summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/passwd/krb5_passwd.c1115
1 files changed, 123 insertions, 992 deletions
diff --git a/usr.bin/passwd/krb5_passwd.c b/usr.bin/passwd/krb5_passwd.c
index 12304f02375..4ef36c408d6 100644
--- a/usr.bin/passwd/krb5_passwd.c
+++ b/usr.bin/passwd/krb5_passwd.c
@@ -1,1012 +1,143 @@
-/* $OpenBSD: krb5_passwd.c,v 1.2 1996/06/26 05:37:45 deraadt Exp $ */
-
-/*-
- * Copyright (c) 1990 The Regents of the University of California.
- * All rights reserved.
+/*
+ * Copyright (c) 1997-2000 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
*
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- * must display the following acknowledgement:
- * This product includes software developed by the University of
- * California, Berkeley and its contributors.
- * 4. Neither the name of the University nor the names of its contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
*
- * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- */
-
-#ifndef lint
-/*static char sccsid[] = "from: @(#)krb_passwd.c 5.4 (Berkeley) 3/1/91";*/
-static char rcsid[] = "$OpenBSD: krb5_passwd.c,v 1.2 1996/06/26 05:37:45 deraadt Exp $";
-#endif /* not lint */
-
-#ifdef KERBEROS5
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-#include <netinet/in.h>
-#include <netdb.h>
-#include <signal.h>
-#include <pwd.h>
-#include <errno.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdlib.h>
-#include <krb5/adm_defs.h>
-#include <krb5/krb5.h>
-#include <krb5/kdb.h>
-#include <krb5/kdb_dbm.h>
-#include <krb5/ext-proto.h>
-#include <krb5/los-proto.h>
-#include <krb5/asn1.h>
-#include <krb5/config.h>
-#include <krb5/base-defs.h>
-#include <krb5/asn.1/encode.h>
-
-#include <krb5/widen.h>
-
-#include <krb5/adm_err.h>
-#include <krb5/errors.h>
-#include <krb5/kdb5_err.h>
-#include <krb5/krb5_err.h>
-
-static krb5_error_code get_first_ticket __P((krb5_ccache, krb5_principal));
-static krb5_error_code print_and_choose_password __P((char *, krb5_data *));
-static krb5_error_code adm5_init_link __P((krb5_data *, int *));
-
-struct sockaddr_in local_sin, remote_sin;
-
-krb5_creds my_creds;
-
-extern char *krb5_default_pwd_prompt1;
-
-/*
- * Try no preauthentication first; then try the encrypted timestamp
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
*/
-int preauth_search_list[] = {
- 0,
- KRB5_PADATA_ENC_TIMESTAMP,
- -1
-};
-
-krb_passwd()
-{
- static void finish();
- krb5_ccache cache = NULL;
- char cache_name[255];
- krb5_flags cc_flags;
- krb5_address local_addr, foreign_addr;
- struct passwd *pw;
- krb5_principal client, server;
- char default_name[256];
- char *client_name; /* Single string representation of client id */
- krb5_data requested_realm;
- char *local_realm;
- char input_string[768];
- krb5_error_code retval; /* return code */
- int local_socket;
- int c, count;
- krb5_error *err_ret;
- krb5_ap_rep_enc_part *rep_ret;
- kadmin_requests rd_priv_resp;
- krb5_checksum send_cksum;
- int cksum_alloc = 0;
- krb5_data msg_data, inbuf;
- krb5_int32 seqno;
- char *new_password;
- int new_pwsize;
- krb5_data *decodable_pwd_string;
- int i, j;
- static struct rlimit rl = { 0, 0 };
-
-#ifdef KRB_NONETWORK
- extern int networked();
- int krb_secure;
- struct stat statbuf;
-#endif
-
-#ifdef KRB_NONETWORK /* Allow or Disallow Remote Clients to Modify Passwords */
- /*
- * If a Client Modifies a Password using kpasswd on this host
- * from a remote host or network terminal, the Password selected
- * is transmitted across the network in Cleartext.
- *
- * The systems administrator can disallow "remote" kpasswd usage by
- * creating the file "/etc/krb.secure"
- */
- krb_secure = 0;
- /*
- * First check to see if the file /etc/krb.secure exists.
- * If it does then krb_secure to 1.
- */
-
- if (stat("/etc/krb.secure", &statbuf) == 0) krb_secure = 1;
-
- /*
- * Check to see if this process is tied to a physical terminal.
