void AfsLogonInit(void) { if ( bInit == FALSE ) { if ( WaitForSingleObject( hInitMutex, INFINITE ) == WAIT_OBJECT_0 ) { /* initAFSDirPath() initializes an array and sets a * flag so that the initialization can only occur * once. No cleanup will be done when the DLL is * unloaded so the initialization will not be * performed again on a subsequent reload */ initAFSDirPath(); /* ka_Init initializes a number of error tables. * and then calls ka_CellConfig() which grabs * an afsconf_dir structure via afsconf_Open(). * Upon a second attempt to call ka_CellConfig() * the structure will be released with afsconf_Close() * and then re-opened. Could this corrupt memory? * * We only need this if we are not using KFW. */ if (!KFW_is_available()) ka_Init(0); bInit = TRUE; } ReleaseMutex(hInitMutex); } }
afs_int32 ka_UserReadPassword(char *prompt, char *password, int plen, char **reasonP) { afs_int32 code = 0; if (reasonP) *reasonP = ""; code = ka_Init(0); if (code) return code; code = UI_UTIL_read_pw_string(password, plen, prompt, 0); if (code) code = KAREADPW; else if (strlen(password) == 0) code = KANULLPASSWORD; else return 0; if (reasonP) { *reasonP = (char *)afs_error_message(code); } return code; }
/* * authenticate with AFS * returns: * 1 if read password but couldn't authenticate correctly via AFS * 0 if authenticated via AFS correctly */ int afs_verify(char *uname, /* user name trying to log in */ char *pword, /* password */ afs_int32 * exp, /* expiration time */ int quite) { /* no printing */ auto char *reason; ka_Init(0); /* * The basic model for logging in now, is that *if* there * is a kerberos record for this individual user we will * trust kerberos (provided the user really has an account * locally.) If there is no kerberos record (or the password * were typed incorrectly.) we would attempt to authenticate * against the local password file entry. Naturally, if * both fail we use existing failure code. */ if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, uname, /* kerberos name */ NULL, /* instance */ NULL, /* realm */ pword, /* password */ 0, /* default lifetime */ exp, /* spare 1/expiration */ 0, /* spare 2 */ &reason /* error string */ )) { if (!quite) { printf("Unable to authenticate to AFS because %s\n", reason); printf("proceeding with local authentication...\n"); } return 1; } /* authenticated successfully */ return 0; }
afs_int32 ka_UserAuthenticateGeneral(afs_int32 flags, char *name, char *instance, char *realm, char *password, Date lifetime, afs_int32 * password_expires, /* days 'til, or don't change if not set */ afs_int32 spare2, char **reasonP) { int remainingTime = 0; struct ktc_encryptionKey key; afs_int32 code, dosetpag = 0; if (reasonP) *reasonP = ""; if ((flags & KA_USERAUTH_VERSION_MASK) != KA_USERAUTH_VERSION) return KAOLDINTERFACE; if ((strcmp(name, "root") == 0) && (instance == 0)) { if (reasonP) *reasonP = "root is only authenticated locally"; return KANOENT; } code = ka_Init(0); if (code) return code; ka_StringToKey(password, realm, &key); /* * alarm is set by kpasswd only so ignore for * NT */ #ifndef AFS_NT40_ENV { /* Rx uses timers, save to be safe */ if (rx_socket) { /* don't reset alarms, rx already running */ remainingTime = 0; } else remainingTime = alarm(0); } #endif #if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_USR_LINUX20_ENV) && (!defined(AFS_XBSD_ENV) || defined(AFS_FBSD_ENV)) /* handle smoothly the case where no AFS system calls exists (yet) */ (void)signal(SIGSYS, SIG_IGN); #endif #ifdef AFS_DECOSF_ENV (void)signal(SIGTRAP, SIG_IGN); #endif /* AFS_DECOSF_ENV */ if (instance == 0) instance = ""; if (flags & KA_USERAUTH_ONLY_VERIFY) { code = ka_VerifyUserToken(name, instance, realm, &key); if (code == KABADREQUEST) { DES_string_to_key(password, ktc_to_cblockptr(&key)); code = ka_VerifyUserToken(name, instance, realm, &key); } } else { #ifdef AFS_DUX40_ENV if (flags & KA_USERAUTH_DOSETPAG) afs_setpag(); #else #if !defined(UKERNEL) && !defined(AFS_NT40_ENV) if (flags & KA_USERAUTH_DOSETPAG) setpag(); #endif #endif if (flags & KA_USERAUTH_DOSETPAG2) dosetpag = 1; #ifdef AFS_KERBEROS_ENV if ((flags & KA_USERAUTH_DOSETPAG) || dosetpag) ktc_newpag(); #endif if (lifetime == 0) lifetime = MAXKTCTICKETLIFETIME; code = GetTickets(name, instance, realm, &key, lifetime, password_expires, dosetpag); if (code == KABADREQUEST) { DES_string_to_key(password, ktc_to_cblockptr(&key)); code = GetTickets(name, instance, realm, &key, lifetime, password_expires, dosetpag); } } #ifndef AFS_NT40_ENV if (remainingTime) { pr_End(); rx_Finalize(); alarm(remainingTime); /* restore timer, if any */ } #endif if (code && reasonP) switch (code) { case KABADREQUEST: *reasonP = "password was incorrect"; break; case KAUBIKCALL: *reasonP = "Authentication Server was unavailable"; break; default: *reasonP = (char *)afs_error_message(code); } return code; }
int CommandProc(struct cmd_syndesc *as, void *arock) { char name[MAXKTCNAMELEN]; char instance[MAXKTCNAMELEN]; char cell[MAXKTCREALMLEN]; char realm[MAXKTCREALMLEN]; afs_uint32 serverList[MAXSERVERS]; char *lcell; /* local cellname */ char lrealm[MAXKTCREALMLEN]; /* uppercase copy of local cellname */ int code; int i, dosetpag; Date lifetime; /* requested ticket lifetime */ struct passwd pwent; struct passwd *pw = &pwent; struct passwd *lclpw = &pwent; char passwd[BUFSIZ]; static char rn[] = "klog"; /*Routine name */ static int Pipe = 0; /* reading from a pipe */ static int Silent = 0; /* Don't want error messages */ int explicit; /* servers specified explicitly */ int local; /* explicit cell is same a local one */ int foundPassword = 0; /*Not yet, anyway */ int foundExplicitCell = 0; /*Not yet, anyway */ int writeTicketFile = 0; /* write ticket file to /tmp */ afs_int32 password_expires = -1; char *reason; /* string describing errors */ /* blow away command line arguments */ for (i = 1; i < zero_argc; i++) memset(zero_argv[i], 0, strlen(zero_argv[i])); zero_argc = 0; /* first determine quiet flag based on -silent switch */ Silent = (as->parms[aSILENT].items ? 1 : 0); Pipe = (as->parms[aPIPE].items ? 1 : 0); /* Determine if we should also do a setpag based on -setpag switch */ dosetpag = (as->parms[aSETPAG].items ? 1 : 0); if (as->parms[aTMP].items) { writeTicketFile = 1; } if (as->parms[aCELL].items) { /* * cell name explicitly mentioned; take it in if no other cell name * has already been specified and if the name actually appears. If * the given cell name differs from our own, we don't do a lookup. */ foundExplicitCell = 1; strncpy(realm, as->parms[aCELL].items->data, sizeof(realm)); /* XXX the following is just a hack to handle the afscell environment XXX */ (void)afsconf_GetCellInfo((struct afsconf_dir *)0, realm, 0, (struct afsconf_cell *)0); } code = ka_Init(0); if (code || !(lcell = ka_LocalCell())) { nocell: if (!Silent) afs_com_err(rn, code, "Can't get local cell name!"); KLOGEXIT(code); } if ((code = ka_CellToRealm(lcell, lrealm, 0))) goto nocell; strcpy(instance, ""); /* Parse our arguments. */ if (as->parms[aCELL].items) { /* * cell name explicitly mentioned; take it in if no other cell name * has already been specified and if the name actually appears. If * the given cell name differs from our own, we don't do a lookup. */ foundExplicitCell = 1; strncpy(realm, as->parms[aCELL].items->data, sizeof(realm)); } if (as->parms[aSERVERS].items) { /* explicit server list */ int i; struct cmd_item *ip; char *ap[MAXSERVERS + 2]; for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++) ap[i] = ip->data; ap[0] = ""; ap[1] = "-servers"; code = ubik_ParseClientList(i, ap, serverList); if (code) { if (!Silent) { afs_com_err(rn, code, "could not parse server list"); } return code; } explicit = 1; } else
