void AfsLogonInit(void)
{
if ( bInit == FALSE ) {
if ( WaitForSingleObject( hInitMutex, INFINITE ) == WAIT_OBJECT_0 ) {
/* initAFSDirPath() initializes an array and sets a
* flag so that the initialization can only occur
* once. No cleanup will be done when the DLL is
* unloaded so the initialization will not be
* performed again on a subsequent reload
*/
initAFSDirPath();
/* ka_Init initializes a number of error tables.
* and then calls ka_CellConfig() which grabs
* an afsconf_dir structure via afsconf_Open().
* Upon a second attempt to call ka_CellConfig()
* the structure will be released with afsconf_Close()
* and then re-opened. Could this corrupt memory?
*
* We only need this if we are not using KFW.
*/
if (!KFW_is_available())
ka_Init(0);
bInit = TRUE;
}
ReleaseMutex(hInitMutex);
}
}
afs_int32
ka_UserReadPassword(char *prompt, char *password, int plen, char **reasonP)
{
afs_int32 code = 0;
if (reasonP)
*reasonP = "";
code = ka_Init(0);
if (code)
return code;
code = UI_UTIL_read_pw_string(password, plen, prompt, 0);
if (code)
code = KAREADPW;
else if (strlen(password) == 0)
code = KANULLPASSWORD;
else
return 0;
if (reasonP) {
*reasonP = (char *)afs_error_message(code);
}
return code;
}
/*
* authenticate with AFS
* returns:
* 1 if read password but couldn't authenticate correctly via AFS
* 0 if authenticated via AFS correctly
*/
int
afs_verify(char *uname, /* user name trying to log in */
char *pword, /* password */
afs_int32 * exp, /* expiration time */
int quite)
{ /* no printing */
auto char *reason;
ka_Init(0);
/*
* The basic model for logging in now, is that *if* there
* is a kerberos record for this individual user we will
* trust kerberos (provided the user really has an account
* locally.) If there is no kerberos record (or the password
* were typed incorrectly.) we would attempt to authenticate
* against the local password file entry. Naturally, if
* both fail we use existing failure code.
*/
if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION + KA_USERAUTH_DOSETPAG, uname, /* kerberos name */
NULL, /* instance */
NULL, /* realm */
pword, /* password */
0, /* default lifetime */
exp, /* spare 1/expiration */
0, /* spare 2 */
&reason /* error string */
)) {
if (!quite) {
printf("Unable to authenticate to AFS because %s\n", reason);
printf("proceeding with local authentication...\n");
}
return 1;
}
/* authenticated successfully */
return 0;
}
afs_int32
ka_UserAuthenticateGeneral(afs_int32 flags, char *name, char *instance,
char *realm, char *password, Date lifetime,
afs_int32 * password_expires, /* days 'til, or don't change if not set */
afs_int32 spare2, char **reasonP)
{
int remainingTime = 0;
struct ktc_encryptionKey key;
afs_int32 code, dosetpag = 0;
if (reasonP)
*reasonP = "";
if ((flags & KA_USERAUTH_VERSION_MASK) != KA_USERAUTH_VERSION)
return KAOLDINTERFACE;
if ((strcmp(name, "root") == 0) && (instance == 0)) {
if (reasonP)
*reasonP = "root is only authenticated locally";
return KANOENT;
}
code = ka_Init(0);
if (code)
return code;
ka_StringToKey(password, realm, &key);
/*
* alarm is set by kpasswd only so ignore for
* NT
*/
#ifndef AFS_NT40_ENV
{ /* Rx uses timers, save to be safe */
if (rx_socket) {
/* don't reset alarms, rx already running */
remainingTime = 0;
} else
remainingTime = alarm(0);
}
#endif
#if !defined(AFS_NT40_ENV) && !defined(AFS_LINUX20_ENV) && !defined(AFS_USR_LINUX20_ENV) && (!defined(AFS_XBSD_ENV) || defined(AFS_FBSD_ENV))
/* handle smoothly the case where no AFS system calls exists (yet) */
(void)signal(SIGSYS, SIG_IGN);
#endif
#ifdef AFS_DECOSF_ENV
(void)signal(SIGTRAP, SIG_IGN);
#endif /* AFS_DECOSF_ENV */
if (instance == 0)
instance = "";
if (flags & KA_USERAUTH_ONLY_VERIFY) {
code = ka_VerifyUserToken(name, instance, realm, &key);
if (code == KABADREQUEST) {
DES_string_to_key(password, ktc_to_cblockptr(&key));
code = ka_VerifyUserToken(name, instance, realm, &key);
}
} else {
#ifdef AFS_DUX40_ENV
if (flags & KA_USERAUTH_DOSETPAG)
afs_setpag();
#else
#if !defined(UKERNEL) && !defined(AFS_NT40_ENV)
if (flags & KA_USERAUTH_DOSETPAG)
setpag();
#endif
#endif
if (flags & KA_USERAUTH_DOSETPAG2)
dosetpag = 1;
#ifdef AFS_KERBEROS_ENV
if ((flags & KA_USERAUTH_DOSETPAG) || dosetpag)
ktc_newpag();
#endif
if (lifetime == 0)
