Exemple #1
/*
 * Open the network database once and leave the handle in the global db.
 * Returns 0 when db is usable (already open, or opened now), -1 when
 * ndbcat() yields no database at all.
 */
int
opendatabase(void)
{
	Ndb *local, *cur, *net;
	char netpath[256];

	/* already open: nothing to do */
	if (db)
		return 0;

	local = ndbopen(dbfile);		/* e.g. /lib/ndb */

	/* if the per-network file is already part of the chain, use the chain as is */
	snprint(netpath, sizeof netpath, "%s/ndb", mntpt);
	for(cur = local; cur; cur = cur->next){
		if(strcmp(cur->file, netpath) != 0)
			continue;
		db = local;
		return 0;
	}

	/* otherwise open it separately, with hashing turned off, and put it in front */
	net = ndbopen(netpath);		/* e.g. /net/ndb */
	if(net)
		net->nohash = 1;

	db = ndbcat(net, local);		/* both */
	if(db)
		return 0;
	return -1;
}
Exemple #2
Fichier : cs.c Projet : brho/akaros
/*
 * Open the main network database into the global db and, when the
 * per-network file netndb can be opened as well, chain it in front with
 * hashing disabled.
 * NOTE(review): error(1, ...) is presumably the exiting form of error();
 * if it can return, db is still NULL on the lines below - confirm.
 */
static void ndbinit(void)
{
	db = ndbopen(dbfile);
	if (!db)
		error(1, 0, "%s: %r", "can't open network database");

	netdb = ndbopen(netndb);
	if (!netdb)
		return;

	netdb->nohash = 1;
	db = ndbcat(netdb, db);
}
Exemple #3
/*
 * Query tool entry point: open the database (optionally the file given
 * with -f) and hand the remaining arguments to search().
 */
void
main(int argc, char **argv)
{
	char *path = 0;
	Ndb *ndb;

	ARGBEGIN{
	case 'f':
		path = ARGF();
		break;
	default:
		usage();
		break;
	}ARGEND;

	/* need at least three arguments after the options */
	if(argc < 3)
		usage();

	ndb = ndbopen(path);
	if(!ndb){
		fprint(2, "no db files\n");
		exits("no db");
	}

	/* argv[0] and argv[1] are passed as is; the rest go as a counted list */
	search(ndb, argv[0], argv[1], argv+2, argc-2);
	ndbclose(ndb);

	exits(0);
}
Exemple #4
/*
 * Test driver: look up the ipinfo entry for argv[1], print it, then
 * print the addresses lookupserver() reports for "auth" and "dns".
 */
void
main(int argc, char **argv)
{
	Ipinfo ii;
	uchar addrs[2][IPaddrlen];
	int i, j;

	/* the result is not checked; db is handed to ipinfo() as returned */
	db = ndbopen(0);

	fmtinstall('E', eipconv);
	fmtinstall('I', eipconv);
	if(argc < 2)
		exits(0);
	/* an argument containing '.' goes in ipinfo()'s third slot, anything else in the second */
	if(strchr(argv[1], '.')){
		if(ipinfo(db, 0, argv[1], 0, &ii) < 0)
			exits(0);
	} else {
		if(ipinfo(db, argv[1], 0, 0, &ii) < 0)
			exits(0);
	}
	print("a %I m %I n %I f %s e %E a %I\n", ii.ipaddr,
		ii.ipmask, ii.ipnet, ii.bootf, ii.etheraddr, ii.auip);

	/*
	 * NOTE(review): addrs holds 2 entries and the loops below trust the
	 * count lookupserver() returns.  lookupserver() is not shown here;
	 * confirm it never stores or reports more than 2 addresses.
	 */
	i = lookupserver("auth", addrs, &ii);
	print("lookupserver returns %d\n", i);
	for(j = 0; j < i; j++)
		print("%I\n", addrs[j]);
	i = lookupserver("dns", addrs, &ii);
	print("lookupserver returns %d\n", i);
	for(j = 0; j < i; j++)
		print("%I\n", addrs[j]);
}
Exemple #5
/*
 * Open the database dbname and return its handle; a failed open is
 * reported through error() together with the system error string.
 */
static Ndb*
dbopen(char* dbname)
{
	Ndb *handle;

	handle = ndbopen(dbname);
	if(handle == 0)
		error("dbopen: %s: %r\n", dbname);
	return handle;
}
Exemple #6
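/*
 * Read every entry of the database file and record, in the file-level
 * table x, each "ip" tuple of the entries that belong to our nets (an
 * entry qualifies when it carries an "ipnet" tuple or a "dom" value
 * ending in domname).  Parsing stops at the first entry that has
 * flavor=console ahead of any "ip" tuple.
 *
 * Entries stored in x keep their tuple list alive; everything else is
 * freed here.
 */
void
parse(char *file)
{
	int i;
	Ndb *db;
	Ndbtuple *t, *nt, *tt, *ipnett;

	db = ndbopen(file);
	if(db == 0)
		exits("no database");
	while((t = ndbparse(db)) != 0){
		for(nt = t; nt; nt = nt->entry){
			if(strcmp(nt->attr, "ip") == 0)
				break;
			if(strcmp(nt->attr, "flavor") == 0
			&& strcmp(nt->val, "console") == 0){
				/* nothing in x points at this entry yet, so release it */
				ndbfree(t);
				return;
			}
		}
		if(nt == 0){
			ndbfree(t);
			continue;
		}

		/* dump anything not on our nets */
		ipnett = 0;
		for(tt = t; tt; tt = tt->entry){
			if(strcmp(tt->attr, "ipnet") == 0){
				ipnett = tt;
				break;
			}
			if(strcmp(tt->attr, "dom") == 0){
				/*
				 * Compare lengths before forming the suffix pointer:
				 * val+i-domnamlen would point in front of the string
				 * when the value is shorter than domname.
				 */
				i = strlen(tt->val);
				if(i >= domnamlen
				&& strcmp(tt->val+i-domnamlen, domname) == 0)
					break;
			}
		}
		if(tt == 0){
			ndbfree(t);
			continue;
		}

		/*
		 * NOTE(review): x and nx are declared outside this function and
		 * nx is never compared with the capacity of x here; a database
		 * with more "ip" tuples than x can hold writes past its end.
		 * Add a bound once the size of x is known.
		 */
		for(; nt; nt = nt->entry){
			if(strcmp(nt->attr, "ip") != 0)
				continue;
			x[nx].it = nt;
			x[nx].nt = ipnett;
			x[nx++].t = t;
		}
	}
}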
Exemple #7
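/*
 * Test driver for secureidcheck(): open the auth and local databases,
 * then check the response given as argv[1] for the user named by $user
 * and print the result.
 *
 * NOTE(review): the pin and token code arrive as a command-line
 * argument, so they are as visible as the process's argument list is
 * on the host; keep this to test use.
 */
void
main(int argc, char **argv)
{
	Ndb *db2;
	char *user;

	if(argc!=2){
		fprint(2, "usage: %s pinsecurid\n", argv[0]);
		exits("usage");
	}

	/* a missing database is only logged; ndbcat() gets whatever opened */
	db = ndbopen("/lib/ndb/auth");
	if(db == 0)
		syslog(0, "secstore", "no /lib/ndb/auth");
	db2 = ndbopen(0);
	if(db2 == 0)
		syslog(0, "secstore", "no /lib/ndb/local");
	db = ndbcat(db, db2);

	/* secureidcheck() copies and compares the name, so it must not be a null pointer */
	user = getenv("user");
	if(user == 0){
		fprint(2, "%s: user not set in environment\n", argv[0]);
		exits("no user");
	}

	print("user=%s\n", user);
	print("%s\n", secureidcheck(user, argv[1]));
	exits(0);
}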
Exemple #8
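/*
 * Set ds->host to the "smtp" value that the network database lists for
 * this system.  The database handle is opened on first use and kept in
 * a function-local static.
 */
static void
expand_meta(DS *ds)
{
	static Ndb *db;
	Ndbs s;
	char *sys, *smtpserver;

	/* can't ask cs, so query database directly. */
	sys = sysname();
	if(db == nil)
		db = ndbopen(0);
	smtpserver = ndbgetvalue(db, &s, "sys", sys, "smtp", nil);
	/*
	 * NOTE(review): smtpserver is nil when the lookup finds nothing, and
	 * it is still formatted with %s below, so ds->host then holds
	 * whatever the formatter prints for a nil string rather than a host
	 * name; callers should be checked for that case.  128 is assumed to
	 * be the size of ds->host - confirm against the DS declaration.
	 */
	snprint(ds->host, 128, "%s", smtpserver);
	/* ndbgetvalue() hands back an allocated copy; release it (free(nil) is a no-op) */
	free(smtpserver);
}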
Exemple #9
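/*
 * Query tool entry point.  Options: -a and -m bump the file-level
 * counters all and multiple, -f names the database file.  Arguments:
 * attr value [rattr [reps]]; the search is run reps times (default 1).
 */
void
main(int argc, char **argv)
{
	int reps = 1;
	char *rattr = nil, *dbfile = nil;
	Ndb *db;

	ARGBEGIN{
	case 'a':
		all++;
		break;
	case 'm':
		multiple++;
		break;
	case 'f':
		dbfile = EARGF(usage());
		break;
	default:
		usage();
	}ARGEND;

	switch(argc){
	case 4:
		reps = atoi(argv[3]);	/* wtf use is this? */
		/* fall through */
	case 3:
		rattr = argv[2];
		break;
	case 2:
		rattr = nil;
		break;
	default:
		usage();
	}

	if(Binit(&bout, 1, OWRITE) == -1)
		sysfatal("Binit: %r");
	db = ndbopen(dbfile);
	if(db == nil){
		fprint(2, "%s: no db files\n", argv0);
		exits("no db");
	}
	/*
	 * Compare against zero instead of testing reps-- for truth: a
	 * negative count from the command line would otherwise keep the
	 * loop running until the counter wraps.
	 */
	while(reps-- > 0)
		search(db, argv[0], argv[1], rattr);
	ndbclose(db);

	exits(0);
}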
Exemple #10
/*
 * Return the global db handle, opening ndbfile on first use.  An open
 * handle is checked for stale data at most once a minute (measured on
 * the file-level clock now) and reopened when ndbchanged() says so.
 * The result is nil while the file cannot be opened.
 */
static Ndb *
opendb(void)
{
	static ulong lastcheck;

	if(db != nil){
		/* checked less than a minute ago: use it as is */
		if(now < lastcheck + 60)
			return db;
		if (ndbchanged(db))
			ndbreopen(db);
		lastcheck = now;
		return db;
	}

	/* first use, or every earlier open failed */
	db = ndbopen(ndbfile);
	if(db != nil)
		lastcheck = now;
	return db;
}
Exemple #11
/*
 * Test driver: look up the ipinfo entry for argv[1] and print its
 * fields on standard error.  The ndbopen() result is not checked.
 */
void
main(int argc, char **argv)
{
	Ipinfo ii;
	Ndb *db;
	char *plain, *dotted;

	db = ndbopen(0);

	fmtinstall('E', eipconv);
	fmtinstall('I', eipconv);
	if(argc < 2)
		exits(0);

	/* an argument containing '.' fills ipinfo()'s third slot, anything else the second */
	plain = 0;
	dotted = 0;
	if(strchr(argv[1], '.'))
		dotted = argv[1];
	else
		plain = argv[1];

	if(ipinfo(db, plain, dotted, 0, &ii) < 0)
		exits(0);

	fprint(2, "a %I m %I n %I f %s e %E\n", ii.ipaddr,
		ii.ipmask, ii.ipnet, ii.bootf, ii.etheraddr);
}
Exemple #12
/*
 * Challenge-response login service.  Reads a user name from fd 0, sends
 * a numeric challenge on fd 1, reads the response, and accepts it when
 * either the netkey check or secureidcheck() succeeds.  -d turns on
 * debug logging to AUTHLOG.
 */
void
main(int argc, char *argv[])
{
	int n;
	int32_t chal;
	char *err;
	char ukey[DESKEYLEN], resp[32], buf[NETCHLEN];
	Ndb *db2;

	ARGBEGIN{
	case 'd':
		debug = 1;
		break;
	}ARGEND;

	/* a missing database is only logged; ndbcat() gets whatever opened */
	db = ndbopen("/lib/ndb/auth");
	if(db == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/auth");
	db2 = ndbopen(0);
	if(db2 == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/local");
	db = ndbcat(db, db2);
	werrstr("");

	/* raddr only feeds the log lines below */
	strcpy(raddr, "unknown");
	if(argc >= 1)
		getraddr(argv[argc-1]);

	argv0 = "guard";
	/*
	 * NOTE(review): the generator is seeded from the pid and the clock
	 * only, and the challenge below is drawn from it, so the challenge
	 * is guessable to anyone who can estimate both.  Consider taking
	 * the challenge from a cryptographic random source.
	 */
	srand((getpid()*1103515245)^time(0));
	notify(catchalarm);

	/*
	 * read the host and client and get their keys
	 */
	if(readarg(0, user, sizeof user) < 0)
		fail(0);

	/*
	 * challenge-response
	 */
	chal = lnrand(MAXNETCHAL);
	/* NOTE(review): chal is int32_t but is printed with %lud here and in the log below - confirm the widths agree */
	snprint(buf, sizeof buf, "challenge: %lud\nresponse: ", chal);
	/* the +1 sends the terminating NUL along with the prompt */
	n = strlen(buf) + 1;
	if(write(1, buf, n) != n){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r sending chal",
				user, raddr);
		exits("replying to server");
	}
	/* allow 3 minutes for the response */
	alarm(3*60*1000);
	werrstr("");
	if(readarg(0, resp, sizeof resp) < 0){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r reading resp",
				user, raddr);
		fail(0);
	}
	alarm(0);

	/*
	 * The two ifs nest: secureidcheck() runs only when the netkey check
	 * did not pass, and the failure branch runs only when both fail.
	 * NOTE(review): ukey stays on the stack after use and is not
	 * cleared on any path visible here.
	 */
	/* remove password login from guard.research.bell-labs.com, sucre, etc. */
//	if(!findkey(KEYDB,    user, ukey) || !netcheck(ukey, chal, resp))
	if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
	if((err = secureidcheck(user, resp)) != nil){
		print("NO %s", err);
		write(1, "NO", 2);
		if(debug) {
			char *r;

			/*
			 * don't log the entire response, since the first
			 * Pinlen digits may be the user's secure-id pin.
			 */
			if (strlen(resp) < Pinlen)
				r = strdup("<too short for pin>");
			else if (strlen(resp) == Pinlen)
				r = strdup("<pin only>");
			else
				/* mask the first Pinlen characters, keep the rest */
				r = smprint("%.*s%s", Pinlen,
					"******************", resp + Pinlen);
			syslog(0, AUTHLOG,
				"g-fail %s@%s: %s: resp %s to chal %lud",
				user, raddr, err, r, chal);
			free(r);
		}
		fail(user);
	}
	write(1, "OK", 2);
	if(debug)
		syslog(0, AUTHLOG, "g-ok %s@%s", user, raddr);
	succeed(user);
	exits(0);
}
Exemple #13
/*
 * secstore server: announce the service address, then fork one child
 * per incoming call; the child opens the databases, accepts the call
 * and runs dologin() on it.
 * Options: -R sets forceSTA, -s service address, -S name handed to
 * dologin(), -x network mount point, -v verbose (stay in the foreground).
 */
void
main(int argc, char **argv)
{
	int afd, dfd, lcfd, forceSTA = 0;
	char aserve[128], net[128], adir[40], ldir[40];
	char *remote, *serve = "tcp!*!5356", *S = "secstore";
	Ndb *db2;

	setnetmtpt(net, sizeof(net), nil);
	ARGBEGIN{
	case 'R':
		forceSTA = 1;
		break;
	case 's':
		serve = EARGF(usage());
		break;
	case 'S':
		S = EARGF(usage());
		break;
	case 'x':
		setnetmtpt(net, sizeof(net), EARGF(usage()));
		break;
	case 'v':
		verbose++;
		break;
	default:
		usage();
	}ARGEND;

	/* unless verbose, continue in a forked child and let the parent exit */
	if(!verbose)
		switch(rfork(RFNOTEG|RFPROC|RFFDG)) {
		case -1:
			sysfatal("fork: %r");
		case 0:
			break;
		default:
			exits(0);
		}

	snprint(aserve, sizeof aserve, "%s/%s", net, serve);
	afd = announce(aserve, adir);
	if(afd < 0)
		sysfatal("%s: %r", aserve);
	syslog(0, LOG, "ANNOUNCE %s", aserve);
	for(;;){
		/* a listen failure ends the whole server */
		if((lcfd = listen(adir, ldir)) < 0)
			exits("can't listen");
		switch(fork()){
		case -1:
			/* drop this call and keep serving */
			fprint(2, "secstore forking: %r\n");
			close(lcfd);
			break;
		case 0:
			/*
			 * "/lib/ndb/common.radius does not exist"
			 * if db set before fork.
			 */
			/* a missing database is only logged; the login still runs with whatever ndbcat() returns */
			db = ndbopen("/lib/ndb/auth");
			if(db == 0)
				syslog(0, LOG, "no /lib/ndb/auth");
			db2 = ndbopen(0);
			if(db2 == 0)
				syslog(0, LOG, "no /lib/ndb/local");
			db = ndbcat(db, db2);
			if((dfd = accept(lcfd, ldir)) < 0)
				exits("can't accept");
			/* cap the whole session, login included */
			alarm(30*60*1000);		/* 30 min */
			/* NOTE(review): remoteIP() is not shown; confirm it cannot return nil before the value is logged */
			remote = remoteIP(ldir);
			syslog(0, LOG, "secstore from %s", remote);
			free(remote);
			dologin(dfd, S, forceSTA);
			exits(nil);
		default:
			/* parent: the child owns the call now */
			close(lcfd);
			break;
		}
	}
}
Exemple #14
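/*
 * Check a SecurID response for user by sending a RADIUS request to the
 * address(es) the network database lists for the system "lra-radius".
 * The shared secret and an optional uid -> rid name translation come
 * from the "radius=lra-radius" entry of the global db.
 *
 * returns 0 on success, error message on failure
 */
char*
secureidcheck(char *user, char *response)
{
	Packet *req = nil, *resp = nil;
	ulong u[4];
	uchar x[16];
	char *radiussecret = nil;
	char ruser[ 64];
	char dest[3*IPaddrlen+20];
	Secret shared, pass;
	char *rv = "authentication failed";
	Ndbs s;
	Ndbtuple *t, *nt, *tt;
	uchar *ip;
	int toolong;
	static Ndb *netdb;

	if(netdb == nil)
		netdb = ndbopen(0);

	if(user == nil || response == nil)
		goto out;

	/* bad responses make them disable the fob, avoid silly checks */
	if(strlen(response) < 4 || strpbrk(response,"abcdefABCDEF") != nil)
		goto out;

	/*
	 * The name is supplied by the peer.  Refuse one that does not fit
	 * ruser instead of copying past the buffer or silently truncating
	 * it into a different account name.
	 */
	if(strlen(user) >= sizeof ruser){
		syslog(0, AUTHLOG, "secureidcheck: user name too long");
		goto out;
	}

	/* get radius secret */
	radiussecret = ndbgetvalue(db, &s, "radius", "lra-radius", "secret", &t);
	if(radiussecret == nil){
		syslog(0, AUTHLOG, "secureidcheck: nil radius secret: %r");
		goto out;
	}

	/* translate user name if we have to */
	snprint(ruser, sizeof ruser, "%s", user);
	toolong = 0;
	for(nt = t; nt; nt = nt->entry){
		if(strcmp(nt->attr, "uid") == 0 && strcmp(nt->val, user) == 0)
			for(tt = nt->line; tt != nt; tt = tt->line)
				if(strcmp(tt->attr, "rid") == 0){
					/* same bound for names taken from the database */
					if(strlen(tt->val) >= sizeof ruser)
						toolong = 1;
					else
						snprint(ruser, sizeof ruser, "%s", tt->val);
					break;
				}
	}
	ndbfree(t);
	if(toolong){
		syslog(0, AUTHLOG, "secureidcheck: rid too long for %s", user);
		goto out;
	}

	/*
	 * NOTE(review): the 16-byte request authenticator is filled from
	 * fastrand(); confirm that source is unpredictable enough for it.
	 */
	u[0] = fastrand();
	u[1] = fastrand();
	u[2] = fastrand();
	u[3] = fastrand();
	req = newRequest((uchar*)u);
	if(req == nil)
		goto out;
	shared.s = (uchar*)radiussecret;
	shared.len = strlen(radiussecret);
	ip = getipv4addr();
	if(ip == nil){
		syslog(0, AUTHLOG, "no interfaces: %r\n");
		goto out;
	}
	if(setAttribute(req, R_NASIPAddress, ip + IPv4off, 4) < 0)
		goto out;

	if(setAttribute(req, R_UserName, (uchar*)ruser, strlen(ruser)) < 0)
		goto out;
	pass.s = (uchar*)response;
	pass.len = strlen(response);
	/*
	 * NOTE(review): x is 16 bytes and pass.len is whatever the caller
	 * sent; hide() is not shown here, so confirm it never writes more
	 * than 16 bytes for a longer response.
	 */
	hide(&shared, req->authenticator, &pass, x);
	if(setAttribute(req, R_UserPassword, x, 16) < 0)
		goto out;

	t = ndbsearch(netdb, &s, "sys", "lra-radius");
	if(t == nil){
		syslog(0, AUTHLOG, "secureidcheck: nil radius sys search: %r\n");
		goto out;
	}
	/* try each listed address until one returns a reply matching our request ID */
	for(nt = t; nt; nt = nt->entry){
		if(strcmp(nt->attr, "ip") != 0)
			continue;

		snprint(dest,sizeof dest,"udp!%s!oradius", nt->val);
		resp = rpc(dest, &shared, req);
		if(resp == nil){
			syslog(0, AUTHLOG, "%s nil response", dest);
			continue;
		}
		if(resp->ID != req->ID){
			syslog(0, AUTHLOG, "%s mismatched ID  req=%d resp=%d",
				dest, req->ID, resp->ID);
			freePacket(resp);
			resp = nil;
			continue;
		}

		/* only an explicit Access-Accept clears rv; every other code leaves a failure message */
		switch(resp->code){
		case R_AccessAccept:
			syslog(0, AUTHLOG, "%s accepted ruser=%s", dest, ruser);
			rv = nil;
			break;
		case R_AccessReject:
			syslog(0, AUTHLOG, "%s rejected ruser=%s %s", dest, ruser, replymsg(resp));
			rv = "secureid failed";
			break;
		case R_AccessChallenge:
			syslog(0, AUTHLOG, "%s challenge ruser=%s %s", dest, ruser, replymsg(resp));
			rv = "secureid out of sync";
			break;
		default:
			syslog(0, AUTHLOG, "%s code=%d ruser=%s %s", dest, resp->code, ruser, replymsg(resp));
			break;
		}
		break; /* we have a proper reply, no need to ask again */
	}
	ndbfree(t);
out:
	/*
	 * Released here so that every early exit taken after the lookup
	 * frees the secret too (free(nil) is a no-op).  The secret's bytes
	 * are not scrubbed before the memory is returned.
	 */
	free(radiussecret);
	freePacket(req);
	freePacket(resp);
	return rv;
}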
Exemple #15
/*
 * mkhash file attribute: build the hash file "file.attribute" for the
 * database file.  The file is parsed twice, once to count the tuples
 * with the given attribute and once to enter them into the in-core
 * table, which is then written out behind a small header.
 * db, ht, hlen, nextchain and nbuf are declared outside this function.
 */
void
main(int argc, char **argv)
{
	Ndbtuple *t, *nt;
	int n;
	Dir *d;	
	uint8_t buf[8];
	char file[128];
	int fd;
	uint32_t off;
	uint8_t *p;

	if(argc != 3){
		fprint(2, "usage: mkhash file attribute\n");
		exits("usage");
	}
	db = ndbopen(argv[1]);
	if(db == 0){
		fprint(2, "mkhash: can't open %s\n", argv[1]);
		exits(syserr());
	}

	/* try a bigger than normal buffer */
	Binits(&db->b, Bfildes(&db->b), OREAD, nbuf, sizeof(nbuf));

	/* count entries to calculate hash size */
	n = 0;

	while(nt = ndbparse(db)){
		for(t = nt; t; t = t->entry){
			if(strcmp(t->attr, argv[2]) == 0)
				n++;
		}
		ndbfree(nt);
	}

	/* allocate an array large enough for worst case */
	/* NOTE(review): the size arithmetic below is not checked for overflow before it reaches mallocz() */
	hlen = 2*n+1;
	n = hlen*NDBPLEN + hlen*2*NDBPLEN;
	ht = mallocz(n, 1);
	if(ht == 0){
		fprint(2, "mkhash: not enough memory\n");
		exits(syserr());
	}
	/* mark every slot with NDBNAP */
	for(p = ht; p < &ht[n]; p += NDBPLEN)
		NDBPUTP(NDBNAP, p);
	nextchain = hlen*NDBPLEN;

	/* create the in core hash table */
	Bseek(&db->b, 0, 0);
	off = 0;
	while(nt = ndbparse(db)){
		for(t = nt; t; t = t->entry){
			if(strcmp(t->attr, argv[2]) == 0)
				enter(t->val, off);
		}
		ndbfree(nt);
		/* offset at which the next entry starts */
		off = Boffset(&db->b);
	}

	/* create the hash file */
	/* NOTE(review): truncation of the name is not detected; long arguments would create a file under a shortened name */
	snprint(file, sizeof(file), "%s.%s", argv[1], argv[2]);
	fd = create(file, ORDWR, 0664);
	if(fd < 0){
		fprint(2, "mkhash: can't create %s\n", file);
		exits(syserr());
	}
	/* header: the database's mtime, then the table length */
	NDBPUTUL(db->mtime, buf);
	NDBPUTUL(hlen, buf+NDBULLEN);
	/* NOTE(review): both write-failure exits leave the partly written hash file in place, unlike the check at the end */
	if(write(fd, buf, NDBHLEN) != NDBHLEN){
		fprint(2, "mkhash: writing %s\n", file);
		exits(syserr());
	}
	if(write(fd, ht, nextchain) != nextchain){
		fprint(2, "mkhash: writing %s\n", file);
		exits(syserr());
	}
	close(fd);

	/* make sure file didn't change while we were making the hash */
	d = dirstat(argv[1]);
	if(d == nil || d->qid.path != db->qid.path
	   || d->qid.vers != db->qid.vers){
		fprint(2, "mkhash: %s changed underfoot\n", argv[1]);
		/* a hash built from a file that has since changed is discarded */
		remove(file);
		exits("changed");
	}

	exits(0);
}
Exemple #16
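/*
 * Authentication server: read fixed-size ticket requests from fd 0 and
 * dispatch each on its type byte until the connection ends, a request
 * is incomplete, or the type is unknown.  -d raises the debug level.
 */
void
main(int argc, char *argv[])
{
	char buf[TICKREQLEN];
	Ticketreq tr;

	ARGBEGIN{
	case 'd':
		debug++;
		break;
	}ARGEND

	/* raddr is only set here; argv's last element, if any, is handed to getraddr() */
	strcpy(raddr, "unknown");
	if(argc >= 1)
		getraddr(argv[argc-1]);

	alarm(10*60*1000);	/* kill a connection after 10 minutes */

	/* a missing database is only logged; the request loop still runs */
	db = ndbopen("/lib/ndb/auth");
	if(db == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/auth");

	/*
	 * NOTE(review): the seed is built from the clock and the pid only;
	 * confirm nothing security-relevant in the handlers draws from
	 * this generator.
	 */
	srand(time(0)*getpid());
	for(;;){
		/*
		 * Take complete requests only.  A short read would leave the
		 * tail of buf uninitialised (first request) or holding bytes
		 * of the previous request, and convM2TR() would parse them as
		 * if the peer had sent them.
		 */
		if(readn(0, buf, TICKREQLEN) != TICKREQLEN)
			exits(0);

		convM2TR(buf, &tr);
		switch(buf[0]){
		case AuthTreq:
			ticketrequest(&tr);
			break;
		case AuthChal:
			challengebox(&tr);
			break;
		case AuthPass:
			changepasswd(&tr);
			break;
		case AuthApop:
			apop(&tr, AuthApop);
			break;
		case AuthChap:
			chap(&tr);
			break;
		case AuthMSchap:
			mschap(&tr);
			break;
		case AuthCram:
			apop(&tr, AuthCram);
			break;
		case AuthHttp:
			http(&tr);
			break;
		case AuthVNC:
			vnc(&tr);
			break;
		default:
			syslog(0, AUTHLOG, "unknown ticket request type: %d", buf[0]);
			exits(0);
		}
	}
	/* not reached */
}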