- * Network() verifies the terminal device is not a pseudo tty
- */
- if (networked() && krb_secure) {
- fprintf(stderr,"passwd: Sorry but you cannot %s from a\n", argv[0]);
- fprintf(stderr," pseudo tty terminal.\n");
- retval = 1;
- goto finish;
- }
-#endif
-
- /* (3 * 255) + 1 (/) + 1 (@) + 1 (NULL) */
- if ((client_name = (char *) calloc (1, (3 * 256))) == NULL) {
- fprintf(stderr, "passwd: No Memory for Client_name\n");
- retval = 1;
- goto finish;
- }
-
- if ((requested_realm.data = (char *) calloc (1, 256)) == NULL) {
- fprintf(stderr, "passwd: No Memory for realm_name\n");
- retval = 1;
- free(client_name);
- goto finish;
- }
-
- (void)signal(SIGHUP, SIG_IGN);
- (void)signal(SIGINT, SIG_IGN);
- (void)signal(SIGTSTP, SIG_IGN);
-
- if (setrlimit(RLIMIT_CORE, &rl) < 0) {
- (void)fprintf(stderr,
- "passwd: setrlimit: %s\n", strerror(errno));
- return(1);
- }
-
- krb5_init_ets();
- memset((char *) default_name, 0, sizeof(default_name));
-
- /* Identify Default Credentials Cache */
- if ((retval = krb5_cc_default(&cache))) {
- fprintf(stderr, "passwd: Error while getting default ccache.\n");
- goto finish;
- }
-
- /*
- * Attempt to Modify Credentials Cache
- * retval == 0 ==> ccache Exists - Use It
- * retval == ENOENT ==> No Entries, but ccache Exists
- * retval != 0 ==> Assume ccache does NOT Exist
- */
- cc_flags = 0;
- if ((retval = krb5_cc_set_flags(cache, cc_flags))) {
- /* Search passwd file for client */
- pw = getpwuid((int) getuid());
- if (pw) {
- (void) strcpy(default_name, pw->pw_name);
- }
- else {
- fprintf(stderr,
- "passwd: Unable to Identify Customer from Password File\n");
- retval = 1;
- goto finish;
- }
-
- /* Use this to get default_realm and format client_name */
- if ((retval = krb5_parse_name(default_name, &client))) {
- fprintf(stderr, "passwd: Unable to Parse Client Name\n");
- goto finish;
- }
-
- if ((retval = krb5_unparse_name(client, &client_name))) {
- fprintf(stderr, "passwd: Unable to Parse Client Name\n");
- goto finish;
- }
-
- requested_realm.length = client->realm.length;
- memcpy((char *) requested_realm.data,
- (char *) client->realm.data,
- requested_realm.length);
- }
- else {
- /* Read Client from Cache */
- if ((retval = krb5_cc_get_principal(cache, (krb5_principal *) &client))) {
- fprintf(stderr, "passwd: Unable to Read Customer Credentials File\n");
- goto finish;
- }
-
- if ((retval = krb5_unparse_name(client, &client_name))) {
- fprintf(stderr, "passwd: Unable to Parse Client Name\n");
- goto finish;
- }
-
- requested_realm.length = client->realm.length;
- memcpy((char *) requested_realm.data,
- (char *) client->realm.data,
- requested_realm.length);
-
- (void) krb5_cc_close(cache);
- }
-
- /* Create credential cache for changepw */
- (void) sprintf(cache_name, "FILE:/tmp/tkt_cpw_%d", getpid());
-
- if ((retval = krb5_cc_resolve(cache_name, &cache))) {
- fprintf(stderr, "passwd: Unable to Resolve Cache: %s\n", cache_name);
- }
-
- if ((retval = krb5_cc_initialize(cache, client))) {
- fprintf(stderr, "passwd: Error initializing cache: %s\n", cache_name);
- goto finish;
- }
-
- /*
- * Verify User by Obtaining Initial Credentials prior to Initial Link
- */
- if ((retval = get_first_ticket(cache, client))) {
- goto finish;
- }
-
- /* Initiate Link to Server */
- if ((retval = adm5_init_link(&requested_realm, &local_socket))) {
- goto finish;
- }
-
-#define SIZEOF_INADDR sizeof(struct in_addr)
-
- /* V4 kpasswd Protocol Hack */
-{
- int msg_length = 0;
-
- retval = krb5_net_write(local_socket, (char *) &msg_length + 2, 2);
- if (retval < 0) {
- fprintf(stderr, "passwd: krb5_net_write failure\n");
