Annotation of src/usr.bin/skeyinit/skeyinit.c, Revision 1.19
1.19 ! millert 1: /* $OpenBSD: skeyinit.c,v 1.18 1997/07/17 05:48:41 millert Exp $ */
1.1 deraadt 2: /* $NetBSD: skeyinit.c,v 1.6 1995/06/05 19:50:48 pk Exp $ */
3:
4: /* S/KEY v1.1b (skeyinit.c)
5: *
6: * Authors:
7: * Neil M. Haller <nmh@thumper.bellcore.com>
8: * Philip R. Karn <karn@chicago.qualcomm.com>
9: * John S. Walden <jsw@thumper.bellcore.com>
10: * Scott Chasin <chasin@crimelab.com>
11: *
12: * S/KEY initialization and seed update
13: */
14:
15: #include <sys/param.h>
16: #include <sys/time.h>
17: #include <sys/resource.h>
18:
1.19 ! millert 19: #include <err.h>
! 20: #include <ctype.h>
! 21: #include <pwd.h>
1.1 deraadt 22: #include <stdio.h>
23: #include <stdlib.h>
24: #include <string.h>
1.19 ! millert 25: #include <syslog.h>
! 26: #include <time.h>
1.1 deraadt 27: #include <unistd.h>
1.6 millert 28: #include <utmp.h>
1.19 ! millert 29:
1.4 millert 30: #include <skey.h>
1.1 deraadt 31:
1.4 millert 32: #ifndef SKEY_NAMELEN
1.17 millert 33: #define SKEY_NAMELEN 4
1.4 millert 34: #endif
1.1 deraadt 35:
1.8 millert 36: void usage __P((char *));
37:
1.1 deraadt 38: int
39: main(argc, argv)
40: int argc;
41: char *argv[];
42: {
1.17 millert 43: int rval, nn, i, l, n=0, defaultsetup=1, zerokey=0, hexmode=0;
1.1 deraadt 44: time_t now;
45: char hostname[MAXHOSTNAMELEN];
1.17 millert 46: char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2];
47: char seed[SKEY_MAX_SEED_LEN+2], defaultseed[SKEY_MAX_SEED_LEN+1];
48: char tbuf[27], buf[80], key[SKEY_BINKEY_SIZE];
1.8 millert 49: char lastc, me[UT_NAMESIZE+1], *salt, *p, *pw, *ht=NULL;
1.1 deraadt 50: struct skey skey;
51: struct passwd *pp;
52: struct tm *tm;
53:
1.4 millert 54: if (geteuid() != 0)
55: errx(1, "must be setuid root.");
56:
1.1 deraadt 57: if (gethostname(hostname, sizeof(hostname)) < 0)
58: err(1, "gethostname");
1.4 millert 59: (void)strncpy(defaultseed, hostname, sizeof(defaultseed) - 1);
60: defaultseed[SKEY_NAMELEN] = '\0';
1.17 millert 61: (void)time(&now);
62: (void)sprintf(tbuf, "%05ld", (long) (now % 100000));
1.4 millert 63: (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5);
1.1 deraadt 64:
65: if ((pp = getpwuid(getuid())) == NULL)
66: err(1, "no user with uid %d", getuid());
1.4 millert 67: (void)strcpy(me, pp->pw_name);
1.1 deraadt 68:
69: if ((pp = getpwnam(me)) == NULL)
70: err(1, "Who are you?");
1.16 millert 71: salt = pp->pw_passwd;
1.1 deraadt 72:
1.8 millert 73: for (i = 1; i < argc && argv[i][0] == '-' && strcmp(argv[i], "--");) {
74: if (argv[i][2] == '\0') {
75: /* Single character switch */
76: switch (argv[i][1]) {
1.4 millert 77: case 's':
78: defaultsetup = 0;
79: break;
80: case 'x':
81: hexmode = 1;
82: break;
83: case 'z':
84: zerokey = 1;
85: break;
1.17 millert 86: case 'n':
87: if (argv[++i][0] == '\0')
88: usage(argv[0]);
89: if ((n = atoi(argv[i])) < 1 || n >= SKEY_MAX_SEQ)
90: errx(1, "count must be > 0 and < %d",
91: SKEY_MAX_SEQ);
92: break;
1.8 millert 93: default:
94: usage(argv[0]);
95: }
96: } else {
97: /* Multi character switches are hash types */
98: if ((ht = skey_set_algorithm(&argv[i][1])) == NULL) {
99: warnx("Unknown hash algorithm %s", &argv[i][1]);
100: usage(argv[0]);
101: }
1.7 millert 102: }
1.8 millert 103: i++;
1.7 millert 104: }
105:
106: /* check for optional user string */
1.8 millert 107: if (argc - i > 1) {
108: usage(argv[0]);
109: } else if (argv[i]) {
1.16 millert 110: if ((pp = getpwnam(argv[i])) == NULL) {
111: if (getuid() == 0) {
112: static struct passwd _pp;
113:
114: _pp.pw_name = argv[i];
115: pp = &_pp;
116: warnx("Warning, user unknown: %s", argv[i]);
117: } else {
118: errx(1, "User unknown: %s", argv[i]);
119: }
120: } else if (strcmp(pp->pw_name, me) != 0) {
