Annotation of src/usr.bin/skeyinit/skeyinit.c, Revision 1.23
1.23 ! deraadt 1: /* $OpenBSD: skeyinit.c,v 1.22 1998/08/22 19:29:46 dgregor Exp $ */
1.1 deraadt 2: /* $NetBSD: skeyinit.c,v 1.6 1995/06/05 19:50:48 pk Exp $ */
3:
4: /* S/KEY v1.1b (skeyinit.c)
5: *
6: * Authors:
7: * Neil M. Haller <nmh@thumper.bellcore.com>
8: * Philip R. Karn <karn@chicago.qualcomm.com>
9: * John S. Walden <jsw@thumper.bellcore.com>
10: * Scott Chasin <chasin@crimelab.com>
11: *
1.20 millert 12: * Modifications:
13: * Todd C. Miller <Todd.Miller@courtesan.com>
14: *
1.1 deraadt 15: * S/KEY initialization and seed update
16: */
17:
18: #include <sys/param.h>
1.20 millert 19: #include <sys/file.h>
1.1 deraadt 20: #include <sys/time.h>
21: #include <sys/resource.h>
22:
1.19 millert 23: #include <err.h>
1.20 millert 24: #include <errno.h>
1.19 millert 25: #include <ctype.h>
26: #include <pwd.h>
1.1 deraadt 27: #include <stdio.h>
28: #include <stdlib.h>
29: #include <string.h>
1.19 millert 30: #include <syslog.h>
31: #include <time.h>
1.1 deraadt 32: #include <unistd.h>
1.6 millert 33: #include <utmp.h>
1.19 millert 34:
1.4 millert 35: #include <skey.h>
1.1 deraadt 36:
1.4 millert 37: #ifndef SKEY_NAMELEN
1.17 millert 38: #define SKEY_NAMELEN 4
1.4 millert 39: #endif
1.1 deraadt 40:
1.8 millert 41: void usage __P((char *));
42:
1.1 deraadt 43: int
44: main(argc, argv)
45: int argc;
46: char *argv[];
47: {
1.17 millert 48: int rval, nn, i, l, n=0, defaultsetup=1, zerokey=0, hexmode=0;
1.1 deraadt 49: time_t now;
50: char hostname[MAXHOSTNAMELEN];
1.17 millert 51: char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2];
52: char seed[SKEY_MAX_SEED_LEN+2], defaultseed[SKEY_MAX_SEED_LEN+1];
53: char tbuf[27], buf[80], key[SKEY_BINKEY_SIZE];
1.8 millert 54: char lastc, me[UT_NAMESIZE+1], *salt, *p, *pw, *ht=NULL;
1.1 deraadt 55: struct skey skey;
56: struct passwd *pp;
57: struct tm *tm;
58:
1.4 millert 59: if (geteuid() != 0)
60: errx(1, "must be setuid root.");
61:
1.1 deraadt 62: if (gethostname(hostname, sizeof(hostname)) < 0)
63: err(1, "gethostname");
1.4 millert 64: (void)strncpy(defaultseed, hostname, sizeof(defaultseed) - 1);
65: defaultseed[SKEY_NAMELEN] = '\0';
1.17 millert 66: (void)time(&now);
67: (void)sprintf(tbuf, "%05ld", (long) (now % 100000));
1.4 millert 68: (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5);
1.1 deraadt 69:
70: if ((pp = getpwuid(getuid())) == NULL)
71: err(1, "no user with uid %d", getuid());
1.4 millert 72: (void)strcpy(me, pp->pw_name);
1.1 deraadt 73:
74: if ((pp = getpwnam(me)) == NULL)
75: err(1, "Who are you?");
1.16 millert 76: salt = pp->pw_passwd;
1.1 deraadt 77:
1.8 millert 78: for (i = 1; i < argc && argv[i][0] == '-' && strcmp(argv[i], "--");) {
79: if (argv[i][2] == '\0') {
80: /* Single character switch */
81: switch (argv[i][1]) {
1.4 millert 82: case 's':
83: defaultsetup = 0;
84: break;
85: case 'x':
86: hexmode = 1;
87: break;
88: case 'z':
89: zerokey = 1;
90: break;
1.17 millert 91: case 'n':
1.23 ! deraadt 92: if (argv[++i] == NULL || argv[i][0] == '\0')
1.17 millert 93: usage(argv[0]);
94: if ((n = atoi(argv[i])) < 1 || n >= SKEY_MAX_SEQ)
95: errx(1, "count must be > 0 and < %d",
96: SKEY_MAX_SEQ);
97: break;
1.8 millert 98: default:
99: usage(argv[0]);
100: }
101: } else {
102: /* Multi character switches are hash types */
103: if ((ht = skey_set_algorithm(&argv[i][1])) == NULL) {
104: warnx("Unknown hash algorithm %s", &argv[i][1]);
105: usage(argv[0]);
106: }
1.7 millert 107: }
1.8 millert 108: i++;
1.7 millert 109: }
110:
111: /* check for optional user string */
1.8 millert 112: if (argc - i > 1) {
113: usage(argv[0]);
114: } else if (argv[i]) {
1.16 millert 115: if ((pp = getpwnam(argv[i])) == NULL) {
116: if (getuid() == 0) {
117: static struct passwd _pp;
118:
119: _pp.pw_name = argv[i];
120: pp = &_pp;
121: warnx("Warning, user unknown: %s", argv[i]);
122: } else {
123: errx(1, "User unknown: %s", argv[i]);
124: }
125: } else if (strcmp(pp->pw_name, me) != 0) {
