diff options
| author | markm <markm@FreeBSD.org> | 1999-09-19 14:19:32 +0000 |
|---|---|---|
| committer | markm <markm@FreeBSD.org> | 1999-09-19 14:19:32 +0000 |
| commit | fe83e8abf357ee11114856a5278bb38431a9517c (patch) | |
| tree | 36ce70fe2e8419130e546c38a7790e8ab224a362 /crypto/kerberosIV/lib/auth | |
| parent | a8a89cfaf983bc64f4b42f7c35209a5a36dd0fe8 (diff) | |
| download | FreeBSD-src-fe83e8abf357ee11114856a5278bb38431a9517c.zip FreeBSD-src-fe83e8abf357ee11114856a5278bb38431a9517c.tar.gz | |
Clean import of KTH krb4-0.10.1.
Diffstat (limited to 'crypto/kerberosIV/lib/auth')
23 files changed, 2086 insertions, 0 deletions
diff --git a/crypto/kerberosIV/lib/auth/ChangeLog b/crypto/kerberosIV/lib/auth/ChangeLog new file mode 100644 index 0000000..ce2eccc --- /dev/null +++ b/crypto/kerberosIV/lib/auth/ChangeLog @@ -0,0 +1,34 @@ +Thu Apr 8 14:35:34 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * sia/sia.c: remove definition of KRB_VERIFY_USER (moved to + config.h) + + * sia/Makefile.am: make it build w/o krb4 + + * afskauthlib/verify.c: add krb5 support + + * afskauthlib/Makefile.am: build afskauthlib.so + +Wed Apr 7 14:06:22 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * sia/sia.c: make it compile w/o krb4 + + * sia/Makefile.am: make it compile w/o krb4 + +Thu Apr 1 18:09:23 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * sia/sia_locl.h: POSIX_GETPWNAM_R is defined in config.h + +Sun Mar 21 14:08:30 1999 Johan Danielsson <joda@hella.pdc.kth.se> + + * sia/Makefile.in: add posix_getpw.c + + * sia/Makefile.am: makefile for sia + + * sia/posix_getpw.c: move from sia.c + + * sia/sia_locl.h: merge with krb5 version + + * sia/sia.c: merge with krb5 version + + * sia/sia5.c: remove unused variables diff --git a/crypto/kerberosIV/lib/auth/Makefile.am b/crypto/kerberosIV/lib/auth/Makefile.am new file mode 100644 index 0000000..0310dc3 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/Makefile.am @@ -0,0 +1,6 @@ +# $Id: Makefile.am,v 1.2 1999/03/21 17:11:08 joda Exp $ + +include $(top_srcdir)/Makefile.am.common + +SUBDIRS = @LIB_AUTH_SUBDIRS@ +DIST_SUBDIRS = afskauthlib pam sia diff --git a/crypto/kerberosIV/lib/auth/Makefile.in b/crypto/kerberosIV/lib/auth/Makefile.in new file mode 100644 index 0000000..53fde5f --- /dev/null +++ b/crypto/kerberosIV/lib/auth/Makefile.in @@ -0,0 +1,55 @@ +# +# $Id: Makefile.in,v 1.12 1998/03/15 05:58:10 assar Exp $ +# + +srcdir = @srcdir@ +VPATH = @srcdir@ + +SHELL = /bin/sh + +@SET_MAKE@ + +SUBDIRS = @LIB_AUTH_SUBDIRS@ + +all: + SUBDIRS='$(SUBDIRS)'; \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) all); done + +Wall: + make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" + +install: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) install); done + +uninstall: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) uninstall); done + +check: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) check); done + +clean: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) clean); done + +mostlyclean: clean + +distclean: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) distclean); done + rm -f Makefile *~ + +realclean: + SUBDIRS=$(SUBDIRS); \ + for i in $$SUBDIRS; \ + do (cd $$i && $(MAKE) $(MFLAGS) realclean); done + +.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am new file mode 100644 index 0000000..7dd6d52 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.am @@ -0,0 +1,38 @@ +# $Id: Makefile.am,v 1.3 1999/04/08 12:35:33 joda Exp $ + +include $(top_srcdir)/Makefile.am.common + +INCLUDES += $(INCLUDE_krb4) + +DEFS = @DEFS@ + +foodir = $(libdir) +foo_DATA = afskauthlib.so + +SUFFIXES += .c .o + +SRCS = verify.c +OBJS = verify.o + +CLEANFILES = $(foo_DATA) $(OBJS) so_locations + +afskauthlib.so: $(OBJS) + $(LD) -shared -o $@ $(LDFLAGS) $(OBJS) $(L) + +.c.o: + $(COMPILE) -c $< + +if KRB4 +KAFS = $(top_builddir)/lib/kafs/.libs/libkafs.a +endif + +L = \ + $(KAFS) \ + $(top_builddir)/lib/krb5/.libs/libkrb5.a \ + $(top_builddir)/lib/asn1/.libs/libasn1.a \ + $(LIB_krb4) \ + $(top_builddir)/lib/des/.libs/libdes.a \ + $(top_builddir)/lib/roken/.libs/libroken.a \ + -lc + +$(OBJS): $(top_builddir)/include/config.h diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in new file mode 100644 index 0000000..dc09a13 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/afskauthlib/Makefile.in @@ -0,0 +1,86 @@ +# +# $Id: Makefile.in,v 1.24 1999/03/10 19:01:14 joda Exp $ +# + +SHELL = /bin/sh + +srcdir = @srcdir@ +VPATH = @srcdir@ + +CC = @CC@ +LINK = @LINK@ +AR = ar +LN_S = @LN_S@ +RANLIB = @RANLIB@ +DEFS = @DEFS@ +CFLAGS = @CFLAGS@ $(WFLAGS) +WFLAGS = @WFLAGS@ + +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +MKINSTALLDIRS = @top_srcdir@/mkinstalldirs + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +libdir = @libdir@ + +@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs \ +@lib_deps_yes@ -L../../krb -lkrb \ +@lib_deps_yes@ -L../../des -ldes \ +@lib_deps_yes@ -L../../roken -lroken \ +@lib_deps_yes@ -lc +@lib_deps_no@LIB_DEPS = + +PICFLAGS = @REAL_PICFLAGS@ +LDSHARED = @LDSHARED@ +SHLIBEXT = @REAL_SHLIBEXT@ +LD_FLAGS = @REAL_LD_FLAGS@ + +LIB = afskauthlib.$(SHLIBEXT) + +SOURCES = verify.c + +OBJECTS = verify.o + +all: $(LIB) + +Wall: + make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" + +.c.o: + $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< + +install: all + $(MKINSTALLDIRS) $(DESTDIR)$(libdir) + -if test "$(LIB)" != ""; then \ + $(INSTALL_DATA) -m 0555 $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +uninstall: + -if test "$(LIB)" != ""; then \ + rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +TAGS: $(SOURCES) + etags $(SOURCES) + +check: + +clean: + rm -f $(LIB) *.o + +mostlyclean: clean + +distclean: clean + rm -f Makefile *.tab.c *~ + +realclean: distclean + rm -f TAGS + +$(OBJECTS): ../../../include/config.h + +$(LIB): $(OBJECTS) + rm -f $@ + $(LDSHARED) $(CFLAGS) -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS) + +.