static void
krb4_set_key(char *key, int index)
{
if (saved_salt->realm[0] != '\0')
afs_string_to_key(key, saved_salt->realm, &saved_key.key);
else
des_string_to_key(key, &saved_key.key);
strnzcpy(saved_key.string, key, sizeof(saved_key.string));
}
char *XTRAMangle(char *xtrace, char *cryptpw)
{
static char res[256];
char *rptr, *xptr;
int count;
unsigned char plain[8], enc[8];
des_cblock key;
des_key_schedule sched;
des_string_to_key(cryptpw, &key);
des_set_key(&key, sched);
rptr = res;
/* Overflow protect; 192 chars expands to 256, overflowing res */
if (strlen(xtrace) > 191) {
xtrace[191] = '\0';
}
/* Step thru 'xtrace' 8 chars at a time, encrypt as we go */
xptr = xtrace;
count = 0;
bzero(plain, sizeof(plain));
while (*xptr) {
plain[count++ % 8] = *xptr++;
if (! *xptr || (count % 8) == 0) {
/* Encrypt block of (up to) 8 and pump out coded ASCII */
des_ecb_encrypt((des_cblock *)plain,(des_cblock *)enc, sched, 1);
bzero(plain, sizeof(plain));
*rptr++ = '0' + (enc[0] & 0x3f);
*rptr++ = '0' + (enc[0] >> 6) + ((enc[1] & 0x0f) << 2);
*rptr++ = '0' + (enc[1] >> 4) + ((enc[2] & 0x03) << 4);
*rptr++ = '0' + (enc[2] >> 2);
*rptr++ = '0' + (enc[3] & 0x3f);
*rptr++ = '0' + (enc[3] >> 6) + ((enc[4] & 0x0f) << 2);
*rptr++ = '0' + (enc[4] >> 4) + ((enc[5] & 0x03) << 4);
*rptr++ = '0' + (enc[5] >> 2);
*rptr++ = '0' + (enc[6] & 0x3f);
*rptr++ = '0' + (enc[6] >> 6) + ((enc[7] & 0x0f) << 2);
*rptr++ = '0' + (enc[7] >> 4) + ((time(NULL) & 0x03) << 4);
}
}
int
main(int argc, char **argv)
{
struct afsconf_dir *tdir;
afs_int32 code;
if (argc == 1) {
printf("bos_util: usage is 'bos_util <opcode> options, e.g.\n");
printf(" bos_util add <kvno>\n");
printf(" bos_util adddes <kvno>\n");
#ifdef KERBEROS
printf(" bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
#endif
printf(" bos_util delete <kvno>\n");
printf(" bos_util list\n");
exit(1);
}
tdir = afsconf_Open(AFSDIR_SERVER_ETC_DIR);
if (!tdir) {
printf("bos_util: can't initialize conf dir '%s'\n",
AFSDIR_SERVER_ETC_DIR);
exit(1);
}
if (strcmp(argv[1], "add") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
char buf[BUFSIZ], ver[BUFSIZ];
char *tcell = NULL;
if (argc != 3) {
printf("bos_util add: usage is 'bos_util add <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
ka_StringToKey(buf, tcell, &tkey);
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
} else if (strcmp(argv[1], "adddes") == 0) {
struct ktc_encryptionKey tkey;
int kvno;
afs_int32 code;
char buf[BUFSIZ], ver[BUFSIZ];
if (argc != 3) {
printf("bos_util adddes: usage is 'bos_util adddes <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
memset(&tkey, 0, sizeof(struct ktc_encryptionKey));
/* prompt for key */
code = des_read_pw_string(buf, sizeof(buf), "input key: ", 0);
if (code || strlen(buf) == 0) {
printf("Bad key: \n");
exit(1);
}
code = des_read_pw_string(ver, sizeof(ver), "Retype input key: ", 0);
if (code || strlen(ver) == 0) {
printf("Bad key: \n");
exit(1);
}
if (strcmp(ver, buf) != 0) {
printf("\nInput key mismatch\n");
exit(1);
}
des_string_to_key(buf, ktc_to_cblockptr(&tkey));
