author | Artur Grabowski <art@cvs.openbsd.org> | 1997-12-17 07:50:18 +0000 |
---|---|---|
committer | Artur Grabowski <art@cvs.openbsd.org> | 1997-12-17 07:50:18 +0000 |
commit | dc7b53e733bdae6a577bbc013f46eeef34f16eb7 (patch) | |
tree | f15794be516e8dc286f3b05e5968bec7bdbea89c /kerberosIV | |
parent | 02925b9d061b28785a08ed3e84389b8ee1f230ce (diff) |
another upgrade.
Diffstat (limited to 'kerberosIV')
-rw-r--r-- | kerberosIV/ksrvutil/Makefile | 4 | ||||
-rw-r--r-- | kerberosIV/ksrvutil/ksrvutil.c | 657 | ||||
-rw-r--r-- | kerberosIV/ksrvutil/ksrvutil_get.c | 429 |
3 files changed, 743 insertions, 347 deletions
diff --git a/kerberosIV/ksrvutil/Makefile b/kerberosIV/ksrvutil/Makefile index cf106f4a2b1..94dc17c2e2f 100644 --- a/kerberosIV/ksrvutil/Makefile +++ b/kerberosIV/ksrvutil/Makefile @@ -1,7 +1,8 @@ -# $OpenBSD: Makefile,v 1.4 1997/02/11 04:40:39 tholo Exp $ +# $OpenBSD: Makefile,v 1.5 1997/12/17 07:50:16 art Exp $ .include <bsd.obj.mk> +SRCS= ksrvutil.c ksrvutil_get.c PROG= ksrvutil .if exists(${.CURDIR}/../kadm/${__objdir}) CFLAGS+=-I${.CURDIR}/../kadm/${__objdir} @@ -13,7 +14,6 @@ CFLAGS+=-I${.CURDIR}/../krb/${__objdir} .else CFLAGS+=-I${.CURDIR}/../krb .endif -#CFLAGS+=-I${.CURDIR}/../../lib/libss LDADD+= -lkadm -lkrb -ldes -lcom_err DPADD+= ${LIBKADM} ${LIBKRB} ${LIBDES} ${LIBCOM_ERR} MAN= ksrvutil.8 diff --git a/kerberosIV/ksrvutil/ksrvutil.c b/kerberosIV/ksrvutil/ksrvutil.c index 9001477f4fb..6530d6d057f 100644 --- a/kerberosIV/ksrvutil/ksrvutil.c +++ b/kerberosIV/ksrvutil/ksrvutil.c @@ -1,12 +1,13 @@ -/* $Id: ksrvutil.c,v 1.4 1997/04/08 22:40:52 rees Exp $ */ +/* $OpenBSD: ksrvutil.c,v 1.5 1997/12/17 07:50:16 art Exp $ */ +/* $KTH: ksrvutil.c,v 1.39 1997/05/02 14:28:52 assar Exp $ */ -/*- - * Copyright (C) 1989 by the Massachusetts Institute of Technology +/* + * Copyright (C) 1989 by the Massachusetts Institute of Technology * - * Export of this software from the United States of America is assumed - * to require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. + * Export of this software from the United States of America is assumed + * to require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. * * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and * distribute this software and its documentation for any purpose and 
@@ -18,6 +19,7 @@ * permission. M.I.T. makes no representations about the suitability of * this software for any purpose. It is provided "as is" without express * or implied warranty. + * */ /* @@ -29,16 +31,9 @@ * list and update the contents of srvtab files */ -#ifndef FALSE -#define FALSE 0 -#endif +#include "kadm_locl.h" -#ifndef TRUE -#define TRUE 1 -#endif - -#include <kadm_locl.h> -#include <sys/param.h> +#include "ksrvutil.h" #ifdef NOENCRYPTION #define read_long_pw_string placebo_read_pw_string @@ -54,13 +49,21 @@ #define PRINC_HEADER " Principal\n" #define PRINC_FORMAT "%s" +char u_name[ANAME_SZ]; +char u_inst[INST_SZ]; +char u_realm[REALM_SZ]; + +char progname[] = "ksrvutil"; + +int destroyp = FALSE; /* Should the ticket file be destroyed? */ + static unsigned short get_mode(char *filename) { struct stat statbuf; unsigned short mode; - (void) bzero((char *)&statbuf, sizeof(statbuf)); + memset(&statbuf, 0, sizeof(statbuf)); if (stat(filename, &statbuf) < 0) mode = SRVTAB_MODE; @@ -71,7 +74,7 @@ get_mode(char *filename) } static void -copy_keyfile(char *progname, char *keyfile, char *backup_keyfile) +copy_keyfile(char *keyfile, char *backup_keyfile) { int keyfile_fd; int backup_keyfile_fd; 
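Review bot: The new file-scope variables `u_name`, `u_inst`, `u_realm`, `progname` and `destroyp` are exported without a comment saying what they hold or which translation unit reads them; only `destroyp` carries a trailing comment. A comment above the three `u_*` arrays such as `/* Principal used to authenticate to the admin server; set from the default principal or from -p/-r in main() */` would make the contract explicit, since main() in this diff fills them from `krb_get_default_principal`, `kname_parse` and the `-r` argument. They are presumably declared in the new `ksrvutil.h` for `ksrvutil_get.c`, but that header is not in this diff, so that is an inference.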
@@ -80,31 +83,22 @@ copy_keyfile(char *progname, char *keyfile, char *backup_keyfile) int rcount; /* for copying keyfiles */ int try_again; - (void) bzero((char *)buf, sizeof(buf)); + memset(buf, 0, sizeof(buf)); do { try_again = FALSE; if ((keyfile_fd = open(keyfile, O_RDONLY, 0)) < 0) { - if (errno != ENOENT) { - (void)fprintf(stderr, "%s: Unable to read %s: %s\n", progname, - keyfile, strerror(errno)); - exit(1); - } + if (errno != ENOENT) + err (1, "read %s", keyfile); else { try_again = TRUE; if ((keyfile_fd = open(keyfile, - O_WRONLY | O_TRUNC | O_CREAT, SRVTAB_MODE)) < 0) { - (void) fprintf(stderr, "%s: Unable to create %s: %s\n", - progname, keyfile, strerror(errno)); - exit(1); - } + O_WRONLY | O_TRUNC | O_CREAT, SRVTAB_MODE)) < 0) + err(1, "create %s", keyfile); else - if (close(keyfile_fd) < 0) { - (void) fprintf(stderr, "%s: Failure closing %s: %s\n", - progname, keyfile, strerror(errno)); - exit(1); - } + if (close(keyfile_fd) < 0) + err (1, "close %s", keyfile); } } } while(try_again); 
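Review bot: `err (1, "read %s", keyfile)` reports a failed `open()` as a read, and the same hunk mixes `err (` and `err(` spacing (`err(1, "create %s", keyfile)` two lines later). `err(1, "open %s", keyfile)` names the call that actually failed, the form the main() hunk already uses for `backup_keyfile`, and the spacing should be made uniform while these lines are being rewritten anyway. copy_keyfile starts in the previous hunk and continues past this one.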
@@ -113,101 +107,95 @@ copy_keyfile(char *progname, char *keyfile, char *backup_keyfile) if ((backup_keyfile_fd = open(backup_keyfile, O_WRONLY | O_TRUNC | O_CREAT, - keyfile_mode)) < 0) { - (void) fprintf(stderr, "%s: Unable to write %s: %s\n", progname, - backup_keyfile, strerror(errno)); - exit(1); - } + keyfile_mode)) < 0) + err (1, "write %s", backup_keyfile); do { - if ((rcount = read(keyfile_fd, (char *)buf, sizeof(buf))) < 0) { - (void) fprintf(stderr, "%s: Error reading %s: %s\n", progname, - keyfile, strerror(errno)); - exit(1); - } - if (rcount && (write(backup_keyfile_fd, buf, rcount) != rcount)) { - (void) fprintf(stderr, "%s: Error writing %s: %s\n", progname, - backup_keyfile, strerror(errno)); - exit(1); - } + if ((rcount = read(keyfile_fd, buf, sizeof(buf))) < 0) + err (1, "read %s", keyfile); + if (rcount && (write(backup_keyfile_fd, buf, rcount) != rcount)) + err (1, "write %s", backup_keyfile); } while (rcount); - if (close(backup_keyfile_fd) < 0) { - (void) fprintf(stderr, "%s: Error closing %s: %s\n", progname, - backup_keyfile, strerror(errno)); - exit(1); - } - if (close(keyfile_fd) < 0) { - (void) fprintf(stderr, "%s: Error closing %s: %s\n", progname, - keyfile, strerror(errno)); - exit(1); - } + if (close(backup_keyfile_fd) < 0) + err(1, "close %s", backup_keyfile); + if (close(keyfile_fd) < 0) + err(1, "close %s", keyfile); } -static void +void leave(char *str, int x) { if (str) - (void) fprintf(stderr, "%s\n", str); - (void) dest_tkt(); + fprintf(stderr, "%s\n", str); + if (destroyp) + dest_tkt(); exit(x); } -static void -safe_read_stdin(char *prompt, char *buf, int size) +void +safe_read_stdin(char *prompt, char *buf, size_t size) { - (void) printf(prompt); - (void) fflush(stdout); - (void) bzero(buf, size); + printf("%s", prompt); + fflush(stdout); + memset(buf, 0, size); if (read(0, buf, size - 1) < 0) { - (void) fprintf(stderr, "Failure reading from stdin: %s\n", - strerror(errno)); - leave((char *)NULL, 1); + warn("read stdin"); + 
leave(NULL, 1); } - fflush(stdin); buf[strlen(buf)-1] = 0; -} - +} -static void -safe_write(char *progname, char *filename, int fd, char *buf, int len) +void +safe_write(char *filename, int fd, void *buf, size_t len) { if (write(fd, buf, len) != len) { - (void) fprintf(stderr, "%s: Failure writing to %s: %s\n", progname, - filename, strerror(errno)); - (void) close(fd); + warn("write %s", filename); + close(fd); leave("In progress srvtab in this file.", 1); } -} +} static int -yn(char *string) +yes_no(char *string, int dflt) { - char ynbuf[5]; - - (void) printf("%s (y,n) [y] ", string); - for (;;) { - safe_read_stdin("", ynbuf, sizeof(ynbuf)); - - if ((ynbuf[0] == 'n') || (ynbuf[0] == 'N')) - return(0); - else if ((ynbuf[0] == 'y') || (ynbuf[0] == 'Y') || (ynbuf[0] == 0)) - return(1); - else { - (void) printf("Please enter 'y' or 'n': "); - fflush(stdout); - } + char ynbuf[5]; + + printf("%s (y,n) [%c]", string, dflt?'y':'n'); + for (;;) { + safe_read_stdin("", ynbuf, sizeof(ynbuf)); + + if ((ynbuf[0] == 'n') || (ynbuf[0] == 'N')) + return(0); + else if ((ynbuf[0] == 'y') || (ynbuf[0] == 'Y')) + return(1); + else if(ynbuf[0] == 0) + return dflt; + else { + printf("Please enter 'y' or 'n': "); + fflush(stdout); } + } +} + +int yn(char *string) +{ + return yes_no(string, 1); +} + +int ny(char *string) +{ + return yes_no(string, 0); } static void -append_srvtab(char *progname, char *filename, int fd, char *sname, char *sinst, char *srealm, unsigned char key_vno, unsigned char *key) +append_srvtab(char *filename, int fd, char *sname, char *sinst, char *srealm, unsigned char key_vno, unsigned char *key) { - /* Add one to append null */ - safe_write(progname, filename, fd, sname, strlen(sname) + 1); - safe_write(progname, filename, fd, sinst, strlen(sinst) + 1); - safe_write(progname, filename, fd, srealm, strlen(srealm) + 1); - safe_write(progname, filename, fd, (char *)&key_vno, 1); - safe_write(progname, filename, fd, (char *)key, sizeof(des_cblock)); - (void) 
fsync(fd); + /* Add one to append null */ + safe_write(filename, fd, sname, strlen(sname) + 1); + safe_write(filename, fd, sinst, strlen(sinst) + 1); + safe_write(filename, fd, srealm, strlen(srealm) + 1); + safe_write(filename, fd, &key_vno, 1); + safe_write(filename, fd, key, sizeof(des_cblock)); + fsync(fd); } static void @@ -216,39 +204,33 @@ print_key(unsigned char *key) int i; for (i = 0; i < 4; i++) - (void) printf("%02x", key[i]); - (void) printf(" "); + printf("%02x", key[i]); + printf(" "); for (i = 4; i < 8; i++) - (void) printf("%02x", key[i]); + printf("%02x", key[i]); } static void print_name(char *name, char *inst, char *realm) { - (void) printf("%s%s%s%s%s", name, inst[0] ? "." : "", inst, - realm[0] ? "@" : "", realm); + printf("%s", krb_unparse_name_long(name, inst, realm)); } static int -get_svc_new_key(unsigned char *new_key, char *sname, char *sinst, char *srealm, char *keyfile) +get_svc_new_key(des_cblock *new_key, char *sname, char *sinst, + char *srealm, char *keyfile) { - char *dot, admin[MAXHOSTNAMELEN]; - int status; - - if ((status = krb_get_admhst(admin, srealm, 1)) != KSUCCESS) - return(status); - if ((dot = strchr(admin, '.')) != NULL) - *dot = '\0'; - status = KADM_SUCCESS; + int status = KADM_SUCCESS; + if (((status = krb_get_svc_in_tkt(sname, sinst, srealm, PWSERV_NAME, KADM_SINST, 1, keyfile)) == KSUCCESS) && - ((status = kadm_init_link("changepw", admin, srealm)) == + ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, srealm)) == KADM_SUCCESS)) { #ifdef NOENCRYPTION - (void) bzero((char *) new_key, sizeof(des_cblock)); - new_key[0] = (unsigned char) 1; + memset(new_key, 0, sizeof(des_cblock)); + (*new_key)[0] = (unsigned char) 1; #else /* NOENCRYPTION */ - (void) des_new_random_key((des_cblock*)&new_key); + des_new_random_key(new_key); #endif /* NOENCRYPTION */ return(KADM_SUCCESS); } 
@@ -257,40 +239,36 @@ get_svc_new_key(unsigned char *new_key, char *sname, char *sinst, char *srealm, } static void -get_key_from_password(des_cblock (*key), int afskey, char *srealm) +get_key_from_password(des_cblock (*key), char *cellname) { char password[MAX_KPW_LEN]; /* storage for the password */ - char cell[REALM_SZ], *p; if (read_long_pw_string(password, sizeof(password)-1, "Password: ", 1)) leave("Error reading password.", 1); #ifdef NOENCRYPTION - (void) bzero((char *) key, sizeof(des_cblock)); - key[0] = (unsigned char) 1; + memset(key, 0, sizeof(des_cblock)); + (*key)[0] = (unsigned char) 1; #else /* NOENCRYPTION */ - if (afskey) { - strcpy(cell, srealm); - for (p = cell; *p; p++) - if (isupper(*p)) - *p = tolower(*p); - afs_string_to_key(password, cell, key); - } else - (void) des_string_to_key(password, key); + if (strlen(cellname) == 0) + des_string_to_key(password, key); + else + afs_string_to_key(password, cellname, key); #endif /* NOENCRYPTION */ - (void) bzero((char *)password, sizeof(password)); + memset(password, 0, sizeof(password)); } static void usage(void) { - (void) fprintf(stderr, "Usage: ksrvutil [-f keyfile] [-i] [-k] [-a] "); - (void) fprintf(stderr, "{list | change | add | get}\n"); - (void) fprintf(stderr, " -i causes the program to ask for "); - (void) fprintf(stderr, "confirmation before changing keys.\n"); - (void) fprintf(stderr, " -k causes the key to printed for list or "); - (void) fprintf(stderr, "change.\n"); - (void) fprintf(stderr, " -a uses the AFS string-to-key.\n"); + fprintf(stderr, "Usage: ksrvutil [-f keyfile] [-i] [-k] "); + fprintf(stderr, "[-p principal] [-r realm] "); + fprintf(stderr, "[-c AFS cellname] "); + fprintf(stderr, "{list | change | add | get}\n"); + fprintf(stderr, " -i causes the program to ask for "); + fprintf(stderr, "confirmation before changing keys.\n"); + fprintf(stderr, " -k causes the key to printed for list or "); + fprintf(stderr, "change.\n"); exit(1); } 
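Review bot: `memset(password, 0, sizeof(password));` at the end of `get_key_from_password` is the last access to a local holding the cleartext password, which is exactly the store a compiler is entitled to drop as dead, so the scrub is not guaranteed to happen. Where the platform provides it, `explicit_bzero(password, sizeof(password));` expresses that intent; otherwise a clearing loop through a `volatile` pointer does. The same applies to `memset(admin_passwd, 0, sizeof(admin_passwd));` in the new `ksrvutil_get.c`.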
@@ -312,133 +290,146 @@ main(int argc, char **argv) int work_keyfile_fd = -1; /* Initialize so that */ int backup_keyfile_fd = -1; /* compiler doesn't complain */ char local_realm[REALM_SZ]; /* local kerberos realm */ - int i; + char cellname[1024]; /* AFS cell name */ + int c; int interactive = FALSE; int list = FALSE; int change = FALSE; int add = FALSE; int get = FALSE; int key = FALSE; /* do we show keys? */ - int afskey = FALSE; /* do we use AFS string-to-key? */ int arg_entered = FALSE; int change_this_key = FALSE; char databuf[BUFSIZ]; int first_printed = FALSE; /* have we printed the first item? */ - (void) bzero((char *)sname, sizeof(sname)); - (void) bzero((char *)sinst, sizeof(sinst)); - (void) bzero((char *)srealm, sizeof(srealm)); + memset(sname, 0, sizeof(sname)); + memset(sinst, 0, sizeof(sinst)); + memset(srealm, 0, sizeof(srealm)); + + memset(change_tkt, 0, sizeof(change_tkt)); + memset(keyfile, 0, sizeof(keyfile)); + memset(work_keyfile, 0, sizeof(work_keyfile)); + memset(backup_keyfile, 0, sizeof(backup_keyfile)); + memset(local_realm, 0, sizeof(local_realm)); + memset(cellname, 0, sizeof(cellname)); - (void) bzero((char *)change_tkt, sizeof(change_tkt)); - (void) bzero((char *)keyfile, sizeof(keyfile)); - (void) bzero((char *)work_keyfile, sizeof(work_keyfile)); - (void) bzero((char *)backup_keyfile, sizeof(backup_keyfile)); - (void) bzero((char *)local_realm, sizeof(local_realm)); - - (void) snprintf(change_tkt, sizeof(change_tkt), "/tmp/tkt_ksrvutil.%d", - (int)getpid()); - krb_set_tkt_string(change_tkt); + if (krb_get_default_principal(u_name, u_inst, u_realm) < 0) + errx (1, "could not get default principal"); /* This is used only as a default for adding keys */ if (krb_get_lrealm(local_realm, 1) != KSUCCESS) { - (void) fprintf(stderr, "%s: Unable to find local realm name\n", argv[0]); - exit(1); + strncpy(local_realm, KRB_REALM, REALM_SZ - 1); + local_realm[REALM_SZ - 1] = '\0'; } - for (i = 1; i < argc; i++) { - if (strcmp(argv[i], "-i") 
== 0) - interactive++; - else if (strcmp(argv[i], "-k") == 0) - key++; - else if (strcmp(argv[i], "list") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - list++; - } - } - else if (strcmp(argv[i], "change") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - change++; - } - } - else if (strcmp(argv[i], "add") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - add++; - } - } - else if (strcmp(argv[i], "get") == 0) { - if (arg_entered) - usage(); - else { - arg_entered++; - get++; - } - } - else if (strcmp(argv[i], "-f") == 0) { - if (++i == argc) - usage(); - else - (void) strcpy(keyfile, argv[i]); - } - else if (strcmp(argv[i], "-a") == 0) - afskey++; - else - usage(); + while((c = getopt(argc, argv, "ikc:f:p:r:")) != EOF) { + switch (c) { + case 'i': + interactive++; + break; + case 'k': + key++; + break; + case 'c': + strcpy(cellname, optarg); + break; + case 'f': + strcpy(keyfile, optarg); + break; + case 'p': + if((status = kname_parse (u_name, u_inst, u_realm, optarg)) != + KSUCCESS) + errx (1, "principal %s: %s", optarg, + krb_get_err_text(status)); + break; + case 'r': + strcpy(u_realm, optarg); + break; + case '?': + usage(); + } } + if (optind >= argc) + usage(); + if (*u_realm == '\0') + strcpy (u_realm, local_realm); + if (strcmp(argv[optind], "list") == 0) { + if (arg_entered) + usage(); + else { + arg_entered++; + list++; + } + } + else if (strcmp(argv[optind], "change") == 0) { + if (arg_entered) + usage(); + else { + arg_entered++; + change++; + } + } + else if (strcmp(argv[optind], "add") == 0) { + if (arg_entered) + usage(); + else { + arg_entered++; + add++; + } + } + else if (strcmp(argv[optind], "get") == 0) { + if (arg_entered) + usage(); + else { + arg_entered++; + get++; + } + } + else + usage(); + ++optind; if (!arg_entered) usage(); if (!keyfile[0]) - (void) strcpy(keyfile, KEYFILE); + strcpy(keyfile, KEYFILE); - (void) strcpy(work_keyfile, keyfile); - (void) strcpy(backup_keyfile, keyfile); + 
strcpy(work_keyfile, keyfile); + strcpy(backup_keyfile, keyfile); if (change || add || get) { - (void) strcat(work_keyfile, ".work"); - (void) strcat(backup_keyfile, ".old"); + strcat(work_keyfile, ".work"); + strcat(backup_keyfile, ".old"); - copy_keyfile(argv[0], keyfile, backup_keyfile); + copy_keyfile(keyfile, backup_keyfile); } if (add || get) - copy_keyfile(argv[0], backup_keyfile, work_keyfile); + copy_keyfile(backup_keyfile, work_keyfile); keyfile_mode = get_mode(keyfile); - if (change || list) { - if ((backup_keyfile_fd = open(backup_keyfile, O_RDONLY, 0)) < 0) { - (void) fprintf(stderr, "%s: Unable to read %s: %s\n", argv[0], - backup_keyfile, strerror(errno)); - exit(1); - } - } + if (change || list) + if ((backup_keyfile_fd = open(backup_keyfile, O_RDONLY, 0)) < 0) + err (1, "open %s", backup_keyfile); if (change) { if ((work_keyfile_fd = open(work_keyfile, O_WRONLY | O_CREAT | O_TRUNC, - SRVTAB_MODE)) < 0) { - (void) fprintf(stderr, "%s: Unable to write %s: %s\n", argv[0], - work_keyfile, strerror(errno)); - exit(1); - } + SRVTAB_MODE)) < 0) + err (1, "creat %s", work_keyfile); } - else if (add || get) { + else if (add) { if ((work_keyfile_fd = - open(work_keyfile, O_APPEND | O_WRONLY, SRVTAB_MODE)) < 0) { - (void) fprintf(stderr, "%s: Unable to open %s for append: %s\n", - argv[0], work_keyfile, strerror(errno)); - exit(1); - } + open(work_keyfile, O_APPEND | O_WRONLY, SRVTAB_MODE)) < 0) + err (1, "open with append %s", work_keyfile ); + } + else if (get) { + if ((work_keyfile_fd = + open(work_keyfile, O_RDWR | O_CREAT, SRVTAB_MODE)) < 0) + err (1, "open for writing %s", work_keyfile); } if (change || list) { 
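Review bot: The new option cases copy `optarg` with unbounded `strcpy`: `strcpy(cellname, optarg)` into `cellname[1024]`, `strcpy(keyfile, optarg)` into `keyfile`, and `strcpy(u_realm, optarg)` into the global `u_realm[REALM_SZ]`, so an over-long argument overruns the stack or the data segment. A few lines above, the same hunk bounds the `KRB_REALM` fallback with `strncpy(local_realm, KRB_REALM, REALM_SZ - 1); local_realm[REALM_SZ - 1] = '\0';`, and the argument copies should either follow that pattern or reject the input first: `if (strlen(optarg) >= sizeof(u_realm)) errx(1, "realm too long: %s", optarg);`. Also, `getopt()` signals the end of options with -1; comparing against `EOF` only works where `EOF == -1`, so `!= -1` is the portable form. main() starts before this hunk and continues after it.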
@@ -446,31 +437,37 @@ main(int argc, char **argv) (getst(backup_keyfile_fd, sinst, INST_SZ) > 0) && (getst(backup_keyfile_fd, srealm, REALM_SZ) > 0) && (read(backup_keyfile_fd, &key_vno, 1) > 0) && - (read(backup_keyfile_fd,(char *)old_key,sizeof(old_key)) > 0)) { + (read(backup_keyfile_fd, old_key, sizeof(old_key)) > 0)) { if (list) { if (!first_printed) { - (void) printf(VNO_HEADER); - (void) printf(PAD); + printf(VNO_HEADER); + printf(PAD); if (key) { - (void) printf(KEY_HEADER); - (void) printf(PAD); + printf(KEY_HEADER); + printf(PAD); } - (void) printf(PRINC_HEADER); + printf(PRINC_HEADER); first_printed = 1; } - (void) printf(VNO_FORMAT, key_vno); - (void) printf(PAD); + printf(VNO_FORMAT, key_vno); + printf(PAD); if (key) { print_key(old_key); - (void) printf(PAD); + printf(PAD); } print_name(sname, sinst, srealm); - (void) printf("\n"); + printf("\n"); } else if (change) { - (void) printf("\nPrincipal: "); + snprintf(change_tkt, sizeof(change_tkt), + TKT_ROOT "_ksrvutil.%u", + (unsigned)getpid()); + krb_set_tkt_string(change_tkt); + destroyp = TRUE; + + printf("\nPrincipal: "); print_name(sname, sinst, srealm); - (void) printf("; version %d\n", key_vno); + printf("; version %d\n", key_vno); if (interactive) change_this_key = yn("Change this key?"); else if (change) 
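Review bot: The `snprintf(change_tkt, …, TKT_ROOT "_ksrvutil.%u", (unsigned)getpid())`, `krb_set_tkt_string(change_tkt)` and `destroyp = TRUE` sequence sits inside the per-entry `else if (change)` branch, so it is re-executed for every srvtab entry read; it depends on nothing in the loop and belongs once before the loop (whose head is outside this hunk), or at least behind `if (!destroyp)`. The ticket file name is also fully predictable from the pid, and whether the library creates that file with an exclusive create is not visible here, so it is worth confirming given that the directory `TKT_ROOT` names is presumably shared. The removed code set the name unconditionally at start-up; the new placement does at least avoid creating a ticket file for a plain `list`.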
@@ -479,167 +476,137 @@ main(int argc, char **argv) change_this_key = 0; if (change_this_key) - (void) printf("Changing to version %d.\n", key_vno + 1); + printf("Changing to version %d.\n", key_vno + 1); else if (change) - (void) printf("Not changing this key.\n"); + printf("Not changing this key.\n"); if (change_this_key) { - /* Initialize non shared random sequence old key. */ + /* + * This is not a good choice of seed when/if the + * key has been compromised so we also use a + * random sequence number! + */ des_init_random_number_generator(&old_key); - +#if 0 /* kth-krb has own addidtions to libdes */ + { + des_cblock seqnum; + des_generate_random_block(&seqnum); + des_set_sequence_number((unsigned char *)&seqnum); + } +#endif /* * Pick a new key and determine whether or not * it is safe to change */ if ((status = - get_svc_new_key(new_key, sname, sinst, + get_svc_new_key(&new_key, sname, sinst, srealm, keyfile)) == KADM_SUCCESS) key_vno++; else { - (void) bcopy(old_key, new_key, sizeof(new_key)); - (void) fprintf(stderr, "%s: Key NOT changed: %s\n", - argv[0], krb_err_txt[status]); + memcpy(new_key, old_key, sizeof(new_key)); + warnx ("Key NOT changed: %s\n", + krb_get_err_text(status)); change_this_key = FALSE; } } else - (void) bcopy(old_key, new_key, sizeof(new_key)); - append_srvtab(argv[0], work_keyfile, work_keyfile_fd, + memcpy(new_key, old_key, sizeof(new_key)); + append_srvtab(work_keyfile, work_keyfile_fd, sname, sinst, srealm, key_vno, new_key); if (key && change_this_key) { - (void) printf("Old key: "); + printf("Old key: "); print_key(old_key); - (void) printf("; new key: "); + printf("; new key: "); print_key(new_key); - (void) printf("\n"); + printf("\n"); } if (change_this_key) { if ((status = kadm_change_pw(new_key)) == KADM_SUCCESS) { - (void) printf("Key changed.\n"); - (void) dest_tkt(); + printf("Key changed.\n"); + dest_tkt(); } else { - com_err(argv[0], status, + com_err(progname, status, " attempting to change password."); - (void) 
dest_tkt(); + dest_tkt(); /* XXX This knows the format of a keyfile */ if (lseek(work_keyfile_fd, -9, SEEK_CUR) >= 0) { key_vno--; - safe_write(argv[0], work_keyfile, - work_keyfile_fd, (char *)&key_vno, 1); - safe_write(argv[0], work_keyfile, work_keyfile_fd, - (char *)old_key, sizeof(des_cblock)); - (void) fsync(work_keyfile_fd); - (void) fprintf(stderr,"Key NOT changed.\n"); - } - else { - (void)fprintf(stderr, - "%s: Unable to revert keyfile: %s\n", - argv[0], strerror(errno)); + safe_write(work_keyfile, + work_keyfile_fd, &key_vno, 1); + safe_write(work_keyfile, work_keyfile_fd, + old_key, sizeof(des_cblock)); + fsync(work_keyfile_fd); + fprintf(stderr,"Key NOT changed.\n"); + } else { + warn ("Unable to revert keyfile"); leave("", 1); } } } } - bzero((char *)old_key, sizeof(des_cblock)); - bzero((char *)new_key, sizeof(des_cblock)); + memset(old_key, 0, sizeof(des_cblock)); + memset(new_key, 0, sizeof(des_cblock)); } } else if (add) { do { do { safe_read_stdin("Name: ", databuf, sizeof(databuf)); - (void) strncpy(sname, databuf, sizeof(sname) - 1); - safe_read_stdin("Instance: ", databuf, sizeof(databuf)); - (void) strncpy(sinst, databuf, sizeof(sinst) - 1); + strncpy(sname, databuf, sizeof(sname) - 1); + sname[sizeof(sname) - 1] = '\0'; + if (strchr(sname, '.') != 0) { + strncpy(sinst, strchr(sname, '.') + 1, sizeof(sinst) - 1); + sinst[sizeof(sinst) - 1] = '\0'; + *(strchr(sname, '.')) = 0; + } else { + safe_read_stdin("Instance: ", databuf, sizeof(databuf)); + strncpy(sinst, databuf, sizeof(sinst) - 1); + sinst[sizeof(sinst) - 1] = '\0'; + } safe_read_stdin("Realm: ", databuf, sizeof(databuf)); - (void) strncpy(srealm, databuf, sizeof(srealm) - 1); + strncpy(srealm, databuf, sizeof(srealm) - 1); + srealm[sizeof(srealm) - 1] = '\0'; safe_read_stdin("Version number: ", databuf, sizeof(databuf)); key_vno = atoi(databuf); - if (!srealm[0]) - (void) strcpy(srealm, local_realm); - (void) printf("New principal: "); + if (key_vno == 0) + key_vno = 1; /* Version 
numbers are never 0 */ + if (!srealm[0]) { + strncpy(srealm, local_realm, sizeof(srealm) - 1); + srealm[sizeof(srealm) - 1] = '\0'; + } + printf("New principal: "); print_name(sname, sinst, srealm); - (void) printf("; version %d\n", key_vno); + printf("; version %d\n", key_vno); } while (!yn("Is this correct?")); - get_key_from_password(&new_key, afskey, srealm); + get_key_from_password(&new_key, cellname); if (key) { - (void) printf("Key: "); + printf("Key: "); print_key(new_key); - (void) printf("\n"); + printf("\n"); } - append_srvtab(argv[0], work_keyfile, work_keyfile_fd, + append_srvtab(work_keyfile, work_keyfile_fd, sname, sinst, srealm, key_vno, new_key); - (void) printf("Key successfully added.\n"); + printf("Key successfully added.\n"); } while (yn("Would you like to add another key?")); } else if (get) { - ksrvutil_get(); + ksrvutil_get(work_keyfile_fd, work_keyfile, + argc - optind, argv + optind); } if (change || list) - if (close(backup_keyfile_fd) < 0) { - (void) fprintf(stderr, "%s: Failure closing %s: %s\n", - argv[0], backup_keyfile, strerror(errno)); - (void) fprintf(stderr, "continuing...\n"); - } + if (close(backup_keyfile_fd) < 0) + warn ("close %s", backup_keyfile); if (change || add || get) { - if (close(work_keyfile_fd) < 0) { - (void) fprintf(stderr, "%s: Failure closing %s: %s\n", - argv[0], work_keyfile, strerror(errno)); - exit(1); - } - if (rename(work_keyfile, keyfile) < 0) { - (void) fprintf(stderr, "%s: Failure renaming %s to %s: %s\n", - argv[0], work_keyfile, keyfile, - strerror(errno)); - exit(1); - } - (void) chmod(backup_keyfile, keyfile_mode); - (void) chmod(keyfile, keyfile_mode); - (void) printf("Old keyfile in %s.\n", backup_keyfile); + if (close(work_keyfile_fd) < 0) + err (1, "close %s", work_keyfile); + if (rename(work_keyfile, keyfile) < 0) + err (1, "rename(%s, %s)", work_keyfile, keyfile); + chmod(backup_keyfile, keyfile_mode); + chmod(keyfile, keyfile_mode); + printf("Old keyfile in %s.\n", backup_keyfile); } - - 
exit(0); -} - -ksrvutil_get() -{ - char sname[ANAME_SZ]; /* name of service */ - char sinst[INST_SZ]; /* instance of service */ - char srealm[REALM_SZ]; /* realm of service */ - char databuf[BUFSIZ]; - char local_realm[REALM_SZ]; /* local kerberos realm */ - char local_hostname[100]; - - if (krb_get_lrealm(local_realm, 1) != KSUCCESS) - strcpy(local_realm, ""); - gethostname(local_hostname, sizeof(local_hostname)); - strcpy(local_hostname, krb_get_phost(local_hostname)); - do { - do { - safe_read_stdin("Name [rcmd]: ", databuf, sizeof(databuf)); - if (databuf[0]) - strncpy(sname, databuf, sizeof(sname) - 1); - else - strcpy(sname, "rcmd"); - - safe_read_stdin("Instance [hostname]: ", databuf, sizeof(databuf)); - if (databuf[0]) - strncpy(sinst, databuf, sizeof(sinst) - 1); - else - strcpy(sinst, local_hostname); - - safe_read_stdin("Realm [localrealm]: ", databuf, sizeof(databuf)); - if (databuf[0]) - strncpy(srealm, databuf, sizeof(srealm) - 1); - else - strcpy(srealm, local_realm); - - printf("New principal: "); - print_name(sname, sinst, srealm); - } while (!yn("Is this correct?")); - printf("NOT adding anything!!! Key successfully added.\n"); - } while (yn("Would you like to add another key?")); + return 0; } diff --git a/kerberosIV/ksrvutil/ksrvutil_get.c b/kerberosIV/ksrvutil/ksrvutil_get.c new file mode 100644 index 00000000000..b199e713077 --- /dev/null +++ b/kerberosIV/ksrvutil/ksrvutil_get.c 
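Review bot: The new comment above `des_init_random_number_generator(&old_key)` says the old key is a poor seed once it has been compromised, yet the mitigation it introduces is wrapped in `#if 0`, so the replacement key is still drawn from a generator seeded only by the key being replaced. If OpenBSD's libdes lacks the `des_generate_random_block`/`des_set_sequence_number` additions the comment refers to, the comment should state that and the generator should be seeded from an entropy source independent of the old key; otherwise the `#if 0` should become a real feature conditional rather than dead code. Separately, `warnx ("Key NOT changed: %s\n", …)` carries a trailing `\n` although `warnx()` already terminates its message with a newline, so the output gains an empty line; dropping the `\n` matches the `fprintf(stderr,"Key NOT changed.\n")` in the revert path. main() begins outside this hunk.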
@@ -0,0 +1,429 @@
+/* $OpenBSD: ksrvutil_get.c,v 1.1 1997/12/17 07:50:17 art Exp $ */
+/* $KTH: ksrvutil_get.c,v 1.35 1997/12/05 04:27:02 assar Exp $ */
+
+/*
+ * Copyright (c) 1995, 1996, 1997 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the Kungliga Tekniska
+ * Högskolan and its contributors.
+ *
+ * 4. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kadm_locl.h"
+#include "ksrvutil.h"
+
+#define BAD_PW 1
+#define GOOD_PW 0
+#define FUDGE_VALUE 15 /* for ticket expiration time */
+#define PE_NO 0
+#define PE_YES 1
+#define PE_UNSURE 2
+
+static char tktstring[128];
+
+static int
+princ_exists(char *name, char *instance, char *realm)
+{
+ int status;
+
+ status = krb_get_pw_in_tkt(name, instance, realm,
+ KRB_TICKET_GRANTING_TICKET,
+ realm, 1, "");
+
+ if ((status == KSUCCESS) || (status == INTK_BADPW))
+ return(PE_YES);
+ else if (status == KDC_PR_UNKNOWN)
+ return(PE_NO);
+ else
+ return(PE_UNSURE);
+}
+
+static int
+get_admin_password(char *myname, char *myinst, char *myrealm)
+{
+ int status;
+ char admin_passwd[MAX_KPW_LEN]; /* Admin's password */
+ int ticket_life = 1; /* minimum ticket lifetime */
+ char buf[1024];
+ CREDENTIALS c;
+
+ if (princ_exists(myname, myinst, myrealm) != PE_NO) {
+ snprintf(buf, sizeof(buf), "Password for %s: ",
+ krb_unparse_name_long (myname, myinst, myrealm));
+ if (des_read_pw_string(admin_passwd, sizeof(admin_passwd)-1,
+ buf, 0)) {
+ fprintf(stderr, "Error reading admin password.\n");
+ goto bad;
+ }
+ status = krb_get_pw_in_tkt(myname, myinst, myrealm, PWSERV_NAME,
+ KADM_SINST, ticket_life, admin_passwd);
+ memset(admin_passwd, 0, sizeof(admin_passwd));
+
+ /* Initialize non shared random sequence from session key. */
+ memset(&c, 0, sizeof(c));
+ krb_get_cred(PWSERV_NAME, KADM_SINST, myrealm, &c);
+ des_init_random_number_generator(&c.session);
+ }
+ else
+ status = KDC_PR_UNKNOWN;
+
+ switch(status) {
+ case GT_PW_OK:
+ return(GOOD_PW);
+ case KDC_PR_UNKNOWN:
+ printf("Principal %s does not exist.\n",
+ krb_unparse_name_long(myname, myinst, myrealm));
+ goto bad;
+ case GT_PW_BADPW:
+ printf("Incorrect admin password.\n");
+ goto bad;
+ default:
+ com_err("kadmin", status+krb_err_base,
+ "while getting password tickets");
+ goto bad;
+ }
+
+bad:
+ memset(admin_passwd, 0, sizeof(admin_passwd));
+ dest_tkt();
+ return(BAD_PW);
+}
+
+static void
+srvtab_put_key (int fd, char *filename, char *name, char *inst, char *realm,
+ int8_t kvno, des_cblock key)
+{
+ char sname[ANAME_SZ]; /* name of service */
+ char sinst[INST_SZ]; /* instance of service */
+ char srealm[REALM_SZ]; /* realm of service */
+ int8_t skvno;
+ des_cblock skey;
+
+ lseek(fd, 0, SEEK_SET);
+
+ while(getst(fd, sname, SNAME_SZ) > 0 &&
+ getst(fd, sinst, INST_SZ) > 0 &&
+ getst(fd, srealm, REALM_SZ) > 0 &&
+ read(fd, &skvno, sizeof(skvno)) > 0 &&
+ read(fd, skey, sizeof(skey)) > 0) {
+ if(strcmp(name, sname) == 0 &&
+ strcmp(inst, sinst) == 0 &&
+ strcmp(realm, srealm) == 0) {
+ lseek(fd, lseek(fd,0,SEEK_CUR)-(sizeof(skvno) + sizeof(skey)), SEEK_SET);
+ safe_write(filename, fd, &kvno, sizeof(kvno));
+ safe_write(filename, fd, key, sizeof(des_cblock));
+ return;
+ }
+ }
+ safe_write(filename, fd, name, strlen(name) + 1);
+ safe_write(filename, fd, inst, strlen(inst) + 1);
+ safe_write(filename, fd, realm, strlen(realm) + 1);
+ safe_write(filename, fd, &kvno, sizeof(kvno));
+ safe_write(filename, fd, key, sizeof(des_cblock));
+}
+
+/*
+ * node list of services
+ */
+
+struct srv_ent{
+ char name[SNAME_SZ];
+ char inst[INST_SZ];
+ char realm[REALM_SZ];
+ struct srv_ent *next;
+};
+
+static int
+key_to_key(char *user, char *instance, char *realm, void *arg,
+ des_cblock *key)
+{
+ memcpy(key, arg, sizeof(des_cblock));
+ return 0;
+}
+
+static void
+get_srvtab_ent(int fd, char *filename, char *name, char *inst, char *realm)
+{
+ char chname[128];
+ des_cblock newkey;
+ char old_tktfile[MAXPATHLEN], new_tktfile[MAXPATHLEN];
+ char garbage_name[ANAME_SZ];
+ char garbage_inst[ANAME_SZ];
+ CREDENTIALS c;
+ u_int8_t kvno;
+ Kadm_vals values;
+ int ret;
+
+ strncpy(chname, krb_get_phost(inst), sizeof(chname) - 1);
+ chname[sizeof(chname) - 1] = '\0';
+ if(strcmp(inst, chname))
+ fprintf(stderr,
+ "Warning: Are you sure `%s' should not be `%s'?\n",
+ inst, chname);
+
+ memset(&values, 0, sizeof(values));
+ strncpy(values.name, name, ANAME_SZ - 1);
+ values.name[ANAME_SZ - 1] = '\0';
+ strncpy(values.instance, inst, INST_SZ - 1);
+ values.instance[INST_SZ - 1] = '\0';
+ des_new_random_key(&newkey);
+ values.key_low = (newkey[0] << 24) | (newkey[1] << 16)
+ | (newkey[2] << 8) | (newkey[3] << 0);
+ values.key_high = (newkey[4] << 24) | (newkey[5] << 16)
+ | (newkey[6] << 8) | (newkey[7] << 0);
+
+ SET_FIELD(KADM_NAME,values.fields);
+ SET_FIELD(KADM_INST,values.fields);
+ SET_FIELD(KADM_DESKEY,values.fields);
+
+ ret = kadm_mod(&values, &values);
+ if(ret == KADM_NOENTRY)
+ ret = kadm_add(&values);
+ if (ret != KSUCCESS) {
+ warnx ("Couldn't get srvtab entry for %s.%s: %s",
+ name, inst, error_message(ret));
+ return;
+ }
+
+ values.key_low = values.key_high = 0;
+
+ /* get the key version number */
+
+ {
+ int old = krb_use_admin_server(1);
+ strncpy(old_tktfile, tkt_string(), sizeof(old_tktfile) - 1);
+ old_tktfile[sizeof(old_tktfile) - 1] = '\0';
+ snprintf(new_tktfile, sizeof(new_tktfile),
+ TKT_ROOT "_ksrvutil-get.%u",
+ (unsigned)getpid());
+ krb_set_tkt_string(new_tktfile);
+
+ ret = krb_get_in_tkt(name, inst, realm, name, inst,
+ 1, key_to_key, NULL, &newkey);
+ krb_use_admin_server(old);
+ }
+
+ if (ret == KSUCCESS &&
+ (ret = tf_init(tkt_string(), R_TKT_FIL)) == KSUCCESS &&
+ (ret = tf_get_pname(garbage_name)) == KSUCCESS &&
+ (ret = tf_get_pinst(garbage_inst)) == KSUCCESS &&
+ (ret = tf_get_cred(&c)) == KSUCCESS)
+ kvno = c.kvno;
+ else {
+ warnx ("Could not find the cred in the ticket file");
+ return;
+ }
+
+ tf_close();
+ krb_set_tkt_string(old_tktfile);
+ unlink(new_tktfile);
+
+ if(ret != KSUCCESS) {
+ memset(&newkey, 0, sizeof(newkey));
+ warnx ("Could not get a ticket for %s: %s\n",
+ krb_unparse_name_long(name, inst, realm),
+ krb_get_err_text(ret));
+ return;
+ }
+
+ /* Write the new key & c:o to the srvtab file */
+
+ srvtab_put_key (fd, filename, name, inst, realm, kvno, newkey);
+ memset(&newkey, 0, sizeof(newkey));
+
+ fprintf (stderr, "Added %s\n", krb_unparse_name_long (name, inst, realm));
+}
+
+static void
+ksrvutil_kadm(int fd, char *filename, struct srv_ent *p)
+{
+ int ret;
+ CREDENTIALS c;
+
+ ret = kadm_init_link(PWSERV_NAME, KADM_SINST, u_realm);
+ if (ret != KADM_SUCCESS) {
+ warnx("Couldn't initialize kadmin link: %s", error_message(ret));
+ leave(NULL, 1);
+ }
+
+ ret = krb_get_cred (PWSERV_NAME, KADM_SINST, u_realm, &c);
+ if (ret == KSUCCESS)
+ des_init_random_number_generator (&c.session);
+ else {
+ umask(077);
+
+ /*
+ * create ticket file and get admin tickets
+ */
+ snprintf(tktstring, sizeof(tktstring), TKT_ROOT "_ksrvutil_%d", (int)getpid());
+ krb_set_tkt_string(tktstring);
+ destroyp = TRUE;
+
+ ret = get_admin_password(u_name, u_inst, u_realm);
+ if (ret) {
+ warnx("Couldn't get admin password.");
+ leave(NULL, 1);
+ }
+ }
+ for(;p;){
+ get_srvtab_ent(fd, filename, p->name, p->inst, p->realm);
+ p=p->next;
+ }
+ unlink(tktstring);
+}
+
+static void
+parseinput (char *result, size_t sz, char *val, char *def)
+{
+ char *lim;
+ int inq;
+
+ if (val[0] == '\0') {
+ strncpy (result, def, sz-1);
+ result[sz - 1] = '\0';
+ return;
+ }
+ lim = result + sz - 1;
+ inq = 0;
+ while(*val && result < lim) {
+ switch(*val) {
+ case '\'' :
+ inq = !inq;
+ ++val;
+ break;
+ case '\\' :
+ if(!inq)
+ val++;
+ default:
+ *result++ = *val++;
+ break;
+ }
+ }
+ *result = '\0';
+}
+
+void
+ksrvutil_get(int fd, char *filename, int argc, char **argv)
+{
+ char sname[ANAME_SZ]; /* name of service */
+ char sinst[INST_SZ]; /* instance of service */
+ char srealm[REALM_SZ]; /* realm of service */
+ char databuf[BUFSIZ];
+ char local_hostname[MAXHOSTNAMELEN];
+ char prompt[100];
+ struct srv_ent *head=NULL;
+ int i;
+
+ gethostname(local_hostname, sizeof(local_hostname));
+ strncpy(local_hostname,
+ krb_get_phost(local_hostname),
+ sizeof(local_hostname) - 1);
+ local_hostname[sizeof(local_hostname) - 1] = '\0';
+
+ if (argc)
+ for(i=0; i < argc; ++i) {
+ struct srv_ent *p=malloc(sizeof(*p));
+
+ if(p == NULL) {
+ warnx ("out of memory in malloc");
+ leave(NULL,1);
+ }
+ p->next = head;
+ strncpy (p->realm, u_realm, REALM_SZ - 1);
+ p->realm[REALM_SZ - 1] = '\0';
+ if (kname_parse (p->name, p->inst, p->realm, argv[i]) !=
+ KSUCCESS) {
+ warnx ("parse error on '%s'\n", argv[i]);
+ free(p);
+ p = NULL;
+ continue;
+ }
+ if (p->name[0] == '\0') {
+ strncpy(p->name, "rcmd", ANAME_SZ - 1);
+ p->name[ANAME_SZ - 1] = '\0';
+ }
+ if (p->inst[0] == '\0') {
+ strncpy(p->inst, local_hostname, INST_SZ - 1);
+ p->inst[INST_SZ - 1] = '\0';
+ }
+ if (p->realm[0] == '\0') {
+ strncpy(p->realm, u_realm, REALM_SZ - 1);
+ p->realm[REALM_SZ - 1] = '\0';
+ }
+ head = p;
+ }
+
+ else
+ do{
+ safe_read_stdin("Name [rcmd]: ", databuf, sizeof(databuf));
+ parseinput (sname, sizeof(sname), databuf, "rcmd");
+
+ snprintf(prompt, sizeof(prompt), "Instance [%s]: ", local_hostname);
+ safe_read_stdin(prompt, databuf, sizeof(databuf));
+ parseinput (sinst, sizeof(sinst), databuf, local_hostname);
+
+ snprintf(prompt, sizeof(prompt), "Realm [%s]: ", u_realm);
+ safe_read_stdin(prompt, databuf, sizeof(databuf));
+ parseinput (srealm, sizeof(srealm), databuf, u_realm);
+
+ if(yn("Is this correct?")){
+ struct srv_ent *p=(struct srv_ent*)malloc(sizeof(struct srv_ent));
+ if (p == NULL) {
+ warnx ("out of memory in malloc");
+ leave(NULL,1);
+ }
+ p->next=head;
+ head=p;
+ strncpy(p->name, sname, ANAME_SZ - 1);
+ p->name[ANAME_SZ - 1] = '\0';
+ strncpy(p->inst, sinst, INST_SZ - 1);
+ p->inst[INST_SZ - 1] = '\0';
+ strncpy(p->realm, srealm, REALM_SZ - 1);
+ p->realm[REALM_SZ - 1] = '\0';
+ }
+ }while(ny("Add more keys?"));
+
+
+ ksrvutil_kadm(fd, filename, head);
+
+ {
+ struct srv_ent *p=head, *q;
+ while(p){
+ q=p;
+ p=p->next;
+ free(q);
+ q = NULL;
+ }
+ }
+
+} |
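Review bot: The `else { warnx ("Could not find the cred in the ticket file"); return; }` branch in get_srvtab_ent returns before `tf_close()`, `krb_set_tkt_string(old_tktfile)` and `unlink(new_tktfile)` run, so a failed lookup leaves the temporary ticket file under TKT_ROOT on disk, leaves the process's ticket string pointing at that file (the next entry in ksrvutil_kadm's loop then saves that path as its `old_tktfile`), and skips the `memset(&newkey, ...)` that wipes a service key the KDC has already been updated with. It also makes the following `if(ret != KSUCCESS)` block unreachable, since every failure has already returned. Running the cleanup unconditionally before the error check fixes both; the sketch below assumes tf_close() tolerates being called when tf_init failed, which should be confirmed against the krb library. Separately, parseinput's `case '\\'` advances `val` past a trailing backslash onto the terminator and then falls into `default`, which copies the NUL and steps beyond it so the `while(*val ...)` condition reads past the end of the input; `if(!inq && val[1] != '\0') val++;` avoids that, and the intentional fallthrough deserves a `/* FALLTHROUGH */` comment.
```c
        (ret = tf_get_cred(&c)) == KSUCCESS)
        kvno = c.kvno;          /* no else: failures fall through to the cleanup */

    /* undo the temporary ticket file on every path, not only on success */
    tf_close();
    krb_set_tkt_string(old_tktfile);
    unlink(new_tktfile);

    if (ret != KSUCCESS) {
        memset(&newkey, 0, sizeof(newkey));
        warnx ("Could not get a ticket for %s: %s",
               krb_unparse_name_long(name, inst, realm),
               krb_get_err_text(ret));
        return;
    }
    /* … unchanged: srvtab_put_key call, final memset, "Added" message … */
```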