lifetime = MAXKTCTICKETLIFETIME;
code =
GetTickets(name, instance, realm, &key, lifetime,
password_expires, dosetpag);
if (code == KABADREQUEST) {
DES_string_to_key(password, ktc_to_cblockptr(&key));
code =
GetTickets(name, instance, realm, &key, lifetime,
password_expires, dosetpag);
}
}
#ifndef AFS_NT40_ENV
if (remainingTime) {
pr_End();
rx_Finalize();
alarm(remainingTime); /* restore timer, if any */
}
#endif
if (code && reasonP)
switch (code) {
case KABADREQUEST:
*reasonP = "password was incorrect";
break;
case KAUBIKCALL:
*reasonP = "Authentication Server was unavailable";
break;
default:
*reasonP = (char *)afs_error_message(code);
}
return code;
}
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN];
char instance[MAXKTCNAMELEN];
char cell[MAXKTCREALMLEN];
char realm[MAXKTCREALMLEN];
afs_uint32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
char lrealm[MAXKTCREALMLEN]; /* uppercase copy of local cellname */
int code;
int i, dosetpag;
Date lifetime; /* requested ticket lifetime */
struct passwd pwent;
struct passwd *pw = &pwent;
struct passwd *lclpw = &pwent;
char passwd[BUFSIZ];
static char rn[] = "klog"; /*Routine name */
static int Pipe = 0; /* reading from a pipe */
static int Silent = 0; /* Don't want error messages */
int explicit; /* servers specified explicitly */
int local; /* explicit cell is same a local one */
int foundPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
int writeTicketFile = 0; /* write ticket file to /tmp */
afs_int32 password_expires = -1;
char *reason; /* string describing errors */
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -silent switch */
Silent = (as->parms[aSILENT].items ? 1 : 0);
Pipe = (as->parms[aPIPE].items ? 1 : 0);
/* Determine if we should also do a setpag based on -setpag switch */
dosetpag = (as->parms[aSETPAG].items ? 1 : 0);
if (as->parms[aTMP].items) {
writeTicketFile = 1;
}
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
/* XXX the following is just a hack to handle the afscell environment XXX */
(void)afsconf_GetCellInfo((struct afsconf_dir *)0, realm, 0,
(struct afsconf_cell *)0);
}
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
nocell:
if (!Silent)
afs_com_err(rn, code, "Can't get local cell name!");
KLOGEXIT(code);
}
if ((code = ka_CellToRealm(lcell, lrealm, 0)))
goto nocell;
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Silent) {
afs_com_err(rn, code, "could not parse server list");
}
return code;
}
explicit = 1;
} else
int
CommandProc(struct cmd_syndesc *as, void *arock)
{
char name[MAXKTCNAMELEN] = "";
char instance[MAXKTCNAMELEN] = "";
char cell[MAXKTCREALMLEN] = "";
char realm[MAXKTCREALMLEN] = "";
afs_int32 serverList[MAXSERVERS];
char *lcell; /* local cellname */
int code;
int i;
struct ubik_client *conn = 0;
struct ktc_encryptionKey key;
struct ktc_encryptionKey mitkey;
struct ktc_encryptionKey newkey;
struct ktc_encryptionKey newmitkey;
struct ktc_token token;
struct passwd pwent;
struct passwd *pw = &pwent;
int insist; /* insist on good password quality */
int lexplicit = 0; /* servers specified explicitly */
int local; /* explicit cell is same a local cell */
int foundPassword = 0; /*Not yet, anyway */
int foundNewPassword = 0; /*Not yet, anyway */
int foundExplicitCell = 0; /*Not yet, anyway */
#ifdef DEFAULT_MITV4_STRINGTOKEY
int dess2k = 1;
#elif DEFAULT_AFS_STRINGTOKEY
int dess2k = 0;
#else
int dess2k = -1;
#endif
/* blow away command line arguments */
for (i = 1; i < zero_argc; i++)
memset(zero_argv[i], 0, strlen(zero_argv[i]));
zero_argc = 0;
/* first determine quiet flag based on -pipe switch */
Pipe = (as->parms[aPIPE].items ? 1 : 0);
#if TIMEOUT
signal(SIGALRM, timedout);
alarm(30);
#endif
code = ka_Init(0);
if (code || !(lcell = ka_LocalCell())) {
#ifndef AFS_FREELANCE_CLIENT
if (!Pipe)
afs_com_err(rn, code, "Can't get local cell name!");
exit(1);
#endif
}
code = rx_Init(0);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "Failed to initialize Rx");
exit(1);
}
strcpy(instance, "");
/* Parse our arguments. */
if (as->parms[aCELL].items) {
/*
* cell name explicitly mentioned; take it in if no other cell name
* has already been specified and if the name actually appears. If
* the given cell name differs from our own, we don't do a lookup.
