diff options
author | markm <markm@FreeBSD.org> | 2001-07-09 17:52:34 +0000 |
---|---|---|
committer | markm <markm@FreeBSD.org> | 2001-07-09 17:52:34 +0000 |
commit | 431a592722db6b9341bb9b1e6a409a39edee7797 (patch) | |
tree | dfb18c225b48df272ea8a82f1e00b304e618defc /lib | |
parent | 92ae7a35b556bd6e54d8d69ba0079ec0004fe892 (diff) | |
download | FreeBSD-src-431a592722db6b9341bb9b1e6a409a39edee7797.zip FreeBSD-src-431a592722db6b9341bb9b1e6a409a39edee7797.tar.gz |
Axe S/Key. OPIE is the legal successor.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Makefile | 8 | ||||
-rw-r--r-- | lib/libskey/Makefile | 23 | ||||
-rw-r--r-- | lib/libskey/mdx.h | 19 | ||||
-rw-r--r-- | lib/libskey/pathnames.h | 6 | ||||
-rw-r--r-- | lib/libskey/put.c | 2293 | ||||
-rw-r--r-- | lib/libskey/skey.1 | 91 | ||||
-rw-r--r-- | lib/libskey/skey.3 | 163 | ||||
-rw-r--r-- | lib/libskey/skey.access.5 | 224 | ||||
-rw-r--r-- | lib/libskey/skey.h | 60 | ||||
-rw-r--r-- | lib/libskey/skey_crypt.c | 38 | ||||
-rw-r--r-- | lib/libskey/skey_getpass.c | 37 | ||||
-rw-r--r-- | lib/libskey/skeyaccess.c | 588 | ||||
-rw-r--r-- | lib/libskey/skeylogin.c | 343 | ||||
-rw-r--r-- | lib/libskey/skeysubr.c | 135 |
14 files changed, 3 insertions, 4025 deletions
diff --git a/lib/Makefile b/lib/Makefile index 01e5de0..09b4378 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -6,14 +6,12 @@ # # csu must be built before all shared libaries for ELF. # libcom_err must be built before libkrb, libpam and libss. -# libcrypt must be built before libkrb, libpam and libskey. +# libcrypt must be built before libkrb and libpam. # msun must be built before libg++ and libstdc++. -# libmd must be built before libatm, libopie, libradius, libskey, and -# libtacplus. +# libmd must be built before libatm, libopie, libradius, and libtacplus. # libncurses must be built before libdialog, libedit and libreadline. # libopie must be built before libpam. # libradius must be built before libpam. -# libskey must be built before libpam. # libtacplus must be built before libpam. # libutil must be built before libpam. # libsbuf must be built before libcam. @@ -21,7 +19,7 @@ # Otherwise, the SUBDIR list should be in alphabetical order. SUBDIR= ${_csu} libcom_err libcrypt msun libmd \ - libncurses libradius libskey libtacplus libutil libsbuf \ + libncurses libradius libtacplus libutil libsbuf \ ${_compat} libalias libatm ${_libbind} libbz2 libc ${_libc_r} \ libcalendar libcam libcompat libdevinfo