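/*
 * decode_ticket: decrypt an AFS/krb4-style ticket with a given server key and
 * print the principal, session key and validity window it carries.
 *
 * Usage: <program> key ticket
 *   argv[1]  server key, read with ka_ReadBytes; must decode to exactly 8 bytes
 *   argv[2]  the ticket, read with ka_ReadBytes into a MAXKTCTICKETLEN buffer
 *
 * Exits with status 1 on a usage error, a key of the wrong length, a key that
 * fails the DES parity/weak-key checks, a ticket that does not decode, or a
 * session key inside the ticket that fails those same checks.  Returns 0
 * after printing the ticket.
 */
int
main(int argc, char *argv[])
{
    struct ktc_principal client;
    struct ktc_encryptionKey sessionkey;
    Date start, end;
    afs_int32 host;
    char key[8];
    char ticket[MAXKTCTICKETLEN];
    afs_int32 ticketLen;
    afs_int32 code;
    char bob[KA_TIMESTR_LEN];	/* scratch buffer for formatted timestamps */

    whoami = argv[0];
    initialize_RXK_error_table();
    initialize_KA_error_table();

    if (argc != 3) {
	printf("Usage is %s key ticket\n", whoami);
	exit(1);
    }
    /* A short key leaves the tail of key[] uninitialized, so stop here
     * instead of running the parity check and the decode on partly random
     * bytes (the original only printed the message and carried on). */
    if (ka_ReadBytes(argv[1], key, sizeof(key)) != 8) {
	printf("Key must be 8 bytes long\n");
	exit(1);
    }
    if (!des_check_key_parity(key) || des_is_weak_key(key)) {
	afs_com_err(whoami, KABADKEY, "server's key for decoding ticket is bad");
	exit(1);
    }
    ticketLen = ka_ReadBytes(argv[2], ticket, sizeof(ticket));
    printf("Ticket length is %d\n", ticketLen);

    code =
	tkt_DecodeTicket(ticket, ticketLen, key, client.name, client.instance,
			 client.cell, &sessionkey, &host, &start, &end);
    if (code) {
	afs_com_err(whoami, code, "decoding ticket");
	/* Parenthesised so the test is on tkt_CheckTimes' result rather than
	 * on the stored comparison.  NOTE(review): start/end are only
	 * meaningful here if tkt_DecodeTicket fills them in before reporting
	 * an error -- confirm against its implementation. */
	if ((code = tkt_CheckTimes(start, end, time(0))) <= 0)
	    afs_com_err(whoami, 0, "because of start or end times");
	exit(1);
    }

    if (!des_check_key_parity(&sessionkey) || des_is_weak_key(&sessionkey)) {
	afs_com_err(whoami, KABADKEY, "checking ticket's session key");
	exit(1);
    }

    ka_PrintUserID("Client is ", client.name, client.instance, 0);
    if (strlen(client.cell))
	printf("@%s", client.cell);
    printf("\nSession key is ");
    ka_PrintBytes(&sessionkey, 8);
    ka_timestr(start, bob, KA_TIMESTR_LEN);
    printf("\nGood from %s", bob);
    ka_timestr(end, bob, KA_TIMESTR_LEN);
    printf(" till %s\n", bob);
    return 0;
}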
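/*
 * UDP_GetTicket: handle a krb4 "get ticket" (TGS) request received over UDP.
 *
 * The caller has already split the request into its ticket-granting ticket
 * (ticket/ticketLen) and authenticator (auth/authLen); kvno selects the TGS
 * key used to decode the TGT and authDomain is the realm named in the
 * request ("" meaning the local realm, lrealm).  The remainder of the
 * request (pkt->rest) is parsed here: a timestamp, a one-byte requested
 * lifetime, and the service name and instance.
 *
 * On success a reply carrying a freshly issued service ticket is sent to
 * pkt->from over ksoc and 0 is returned.  On failure a krb4 KERB_ERR_* (or
 * KA) code is returned, an audit record is written, and an open ubik
 * transaction is aborted.  pkt->name, pkt->inst and pkt->realm are left
 * pointing at this function's stack buffers and are valid only until it
 * returns.
 */
afs_int32
UDP_GetTicket(int ksoc, struct packet *pkt, afs_int32 kvno,
	      char *authDomain, char *ticket, int ticketLen, char *auth,
	      int authLen)
{
    afs_int32 code;
    struct ktc_encryptionKey tgskey;
    /* Empty-initialised: the audit record at `fail` prints these, and the
     * earliest failures (InitAuthServ, ka_LookupKvno) happen before
     * tkt_DecodeTicket has filled them in. */
    char name[MAXKTCNAMELEN] = "";
    char inst[MAXKTCNAMELEN] = "";
    char cell[MAXKTCREALMLEN] = "";
    struct ktc_encryptionKey authSessionKey;
    afs_int32 host;
    Date start;
    Date authEnd;
    Date now = time(0);
    int celllen;
    int import;			/* 1 when the TGT came from a foreign realm */

    char *packet;
    int slen;
    int byteOrder = pkt->byteOrder;
    char sname[MAXKTCNAMELEN];
    char sinst[MAXKTCNAMELEN];
    afs_int32 time_ws;
    unsigned char life;

    struct ubik_trans *tt;
    afs_int32 to;
    struct kaentry caller;
    struct kaentry server;
    Date reqEnd;
    struct ktc_encryptionKey sessionKey;
    int newTicketLen;
    char newTicket[MAXKTCTICKETLEN];

    char cipher[2 * MAXKTCTICKETLEN];	/* put encrypted part of answer here */
    int cipherLen;
    struct packet ans;

    COUNT_REQ(UGetTicket);

    if ((code = InitAuthServ(&tt, LOCKREAD, this_op)))
	goto fail;
    code =
	ka_LookupKvno(tt, KA_TGS_NAME,
		      ((strlen(authDomain) > 0) ? authDomain : lrealm), kvno,
		      &tgskey);
    if (code)
	goto abort;

    code =
	tkt_DecodeTicket(ticket, ticketLen, &tgskey, name, inst, cell,
			 &authSessionKey, &host, &start, &authEnd);
    /* Expose the principal to the caller (for its own error reporting);
     * these point into our stack buffers. */
    pkt->name = name;
    pkt->inst = inst;
    pkt->realm = cell;
    if (code) {
	code = KERB_ERR_AUTH_EXP;	/* was KANOAUTH */
	goto abort;
    }
    save_principal(udptgsPrincipal, name, inst, cell);
    code = tkt_CheckTimes(start, authEnd, now);
    if (code <= 0) {
	if (code == -1) {
	    code = KERB_ERR_SERVICE_EXP;	/* was RXKADEXPIRED */
	    goto abort;
	}
	code = KERB_ERR_AUTH_EXP;	/* was KANOAUTH */
	goto abort;
    }
    celllen = strlen(cell);
    import = 0;
    if ((strlen(authDomain) > 0) && (strcmp(authDomain, lrealm) != 0))
	import = 1;
    /* A cross-realm TGT must name its realm; a local one may leave it
     * empty, in which case it is filled in with lrealm below. */
    if (import && (celllen == 0)) {
	code = KERB_ERR_PKT_VER;	/* was KABADTICKET */
	goto abort;
    }
    if (celllen == 0) {
	strncpy(cell, lrealm, MAXKTCREALMLEN - 1);
	cell[MAXKTCREALMLEN - 1] = 0;
    };

    if (!krb4_cross && strcmp(lrealm, cell) != 0) {
	code = KERB_ERR_PRINCIPAL_UNKNOWN;
	goto abort;
    }

    if (krb_udp_debug) {
	printf("UGetTicket: got ticket from '%s'.'%s'@'%s'\n", name, inst,
	       cell);
    }

    code = check_auth(pkt, auth, authLen, &authSessionKey, name, inst, cell);
    if (code)
	goto abort;

    /* authenticator and all is OK so read actual request */
    /* NOTE(review): getint/getstr and the lifetime byte read from
     * pkt->rest with no bounds check visible here; whether the macros
     * check against the packet length must be confirmed in their
     * definitions. */
    packet = pkt->rest;
    getint(time_ws);
    life = *(unsigned char *)packet++;
    getstr(sname);
    getstr(sinst);
    start = now;
    reqEnd = life_to_time(start, life);
    if (krb_udp_debug) {
	printf("UGetTicket: request for server '%s'.'%s'\n", sname, sinst);
    }
    save_principal(udptgsServerPrincipal, sname, sinst, 0);

    if (import) {
	/* Foreign principal: no local database entry, so synthesise the
	 * parts of `caller` used below.  NOTE(review): assumes
	 * caller.userID.name/instance are at least MAXKTCNAMELEN bytes --
	 * confirm against struct kaentry. */
	strcpy(caller.userID.name, name);
	strcpy(caller.userID.instance, inst);
	caller.max_ticket_lifetime = htonl(MAXKTCTICKETLIFETIME);
    } else {
	code = FindBlock(tt, name, inst, &to, &caller);
	if (code)
	    goto abort;
	if (to == 0) {
	    ka_PrintUserID("GetTicket: User ", name, inst, " unknown.\n");
	    code = KERB_ERR_PRINCIPAL_UNKNOWN;	/* KANOENT */
	    goto abort;
	}
	if (ntohl(caller.flags) & KAFNOTGS) {
	    code = KERB_ERR_AUTH_EXP;	/* was KABADUSER */
	    goto abort;
	}
    }

    code = FindBlock(tt, sname, sinst, &to, &server);	/* get server's entry */
    if (code)
	goto abort;
    if (to == 0) {		/* entry not found */
	ka_PrintUserID("GetTicket: Server ", sname, sinst, " unknown.\n");
	code = KERB_ERR_PRINCIPAL_UNKNOWN;	/* KANOENT */
	goto abort;
    }
    code = ubik_EndTrans(tt);
    if (code)
	goto fail;

    /* The transaction is already ended, so refusals from here on use
     * `fail`, not `abort`.  Routed through `fail` (rather than a bare
     * return) so this refusal is audited like every other one. */
    if (ntohl(server.flags) & KAFNOSEAL) {
	code = KABADSERVER;
	goto fail;
    }

    code = DES_new_random_key(ktc_to_cblock(&sessionKey));
    if (code) {
	code = KERB_ERR_NULL_KEY;	/* was KANOKEYS */
	goto fail;
    }

    /* Ticket lifetime is bounded by the request, the TGT's own expiry, and
     * both principals' maximum ticket lifetimes. */
    reqEnd =
	umin(umin(reqEnd, authEnd),
	     umin(start + ntohl(caller.max_ticket_lifetime),
		  start + ntohl(server.max_ticket_lifetime)));

    code =
	tkt_MakeTicket(newTicket, &newTicketLen, &server.key,
		       caller.userID.name, caller.userID.instance, cell,
		       start, reqEnd, &sessionKey,
		       htonl(pkt->from.sin_addr.s_addr), server.userID.name,
		       server.userID.instance);
    if (code)
	goto fail;

    cipherLen = sizeof(cipher);
    code =
	create_cipher(cipher, &cipherLen, &sessionKey, sname, sinst, start,
		      reqEnd, ntohl(server.key_version), newTicket,
		      newTicketLen, &authSessionKey);
    if (code)
	goto fail;

    code =
	create_reply(&ans, name, inst, start, reqEnd, 0, cipher, cipherLen);
    if (code)
	goto fail;

    code =
	sendto(ksoc, ans.data, ans.len, 0, (struct sockaddr *)&pkt->from,
	       sizeof(pkt->from));
    if (code != ans.len) {
	perror("calling sendto");
	code = -1;
	goto fail;
    }

    if (cipherLen != 0) {
	KALOG(name, inst, sname, sinst, NULL, host, LOG_GETTICKET);
    }
    osi_audit(UDPGetTicketEvent, 0, AUD_STR, name, AUD_STR, inst, AUD_STR,
	      cell, AUD_STR, sname, AUD_STR, sinst, AUD_END);
    return 0;

  abort:
    ubik_AbortTrans(tt);
  fail:
    osi_audit(UDPGetTicketEvent, code, AUD_STR, name, AUD_STR, inst, AUD_STR,
	      NULL, AUD_STR, NULL, AUD_STR, NULL, AUD_END);
    return code;
}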
/*
 * CommandProc: body of the kpasswd command.  Works out the user, cell/realm
 * and (optionally) an explicit server list from the parsed arguments, obtains
 * the old and new passwords (from -password/-newpassword, from a pipe when
 * -pipe is given, or interactively), converts them to keys with both the AFS
 * and the MIT v4 string-to-key functions, authenticates to the kaserver admin
 * service with whichever old key works, and asks it to install the matching
 * new key.
 *
 * Normally does not return: it exits with the kaserver/rx error code, 0 on
 * success, or 1 when the user aborted.  The only plain returns are the
 * unparseable server list (returns that code) and a cell given twice (-1).
 * arock is unused.  Passwords and keys are scrubbed with memset before exit;
 * note that a plain memset of a local that is never read again may be
 * dropped by the optimizer, so this scrubbing is best-effort.
 */
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
    char name[MAXKTCNAMELEN] = "";
    char instance[MAXKTCNAMELEN] = "";
    char cell[MAXKTCREALMLEN] = "";
    char realm[MAXKTCREALMLEN] = "";
    afs_int32 serverList[MAXSERVERS];
    char *lcell;		/* local cellname */
    int code;
    int i;

    struct ubik_client *conn = 0;
    struct ktc_encryptionKey key;	/* old password, AFS string-to-key */
    struct ktc_encryptionKey mitkey;	/* old password, MIT v4 string-to-key */
    struct ktc_encryptionKey newkey;	/* new password, AFS string-to-key */
    struct ktc_encryptionKey newmitkey;	/* new password, MIT v4 string-to-key */

    struct ktc_token token;

    struct passwd pwent;
    struct passwd *pw = &pwent;

    int insist;			/* insist on good password quality */
    int lexplicit = 0;		/* servers specified explicitly */
    int local;			/* explicit cell is same a local cell */
    int foundPassword = 0;	/*Not yet, anyway */
    int foundNewPassword = 0;	/*Not yet, anyway */
    int foundExplicitCell = 0;	/*Not yet, anyway */
    /* Which string-to-key the server expects for the new password:
     * 1 = MIT v4, 0 = AFS, -1 = not known yet (decided below from which
     * form of the old password authenticates). */
#ifdef DEFAULT_MITV4_STRINGTOKEY
    int dess2k = 1;
#elif DEFAULT_AFS_STRINGTOKEY
    int dess2k = 0;
#else
    int dess2k = -1;
#endif

    /* blow away command line arguments */
    for (i = 1; i < zero_argc; i++)
	memset(zero_argv[i], 0, strlen(zero_argv[i]));
    zero_argc = 0;

    /* first determine quiet flag based on -pipe switch */
    Pipe = (as->parms[aPIPE].items ? 1 : 0);

#if TIMEOUT
    signal(SIGALRM, timedout);
    alarm(30);
#endif

    /* In a freelance build a failed ka_Init is tolerated and lcell may be
     * left NULL; that case is checked again once the arguments are parsed. */
    code = ka_Init(0);
    if (code || !(lcell = ka_LocalCell())) {
#ifndef AFS_FREELANCE_CLIENT
	if (!Pipe)
	    afs_com_err(rn, code, "Can't get local cell name!");
	exit(1);
#endif
    }

    code = rx_Init(0);
    if (code) {
	if (!Pipe)
	    afs_com_err(rn, code, "Failed to initialize Rx");
	exit(1);
    }

    strcpy(instance, "");

    /* Parse our arguments. */

    if (as->parms[aCELL].items) {
	/*
	 * cell name explicitly mentioned; take it in if no other cell name
	 * has already been specified and if the name actually appears.  If
	 * the given cell name differs from our own, we don't do a lookup.
	 */
	foundExplicitCell = 1;
	/* NOTE(review): strncpy with the full buffer size leaves realm
	 * unterminated when the argument is sizeof(realm) chars or longer;
	 * the same applies to the realm, passwd and npasswd copies below. */
	strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
    }

    if (as->parms[aSERVERS].items) {
	/* explicit server list */
	int i;			/* shadows the outer i */
	struct cmd_item *ip;
	char *ap[MAXSERVERS + 2];

	/* Build a fake argv ("", "-servers", host...) for ubik_ParseClientList. */
	for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
	    ap[i] = ip->data;
	ap[0] = "";
	ap[1] = "-servers";
	code = ubik_ParseClientList(i, ap, serverList);
	if (code) {
	    if (!Pipe)
		afs_com_err(rn, code, "could not parse server list");
	    return code;
	}
	lexplicit = 1;
    }

    if (as->parms[aPRINCIPAL].items) {
	ka_ParseLoginName(as->parms[aPRINCIPAL].items->data, name, instance,
			  cell);
	if (strlen(instance) > 0)
	    if (!Pipe)
		fprintf(stderr,
			"Non-null instance (%s) may cause strange behavior.\n",
			instance);
	if (strlen(cell) > 0) {
	    if (foundExplicitCell) {
		if (!Pipe)
		    fprintf(stderr,
			    "%s: May not specify an explicit cell twice.\n",
			    rn);
		return -1;
	    }
	    foundExplicitCell = 1;
	    strncpy(realm, cell, sizeof(realm));
	}
	pw->pw_name = name;
    } else {
	/* No explicit name provided: use Unix uid. */
#ifdef AFS_NT40_ENV
	userNameLen = 128;
	if (GetUserName(userName, &userNameLen) == 0) {
	    if (!Pipe) {
		fprintf(stderr,
			"Can't figure out your name in local cell %s from your user id.\n",
			lcell);
		fprintf(stderr, "Try providing the user name.\n");
	    }
	    exit(1);
	}
	pw->pw_name = userName;
#else
	pw = getpwuid(getuid());
	if (pw == 0) {
	    if (!Pipe) {
		fprintf(stderr,
			"Can't figure out your name in local cell %s from your user id.\n",
			lcell);
		fprintf(stderr, "Try providing the user name.\n");
	    }
	    exit(1);
	}
#endif
    }

    if (as->parms[aPASSWORD].items) {
	/*
	 * Current argument is the desired password string.  Remember it in
	 * our local buffer, and zero out the argument string - anyone can
	 * see it there with ps!
	 */
	foundPassword = 1;
	/* passwd is a file-scope buffer; its size is not visible here. */
	strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
	memset(as->parms[aPASSWORD].items->data, 0,
	       strlen(as->parms[aPASSWORD].items->data));
    }

    if (as->parms[aNEWPASSWORD].items) {
	/*
	 * Current argument is the new password string.  Remember it in
	 * our local buffer, and zero out the argument string - anyone can
	 * see it there with ps!
	 */
	foundNewPassword = 1;
	strncpy(npasswd, as->parms[aNEWPASSWORD].items->data,
		sizeof(npasswd));
	memset(as->parms[aNEWPASSWORD].items->data, 0,
	       strlen(as->parms[aNEWPASSWORD].items->data));
    }
#ifdef AFS_FREELANCE_CLIENT
    if (!foundExplicitCell && !lcell) {
	if (!Pipe)
	    afs_com_err(rn, code, "no cell name provided");
	exit(1);
    }
#else
    if (!foundExplicitCell)
	strcpy(realm, lcell);
#endif /* freelance */

    /* realm is converted in place; cell gets the lower-cased form. */
    if ((code = ka_CellToRealm(realm, realm, &local))) {
	if (!Pipe)
	    afs_com_err(rn, code, "Can't convert cell to realm");
	exit(1);
    }
    lcstring(cell, realm, sizeof(cell));

    ka_PrintUserID("Changing password for '", pw->pw_name, instance, "'");
    printf(" in cell '%s'.\n", cell);

    /* Get the password if it wasn't provided. */
    if (!foundPassword) {
	if (Pipe)
	    getpipepass(passwd, sizeof(passwd));
	else {
	    /* NOTE: the following line is mangled in this listing (the
	     * "******" run replaced part of the read_pass call and its
	     * error handling); it does not compile as shown. */
	    code = read_pass(passwd, sizeof(passwd), "Old password: "******"reading password");
		exit(1);
	    }
	}
    }
    /* Derive both key forms from the old password; which one the server
     * accepts is discovered when getting the admin token. */
    ka_StringToKey(passwd, realm, &key);
    des_string_to_key(passwd, ktc_to_cblockptr(&mitkey));
    give_to_child(passwd);

    /* Get new password if it wasn't provided. */
    insist = 0;
    if (!foundNewPassword) {
	if (Pipe)
	    getpipepass(npasswd, sizeof(npasswd));
	else {
	    /* Re-prompt until the candidate passes password_bad; an empty
	     * answer or a read error aborts without changing anything. */
	    do {
		code =
		    read_pass(npasswd, sizeof(npasswd),
			      "New password (RETURN to abort): ", 0);
		if (code || (strlen(npasswd) == 0)) {
		    if (code)
			code = KAREADPW;
		    goto no_change;

		}
	    } while (password_bad(npasswd));

	    /* NOTE: the following line is mangled in this listing (the
	     * "******" run replaced the rest of the read_pass call and the
	     * mismatch check); it does not compile as shown. */
	    code =
		read_pass(verify, sizeof(verify), "Retype new password: "******"Mismatch - ");
		goto no_change;
	    }
	    memset(verify, 0, sizeof(verify));
	}
    }
    /* Applies to the -newpassword and -pipe paths too. */
    if ((code = password_bad(npasswd))) {	/* assmt here! */
	goto no_change_no_msg;
    }
#if TRUNCATEPASSWORD
    if (strlen(npasswd) > 8) {
	npasswd[8] = 0;
	fprintf(stderr,
		"%s: password too long, only the first 8 chars will be used.\n",
		rn);
    } else
	npasswd[8] = 0;		/* in case the password was exactly 8 chars long */
#endif
    ka_StringToKey(npasswd, realm, &newkey);
    des_string_to_key(npasswd, ktc_to_cblockptr(&newmitkey));
    memset(npasswd, 0, sizeof(npasswd));

    if (lexplicit)
	ka_ExplicitCell(realm, serverList);

    /* Get an connection to kaserver's admin service in desired cell.  Set the
     * lifetime above the time uncertainty so that badly skewed clocks are
     * reported when the ticket is decrypted.  Then give us 10 seconds to
     * actually get our work done if the clocks are skewed by only 14:59.
     * NOTE: Kerberos lifetime encoding will round this up to next 5 minute
     * interval, namely 20 minutes. */

#define ADMIN_LIFETIME (KTC_TIME_UNCERTAINTY+1)

    /* Try the AFS key first; on KABADREQUEST fall back to the MIT key, then
     * to the AFS key of the first 8 characters.  Whichever succeeds also
     * settles dess2k when it was still -1. */
    code =
	ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME,
			 &token, /*!new */ 0);
    if (code == KABADREQUEST) {
	code =
	    ka_GetAdminToken(pw->pw_name, instance, realm, &mitkey,
			     ADMIN_LIFETIME, &token, /*!new */ 0);
	if ((code == KABADREQUEST) && (strlen(passwd) > 8)) {
	    /* try with only the first 8 characters incase they set their password
	     * with an old style passwd program. */
	    char pass8[9];
	    strncpy(pass8, passwd, 8);
	    pass8[8] = 0;
	    ka_StringToKey(pass8, realm, &key);
	    memset(pass8, 0, sizeof(pass8));
	    memset(passwd, 0, sizeof(passwd));
	    code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token,	/*!new */
				    0);
#ifdef notdef
	    /* the folks in testing really *hate* this message */
	    if (code == 0) {
		fprintf(stderr,
			"Warning: only the first 8 characters of your old password were significant.\n");
	    }
#endif
	    if (code == 0) {
		if (dess2k == -1)
		    dess2k = 0;
	    }
	} else {
	    if (dess2k == -1)
		dess2k = 1;
	}
    } else {
	if (dess2k == -1)
	    dess2k = 0;
    }

    /* Old-password keys are no longer needed once the token is (or isn't)
     * obtained. */
    memset(&mitkey, 0, sizeof(mitkey));
    memset(&key, 0, sizeof(key));
    if (code == KAUBIKCALL)
	afs_com_err(rn, code, "(Authentication Server unavailable, try later)");
    else if (code) {
	if (code == KABADREQUEST)
	    fprintf(stderr, "%s: Incorrect old password.\n", rn);
	else
	    afs_com_err(rn, code, "so couldn't change password");
    } else {
	code =
	    ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE, &token, &conn);
	if (code)
	    afs_com_err(rn, code, "contacting Admin Server");
	else {
	    /* Send the new key in the same string-to-key form the old one
	     * authenticated with. */
	    if (dess2k == 1)
		code =
		    ka_ChangePassword(pw->pw_name, instance, conn, 0,
				      &newmitkey);
	    else
		code =
		    ka_ChangePassword(pw->pw_name, instance, conn, 0,
				      &newkey);
	    memset(&newkey, 0, sizeof(newkey));
	    memset(&newmitkey, 0, sizeof(newmitkey));
	    if (code) {
		char *reason;
		reason = (char *)afs_error_message(code);
		fprintf(stderr, "%s: Password was not changed because %s\n",
			rn, reason);
	    } else
		printf("Password changed.\n\n");
	}
    }
    memset(&newkey, 0, sizeof(newkey));
    memset(&newmitkey, 0, sizeof(newmitkey));

    /* Might need to close down the ubik_Client connection */
    if (conn) {
	ubik_ClientDestroy(conn);
	conn = 0;
    }
    rx_Finalize();
    terminate_child();
    exit(code);

  no_change:			/* yuck, yuck, yuck */
    if (code)
	afs_com_err(rn, code, "getting new password");
  no_change_no_msg:
    memset(&key, 0, sizeof(key));
    memset(npasswd, 0, sizeof(npasswd));
    printf("Password for '%s' in cell '%s' unchanged.\n\n", pw->pw_name,
	   cell);
    terminate_child();
    exit(code ? code : 1);
}