1.4 millert 121: if (getuid() != 0) {
122: /* Only root can change other's passwds */
123: errx(1, "Permission denied.");
124: }
1.1 deraadt 125: }
126: }
127:
128: if (getuid() != 0) {
1.11 millert 129: pw = getpass("Password (or `s/key'):");
1.10 millert 130: if (strcasecmp(pw, "s/key") == 0) {
131: if (skey_haskey(me))
132: exit(1);
133: if (skey_authenticate(me))
134: errx(1, "Password incorrect.");
135: } else {
136: p = crypt(pw, salt);
137: if (strcmp(p, pp->pw_passwd))
138: errx(1, "Password incorrect.");
139: }
140: }
1.1 deraadt 141:
1.10 millert 142: (void)setpriority(PRIO_PROCESS, 0, -4);
1.4 millert 143:
1.1 deraadt 144: rval = skeylookup(&skey, pp->pw_name);
145: switch (rval) {
1.4 millert 146: case -1:
147: err(1, "cannot open database");
148: case 0:
149: /* comment out user if asked to */
150: if (zerokey)
151: exit(skeyzero(&skey, pp->pw_name));
152:
153: (void)printf("[Updating %s]\n", pp->pw_name);
1.12 millert 154: (void)printf("Old key: [%s] %s\n", skey_get_algorithm(),
155: skey.seed);
1.4 millert 156:
157: /*
1.17 millert 158: * Let's be nice if they have an skey.seed that
1.4 millert 159: * ends in 0-8 just add one
160: */
161: l = strlen(skey.seed);
162: if (l > 0) {
163: lastc = skey.seed[l - 1];
164: if (isdigit(lastc) && lastc != '9') {
165: (void)strcpy(defaultseed, skey.seed);
166: defaultseed[l - 1] = lastc + 1;
167: }
168: if (isdigit(lastc) && lastc == '9' && l < 16) {
169: (void)strcpy(defaultseed, skey.seed);
170: defaultseed[l - 1] = '0';
171: defaultseed[l] = '0';
172: defaultseed[l + 1] = '\0';
173: }
1.1 deraadt 174: }
1.4 millert 175: break;
176: case 1:
177: if (zerokey)
178: errx(1, "You have no entry to zero.");
179: (void)printf("[Adding %s]\n", pp->pw_name);
180: break;
1.1 deraadt 181: }
1.17 millert 182: if (n == 0)
183: n = 99;
1.1 deraadt 184:
1.8 millert 185: /* Set hash type if asked to */
1.13 millert 186: if (ht) {
187: /* Need to zero out old key when changing algorithm */
188: if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht))
189: zerokey = 1;
190: }
1.4 millert 191:
1.1 deraadt 192: if (!defaultsetup) {
1.4 millert 193: (void)printf("You need the 6 english words generated from the \"skey\" command.\n");
1.17 millert 194: for (i = 0; ; i++) {
1.1 deraadt 195: if (i >= 2)
196: exit(1);
1.10 millert 197:
1.4 millert 198: (void)printf("Enter sequence count from 1 to %d: ",
1.17 millert 199: SKEY_MAX_SEQ);
200: (void)fgets(buf, sizeof(buf), stdin);
201: n = atoi(buf);
202: if (n > 0 && n < SKEY_MAX_SEQ)
1.1 deraadt 203: break; /* Valid range */
1.10 millert 204: (void)printf("Error: Count must be > 0 and < %d\n",
1.17 millert 205: SKEY_MAX_SEQ);
1.1 deraadt 206: }
1.4 millert 207:
1.10 millert 208: for (i = 0;; i++) {
209: if (i >= 2)
210: exit(1);
211:
212: (void)printf("Enter new key [default %s]: ",
213: defaultseed);
214: (void)fgets(seed, sizeof(seed), stdin);
215: rip(seed);
216: for (p = seed; *p; p++) {
217: if (isalpha(*p)) {
218: if (isupper(*p))
219: *p = tolower(*p);
220: } else if (!isdigit(*p)) {
221: (void)puts("Error: seed may only contain alpha numeric characters");
222: break;
223: }
224: }
225: if (*p == '\0')
226: break; /* Valid seed */
227: }
1.17 millert 228: if (strlen(seed) > SKEY_MAX_SEED_LEN) {
229: (void)printf("Notice: Seed truncated to %d characters.\n",
230: SKEY_MAX_SEED_LEN);
231: seed[SKEY_MAX_SEED_LEN] = '\0';
232: } else if (seed[0] == '\0')
1.4 millert 233: (void)strcpy(seed, defaultseed);
1.1 deraadt 234:
235: for (i = 0;; i++) {
236: if (i >= 2)
237: exit(1);
238:
1.10 millert 239: (void)printf("otp-%s %d %s\nS/Key access password: ",
240: skey_get_algorithm(), n, seed);
1.17 millert 241: (void)fgets(buf, sizeof(buf), stdin);
242: rip(buf);
