Annotation of src/usr.bin/skeyinit/skeyinit.c, Revision 1.27
1.27 ! millert 1: /* $OpenBSD: skeyinit.c,v 1.26 2001/01/26 16:25:34 millert Exp $ */
1.1 deraadt 2:
3: /* S/KEY v1.1b (skeyinit.c)
4: *
5: * Authors:
6: * Neil M. Haller <nmh@thumper.bellcore.com>
7: * Philip R. Karn <karn@chicago.qualcomm.com>
8: * John S. Walden <jsw@thumper.bellcore.com>
9: * Scott Chasin <chasin@crimelab.com>
10: *
1.20 millert 11: * Modifications:
12: * Todd C. Miller <Todd.Miller@courtesan.com>
13: *
1.1 deraadt 14: * S/KEY initialization and seed update
15: */
16:
17: #include <sys/param.h>
1.20 millert 18: #include <sys/file.h>
1.1 deraadt 19: #include <sys/time.h>
20: #include <sys/resource.h>
21:
1.19 millert 22: #include <err.h>
1.20 millert 23: #include <errno.h>
1.19 millert 24: #include <ctype.h>
25: #include <pwd.h>
1.1 deraadt 26: #include <stdio.h>
27: #include <stdlib.h>
28: #include <string.h>
1.19 millert 29: #include <syslog.h>
30: #include <time.h>
1.1 deraadt 31: #include <unistd.h>
1.6 millert 32: #include <utmp.h>
1.19 millert 33:
1.4 millert 34: #include <skey.h>
1.1 deraadt 35:
1.4 millert 36: #ifndef SKEY_NAMELEN
1.17 millert 37: #define SKEY_NAMELEN 4
1.4 millert 38: #endif
1.1 deraadt 39:
1.8 millert 40: void usage __P((char *));
41:
1.1 deraadt 42: int
43: main(argc, argv)
44: int argc;
45: char *argv[];
46: {
1.17 millert 47: int rval, nn, i, l, n=0, defaultsetup=1, zerokey=0, hexmode=0;
1.1 deraadt 48: time_t now;
49: char hostname[MAXHOSTNAMELEN];
1.17 millert 50: char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2];
51: char seed[SKEY_MAX_SEED_LEN+2], defaultseed[SKEY_MAX_SEED_LEN+1];
52: char tbuf[27], buf[80], key[SKEY_BINKEY_SIZE];
1.8 millert 53: char lastc, me[UT_NAMESIZE+1], *salt, *p, *pw, *ht=NULL;
1.1 deraadt 54: struct skey skey;
55: struct passwd *pp;
56: struct tm *tm;
57:
1.4 millert 58: if (geteuid() != 0)
59: errx(1, "must be setuid root.");
60:
1.1 deraadt 61: if (gethostname(hostname, sizeof(hostname)) < 0)
62: err(1, "gethostname");
1.25 millert 63: for (i = 0, p = defaultseed; hostname[i] && i < SKEY_NAMELEN; i++) {
64: if (isalpha(hostname[i])) {
1.26 millert 65: if (isupper(hostname[i]))
66: hostname[i] = tolower(hostname[i]);
67: *p++ = hostname[i];
1.25 millert 68: } else if (isdigit(hostname[i]))
69: *p++ = hostname[i];
70: }
71: *p = '\0';
1.17 millert 72: (void)time(&now);
73: (void)sprintf(tbuf, "%05ld", (long) (now % 100000));
1.4 millert 74: (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5);
1.1 deraadt 75:
76: if ((pp = getpwuid(getuid())) == NULL)
77: err(1, "no user with uid %d", getuid());
1.4 millert 78: (void)strcpy(me, pp->pw_name);