libdevstat libdisk \ libedit libfetch libform libftpio libgnumalloc ${_libio} libipsec \ diff --git a/lib/libskey/Makefile b/lib/libskey/Makefile deleted file mode 100644 index 1a799fd..0000000 --- a/lib/libskey/Makefile +++ /dev/null @@ -1,23 +0,0 @@ -# @(#)Makefile 5.4 (Berkeley) 5/7/91 -# $FreeBSD$ - -LIB= skey -SRCS= skeyaccess.c put.c skey_crypt.c skey_getpass.c skeylogin.c skeysubr.c -INCS= skey.h -MAN= skey.1 -MAN+= skey.3 -MLINKS= skey.3 skeylookup.3 skey.3 skeyverify.3 skey.3 skeychallenge.3 \ - skey.3 skeyinfo.3 skey.3 skeyaccess.3 skey.3 skey_getpass.3 \ - skey.3 skey_crypt.3 -MAN+= skey.access.5 - -CFLAGS+=-DPERMIT_CONSOLE -D_SKEY_INTERNAL -I${.CURDIR} -CFLAGS+=-W -Wall -.if ${MACHINE_ARCH} == "i386" -CFLAGS+=-Werror -.endif - -DPADD+= ${LIBCRYPT} ${LIBMD} -LDADD+= -lcrypt -lmd - -.include <bsd.lib.mk> diff --git a/lib/libskey/mdx.h b/lib/libskey/mdx.h deleted file mode 100644 index 567d541..0000000 --- a/lib/libskey/mdx.h +++ /dev/null @@ -1,19 +0,0 @@ -#ifdef MD5 -/* S/Key can use MD5 now, if defined... */ -#include <md5.h> - -#define MDXFinal MD5Final -#define MDXInit MD5Init -#define MDXUpdate MD5Update -#define MDX_CTX MD5_CTX -#else - -/* By default, use MD4 for compatibility */ -#include <md4.h> - -#define MDXFinal MD4Final -#define MDXInit MD4Init -#define MDXUpdate MD4Update -#define MDX_CTX MD4_CTX - -#endif diff --git a/lib/libskey/pathnames.h b/lib/libskey/pathnames.h deleted file mode 100644 index ca91fcc..0000000 --- a/lib/libskey/pathnames.h +++ /dev/null @@ -1,6 +0,0 @@ -/* $FreeBSD$ (FreeBSD) */ - -#include <paths.h> - -#define _PATH_SKEYACCESS "/etc/skey.access" -#define _PATH_SKEYFILE "/etc/skeykeys" diff --git a/lib/libskey/put.c b/lib/libskey/put.c deleted file mode 100644 index e57d9ca..0000000 --- a/lib/libskey/put.c +++ /dev/null @@ -1,2293 +0,0 @@ -#include <stdio.h> -#include <string.h> -#include <assert.h> -#include <ctype.h> -#include "skey.h" - -static unsigned long extract __P((char *s,int start,int length)); -static void standard __P((char *word)); -static void insert __P((char *s, int x, int start, int length)); -static int wsrch __P((char *w,int low,int high)); - -/* Dictionary for integer-word translations */ -static char