
194: * retval != 0 ==> Assume ccache does NOT Exist
195: */
196: cc_flags = 0;
197: if ((retval = krb5_cc_set_flags(cache, cc_flags))) {
198: /* Search passwd file for client */
199: pw = getpwuid((int) getuid());
200: if (pw) {
201: (void) strcpy(default_name, pw->pw_name);
202: }
203: else {
204: fprintf(stderr,
205: "passwd: Unable to Identify Customer from Password File\n");
206: retval = 1;
207: goto finish;
208: }
209:
210: /* Use this to get default_realm and format client_name */
211: if ((retval = krb5_parse_name(default_name, &client))) {
212: fprintf(stderr, "passwd: Unable to Parse Client Name\n");
213: goto finish;
214: }
215:
216: if ((retval = krb5_unparse_name(client, &client_name))) {
217: fprintf(stderr, "passwd: Unable to Parse Client Name\n");
218: goto finish;
219: }
220:
221: requested_realm.length = client->realm.length;
222: memcpy((char *) requested_realm.data,
223: (char *) client->realm.data,
224: requested_realm.length);
225: }
226: else {
227: /* Read Client from Cache */
228: if ((retval = krb5_cc_get_principal(cache, (krb5_principal *) &client))) {
229: fprintf(stderr, "passwd: Unable to Read Customer Credentials File\n");
230: goto finish;
231: }
232:
233: if ((retval = krb5_unparse_name(client, &client_name))) {
234: fprintf(stderr, "passwd: Unable to Parse Client Name\n");
235: goto finish;
236: }
237:
238: requested_realm.length = client->realm.length;
239: memcpy((char *) requested_realm.data,
240: (char *) client->realm.data,
241: requested_realm.length);
242:
243: (void) krb5_cc_close(cache);
244: }
245:
246: /* Create credential cache for changepw */
247: (void) sprintf(cache_name, "FILE:/tmp/tkt_cpw_%d", getpid());
248:
249: if ((retval = krb5_cc_resolve(cache_name, &cache))) {
250: fprintf(stderr, "passwd: Unable to Resolve Cache: %s\n", cache_name);
251: }
252:
253: if ((retval = krb5_cc_initialize(cache, client))) {
254: fprintf(stderr, "passwd: Error initializing cache: %s\n", cache_name);
255: goto finish;
256: }
257:
258: /*
259: * Verify User by Obtaining Initial Credentials prior to Initial Link
260: */
261: if ((retval = get_first_ticket(cache, client))) {
262: goto finish;
263: }
264:
265: /* Initiate Link to Server */
266: if ((retval = adm5_init_link(&requested_realm, &local_socket))) {
267: goto finish;
268: }
269:
270: #define SIZEOF_INADDR sizeof(struct in_addr)
271:
272: /* V4 kpasswd Protocol Hack */
273: {
274: int msg_length = 0;
275:
276: retval = krb5_net_write(local_socket, (char *) &msg_length + 2, 2);
277: if (retval < 0) {
278: fprintf(stderr, "passwd: krb5_net_write failure\n");
279: goto finish;
280: }
281: }
282:
283: local_addr.addrtype = ADDRTYPE_INET;
284: local_addr.length = SIZEOF_INADDR ;
285: local_addr.contents = (krb5_octet *)&local_sin.sin_addr;
286:
287: foreign_addr.addrtype = ADDRTYPE_INET;
288: foreign_addr.length = SIZEOF_INADDR ;
289: foreign_addr.contents = (krb5_octet *)&remote_sin.sin_addr;
290:
291: /* compute checksum, using CRC-32 */
292: if (!(send_cksum.contents = (krb5_octet *)
293: malloc(krb5_checksum_size(CKSUMTYPE_CRC32)))) {
294: fprintf(stderr, "passwd: Insufficient Memory while Allocating Checksum\n");
295: goto finish;
296: }
297: cksum_alloc++;
298: /* choose some random stuff to compute checksum from */
299: if (retval = krb5_calculate_checksum(CKSUMTYPE_CRC32,
300: ADM_CPW_VERSION,
301: strlen(ADM_CPW_VERSION),
302: 0,
303: 0, /* if length is 0, crc-32 doesn't