- goto finish;
- }
-}
-
- local_addr.addrtype = ADDRTYPE_INET;
- local_addr.length = SIZEOF_INADDR ;
- local_addr.contents = (krb5_octet *)&local_sin.sin_addr;
-
- foreign_addr.addrtype = ADDRTYPE_INET;
- foreign_addr.length = SIZEOF_INADDR ;
- foreign_addr.contents = (krb5_octet *)&remote_sin.sin_addr;
-
- /* compute checksum, using CRC-32 */
- if (!(send_cksum.contents = (krb5_octet *)
- malloc(krb5_checksum_size(CKSUMTYPE_CRC32)))) {
- fprintf(stderr, "passwd: Insufficient Memory while Allocating Checksum\n");
- goto finish;
- }
- cksum_alloc++;
- /* choose some random stuff to compute checksum from */
- if (retval = krb5_calculate_checksum(CKSUMTYPE_CRC32,
- ADM_CPW_VERSION,
- strlen(ADM_CPW_VERSION),
- 0,
- 0, /* if length is 0, crc-32 doesn't
- use the seed */
- &send_cksum)) {
- fprintf(stderr, "Error while Computing Checksum: %s\n",
- error_message(retval));
- goto finish;
- }
-
- /* call Kerberos library routine to obtain an authenticator,
- pass it over the socket to the server, and obtain mutual
- authentication. */
-
- if ((retval = krb5_sendauth((krb5_pointer) &local_socket,
- ADM_CPW_VERSION,
- my_creds.client,
- my_creds.server,
- AP_OPTS_MUTUAL_REQUIRED,
- &send_cksum,
- 0,
- cache,
- &seqno,
- 0, /* don't need a subsession key */
- &err_ret,
- &rep_ret))) {
- fprintf(stderr, "passwd: Error while performing sendauth: %s\n",
- error_message(retval));
- goto finish;
- }
-
- /* Get credentials : to use for safe and private messages */
- if (retval = krb5_get_credentials(0, cache, &my_creds)){
- fprintf(stderr, "passwd: Error Obtaining Credentials: %s\n",
- error_message(retval));
- goto finish;
- }
-
- /* Read back what the server has to say... */
- if (retval = krb5_read_message(&local_socket, &inbuf)){
- fprintf(stderr, "passwd: Read Message Error: %s\n",
- error_message(retval));
- goto finish;
- }
- if ((inbuf.length != 2) || (inbuf.data[0] != KADMIND) ||
- (inbuf.data[1] != KADMSAG)){
- fprintf(stderr, "passwd: Invalid ack from admin server.\n");
- goto finish;
- }
-
- inbuf.data[0] = KPASSWD;
- inbuf.data[1] = CHGOPER;
- inbuf.length = 2;
-
- if ((retval = krb5_mk_priv(&inbuf,
- ETYPE_DES_CBC_CRC,
- &my_creds.keyblock,
- &local_addr,
- &foreign_addr,
- seqno,
- KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
- 0,
- 0,
- &msg_data))) {
- fprintf(stderr, "passwd: Error during First Message Encoding: %s\n",
- error_message(retval));
- goto finish;
- }
- free(inbuf.data);
-
- /* write private message to server */
- if (krb5_write_message(&local_socket, &msg_data)){
- fprintf(stderr, "passwd: Write Error During First Message Transmission\n");
- retval = 1;
- goto finish;
- }
- free(msg_data.data);
-
- (void)signal(SIGHUP, finish);
- (void)signal(SIGINT, finish);
-
-#ifdef MACH_PASS /* Machine-generated Passwords */
- /* Ok Now let's get the private message */
- if (retval = krb5_read_message(&local_socket, &inbuf)){
- fprintf(stderr, "passwd: Read Error During First Reply: %s\n",
- error_message(retval));
- retval = 1;
- goto finish;
- }
-
- if ((retval = krb5_rd_priv(&inbuf,
- &my_creds.keyblock,
- &foreign_addr,
- &local_addr,
- rep_ret->seq_number,
- KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
- 0,
- 0,
- &msg_data))) {
- fprintf(stderr, "passwd: Error during First Read Decoding: %s\n",
- error_message(retval));
- goto finish;
- }
- free(inbuf.data);
-#endif
-
- if ((new_password = (char *) calloc (1, ADM_MAX_PW_LENGTH+1)) == NULL) {
- fprintf(stderr, "passwd: Unable to Allocate Space for New Password\n");
- goto finish;
- }
-
-#ifdef MACH_PASS /* Machine-generated passwords */