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/README b/crypto/kerberosIV/lib/auth/afskauthlib/README new file mode 100644 index 0000000..6052a26 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/afskauthlib/README @@ -0,0 +1,25 @@ + +IRIX +---- + +The IRIX support is a module that is compatible with Transarc's +`afskauthlib.so'. It should work with all programs that use this +library, this should include `login' and `xdm'. + +The interface is not very documented but it seems that you have to copy +`libkafs.so', `libkrb.so', and `libdes.so' to `/usr/lib', or build your +`afskauthlib.so' statically. + +The `afskauthlib.so' itself is able to reside in `/usr/vice/etc', +`/usr/afsws/lib', or the current directory (wherever that is). + +IRIX 6.4 and newer seems to have all programs (including `xdm' and +`login') in the N32 object format, whereas in older versions they were +O32. For it to work, the `afskauthlib.so' library has to be in the same +object format as the program that tries to load it. This might require +that you have to configure and build for O32 in addition to the default +N32. + +Appart from this it should "just work", there are no configuration +files. + diff --git a/crypto/kerberosIV/lib/auth/afskauthlib/verify.c b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c new file mode 100644 index 0000000..f7db523 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/afskauthlib/verify.c @@ -0,0 +1,213 @@ +/* + * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_CONFIG_H +#include <config.h> +RCSID("$Id: verify.c,v 1.13 1999/04/08 12:36:16 joda Exp $"); +#endif +#include <unistd.h> +#include <sys/types.h> +#include <pwd.h> +#ifdef KRB5 +#include <krb5.h> +#endif +#ifdef KRB4 +#include <krb.h> +#include <kafs.h> +#endif +#include <roken.h> + +#if 0 +static char krb5ccname[128]; +#endif +static char krbtkfile[128]; + +#ifdef KRB4 +static void +set_krbtkfile(uid_t uid) +{ + snprintf (krbtkfile, sizeof(krbtkfile), "%s%d", TKT_ROOT, (unsigned)uid); + krb_set_tkt_string (krbtkfile); +} +#endif + + +#ifdef KRB5 +static int +verify_krb5(struct passwd *pwd, + char *password, + int32_t *exp, + int quiet) +{ + krb5_context context; + krb5_error_code ret; + char ticket[128]; + krb5_ccache ccache; + krb5_principal principal; + krb5_realm realm; + + krb5_init_context(&context); + + krb5_get_default_realm(context, &realm); + krb5_make_principal(context, &principal, realm, pwd->pw_name, NULL); + + if(!krb5_kuserok(context, principal, pwd->pw_name)) { + syslog(LOG_AUTH|LOG_DEBUG, "krb5_kuserok failed"); + goto out; + } + /* XXX this has to be the default cache name, since the KRB5CCNAME + environment variable isn't exported by login/xdm + */ + snprintf(ticket, sizeof(ticket), "FILE:/tmp/krb5cc_%d", pwd->pw_uid); + ret = krb5_cc_resolve(context, ticket, &ccache); + if(ret) { + syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_resolve: %s", + krb5_get_err_text(context, ret)); + goto out; + } + + ret = krb5_verify_user(context, + principal, + ccache, + password, + TRUE, + NULL); + if(ret) { + syslog(LOG_AUTH|LOG_DEBUG, "krb5_verify_user: %s", + krb5_get_err_text(context, ret)); + goto out; + } + if(chown(krb5_cc_get_name(context, ccache), pwd->pw_uid, pwd->pw_gid)) { + syslog(LOG_AUTH|LOG_DEBUG, "chown: %s", + krb5_get_err_text(context, errno)); + goto out; + } + +#ifdef KRB4 + { + CREDENTIALS c; + krb5_creds mcred, cred; + + krb5_make_principal(context, &mcred.server, realm, + "krbtgt", + realm, + NULL); + ret = krb5_cc_retrieve_cred(context, ccache, 0, &mcred, &cred); + if(ret == 0) { + ret = krb524_convert_creds_kdc(context, &cred, &c); + if(ret) + krb5_warn(context, ret, "converting creds"); + else { + set_krbtkfile(pwd->pw_uid); + tf_setup(&c, c.pname, c.pinst); + } + memset(&c, 0, sizeof(c)); + krb5_free_creds_contents(context, &cred); + } else + syslog(LOG_AUTH|LOG_DEBUG, "krb5_cc_retrieve_cred: %s", + krb5_get_err_text(context, ret)); + + krb5_free_principal(context, mcred.server); + } + if (k_hasafs()) { + k_setpag(); + krb5_afslog_uid_home(context, ccache, NULL, NULL, + pwd->pw_uid, pwd->pw_dir); + } +#endif + +out: + if(ret && !quiet) + printf ("%s\n", krb5_get_err_text (context, ret)); + return ret; +} +#endif + +#ifdef KRB4 +static int +verify_krb4(struct passwd *pwd, + char *password, + int32_t *exp, + int quiet) +{ + int ret = 1; + char lrealm[REALM_SZ]; + + if (krb_get_lrealm (lrealm, 1) != KFAILURE) { + set_krbtkfile(pwd->pw_uid); + ret = krb_verify_user (pwd->pw_name, "", lrealm, password, + KRB_VERIFY_SECURE, NULL); + if (ret == KSUCCESS) { + if (k_hasafs()) { + k_setpag (); + krb_afslog_uid_home (0, 0, pwd->pw_uid, pwd->pw_dir); + } + } else if (!quiet) + printf ("%s\n", krb_get_err_text (ret)); + } + return ret; +} +#endif + +int +afs_verify(char *name, + char *password, + int32_t *exp, + int quiet) +{ + int ret = 1; + struct passwd *pwd = k_getpwnam (name); + if(pwd == NULL) + return 1; +#ifdef KRB5 + ret = verify_krb5(pwd, password, exp, quiet); +#endif +#ifdef KRB4 + if(ret) + ret = verify_krb4(pwd, password, exp, quiet); +#endif + if (ret) + ret = unix_verify_user (name, password); + return ret; +} + +char * +afs_gettktstring (void) +{ + return krbtkfile; +} diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.am b/crypto/kerberosIV/lib/auth/pam/Makefile.am new file mode 100644 index 0000000..abde2d9 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/pam/Makefile.am @@ -0,0 +1,3 @@ +# $Id: Makefile.am,v 1.2 1999/04/01 14:57:04 joda Exp $ + +include $(top_srcdir)/Makefile.am.common diff --git a/crypto/kerberosIV/lib/auth/pam/Makefile.in b/crypto/kerberosIV/lib/auth/pam/Makefile.in new file mode 100644 index 0000000..f338fbf --- /dev/null +++ b/crypto/kerberosIV/lib/auth/pam/Makefile.in @@ -0,0 +1,83 @@ +# +# $Id: Makefile.in,v 1.20 1999/03/10 19:01:14 joda Exp $ +# + +SHELL = /bin/sh + +srcdir = @srcdir@ +VPATH = @srcdir@ + +CC = @CC@ +LINK = @LINK@ +AR = ar +RANLIB = @RANLIB@ +DEFS = @DEFS@ +CFLAGS = @CFLAGS@ $(WFLAGS) +WFLAGS = @WFLAGS@ + +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +MKINSTALLDIRS = @top_srcdir@/mkinstalldirs + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +libdir = @libdir@ + +PICFLAGS = @REAL_PICFLAGS@ +LDSHARED = @LDSHARED@ +SHLIBEXT = @REAL_SHLIBEXT@ +LD_FLAGS = @REAL_LD_FLAGS@ + +@lib_deps_yes@LIB_DEPS = -L../../kafs -L../../krb -L../../des -L../../roken \ +@lib_deps_yes@ -lkafs -lkrb -ldes -lroken -lc +@lib_deps_no@LIB_DEPS = + +LIB = pam_krb4.