304: use the seed */
305: &send_cksum)) {
306: fprintf(stderr, "Error while Computing Checksum: %s\n",
307: error_message(retval));
308: goto finish;
309: }
310:
311: /* call Kerberos library routine to obtain an authenticator,
312: pass it over the socket to the server, and obtain mutual
313: authentication. */
314:
315: if ((retval = krb5_sendauth((krb5_pointer) &local_socket,
316: ADM_CPW_VERSION,
317: my_creds.client,
318: my_creds.server,
319: AP_OPTS_MUTUAL_REQUIRED,
320: &send_cksum,
321: 0,
322: cache,
323: &seqno,
324: 0, /* don't need a subsession key */
325: &err_ret,
326: &rep_ret))) {
327: fprintf(stderr, "passwd: Error while performing sendauth: %s\n",
328: error_message(retval));
329: goto finish;
330: }
331:
332: /* Get credentials : to use for safe and private messages */
333: if (retval = krb5_get_credentials(0, cache, &my_creds)){
334: fprintf(stderr, "passwd: Error Obtaining Credentials: %s\n",
335: error_message(retval));
336: goto finish;
337: }
338:
339: /* Read back what the server has to say... */
340: if (retval = krb5_read_message(&local_socket, &inbuf)){
341: fprintf(stderr, "passwd: Read Message Error: %s\n",
342: error_message(retval));
343: goto finish;
344: }
345: if ((inbuf.length != 2) || (inbuf.data[0] != KADMIND) ||
346: (inbuf.data[1] != KADMSAG)){
347: fprintf(stderr, "passwd: Invalid ack from admin server.\n");
348: goto finish;
349: }
350:
351: inbuf.data[0] = KPASSWD;
352: inbuf.data[1] = CHGOPER;
353: inbuf.length = 2;
354:
355: if ((retval = krb5_mk_priv(&inbuf,
356: ETYPE_DES_CBC_CRC,
357: &my_creds.keyblock,
358: &local_addr,
359: &foreign_addr,
360: seqno,
361: KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
362: 0,
363: 0,
364: &msg_data))) {
365: fprintf(stderr, "passwd: Error during First Message Encoding: %s\n",
366: error_message(retval));
367: goto finish;
368: }
369: free(inbuf.data);
370:
371: /* write private message to server */
372: if (krb5_write_message(&local_socket, &msg_data)){
373: fprintf(stderr, "passwd: Write Error During First Message Transmission\n");
374: retval = 1;
375: goto finish;
376: }
377: free(msg_data.data);
378:
379: (void)signal(SIGHUP, finish);
380: (void)signal(SIGINT, finish);
381:
382: #ifdef MACH_PASS /* Machine-generated Passwords */
383: /* Ok Now let's get the private message */
384: if (retval = krb5_read_message(&local_socket, &inbuf)){
385: fprintf(stderr, "passwd: Read Error During First Reply: %s\n",
386: error_message(retval));
387: retval = 1;
388: goto finish;
389: }
390:
391: if ((retval = krb5_rd_priv(&inbuf,
392: &my_creds.keyblock,
393: &foreign_addr,
394: &local_addr,
395: rep_ret->seq_number,
396: KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
397: 0,
398: 0,
399: &msg_data))) {
400: fprintf(stderr, "passwd: Error during First Read Decoding: %s\n",
401: error_message(retval));
402: goto finish;
403: }
404: free(inbuf.data);
405: #endif
406:
407: if ((new_password = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == NULL) {
408: fprintf(stderr, "passwd: Unable to Allocate Space for New Password\n");
409: goto finish;
410: }
411:
412: #ifdef MACH_PASS /* Machine-generated passwords */
413: /* Offer Client Password Choices */
414: if ((retval = print_and_choose_password(new_password,
415: &msg_data))) {
416: (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1);
417: free(new_password);
418: goto finish;
419: }
420: #else
421: new_pwsize = ADM_MAX_PW_LENGTH+1;
