void
main(int argc, char *argv[])
{
int n;
int32_t chal;
char *err;
char ukey[DESKEYLEN], resp[32], buf[NETCHLEN];
Ndb *db2;
ARGBEGIN{
case 'd':
debug = 1;
break;
}ARGEND;
db = ndbopen("/lib/ndb/auth");
if(db == 0)
syslog(0, AUTHLOG, "no /lib/ndb/auth");
db2 = ndbopen(0);
if(db2 == 0)
syslog(0, AUTHLOG, "no /lib/ndb/local");
db = ndbcat(db, db2);
werrstr("");
strcpy(raddr, "unknown");
if(argc >= 1)
getraddr(argv[argc-1]);
argv0 = "guard";
srand((getpid()*1103515245)^time(0));
notify(catchalarm);
/*
* read the host and client and get their keys
*/
if(readarg(0, user, sizeof user) < 0)
fail(0);
/*
* challenge-response
*/
chal = lnrand(MAXNETCHAL);
snprint(buf, sizeof buf, "challenge: %lud\nresponse: ", chal);
n = strlen(buf) + 1;
if(write(1, buf, n) != n){
if(debug)
syslog(0, AUTHLOG, "g-fail %s@%s: %r sending chal",
user, raddr);
exits("replying to server");
}
alarm(3*60*1000);
werrstr("");
if(readarg(0, resp, sizeof resp) < 0){
if(debug)
syslog(0, AUTHLOG, "g-fail %s@%s: %r reading resp",
user, raddr);
fail(0);
}
alarm(0);
/* remove password login from guard.research.bell-labs.com, sucre, etc. */
// if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
if((err = secureidcheck(user, resp)) != nil){
print("NO %s", err);
write(1, "NO", 2);
if(debug) {
char *r;
/*
* don't log the entire response, since the first
* Pinlen digits may be the user's secure-id pin.
*/
if (strlen(resp) < Pinlen)
r = strdup("<too short for pin>");
else if (strlen(resp) == Pinlen)
r = strdup("<pin only>");
else
r = smprint("%.*s%s", Pinlen,
"******************", resp + Pinlen);
syslog(0, AUTHLOG,
"g-fail %s@%s: %s: resp %s to chal %lud",
user, raddr, err, r, chal);
free(r);
}
fail(user);
}
write(1, "OK", 2);
if(debug)
syslog(0, AUTHLOG, "g-ok %s@%s", user, raddr);
succeed(user);
exits(0);
}
void
challengebox(Ticketreq *tr)
{
long chal;
char *key, *netkey;
char kbuf[DESKEYLEN], nkbuf[DESKEYLEN], hkey[DESKEYLEN];
char buf[NETCHLEN+1];
char *err;
key = findkey(KEYDB, tr->uid, kbuf);
netkey = findkey(NETKEYDB, tr->uid, nkbuf);
if(key == 0 && netkey == 0){
/* make one up so caller doesn't know it was wrong */
mkkey(nkbuf);
netkey = nkbuf;
if(debug)
syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
}
if(findkey(KEYDB, tr->hostid, hkey) == 0){
/* make one up so caller doesn't know it was wrong */
mkkey(hkey);
if(debug)
syslog(0, AUTHLOG, "cr-fail hostid %s %s@%s", tr->hostid,
tr->uid, raddr);
}
/*
* challenge-response
*/
memset(buf, 0, sizeof(buf));
buf[0] = AuthOK;
chal = lnrand(MAXNETCHAL);
snprint(buf+1, sizeof buf - 1, "%lud", chal);
if(write(1, buf, NETCHLEN+1) < 0)
exits(0);
if(readn(0, buf, NETCHLEN) < 0)
exits(0);
if(!(key && netcheck(key, chal, buf))
&& !(netkey && netcheck(netkey, chal, buf))
&& (err = secureidcheck(tr->uid, buf)) != nil){
replyerror("cr-fail %s %s %s", err, tr->uid, raddr);
logfail(tr->uid);
if(debug)
syslog(0, AUTHLOG, "cr-fail %s@%s(%s): bad resp",
tr->uid, tr->hostid, raddr);
return;
}
succeed(tr->uid);
/*
* reply with ticket & authenticator
*/
if(tickauthreply(tr, hkey) < 0){
if(debug)
syslog(0, AUTHLOG, "cr-fail %s@%s(%s): hangup",
tr->uid, tr->hostid, raddr);
exits(0);
}
if(debug)
syslog(0, AUTHLOG, "cr-ok %s@%s(%s)",
tr->uid, tr->hostid, raddr);
}