Wp[2048][4] = { -"A", -"ABE", -"ACE", -"ACT", -"AD", -"ADA", -"ADD", -"AGO", -"AID", -"AIM", -"AIR", -"ALL", -"ALP", -"AM", -"AMY", -"AN", -"ANA", -"AND", -"ANN", -"ANT", -"ANY", -"APE", -"APS", -"APT", -"ARC", -"ARE", -"ARK", -"ARM", -"ART", -"AS", -"ASH", -"ASK", -"AT", -"ATE", -"AUG", -"AUK", -"AVE", -"AWE", -"AWK", -"AWL", -"AWN", -"AX", -"AYE", -"BAD", -"BAG", -"BAH", -"BAM", -"BAN", -"BAR", -"BAT", -"BAY", -"BE", -"BED", -"BEE", -"BEG", -"BEN", -"BET", -"BEY", -"BIB", -"BID", -"BIG", -"BIN", -"BIT", -"BOB", -"BOG", -"BON", -"BOO", -"BOP", -"BOW", -"BOY", -"BUB", -"BUD", -"BUG", -"BUM", -"BUN", -"BUS", -"BUT", -"BUY", -"BY", -"BYE", -"CAB", -"CAL", -"CAM", -"CAN", -"CAP", -"CAR", -"CAT", -"CAW", -"COD", -"COG", -"COL", -"CON", -"COO", -"COP", -"COT", -"COW", -"COY", -"CRY", -"CUB", -"CUE", -"CUP", -"CUR", -"CUT", -"DAB", -"DAD", -"DAM", -"DAN", -"DAR", -"DAY", -"DEE", -"DEL", -"DEN", -"DES", -"DEW", -"DID", -"DIE", -"DIG", -"DIN", -"DIP", -"DO", -"DOE", -"DOG", -"DON", -"DOT", -"DOW", -"DRY", -"DUB", -"DUD", -"DUE", -"DUG", -"DUN", -"EAR", -"EAT", -"ED", -"EEL", -"EGG", -"EGO", -"ELI", -"ELK", -"ELM", -"ELY", -"EM", -"END", -"EST", -"ETC", -"EVA", -"EVE", -"EWE", -"EYE", -"FAD", -"FAN", -"FAR", -"FAT", -"FAY", -"FED", -"FEE", -"FEW", -"FIB", -"FIG", -"FIN", -"FIR", -"FIT", -"FLO", -"FLY", -"FOE", -"FOG", -"FOR", -"FRY", -"FUM", -"FUN", -"FUR", -"GAB", -"GAD", -"GAG", -"GAL", -"GAM", -"GAP", -"GAS", -"GAY", -"GEE", -"GEL", -"GEM", -"GET", -"GIG", -"GIL", -"GIN", -"GO", -"GOT", -"GUM", -"GUN", -"GUS", -"GUT", -"GUY", -"GYM", -"GYP", -"HA", -"HAD", -"HAL", -"HAM", -"HAN", -"HAP", -"HAS", -"HAT", -"HAW", -"HAY", -"HE", -"HEM", -"HEN", -"HER", -"HEW", -"HEY", -"HI", -"HID", -"HIM", -"HIP", -"HIS", -"HIT", -"HO", -"HOB", -"HOC", -"HOE", -"HOG", -"HOP", -"HOT", -"HOW", -"HUB", -"HUE", -"HUG", -"HUH", -"HUM", -"HUT", -"I", -"ICY", -"IDA", -"IF", -"IKE", -"ILL", -"INK", -"INN", -"IO", -"ION", -"IQ", -"IRA", -"IRE", -"IRK", -"IS", -"IT", -"ITS", -"IVY", -"JAB", -"JAG", -"JAM", -"JAN", -"JAR", -"JAW", -"JAY", -"JET", -"JIG", -"JIM", -"JO", -"JOB", -"JOE", -"JOG", -"JOT", -"JOY", -"JUG", -"JUT", -"KAY", -"KEG", -"KEN", -"KEY", -"KID", -"KIM", -"KIN", -"KIT", -"LA", -"LAB", -"LAC", -"LAD", -"LAG", -"LAM", -"LAP", -"LAW", -"LAY", -"LEA", -"LED", -"LEE", -"LEG", -"LEN", -"LEO", -"LET", -"LEW", -"LID", -"LIE", -"LIN", -"LIP", -"LIT", -"LO", -"LOB", -"LOG", -"LOP", -"LOS", -"LOT", -"LOU", -"LOW", -"LOY", -"LUG", -"LYE", -"MA", -"MAC", -"MAD", -"MAE", -"MAN", -"MAO", -"MAP", -"MAT", -"MAW", -"MAY", -"ME", -"MEG", -"MEL", -"MEN", -"MET", -"MEW", -"MID", -"MIN", -"MIT", -"MOB", -"MOD", -"MOE", -"MOO", -"MOP", -"MOS", -"MOT", -"MOW", -"MUD", -"MUG", -"MUM", -"MY", -"NAB", -"NAG", -"NAN", -