1.1 deraadt 79:
80: if ((pp = getpwnam(me)) == NULL)
81: err(1, "Who are you?");
1.16 millert 82: salt = pp->pw_passwd;
1.1 deraadt 83:
1.8 millert 84: for (i = 1; i < argc && argv[i][0] == '-' && strcmp(argv[i], "--");) {
85: if (argv[i][2] == '\0') {
86: /* Single character switch */
87: switch (argv[i][1]) {
1.4 millert 88: case 's':
89: defaultsetup = 0;
90: break;
91: case 'x':
92: hexmode = 1;
93: break;
94: case 'z':
95: zerokey = 1;
96: break;
1.17 millert 97: case 'n':
1.23 deraadt 98: if (argv[++i] == NULL || argv[i][0] == '\0')
1.17 millert 99: usage(argv[0]);
100: if ((n = atoi(argv[i])) < 1 || n >= SKEY_MAX_SEQ)
101: errx(1, "count must be > 0 and < %d",
102: SKEY_MAX_SEQ);
103: break;
1.8 millert 104: default:
105: usage(argv[0]);
106: }
107: } else {
108: /* Multi character switches are hash types */
109: if ((ht = skey_set_algorithm(&argv[i][1])) == NULL) {
110: warnx("Unknown hash algorithm %s", &argv[i][1]);
111: usage(argv[0]);
112: }
1.7 millert 113: }
1.8 millert 114: i++;
1.7 millert 115: }
116:
117: /* check for optional user string */
1.8 millert 118: if (argc - i > 1) {
119: usage(argv[0]);
120: } else if (argv[i]) {
1.16 millert 121: if ((pp = getpwnam(argv[i])) == NULL) {
122: if (getuid() == 0) {
123: static struct passwd _pp;
124:
125: _pp.pw_name = argv[i];
126: pp = &_pp;
127: warnx("Warning, user unknown: %s", argv[i]);
128: } else {
129: errx(1, "User unknown: %s", argv[i]);
130: }
131: } else if (strcmp(pp->pw_name, me) != 0) {
1.4 millert 132: if (getuid() != 0) {
133: /* Only root can change other's passwds */
134: errx(1, "Permission denied.");
135: }
1.1 deraadt 136: }
137: }
138:
139: if (getuid() != 0) {
1.11 millert 140: pw = getpass("Password (or `s/key'):");
1.10 millert 141: if (strcasecmp(pw, "s/key") == 0) {
142: if (skey_haskey(me))
143: exit(1);
144: if (skey_authenticate(me))
145: errx(1, "Password incorrect.");
146: } else {
147: p = crypt(pw, salt);
148: if (strcmp(p, pp->pw_passwd))
149: errx(1, "Password incorrect.");
150: }
151: }
1.1 deraadt 152:
153: rval = skeylookup(&skey, pp->pw_name);
154: switch (rval) {
1.4 millert 155: case -1:
1.21 millert 156: if (errno == ENOENT)
1.27 ! millert 157: errx(1, "S/Key disabled");
1.21 millert 158: else
159: err(1, "cannot open database");
160: break;
1.4 millert 161: case 0:
162: /* comment out user if asked to */
163: if (zerokey)
164: exit(skeyzero(&skey, pp->pw_name));
165:
166: (void)printf("[Updating %s]\n", pp->pw_name);
1.12 millert 167: (void)printf("Old key: [%s] %s\n", skey_get_algorithm(),
168: skey.seed);
1.4 millert 169:
170: /*
1.25 millert 171: * Sanity check old seed.