- /* Offer Client Password Choices */
- if ((retval = print_and_choose_password(new_password,
- &msg_data))) {
- (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1);
- free(new_password);
- goto finish;
- }
-#else
- new_pwsize = ADM_MAX_PW_LENGTH+1;
- if ((retval = krb5_read_password("New Kerberos password: ",
- "Retype new Kerberos password: ",
- new_password,
- &new_pwsize))) {
- fprintf(stderr, "\nError while reading new password for '%s'\n",
- client_name);
- (void) memset((char *) new_password, 0, ADM_MAX_PW_LENGTH+1);
- free(new_password);
- goto finish;
- }
-#endif
-
- inbuf.data = new_password;
- inbuf.length = strlen(new_password);
-
- if ((retval = krb5_mk_priv(&inbuf,
- ETYPE_DES_CBC_CRC,
- &my_creds.keyblock,
- &local_addr,
- &foreign_addr,
- seqno,
- KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
- 0,
- 0,
- &msg_data))) {
- fprintf(stderr, "passwd: Error during Second Message Encoding: %s\n",
- error_message(retval));
- goto finish;
- }
- memset(inbuf.data,0,inbuf.length);
- free(inbuf.data);
-
- /* write private message to server */
- if (krb5_write_message(&local_socket, &msg_data)){
- fprintf(stderr, "passwd: Write Error During Second Message Transmission\n");
- retval = 1;
- goto finish;
- }
- free(msg_data.data);
-
- /* Ok Now let's get the private message */
- if (retval = krb5_read_message(&local_socket, &inbuf)){
- fprintf(stderr, "passwd: Read Error During Second Reply: %s\n",
- error_message(retval));
- retval = 1;
- goto finish;
- }
-
- if ((retval = krb5_rd_priv(&inbuf,
- &my_creds.keyblock,
- &foreign_addr,
- &local_addr,
- rep_ret->seq_number,
- KRB5_PRIV_DOSEQUENCE|KRB5_PRIV_NOTIME,
- 0,
- 0,
- &msg_data))) {
- fprintf(stderr, "passwd: Error during Second Read Decoding :%s\n",
- error_message(retval));
- goto finish;
- }
-
- rd_priv_resp.appl_code = msg_data.data[0];
- rd_priv_resp.oper_code = msg_data.data[1];
- rd_priv_resp.retn_code = msg_data.data[2];
- if (msg_data.length > 3 && msg_data.data[3]) {
- rd_priv_resp.message = malloc(msg_data.length - 2);
- if (rd_priv_resp.message) {
- memcpy(rd_priv_resp.message, msg_data.data + 3,
- msg_data.length - 3);
- rd_priv_resp.message[msg_data.length - 3] = 0;
- }
- } else
- rd_priv_resp.message = NULL;
-
-
- free(inbuf.data);
- free(msg_data.data);
- if (rd_priv_resp.appl_code == KPASSWD) {
- if (rd_priv_resp.retn_code == KPASSBAD) {
- if (rd_priv_resp.message)
- fprintf(stderr, "passwd: %s\n", rd_priv_resp.message);
- else
- fprintf(stderr, "passwd: Server returned KPASSBAD.\n");
- } else if (rd_priv_resp.retn_code != KPASSGOOD)
- fprintf(stderr, "passwd: Server returned unknown kerberos code.\n");
- } else
- fprintf(stderr, "passwd: Server returned bad application code %d\n",
- rd_priv_resp.appl_code);
-
- if (rd_priv_resp.message)
- free(rd_priv_resp.message);
-
- finish:
- (void) krb5_cc_destroy(cache);
-
- free(client_name);
- free(requested_realm.data);
- if (cksum_alloc) free(send_cksum.contents);
- if (retval) {
- fprintf(stderr, "passwd: Protocol Failure - Password NOT changed\n");
- exit(1);
- }
-
- exit(0);
-}
+#include "kpasswd_locl.h"
+RCSID("$KTH: kpasswd.c,v 1.23 2000/12/31 07:48:34 assar Exp $");
+static int version_flag;
+static int help_flag;
-krb5_data cpwname = {
- sizeof(CPWNAME)-1,
- CPWNAME
+static struct getargs args[] = {
+ { "version", 0, arg_flag, &version_flag },
+ { "help", 0, arg_flag, &help_flag }
};
-static krb5_error_code
-get_first_ticket(cache, client)
- krb5_ccache cache;
- krb5_principal client;
-{
- char prompt[255]; /* for the password prompt */
- char verify_prompt[255]; /* Verification Prompt if Desired */