int CommandProc(struct cmd_syndesc *as, void *arock) { char name[MAXKTCNAMELEN] = ""; char instance[MAXKTCNAMELEN] = ""; char cell[MAXKTCREALMLEN] = ""; char realm[MAXKTCREALMLEN] = ""; afs_int32 serverList[MAXSERVERS]; char *lcell; /* local cellname */ int code; int i; struct ubik_client *conn = 0; struct ktc_encryptionKey key; struct ktc_encryptionKey mitkey; struct ktc_encryptionKey newkey; struct ktc_encryptionKey newmitkey; struct ktc_token token; struct passwd pwent; struct passwd *pw = &pwent; int insist; /* insist on good password quality */ int lexplicit = 0; /* servers specified explicitly */ int local; /* explicit cell is same a local cell */ int foundPassword = 0; /*Not yet, anyway */ int foundNewPassword = 0; /*Not yet, anyway */ int foundExplicitCell = 0; /*Not yet, anyway */ #ifdef DEFAULT_MITV4_STRINGTOKEY int dess2k = 1; #elif DEFAULT_AFS_STRINGTOKEY int dess2k = 0; #else int dess2k = -1; #endif /* blow away command line arguments */ for (i = 1; i < zero_argc; i++) memset(zero_argv[i], 0, strlen(zero_argv[i])); zero_argc = 0; /* first determine quiet flag based on -pipe switch */ Pipe = (as->parms[aPIPE].items ? 1 : 0); #if TIMEOUT signal(SIGALRM, timedout); alarm(30); #endif code = ka_Init(0); if (code || !(lcell = ka_LocalCell())) { #ifndef AFS_FREELANCE_CLIENT if (!Pipe) afs_com_err(rn, code, "Can't get local cell name!"); exit(1); #endif } code = rx_Init(0); if (code) { if (!Pipe) afs_com_err(rn, code, "Failed to initialize Rx"); exit(1); } strcpy(instance, ""); /* Parse our arguments. */ if (as->parms[aCELL].items) { /* * cell name explicitly mentioned; take it in if no other cell name * has already been specified and if the name actually appears. If * the given cell name differs from our own, we don't do a lookup. */ foundExplicitCell = 1; strncpy(realm, as->parms[aCELL].items->data, sizeof(realm)); } if (as->parms[aSERVERS].items) { /* explicit server list */ int i; struct cmd_item *ip; char *ap[MAXSERVERS + 2]; for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++) ap[i] = ip->data; ap[0] = ""; ap[1] = "-servers"; code = ubik_ParseClientList(i, ap, serverList); if (code) { if (!Pipe) afs_com_err(rn, code, "could not parse server list"); return code; } lexplicit = 1; } if (as->parms[aPRINCIPAL].items) { ka_ParseLoginName(as->parms[aPRINCIPAL].items->data, name, instance, cell); if (strlen(instance) > 0) if (!Pipe) fprintf(stderr, "Non-null instance (%s) may cause strange behavior.\n", instance); if (strlen(cell) > 0) { if (foundExplicitCell) { if (!Pipe) fprintf(stderr, "%s: May not specify an explicit cell twice.\n", rn); return -1; } foundExplicitCell = 1; strncpy(realm, cell, sizeof(realm)); } pw->pw_name = name; } else { /* No explicit name provided: use Unix uid. */ #ifdef AFS_NT40_ENV userNameLen = 128; if (GetUserName(userName, &userNameLen) == 0) { if (!Pipe) { fprintf(stderr, "Can't figure out your name in local cell %s from your user id.\n", lcell); fprintf(stderr, "Try providing the user name.\n"); } exit(1); } pw->pw_name = userName; #else pw = getpwuid(getuid()); if (pw == 0) { if (!Pipe) { fprintf(stderr, "Can't figure out your name in local cell %s from your user id.\n", lcell); fprintf(stderr, "Try providing the user name.\n"); } exit(1); } #endif } if (as->parms[aPASSWORD].items) { /* * Current argument is the desired password string. Remember it in * our local buffer, and zero out the argument string - anyone can * see it there with ps! */ foundPassword = 1; strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd)); memset(as->parms[aPASSWORD].items->data, 0, strlen(as->parms[aPASSWORD].items->data)); } if (as->parms[aNEWPASSWORD].items) { /* * Current argument is the new password string. Remember it in * our local buffer, and zero out the argument string - anyone can * see it there with ps! */ foundNewPassword = 1; strncpy(npasswd, as->parms[aNEWPASSWORD].items->data, sizeof(npasswd)); memset(as->parms[aNEWPASSWORD].items->data, 0, strlen(as->parms[aNEWPASSWORD].items->data)); } #ifdef AFS_FREELANCE_CLIENT if (!foundExplicitCell && !lcell) { if (!Pipe) afs_com_err(rn, code, "no cell name provided"); exit(1); } #else if (!foundExplicitCell) strcpy(realm, lcell); #endif /* freelance */ if ((code = ka_CellToRealm(realm, realm, &local))) { if (!Pipe) afs_com_err(rn, code, "Can't convert cell to realm"); exit(1); } lcstring(cell, realm, sizeof(cell)); ka_PrintUserID("Changing password for '", pw->pw_name, instance, "'"); printf(" in cell '%s'.