*/
foundExplicitCell = 1;
strncpy(realm, as->parms[aCELL].items->data, sizeof(realm));
}
if (as->parms[aSERVERS].items) {
/* explicit server list */
int i;
struct cmd_item *ip;
char *ap[MAXSERVERS + 2];
for (ip = as->parms[aSERVERS].items, i = 2; ip; ip = ip->next, i++)
ap[i] = ip->data;
ap[0] = "";
ap[1] = "-servers";
code = ubik_ParseClientList(i, ap, serverList);
if (code) {
if (!Pipe)
afs_com_err(rn, code, "could not parse server list");
return code;
}
lexplicit = 1;
}
if (as->parms[aPRINCIPAL].items) {
ka_ParseLoginName(as->parms[aPRINCIPAL].items->data, name, instance,
cell);
if (strlen(instance) > 0)
if (!Pipe)
fprintf(stderr,
"Non-null instance (%s) may cause strange behavior.\n",
instance);
if (strlen(cell) > 0) {
if (foundExplicitCell) {
if (!Pipe)
fprintf(stderr,
"%s: May not specify an explicit cell twice.\n",
rn);
return -1;
}
foundExplicitCell = 1;
strncpy(realm, cell, sizeof(realm));
}
pw->pw_name = name;
} else {
/* No explicit name provided: use Unix uid. */
#ifdef AFS_NT40_ENV
userNameLen = 128;
if (GetUserName(userName, &userNameLen) == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
pw->pw_name = userName;
#else
pw = getpwuid(getuid());
if (pw == 0) {
if (!Pipe) {
fprintf(stderr,
"Can't figure out your name in local cell %s from your user id.\n",
lcell);
fprintf(stderr, "Try providing the user name.\n");
}
exit(1);
}
#endif
}
if (as->parms[aPASSWORD].items) {
/*
* Current argument is the desired password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundPassword = 1;
strncpy(passwd, as->parms[aPASSWORD].items->data, sizeof(passwd));
memset(as->parms[aPASSWORD].items->data, 0,
strlen(as->parms[aPASSWORD].items->data));
}
if (as->parms[aNEWPASSWORD].items) {
/*
* Current argument is the new password string. Remember it in
* our local buffer, and zero out the argument string - anyone can
* see it there with ps!
