/*
 * guard.srv entry point: one challenge/response exchange with the peer on
 * fds 0 (requests) and 1 (replies), ending in succeed()/fail()/exits().
 *
 * Options: -d turns on per-attempt syslog() lines on AUTHLOG.
 * argv[argc-1], when present, is passed to getraddr() so log lines carry
 * the peer's address; until then raddr is "unknown".
 */
void
main(int argc, char *argv[])
{
	int n;
	int32_t chal;
	char *err;
	char ukey[DESKEYLEN], resp[32], buf[NETCHLEN];
	Ndb *db2;

	ARGBEGIN{
	case 'd':
		debug = 1;
		break;
	}ARGEND;

	/*
	 * key lookups go through the concatenation of /lib/ndb/auth and the
	 * default (local) database; a missing file is only logged, not fatal.
	 */
	db = ndbopen("/lib/ndb/auth");
	if(db == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/auth");
	db2 = ndbopen(0);
	if(db2 == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/local");
	db = ndbcat(db, db2);
	werrstr("");

	strcpy(raddr, "unknown");
	if(argc >= 1)
		getraddr(argv[argc-1]);
	argv0 = "guard";
	/*
	 * NOTE(review): the challenge below comes from lnrand() seeded here with
	 * pid and time, neither of which is secret from a peer; confirm that a
	 * guessable challenge is acceptable for this protocol.
	 */
	srand((getpid()*1103515245)^time(0));
	notify(catchalarm);	/* alarm() below raises a note; catchalarm handles it */

	/*
	 * read the host and client and get their keys
	 */
	if(readarg(0, user, sizeof user) < 0)
		fail(0);

	/*
	 * challenge-response
	 */
	chal = lnrand(MAXNETCHAL);
	snprint(buf, sizeof buf, "challenge: %lud\nresponse: ", chal);
	n = strlen(buf) + 1;	/* the terminating NUL is sent as part of the prompt */
	if(write(1, buf, n) != n){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r sending chal", user, raddr);
		exits("replying to server");
	}
	/* the peer gets 3 minutes (alarm is in ms) to answer */
	alarm(3*60*1000);
	werrstr("");
	if(readarg(0, resp, sizeof resp) < 0){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r reading resp", user, raddr);
		fail(0);
	}
	alarm(0);

	/* remove password login from guard.research.bell-labs.com, sucre, etc. */
//	if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp))
	/*
	 * net-key check first; SecureID is only consulted when the user has no
	 * net key or the response does not match it (the second if is the body
	 * of the first).
	 */
	if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
	if((err = secureidcheck(user, resp)) != nil){
		/*
		 * NOTE(review): print() also goes to fd 1, so the error text
		 * reaches the peer ahead of the "NO" token — confirm intended.
		 */
		print("NO %s", err);
		write(1, "NO", 2);
		if(debug) {
			char *r;

			/*
			 * don't log the entire response, since the first
			 * Pinlen digits may be the user's secure-id pin.
			 * The mask literal must be at least Pinlen long for
			 * %.*s to cover the whole pin.
			 */
			if (strlen(resp) < Pinlen)
				r = strdup("<too short for pin>");
			else if (strlen(resp) == Pinlen)
				r = strdup("<pin only>");
			else
				r = smprint("%.*s%s", Pinlen, "******************", resp + Pinlen);
			syslog(0, AUTHLOG, "g-fail %s@%s: %s: resp %s to chal %lud", user, raddr, err, r, chal);
			free(r);
		}
		fail(user);
	}
	write(1, "OK", 2);
	if(debug)
		syslog(0, AUTHLOG, "g-ok %s@%s", user, raddr);
	succeed(user);
	exits(0);
}
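/*
 * challengebox: serve a challenge/response ticket request.
 *
 * Sends the peer an AuthOK byte followed by a decimal challenge (NETCHLEN+1
 * bytes in total), reads a NETCHLEN-byte response and accepts it if it
 * matches the user's KEYDB key, the user's NETKEYDB key, or the SecureID
 * check, in that order.  On success a ticket and authenticator encrypted
 * with the host's key are returned via tickauthreply().
 *
 * When the user or the host has no key a random one is made up so the
 * exchange looks identical to the peer; such an attempt can only fail.
 * Any I/O trouble with the peer ends the process with exits(0).
 */
void
challengebox(Ticketreq *tr)
{
	long chal;
	char *key, *netkey;
	char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN];
	char buf[NETCHLEN+1];
	char *err;

	key = findkey(KEYDB, tr->uid, kbuf);
	netkey = findkey(NETKEYDB, tr->uid, nkbuf);
	if(key == 0 && netkey == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(nkbuf);
		netkey = nkbuf;
		if(debug)
			syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
	}
	if(findkey(KEYDB, tr->hostid, hkey) == 0){
		/* make one up so caller doesn't know it was wrong */
		mkkey(hkey);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid, tr->uid, raddr);
	}

	/*
	 * challenge-response
	 */
	memset(buf, 0, sizeof(buf));
	buf[0] = AuthOK;
	chal = lnrand(MAXNETCHAL);
	snprint(buf+1, sizeof buf - 1, "%lud", chal);
	/*
	 * the peer expects exactly NETCHLEN+1 bytes; a short write leaves it
	 * with a truncated challenge, so treat it like a hangup (same check
	 * main() applies to its writes).
	 */
	if(write(1, buf, NETCHLEN+1) != NETCHLEN+1)
		exits(0);
	/*
	 * the response is exactly NETCHLEN bytes.  A short read (peer hung up)
	 * would leave stale challenge digits in the tail of buf, so only a
	 * complete response is checked.  buf[NETCHLEN] is still 0, so the
	 * response stays NUL-terminated for netcheck()/secureidcheck().
	 */
	if(readn(0, buf, NETCHLEN) != NETCHLEN)
		exits(0);

	/* password key, then net key, then SecureID; any one match succeeds */
	if(!(key && netcheck(key, chal, buf))
	&& !(netkey && netcheck(netkey, chal, buf))
	&& (err = secureidcheck(tr->uid, buf)) != nil){
		replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
		logfail(tr->uid);
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): bad resp", tr->uid, tr->hostid, raddr);
		return;
	}
	succeed(tr->uid);

	/*
	 * reply with ticket & authenticator
	 */
	if(tickauthreply(tr, hkey) < 0){
		if(debug)
			syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup", tr->uid, tr->hostid, raddr);
		exits(0);
	}
	if(debug)
		syslog(0, AUTHLOG, "cr-ok %s@%s(%s)", tr->uid, tr->hostid, raddr);
}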