$(SHLIBEXT) + +SOURCES = pam.c + +OBJECTS = pam.o + +all: $(LIB) + +Wall: + make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" + +.c.o: + $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< + +install: all + $(MKINSTALLDIRS) $(DESTDIR)$(libdir) + -if test "$(LIB)" != ""; then \ + $(INSTALL_DATA) -m 0555 $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +uninstall: + -if test "$(LIB)" != ""; then \ + rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +TAGS: $(SOURCES) + etags $(SOURCES) + +check: + +clean: + rm -f $(LIB) *.o + +mostlyclean: clean + +distclean: clean + rm -f Makefile *.tab.c *~ + +realclean: distclean + rm -f TAGS + +$(OBJECTS): ../../../include/config.h + +$(LIB): $(OBJECTS) + rm -f $@ + $(LDSHARED) -o $@ $(OBJECTS) $(LD_FLAGS) $(LIB_DEPS) +# $(LINK) -shared -Wl,-x -o $(LIB) $(OBJECTS) ../../kafs/libkafs.a ../../krb/libkrb.a ../../des/libdes.a + +.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/pam/README b/crypto/kerberosIV/lib/auth/pam/README new file mode 100644 index 0000000..9505699 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/pam/README @@ -0,0 +1,25 @@ + +PAM +--- + +The PAM module was written more out of curiosity that anything else. It +has not been updated for quite a while, since none of us are using +Linux, and Solaris does not support PAM yet. We've had positive reports +from at least one person using the module, though. + +To use this module you should: + + * Make sure `pam_krb4.so' is available in `/usr/athena/lib'. You + might actually want it on local disk, so `/lib/security' might be a + better place if `/usr/athena' is not local. + + * Look at `pam.conf.add' for examples of what to add to + `/etc/pam.conf'. + +There is currently no support for changing kerberos passwords. Use +kpasswd instead. + +See also Derrick J Brashear's `<shadow@dementia.org>' Kerberos PAM +module at `ftp://ftp.dementia.org/pub/pam'. It has a lot more features, +and it is also more in line with other PAM modules. + diff --git a/crypto/kerberosIV/lib/auth/pam/pam.c b/crypto/kerberosIV/lib/auth/pam/pam.c new file mode 100644 index 0000000..37a125e --- /dev/null +++ b/crypto/kerberosIV/lib/auth/pam/pam.c @@ -0,0 +1,244 @@ +/* + * Copyright (c) 1995, 1996, 1997, 1998, 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by the Kungliga Tekniska + * Högskolan and its contributors. + * + * 4. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +/* This code is extremely ugly, and would probably be better off + beeing completely rewritten */ + + +#ifdef HAVE_CONFIG_H +#include<config.h> +RCSID("$Id: pam.c,v 1.18 1999/03/17 22:37:10 assar Exp $"); +#endif + +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <pwd.h> +#include <unistd.h> +#include <sys/types.h> + +#define PAM_SM_AUTH +#define PAM_SM_SESSION +#include <security/pam_appl.h> +#include <security/pam_modules.h> + +#include <netinet/in.h> +#include <krb.h> +#include <kafs.h> + +static int +cleanup(pam_handle_t *pamh, void *data, int error_code) +{ + if(error_code != PAM_SUCCESS) + dest_tkt(); + free(data); + return PAM_SUCCESS; +} + +static int +doit(pam_handle_t *pamh, char *name, char *inst, char *pwd, char *tkt) +{ + char realm[REALM_SZ]; + int ret; + + pam_set_data(pamh, "KRBTKFILE", strdup(tkt), cleanup); + krb_set_tkt_string(tkt); + + krb_get_lrealm(realm, 1); + ret = krb_verify_user(name, inst, realm, pwd, KRB_VERIFY_SECURE, NULL); + memset(pwd, 0, strlen(pwd)); + switch(ret){ + case KSUCCESS: + return PAM_SUCCESS; + case KDC_PR_UNKNOWN: + return PAM_USER_UNKNOWN; + case SKDC_CANT: + case SKDC_RETRY: + case RD_AP_TIME: + return PAM_AUTHINFO_UNAVAIL; + default: + return PAM_AUTH_ERR; + } +} + +static int +auth_login(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) +{ + int ret; + struct pam_message msg, *pmsg; + struct pam_response *resp; + char prompt[128]; + + pmsg = &msg; + msg.msg_style = PAM_PROMPT_ECHO_OFF; + snprintf(prompt, sizeof(prompt), "%s's Password: ", user); + msg.msg = prompt; + + ret = conv->conv(1, (const struct pam_message**)&pmsg, + &resp, conv->appdata_ptr); + if(ret != PAM_SUCCESS) + return ret; + + { + char tkt[1024]; + struct passwd *pw = getpwnam(user); + + if(pw){ + snprintf(tkt, sizeof(tkt), + "%s%u", TKT_ROOT, (unsigned)pw->pw_uid); + ret = doit(pamh, user, "", resp->resp, tkt); + if(ret == PAM_SUCCESS) + chown(tkt, pw->pw_uid, pw->pw_gid); + }else + ret = PAM_USER_UNKNOWN; + memset(resp->resp, 0, strlen(resp->resp)); + free(resp->resp); + free(resp); + } + return ret; +} + +static int +auth_su(pam_handle_t *pamh, int flags, char *user, struct pam_conv *conv) +{ + int ret; + struct passwd *pw; + struct pam_message msg, *pmsg; + struct pam_response *resp; + char prompt[128]; + krb_principal pr; + + pr.realm[0] = 0; + ret = pam_get_user(pamh, &user, "login: "); + if(ret != PAM_SUCCESS) + return ret; + + pw = getpwuid(getuid()); + if(strcmp(user, "root") == 0){ + strcpy_truncate(pr.name, pw->pw_name, sizeof(pr.name)); + strcpy_truncate(pr.instance, "root", sizeof(pr.instance)); + }else{ + strcpy_truncate(pr.name, user, sizeof(pr.name)); + pr.instance[0] = 0; + } + pmsg = &msg; + msg.msg_style = PAM_PROMPT_ECHO_OFF; + snprintf(prompt, sizeof(prompt), "%s's Password: ", krb_unparse_name(&pr)); + msg.msg = prompt; + + ret = conv->conv(1, (const struct pam_message**)&pmsg, + &resp, conv->appdata_ptr); + if(ret != PAM_SUCCESS) + return ret; + + { + char tkt[1024]; + + snprintf(tkt, sizeof(tkt),"%s_%s_to_%s", + TKT_ROOT, pw->pw_name, user); + ret = doit(pamh, pr.name, pr.instance, resp->resp, tkt); + if(ret == PAM_SUCCESS) + chown(tkt, pw->pw_uid, pw->pw_gid); + memset(resp->resp, 0, strlen(resp->resp)); + free(resp->resp); + free(resp); + } + return ret; +} + +int +pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + char *user; + int ret; + struct pam_conv *conv; + ret = pam_get_user(pamh, &user, "login: "); + if(ret != PAM_SUCCESS) + return ret; + + ret = pam_get_item(pamh, PAM_CONV, (void*)&conv); + if(ret != PAM_SUCCESS) + return ret; + + + if(getuid() != geteuid()) + return auth_su(pamh, flags, user, conv); + else + return auth_login(pamh, flags, user, conv); +} + +int +pam_sm_setcred(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + return PAM_SUCCESS; +} + + +int +pam_sm_open_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + char *tkt; + void *user; + const char *homedir = NULL; + + if(pam_get_item (pamh, PAM_USER, &user) == PAM_SUCCESS) { + struct passwd *pwd; + + pwd = getpwnam ((char *)user); + if (pwd != NULL) + homedir = pwd->pw_dir; + } + + pam_get_data(pamh, "KRBTKFILE", (const void**)&tkt); + setenv("KRBTKFILE", tkt, 1); + if(k_hasafs()){ + k_setpag(); + krb_afslog_home(0, 0, homedir); + } + return PAM_SUCCESS; +} + + +int +pam_sm_close_session(pam_handle_t *pamh, int flags, int argc, const char **argv) +{ + dest_tkt(); + if(k_hasafs()) + k_unlog(); + return PAM_SUCCESS; +} diff --git a/crypto/kerberosIV/lib/auth/pam/pam.conf.add b/crypto/kerberosIV/lib/auth/pam/pam.conf.add new file mode 100644 index 0000000..1bfb30e --- /dev/null +++ b/crypto/kerberosIV/lib/auth/pam/pam.conf.add @@ -0,0 +1,13 @@ +# To get this to work, you will have to add entries to /etc/pam.conf +# +# To make login kerberos-aware, you might change pam.conf to look +# like: + +# login authorization +login auth sufficient /lib/security/pam_krb4.so +login auth required /lib/security/pam_securetty.so +login auth required /lib/security/pam_unix_auth.so +login account required /lib/security/pam_unix_acct.so +login password required /lib/security/pam_unix_passwd.so +login session required /lib/security/pam_krb4.so +login session required /lib/security/pam_unix_session.so diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.am b/crypto/kerberosIV/lib/auth/sia/Makefile.am new file mode 100644 index 0000000..5a58cb7 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/Makefile.am @@ -0,0 +1,48 @@ +# $Id: Makefile.am,v 1.4 1999/04/08 12:36:40 joda Exp $ + +include $(top_srcdir)/Makefile.am.common + +INCLUDES += $(INCLUDE_krb4) + +WFLAGS += $(WFLAGS_NOIMPLICITINT) + +DEFS = @DEFS@ + +## this is horribly ugly, but automake/libtool doesn't allow us to +## unconditionally build shared libraries, and it does not allow us to +## link with non-installed libraries + +if KRB4 +KAFS=$(top_builddir)/lib/kafs/.libs/libkafs.a +endif + +L = \ + $(KAFS) \ + $(top_builddir)/lib/krb5/.libs/libkrb5.a \ + $(top_builddir)/lib/asn1/.libs/libasn1.a \ + $(LIB_krb4) \ + $(top_builddir)/lib/des/.libs/libdes.a \ + $(top_builddir)/lib/com_err/.libs/libcom_err.a \ + $(top_builddir)/lib/roken/.libs/libroken.a \ + $(LIB_getpwnam_r) \ + -lc + +EXTRA_DIST = sia.c krb5_matrix.conf krb5+c2_matrix.conf security.patch + +foodir = $(libdir) +foo_DATA = libsia_krb5.so + +LDFLAGS = -rpath $(libdir) -hidden -exported_symbol siad_\* + +OBJS = sia.o posix_getpw.o + +libsia_krb5.so: $(OBJS) + ld -shared -o $@ $(LDFLAGS) $(OBJS) $(L) + ostrip -x -z $@ + +CLEANFILES = libsia_krb5.so $(OBJS) so_locations + +SUFFIXES += .c .o + +.c.o: + $(COMPILE) -c $< diff --git a/crypto/kerberosIV/lib/auth/sia/Makefile.in b/crypto/kerberosIV/lib/auth/sia/Makefile.in new file mode 100644 index 0000000..7abc8f0 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/Makefile.in @@ -0,0 +1,89 @@ +# +# $Id: Makefile.in,v 1.29 1999/03/21 17:11:58 joda Exp $ +# + +SHELL = /bin/sh + +srcdir = @srcdir@ +VPATH = @srcdir@ + +CC = @CC@ +LINK = @LINK@ +AR = ar +RANLIB = @RANLIB@ +DEFS = @DEFS@ +CFLAGS = @CFLAGS@ $(WFLAGS) +WFLAGS = @WFLAGS@ + +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +MKINSTALLDIRS = @top_srcdir@/mkinstalldirs + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +libdir = @libdir@ + +PICFLAGS = @REAL_PICFLAGS@ +SHARED = @SHARED@ +LDSHARED = @LDSHARED@ +SHLIBEXT = @REAL_SHLIBEXT@ +LD_FLAGS = @REAL_LD_FLAGS@ + +@lib_deps_yes@LIB_DEPS = -L../../kafs -lkafs \ +@lib_deps_yes@ -L../../kadm -lkadm \ +@lib_deps_yes@ -L../../krb -lkrb \ +@lib_deps_yes@ -L../../des -ldes \ +@lib_deps_yes@ -L../../com_err -lcom_err \ +@lib_deps_yes@ -L../../roken -lroken \ +@lib_deps_yes@ @LIB_getpwnam_r@ \ +@lib_deps_yes@ -lc +@lib_deps_no@LIB_DEPS = + +LIB = libsia_krb4.$(SHLIBEXT) + +SOURCES = sia.c posix_getpw.c + +OBJECTS = sia.o posix_getpw.o + +all: $(LIB) + +Wall: + make CFLAGS="-g -Wall -Wno-comment -Wmissing-prototypes -Wmissing-declarations -D__USE_FIXED_PROTOTYPES__" + +.c.o: + $(CC) -c $(DEFS) -I../../../include -I$(srcdir) $(CFLAGS) $(CPPFLAGS) $(PICFLAGS) $< + +install: all + $(MKINSTALLDIRS) $(DESTDIR)$(libdir) + -if test "$(LIB)" != ""; then \ + $(INSTALL_DATA) -m 0555 $(LIB) $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +uninstall: + -if test "$(LIB)" != ""; then \ + rm -f $(DESTDIR)$(libdir)/$(LIB) ; \ + fi + +TAGS: $(SOURCES) + etags $(SOURCES) + +check: + +clean: + rm -f $(LIB) *.o + +mostlyclean: clean + +distclean: clean + rm -f Makefile *.tab.c *~ + +realclean: distclean + rm -f TAGS + +$(OBJECTS): ../../../include/config.h + +$(LIB): $(OBJECTS) + rm -f $@ + $(LDSHARED) -shared -o $@ -rpath $(libdir) -hidden -exported_symbol siad_\* $(OBJECTS) $(LIB_DEPS) + +.PHONY: all Wall install uninstall check clean mostlyclean distclean realclean diff --git a/crypto/kerberosIV/lib/auth/sia/README b/crypto/kerberosIV/lib/auth/sia/README new file mode 100644 index 0000000..aa7383e --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/README @@ -0,0 +1,87 @@ + +Digital SIA +----------- + +To install the SIA module you will have to do the following: + + * Make sure `libsia_krb4.so' is available in `/usr/athena/lib'. If + `/usr/athena' is not on local disk, you might want to put it in + `/usr/shlib' or someplace else. If you do, you'll have to edit + `krb4_matrix.conf' to reflect the new location (you will also have + to do this if you installed in some other directory than + `/usr/athena'). If you built with shared libraries, you will have + to copy the shared `libkrb.so', `libdes.so', `libkadm.so', and + `libkafs.so' to a place where the loader can find them (such as + `/usr/shlib'). + + * Copy (your possibly edited) `krb4_matrix.conf' to `/etc/sia'. + + * Apply `security.patch' to `/sbin/init.d/security'. + + * Turn on KRB4 security by issuing `rcmgr set SECURITY KRB4' and + `rcmgr set KRB4_MATRIX_CONF krb4_matrix.conf'. + + * Digital thinks you should reboot your machine, but that really + shouldn't be necessary. It's usually sufficient just to run + `/sbin/init.d/security start' (and restart any applications that + use SIA, like `xdm'.) + +Users with local passwords (like `root') should be able to login safely. + +When using Digital's xdm the `KRBTKFILE' environment variable isn't +passed along as it should (since xdm zaps the environment). Instead you +have to set `KRBTKFILE' to the correct value in +`/usr/lib/X11/xdm/Xsession'. Add a line similar to + KRBTKFILE=/tmp/tkt`id -u`_`ps -o ppid= -p $$`; export KRBTKFILE +If you use CDE, `dtlogin' allows you to specify which additional +environment variables it should export. To add `KRBTKFILE' to this +list, edit `/usr/dt/config/Xconfig', and look for the definition of +`exportList'. You want to add something like: + Dtlogin.exportList: KRBTKFILE + +Notes to users with Enhanced security +..................................... + +Digital's `ENHANCED' (C2) security, and Kerberos solves two different +problems. C2 deals with local