172: */
173: l = strlen(skey.seed);
174: for (p = skey.seed; *p; p++) {
175: if (isalpha(*p)) {
176: if (isupper(*p))
177: *p = tolower(*p);
178: } else if (!isdigit(*p)) {
179: memmove(p, p + 1, l - (p - skey.seed));
180: l--;
181: }
182: }
183:
184: /*
1.17 millert 185: * Let's be nice if they have an skey.seed that
1.4 millert 186: * ends in 0-8 just add one
187: */
188: if (l > 0) {
189: lastc = skey.seed[l - 1];
190: if (isdigit(lastc) && lastc != '9') {
191: (void)strcpy(defaultseed, skey.seed);
192: defaultseed[l - 1] = lastc + 1;
193: }
194: if (isdigit(lastc) && lastc == '9' && l < 16) {
195: (void)strcpy(defaultseed, skey.seed);
196: defaultseed[l - 1] = '0';
197: defaultseed[l] = '0';
198: defaultseed[l + 1] = '\0';
199: }
1.1 deraadt 200: }
1.4 millert 201: break;
202: case 1:
203: if (zerokey)
204: errx(1, "You have no entry to zero.");
205: (void)printf("[Adding %s]\n", pp->pw_name);
206: break;
1.1 deraadt 207: }
1.17 millert 208: if (n == 0)
209: n = 99;
1.1 deraadt 210:
1.8 millert 211: /* Set hash type if asked to */
1.13 millert 212: if (ht) {
213: /* Need to zero out old key when changing algorithm */
214: if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht))
215: zerokey = 1;
216: }
1.4 millert 217:
1.1 deraadt 218: if (!defaultsetup) {
1.4 millert 219: (void)printf("You need the 6 english words generated from the \"skey\" command.\n");
1.17 millert 220: for (i = 0; ; i++) {
1.1 deraadt 221: if (i >= 2)
222: exit(1);
1.10 millert 223:
1.4 millert 224: (void)printf("Enter sequence count from 1 to %d: ",
1.17 millert 225: SKEY_MAX_SEQ);
226: (void)fgets(buf, sizeof(buf), stdin);
227: n = atoi(buf);
228: if (n > 0 && n < SKEY_MAX_SEQ)
1.1 deraadt 229: break; /* Valid range */
1.10 millert 230: (void)printf("Error: Count must be > 0 and < %d\n",
1.17 millert 231: SKEY_MAX_SEQ);
1.1 deraadt 232: }
1.4 millert 233:
1.10 millert 234: for (i = 0;; i++) {
235: if (i >= 2)
236: exit(1);
237:
238: (void)printf("Enter new key [default %s]: ",
239: defaultseed);
240: (void)fgets(seed, sizeof(seed), stdin);
241: rip(seed);
1.25 millert 242: if (seed[0] == '\0')
243: (void)strcpy(seed, defaultseed);
1.10 millert 244: for (p = seed; *p; p++) {
245: if (isalpha(*p)) {
246: if (isupper(*p))
247: *p = tolower(*p);
248: } else if (!isdigit(*p)) {
249: (void)puts("Error: seed may only contain alpha numeric characters");
250: break;
251: }
252: }
253: if (*p == '\0')
254: break; /* Valid seed */
255: }
1.17 millert 256: if (strlen(seed) > SKEY_MAX_SEED_LEN) {
257: (void)printf("Notice: Seed truncated to %d characters.\n",
258: SKEY_MAX_SEED_LEN);
259: seed[SKEY_MAX_SEED_LEN] = '\0';
1.25 millert 260: }
1.1 deraadt 261:
262: for (i = 0;; i++) {
263: if (i >= 2)
264: exit(1);
265:
1.10 millert 266: (void)printf("otp-%s %d %s\nS/Key access password: ",
267: skey_get_algorithm(), n, seed);
1.17 millert 268: (void)fgets(buf, sizeof(buf), stdin);
269: rip(buf);
270: backspace(buf);
1.1 deraadt 271:
1.17 millert 272: if (buf[0] == '?') {
1.4 millert 273: (void)puts("Enter 6 English words from secure S/Key calculation.");
1.1 deraadt 274: continue;
1.17 millert 275: } else if (buf[0] == '\0')
1.1 deraadt 276: exit(1);
1.17 millert 277: if (etob(key, buf) == 1 || atob8(key, buf) == 0)
1.1 deraadt 278: break; /* Valid format */
1.4 millert 279: (void)puts("Invalid format - try again with 6 English words.");
1.1 deraadt 280: }
281: } else {
282: /* Get user's secret password */
1.22 dgregor 283: fputs("Reminder - Only use this method if you are directly connected\n or have an encrypted channel. If you are using telnet\n or rlogin, exit with no password and use skeyinit -s.\n", stderr);