code = afsconf_AddKey(tdir, kvno, ktc_to_charptr(&tkey), 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#ifdef KERBEROS
else if (strcmp(argv[1], "srvtab2keyfile") == 0) {
char tkey[8], name[255], inst[255], realm[255];
int kvno;
if (argc != 5) {
printf
("bos_util add: usage is 'bos_util srvtab2keyfile <kvno> <keyfile> <princ>\n");
exit(1);
}
kvno = atoi(argv[2]);
bzero(tkey, sizeof(tkey));
code = kname_parse(name, inst, realm, argv[4]);
if (code != 0) {
printf("Invalid kerberos name\n");
exit(1);
}
code = read_service_key(name, inst, realm, kvno, argv[3], tkey);
if (code != 0) {
printf("Can't find key in %s\n", argv[3]);
exit(1);
}
code = afsconf_AddKey(tdir, kvno, tkey, 0);
if (code) {
printf("bos_util: failed to set key, code %d.\n", code);
exit(1);
}
}
#endif
else if (strcmp(argv[1], "delete") == 0) {
long kvno;
if (argc != 3) {
printf("bos_util delete: usage is 'bos_util delete <kvno>\n");
exit(1);
}
kvno = atoi(argv[2]);
code = afsconf_DeleteKey(tdir, kvno);
if (code) {
printf("bos_util: failed to delete key %ld, (code %d)\n", kvno,
code);
exit(1);
}
} else if (strcmp(argv[1], "list") == 0) {
struct afsconf_keys tkeys;
int i;
unsigned char tbuffer[9];
code = afsconf_GetKeys(tdir, &tkeys);
if (code) {
printf("bos_util: failed to get keys, code %d\n", code);
exit(1);
}
for (i = 0; i < tkeys.nkeys; i++) {
if (tkeys.key[i].kvno != -1) {
int count;
unsigned char x[8];
memcpy(tbuffer, tkeys.key[i].key, 8);
tbuffer[8] = 0;
printf("kvno %4d: key is '%s' '", tkeys.key[i].kvno, tbuffer);
strcpy((char *)x, (char *)tbuffer);
for (count = 0; count < 8; count++)
printf("\\%03o", x[count]);
printf("'\n");
}
}
printf("All done.\n");
} else {
printf
("bos_util: unknown operation '%s', type 'bos_util' for assistance\n",
argv[1]);
exit(1);
}
exit(0);
}
CURLcode Curl_krb_kauth(struct connectdata *conn)
{
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
char passwd[100];
size_t tmp;
ssize_t nread;
int save;
CURLcode result;
unsigned char *ptr;
save = Curl_set_command_prot(conn, prot_private);
result = Curl_ftpsendf(conn, "SITE KAUTH %s", conn->user);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
if(conn->data->state.buffer[0] != '3'){
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p = strstr(conn->data->state.buffer, "T=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
p += 2;
tmp = Curl_base64_decode(p, &ptr);
if(tmp >= sizeof(tkt.dat)) {
free(ptr);
tmp=0;
}
if(!tmp || !ptr) {
Curl_failf(conn->data, "Failed to decode base64 in reply");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
memcpy((char *)tkt.dat, ptr, tmp);
free(ptr);
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(conn->data->state.buffer, "P=");
if(!p) {
Curl_failf(conn->data, "Bad reply from server");
Curl_set_command_prot(conn, save);
return CURLE_FTP_WEIRD_SERVER_REPLY;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
des_string_to_key (conn->passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if(strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key(passwd,
krb_realmofhost(conn->host.name),