422: if ((retval = krb5_read_password("New Kerberos password: ",
423: "Retype new Kerberos password: ",
424: new_password,
425: &new_pwsize))) {
426: fprintf(stderr, "\nError while reading new password for '%s'\n",
427: client_name);
428: (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1);
429: free(new_password);
430: goto finish;
431: }
432: #endif
433:
434: inbuf.data = new_password;
435: inbuf.length = strlen(new_password);
436:
437: if ((retval = krb5_mk_priv(&inbuf,
438: ETYPE_DES_CBC_CRC,
439: &my_creds.keyblock,
440: &local_addr,
441: &foreign_addr,
442: seqno,
443: KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
444: 0,
445: 0,
446: &msg_data))) {
447: fprintf(stderr, "passwd: Error during Second Message Encoding: %s\n",
448: error_message(retval));
449: goto finish;
450: }
451: memset(inbuf.data,0,inbuf.length);
452: free(inbuf.data);
453:
454: /* write private message to server */
455: if (krb5_write_message(&local_socket, &msg_data)){
456: fprintf(stderr, "passwd: Write Error During Second Message Transmission\n");
457: retval = 1;
458: goto finish;
459: }
460: free(msg_data.data);
461:
462: /* Ok Now let's get the private message */
463: if (retval = krb5_read_message(&local_socket, &inbuf)){
464: fprintf(stderr, "passwd: Read Error During Second Reply: %s\n",
465: error_message(retval));
466: retval = 1;
467: goto finish;
468: }
469:
470: if ((retval = krb5_rd_priv(&inbuf,
471: &my_creds.keyblock,
472: &foreign_addr,
473: &local_addr,
474: rep_ret->seq_number,
475: KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
476: 0,
477: 0,
478: &msg_data))) {
479: fprintf(stderr, "passwd: Error during Second Read Decoding :%s\n",
480: error_message(retval));
481: goto finish;
482: }
483:
484: rd_priv_resp.appl_code = msg_data.data[0];
485: rd_priv_resp.oper_code = msg_data.data[1];
486: rd_priv_resp.retn_code = msg_data.data[2];
487: if (msg_data.length > 3 && msg_data.data[3]) {
488: rd_priv_resp.message = malloc(msg_data.length - 2);
489: if (rd_priv_resp.message) {
490: memcpy(rd_priv_resp.message, msg_data.data + 3,
491: msg_data.length - 3);
492: rd_priv_resp.message[msg_data.length - 3] = 0;
493: }
494: } else
495: rd_priv_resp.message = NULL;
496:
497:
498: free(inbuf.data);
499: free(msg_data.data);
500: if (rd_priv_resp.appl_code == KPASSWD) {
501: if (rd_priv_resp.retn_code == KPASSBAD) {
502: if (rd_priv_resp.message)
503: fprintf(stderr, "passwd: %s\n", rd_priv_resp.message);
504: else
505: fprintf(stderr, "passwd: Server returned KPASSBAD.\n");
506: } else if (rd_priv_resp.retn_code != KPASSGOOD)
507: fprintf(stderr, "passwd: Server returned unknown kerberos code.\n");
508: } else
509: fprintf(stderr, "passwd: Server returned bad application code %d\n",
510: rd_priv_resp.appl_code);
511:
512: if (rd_priv_resp.message)
513: free(rd_priv_resp.message);
514:
515: finish:
516: (void) krb5_cc_destroy(cache);
517:
518: free(client_name);
519: free(requested_realm.data);
520: if (cksum_alloc) free(send_cksum.contents);
521: if (retval) {
522: fprintf(stderr, "passwd: Protocol Failure - Password NOT changed\n");
523: exit(1);
524: }
525:
526: exit(0);
527: }
528:
529:
530:
531: krb5_data cpwname = {
532: sizeof(CPWNAME)-1,
533: CPWNAME
534: };
535:
536: static krb5_error_code
537: get_first_ticket(cache, client)
538: krb5_ccache cache;
539: krb5_principal client;
540: {
541: char prompt[255]; /* for the password prompt */
