Annotation of src/usr.bin/skeyinit/skeyinit.c, Revision 1.20
1.20 ! millert 1: /* $OpenBSD: skeyinit.c,v 1.19 1997/07/25 00:27:30 millert Exp $ */
1.1 deraadt 2: /* $NetBSD: skeyinit.c,v 1.6 1995/06/05 19:50:48 pk Exp $ */
3:
4: /* S/KEY v1.1b (skeyinit.c)
5: *
6: * Authors:
7: * Neil M. Haller <nmh@thumper.bellcore.com>
8: * Philip R. Karn <karn@chicago.qualcomm.com>
9: * John S. Walden <jsw@thumper.bellcore.com>
10: * Scott Chasin <chasin@crimelab.com>
11: *
1.20 ! millert 12: * Modifications:
! 13: * Todd C. Miller <Todd.Miller@courtesan.com>
! 14: *
1.1 deraadt 15: * S/KEY initialization and seed update
16: */
17:
18: #include <sys/param.h>
1.20 ! millert 19: #include <sys/file.h>
1.1 deraadt 20: #include <sys/time.h>
21: #include <sys/resource.h>
22:
1.19 millert 23: #include <err.h>
1.20 ! millert 24: #include <errno.h>
1.19 millert 25: #include <ctype.h>
26: #include <pwd.h>
1.1 deraadt 27: #include <stdio.h>
28: #include <stdlib.h>
29: #include <string.h>
1.19 millert 30: #include <syslog.h>
31: #include <time.h>
1.1 deraadt 32: #include <unistd.h>
1.6 millert 33: #include <utmp.h>
1.19 millert 34:
1.4 millert 35: #include <skey.h>
1.1 deraadt 36:
1.4 millert 37: #ifndef SKEY_NAMELEN
1.17 millert 38: #define SKEY_NAMELEN 4
1.4 millert 39: #endif
1.1 deraadt 40:
1.8 millert 41: void usage __P((char *));
42:
1.1 deraadt 43: int
44: main(argc, argv)
45: int argc;
46: char *argv[];
47: {
1.17 millert 48: int rval, nn, i, l, n=0, defaultsetup=1, zerokey=0, hexmode=0;
1.1 deraadt 49: time_t now;
50: char hostname[MAXHOSTNAMELEN];
1.17 millert 51: char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2];
52: char seed[SKEY_MAX_SEED_LEN+2], defaultseed[SKEY_MAX_SEED_LEN+1];
53: char tbuf[27], buf[80], key[SKEY_BINKEY_SIZE];
1.8 millert 54: char lastc, me[UT_NAMESIZE+1], *salt, *p, *pw, *ht=NULL;
1.1 deraadt 55: struct skey skey;
56: struct passwd *pp;
57: struct tm *tm;
58:
1.4 millert 59: if (geteuid() != 0)
60: errx(1, "must be setuid root.");
61:
1.1 deraadt 62: if (gethostname(hostname, sizeof(hostname)) < 0)
63: err(1, "gethostname");
1.4 millert 64: (void)strncpy(defaultseed, hostname, sizeof(defaultseed) - 1);
65: defaultseed[SKEY_NAMELEN] = '\0';
1.17 millert 66: (void)time(&now);
67: (void)sprintf(tbuf, "%05ld", (long) (now % 100000));
1.4 millert 68: (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5);
1.1 deraadt 69:
70: if ((pp = getpwuid(getuid())) == NULL)
71: err(1, "no user with uid %d", getuid());
1.4 millert 72: (void)strcpy(me, pp->pw_name);
1.1 deraadt 73:
74: if ((pp = getpwnam(me)) == NULL)
75: err(1, "Who are you?");
1.16 millert 76: salt = pp->pw_passwd;
1.1 deraadt 77:
1.8 millert 78: for (i = 1; i < argc && argv[i][0] == '-' && strcmp(argv[i], "--");) {
79: if (argv[i][2] == '\0') {
80: /* Single character switch */
81: switch (argv[i][1]) {
1.4 millert 82: case 's':
83: defaultsetup = 0;
84: break;
85: case 'x':
86: hexmode = 1;
87: break;
88: case 'z':
89: zerokey = 1;
90: break;
1.17 millert 91: case 'n':
92: if (argv[++i][0] == '\0')
93: usage(argv[0]);
94: if ((n = atoi(argv[i])) < 1 || n >= SKEY_MAX_SEQ)
95: errx(1, "count must be > 0 and < %d",
96: SKEY_MAX_SEQ);
97: break;
1.8 millert 98: default:
99: usage(argv[0]);
100: }
101: } else {
102: /* Multi character switches are hash types */
103: if ((ht = skey_set_algorithm(&argv[i][1])) == NULL) {
104: warnx("Unknown hash algorithm %s", &argv[i][1]);
105: usage(argv[0]);
106: }
1.7 millert 107: }
1.8 millert 108: i++;
1.7 millert 109: }
110:
111: /* check for optional user string */
1.8 millert 112: if (argc - i > 1) {
113: usage(argv[0]);
114: } else if (argv[i]) {
1.16 millert 115: if ((pp = getpwnam(argv[i])) == NULL) {
116: if (getuid() == 0) {
117: static struct passwd _pp;
118:
119: _pp.pw_name = argv[i];
120: pp = &_pp;
121: warnx("Warning, user unknown: %s", argv[i]);
122: } else {
123: errx(1, "User unknown: %s", argv[i]);
124: }
125: } else if (strcmp(pp->pw_name, me) != 0) {