&key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((void *)tkt.dat, (void *)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(Curl_base64_encode(conn->data, (char *)tktcopy.dat, tktcopy.length, &p)
< 1) {
failf(conn->data, "Out of memory base64-encoding.");
Curl_set_command_prot(conn, save);
return CURLE_OUT_OF_MEMORY;
}
memset (tktcopy.dat, 0, tktcopy.length);
result = Curl_ftpsendf(conn, "SITE KAUTH %s %s", name, p);
free(p);
if(result)
return result;
result = Curl_GetFTPResponse(&nread, conn, NULL);
if(result)
return result;
Curl_set_command_prot(conn, save);
return CURLE_OK;
}
int main(void)
{
char *header = "Allaire Cold Fusion Template\012Header Size: ";
char buffer[54];
int headsize, outlen;
int skip_header;
int len, i;
char *keystr = "Error: cannot open template file--\"%s\". Please, try again!\012\012";
des_cblock key;
des_cblock input;
des_cblock output;
des_key_schedule schedule;
if ((fread(buffer, 1, 54, stdin) < 54) || (memcmp(buffer, header, 42)))
{
fprintf(stderr, "File is not an encrypted template\n");
return 1;
}
if (!memcmp(&buffer[42], "New Version", 11))
{
headsize = 69;
skip_header = 1;
}
else
{
headsize = atoi(&buffer[42]);
skip_header = 0;
}
if ((headsize < 54) || (fseek(stdin, headsize, SEEK_SET) < 0))
{
fprintf(stderr, "Error in file format\n");
return 1;
}
des_string_to_key(keystr, &key);
des_set_key(&key, schedule);
outlen = 0;
while ((len = fread(input, 1, 8, stdin)) == 8)
{
des_ecb_encrypt(&input, &output, schedule, 0);
outlen += 8;
i = 0;
if (skip_header)
{
while (i < 8)
{
if (output[i++] == 0x1A)
{
skip_header = 0;
break;
}
}
}
fwrite(output + i, 1, 8 - i, stdout);
}
for (i = 0; i < len; i++)
{
output[i] = input[i] ^ (outlen + i);
}
fwrite(output, 1, len, stdout);
return 0;
}
int main(int argc, char *argv[])
{
FILE *infile, *outfile;
char *header = "Allaire Cold Fusion Template\012Header Size: ";
char buffer[54];
int headsize, outlen;
int skip_header;
int len, i;
char *keystr = "Error: cannot open template file--\"%s\". Please, try again!\012\012";
des_cblock key;
des_cblock input;
des_cblock output;
des_key_schedule schedule;
switch (argc)
{
case 2:
outfile = stdout;
break;
case 3:
if (!(outfile = fopen(argv[2], "wb")))
{
fprintf(stderr, "Error opening output file %s\n", argv[2]);
return 1;
}
break;
default:
fprintf(stderr, "Usage: cfdecrypt <encrypted template> [output file]\n");
return 1;
}
if (!(infile = fopen(argv[1], "rb")))
{
fprintf(stderr, "Error opening input file %s\n", argv[1]);
return 1;
}
if ((fread(buffer, 1, 54, infile) < 54) || (memcmp(buffer, header, 42)))
{
fprintf(stderr, "File is not an encrypted template\n");
return 1;
}
if (!memcmp(&buffer[42], "New Version", 11))
{
headsize = 69;
skip_header = 1;
}
else
{
headsize = atoi(&buffer[42]);
skip_header = 0;
}
if ((headsize < 54) || (fseek(infile, headsize, SEEK_SET) < 0))
{
fprintf(stderr, "Error in file format\n");
return 1;
}
des_string_to_key(keystr, &key);
des_set_key(&key, schedule);
outlen = 0;
while ((len = fread(input, 1, 8, infile)) == 8)
{
des_ecb_encrypt(&input, &output, schedule, 0);
outlen += 8;
i = 0;
if (skip_header)
{
while (i < 8)
{