542: char verify_prompt[255]; /* Verification Prompt if Desired */
543: char pword[ADM_MAX_PW_LENGTH+1]; /* storage for the password */
544: int pword_length = sizeof(pword);
545: char *old_password;
546: int old_pwsize;
547: int i;
548:
549: krb5_address **my_addresses;
550:
551: char *client_name;
552: char local_realm[255];
553: krb5_error_code retval;
554:
555: if ((retval = krb5_unparse_name(client, &client_name))) {
556: fprintf(stderr, "Unable to Unparse Client Name\n");
557: return(1);
558: }
559:
560: (void) printf("Changing Kerberos password for %s\n", client_name);
561:
562: if ((retval = krb5_os_localaddr(&my_addresses))) {
563: fprintf(stderr, "passwd: Unable to Get Customers Address\n");
564: return(1);
565: }
566:
567: memset((char *) &my_creds, 0, sizeof(my_creds));
568:
569: my_creds.client = client;
570:
571: if ((retval = krb5_build_principal_ext(&my_creds.server,
572: client->realm.length,
573: client->realm.data,
574: cpwname.length, /* 6 */
575: cpwname.data, /* "kadmin" */
576: client->realm.length,
577: /* instance is local realm */
578: client->realm.data,
579: 0))) {
580: fprintf(stderr, "Error %s while building server name\n");
581: return(1);
582: }
583:
584:
585: if ((old_password = (char *) calloc (1, 255)) == NULL) {
586: fprintf(stderr, "passwd: No Memory for Retrieving old password\n");
587: return(1);
588: }
589:
590: old_pwsize = 255;
591: if ((retval = krb5_read_password("Old kerberos password: ",
592: 0,
593: old_password,
594: &old_pwsize))) {
595: fprintf(stderr, "\nError while reading password for '%s'\n",
596: client_name);
597: return(1);
598: }
599:
600: /* Build Request for Initial Credentials */
601: for (i=0; preauth_search_list[i] >= 0; i++) {
602: retval = krb5_get_in_tkt_with_password(
603: 0, /* options */
604: my_addresses,
605: /* do random preauth */
606: preauth_search_list[i],
607: ETYPE_DES_CBC_CRC, /* etype */
608: KEYTYPE_DES,
609: old_password,
610: cache,
611: &my_creds,
612: 0);
613: if (retval != KRB5KDC_PREAUTH_FAILED &&
614: retval != KRB5KRB_ERR_GENERIC)
615: break;
616: }
617:
618: if (retval) {
619: fprintf(stderr, "passwd: Unable to Get Initial Credentials : %s\n",
620: error_message(retval));
621: }
622:
623: /* Do NOT Forget to zap password */
624: memset((char *) old_password, 0, old_pwsize);
625: free(old_password);
626: memset((char *) pword, 0, sizeof(pword));
627: return(retval);
628: }
629:
630: #ifdef MACH_PASS /* Machine-generated Passwords */
631: static krb5_error_code
632: print_and_choose_password(new_password, decodable_pwd_string)
633: char * new_password;
634: krb5_data *decodable_pwd_string;
635: {
636: krb5_error_code retval;
637: krb5_pwd_data *pwd_data;
638: passwd_phrase_element **next_passwd_phrase_element;
639: char prompt[255];
640: char *verify_prompt = 0;
641: int i, j, k;
642: int legit_pswd = 0; /* Assume No Legitimate Password */
643: char *password_list[ADM_MAX_PW_CHOICES];
644: char verification_passwd[ADM_MAX_PW_LENGTH+1];
645: char phrase_in[ADM_MAX_PHRASE_LENGTH];
646: int new_passwd_length;
647: char *ptr;
648: int verify = 0; /* Do Not Request Password Selection Verification */
649: int ok = 0;
650:
651: #define free_local_password_list() \
652: { for ( k = 0; k < i && k < ADM_MAX_PW_CHOICES; k++) { \
653: (void) memset(password_list[k], 0, ADM_MAX_PW_LENGTH); \
654: free(password_list[k]); } \
655: }
656:
657: /* Decode Password and Phrase Information Obtained from krb5_rd_priv */