*/
foundNewPassword = 1;
strncpy(npasswd, as->parms[aNEWPASSWORD].items->data,
sizeof(npasswd));
memset(as->parms[aNEWPASSWORD].items->data, 0,
strlen(as->parms[aNEWPASSWORD].items->data));
}
#ifdef AFS_FREELANCE_CLIENT
if (!foundExplicitCell && !lcell) {
if (!Pipe)
afs_com_err(rn, code, "no cell name provided");
exit(1);
}
#else
if (!foundExplicitCell)
strcpy(realm, lcell);
#endif /* freelance */
if ((code = ka_CellToRealm(realm, realm, &local))) {
if (!Pipe)
afs_com_err(rn, code, "Can't convert cell to realm");
exit(1);
}
lcstring(cell, realm, sizeof(cell));
ka_PrintUserID("Changing password for '", pw->pw_name, instance, "'");
printf(" in cell '%s'.\n", cell);
/* Get the password if it wasn't provided. */
if (!foundPassword) {
if (Pipe)
getpipepass(passwd, sizeof(passwd));
else {
code = read_pass(passwd, sizeof(passwd), "Old password: "******"reading password");
exit(1);
}
}
}
ka_StringToKey(passwd, realm, &key);
des_string_to_key(passwd, ktc_to_cblockptr(&mitkey));
give_to_child(passwd);
/* Get new password if it wasn't provided. */
insist = 0;
if (!foundNewPassword) {
if (Pipe)
getpipepass(npasswd, sizeof(npasswd));
else {
do {
code =
read_pass(npasswd, sizeof(npasswd),
"New password (RETURN to abort): ", 0);
if (code || (strlen(npasswd) == 0)) {
if (code)
code = KAREADPW;
goto no_change;
}
} while (password_bad(npasswd));
code =
read_pass(verify, sizeof(verify), "Retype new password: "******"Mismatch - ");
goto no_change;
}
memset(verify, 0, sizeof(verify));
}
}
if ((code = password_bad(npasswd))) { /* assmt here! */
goto no_change_no_msg;
}
#if TRUNCATEPASSWORD
if (strlen(npasswd) > 8) {
npasswd[8] = 0;
fprintf(stderr,
"%s: password too long, only the first 8 chars will be used.\n",
rn);
} else
npasswd[8] = 0; /* in case the password was exactly 8 chars long */
#endif
ka_StringToKey(npasswd, realm, &newkey);
des_string_to_key(npasswd, ktc_to_cblockptr(&newmitkey));
memset(npasswd, 0, sizeof(npasswd));
if (lexplicit)
ka_ExplicitCell(realm, serverList);
/* Get an connection to kaserver's admin service in desired cell. Set the
* lifetime above the time uncertainty so that badly skewed clocks are
* reported when the ticket is decrypted. Then give us 10 seconds to
* actually get our work done if the clocks are skewed by only 14:59.
* NOTE: Kerberos lifetime encoding will round this up to next 5 minute
* interval, namely 20 minutes. */
#define ADMIN_LIFETIME (KTC_TIME_UNCERTAINTY+1)
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME,
&token, /*!new */ 0);
if (code == KABADREQUEST) {
code =
ka_GetAdminToken(pw->pw_name, instance, realm, &mitkey,
ADMIN_LIFETIME, &token, /*!new */ 0);
if ((code == KABADREQUEST) && (strlen(passwd) > 8)) {
/* try with only the first 8 characters incase they set their password
* with an old style passwd program. */
char pass8[9];
strncpy(pass8, passwd, 8);
pass8[8] = 0;
ka_StringToKey(pass8, realm, &key);
memset(pass8, 0, sizeof(pass8));
memset(passwd, 0, sizeof(passwd));
code = ka_GetAdminToken(pw->pw_name, instance, realm, &key, ADMIN_LIFETIME, &token, /*!new */
0);
#ifdef notdef
/* the folks in testing really *hate* this message */
if (code == 0) {
fprintf(stderr,
"Warning: only the first 8 characters of your old password were significant.\n");
}
#endif
if (code == 0) {
if (dess2k == -1)
dess2k = 0;
}
} else {
if (dess2k == -1)
dess2k = 1;
}
} else {
if (dess2k == -1)
dess2k = 0;
}
memset(&mitkey, 0, sizeof(mitkey));
memset(&key, 0, sizeof(key));
if (code == KAUBIKCALL)
afs_com_err(rn, code, "(Authentication Server unavailable, try later)");
else if (code) {
if (code == KABADREQUEST)
fprintf(stderr, "%s: Incorrect old password.\n", rn);
else
afs_com_err(rn, code, "so couldn't change password");
} else {
code =
ka_AuthServerConn(realm, KA_MAINTENANCE_SERVICE, &token, &conn);
if (code)
afs_com_err(rn, code, "contacting Admin Server");
else {
if (dess2k == 1)
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newmitkey);
else
code =
ka_ChangePassword(pw->pw_name, instance, conn, 0,
&newkey);
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
if (code) {
char *reason;
reason = (char *)afs_error_message(code);
fprintf(stderr, "%s: Password was not changed because %s\n",
rn, reason);
} else
printf("Password changed.\n\n");
}
}
memset(&newkey, 0, sizeof(newkey));
memset(&newmitkey, 0, sizeof(newmitkey));
/* Might need to close down the ubik_Client connection */
if (conn) {
ubik_ClientDestroy(conn);
conn = 0;
}
rx_Finalize();
terminate_child();
exit(code);
no_change: /* yuck, yuck, yuck */
if (code)
afs_com_err(rn, code, "getting new password");
no_change_no_msg:
memset(&key, 0, sizeof(key));
memset(npasswd, 0, sizeof(npasswd));
printf("Password for '%s' in cell '%s' unchanged.\n\n", pw->pw_name,
cell);
terminate_child();
exit(code ? code : 1);
}