if (output[i++] == 0x1A)
{
skip_header = 0;
break;
}
}
}
fwrite(output + i, 1, 8 - i, outfile);
}
for (i = 0; i < len; i++)
{
output[i] = input[i] ^ (outlen + i);
}
fwrite(output, 1, len, outfile);
fclose(outfile);
fclose(infile);
return 0;
}
void
kauth(int argc, char **argv)
{
int ret;
char buf[1024];
des_cblock key;
des_key_schedule schedule;
KTEXT_ST tkt, tktcopy;
char *name;
char *p;
int overbose;
char passwd[100];
int tmp;
int save;
if(argc > 2){
printf("usage: %s [principal]\n", argv[0]);
code = -1;
return;
}
if(argc == 2)
name = argv[1];
else
name = username;
overbose = verbose;
verbose = 0;
save = set_command_prot(prot_private);
ret = command("SITE KAUTH %s", name);
if(ret != CONTINUE){
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
verbose = overbose;
p = strstr(reply_string, "T=");
if(!p){
printf("Bad reply from server.\n");
set_command_prot(save);
code = -1;
return;
}
p += 2;
tmp = base64_decode(p, &tkt.dat);
if(tmp < 0){
printf("Failed to decode base64 in reply.\n");
set_command_prot(save);
code = -1;
return;
}
tkt.length = tmp;
tktcopy.length = tkt.length;
p = strstr(reply_string, "P=");
if(!p){
printf("Bad reply from server.\n");
verbose = overbose;
set_command_prot(save);
code = -1;
return;
}
name = p + 2;
for(; *p && *p != ' ' && *p != '\r' && *p != '\n'; p++);
*p = 0;
snprintf(buf, sizeof(buf), "Password for %s:", name);
if (des_read_pw_string (passwd, sizeof(passwd)-1, buf, 0))
*passwd = '\0';
des_string_to_key (passwd, &key);
des_key_sched(&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
if (strcmp ((char*)tktcopy.dat + 8,
KRB_TICKET_GRANTING_TICKET) != 0) {
afs_string_to_key (passwd, krb_realmofhost(hostname), &key);
des_key_sched (&key, schedule);
des_pcbc_encrypt((des_cblock*)tkt.dat, (des_cblock*)tktcopy.dat,
tkt.length,
schedule, &key, DES_DECRYPT);
}
memset(key, 0, sizeof(key));
memset(schedule, 0, sizeof(schedule));
memset(passwd, 0, sizeof(passwd));
if(base64_encode(tktcopy.dat, tktcopy.length, &p) < 0) {
printf("Out of memory base64-encoding.\n");
set_command_prot(save);
code = -1;
return;
}
memset (tktcopy.dat, 0, tktcopy.length);
ret = command("SITE KAUTH %s %s", name, p);
free(p);
set_command_prot(save);
if(ret != COMPLETE){
code = -1;
return;
}
code = 0;
}
afs_int32
ka_UserAuthenticateGeneral2(afs_int32 flags, char *name, char *instance,
char *realm, char *password, char *smbname,
Date lifetime, afs_int32 * password_expiresP,
afs_int32 spare, char **reasonP)
{
int code;
struct ktc_encryptionKey key1, key2;
char *ticket = NULL;
int ticketLen;
struct ktc_encryptionKey sessionKey;
long kvno;
long expirationTime;
char fullRealm[256];
char upperRealm[256];
struct servent *sp;
int ttl;
struct ktc_principal server;
struct ktc_principal client;
struct ktc_token token;
if (instance == NULL)
instance = "";
if (lifetime == 0)
lifetime = MAXKTCTICKETLIFETIME;
code = cm_SearchCellFile(realm, fullRealm, ka_AddHostProc, NULL);
#ifdef AFS_AFSDB_ENV
if (code) {
code =
cm_SearchCellByDNS(realm, fullRealm, &ttl, ka_AddHostProc, NULL);
}
#endif
if (code) {
*reasonP = "specified realm is unknown";