243: backspace(buf);
1.1 deraadt 244:
1.17 millert 245: if (buf[0] == '?') {
1.4 millert 246: (void)puts("Enter 6 English words from secure S/Key calculation.");
1.1 deraadt 247: continue;
1.17 millert 248: } else if (buf[0] == '\0')
1.1 deraadt 249: exit(1);
1.17 millert 250: if (etob(key, buf) == 1 || atob8(key, buf) == 0)
1.1 deraadt 251: break; /* Valid format */
1.4 millert 252: (void)puts("Invalid format - try again with 6 English words.");
1.1 deraadt 253: }
254: } else {
255: /* Get user's secret password */
1.4 millert 256: fputs("Reminder - Only use this method if you are directly connected\n or have an encrypted channel. If you are using telnet\n or rlogin, exit with no password and use keyinit -s.\n", stderr);
257:
1.1 deraadt 258: for (i = 0;; i++) {
1.4 millert 259: if (i > 2)
1.1 deraadt 260: exit(1);
261:
1.4 millert 262: (void)fputs("Enter secret password: ", stderr);
1.1 deraadt 263: readpass(passwd, sizeof(passwd));
264: if (passwd[0] == '\0')
265: exit(1);
266:
1.4 millert 267: if (strlen(passwd) < SKEY_MIN_PW_LEN) {
1.19 ! millert 268: (void)fprintf(stderr,
! 269: "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN);
! 270: continue;
! 271: } else if (strcmp(passwd, pp->pw_name) == 0) {
! 272: (void)fputs("Your password may not be the same as your user name.\n", stderr);
! 273: continue;
! 274: } else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) {
! 275: (void)fputs("Your password must contain more than just lower case letters.\nWhitespace, numbers, and puctuation are suggested.\n", stderr);
1.4 millert 276: continue;
277: }
278:
279: (void)fputs("Again secret password: ", stderr);
1.1 deraadt 280: readpass(passwd2, sizeof(passwd));
281:
282: if (strcmp(passwd, passwd2) == 0)
283: break;
284:
1.4 millert 285: (void)fputs("Passwords do not match.\n", stderr);
1.1 deraadt 286: }
287:
288: /* Crunch seed and password into starting key */
1.4 millert 289: (void)strcpy(seed, defaultseed);
1.1 deraadt 290: if (keycrunch(key, seed, passwd) != 0)
291: err(2, "key crunch failed");
1.4 millert 292:
1.1 deraadt 293: nn = n;
294: while (nn-- != 0)
295: f(key);
296: }
1.4 millert 297: (void)time(&now);
1.1 deraadt 298: tm = localtime(&now);
1.4 millert 299: (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
1.1 deraadt 300:
1.4 millert 301: if ((skey.val = (char *)malloc(16 + 1)) == NULL)
302: err(1, "Can't allocate memory");
1.1 deraadt 303:
1.13 millert 304: /* Zero out old key if necesary (entry would change size) */
305: if (zerokey) {
306: (void)skeyzero(&skey, pp->pw_name);
307: /* Re-open keys file and seek to the end */
308: if (skeylookup(&skey, pp->pw_name) == -1)
309: err(1, "cannot open database");
310: }
311:
1.1 deraadt 312: btoa8(skey.val, key);
313:
1.12 millert 314: /* Don't save algorithm type for md4 (keep record length same) */
315: if (strcmp(skey_get_algorithm(), "md4") == 0)
1.13 millert 316: (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n",
1.12 millert 317: pp->pw_name, n, seed, skey.val, tbuf);
318: else
319: (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n",
320: pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf);
1.4 millert 321: (void)fclose(skey.keyfile);
1.10 millert 322:
323: (void)setpriority(PRIO_PROCESS, 0, 0);
324:
1.12 millert 325: (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
326: skey_get_algorithm(), n, seed);
1.10 millert 327: (void)printf("Next login password: %s\n\n",
328: hexmode ? put8(buf, key) : btoe(buf, key));
1.4 millert 329: exit(0);
1.8 millert 330: }
331:
332: void
333: usage(s)
334: char *s;
335: {
336: (void)fprintf(stderr,
1.18 millert 337: "Usage: %s [-s] [-x] [-z] [-n count] [-md4|-md5|-sha1|-rmd160] [user]\n", s);
1.8 millert 338: exit(1);
1.1 deraadt 339: }