1.4 millert 126: if (getuid() != 0) {
127: /* Only root can change other's passwds */
128: errx(1, "Permission denied.");
129: }
1.1 deraadt 130: }
131: }
132:
133: if (getuid() != 0) {
1.11 millert 134: pw = getpass("Password (or `s/key'):");
1.10 millert 135: if (strcasecmp(pw, "s/key") == 0) {
136: if (skey_haskey(me))
137: exit(1);
138: if (skey_authenticate(me))
139: errx(1, "Password incorrect.");
140: } else {
141: p = crypt(pw, salt);
142: if (strcmp(p, pp->pw_passwd))
143: errx(1, "Password incorrect.");
144: }
145: }
1.1 deraadt 146:
147: rval = skeylookup(&skey, pp->pw_name);
148: switch (rval) {
1.4 millert 149: case -1:
1.21 millert 150: if (errno == ENOENT)
151: errx(1, "s/key disabled");
152: else
153: err(1, "cannot open database");
154: break;
1.4 millert 155: case 0:
156: /* comment out user if asked to */
157: if (zerokey)
158: exit(skeyzero(&skey, pp->pw_name));
159:
160: (void)printf("[Updating %s]\n", pp->pw_name);
1.12 millert 161: (void)printf("Old key: [%s] %s\n", skey_get_algorithm(),
162: skey.seed);
1.4 millert 163:
164: /*
1.17 millert 165: * Let's be nice if they have an skey.seed that
1.4 millert 166: * ends in 0-8 just add one
167: */
168: l = strlen(skey.seed);
169: if (l > 0) {
170: lastc = skey.seed[l - 1];
171: if (isdigit(lastc) && lastc != '9') {
172: (void)strcpy(defaultseed, skey.seed);
173: defaultseed[l - 1] = lastc + 1;
174: }
175: if (isdigit(lastc) && lastc == '9' && l < 16) {
176: (void)strcpy(defaultseed, skey.seed);
177: defaultseed[l - 1] = '0';
178: defaultseed[l] = '0';
179: defaultseed[l + 1] = '\0';
180: }
1.1 deraadt 181: }
1.4 millert 182: break;
183: case 1:
184: if (zerokey)
185: errx(1, "You have no entry to zero.");
186: (void)printf("[Adding %s]\n", pp->pw_name);
187: break;
1.1 deraadt 188: }
1.17 millert 189: if (n == 0)
190: n = 99;
1.1 deraadt 191:
1.8 millert 192: /* Set hash type if asked to */
1.13 millert 193: if (ht) {
194: /* Need to zero out old key when changing algorithm */
195: if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht))
196: zerokey = 1;
197: }
1.4 millert 198:
1.1 deraadt 199: if (!defaultsetup) {
1.4 millert 200: (void)printf("You need the 6 english words generated from the \"skey\" command.\n");
1.17 millert 201: for (i = 0; ; i++) {
1.1 deraadt 202: if (i >= 2)
203: exit(1);
1.10 millert 204:
1.4 millert 205: (void)printf("Enter sequence count from 1 to %d: ",
1.17 millert 206: SKEY_MAX_SEQ);
207: (void)fgets(buf, sizeof(buf), stdin);
208: n = atoi(buf);
209: if (n > 0 && n < SKEY_MAX_SEQ)
1.1 deraadt 210: break; /* Valid range */
1.10 millert 211: (void)printf("Error: Count must be > 0 and < %d\n",
1.17 millert 212: SKEY_MAX_SEQ);
1.1 deraadt 213: }
1.4 millert 214:
1.10 millert 215: for (i = 0;; i++) {
216: if (i >= 2)
217: exit(1);
218:
219: (void)printf("Enter new key [default %s]: ",
220: defaultseed);
221: (void)fgets(seed, sizeof(seed), stdin);
222: rip(seed);
223: for (p = seed; *p; p++) {
224: if (isalpha(*p)) {
225: if (isupper(*p))
226: *p = tolower(*p);
227: } else if (!isdigit(*p)) {
228: (void)puts("Error: seed may only contain alpha numeric characters");
229: break;
230: }
231: }
232: if (*p == '\0')
233: break; /* Valid seed */
234: }
1.17 millert 235: if (strlen(seed) > SKEY_MAX_SEED_LEN) {
236: (void)printf("Notice: Seed truncated to %d characters.\n",
237: SKEY_MAX_SEED_LEN);
238: seed[SKEY_MAX_SEED_LEN] = '\0';
239: } else if (seed[0] == '\0')
1.4 millert 240: (void)strcpy(seed, defaultseed);
1.1 deraadt 241:
242: for (i = 0;; i++) {
243: if (i >= 2)
244: exit(1);
245:
1.10 millert 246: (void)printf("otp-%s %d %s\nS/Key access password: ",
247: skey_get_algorithm(), n, seed);
1.17 millert 248: (void)fgets(buf, sizeof(buf), stdin);
249: rip(buf);
250: backspace(buf);
1.1 deraadt 251:
1.17 millert 252: if (buf[0] == '?') {
1.4 millert 253: (void)puts("Enter 6 English words from secure S/Key calculation.");
1.1 deraadt 254: continue;
1.17 millert 255: } else if (buf[0] == '\0')
1.1 deraadt 256: exit(1);