- char pword[ADM_MAX_PW_LENGTH+1]; /* storage for the password */
- int pword_length = sizeof(pword);
- char *old_password;
- int old_pwsize;
- int i;
-
- krb5_address **my_addresses;
-
- char *client_name;
- char local_realm[255];
- krb5_error_code retval;
-
- if ((retval = krb5_unparse_name(client, &client_name))) {
- fprintf(stderr, "Unable to Unparse Client Name\n");
- return(1);
- }
-
- (void) printf("Changing Kerberos password for %s\n", client_name);
-
- if ((retval = krb5_os_localaddr(&my_addresses))) {
- fprintf(stderr, "passwd: Unable to Get Customers Address\n");
- return(1);
- }
-
- memset((char *) &my_creds, 0, sizeof(my_creds));
-
- my_creds.client = client;
-
- if ((retval = krb5_build_principal_ext(&my_creds.server,
- client->realm.length,
- client->realm.data,
- cpwname.length, /* 6 */
- cpwname.data, /* "kadmin" */
- client->realm.length,
- /* instance is local realm */
- client->realm.data,
- 0))) {
- fprintf(stderr, "Error %s while building server name\n");
- return(1);
- }
-
-
- if ((old_password = (char *) calloc (1, 255)) == NULL) {
- fprintf(stderr, "passwd: No Memory for Retrieving old password\n");
- return(1);
- }
-
- old_pwsize = 255;
- if ((retval = krb5_read_password("Old kerberos password: ",
- 0,
- old_password,
- &old_pwsize))) {
- fprintf(stderr, "\nError while reading password for '%s'\n",
- client_name);
- return(1);
- }
-
- /* Build Request for Initial Credentials */
- for (i=0; preauth_search_list[i] >= 0; i++) {
- retval = krb5_get_in_tkt_with_password(
- 0, /* options */
- my_addresses,
- /* do random preauth */
- preauth_search_list[i],
- ETYPE_DES_CBC_CRC, /* etype */
- KEYTYPE_DES,
- old_password,
- cache,
- &my_creds,
- 0);
- if (retval != KRB5KDC_PREAUTH_FAILED &&
- retval != KRB5KRB_ERR_GENERIC)
- break;
- }
-
- if (retval) {
- fprintf(stderr, "passwd: Unable to Get Initial Credentials : %s\n",
- error_message(retval));
- }
-
- /* Do NOT Forget to zap password */
- memset((char *) old_password, 0, old_pwsize);
- free(old_password);
- memset((char *) pword, 0, sizeof(pword));
- return(retval);
-}
-
-#ifdef MACH_PASS /* Machine-generated Passwords */
-static krb5_error_code
-print_and_choose_password(new_password, decodable_pwd_string)
- char * new_password;
- krb5_data *decodable_pwd_string;
-{
- krb5_error_code retval;
- krb5_pwd_data *pwd_data;
- passwd_phrase_element **next_passwd_phrase_element;
- char prompt[255];
- char *verify_prompt = 0;
- int i, j, k;
- int legit_pswd = 0; /* Assume No Legitimate Password */
- char *password_list[ADM_MAX_PW_CHOICES];
- char verification_passwd[ADM_MAX_PW_LENGTH+1];
- char phrase_in[ADM_MAX_PHRASE_LENGTH];
- int new_passwd_length;
- char *ptr;
- int verify = 0; /* Do Not Request Password Selection Verification */
- int ok = 0;
-
-#define free_local_password_list() \
-{ for ( k = 0; k < i && k < ADM_MAX_PW_CHOICES; k++) { \
- (void) memset(password_list[k], 0, ADM_MAX_PW_LENGTH); \
- free(password_list[k]); } \
-}
-
- /* Decode Password and Phrase Information Obtained from krb5_rd_priv */
- if ((retval = decode_krb5_pwd_data(decodable_pwd_string , &pwd_data))) {
- fprintf(stderr, "passwd: Unable to Decode Passwords and Phrases\n");
- fprintf(stderr, " Notify your System Administrator or the Kerberos Administrator\n");
- return(1);
- }
-
- next_passwd_phrase_element = pwd_data->element;
- /* Display List in 5 Password/Phrase Increments up to MAX Iterations */
- memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH);
- for ( j = 0; j <= ADM_MAX_PW_ITERATIONS; j++) {
- if (j == ADM_MAX_PW_ITERATIONS) {