security, adds better control of who can +do what, auditing, and similar things. Kerberos deals with network +security. + +To make C2 security work with Kerberos you will have to do the +following. + + * Replace all occurencies of `krb4_matrix.conf' with + `krb4+c2_matrix.conf' in the directions above. + + * You must enable "vouching" in the `default' database. This will + make the OSFC2 module trust other SIA modules, so you can login + without giving your C2 password. To do this use `edauth' to edit + the default entry `/usr/tcb/bin/edauth -dd default', and add a + `d_accept_alternate_vouching' capability, if not already present. + + * For each user that does *not* have a local C2 password, you should + set the password expiration field to zero. You can do this for each + user, or in the `default' table. To do this use `edauth' to set + (or change) the `u_exp' capability to `u_exp#0'. + + * You also need to be aware that the shipped `login', `rcp', and + `rshd', doesn't do any particular C2 magic (such as checking to + various forms of disabled accounts), so if you rely on those + features, you shouldn't use those programs. If you configure with + `--enable-osfc2', these programs will, however, set the login UID. + Still: use at your own risk. + +At present `su' does not accept the vouching flag, so it will not work +as expected. + +Also, kerberised ftp will not work with C2 passwords. You can solve this +by using both Digital's ftpd and our on different ports. + +*Remember*, if you do these changes you will get a system that most +certainly does *not* fulfill the requirements of a C2 system. If C2 is +what you want, for instance if someone else is forcing you to use it, +you're out of luck. If you use enhanced security because you want a +system that is more secure than it would otherwise be, you probably got +an even more secure system. Passwords will not be sent in the clear, +for instance. + diff --git a/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf new file mode 100644 index 0000000..b664d3d --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/krb4+c2_matrix.conf @@ -0,0 +1,63 @@ +# Copyright (c) 1998 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Kungliga Tekniska +# Högskolan and its contributors. +# +# 4. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +# $Id: krb4+c2_matrix.conf,v 1.3 1998/06/30 15:14:31 assar Exp $ + +# sia matrix configuration file (Kerberos 4 + C2) + +siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_chk_invoker=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_estab=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_finger=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_shell=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_getpwent=(BSD,libc.so) +siad_getpwuid=(BSD,libc.so) +siad_getpwnam=(BSD,libc.so) +siad_setpwent=(BSD,libc.so) +siad_endpwent=(BSD,libc.so) +siad_getgrent=(BSD,libc.so) +siad_getgrgid=(BSD,libc.so) +siad_getgrnam=(BSD,libc.so) +siad_setgrent=(BSD,libc.so) +siad_endgrent=(BSD,libc.so) +siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(OSFC2,/usr/shlib/libsecurity.so) diff --git a/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf new file mode 100644 index 0000000..9f78850 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/krb4_matrix.conf @@ -0,0 +1,64 @@ +# Copyright (c) 1998 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. All advertising materials mentioning features or use of this software +# must display the following acknowledgement: +# This product includes software developed by Kungliga Tekniska +# Högskolan and its contributors. +# +# 4. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +# $Id: krb4_matrix.conf,v 1.5 1998/01/29 02:54:11 joda Exp $ + +# sia matrix configuration file (Kerberos 4 + BSD) + +siad_init=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_chk_invoker=(BSD,libc.so) +siad_ses_init=(KRB4,/usr/athena/lib/libsia_krb4.so) +siad_ses_authent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_ses_estab=(BSD,libc.so) +siad_ses_launch=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_ses_suauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_ses_reauthent=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_chg_finger=(BSD,libc.so) +siad_chg_password=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_chg_shell=(BSD,libc.so) +siad_getpwent=(BSD,libc.so) +siad_getpwuid=(BSD,libc.so) +siad_getpwnam=(BSD,libc.so) +siad_setpwent=(BSD,libc.so) +siad_endpwent=(BSD,libc.so) +siad_getgrent=(BSD,libc.so) +siad_getgrgid=(BSD,libc.so) +siad_getgrnam=(BSD,libc.so) +siad_setgrent=(BSD,libc.so) +siad_endgrent=(BSD,libc.so) +siad_ses_release=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) +siad_chk_user=(KRB4,/usr/athena/lib/libsia_krb4.so)(BSD,libc.so) + diff --git a/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf new file mode 100644 index 0000000..c2952e2 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/krb5+c2_matrix.conf @@ -0,0 +1,27 @@ +# $Id: krb5+c2_matrix.conf,v 1.2 1998/11/26 20:58:18 assar Exp $ + +# sia matrix configuration file (Kerberos 5 + C2) + +siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_chk_invoker=(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_estab=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_ses_reauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_finger=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_password=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chg_shell=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_getpwent=(BSD,libc.so) +siad_getpwuid=(BSD,libc.so) +siad_getpwnam=(BSD,libc.so) +siad_setpwent=(BSD,libc.so) +siad_endpwent=(BSD,libc.so) +siad_getgrent=(BSD,libc.so) +siad_getgrgid=(BSD,libc.so) +siad_getgrnam=(BSD,libc.so) +siad_setgrent=(BSD,libc.so) +siad_endgrent=(BSD,libc.so) +siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) +siad_chk_user=(KRB5,/usr/athena/lib/libsia_krb5.so)(OSFC2,/usr/shlib/libsecurity.so) diff --git a/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf b/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf new file mode 100644 index 0000000..e49366a --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/krb5_matrix.conf @@ -0,0 +1,27 @@ +# $Id: krb5_matrix.conf,v 1.1 1997/05/15 18:34:18 joda Exp $ + +# sia matrix configuration file (Kerberos 5 + BSD) + +siad_init=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_chk_invoker=(BSD,libc.so) +siad_ses_init=(KRB5,/usr/athena/lib/libsia_krb5.so) +siad_ses_authent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_ses_estab=(BSD,libc.so) +siad_ses_launch=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_ses_suauthent=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_ses_reauthent=(BSD,libc.so) +siad_chg_finger=(BSD,libc.so) +siad_chg_password=(BSD,libc.so) +siad_chg_shell=(BSD,libc.so) +siad_getpwent=(BSD,libc.so) +siad_getpwuid=(BSD,libc.so) +siad_getpwnam=(BSD,libc.so) +siad_setpwent=(BSD,libc.so) +siad_endpwent=(BSD,libc.so) +siad_getgrent=(BSD,libc.so) +siad_getgrgid=(BSD,libc.so) +siad_getgrnam=(BSD,libc.so) +siad_setgrent=(BSD,libc.so) +siad_endgrent=(BSD,libc.so) +siad_ses_release=(KRB5,/usr/athena/lib/libsia_krb5.so)(BSD,libc.so) +siad_chk_user=(BSD,libc.so) diff --git a/crypto/kerberosIV/lib/auth/sia/posix_getpw.c b/crypto/kerberosIV/lib/auth/sia/posix_getpw.c new file mode 100644 index 0000000..c5961dc --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/posix_getpw.c @@ -0,0 +1,78 @@ +/* + * Copyright (c) 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +#include "sia_locl.h" + +RCSID("$Id: posix_getpw.c,v 1.1 1999/03/21 17:07:02 joda Exp $"); + +#ifndef POSIX_GETPWNAM_R +/* + * These functions translate from the old Digital UNIX 3.x interface + * to POSIX.1c. + */ + +int +posix_getpwnam_r(const char *name, struct passwd *pwd, + char *buffer, int len, struct passwd **result) +{ + int ret = getpwnam_r(name, pwd, buffer, len); + if(ret == 0) + *result = pwd; + else{ + *result = NULL; + ret = _Geterrno(); + if(ret == 0){ + ret = ERANGE; + _Seterrno(ret); + } + } + return ret; +} + +int +posix_getpwuid_r(uid_t uid, struct passwd *pwd, + char *buffer, int len, struct passwd **result) +{ + int ret = getpwuid_r(uid, pwd, buffer, len); + if(ret == 0) + *result = pwd; + else{ + *result = NULL; + ret = _Geterrno(); + if(ret == 0){ + ret = ERANGE; + _Seterrno(ret); + } + } + return ret; +} +#endif /* POSIX_GETPWNAM_R */ diff --git a/crypto/kerberosIV/lib/auth/sia/security.patch b/crypto/kerberosIV/lib/auth/sia/security.patch new file mode 100644 index 0000000..c407876 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/security.patch @@ -0,0 +1,11 @@ +--- /sbin/init.d/security~ Tue Aug 20 22:44:09 1996 ++++ /sbin/init.d/security Fri Nov 1 14:52:56 1996 +@@ -49,7 +49,7 @@ + SECURITY=BASE + fi + ;; +- BASE) ++ BASE|KRB4) + ;; + *) + echo "security configuration set to default (BASE)." diff --git a/crypto/kerberosIV/lib/auth/sia/sia.c b/crypto/kerberosIV/lib/auth/sia/sia.c new file mode 100644 index 0000000..8d35b41 --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/sia.c @@ -0,0 +1,673 @@ +/* + * Copyright (c) 1995-1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of the Institute nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include "sia_locl.h" + +RCSID("$Id: sia.c,v 1.30 1999/04/08 13:07:38 joda Exp $"); + +int +siad_init(void) +{ + return SIADSUCCESS; +} + +int +siad_chk_invoker(void) +{ + SIA_DEBUG(("DEBUG", "siad_chk_invoker")); + return SIADFAIL; +} + +int +siad_ses_init(SIAENTITY *entity, int pkgind) +{ + struct state *s = malloc(sizeof(*s)); + SIA_DEBUG(("DEBUG", "siad_ses_init")); + if(s == NULL) + return SIADFAIL; + memset(s, 0, sizeof(*s)); +#ifdef SIA_KRB5 + krb5_init_context(&s->context); +#endif + entity->mech[pkgind] = (int*)s; + return SIADSUCCESS; +} + +static int +setup_name(SIAENTITY *e, prompt_t *p) +{ + SIA_DEBUG(("DEBUG", "setup_name")); + e->name = malloc(SIANAMEMIN + 1); + if(e->name == NULL){ + SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIANAMEMIN+1)); + return SIADFAIL; + } + p->prompt = (unsigned char*)"login: "; + p->result = (unsigned char*)e->name; + p->min_result_length = 1; + p->max_result_length = SIANAMEMIN; + p->control_flags = 0; + return SIADSUCCESS; +} + +static int +setup_password(SIAENTITY *e, prompt_t *p) +{ + SIA_DEBUG(("DEBUG", "setup_password")); + e->password = malloc(SIAMXPASSWORD + 1); + if(e->password == NULL){ + SIA_DEBUG(("DEBUG", "failed to malloc %u bytes", SIAMXPASSWORD+1)); + return SIADFAIL; + } + p->prompt = (unsigned char*)"Password: "; + p->result = (unsigned char*)e->password; + p->min_result_length = 0; + p->max_result_length = SIAMXPASSWORD; + p->control_flags = SIARESINVIS; + return SIADSUCCESS; +} + + +static int +doauth(SIAENTITY *entity, int pkgind, char *name) +{ + struct passwd pw, *pwd; + char pwbuf[1024]; + struct state *s = (struct state*)entity->mech[pkgind]; +#ifdef SIA_KRB5 + char *realm; + krb5_principal principal; + krb5_ccache ccache; + krb5_error_code ret; +#endif +#ifdef SIA_KRB4 + char realm[REALM_SZ]; + char *toname, *toinst; + int ret; + struct passwd fpw, *fpwd; + char fpwbuf[1024]; + int secure; +#endif + + if(getpwnam_r(name, &pw, pwbuf, sizeof(pwbuf), &pwd) != 0){ + SIA_DEBUG(("DEBUG", "failed to getpwnam(%s)", name)); + return SIADFAIL; + } + +#ifdef SIA_KRB5 + ret = krb5_get_default_realm(s->context, &realm); + krb5_build_principal(s->context, &principal, + strlen(realm), + realm, + entity->name, + NULL); + + + if(!krb5_kuserok(s->context, principal, entity->name)) + return SIADFAIL; + sprintf(s->ticket, "FILE:/tmp/krb5_cc%d_%d", pwd->pw_uid, getpid()); + ret = krb5_cc_resolve(s->context, s->ticket, &ccache); + if(ret) + return SIADFAIL; + ret = krb5_cc_initialize(s->context, ccache, principal); + if(ret) + return SIADFAIL; +#endif + +#ifdef SIA_KRB4 + snprintf(s->ticket, sizeof(s->ticket), + TKT_ROOT "%u_%u", (unsigned)pwd->pw_uid, (unsigned)getpid()); + krb_get_lrealm(realm, 1); + toname = name; + toinst = ""; + if(entity->authtype == SIA_A_SUAUTH){ + uid_t ouid; +#ifdef HAVE_SIAENTITY_OUID + ouid = entity->ouid; +#else + ouid = getuid(); +#endif + if(getpwuid_r(ouid, &fpw, fpwbuf, sizeof(fpwbuf), &fpwd) != 0){ + SIA_DEBUG(("DEBUG", "failed to getpwuid(%u)", ouid)); + return SIADFAIL; + } + snprintf(s->ticket, sizeof(s->ticket), TKT_ROOT "_%s_to_%s_%d", + fpwd->pw_name, pwd->pw_name, getpid()); + if(strcmp(pwd->pw_name, "root") == 0){ + toname = fpwd->pw_name; + toinst = pwd->pw_name; + } + } + if(entity->authtype == SIA_A_REAUTH) + snprintf(s->ticket, sizeof(s->ticket), "%s", tkt_string()); + + krb_set_tkt_string(s->ticket); + + setuid(0); /* XXX fix for fix in tf_util.c */ + if(krb_kuserok(toname, toinst, realm, name)){ + SIA_DEBUG(("DEBUG", "%s.