1.4 millert 126: if (getuid() != 0) {
127: /* Only root can change other's passwds */
128: errx(1, "Permission denied.");
129: }
1.1 deraadt 130: }
131: }
132:
133: if (getuid() != 0) {
1.11 millert 134: pw = getpass("Password (or `s/key'):");
1.10 millert 135: if (strcasecmp(pw, "s/key") == 0) {
136: if (skey_haskey(me))
137: exit(1);
138: if (skey_authenticate(me))
139: errx(1, "Password incorrect.");
140: } else {
141: p = crypt(pw, salt);
142: if (strcmp(p, pp->pw_passwd))
143: errx(1, "Password incorrect.");
144: }
145: }
1.1 deraadt 146:
147: rval = skeylookup(&skey, pp->pw_name);
148: switch (rval) {
1.4 millert 149: case -1:
150: err(1, "cannot open database");
151: case 0:
152: /* comment out user if asked to */
153: if (zerokey)
154: exit(skeyzero(&skey, pp->pw_name));
155:
156: (void)printf("[Updating %s]\n", pp->pw_name);
1.12 millert 157: (void)printf("Old key: [%s] %s\n", skey_get_algorithm(),
158: skey.seed);
1.4 millert 159:
160: /*
1.17 millert 161: * Let's be nice if they have an skey.seed that
1.4 millert 162: * ends in 0-8 just add one
163: */
164: l = strlen(skey.seed);
165: if (l > 0) {
166: lastc = skey.seed[l - 1];
167: if (isdigit(lastc) && lastc != '9') {
168: (void)strcpy(defaultseed, skey.seed);
169: defaultseed[l - 1] = lastc + 1;
170: }
171: if (isdigit(lastc) && lastc == '9' && l < 16) {
172: (void)strcpy(defaultseed, skey.seed);
173: defaultseed[l - 1] = '0';
174: defaultseed[l] = '0';
175: defaultseed[l + 1] = '\0';
176: }
1.1 deraadt 177: }
1.4 millert 178: break;
179: case 1:
180: if (zerokey)
181: errx(1, "You have no entry to zero.");
182: (void)printf("[Adding %s]\n", pp->pw_name);
183: break;
1.1 deraadt 184: }
1.17 millert 185: if (n == 0)
186: n = 99;
1.1 deraadt 187:
1.8 millert 188: /* Set hash type if asked to */
1.13 millert 189: if (ht) {
190: /* Need to zero out old key when changing algorithm */
191: if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht))
192: zerokey = 1;
193: }
1.4 millert 194:
1.1 deraadt 195: if (!defaultsetup) {
1.4 millert 196: (void)printf("You need the 6 english words generated from the \"skey\" command.\n");
1.17 millert 197: for (i = 0; ; i++) {
1.1 deraadt 198: if (i >= 2)
199: exit(1);
1.10 millert 200:
1.4 millert 201: (void)printf("Enter sequence count from 1 to %d: ",
1.17 millert 202: SKEY_MAX_SEQ);
203: (void)fgets(buf, sizeof(buf), stdin);
204: n = atoi(buf);
205: if (n > 0 && n < SKEY_MAX_SEQ)
1.1 deraadt 206: break; /* Valid range */
1.10 millert 207: (void)printf("Error: Count must be > 0 and < %d\n",
1.17 millert 208: SKEY_MAX_SEQ);
1.1 deraadt 209: }
1.4 millert 210:
1.10 millert 211: for (i = 0;; i++) {
212: if (i >= 2)
213: exit(1);
214:
215: (void)printf("Enter new key [default %s]: ",
216: defaultseed);
217: (void)fgets(seed, sizeof(seed), stdin);
218: rip(seed);
219: for (p = seed; *p; p++) {
220: if (isalpha(*p)) {
221: if (isupper(*p))
222: *p = tolower(*p);
223: } else if (!isdigit(*p)) {
224: (void)puts("Error: seed may only contain alpha numeric characters");
225: break;
226: }
227: }
228: if (*p == '\0')
229: break; /* Valid seed */
230: }
1.17 millert 231: if (strlen(seed) > SKEY_MAX_SEED_LEN) {
232: (void)printf("Notice: Seed truncated to %d characters.\n",
233: SKEY_MAX_SEED_LEN);
234: seed[SKEY_MAX_SEED_LEN] = '\0';
235: } else if (seed[0] == '\0')
1.4 millert 236: (void)strcpy(seed, defaultseed);
1.1 deraadt 237:
238: for (i = 0;; i++) {
239: if (i >= 2)
240: exit(1);
241:
1.10 millert 242: (void)printf("otp-%s %d %s\nS/Key access password: ",
243: skey_get_algorithm(), n, seed);
1.17 millert 244: (void)fgets(buf, sizeof(buf), stdin);
245: rip(buf);
246: backspace(buf);
1.1 deraadt 247:
1.17 millert 248: if (buf[0] == '?') {
1.4 millert 249: (void)puts("Enter 6 English words from secure S/Key calculation.");
1.1 deraadt 250: continue;
1.17 millert 251: } else if (buf[0] == '\0')
1.1 deraadt 252: exit(1);
1.17 millert 253: if (etob(key, buf) == 1 || atob8(key, buf) == 0)