- fprintf(stderr, "passwd: Sorry - You Have Exceeded the List of Choices (%d) Allowed for Password\n",
- ADM_MAX_PW_ITERATIONS * ADM_MAX_PW_CHOICES);
- fprintf(stderr, " Modification. You Must Repeat this Operation in order to Successfully\n");
- fprintf(stderr, " Change your Password.\n");
- break;
- }
-
- display_print:
- printf("Choose a password from the following list:\n");
-
- printf("\nPassword Remembrance Aid\n");
-
- /* Print Passwords and Assistance Phrases List */
- for ( i = 0; i < ADM_MAX_PW_CHOICES; i++){
- if ((password_list[i] = (char *) calloc (1,
- ADM_MAX_PW_LENGTH + 1)) == NULL) {
- fprintf(stderr, "passwd: Unable to Allocate Password List.\n");
- return(1);
- }
-
- memcpy(password_list[i],
- (*next_passwd_phrase_element)->passwd->data,
- (*next_passwd_phrase_element)->passwd->length);
- printf("%s ", password_list[i]);
-
- memcpy((char *) phrase_in,
- (*next_passwd_phrase_element)->phrase->data,
- (*next_passwd_phrase_element)->phrase->length);
- for ( k = 0;
- k < 50 && k < (*next_passwd_phrase_element)->phrase->length;
- k++) {
- printf("%c", phrase_in[k]);
- }
- for ( k = k;
- k < 70 && k < (*next_passwd_phrase_element)->phrase->length;
- k++) {
- if (phrase_in[k] == ' ') {
- printf("\n ");
- k++;
- break;
- } else {
- printf("%c", phrase_in[k]);
- }
- }
- for ( k = k;
- k < (*next_passwd_phrase_element)->phrase->length;
- k++) {
- printf("%c", phrase_in[k]);
- }
- printf("\n");
- memset((char *) phrase_in, 0, ADM_MAX_PHRASE_LENGTH);
- next_passwd_phrase_element++;
- }
-
- sprintf(prompt,
- "\nEnter Password Selection or a <CR> to get new list: ");
-
- new_passwd_length = ADM_MAX_PW_LENGTH+1;
- /* Read New Password from Terminal (Do Not Print on Screen) */
- if ((retval = krb5_read_password(&prompt[0], 0,
- new_password, &new_passwd_length))) {
- fprintf(stderr,
- "passwd: Error Reading Password Input or Input Aborted\n");
- free_local_password_list();
- break;;
- }
-
- /* Check for <CR> ==> Provide a New List */
- if (new_passwd_length == 0) continue;
-
- /* Check that Selection is from List - Server also does this */
- legit_pswd = 0;
- for (i = 0; i < ADM_MAX_PW_CHOICES && !legit_pswd; i++)
- if ((retval = memcmp(new_password,
- password_list[i], 8)) == 0) {
- legit_pswd++;
- }
- free_local_password_list();
-
- if (!(legit_pswd)) {
- printf("\07\07Password must be from the specified list ");
- printf("- Try Again\n");
- }
-
- if (legit_pswd) break; /* Exit Loop */
- } /* ADM_MAX_PW_CHOICES Loop */
-
- if (!(legit_pswd)) return (1);
-
- return(0); /* SUCCESS */
-}
-#endif
-
-static krb5_error_code
-adm5_init_link(realm_of_server, local_socket)
-krb5_data *realm_of_server;
-int * local_socket;
-{
- struct servent *service_process; /* service we will talk to */
- struct hostent *local_host; /* us */
- struct hostent *remote_host; /* host we will talk to */
- struct sockaddr *sockaddr_list;
-
- char **hostlist;
-
- int host_count;
- int namelen;
- int i, count;
-
- krb5_error_code retval;
-
- /* clear out the structure first */
- (void) memset((char *)&remote_sin, 0, sizeof(remote_sin));
-
- if ((service_process = getservbyname(CPW_SNAME, "tcp")) == NULL) {
- fprintf(stderr, "passwd: Unable to find Service (%s) Check services file\n",
- CPW_SNAME);
- return(1);
- }
-
- /* Copy the Port Number */
- remote_sin.sin_port = service_process->s_port;
-
- hostlist = 0;
-
- /* Identify all Hosts Associated with this Realm */
- if ((retval = krb5_get_krbhst (realm_of_server, &hostlist))) {
- fprintf(stderr, "passwd: Unable to Determine Server Name\n");
- return(1);
- }
-
- for (i=0; hostlist[i]; i++);
-
- count = i;