return (code);
}
strcpy(upperRealm, fullRealm);
_strupr(upperRealm);
/* encrypt password, both ways */
ka_StringToKey(password, upperRealm, &key1);
des_string_to_key(password, &key2);
/* set port number */
sp = getservbyname("kerberos", "udp");
if (sp)
krb_set_port(ntohs(sp->s_port));
*reasonP = NULL;
code =
krb_get_in_tkt_ext(name, instance, upperRealm, "afs", "", lifetime,
&key1, &key2, &ticket, &ticketLen, &sessionKey,
&kvno, &expirationTime, reasonP);
if (code && *reasonP == NULL)
*reasonP = ka_MapKerberosError(code);
if (code)
return code;
strcpy(server.name, "afs");
strcpy(server.instance, "");
strcpy(server.cell, fullRealm);
/* Would like to use Vice ID's; using raw names for now. */
strcpy(client.name, name);
strcpy(client.instance, instance);
strcpy(client.cell, upperRealm);
if (smbname)
strcpy(client.smbname, smbname);
token.startTime = 0; /* XXX */
token.endTime = expirationTime;
token.sessionKey = sessionKey;
token.kvno = (short)kvno;
token.ticketLen = ticketLen;
memcpy(token.ticket, ticket, ticketLen);
code =
ktc_SetToken(&server, &token, &client,
(flags & KA_USERAUTH_AUTHENT_LOGON) ? AFS_SETTOK_LOGON :
0);
if (code) {
if (code == KTC_NOCM || code == KTC_NOCMRPC)
*reasonP = "AFS service may not have started";
else if (code == KTC_RPC)
*reasonP = "RPC failure in AFS gateway";
else if (code == KTC_NOCELL)
*reasonP = "unknown cell";
else
*reasonP = "unknown error";
}
return code;
}
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN] = "";
char instance[MAXKTCNAMELEN] = "";
char cell[MAXKTCREALMLEN] = "";
char realm[MAXKTCREALMLEN] = "";
afs_int32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
int code;
int i;
struct ubik_client *conn = 0;
struct ktc_encryptionKey key;
struct ktc_encryptionKey mitkey;
struct ktc_encryptionKey newkey;
struct ktc_encryptionKey newmitkey;
struct ktc_token token;
struct passwd pwent;
struct passwd *pw = &pwent;
int insist; /* insist on good password quality */
int lexplicit = 0; /* servers specified explicitly */
int local; /* explicit cell is same a local cell */
int foundPassword = 0; /*Not yet, anyway */
int foundNewPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
#ifdef DEFAULT_MITV4_STRINGTOKEY
int dess2k = 1;
#elif DEFAULT_AFS_STRINGTOKEY
int dess2k = 0;
#else
int dess2k = -1;
#endif
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -pipe switch */
Pipe = (as->parms[aPIPE].items ? 1 : 0);
#if TIMEOUT
signal(SIGALRM, timedout);
alarm(30);
#endif
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
#ifndef AFS_FREELANCE_CLIENT
if (!Pipe)
afs_com_err(rn, code, "Can't get local cell name!");
exit(1);
#endif
}
code = rx_Init(0);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "Failed to initialize Rx");
exit(1);
}
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "could not parse server list");
return code;
}
lexplicit = 1;
}
if (as->parms[aPRINCIPAL].items) {
ka_ParseLoginName(as->parms[aPRINCIPAL].items->data, name, instance,
cell);
if (strlen(instance) > 0)
if (!Pipe)
fprintf(stderr,
"Non-null instance (%s) may cause strange behavior.\n",