1.1 deraadt 254: break; /* Valid format */
1.4 millert 255: (void)puts("Invalid format - try again with 6 English words.");
1.1 deraadt 256: }
257: } else {
258: /* Get user's secret password */
1.4 millert 259: fputs("Reminder - Only use this method if you are directly connected\n or have an encrypted channel. If you are using telnet\n or rlogin, exit with no password and use keyinit -s.\n", stderr);
260:
1.1 deraadt 261: for (i = 0;; i++) {
1.4 millert 262: if (i > 2)
1.1 deraadt 263: exit(1);
264:
1.4 millert 265: (void)fputs("Enter secret password: ", stderr);
1.1 deraadt 266: readpass(passwd, sizeof(passwd));
267: if (passwd[0] == '\0')
268: exit(1);
269:
1.4 millert 270: if (strlen(passwd) < SKEY_MIN_PW_LEN) {
1.19 millert 271: (void)fprintf(stderr,
272: "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN);
273: continue;
274: } else if (strcmp(passwd, pp->pw_name) == 0) {
275: (void)fputs("Your password may not be the same as your user name.\n", stderr);
276: continue;
277: } else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) {
278: (void)fputs("Your password must contain more than just lower case letters.\nWhitespace, numbers, and puctuation are suggested.\n", stderr);
1.4 millert 279: continue;
280: }
281:
282: (void)fputs("Again secret password: ", stderr);
1.1 deraadt 283: readpass(passwd2, sizeof(passwd));
284:
285: if (strcmp(passwd, passwd2) == 0)
286: break;
287:
1.4 millert 288: (void)fputs("Passwords do not match.\n", stderr);
1.1 deraadt 289: }
290:
291: /* Crunch seed and password into starting key */
1.4 millert 292: (void)strcpy(seed, defaultseed);
1.1 deraadt 293: if (keycrunch(key, seed, passwd) != 0)
294: err(2, "key crunch failed");
1.4 millert 295:
1.1 deraadt 296: nn = n;
297: while (nn-- != 0)
298: f(key);
299: }
1.4 millert 300: (void)time(&now);
1.1 deraadt 301: tm = localtime(&now);
1.4 millert 302: (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
1.1 deraadt 303:
1.4 millert 304: if ((skey.val = (char *)malloc(16 + 1)) == NULL)
305: err(1, "Can't allocate memory");
1.1 deraadt 306:
1.13 millert 307: /* Zero out old key if necesary (entry would change size) */
308: if (zerokey) {
309: (void)skeyzero(&skey, pp->pw_name);
310: /* Re-open keys file and seek to the end */
311: if (skeylookup(&skey, pp->pw_name) == -1)
312: err(1, "cannot open database");
313: }
314:
1.1 deraadt 315: btoa8(skey.val, key);
316:
1.20 ! millert 317: /*
! 318: * Obtain an exclusive lock on the key file so we don't
! 319: * clobber someone authenticating themselves at the same time.
! 320: */
! 321: for (i = 0; i < 300; i++) {
! 322: if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0
! 323: || errno != EWOULDBLOCK)
! 324: break;
! 325: usleep(100000); /* Sleep for 0.1 seconds */
! 326: }
! 327: if (rval == -1) { /* Can't get exclusive lock */
! 328: errno = EAGAIN;
! 329: err(1, "cannot open database");
! 330: }
! 331:
1.12 millert 332: /* Don't save algorithm type for md4 (keep record length same) */
333: if (strcmp(skey_get_algorithm(), "md4") == 0)
1.13 millert 334: (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n",
1.12 millert 335: pp->pw_name, n, seed, skey.val, tbuf);
336: else
337: (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n",
338: pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf);
1.20 ! millert 339:
! 340: (void)flock(fileno(skey.keyfile), LOCK_UN);
1.4 millert 341: (void)fclose(skey.keyfile);
1.10 millert 342:
1.12 millert 343: (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
344: skey_get_algorithm(), n, seed);
1.10 millert 345: (void)printf("Next login password: %s\n\n",
346: hexmode ? put8(buf, key) : btoe(buf, key));
1.4 millert 347: exit(0);
1.8 millert 348: }
349:
350: void
351: usage(s)
352: char *s;
353: {
354: (void)fprintf(stderr,
1.18 millert 355: "Usage: %s [-s] [-x] [-z] [-n count] [-md4|-md5|-sha1|-rmd160] [user]\n", s);
1.8 millert 356: exit(1);
1.1 deraadt 357: }