-
- if (count == 0) {
- host_count = 0;
- fprintf(stderr, "passwd: No hosts found\n");
- return(1);
- }
-
- for (i=0; hostlist[i]; i++) {
- remote_host = gethostbyname(hostlist[i]);
- if (remote_host != 0) {
-
- /* set up the address of the foreign socket for connect() */
- remote_sin.sin_family = remote_host->h_addrtype;
- (void) memcpy((char *) &remote_sin.sin_addr,
- (char *) remote_host->h_addr,
- sizeof(remote_host->h_addr));
- break; /* Only Need one */
- }
- }
-
- free ((char *)hostlist);
-
- /* open a TCP socket */
- *local_socket = socket(PF_INET, SOCK_STREAM, 0);
- if (*local_socket < 0) {
- fprintf(stderr, "passwd: Cannot Open Socket\n");
- return(1);
- }
- /* connect to the server */
- if (connect(*local_socket, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) < 0) {
- fprintf(stderr, "passwd: Cannot Connect to Socket\n");
- close(*local_socket);
- return(1);
- }
-
- /* find out who I am, now that we are connected and therefore bound */
- namelen = sizeof(local_sin);
- if (getsockname(*local_socket,
- (struct sockaddr *) &local_sin, &namelen) < 0) {
- fprintf(stderr, "passwd: Cannot Perform getsockname\n");
- close(*local_socket);
- return(1);
- }
- return(0);
-}
-
static void
-finish()
-{
- exit(1);
-}
-
-#ifdef KRB_NONETWORK
-#include <utmp.h>
-
-#ifndef MAXHOSTNAME
-#define MAXHOSTNAME 64
-#endif
-
-int utfile; /* Global utfile file descriptor for BSD version
- of setutent, getutline, and endutent */
-
-#if !defined(SYSV) && !defined(UMIPS) /* Setutent, Endutent, and getutline
- routines for non System V Unix
- systems */
-#include <fcntl.h>
-
-void setutent()
+usage (int ret, struct getargs *a, int num_args)
{
- utfile = open("/etc/utmp",O_RDONLY);
+ arg_printusage (a, num_args, NULL, "[principal]");
+ exit (ret);
}
-struct utmp * getutline(utmpent)
-struct utmp *utmpent;
+int
+main (int argc, char **argv)
{
- static struct utmp tmputmpent;
- int found = 0;
- while ( read(utfile,&tmputmpent,sizeof(struct utmp)) > 0 ){
- if ( strcmp(tmputmpent.ut_line,utmpent->ut_line) == 0){
-#ifdef NO_UT_HOST
- if ( ( 1) &&
-#else
- if ( (strcmp(tmputmpent.ut_host,"") == 0) &&
-#endif
- (strcmp(tmputmpent.ut_name,"") == 0)) continue;
- found = 1;
- break;
- }
- }
- if (found)
- return(&tmputmpent);
- return((struct utmp *) 0);
-}
-
-void endutent()
-{
- close(utfile);
-}
-#endif /* not SYSV */
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_principal principal;
+ int optind = 0;
+ krb5_get_init_creds_opt opt;
+ krb5_creds cred;
+ int result_code;
+ krb5_data result_code_string, result_string;
+ char pwbuf[BUFSIZ];
+ optind = krb5_program_setup(&context, argc, argv,
+ args, sizeof(args) / sizeof(args[0]), usage);
-int network_connected()
-{
-struct utmp utmpent;
-struct utmp retutent, *tmpptr;
-char *display_indx;
-char currenthost[MAXHOSTNAME];
-char *username,*tmpname;
+ if (help_flag)
+ usage (0, args, sizeof(args) / sizeof(args[0]));
-
-/* Macro for pseudo_tty */
-#define pseudo_tty(ut) \
- ((strncmp((ut).ut_line, "tty", 3) == 0 && ((ut).ut_line[3] == 'p' \
- || (ut).ut_line[3] == 'q' \
- || (ut).ut_line[3] == 'r' \
- || (ut).ut_line[3] == 's'))\
- || (strncmp((ut).ut_line, "pty", 3) == 0))
-
- /* Check to see if getlogin returns proper name */
- if ( (tmpname = (char *) getlogin()) == (char *) 0) return(1);
- username = (char *) malloc(strlen(tmpname) + 1);
- if ( username == (char *) 0) return(1);
- strcpy(username,tmpname);
-
- /* Obtain tty device for controlling tty of current process.*/
- strncpy(utmpent.ut_line,ttyname(0) + strlen("/dev/"),
- sizeof(utmpent.ut_line));
-