%s@%s is not allowed to login as %s", + toname, toinst, realm, name)); + return SIADFAIL; + } +#endif +#ifdef SIA_KRB5 + ret = krb5_verify_user(s->context, principal, ccache, + entity->password, 1, NULL); + if(ret){ + /* if this is most likely a local user (such as + root), just silently return failure when the + principal doesn't exist */ + if(ret != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN && + ret != KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN) + SIALOG("WARNING", "krb5_verify_user(%s): %s", + entity->name, error_message(ret)); + return SIADFAIL; + } +#endif +#ifdef SIA_KRB4 + if (getuid () == 0) + secure = KRB_VERIFY_SECURE; + else + secure = KRB_VERIFY_NOT_SECURE; + + ret = krb_verify_user(toname, toinst, realm, + entity->password, secure, NULL); + if(ret){ + SIA_DEBUG(("DEBUG", "krb_verify_user: %s", krb_get_err_text(ret))); + if(ret != KDC_PR_UNKNOWN) + /* since this is most likely a local user (such as + root), just silently return failure when the + principal doesn't exist */ + SIALOG("WARNING", "krb_verify_user(%s.%s): %s", + toname, toinst, krb_get_err_text(ret)); + return SIADFAIL; + } +#endif + if(sia_make_entity_pwd(pwd, entity) == SIAFAIL) + return SIADFAIL; + s->valid = 1; + return SIADSUCCESS; +} + + +static int +common_auth(sia_collect_func_t *collect, + SIAENTITY *entity, + int siastat, + int pkgind) +{ + prompt_t prompts[2], *pr; + char *name; + + SIA_DEBUG(("DEBUG", "common_auth")); + if((siastat == SIADSUCCESS) && (geteuid() == 0)) + return SIADSUCCESS; + if(entity == NULL) { + SIA_DEBUG(("DEBUG", "entity == NULL")); + return SIADFAIL | SIADSTOP; + } + name = entity->name; + if(entity->acctname) + name = entity->acctname; + + if((collect != NULL) && entity->colinput) { + int num; + pr = prompts; + if(name == NULL){ + if(setup_name(entity, pr) != SIADSUCCESS) + return SIADFAIL; + pr++; + } + if(entity->password == NULL){ + if(setup_password(entity, pr) != SIADSUCCESS) + return SIADFAIL; + pr++; + } + num = pr - prompts; + if(num == 1){ + if((*collect)(240, SIAONELINER, (unsigned char*)"", num, + prompts) != SIACOLSUCCESS){ + SIA_DEBUG(("DEBUG", "collect failed")); + return SIADFAIL | SIADSTOP; + } + } else if(num > 0){ + if((*collect)(0, SIAFORM, (unsigned char*)"", num, + prompts) != SIACOLSUCCESS){ + SIA_DEBUG(("DEBUG", "collect failed")); + return SIADFAIL | SIADSTOP; + } + } + } + if(name == NULL) + name = entity->name; + if(name == NULL || name[0] == '\0'){ + SIA_DEBUG(("DEBUG", "name is null")); + return SIADFAIL; + } + + if(entity->password == NULL || strlen(entity->password) > SIAMXPASSWORD){ + SIA_DEBUG(("DEBUG", "entity->password is null")); + return SIADFAIL; + } + + return doauth(entity, pkgind, name); +} + + +int +siad_ses_authent(sia_collect_func_t *collect, + SIAENTITY *entity, + int siastat, + int pkgind) +{ + SIA_DEBUG(("DEBUG", "siad_ses_authent")); + return common_auth(collect, entity, siastat, pkgind); +} + +int +siad_ses_estab(sia_collect_func_t *collect, + SIAENTITY *entity, int pkgind) +{ + SIA_DEBUG(("DEBUG", "siad_ses_estab")); + return SIADFAIL; +} + +int +siad_ses_launch(sia_collect_func_t *collect, + SIAENTITY *entity, + int pkgind) +{ + static char env[MaxPathLen]; + struct state *s = (struct state*)entity->mech[pkgind]; + SIA_DEBUG(("DEBUG", "siad_ses_launch")); + if(s->valid){ +#ifdef SIA_KRB5 + chown(s->ticket + sizeof("FILE:") - 1, + entity->pwd->pw_uid, + entity->pwd->pw_gid); + snprintf(env, sizeof(env), "KRB5CCNAME=%s", s->ticket); +#endif +#ifdef SIA_KRB4 + chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); + snprintf(env, sizeof(env), "KRBTKFILE=%s", s->ticket); +#endif + putenv(env); + } +#ifdef KRB4 + if (k_hasafs()) { + char cell[64]; + k_setpag(); + if(k_afs_cell_of_file(entity->pwd->pw_dir, cell, sizeof(cell)) == 0) + krb_afslog(cell, 0); + krb_afslog_home(0, 0, entity->pwd->pw_dir); + } +#endif + return SIADSUCCESS; +} + +int +siad_ses_release(SIAENTITY *entity, int pkgind) +{ + SIA_DEBUG(("DEBUG", "siad_ses_release")); + if(entity->mech[pkgind]){ +#ifdef SIA_KRB5 + struct state *s = (struct state*)entity->mech[pkgind]; + krb5_free_context(s->context); +#endif + free(entity->mech[pkgind]); + } + return SIADSUCCESS; +} + +int +siad_ses_suauthent(sia_collect_func_t *collect, + SIAENTITY *entity, + int siastat, + int pkgind) +{ + SIA_DEBUG(("DEBUG", "siad_ses_suauth")); + if(geteuid() != 0) + return SIADFAIL; + if(entity->name == NULL) + return SIADFAIL; + if(entity->name[0] == '\0') { + free(entity->name); + entity->name = strdup("root"); + if (entity->name == NULL) + return SIADFAIL; + } + return common_auth(collect, entity, siastat, pkgind); +} + +int +siad_ses_reauthent (sia_collect_func_t *collect, + SIAENTITY *entity, + int siastat, + int pkgind) +{ + int ret; + SIA_DEBUG(("DEBUG", "siad_ses_reauthent")); + if(entity == NULL || entity->name == NULL) + return SIADFAIL; + ret = common_auth(collect, entity, siastat, pkgind); + if((ret & SIADSUCCESS)){ + /* launch isn't (always?) called when doing reauth, so we must + duplicate some code here... */ + struct state *s = (struct state*)entity->mech[pkgind]; + chown(s->ticket, entity->pwd->pw_uid, entity->pwd->pw_gid); +#ifdef KRB4 + if(k_hasafs()) { + char cell[64]; + if(k_afs_cell_of_file(entity->pwd->pw_dir, + cell, sizeof(cell)) == 0) + krb_afslog(cell, 0); + krb_afslog_home(0, 0, entity->pwd->pw_dir); + } +#endif + } + return ret; +} + +int +siad_chg_finger (sia_collect_func_t *collect, + const char *username, + int argc, + char *argv[]) +{ + SIA_DEBUG(("DEBUG", "siad_chg_finger")); + return SIADFAIL; +} + +#ifdef SIA_KRB5 +int +siad_chg_password (sia_collect_func_t *collect, + const char *username, + int argc, + char *argv[]) +{ + return SIADFAIL; +} +#endif + +#ifdef SIA_KRB4 +static void +sia_message(sia_collect_func_t *collect, int rendition, + const char *title, const char *message) +{ + prompt_t prompt; + prompt.prompt = (unsigned char*)message; + (*collect)(0, rendition, (unsigned char*)title, 1, &prompt); +} + +static int +init_change(sia_collect_func_t *collect, krb_principal *princ) +{ + prompt_t prompt; + char old_pw[MAX_KPW_LEN+1]; + char *msg; + char tktstring[128]; + int ret; + + SIA_DEBUG(("DEBUG", "init_change")); + prompt.prompt = (unsigned char*)"Old password: "; + prompt.result = (unsigned char*)old_pw; + prompt.min_result_length = 0; + prompt.max_result_length = sizeof(old_pw) - 1; + prompt.control_flags = SIARESINVIS; + asprintf(&msg, "Changing password for %s", krb_unparse_name(princ)); + if(msg == NULL){ + SIA_DEBUG(("DEBUG", "out