\n", cell); /* Get the password if it wasn't provided. */ if (!foundPassword) { if (Pipe) getpipepass(passwd, sizeof(passwd)); else { code = read_pass(passwd, sizeof(passwd), "Old password: "******"reading password"); exit(1); } } } ka_StringToKey(passwd, realm, &key); des_string_to_key(passwd, ktc_to_cblockptr(&mitkey)); give_to_child(passwd); /* Get new password if it wasn't provided. */ insist = 0; if (!foundNewPassword) { if (Pipe) getpipepass(npasswd, sizeof(npasswd)); else { do { code = read_pass(npasswd, sizeof(npasswd), "New password (RETURN to abort): ", 0); if (code || (strlen(npasswd) == 0)) { if (code) code = KAREADPW; goto no_change; } } while (password_bad(npasswd)); code = read_pass(verify, sizeof(verify), "Retype new password: "******"Mismatch - "); goto no_change; } memset(verify, 0, sizeof(verify)); } } if ((code = password_bad(npasswd))) { /* assmt here! */ goto no_change_no_msg; } #if TRUNCATEPASSWORD if (strlen(npasswd) > 8) { npasswd[8] = 0; fprintf(stderr, "%s: password too long, only the first 8 chars will be used.\n", rn); } else npasswd[8] = 0; /* in case the password was exactly 8 chars long */ #endif ka_StringToKey(npasswd, realm, &newkey); des_string_to_key(npasswd, ktc_to_cblockptr(&newmitkey)); memset(npasswd, 0, sizeof(npasswd)); if (lexplicit) ka_ExplicitCell(realm, serverList); /* Get an connection to kaserver's admin service in desired cell. Set the * lifetime above the time uncertainty so that badly skewed clocks are * reported when the ticket is decrypted. Then give us 10 seconds to * actually get our work done if the clocks are skewed by only 14:59. * NOTE: Kerberos lifetime encoding will round this up to next 5 minute * interval, namely 20 minutes. */ #define ADMIN_LIFETIME (KTC_TIME_UNCERTAINTY+1) code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token, /*!new */ 0); if (code == KABADREQUEST) { code = ka_GetAdminToken(pw->pw_name, instance, realm, &mitkey, ADMIN_LIFETIME, &token, /*!new */ 0); if ((code == KABADREQUEST) && (strlen(passwd) > 8)) { /* try with only the first 8 characters incase they set their password * with an old style passwd program. */ char pass8[9]; strncpy(pass8, passwd, 8); pass8[8] = 0; ka_StringToKey(pass8, realm, &key); memset(pass8, 0, sizeof(pass8)); memset(passwd, 0, sizeof(passwd)); code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token, /*!new */ 0); #ifdef notdef /* the folks in testing really *hate* this message */ if (code == 0) { fprintf(stderr, "Warning: only the first 8 characters of your old password were significant.\n"); } #endif if (code == 0) { if (dess2k == -1) dess2k = 0; } } else { if (dess2k == -1) dess2k = 1; } } else { if (dess2k == -1) dess2k = 0; } memset(&mitkey, 0, sizeof(mitkey)); memset(&key, 0, sizeof(key)); if (code == KAUBIKCALL) afs_com_err(rn, code, "(Authentication Server unavailable, try later)"); else if (code) { if (code == KABADREQUEST) fprintf(stderr, "%s: Incorrect old password.\n", rn); else afs_com_err(rn, code, "so couldn't change password"); } else { code = ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE, &token, &conn); if (code) afs_com_err(rn, code, "contacting Admin Server"); else { if (dess2k == 1) code = ka_ChangePassword(pw->pw_name, instance, conn, 0, &newmitkey); else code = ka_ChangePassword(pw->pw_name, instance, conn, 0, &newkey); memset(&newkey, 0, sizeof(newkey)); memset(&newmitkey, 0, sizeof(newmitkey)); if (code) { char *reason; reason = (char *)afs_error_message(code); fprintf(stderr, "%s: Password was not changed because %s\n", rn, reason); } else printf("Password changed.\n\n"); } } memset(&newkey, 0, sizeof(newkey)); memset(&newmitkey, 0, sizeof(newmitkey)); /* Might need to close down the ubik_Client connection */ if (conn) { ubik_ClientDestroy(conn); conn = 0; } rx_Finalize(); terminate_child(); exit(code); no_change: /* yuck, yuck, yuck */ if (code) afs_com_err(rn, code, "getting new password"); no_change_no_msg: memset(&key, 0, sizeof(key)); memset(npasswd, 0, sizeof(npasswd)); printf("Password for '%s' in cell '%s' unchanged.\n\n", pw->pw_name, cell); terminate_child(); exit(code ? code : 1); }