1.17 millert 257: if (etob(key, buf) == 1 || atob8(key, buf) == 0)
1.1 deraadt 258: break; /* Valid format */
1.4 millert 259: (void)puts("Invalid format - try again with 6 English words.");
1.1 deraadt 260: }
261: } else {
262: /* Get user's secret password */
1.22 dgregor 263: fputs("Reminder - Only use this method if you are directly connected\n or have an encrypted channel. If you are using telnet\n or rlogin, exit with no password and use skeyinit -s.\n", stderr);
1.4 millert 264:
1.1 deraadt 265: for (i = 0;; i++) {
1.4 millert 266: if (i > 2)
1.1 deraadt 267: exit(1);
268:
1.4 millert 269: (void)fputs("Enter secret password: ", stderr);
1.1 deraadt 270: readpass(passwd, sizeof(passwd));
271: if (passwd[0] == '\0')
272: exit(1);
273:
1.4 millert 274: if (strlen(passwd) < SKEY_MIN_PW_LEN) {
1.19 millert 275: (void)fprintf(stderr,
276: "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN);
277: continue;
278: } else if (strcmp(passwd, pp->pw_name) == 0) {
279: (void)fputs("Your password may not be the same as your user name.\n", stderr);
280: continue;
281: } else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) {
282: (void)fputs("Your password must contain more than just lower case letters.\nWhitespace, numbers, and puctuation are suggested.\n", stderr);
1.4 millert 283: continue;
284: }
285:
286: (void)fputs("Again secret password: ", stderr);
1.1 deraadt 287: readpass(passwd2, sizeof(passwd));
288:
289: if (strcmp(passwd, passwd2) == 0)
290: break;
291:
1.4 millert 292: (void)fputs("Passwords do not match.\n", stderr);
1.1 deraadt 293: }
294:
295: /* Crunch seed and password into starting key */
1.4 millert 296: (void)strcpy(seed, defaultseed);
1.1 deraadt 297: if (keycrunch(key, seed, passwd) != 0)
298: err(2, "key crunch failed");
1.4 millert 299:
1.1 deraadt 300: nn = n;
301: while (nn-- != 0)
302: f(key);
303: }
1.4 millert 304: (void)time(&now);
1.1 deraadt 305: tm = localtime(&now);
1.4 millert 306: (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
1.1 deraadt 307:
1.4 millert 308: if ((skey.val = (char *)malloc(16 + 1)) == NULL)
309: err(1, "Can't allocate memory");
1.1 deraadt 310:
1.13 millert 311: /* Zero out old key if necesary (entry would change size) */
312: if (zerokey) {
313: (void)skeyzero(&skey, pp->pw_name);
314: /* Re-open keys file and seek to the end */
315: if (skeylookup(&skey, pp->pw_name) == -1)
316: err(1, "cannot open database");
317: }
318:
1.1 deraadt 319: btoa8(skey.val, key);
320:
1.20 millert 321: /*
322: * Obtain an exclusive lock on the key file so we don't
323: * clobber someone authenticating themselves at the same time.
324: */
325: for (i = 0; i < 300; i++) {
326: if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0
327: || errno != EWOULDBLOCK)
328: break;
329: usleep(100000); /* Sleep for 0.1 seconds */
330: }
331: if (rval == -1) { /* Can't get exclusive lock */
332: errno = EAGAIN;
333: err(1, "cannot open database");
334: }
335:
1.12 millert 336: /* Don't save algorithm type for md4 (keep record length same) */
337: if (strcmp(skey_get_algorithm(), "md4") == 0)
1.13 millert 338: (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n",
1.12 millert 339: pp->pw_name, n, seed, skey.val, tbuf);
340: else
341: (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n",
342: pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf);
1.20 millert 343:
344: (void)flock(fileno(skey.keyfile), LOCK_UN);
1.4 millert 345: (void)fclose(skey.keyfile);
1.10 millert 346:
1.12 millert 347: (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
348: skey_get_algorithm(), n, seed);
1.10 millert 349: (void)printf("Next login password: %s\n\n",
350: hexmode ? put8(buf, key) : btoe(buf, key));
1.4 millert 351: exit(0);
1.8 millert 352: }
353:
354: void
355: usage(s)
356: char *s;
357: {
358: (void)fprintf(stderr,
1.18 millert 359: "Usage: %s [-s] [-x] [-z] [-n count] [-md4|-md5|-sha1|-rmd160] [user]\n", s);
1.8 millert 360: exit(1);
1.1 deraadt 361: }