of memory")); + return SIADFAIL; + } + ret = (*collect)(60, SIAONELINER, (unsigned char*)msg, 1, &prompt); + free(msg); + SIA_DEBUG(("DEBUG", "ret = %d", ret)); + if(ret != SIACOLSUCCESS) + return SIADFAIL; + snprintf(tktstring, sizeof(tktstring), + TKT_ROOT "_cpw_%u", (unsigned)getpid()); + krb_set_tkt_string(tktstring); + + ret = krb_get_pw_in_tkt(princ->name, princ->instance, princ->realm, + PWSERV_NAME, KADM_SINST, 1, old_pw); + if (ret != KSUCCESS) { + SIA_DEBUG(("DEBUG", "krb_get_pw_in_tkt: %s", krb_get_err_text(ret))); + if (ret == INTK_BADPW) + sia_message(collect, SIAWARNING, "", "Incorrect old password."); + else + sia_message(collect, SIAWARNING, "", "Kerberos error."); + memset(old_pw, 0, sizeof(old_pw)); + return SIADFAIL; + } + if(chown(tktstring, getuid(), -1) < 0){ + dest_tkt(); + return SIADFAIL; + } + memset(old_pw, 0, sizeof(old_pw)); + return SIADSUCCESS; +} + +int +siad_chg_password (sia_collect_func_t *collect, + const char *username, + int argc, + char *argv[]) +{ + prompt_t prompts[2]; + krb_principal princ; + int ret; + char new_pw1[MAX_KPW_LEN+1]; + char new_pw2[MAX_KPW_LEN+1]; + static struct et_list *et_list; + + set_progname(argv[0]); + + SIA_DEBUG(("DEBUG", "siad_chg_password")); + if(collect == NULL) + return SIADFAIL; + + if(username == NULL) + username = getlogin(); + + ret = krb_parse_name(username, &princ); + if(ret) + return SIADFAIL; + if(princ.realm[0] == '\0') + krb_get_lrealm(princ.realm, 1); + + if(et_list == NULL) { + initialize_kadm_error_table_r(&et_list); + initialize_krb_error_table_r(&et_list); + } + + ret = init_change(collect, &princ); + if(ret != SIADSUCCESS) + return ret; + +again: + prompts[0].prompt = (unsigned char*)"New password: "; + prompts[0].result = (unsigned char*)new_pw1; + prompts[0].min_result_length = MIN_KPW_LEN; + prompts[0].max_result_length = sizeof(new_pw1) - 1; + prompts[0].control_flags = SIARESINVIS; + prompts[1].prompt = (unsigned char*)"Verify new password: "; + prompts[1].result = (unsigned char*)new_pw2; + prompts[1].min_result_length = MIN_KPW_LEN; + prompts[1].max_result_length = sizeof(new_pw2) - 1; + prompts[1].control_flags = SIARESINVIS; + if((*collect)(120, SIAFORM, (unsigned char*)"", 2, prompts) != + SIACOLSUCCESS) { + dest_tkt(); + return SIADFAIL; + } + if(strcmp(new_pw1, new_pw2) != 0){ + sia_message(collect, SIAWARNING, "", "Password mismatch."); + goto again; + } + ret = kadm_check_pw(new_pw1); + if(ret) { + sia_message(collect, SIAWARNING, "", com_right(et_list, ret)); + goto again; + } + + memset(new_pw2, 0, sizeof(new_pw2)); + ret = kadm_init_link (PWSERV_NAME, KRB_MASTER, princ.realm); + if (ret != KADM_SUCCESS) + sia_message(collect, SIAWARNING, "Error initing kadmin connection", + com_right(et_list, ret)); + else { + des_cblock newkey; + char *pw_msg; /* message from server */ + + des_string_to_key(new_pw1, &newkey); + ret = kadm_change_pw_plain((unsigned char*)&newkey, new_pw1, &pw_msg); + memset(newkey, 0, sizeof(newkey)); + + if (ret == KADM_INSECURE_PW) + sia_message(collect, SIAWARNING, "Insecure password", pw_msg); + else if (ret != KADM_SUCCESS) + sia_message(collect, SIAWARNING, "Error changing password", + com_right(et_list, ret)); + } + memset(new_pw1, 0, sizeof(new_pw1)); + + if (ret != KADM_SUCCESS) + sia_message(collect, SIAWARNING, "", "Password NOT changed."); + else + sia_message(collect, SIAINFO, "", "Password changed."); + + dest_tkt(); + if(ret) + return SIADFAIL; + return SIADSUCCESS; +} +#endif + +int +siad_chg_shell (sia_collect_func_t *collect, + const char *username, + int argc, + char *argv[]) +{ + return SIADFAIL; +} + +int +siad_getpwent(struct passwd *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_getpwuid (uid_t uid, + struct passwd *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_getpwnam (const char *name, + struct passwd *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_setpwent (struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_endpwent (struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_getgrent(struct group *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_getgrgid (gid_t gid, + struct group *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_getgrnam (const char *name, + struct group *result, + char *buf, + int bufsize, + struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_setgrent (struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_endgrent (struct sia_context *context) +{ + return SIADFAIL; +} + +int +siad_chk_user (const char *logname, int checkflag) +{ + if(checkflag != CHGPASSWD) + return SIADFAIL; + return SIADSUCCESS; +} diff --git a/crypto/kerberosIV/lib/auth/sia/sia_locl.h b/crypto/kerberosIV/lib/auth/sia/sia_locl.h new file mode 100644 index 0000000..0f3f74d --- /dev/null +++ b/crypto/kerberosIV/lib/auth/sia/sia_locl.h @@ -0,0 +1,94 @@ +/* + * Copyright (c) 1999 Kungliga Tekniska Högskolan + * (Royal Institute of Technology, Stockholm, Sweden). + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * 3. Neither the name of KTH nor the names of its contributors may be + * used to endorse or promote products derived from this software without + * specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY + * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE + * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR + * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ + +/* $Id: sia_locl.h,v 1.2 1999/04/01 16:09:22 joda Exp $ */ + +#ifndef __sia_locl_h__ +#define __sia_locl_h__ + +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif +#include <ctype.h> +#include <stdio.h> +#include <string.h> +#include <siad.h> +#include <pwd.h> +#include <sys/types.h> +#include <sys/socket.h> +#include <netinet/in.h> + +#ifdef KRB5 +#define SIA_KRB5 +#elif defined(KRB4) +#define SIA_KRB4 +#endif + +#ifdef SIA_KRB5 +#include <krb5.h> +#include <com_err.h> +#endif +#ifdef SIA_KRB4 +#include <krb.h> +#include <krb_err.h> +#include <kadm.h> +#include <kadm_err.h> +#endif +#ifdef KRB4 +#include <kafs.h> +#endif + +#include <roken.h> + +#ifndef POSIX_GETPWNAM_R + +#define getpwnam_r posix_getpwnam_r +#define getpwuid_r posix_getpwuid_r + +#endif /* POSIX_GETPWNAM_R */ + +#ifndef DEBUG +#define SIA_DEBUG(X) +#else +#define SIA_DEBUG(X) SIALOG X +#endif + +struct state{ +#ifdef SIA_KRB5 + krb5_context context; + krb5_auth_context auth_context; +#endif + char ticket[MaxPathLen]; + int valid; +}; + +#endif /* __sia_locl_h__ */ |
