-rw-r--r-- | libexec/login_krb4-or-pwd/Makefile | 19 | ||||
-rw-r--r-- | libexec/login_krb4/Makefile | 18 | ||||
-rw-r--r-- | libexec/login_krb4/klogin.c | 281 | ||||
-rw-r--r-- | libexec/login_krb4/login_krb4.c | 293 | ||||
-rw-r--r-- | libexec/login_krb5-or-pwd/Makefile | 8 | ||||
-rw-r--r-- | libexec/login_krb5/Makefile | 6 | ||||
-rw-r--r-- | libexec/login_krb5/login_krb5.c | 184 | ||||
-rw-r--r-- | libexec/login_passwd/Makefile | 5 | ||||
-rw-r--r-- | libexec/login_passwd/common.h | 67 | ||||
-rw-r--r-- | libexec/login_passwd/login.c | 169 | ||||
-rw-r--r-- | libexec/login_passwd/login_passwd.c | 166 |
11 files changed, 338 insertions, 878 deletions
diff --git a/libexec/login_krb4-or-pwd/Makefile b/libexec/login_krb4-or-pwd/Makefile index 9bb2745a9bc..0c7e33043eb 100644 --- a/libexec/login_krb4-or-pwd/Makefile +++ b/libexec/login_krb4-or-pwd/Makefile @@ -1,21 +1,12 @@ -# $OpenBSD: Makefile,v 1.1 2001/06/24 23:31:45 hin Exp $ +# $OpenBSD: Makefile,v 1.2 2001/06/26 05:03:27 hin Exp $ PROG= login_krb4-or-pwd -SRCS= login_krb4.c +SRCS= login_krb4.c login_passwd.c login.c MAN= login_krb4-or-pwd.8 DPADD= ${LIBUTIL} -LDADD= -lutil -.PATH: ${.CURDIR}/../login_krb4 - -.include <bsd.own.mk> # For KERBEROS - -CFLAGS+=-Wall -DPASSWD -.if (${KERBEROS:L} == "yes") -CFLAGS+=-DKERBEROS -SRCS+= klogin.c -DPADD+= ${LIBKRB} ${LIBDES} -LDADD+= -lkrb -ldes -.endif +LDADD= -lutil -lkrb -lcrypto +CFLAGS+=-Wall -Werror -DPASSWD -DKRB4 -I${.CURDIR}/../login_passwd +.PATH: ${.CURDIR}/../login_krb4 ${.CURDIR}/../login_passwd BINOWN= root BINGRP= auth diff --git a/libexec/login_krb4/Makefile b/libexec/login_krb4/Makefile index f27acb57102..1d1a7f41653 100644 --- a/libexec/login_krb4/Makefile +++ b/libexec/login_krb4/Makefile @@ -1,20 +1,12 @@ -# $OpenBSD: Makefile,v 1.1 2001/06/24 23:26:22 hin Exp $ +# $OpenBSD: Makefile,v 1.2 2001/06/26 05:03:26 hin Exp $ PROG= login_krb4 -SRCS= login_krb4.c +SRCS= login_krb4.c login.c MAN= ${PROG}.8 DPADD= ${LIBUTIL} -LDADD= -lutil - -.include <bsd.own.mk> # For KERBEROS - -CFLAGS+=-Wall -.if (${KERBEROS:L} == "yes") -CFLAGS+=-DKERBEROS -SRCS+= klogin.c -DPADD+= ${LIBKRB} ${LIBDES} -LDADD+= -lkrb -ldes -.endif +LDADD= -lutil -lkrb -lcrypto +CFLAGS+=-DKRB4 -Wall -Werror -I${.CURDIR}/../login_passwd +.PATH: ${.CURDIR}/../login_passwd BINOWN= root BINGRP= auth diff --git a/libexec/login_krb4/klogin.c b/libexec/login_krb4/klogin.c deleted file mode 100644 index 90c7c48a11f..00000000000 --- a/libexec/login_krb4/klogin.c +++ /dev/null 
@@ -1,281 +0,0 @@ -/* $OpenBSD: klogin.c,v 1.1 2001/06/24 23:26:22 hin Exp $ */ - -/*- - * Copyright (c) 1990, 1993, 1994 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. 
- */ - -#ifndef lint -#if 0 -static char sccsid[] = "@(#)klogin.c 8.3 (Berkeley) 4/2/94"; -#endif -static char rcsid[] = "$OpenBSD: klogin.c,v 1.1 2001/06/24 23:26:22 hin Exp $"; -#endif /* not lint */ - -#ifdef KERBEROS -#include <sys/param.h> -#include <sys/syslog.h> -#include <des.h> -#include <kerberosIV/krb.h> -#include <kerberosIV/kafs.h> - -#include <err.h> -#include <netdb.h> -#include <pwd.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <unistd.h> - -#include <sys/types.h> -#include <sys/stat.h> -#include <fcntl.h> - -#define INITIAL_TICKET "krbtgt" -#define VERIFY_SERVICE "rcmd" - -extern int notickets; -extern int always_use_klogin; -extern char *krbtkfile_env; -static char realm[REALM_SZ]; - -int koktologin __P((char *, char *, char *)); - -/* - * Attempt to log the user in using Kerberos authentication - * - * return 0 on success (will be logged in) - * 1 if Kerberos failed (try local password in login) - */ -int -klogin(pw, instance, localhost, password) - struct passwd *pw; - char *instance, *localhost, *password; -{ - int kerror, fd; - AUTH_DAT authdata; - KTEXT_ST ticket; - struct hostent *hp; - unsigned long faddr; - char savehost[MAXHOSTNAMELEN]; - char tkt_location[MAXPATHLEN]; - char *tty; - char *user = strcmp(instance, "root") == 0 ? instance : pw->pw_name; - char *krb_get_phost(); - - /* - * Root logins don't use Kerberos (or at least shouldn't be - * sending kerberos passwords around in cleartext), so don't - * allow any root logins here (keeping in mind that we only - * get here with a password). - * - * If we have a realm, try getting a ticket-granting ticket - * and using it to authenticate. Otherwise, return - * failure so that we can try the normal passwd file - * for a password. If that's ok, log the user in - * without issuing any tickets. 
- */ - if (pw->pw_uid == 0 || - (realm[0] == '\0' && krb_get_lrealm(realm, 0) != KSUCCESS)) - return (1); - - tty = ttyname(STDIN_FILENO); - if (tty == NULL || *tty == '\0') - tty = "??"; - else if ((tty = strrchr(tty, '/'))) - tty++; - - /* - * get TGT for local realm - * tickets are stored in a file named TKT_ROOT plus uid plus tty - * except for user.root tickets. - */ - - if (strcmp(instance, "root") != 0) - snprintf(tkt_location, sizeof(tkt_location), "%s%d.%s", - TKT_ROOT, pw->pw_uid, tty); - else { - snprintf(tkt_location, sizeof(tkt_location), "%s_root_%d.%s", - TKT_ROOT, pw->pw_uid, tty); - krbtkfile_env = tkt_location; - } - (void)krb_set_tkt_string(tkt_location); - - /* - * Set real as well as effective ID to 0 for the moment, - * to make the kerberos library do the right thing. - */ - if (setuid(0) < 0) { - warnx("setuid"); - return (1); - } - kerror = krb_get_pw_in_tkt(pw->pw_name, instance, - realm, INITIAL_TICKET, realm, DEFAULT_TKT_LIFE, password); - /* - * If we got a TGT, get a local "rcmd" ticket and check it so as to - * ensure that we are not talking to a bogus Kerberos server. - * - * There are 2 cases where we still allow a login: - * 1: the VERIFY_SERVICE doesn't exist in the KDC - * 2: local host has no srvtab, as (hopefully) indicated by a - * return value of RD_AP_UNDEC from krb_rd_req(). - */ - if (kerror != INTK_OK) { - if (kerror != INTK_BADPW && kerror != KDC_PR_UNKNOWN) { - syslog(LOG_ERR, "Kerberos intkt error: %s", - krb_err_txt[kerror]); - dest_tkt(); - } - return (1); - } - - /* - * Set the owner of the ticket file to root but bail if someone - * has nefariously swapped a link in place of the file. 
- */ - fd = open(TKT_FILE, O_RDWR|O_NOFOLLOW, 0); - if (fd == -1) { - syslog(LOG_ERR, "unable to open ticket file: %m"); - dest_tkt(); - return (1); - } - if (fchown(fd, pw->pw_uid, pw->pw_gid) < 0) - syslog(LOG_ERR, "fchown tkfile (%s): %m", TKT_FILE); - close(fd); - - (void)strlcpy(savehost, krb_get_phost(localhost), sizeof(savehost)); - - /* - * if the "VERIFY_SERVICE" doesn't exist in the KDC for this host, - * still allow login with tickets, but log the error condition. - */ - - kerror = krb_mk_req(&ticket, VERIFY_SERVICE, savehost, realm, 33); - if (kerror == KDC_PR_UNKNOWN) { - syslog(LOG_NOTICE, - "warning: TGT not verified (%s); %s.%s not registered, or srvtab is wrong?", - krb_err_txt[kerror], VERIFY_SERVICE, savehost); - if (koktologin(pw->pw_name, instance, user)) - return (1); - notickets = 0; - /* - * but for security, don't allow root instances in under - * this condition! - */ - if (strcmp(instance, "root") == 0) { - syslog(LOG_ERR, "Kerberos %s root instance login refused", - pw->pw_name); - dest_tkt(); - return (1); - } - /* Otherwise, leave ticket around, but make sure - * password matches the Unix password. 
*/ - return (1); - } - - if (kerror != KSUCCESS) { - warnx("unable to use TGT: (%s)", krb_err_txt[kerror]); - syslog(LOG_NOTICE, "unable to use TGT: (%s)", - krb_err_txt[kerror]); - dest_tkt(); - return (1); - } - - if (!(hp = gethostbyname(localhost))) { - syslog(LOG_ERR, "couldn't get local host address"); - dest_tkt(); - return (1); - } - - memmove((void *)&faddr, (void *)hp->h_addr, sizeof(faddr)); - - kerror = krb_rd_req(&ticket, VERIFY_SERVICE, savehost, faddr, - &authdata, ""); - - if (kerror == KSUCCESS) { - if (koktologin(pw->pw_name, instance, user)) - return (1); - - notickets = 0; - return (0); - } - - /* undecipherable: probably didn't have a srvtab on the local host */ - if (kerror == RD_AP_UNDEC) { - syslog(LOG_NOTICE, "krb_rd_req: (%s)", krb_err_txt[kerror]); - dest_tkt(); - return (1); - } - /* failed for some other reason */ - warnx("unable to verify %s ticket: (%s)", VERIFY_SERVICE, - krb_err_txt[kerror]); - syslog(LOG_NOTICE, "couldn't verify %s ticket: %s", VERIFY_SERVICE, - krb_err_txt[kerror]); - dest_tkt(); - return (1); -} - -int -koktologin(name, instance, user) - char *name, *instance, *user; -{ - AUTH_DAT *kdata; - AUTH_DAT kdata_st; - - if (realm[0] == '\0' && krb_get_lrealm(realm, 0) != KSUCCESS) - return(1); - - if (always_use_klogin == 0 && *instance == '\0') - return (0); - - kdata = &kdata_st; - memset((char *)kdata, 0, sizeof(*kdata)); - (void)strlcpy(kdata->pname, name, sizeof(kdata->pname)); - (void)strlcpy(kdata->pinst, instance, sizeof(kdata->pinst)); - (void)strlcpy(kdata->prealm, realm, sizeof(kdata->prealm)); - if (kuserok(kdata, user)) { - warnx("not in %s's ACL", user); - dest_tkt(); - return (1); - } - return (0); -} - -int -krb_configured() -{ - - if (realm[0] != '\0') - return(KSUCCESS); - else - return (krb_get_lrealm(realm, 0)); -} -#endif diff --git a/libexec/login_krb4/login_krb4.c b/libexec/login_krb4/login_krb4.c index efebd843046..2e222bae2ad 100644 --- a/libexec/login_krb4/login_krb4.c 
+++ b/libexec/login_krb4/login_krb4.c @@ -1,7 +1,8 @@ -/* $OpenBSD: login_krb4.c,v 1.1 2001/06/24 23:26:23 hin Exp $ */ +/* $OpenBSD: login_krb4.c,v 1.2 2001/06/26 05:03:26 hin Exp $ */ /*- - * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved. + * Copyright (c) 2001 Hans Insulander <hin@openbsd.org>. + * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -11,18 +12,11 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Berkeley Software Design, - * Inc. - * 4. The name of Berkeley Software Design, Inc. may not be used to endorse - * or promote products derived from this software without specific prior - * written permission. * - * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
@@ -30,253 +24,70 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * BSDI $From: login_kerberos.c,v 1.15 1997/08/08 18:58:22 prb Exp $ */ -#include <sys/param.h> -#include <sys/stat.h> -#include <sys/time.h> -#include <sys/resource.h> -#include <sys/file.h> -#include <sys/wait.h> - -#include <err.h> -#include <errno.h> -#include <pwd.h> -#include <signal.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> -#include <util.h> -#include <login_cap.h> -#include <bsd_auth.h> +#include "common.h" +#include <fcntl.h> -#ifdef KERBEROS #include <kerberosIV/krb.h> -#endif - -int klogin __P((struct passwd *, char *, char *, char *)); -int krb_configured __P((void)); -int koktologin __P((char *, char *, char *)); - -int always_use_klogin; -int notickets = 1; -char *krbtkfile_env; -int authok; int -main(argc, argv) - int argc; - char *argv[]; +krb4_login(char *username, char *password, char *invokinguser, int new_tickets) { - FILE *back; + int ret; + char realm[REALM_SZ]; + char tkfile[MAXPATHLEN]; + char *instance, *targetuser; struct passwd *pwd; - char *p, *class, *username, *instance, *wheel; - char localhost[MAXHOSTNAMELEN], response[1024]; - int c, krb_configed = 0, mode, rval, lastchance; - struct rlimit rl; - login_cap_t *lc; - - rl.rlim_cur = 0; - rl.rlim_max = 0; - (void)setrlimit(RLIMIT_CORE, &rl); - - (void)signal(SIGQUIT, SIG_IGN); - (void)signal(SIGINT, SIG_IGN); - (void)setpriority(PRIO_PROCESS, 0, 0); - - openlog(NULL, LOG_ODELAY, LOG_AUTH); - - if (gethostname(localhost, sizeof(localhost)) < 0) - syslog(LOG_ERR, "couldn't get local hostname: %m"); - - class = NULL; - username = NULL; - instance = NULL; - wheel = NULL; - mode = 0; - rval = 1; - back = NULL; - p = NULL; - lastchance = 0; - - while ((c = getopt(argc, argv, "dv:s:")) != -1) - switch(c) { - case 'd': - back = stdout; - 
break; + int fd; - case 'v': - if (strncmp(optarg, "wheel=", 6) == 0) - wheel = optarg + 6; - else if (strncmp(optarg, "lastchance=", 10) == 0) - lastchance = (strcmp(optarg + 10, "yes") == 0); - break; - case 's': /* service */ - if (strcmp(optarg, "login") == 0) - mode = 0; - else if (strcmp(optarg, "challenge") == 0) - mode = 1; - else if (strcmp(optarg, "response") == 0) - mode = 2; - else { - syslog(LOG_ERR, "invalid service: %s", optarg); - exit(1); - } - break; - default: - syslog(LOG_ERR, "usage error"); - exit(1); - } - - switch(argc - optind) { - case 2: - class = argv[optind + 1]; - case 1: - username = argv[optind]; - break; - default: - syslog(LOG_ERR, "usage error"); - exit(1); - } - - instance = strchr(username, '.'); - if (instance) - *instance++ = '\0'; - else - instance = ""; - - if (back == NULL && (back = fdopen(3, "r+")) == NULL) { - syslog(LOG_ERR, "reopening back channel: %m"); - exit(1); - } + /* Check if we can open the srvtab file */ + if((fd = open(KEYFILE, O_RDONLY, 0400)) < 0) + return AUTH_FAILED; + close(fd); pwd = getpwnam(username); - if (pwd) - pwd = pw_dup(pwd); - if (class && pwd) - pwd->pw_class = class; - - if (pwd == NULL || (lc = login_getclass(pwd->pw_class)) == NULL) - always_use_klogin = 1; - else - always_use_klogin = login_getcapbool(lc, "alwaysuseklogin", 0); - -#if defined(KERBEROS) - krb_configed = (krb_configured() != KFAILURE); -#endif + tkfile[0] = '\0'; -#if defined(PASSWD) - if (wheel != NULL && strcmp(wheel, "yes") != 0 && - (!krb_configed || pwd == NULL || - koktologin(pwd->pw_name, instance, - strcmp(instance, "root") == 0 ? 
instance : pwd->pw_name))) { - fprintf(back, BI_VALUE " errormsg %s\n", - auth_mkvalue("you are not in group wheel")); - fprintf(back, BI_REJECT "\n"); - exit(1); + targetuser = username; + if(krb_get_lrealm(realm, 1)){ + syslog(LOG_INFO, "krb_get_lrealm failed"); } - if (*instance == '\0' && pwd && *pwd->pw_passwd == '\0') { - fprintf(back, BI_AUTH "\n"); - exit(0); - } -#else - if (!krb_configed) { - syslog(LOG_ERR, "Kerberos not configured"); - exit(1); - } - if (koktologin(pwd->pw_name, instance, strcmp(instance, "root") == 0 ? - instance : pwd->pw_name)) { - fprintf(back, BI_REJECT "\n"); - exit(1); - } -#endif - - if (mode == 1) { - fprintf(back, BI_SILENT "\n"); - exit(0); + if(new_tickets) { + snprintf(tkfile, sizeof(tkfile), "%s%d", TKT_ROOT, + pwd ? pwd->pw_uid : getuid()); + krb_set_tkt_string(tkfile); + unlink(tkfile); } - (void)setpriority(PRIO_PROCESS, 0, -4); - - if (mode == 2) { - mode = 0; - c = -1; - while (++c < sizeof(response) && - read(3, &response[c], 1) == 1) { - if (response[c] == '\0' && ++mode == 2) - break; - if (response[c] == '\0' && mode == 1) - p = response + c + 1; - } - if (mode < 2) { - syslog(LOG_ERR, "protocol error on back channel"); - exit(1); - } + if(strcmp(username, "root") == 0) { + instance = "root"; + username = invokinguser; } else -#if defined(PASSWD) - p = getpass("Password:"); -#else - p = getpass("Kerberos Password:"); -#endif - - if (pwd) { -#if defined(KERBEROS) - rval = krb_configed ? 
klogin(pwd, instance, localhost, p) : 1; - if (rval == 0) - if (*instance && strcmp(instance, "root") == 0) - fprintf(back, BI_ROOTOKAY "\n"); - else - fprintf(back, BI_AUTH "\n"); - else if (rval == 1) -#endif -#if defined(PASSWD) - { - if (wheel != NULL && strcmp(wheel, "yes") != 0) - exit(1); - if (*instance && - (strcmp(instance, "root") != 0 || - (pwd = getpwnam(instance)) == NULL)) { - crypt(p, "xx"); - memset(p, 0, strlen(p)); - exit(1); - } - rval = strcmp(crypt(p, pwd->pw_passwd), pwd->pw_passwd); - if (rval == 0) - rval = login_check_expire(back, pwd, class, - lastchance); - } -#else - { ; } -#endif - } -#if defined(PASSWD) - else - crypt(p, "xx"); -#endif - memset(p, 0, strlen(p)); - - if (!pwd || rval) - exit(1); - fprintf(back, BI_AUTH "\n"); + instance = ""; - if (krbtkfile_env) { - fprintf(back, BI_REMOVE " %s\n", krbtkfile_env); - fprintf(back, BI_SETENV " KRBTKFILE %s\n", krbtkfile_env); + /* + * This kludge is needed because the krb library checks if it seems + * to be running as a setuid program, due to problems with setuid + * programs and environment variables. + * + * But in this case it's okay, because the login scripts are called + * with a clean environment. + */ + setuid(geteuid()); + ret = krb_verify_user(username, instance , realm, password, 1, "rcmd"); + + if(new_tickets && pwd) + chown(tkfile, pwd->pw_uid, pwd->pw_gid); + + if(ret == KSUCCESS && + krb_kuserok(username, instance, realm, targetuser) == 0) { + fprintf(back, BI_AUTH "\n"); + if(strlen(tkfile) > 0) + fprintf(back, BI_SETENV " KRBTKFILE %s\n", tkfile); + return AUTH_OK; } - return(0); -} - -#if !defined(KERBEROS) -int -koktologin(name, instance, user) - char *name, *instance, *user; -{ - - return(1); + unlink(tkfile); + return AUTH_FAILED; } -#endif diff --git a/libexec/login_krb5-or-pwd/Makefile b/libexec/login_krb5-or-pwd/Makefile index 637e8654f96..f25094d06c4 100644 --- a/libexec/login_krb5-or-pwd/Makefile +++ b/libexec/login_krb5-or-pwd/Makefile 
@@ -1,11 +1,11 @@ -# $OpenBSD: Makefile,v 1.2 2001/06/25 22:02:13 hin Exp $ +# $OpenBSD: Makefile,v 1.3 2001/06/26 05:03:27 hin Exp $ PROG= login_krb5-or-pwd -SRCS= login_krb5.c +SRCS= login_krb5.c login_passwd.c login.c MAN= ${PROG}.8 LDADD= -lkrb5 -lasn1 -lcrypto -lcom_err -lkrb -lutil -CFLAGS+=-DKRB524 -DPASSWD -Wall -Werror -.PATH: ${.CURDIR}/../login_krb5 +CFLAGS+=-DKRB524 -DKRB5 -DPASSWD -Wall -Werror -I${.CURDIR}/../login_passwd +.PATH: ${.CURDIR}/../login_passwd ${.CURDIR}/../login_krb5 BINOWN= root BINGRP= auth diff --git a/libexec/login_krb5/Makefile b/libexec/login_krb5/Makefile index c5475940cfc..83e0ee464f4 100644 --- a/libexec/login_krb5/Makefile +++ b/libexec/login_krb5/Makefile @@ -1,9 +1,11 @@ -# $OpenBSD: Makefile,v 1.5 2001/06/25 22:02:13 hin Exp $ +# $OpenBSD: Makefile,v 1.6 2001/06/26 05:03:27 hin Exp $ PROG= login_krb5 +SRCS= login.c login_krb5.c MAN= ${PROG}.8 LDADD= -lkrb5 -lasn1 -lcrypto -lcom_err -lkrb -CFLAGS+=-DKRB524 -Wall -Werror +CFLAGS+=-DKRB524 -Wall -Werror -I${.CURDIR}/../login_passwd +.PATH: ${.CURDIR}/../login_passwd BINOWN= root BINGRP= auth diff --git a/libexec/login_krb5/login_krb5.c b/libexec/login_krb5/login_krb5.c index c17439f3d41..e4437dcd26c 100644 --- a/libexec/login_krb5/login_krb5.c +++ b/libexec/login_krb5/login_krb5.c @@ -1,4 +1,4 @@ -/* $OpenBSD: login_krb5.c,v 1.10 2001/06/25 22:02:13 hin Exp $ */ +/* $OpenBSD: login_krb5.c,v 1.11 2001/06/26 05:03:27 hin Exp $ */ /*- * Copyright (c) 2001 Hans Insulander <hin@openbsd.org>. 
@@ -26,35 +26,13 @@ * SUCH DAMAGE. */ -#include <sys/types.h> -#include <sys/signal.h> -#include <sys/resource.h> -#include <sys/param.h> - -#include <syslog.h> -#include <stdlib.h> -#include <unistd.h> -#include <login_cap.h> -#include <bsd_auth.h> -#include <stdio.h> -#include <string.h> -#include <pwd.h> -#include <err.h> -#include <util.h> +#include "common.h" #include <kerberosV/krb5.h> #ifdef KRB524 #include <kerberosIV/krb.h> #endif -#define MODE_LOGIN 0 -#define MODE_CHALLENGE 1 -#define MODE_RESPONSE 2 - -#define AUTH_OK 0 -#define AUTH_FAILED -1 - -FILE *back = NULL; krb5_error_code ret; krb5_context context; krb5_ccache ccache; 
@@ -239,161 +217,3 @@ krb5_login(char *username, char *invokinguser, char *password, int login, int ti return return_code; } - -#ifdef PASSWD -int -pwd_login(char *username, char *password) -{ - struct passwd *pwd; - char *salt; - - pwd = getpwnam(username); - - /* Check for empty password */ - if((pwd != NULL) && (*pwd->pw_passwd == '\0')) { - fprintf(back, BI_AUTH "\n"); - return AUTH_OK; - } - - if(pwd) - salt = pwd->pw_passwd; - else - salt = "xx"; - - setpriority(PRIO_PROCESS, 0, -4); - - salt = crypt(password, salt); - memset(password, 0, strlen(password)); - if (!pwd || strcmp(salt, pwd->pw_passwd) != 0) - return AUTH_FAILED; - - if(login_check_expire(back, pwd, NULL, 0)) - return AUTH_FAILED; - - fprintf(back, BI_AUTH "\n"); - - return AUTH_OK; -} -#endif PASSWD - -int -main(int argc, char **argv) -{ - int opt, mode = 0, ret; - char *username, *password = NULL; - char response[1024]; - int arg_login = 0, arg_notickets = 0; - char invokinguser[MAXLOGNAME]; - - invokinguser[0] = '\0'; - - signal(SIGQUIT, SIG_IGN); - signal(SIGINT, SIG_IGN); - setpriority(PRIO_PROCESS, 0, 0); - - openlog(NULL, LOG_ODELAY, LOG_AUTH); - - while((opt = getopt(argc, argv, "ds:v:")) != -1) { - switch(opt) { - case 'd': - back = stdout; - break; - case 's': /* service */ - if(strcmp(optarg, "login") == 0) - mode = MODE_LOGIN; - else if(strcmp(optarg, "challenge") == 0) - mode = MODE_CHALLENGE; - else if(strcmp(optarg, "response") == 0) - mode = MODE_RESPONSE; - else { - syslog(LOG_ERR, "%s: invalid service", optarg); - exit(1); - } - break; - case 'v': - if(strcmp(optarg, "login=yes") == 0) - arg_login = 1; - else if(strcmp(optarg, "notickets=yes") == 0) - arg_notickets = 1; - else if(strncmp(optarg, "invokinguser=", 13) == 0) - snprintf(invokinguser, sizeof(invokinguser), - "%s", &optarg[13]); - /* All other arguments are silently ignored */ - break; - default: - syslog(LOG_ERR, "usage error1"); - exit(1); - } - } - - switch(argc - optind) { - case 2: - /* class = argv[optind + 1]; 
*/ - case 1: - username = argv[optind]; - break; - default: - syslog(LOG_ERR, "usage error2"); - exit(1); - } - - if(back == NULL && (back = fdopen(3, "r+")) == NULL) { - syslog(LOG_ERR, "reopening back channel: %m"); - exit(1); - } - - /* - * Read password, either as from the terminal or if the - * response mode is active from the caller program. - * - * XXX This is completely ungrokkable, and should be rewritten. - */ - switch(mode) { - case MODE_RESPONSE: { - int count; - mode = 0; - count = -1; - while(++count < sizeof(response) && - read(3, &response[count], 1) == 1) { - if(response[count] == '\0' && ++mode == 2) - break; - if(response[count] == '\0' && mode == 1) { - password = response + count + 1; - } - } - if(mode < 2) { - syslog(LOG_ERR, "protocol error on back channel"); - exit(1); - } - break; - } - - case MODE_LOGIN: - password = getpass("Password:"); - break; - - case MODE_CHALLENGE: - fprintf(back, BI_AUTH "\n"); - exit(0); - break; - default: - syslog(LOG_ERR, "%d: unknown mode", mode); - exit(1); - break; - } - - ret = krb5_login(username, invokinguser, password, arg_login, - !arg_notickets); - -#ifdef PASSWD - if(ret != AUTH_OK) - ret = pwd_login(username, password); -#endif - memset(password, 0, strlen(password)); - if(ret != AUTH_OK) - fprintf(back, BI_REJECT "\n"); - - closelog(); - - return 0; -} diff --git a/libexec/login_passwd/Makefile b/libexec/login_passwd/Makefile index 793d1cf434b..7e7de6c7c80 100644 --- a/libexec/login_passwd/Makefile +++ b/libexec/login_passwd/Makefile @@ -1,10 +1,11 @@ -# $OpenBSD: Makefile,v 1.1 2000/12/12 02:33:44 millert Exp $ +# $OpenBSD: Makefile,v 1.2 2001/06/26 05:03:28 hin Exp $ PROG= login_passwd MAN= login_passwd.8 +SRCS= login.c login_passwd.c DPADD= ${LIBUTIL} LDADD= -lutil -CFLAGS+=-Wall +CFLAGS+=-Wall -DPASSWD BINOWN= root BINGRP= auth diff --git a/libexec/login_passwd/common.h b/libexec/login_passwd/common.h new file mode 100644 index 00000000000..ec7f21d8635 --- /dev/null 
+++ b/libexec/login_passwd/common.h 
@@ -0,0 +1,67 @@ +/* $OpenBSD: common.h,v 1.1 2001/06/26 05:03:28 hin Exp $ */ +/*- + * Copyright (c) 2001 Hans Insulander <hin@openbsd.org>. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */ + +#ifndef _COMMON_H_ +#define _COMMON_H_ + +#include <sys/types.h> +#include <sys/signal.h> +#include <sys/resource.h> +#include <sys/param.h> + +#include <syslog.h> +#include <stdlib.h> +#include <unistd.h> +#include <login_cap.h> +#include <bsd_auth.h> +#include <stdio.h> +#include <string.h> +#include <pwd.h> +#include <err.h> +#include <util.h> + + +#define MODE_LOGIN 0 +#define MODE_CHALLENGE 1 +#define MODE_RESPONSE 2 + +#define AUTH_OK 0 +#define AUTH_FAILED -1 + +extern FILE *back; + +#ifdef PASSWD +int pwd_login(char *, char *, char *, int, char *); +#endif +#ifdef KRB4 +int krb4_login(char *, char *, char *, int); +#endif +#ifdef KRB5 +int krb5_login(char *, char *, char *, int, int); +#endif + +#endif /* !_COMMON_H_ */ diff --git a/libexec/login_passwd/login.c b/libexec/login_passwd/login.c new file mode 100644 index 00000000000..071879871cd --- /dev/null +++ b/libexec/login_passwd/login.c 
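Review bot: The three login prototypes name none of their parameters, and `krb4_login` takes (username, password, invokinguser, …) while `krb5_login` takes (username, invokinguser, password, …); since the leading parameters are all `char *`, a caller that mixes the two orders compiles cleanly, and login.c already has to call them differently. Naming the parameters in the header, e.g. `int krb4_login(char *username, char *password, char *invokinguser, int new_tickets);` and `int pwd_login(char *username, char *password, char *wheel, int lastchance, char *class);`, makes the contract visible at the call site, and unifying the argument order across the three would be better still. `#define AUTH_FAILED -1` should be written `(-1)` so the macro survives use inside a larger expression.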
@@ -0,0 +1,169 @@ +/* $OpenBSD: login.c,v 1.1 2001/06/26 05:03:28 hin Exp $ */ + +/*- + * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Berkeley Software Design, + * Inc. + * 4. The name of Berkeley Software Design, Inc. may not be used to endorse + * or promote products derived from this software without specific prior + * written permission. + * + * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ * + * BSDI $From: login_passwd.c,v 1.11 1997/08/08 18:58:24 prb Exp $ + */ + +#include "common.h" + +FILE *back = NULL; + +int +main(int argc, char **argv) +{ + int opt, mode = 0, ret, lastchance = 0; + char *username, *password = NULL; + char response[1024]; + int arg_login = 0, arg_notickets = 0; + char invokinguser[MAXLOGNAME]; + char *wheel = NULL , *class = NULL; + + invokinguser[0] = '\0'; + + signal(SIGQUIT, SIG_IGN); + signal(SIGINT, SIG_IGN); + setpriority(PRIO_PROCESS, 0, 0); + + openlog(NULL, LOG_ODELAY, LOG_AUTH); + + while((opt = getopt(argc, argv, "ds:v:")) != -1) { + switch(opt) { + case 'd': + back = stdout; + break; + case 's': /* service */ + if(strcmp(optarg, "login") == 0) + mode = MODE_LOGIN; + else if(strcmp(optarg, "challenge") == 0) + mode = MODE_CHALLENGE; + else if(strcmp(optarg, "response") == 0) + mode = MODE_RESPONSE; + if (strncmp(optarg, "wheel=", 6) == 0) + wheel = optarg + 6; + else if (strncmp(optarg, "lastchance=", 10) == 0) + lastchance = (strcmp(optarg + 10, "yes") == 0); + /* Silently ignore unknown options */ + break; + case 'v': + if(strcmp(optarg, "login=yes") == 0) + arg_login = 1; + else if(strcmp(optarg, "notickets=yes") == 0) + arg_notickets = 1; + else if(strncmp(optarg, "invokinguser=", 13) == 0) + snprintf(invokinguser, sizeof(invokinguser), + "%s", &optarg[13]); + /* All other arguments are silently ignored */ + break; + default: + syslog(LOG_ERR, "usage error1"); + exit(1); + } + } + + switch(argc - optind) { + case 2: + class = argv[optind + 1]; + case 1: + username = argv[optind]; + break; + default: + syslog(LOG_ERR, "usage error2"); + exit(1); + } + + if(back == NULL && (back = fdopen(3, "r+")) == NULL) { + syslog(LOG_ERR, "reopening back channel: %m"); + exit(1); + } + + /* + * Read password, either as from the terminal or if the + * response mode is active from the caller program. + * + * XXX This is completely ungrokkable, and should be rewritten. 
+ */ + switch(mode) { + case MODE_RESPONSE: { + int count; + mode = 0; + count = -1; + while(++count < sizeof(response) && + read(3, &response[count], 1) == 1) { + if(response[count] == '\0' && ++mode == 2) + break; + if(response[count] == '\0' && mode == 1) { + password = response + count + 1; + } + } + if(mode < 2) { + syslog(LOG_ERR, "protocol error on back channel"); + exit(1); + } + break; + } + + case MODE_LOGIN: + password = getpass("Password:"); + break; + + case MODE_CHALLENGE: + fprintf(back, BI_AUTH "\n"); + exit(0); + break; + default: + syslog(LOG_ERR, "%d: unknown mode", mode); + exit(1); + break; + } + + ret = AUTH_FAILED; +#ifdef KRB4 + ret = krb4_login(username, password, invokinguser, !arg_notickets); +#endif +#ifdef KRB5 + ret = krb5_login(username, invokinguser, password, arg_login, + !arg_notickets); +#endif +#ifdef PASSWD + if(ret != AUTH_OK) + ret = pwd_login(username, password, wheel, lastchance, class); +#endif + + memset(password, 0, strlen(password)); + if(ret != AUTH_OK) + fprintf(back, BI_REJECT "\n"); + + closelog(); + + return 0; +} diff --git a/libexec/login_passwd/login_passwd.c b/libexec/login_passwd/login_passwd.c index 660c305c790..ef49a1989bd 100644 --- a/libexec/login_passwd/login_passwd.c +++ b/libexec/login_passwd/login_passwd.c @@ -1,7 +1,8 @@ -/* $OpenBSD: login_passwd.c,v 1.2 2001/06/25 21:52:16 hin Exp $ */ +/* $OpenBSD: login_passwd.c,v 1.3 2001/06/26 05:03:28 hin Exp $ */ /*- - * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved. + * Copyright (c) 2001 Hans Insulander <hin@openbsd.org>. + * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
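Review bot: The `wheel=` and `lastchance=` parsing in main sits inside the `case 's'` (service) branch of the getopt switch instead of `case 'v'`, so a caller passing `-v wheel=no` (the option the old `-v` branch parsed) never sets `wheel`, and `pwd_login` is called with `wheel == NULL`, silently disabling the restriction that parameter exists for. The same branch also lost the old rejection of an unknown `-s` value, which now falls through to `MODE_LOGIN` and a terminal password prompt. Independently, `strncmp(optarg, "lastchance=", 10)` with `optarg + 10` compares only `lastchance` and then tests `=yes` against `yes`, so `lastchance` can never become 1; the prefix is 11 characters. Rewritten option cases below; the rest of main is unchanged.
```c
		case 's':	/* service */
			if (strcmp(optarg, "login") == 0)
				mode = MODE_LOGIN;
			else if (strcmp(optarg, "challenge") == 0)
				mode = MODE_CHALLENGE;
			else if (strcmp(optarg, "response") == 0)
				mode = MODE_RESPONSE;
			else {
				syslog(LOG_ERR, "%s: invalid service", optarg);
				exit(1);
			}
			break;
		case 'v':
			if (strcmp(optarg, "login=yes") == 0)
				arg_login = 1;
			else if (strcmp(optarg, "notickets=yes") == 0)
				arg_notickets = 1;
			else if (strncmp(optarg, "invokinguser=", 13) == 0)
				snprintf(invokinguser, sizeof(invokinguser),
				    "%s", &optarg[13]);
			else if (strncmp(optarg, "wheel=", 6) == 0)
				wheel = optarg + 6;
			else if (strncmp(optarg, "lastchance=", 11) == 0)
				lastchance = (strcmp(optarg + 11, "yes") == 0);
			/* All other arguments are silently ignored */
			break;
```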
@@ -11,18 +12,11 @@ * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by Berkeley Software Design, - * Inc. - * 4. The name of Berkeley Software Design, Inc. may not be used to endorse - * or promote products derived from this software without specific prior - * written permission. * - * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
@@ -30,155 +24,49 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * - * BSDI $From: login_passwd.c,v 1.11 1997/08/08 18:58:24 prb Exp $ */ -#include <sys/param.h> -#include <sys/stat.h> -#include <sys/time.h> -#include <sys/resource.h> -#include <sys/file.h> -#include <sys/wait.h> - -#include <err.h> -#include <errno.h> -#include <pwd.h> -#include <signal.h> -#include <stdarg.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <syslog.h> -#include <unistd.h> -#include <util.h> -#include <login_cap.h> -#include <bsd_auth.h> +#include "common.h" int -main(argc, argv) - int argc; - char *argv[]; +pwd_login(char *username, char *password, char *wheel, int lastchance, + char *class) { - FILE *back; - char *class, *p, *salt, *username, *wheel; - char response[1024]; - int c, mode, lastchance; struct passwd *pwd; - struct rlimit rl; - - class = NULL; - username = NULL; - wheel = NULL; - mode = 0; - p = NULL; - lastchance = 0; - - rl.rlim_cur = 0; - rl.rlim_max = 0; - (void)setrlimit(RLIMIT_CORE, &rl); + char *salt; - (void)signal(SIGQUIT, SIG_IGN); - (void)signal(SIGINT, SIG_IGN); - (void)setpriority(PRIO_PROCESS, 0, 0); - openlog("login", LOG_ODELAY, LOG_AUTH); - - back = NULL; - while ((c = getopt(argc, argv, "dv:s:")) != -1) - switch(c) { - case 'd': - back = stdout; - break; - case 'v': - if (strncmp(optarg, "wheel=", 6) == 0) - wheel = optarg + 6; - else if (strncmp(optarg, "lastchance=", 10) == 0) - lastchance = (strcmp(optarg + 10, "yes") == 0); - break; - case 's': /* service */ - if (strcmp(optarg, "login") == 0) - mode = 0; - else if (strcmp(optarg, "challenge") == 0) - mode = 1; - else if (strcmp(optarg, "response") == 0) - mode = 2; - else { - syslog(LOG_ERR, "%s: invalid service", optarg); - exit(1); - } - break; - default: - syslog(LOG_ERR, "usage error"); - exit(1); - } - - switch(argc - optind) { - case 2: - class 
= argv[optind + 1]; - case 1: - username = argv[optind]; - break; - default: - syslog(LOG_ERR, "usage error"); - exit(1); + if((wheel != NULL) && strcmp(wheel, "yes") != 0) { + fprintf(back, BI_VALUE " errormsg %s\n", + auth_mkvalue("you are not in group wheel")); + fprintf(back, BI_REJECT "\n"); + return AUTH_FAILED; } pwd = getpwnam(username); - if (back == NULL && (back = fdopen(3, "r+")) == NULL) { - syslog(LOG_ERR, "reopening back channel: %m"); - exit(1); - } - if (wheel != NULL && strcmp(wheel, "yes") != 0) { - fprintf(back, BI_VALUE " errormsg %s\n", - auth_mkvalue("you are not in group wheel")); - fprintf(back, BI_REJECT "\n"); - exit(1); - } - - if (pwd && *pwd->pw_passwd == '\0') { + /* Check for empty password */ + if((pwd != NULL) && (*pwd->pw_passwd == '\0')) { fprintf(back, BI_AUTH "\n"); - exit(0); - } - - if (mode == 1) { - fprintf(back, BI_SILENT "\n"); - exit(0); + return AUTH_OK; } - if (pwd) + if(pwd) salt = pwd->pw_passwd; else salt = "xx"; - (void)setpriority(PRIO_PROCESS, 0, -4); - - if (mode == 2) { - mode = 0; - c = -1; - while (++c < sizeof(response) && - read(3, &response[c], 1) == 1) { - if (response[c] == '\0' && ++mode == 2) - break; - if (response[c] == '\0' && mode == 1) - p = response + c + 1; - } - if (mode < 2) { - syslog(LOG_ERR, "protocol error on back channel"); - exit(1); - } - } else - p = getpass("Password:"); + setpriority(PRIO_PROCESS, 0, -4); - salt = crypt(p, salt); - memset(p, 0, strlen(p)); + salt = crypt(password, salt); + memset(password, 0, strlen(password)); if (!pwd || strcmp(salt, pwd->pw_passwd) != 0) - exit(1); + return AUTH_FAILED; - c = login_check_expire(back, pwd, class, lastchance); - - if (c == 0) + if(login_check_expire(back, pwd, class, lastchance) == 0) fprintf(back, BI_AUTH "\n"); - exit(c); + else + return AUTH_FAILED; + + return AUTH_OK; } |
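Review bot: The `setrlimit(RLIMIT_CORE, &rl)` with a zero limit that this hunk removes from the old main() does not reappear in the new main() in login.c as printed earlier on this page, so a crash after `getpass()` or the back-channel read could leave the cleartext password in a core file; since main() is now shared by the krb4/krb5/passwd variants, re-add `struct rlimit rl = { 0, 0 }; (void)setrlimit(RLIMIT_CORE, &rl);` there before the password is read. The `wheel` guard at the top of pwd_login() only fires when the caller hands it a non-NULL string, and in the new main() as shown the `wheel=` and `lastchance=` parsing appears under `case 's'` rather than `case 'v'`, so `-v wheel=no` would be silently dropped and the group-wheel rejection never taken — worth confirming against login.c, because the old code here parsed those under `-v`. The pre-existing `strncmp(optarg, "lastchance=", 10)` also compares one byte short of the `=`, so `optarg + 10` is `"=yes"` and lastchance can never become true. Finally, `crypt()` may return NULL, which the next line passes straight to `strcmp()`; `if (salt == NULL || !pwd || strcmp(salt, pwd->pw_passwd) != 0)` keeps the existing failure path and avoids the NULL dereference.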