- /* See if this device is currently listed in /etc/utmp under
- calling user */
-#ifdef SYSV
- utmpent.ut_type = USER_PROCESS;
-#define ut_name ut_user
-#endif
- setutent();
- while ( (tmpptr = (struct utmp *) getutline(&utmpent))
- != ( struct utmp *) 0) {
-
- /* If logged out name and host will be empty */
- if ((strcmp(tmpptr->ut_name,"") == 0) &&
-#ifdef NO_UT_HOST
- ( 1)) continue;
-#else
- (strcmp(tmpptr->ut_host,"") == 0)) continue;
-#endif
- else break;
- }
- if ( tmpptr == (struct utmp *) 0) {
- endutent();
- return(1);
+ if(version_flag){
+ print_version (NULL);
+ exit(0);
}
- bcopy((char *)&retutent, (char *)tmpptr, sizeof(struct utmp));
- endutent();
-#ifdef DEBUG
-#ifdef NO_UT_HOST
- printf("User %s on line %s :\n",
- retutent.ut_name,retutent.ut_line);
-#else
- printf("User %s on line %s connected from host :%s:\n",
- retutent.ut_name,retutent.ut_line,retutent.ut_host);
-#endif
-#endif
- if (strcmp(retutent.ut_name,username) != 0) {
- return(1);
- }
-
-
- /* If this is not a pseudo tty then everything is OK */
- if (! pseudo_tty(retutent)) return(0);
- /* OK now the work begins there is an entry in utmp and
- the device is a pseudo tty. */
-
- /* Check if : is in hostname if so this is xwindow display */
-
- if (gethostname(currenthost,sizeof(currenthost))) return(1);
-#ifdef NO_UT_HOST
- display_indx = (char *) 0;
-#else
- display_indx = (char *) strchr(retutent.ut_host,':');
-#endif
- if ( display_indx != (char *) 0) {
- /*
- We have X window application here. The host field should have
- the form => local_system_name:0.0 or :0.0
- if the window is being displayed on the local system.
- */
-#ifdef NO_UT_HOST
- return(1);
-#else
- if (strncmp(currenthost,retutent.ut_host,
- (display_indx - retutent.ut_host)) != 0) return(1);
- else return(0);
-#endif
- }
+ krb5_get_init_creds_opt_init (&opt);
- /* Host field is empty or is not X window entry. At this point
- we can't trust that the pseudo tty is not connected to a
- networked process so let's return 1.
- */
- return(1);
-}
-
-int networked()
-{
- return(network_connected());
+ krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+ krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
+
+ argc -= optind;
+ argv += optind;
+
+ if (argc > 1)
+ usage (1, args, sizeof(args) / sizeof(args[0]));
+
+ ret = krb5_init_context (&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ if(argv[0]) {
+ ret = krb5_parse_name (context, argv[0], &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else
+ principal = NULL;
+
+ ret = krb5_get_init_creds_password (context,
+ &cred,
+ principal,
+ NULL,
+ krb5_prompter_posix,
+ NULL,
+ 0,
+ "kadmin/changepw",
+ &opt);
+ switch (ret) {
+ case 0:
+ break;
+ case KRB5_LIBOS_PWDINTR :
+ return 1;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+ case KRB5KRB_AP_ERR_MODIFIED :
+ krb5_errx(context, 1, "Password incorrect");
+ break;
+ default:
+ krb5_err(context, 1, ret, "krb5_get_init_creds");
+ }
+
+ krb5_data_zero (&result_code_string);
+ krb5_data_zero (&result_string);
+
+ if(des_read_pw_string (pwbuf, sizeof(pwbuf), "New password: ", 1) != 0)
+ return 1;
+
+ ret = krb5_change_password (context, &cred, pwbuf,
+ &result_code,
+ &result_code_string,
+ &result_string);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_change_password");
+
+ printf ("Reply from server: %.*s\n", (int)result_string.length,
+ (char *)result_string.data);
+
+ krb5_data_free (&result_code_string);
+ krb5_data_free (&result_string);
+
+ krb5_free_creds_contents (context, &cred);
+ krb5_free_context (context);
+ return result_code;
}
-#endif
-
-#endif /* KERBEROS5 */