658: if ((retval = decode_krb5_pwd_data(decodable_pwd_string , &pwd_data))) {
659: fprintf(stderr, "passwd: Unable to Decode Passwords and Phrases\n");
660: fprintf(stderr, " Notify your System Administrator or the Kerberos Administrator\n");
661: return(1);
662: }
663:
664: next_passwd_phrase_element = pwd_data->element;
665: /* Display List in 5 Password/Phrase Increments up to MAX Iterations */
666: memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH);
667: for ( j = 0; j <= ADM_MAX_PW_ITERATIONS; j++) {
668: if (j == ADM_MAX_PW_ITERATIONS) {
669: fprintf(stderr, "passwd: Sorry - You Have Exceeded the List of Choices (%d) Allowed for Password\n",
670: ADM_MAX_PW_ITERATIONS * ADM_MAX_PW_CHOICES);
671: fprintf(stderr, " Modification. You Must Repeat this Operation in order to Successfully\n");
672: fprintf(stderr, " Change your Password.\n");
673: break;
674: }
675:
676: display_print:
677: printf("Choose a password from the following list:\n");
678:
679: printf("\nPassword Remembrance Aid\n");
680:
681: /* Print Passwords and Assistance Phrases List */
682: for ( i = 0; i < ADM_MAX_PW_CHOICES; i++){
683: if ((password_list[i] = (char *) calloc (1,
684: ADM_MAX_PW_LENGTH + 1)) == NULL) {
685: fprintf(stderr, "passwd: Unable to Allocate Password List.\n");
686: return(1);
687: }
688:
689: memcpy(password_list[i],
690: (*next_passwd_phrase_element)->passwd->data,
691: (*next_passwd_phrase_element)->passwd->length);
692: printf("%s ", password_list[i]);
693:
694: memcpy((char *) phrase_in,
695: (*next_passwd_phrase_element)->phrase->data,
696: (*next_passwd_phrase_element)->phrase->length);
697: for ( k = 0;
698: k < 50 && k < (*next_passwd_phrase_element)->phrase->length;
699: k++) {
700: printf("%c", phrase_in[k]);
701: }
702: for ( k = k;
703: k < 70 && k < (*next_passwd_phrase_element)->phrase->length;
704: k++) {
705: if (phrase_in[k] == ' ') {
706: printf("\n ");
707: k++;
708: break;
709: } else {
710: printf("%c", phrase_in[k]);
711: }
712: }
713: for ( k = k;
714: k < (*next_passwd_phrase_element)->phrase->length;
715: k++) {
716: printf("%c", phrase_in[k]);
717: }
718: printf("\n");
719: memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH);
720: next_passwd_phrase_element++;
721: }
722:
723: sprintf(prompt,
724: "\nEnter Password Selection or a <CR> to get new list: ");
725:
726: new_passwd_length = ADM_MAX_PW_LENGTH+1;
727: /* Read New Password from Terminal (Do Not Print on Screen) */
728: if ((retval = krb5_read_password(&prompt[0], 0,
729: new_password, &new_passwd_length))) {
730: fprintf(stderr,
731: "passwd: Error Reading Password Input or Input Aborted\n");
732: free_local_password_list();
733: break;;
734: }
735:
736: /* Check for <CR> ==> Provide a New List */
737: if (new_passwd_length == 0) continue;
738:
739: /* Check that Selection is from List - Server also does this */
740: legit_pswd = 0;
741: for (i = 0; i < ADM_MAX_PW_CHOICES && !legit_pswd; i++)
742: if ((retval = memcmp(new_password,
743: password_list[i], 8)) == 0) {
744: legit_pswd++;
745: }
746: free_local_password_list();
747:
748: if (!(legit_pswd)) {
749: printf("\07\07Password must be from the specified list ");
750: printf("- Try Again\n");
751: }
752:
753: if (legit_pswd) break; /* Exit Loop */
754: } /* ADM_MAX_PW_CHOICES Loop */
755:
756: if (!(legit_pswd)) return (1);
757:
758: return(0); /* SUCCESS */
759: }
760: #endif
761:
762: static krb5_error_code
763: adm5_init_link(realm_of_server, local_socket)