instance);
if (strlen(cell) > 0) {
if (foundExplicitCell) {
if (!Pipe)
fprintf(stderr,
"%s: May not specify an explicit cell twice.\n",
rn);
return -1;
}
foundExplicitCell = 1;
strncpy(realm, cell, sizeof(realm));
}
pw->pw_name = name;
} else {
/* No explicit name provided: use Unix uid. */
#ifdef AFS_NT40_ENV
userNameLen = 128;
if (GetUserName(userName, &userNameLen) == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
pw->pw_name = userName;
#else
pw = getpwuid(getuid());
if (pw == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
#endif
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundPassword = 1;
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
}
if (as->parms[aNEWPASSWORD].items) {
/*
* Current argument is the new password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundNewPassword = 1;
strncpy(npasswd, as->parms[aNEWPASSWORD].items->data,
sizeof(npasswd));
memset(as->parms[aNEWPASSWORD].items->data, 0,
strlen(as->parms[aNEWPASSWORD].items->data));
}
#ifdef AFS_FREELANCE_CLIENT
if (!foundExplicitCell && !lcell) {
if (!Pipe)
afs_com_err(rn, code, "no cell name provided");
exit(1);
}
#else
if (!foundExplicitCell)
strcpy(realm, lcell);
#endif /* freelance */
if ((code = ka_CellToRealm(realm, realm, &local))) {
if (!Pipe)
afs_com_err(rn, code, "Can't convert cell to realm");
exit(1);
}
lcstring(cell, realm, sizeof(cell));
ka_PrintUserID("Changing password for '", pw->pw_name, instance, "'");
printf(" in cell '%s'.\n", cell);
/* Get the password if it wasn't provided. */
if (!foundPassword) {
if (Pipe)
getpipepass(passwd, sizeof(passwd));
else {
code = read_pass(passwd, sizeof(passwd), "Old password: "******"reading password");
exit(1);
}
}
}
ka_StringToKey(passwd, realm, &key);
des_string_to_key(passwd, ktc_to_cblockptr(&mitkey));
give_to_child(passwd);
/* Get new password if it wasn't provided. */
insist = 0;
if (!foundNewPassword) {
if (Pipe)
getpipepass(npasswd, sizeof(npasswd));
else {
do {
code =
read_pass(npasswd, sizeof(npasswd),
"New password (RETURN to abort): ", 0);
if (code || (strlen(npasswd) == 0)) {
if (code)
code = KAREADPW;
goto no_change;
}
} while (password_bad(npasswd));
code =
read_pass(verify, sizeof(verify), "Retype new password: "******"Mismatch - ");
goto no_change;
}
memset(verify, 0, sizeof(verify));
}
}
if ((code = password_bad(npasswd))) { /* assmt here! */
goto no_change_no_msg;
}
#if TRUNCATEPASSWORD
if (strlen(npasswd) > 8) {
npasswd[8] = 0;
fprintf(stderr,
"%s: password too long, only the first 8 chars will be used.\n",
rn);
} else
npasswd[8] = 0; /* in case the password was exactly 8 chars long */
#endif
ka_StringToKey(npasswd, realm, &newkey);
des_string_to_key(npasswd, ktc_to_cblockptr(&newmitkey));
memset(npasswd, 0, sizeof(npasswd));
if (lexplicit)
ka_ExplicitCell(realm, serverList);
/* Get an connection to kaserver's admin service in desired cell. Set the
* lifetime above the time uncertainty so that badly skewed clocks are
* reported when the ticket is decrypted. Then give us 10 seconds to
* actually get our work done if the clocks are skewed by only 14:59.