1.4 millert 284:
1.1 deraadt 285: for (i = 0;; i++) {
1.4 millert 286: if (i > 2)
1.1 deraadt 287: exit(1);
288:
1.4 millert 289: (void)fputs("Enter secret password: ", stderr);
1.1 deraadt 290: readpass(passwd, sizeof(passwd));
291: if (passwd[0] == '\0')
292: exit(1);
293:
1.4 millert 294: if (strlen(passwd) < SKEY_MIN_PW_LEN) {
1.19 millert 295: (void)fprintf(stderr,
296: "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN);
297: continue;
298: } else if (strcmp(passwd, pp->pw_name) == 0) {
299: (void)fputs("Your password may not be the same as your user name.\n", stderr);
300: continue;
301: } else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) {
302: (void)fputs("Your password must contain more than just lower case letters.\nWhitespace, numbers, and puctuation are suggested.\n", stderr);
1.4 millert 303: continue;
304: }
305:
306: (void)fputs("Again secret password: ", stderr);
1.1 deraadt 307: readpass(passwd2, sizeof(passwd));
308:
309: if (strcmp(passwd, passwd2) == 0)
310: break;
311:
1.4 millert 312: (void)fputs("Passwords do not match.\n", stderr);
1.1 deraadt 313: }
314:
315: /* Crunch seed and password into starting key */
1.4 millert 316: (void)strcpy(seed, defaultseed);
1.1 deraadt 317: if (keycrunch(key, seed, passwd) != 0)
318: err(2, "key crunch failed");
1.4 millert 319:
1.1 deraadt 320: nn = n;
321: while (nn-- != 0)
322: f(key);
323: }
1.4 millert 324: (void)time(&now);
1.1 deraadt 325: tm = localtime(&now);
1.4 millert 326: (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
1.1 deraadt 327:
1.4 millert 328: if ((skey.val = (char *)malloc(16 + 1)) == NULL)
329: err(1, "Can't allocate memory");
1.1 deraadt 330:
1.13 millert 331: /* Zero out old key if necesary (entry would change size) */
332: if (zerokey) {
333: (void)skeyzero(&skey, pp->pw_name);
334: /* Re-open keys file and seek to the end */
335: if (skeylookup(&skey, pp->pw_name) == -1)
336: err(1, "cannot open database");
337: }
338:
1.1 deraadt 339: btoa8(skey.val, key);
340:
1.20 millert 341: /*
342: * Obtain an exclusive lock on the key file so we don't
343: * clobber someone authenticating themselves at the same time.
344: */
345: for (i = 0; i < 300; i++) {
346: if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0
347: || errno != EWOULDBLOCK)
348: break;
349: usleep(100000); /* Sleep for 0.1 seconds */
350: }
351: if (rval == -1) { /* Can't get exclusive lock */
352: errno = EAGAIN;
353: err(1, "cannot open database");
354: }
355:
1.12 millert 356: /* Don't save algorithm type for md4 (keep record length same) */
357: if (strcmp(skey_get_algorithm(), "md4") == 0)
1.13 millert 358: (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n",
1.12 millert 359: pp->pw_name, n, seed, skey.val, tbuf);
360: else
361: (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n",
362: pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf);
1.20 millert 363:
1.4 millert 364: (void)fclose(skey.keyfile);
1.10 millert 365:
1.12 millert 366: (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
367: skey_get_algorithm(), n, seed);
1.10 millert 368: (void)printf("Next login password: %s\n\n",
369: hexmode ? put8(buf, key) : btoe(buf, key));
1.4 millert 370: exit(0);
1.8 millert 371: }
372:
373: void
374: usage(s)
375: char *s;
376: {
377: (void)fprintf(stderr,
1.18 millert 378: "Usage: %s [-s] [-x] [-z] [-n count] [-md4|-md5|-sha1|-rmd160] [user]\n", s);
1.8 millert 379: exit(1);
1.1 deraadt 380: }