764: krb5_data *realm_of_server;
765: int * local_socket;
766: {
767: struct servent *service_process; /* service we will talk to */
768: struct hostent *local_host; /* us */
769: struct hostent *remote_host; /* host we will talk to */
770: struct sockaddr *sockaddr_list;
771:
772: char **hostlist;
773:
774: int host_count;
775: int namelen;
776: int i, count;
777:
778: krb5_error_code retval;
779:
780: /* clear out the structure first */
781: (void) memset((char *)&remote_sin, 0, sizeof(remote_sin));
782:
783: if ((service_process = getservbyname(CPW_SNAME, "tcp")) == NULL) {
784: fprintf(stderr, "passwd: Unable to find Service (%s) Check services file\n",
785: CPW_SNAME);
786: return(1);
787: }
788:
789: /* Copy the Port Number */
790: remote_sin.sin_port = service_process->s_port;
791:
792: hostlist = 0;
793:
794: /* Identify all Hosts Associated with this Realm */
795: if ((retval = krb5_get_krbhst (realm_of_server, &hostlist))) {
796: fprintf(stderr, "passwd: Unable to Determine Server Name\n");
797: return(1);
798: }
799:
800: for (i=0; hostlist[i]; i++);
801:
802: count = i;
803:
804: if (count == 0) {
805: host_count = 0;
806: fprintf(stderr, "passwd: No hosts found\n");
807: return(1);
808: }
809:
810: for (i=0; hostlist[i]; i++) {
811: remote_host = gethostbyname(hostlist[i]);
812: if (remote_host != 0) {
813:
814: /* set up the address of the foreign socket for connect() */
815: remote_sin.sin_family = remote_host->h_addrtype;
816: (void) memcpy((char *) &remote_sin.sin_addr,
817: (char *) remote_host->h_addr,
818: sizeof(remote_host->h_addr));
819: break; /* Only Need one */
820: }
821: }
822:
823: free ((char *)hostlist);
824:
825: /* open a TCP socket */
826: *local_socket = socket(PF_INET, SOCK_STREAM, 0);
827: if (*local_socket < 0) {
828: fprintf(stderr, "passwd: Cannot Open Socket\n");
829: return(1);
830: }
831: /* connect to the server */
832: if (connect(*local_socket, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) < 0) {
833: fprintf(stderr, "passwd: Cannot Connect to Socket\n");
834: close(*local_socket);
835: return(1);
836: }
837:
838: /* find out who I am, now that we are connected and therefore bound */
839: namelen = sizeof(local_sin);
840: if (getsockname(*local_socket,
841: (struct sockaddr *) &local_sin, &namelen) < 0) {
842: fprintf(stderr, "passwd: Cannot Perform getsockname\n");
843: close(*local_socket);
844: return(1);
845: }
846: return(0);
847: }
848:
849: static void
850: finish()
851: {
852: exit(1);
853: }
854:
855: #ifdef KRB_NONETWORK
856: #include <utmp.h>
857:
858: #ifndef MAXHOSTNAME
859: #define MAXHOSTNAME 64
860: #endif
861:
862: int utfile; /* Global utfile file descriptor for BSD version
863: of setutent, getutline, and endutent */
864:
865: #if !defined(SYSV) && !defined(UMIPS) /* Setutent, Endutent, and getutline
866: routines for non System V Unix
867: systems */
868: #include <fcntl.h>
869:
870: void setutent()
871: {
872: utfile = open("/etc/utmp",O_RDONLY);
873: }
874:
875: struct utmp * getutline(utmpent)
876: struct utmp *utmpent;
877: {
878: static struct utmp tmputmpent;
879: int found = 0;
880: while ( read(utfile,&tmputmpent,sizeof(struct utmp)) > 0 ){
881: if ( strcmp(tmputmpent.ut_line,utmpent->ut_line) == 0){
882: #ifdef NO_UT_HOST
883: if ( ( 1) &&
884: #else
885: if ( (strcmp(tmputmpent.ut_host,"") == 0) &&
886: #endif
887: (strcmp(tmputmpent.ut_name,"") == 0)) continue;