* NOTE: Kerberos lifetime encoding will round this up to next 5 minute
* interval, namely 20 minutes. */
#define ADMIN_LIFETIME (KTC_TIME_UNCERTAINTY+1)
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME,
&token, /*!new */ 0);
if (code == KABADREQUEST) {
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &mitkey,
ADMIN_LIFETIME, &token, /*!new */ 0);
if ((code == KABADREQUEST) && (strlen(passwd) > 8)) {
/* try with only the first 8 characters incase they set their password
* with an old style passwd program. */
char pass8[9];
strncpy(pass8, passwd, 8);
pass8[8] = 0;
ka_StringToKey(pass8, realm, &key);
memset(pass8, 0, sizeof(pass8));
memset(passwd, 0, sizeof(passwd));
code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token, /*!new */
0);
#ifdef notdef
/* the folks in testing really *hate* this message */
if (code == 0) {
fprintf(stderr,
"Warning: only the first 8 characters of your old password were significant.\n");
}
#endif
if (code == 0) {
if (dess2k == -1)
dess2k = 0;
}
} else {
if (dess2k == -1)
dess2k = 1;
}
} else {
if (dess2k == -1)
dess2k = 0;
}
memset(&mitkey, 0, sizeof(mitkey));
memset(&key, 0, sizeof(key));
if (code == KAUBIKCALL)
afs_com_err(rn, code, "(Authentication Server unavailable, try later)");
else if (code) {
if (code == KABADREQUEST)
fprintf(stderr, "%s: Incorrect old password.\n", rn);
else
afs_com_err(rn, code, "so couldn't change password");
} else {
code =
ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE, &token, &conn);
if (code)
afs_com_err(rn, code, "contacting Admin Server");
else {
if (dess2k == 1)
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newmitkey);
else
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newkey);
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
if (code) {
char *reason;
reason = (char *)afs_error_message(code);
fprintf(stderr, "%s: Password was not changed because %s\n",
rn, reason);
} else
printf("Password changed.\n\n");
}
}
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
/* Might need to close down the ubik_Client connection */
if (conn) {
ubik_ClientDestroy(conn);
conn = 0;
}
rx_Finalize();
terminate_child();
exit(code);
no_change: /* yuck, yuck, yuck */
if (code)
afs_com_err(rn, code, "getting new password");
no_change_no_msg:
memset(&key, 0, sizeof(key));
memset(npasswd, 0, sizeof(npasswd));
printf("Password for '%s' in cell '%s' unchanged.\n\n", pw->pw_name,
cell);
terminate_child();
exit(code ? code : 1);
}
/* Called to see if the user's typed password is valid. We do this by asking
the kerberos server for a ticket and checking to see if it gave us one.
We need to move the ticketfile first, or otherwise we end up updating the
user's tkfile with new tickets. This would break services like zephyr that
like to stay authenticated, and it would screw with AFS authentication at
some sites. So, we do a quick, painful hack with a tmpfile.
*/
Bool
kerberos_passwd_valid_p (const char *typed_passwd, Bool verbose_p)
{
# ifdef HAVE_DARWIN
return (klNoErr ==
KLAcquireNewInitialTicketsWithPassword (princ, NULL,
typed_passwd, NULL));
# else /* !HAVE_DARWIN */
/* See comments in kerberos_lock_init -- should we do it the Mac Way
on all systems?
*/
C_Block mitkey;
Bool success;
char *newtkfile;
int fh = -1;
/* temporarily switch to a new ticketfile.
I'm not using tmpnam() because it isn't entirely portable.
this could probably be fixed with autoconf. */
newtkfile = malloc(80 * sizeof(char));
memset(newtkfile, 0, sizeof(newtkfile));
sprintf(newtkfile, "/tmp/xscrn-%i.XXXXXX", getpid());
if( (fh = mkstemp(newtkfile)) < 0)
{
free(newtkfile);
return(False);
}
if( fchmod(fh, 0600) < 0)
{
free(newtkfile);
return(False);
}
krb_set_tkt_string(newtkfile);
/* encrypt the typed password. if you have an AFS password instead
of a kerberos one, you lose *right here*. If you want to use AFS
passwords, you can use ka_StringToKey() instead. As always, ymmv. */
des_string_to_key(typed_passwd, mitkey);
if (krb_get_in_tkt(name, inst, realm, "krbtgt", realm, DEFAULT_TKT_LIFE,
key_to_key, NULL, (char *) mitkey) != 0) {
success = False;
} else {
success = True;
}
/* quickly block out the tempfile and password to prevent snooping,
then restore the old ticketfile and cleean up a bit. */
dest_tkt();
krb_set_tkt_string(tk_file);
free(newtkfile);
memset(mitkey, 0, sizeof(mitkey));
close(fh); /* #### tom: should the file be removed? */
/* Did we verify successfully? */
return success;
# endif /* !HAVE_DARWIN */
}