888: found = 1;
889: break;
890: }
891: }
892: if (found)
893: return(&tmputmpent);
894: return((struct utmp *) 0);
895: }
896:
897: void endutent()
898: {
899: close(utfile);
900: }
901: #endif /* not SYSV */
902:
903:
904: int network_connected()
905: {
906: struct utmp utmpent;
907: struct utmp retutent, *tmpptr;
908: char *display_indx;
909: char currenthost[MAXHOSTNAME];
910: char *username,*tmpname;
911:
912:
913: /* Macro for pseudo_tty */
914: #define pseudo_tty(ut) \
915: ((strncmp((ut).ut_line, "tty", 3) == 0 && ((ut).ut_line[3] == 'p' \
916: || (ut).ut_line[3] == 'q' \
917: || (ut).ut_line[3] == 'r' \
918: || (ut).ut_line[3] == 's'))\
919: || (strncmp((ut).ut_line, "pty", 3) == 0))
920:
921: /* Check to see if getlogin returns proper name */
922: if ( (tmpname = (char *) getlogin()) == (char *) 0) return(1);
923: username = (char *) malloc(strlen(tmpname) + 1);
924: if ( username == (char *) 0) return(1);
925: strcpy(username,tmpname);
926:
927: /* Obtain tty device for controlling tty of current process.*/
928: strncpy(utmpent.ut_line,ttyname(0) + strlen("/dev/"),
929: sizeof(utmpent.ut_line));
930:
931: /* See if this device is currently listed in /etc/utmp under
932: calling user */
933: #ifdef SYSV
934: utmpent.ut_type = USER_PROCESS;
935: #define ut_name ut_user
936: #endif
937: setutent();
938: while ( (tmpptr = (struct utmp *) getutline(&utmpent))
939: != ( struct utmp *) 0) {
940:
941: /* If logged out name and host will be empty */
942: if ((strcmp(tmpptr->ut_name,"") == 0) &&
943: #ifdef NO_UT_HOST
944: ( 1)) continue;
945: #else
946: (strcmp(tmpptr->ut_host,"") == 0)) continue;
947: #endif
948: else break;
949: }
950: if ( tmpptr == (struct utmp *) 0) {
951: endutent();
952: return(1);
953: }
954: bcopy((char *)&retutent, (char *)tmpptr, sizeof(struct utmp));
955: endutent();
956: #ifdef DEBUG
957: #ifdef NO_UT_HOST
958: printf("User %s on line %s :\n",
959: retutent.ut_name,retutent.ut_line);
960: #else
961: printf("User %s on line %s connected from host :%s:\n",
962: retutent.ut_name,retutent.ut_line,retutent.ut_host);
963: #endif
964: #endif
965: if (strcmp(retutent.ut_name,username) != 0) {
966: return(1);
967: }
968:
969:
970: /* If this is not a pseudo tty then everything is OK */
971: if (! pseudo_tty(retutent)) return(0);
972:
973: /* OK now the work begins there is an entry in utmp and
974: the device is a pseudo tty. */
975:
976: /* Check if : is in hostname if so this is xwindow display */
977:
978: if (gethostname(currenthost,sizeof(currenthost))) return(1);
979: #ifdef NO_UT_HOST
980: display_indx = (char *) 0;
981: #else
982: display_indx = (char *) strchr(retutent.ut_host,':');
983: #endif
984: if ( display_indx != (char *) 0) {
985: /*
986: We have X window application here. The host field should have
987: the form => local_system_name:0.0 or :0.0
988: if the window is being displayed on the local system.
989: */
990: #ifdef NO_UT_HOST
991: return(1);
992: #else
993: if (strncmp(currenthost,retutent.ut_host,
994: (display_indx - retutent.ut_host)) != 0) return(1);
995: else return(0);
996: #endif
997: }
998:
999: /* Host field is empty or is not X window entry. At this point
1000: we can't trust that the pseudo tty is not connected to a
1001: networked process so let's return 1.
1002: */
1003: return(1);
1004: }
1005:
1006: int networked()
1007: {
1008: return(network_connected());
1009: }
1010: #endif
1011:
1012: #endif /* KERBEROS5 */