"NAP", -"NAT", -"NAY", -"NE", -"NED", -"NEE", -"NET", -"NEW", -"NIB", -"NIL", -"NIP", -"NIT", -"NO", -"NOB", -"NOD", -"NON", -"NOR", -"NOT", -"NOV", -"NOW", -"NU", -"NUN", -"NUT", -"O", -"OAF", -"OAK", -"OAR", -"OAT", -"ODD", -"ODE", -"OF", -"OFF", -"OFT", -"OH", -"OIL", -"OK", -"OLD", -"ON", -"ONE", -"OR", -"ORB", -"ORE", -"ORR", -"OS", -"OTT", -"OUR", -"OUT", -"OVA", -"OW", -"OWE", -"OWL", -"OWN", -"OX", -"PA", -"PAD", -"PAL", -"PAM", -"PAN", -"PAP", -"PAR", -"PAT", -"PAW", -"PAY", -"PEA", -"PEG", -"PEN", -"PEP", -"PER", -"PET", -"PEW", -"PHI", -"PI", -"PIE", -"PIN", -"PIT", -"PLY", -"PO", -"POD", -"POE", -"POP", -"POT", -"POW", -"PRO", -"PRY", -"PUB", -"PUG", -"PUN", -"PUP", -"PUT", -"QUO", -"RAG", -"RAM", -"RAN", -"RAP", -"RAT", -"RAW", -"RAY", -"REB", -"RED", -"REP", -"RET", -"RIB", -"RID", -"RIG", -"RIM", -"RIO", -"RIP", -"ROB", -"ROD", -"ROE", -"RON", -"ROT", -"ROW", -"ROY", -"RUB", -"RUE", -"RUG", -"RUM", -"RUN", -"RYE", -"SAC", -"SAD", -"SAG", -"SAL", -"SAM", -"SAN", -"SAP", -"SAT", -"SAW", -"SAY", -"SEA", -"SEC", -"SEE", -"SEN", -"SET", -"SEW", -"SHE", -"SHY", -"SIN", -"SIP", -"SIR", -"SIS", -"SIT", -"SKI", -"SKY", -"SLY", -"SO", -"SOB", -"SOD", -"SON", -"SOP", -"SOW", -"SOY", -"SPA", -"SPY", -"SUB", -"SUD", -"SUE", -"SUM", -"SUN", -"SUP", -"TAB", -"TAD", -"TAG", -"TAN", -"TAP", -"TAR", -"TEA", -"TED", -"TEE", -"TEN", -"THE", -"THY", -"TIC", -"TIE", -"TIM", -"TIN", -"TIP", -"TO", -"TOE", -"TOG", -"TOM", -"TON", -"TOO", -"TOP", -"TOW", -"TOY", -"TRY", -"TUB", -"TUG", -"TUM", -"TUN", -"TWO", -"UN", -"UP", -"US", -"USE", -"VAN", -"VAT", -"VET", -"VIE", -"WAD", -"WAG", -"WAR", -"WAS", -"WAY", -"WE", -"WEB", -"WED", -"WEE", -"WET", -"WHO", -"WHY", -"WIN", -"WIT", -"WOK", -"WON", -"WOO", -"WOW", -"WRY", -"WU", -"YAM", -"YAP", -"YAW", -"YE", -"YEA", -"YES", -"YET", -"YOU", -"ABED", -"ABEL", -"ABET", -"ABLE", -"ABUT", -"ACHE", -"ACID", -"ACME", -"ACRE", -"ACTA", -"ACTS", -"ADAM", -"ADDS", -"ADEN", -"AFAR", -"AFRO", -"AGEE", -"AHEM", -"AHOY", -"AIDA", -"AIDE", -"AIDS", -"AIRY", -"AJAR", -"AKIN", -"ALAN", -"ALEC", -"ALGA", -"ALIA", -"ALLY", -"ALMA", -"ALOE", -"ALSO", -"ALTO", -"ALUM", -"ALVA", -"AMEN", -"AMES", -"AMID", -"AMMO", -"AMOK", -"AMOS", -"AMRA", -"ANDY", -"ANEW", -"ANNA", -"ANNE", -"ANTE", -"ANTI", -"AQUA", -"ARAB", -"ARCH", -"AREA", -"ARGO", -"ARID", -"ARMY", -"ARTS", -"ARTY", -"ASIA", -"ASKS", -"ATOM", -"AUNT", -"AURA", -"AUTO", -"AVER", -"AVID", -"AVIS", -"AVON", -"AVOW", -"AWAY", -"AWRY", -"BABE", -"BABY", -"BACH", -"BACK", -"BADE", -"BAIL", -"BAIT", -"BAKE", -"BALD", -"BALE", -"BALI", -"BALK", -"BALL", -"BALM", -"BAND", -"BANE", -"BANG", -"BANK", -"BARB", -"BARD", -"BARE", -"BARK", -"BARN", -"BARR", -"BASE", -"BASH", -"BASK", -"BASS", -"BATE", -"BATH", -"BAWD", -"BAWL", -"BEAD", -"BEAK", -"BEAM", -"BEAN", -"BEAR", -"BEAT", -"BEAU", -"BECK", -"BEEF", -"BEEN", -"BEER", -"BEET", -"BELA", -"BELL", -"BELT", -"BEND", -"BENT", -"BERG", -"BERN", -"BERT", -"BESS", -"BEST", -"BETA", -"BETH", -"BHOY", -"BIAS", -"BIDE", -"BIEN", -"BILE", -"BILK", -"BILL", -"BIND", -"BING", -"BIRD", -"BITE", -"BITS", -"BLAB", -"BLAT", -"BLED", -"BLEW", -"BLOB", -"BLOC", -"BLOT", -"BLOW", -"BLUE", -"BLUM", -"BLUR", -"BOAR", -"BOAT", -"BOCA", -"BOCK", -"BODE", -"BODY", -"BOGY", -"BOHR", -"BOIL", -"BOLD", -"BOLO", -"BOLT", -"BOMB", -"BONA", -"BOND", -"BONE", -"BONG", -"BONN", -"BONY", -"BOOK", -"BOOM", -"BOON", -"BOOT", -"BORE", -"BORG", -"BORN", -"BOSE", -"BOSS", -"BOTH", -"BOUT", -"BOWL", -"BOYD", -"BRAD", -"BRAE", -"BRAG", -"BRAN", -"BRAY", -"BRED", -"BREW", -"BRIG", -"BRIM", -"BROW", -"BUCK", -"BUDD", -"BUFF", -"BULB", -"BULK", -"BULL", -"BUNK", -"BUNT", -"BUOY", -"BURG", -"BURL", -"BURN", -"BURR", -"BURT", -"BURY", -"BUSH", -"BUSS", -"BUST", -"BUSY", -"BYTE", -"CADY", -"CAFE", -"CAGE", -"CAIN", -"CAKE", -"CALF", -"CALL", -"CALM", -"CAME", -"CANE", -"CANT", -"CARD", -"CARE", -"CARL", -"CARR", -"CART", -"CASE", -"CASH", -"CASK", -"CAST", -"CAVE", -"CEIL", -"CELL", -"CENT", -"CERN", -"CHAD", -"CHAR", -"CHAT", -"CHAW", -"CHEF", -"CHEN", -"CHEW", -"CHIC", -"CHIN", -"CHOU", -"CHOW", -"CHUB", -"CHUG", -"CHUM", -"CITE", -"CITY", -"CLAD", -"CLAM", -"CLAN", -"CLAW", -"CLAY", -"CLOD", -"CLOG", -"CLOT", -"CLUB", -"CLUE", -"COAL", -"COAT", -"COCA", -"COCK", -"COCO", -"CODA", -"CODE", -"CODY", -"COED", -"COIL", -"COIN", -"COKE", -"COLA", -"COLD", -"COLT", -"COMA", -"COMB", -"COME", -"COOK", -"COOL", -"COON", -"COOT", -"CORD", -"CORE", -"CORK", -"CORN", -"COST", -"COVE", -"COWL", -"CRAB", -"CRAG", -"CRAM", -"CRAY", -"CREW", -"CRIB", -"CROW", -"CRUD", -"CUBA", -"CUBE", -"CUFF", -"CULL", -"CULT", -"CUNY", -"CURB", -"CURD", -"CURE", -"CURL", -"CURT", -"CUTS", -"DADE", -"DALE", -"DAME", -"DANA", -"DANE", -"DANG", -"DANK", -"DARE", -"DARK", -"DARN", -"DART", -"DASH", -"DATA", -"DATE", -"DAVE", -"DAVY", -"DAWN", -"DAYS", -"DEAD", -"DEAF", -"DEAL", -"DEAN", -"DEAR", -"DEBT", -"DECK", -"DEED", -"DEEM", -"DEER", -"DEFT", -"DEFY", -"DELL", -"DENT", -"DENY", -"DESK", -"DIAL", -"DICE", -"DIED", -"DIET", -"DIME", -"DINE", -"DING", -"DINT", -"DIRE", -"DIRT", -"DISC", -"DISH", -"DISK", -"DIVE", -"DOCK", -"DOES", -"DOLE", -"DOLL", -"DOLT", -"DOME", -"DONE", -"DOOM", -"DOOR", -"DORA", -"DOSE", -"DOTE", -"DOUG", -"DOUR", -"DOVE", -"DOWN", -"DRAB", -"DRAG", -"DRAM", -"DRAW", -"DREW", -"DRUB", -"DRUG", -"DRUM", -"DUAL", -"DUCK", -"DUCT", -"DUEL", -"DUET", -"DUKE", -"DULL", -"DUMB", -"DUNE", -"DUNK", -"DUSK", -"DUST", -"DUTY", -"EACH", -"EARL", -"EARN", -"EASE", -"EAST", -"EASY", -"EBEN", -"ECHO", -"EDDY", -"EDEN", -"EDGE", -"EDGY", -"EDIT", -"EDNA", -"EGAN", -"ELAN", -"ELBA", -"ELLA", -"ELSE", -"EMIL", -"EMIT", -"EMMA", -"ENDS", -"ERIC", -"EROS", -"EVEN", -"EVER", -"EVIL", -"EYED", -"FACE", -"FACT", -"FADE", -"FAIL", -"FAIN", -"FAIR", -"FAKE", -"FALL", -"FAME", -"FANG", -"FARM", -"FAST", -"FATE", -"FAWN", -"FEAR", -"FEAT", -"FEED", -"FEEL", -"FEET", -"FELL", -"FELT", -"FEND", -"FERN", -"FEST", -"FEUD", -"FIEF", -"FIGS", -"FILE", -"FILL", -"FILM", -"FIND", -"FINE", -"FINK", -"FIRE", -"FIRM", -"FISH", -"FISK", -"FIST", -"FITS", -"FIVE", -"FLAG", -"FLAK", -"FLAM", -"FLAT", -"FLAW", -"FLEA", -"FLED", -"FLEW", -"FLIT", -"FLOC", -"FLOG", -"FLOW", -"FLUB", -"FLUE", -"FOAL", -"FOAM", -"FOGY", -"FOIL", -"FOLD", -"FOLK", -"FOND", -"FONT", -"FOOD", -"FOOL", -"FOOT", -"FORD", -"FORE", -"FORK", -"FORM", -"FORT", -"FOSS", -"FOUL", -"FOUR", -"FOWL", -"FRAU", -"FRAY", -"FRED", -"FREE", -"FRET", -"FREY", -"FROG", -"FROM", -"FUEL", -"FULL", -"FUME", -"FUND", -"FUNK", -"FURY", -"FUSE", -"FUSS", -"GAFF", -"GAGE", -"GAIL", -"GAIN", -"GAIT", -"GALA", -"GALE", -"GALL", -"GALT", -"GAME", -"GANG", -"GARB", -"GARY", -"GASH", -"GATE", -"GAUL", -"GAUR", -"GAVE", -"GAWK", -"GEAR", -"GELD", -"GENE", -"GENT", -"GERM", -"GETS", -"GIBE", -"GIFT", -"GILD", -"GILL", -"GILT", -"GINA", -"GIRD", -"GIRL", -"GIST", -"GIVE", -"GLAD", -"GLEE", -"GLEN", -"GLIB", -"GLOB", -"GLOM", -"GLOW", -"GLUE", -"GLUM", -"GLUT", -"GOAD", -"GOAL", -"GOAT", -"GOER", -"GOES", -"GOLD", -"GOLF", -"GONE", -"GONG", -"GOOD", -"GOOF", -"GORE", -"GORY", -"GOSH", -"GOUT", -"GOWN", -"GRAB", -"GRAD", -"GRAY", -"GREG", -"GREW", -"GREY", -"GRID", -"GRIM", -"GRIN", -"GRIT", -"GROW", -"GRUB", -"GULF", -"GULL", -"GUNK", -"GURU", -"GUSH", -"GUST", -"GWEN", -"GWYN", -"HAAG", -"HAAS", -"HACK", -"HAIL", -"HAIR", -"HALE", -"HALF", -"HALL", -"HALO", -"HALT", -"HAND", -"HANG", -"HANK", -"HANS", -"HARD", -"HARK", -"HARM", -"HART", -"HASH", -"HAST", -"HATE", -"HATH", -"HAUL", -"HAVE", -"HAWK", -"HAYS", -"HEAD", -"HEAL", -"HEAR", -"HEAT", -"HEBE", -"HECK", -"HEED", -"HEEL", -"HEFT", -"HELD", -"HELL", -"HELM", -"HERB", -"HERD", -"HERE", -"HERO", -"HERS", -"HESS", -"HEWN", -"HICK", -"HIDE", -"HIGH", -"HIKE", -"HILL", -"HILT", -"HIND", -"HINT", -"HIRE", -"HISS", -"HIVE", -"HOBO", -"HOCK", -"HOFF", -"HOLD", -"HOLE", -"HOLM", -"HOLT", -"HOME", -"HONE", -"HONK", -"HOOD", -"HOOF", -"HOOK", -"HOOT", -"HORN", -"HOSE", -"HOST", -"HOUR", -"HOVE", -"HOWE", -"HOWL", -"HOYT", -"HUCK", -"HUED", -"HUFF", -"HUGE", -"HUGH", -"HUGO", -"HULK", -"HULL", -"HUNK", -"HUNT", -"HURD", -"HURL", -"HURT", -"HUSH", -"HYDE", -"HYMN", -"IBIS", -"ICON", -"IDEA", -"IDLE", -"IFFY", -"INCA", -"INCH", -"INTO", -"IONS", -"IOTA", -"IOWA", -"IRIS", -"IRMA", -"IRON", -"ISLE", -"ITCH", -"ITEM", -"IVAN", -"JACK", -"JADE", -"JAIL", -"JAKE", -"JANE", -"JAVA", -"JEAN", -"JEFF", -"JERK", -"JESS", -"JEST", -"JIBE", -"JILL", -"JILT", -"JIVE", -"JOAN", -"JOBS", -"JOCK", -"JOEL", -"JOEY", -"JOHN", -"JOIN", -"JOKE", -"JOLT", -"JOVE", -"JUDD", -"JUDE", -"JUDO", -"JUDY", -"JUJU", -"JUKE", -"JULY", -"JUNE", -"JUNK", -"JUNO", -"JURY", -"JUST", -"JUTE", -"KAHN", -"KALE", -"KANE", -"KANT", -"KARL", -"KATE", -"KEEL", -"KEEN", -"KENO", -"KENT", -"KERN", -"KERR", -"KEYS", -"KICK", -"KILL", -"KIND", -"KING", -"KIRK", -"KISS", -"KITE", -"KLAN", -"KNEE", -"KNEW", -"KNIT", -"KNOB", -"KNOT", -"KNOW", -"KOCH", -"KONG", -"KUDO", -"KURD", -"KURT", -"KYLE", -"LACE", -"LACK", -"LACY", -"LADY", -"LAID", -"LAIN", -"LAIR", -"LAKE", -"LAMB", -"LAME", -"LAND", -"LANE", -"LANG", -"LARD", -"LARK", -"LASS", -"LAST", -"LATE", -"LAUD", -"LAVA", -"LAWN", -"LAWS", -"LAYS", -"LEAD", -"LEAF", -"LEAK", -"LEAN", -"LEAR", -"LEEK", -"LEER", -"LEFT", -"LEND", -"LENS", -"LENT", -"LEON", -"LESK", -"LESS", -"LEST", -"LETS", -"LIAR", -"LICE", -"LICK", -"LIED", -"LIEN", -"LIES", -"LIEU", -"LIFE", -"LIFT", -"LIKE", -"LILA", -"LILT", -"LILY", -"LIMA", -"LIMB", -"LIME", -"LIND", -"LINE", -"LINK", -"LINT", -"LION", -"LISA", -"LIST", -"LIVE", -"LOAD", -"LOAF", -"LOAM", -"LOAN", -"LOCK", -"LOFT", -"LOGE", -"LOIS", -"LOLA", -"LONE", -"LONG", -"LOOK", -"LOON", -"LOOT", -"LORD", -"LORE", -"LOSE", -"LOSS", -"LOST", -"LOUD", -"LOVE", -"LOWE", -"LUCK", -"LUCY", -"LUGE", -"LUKE", -"LULU", -"LUND", -"LUNG", -"LURA", -"LURE", -"LURK", -"LUSH", -"LUST", -"LYLE", -"LYNN", -"LYON", -"LYRA", -"MACE", -"MADE", -"MAGI", -"MAID", -"MAIL", -"MAIN", -"MAKE", -"MALE", -"MALI", -"MALL", -"MALT", -"MANA", -"MANN", -"MANY", -"MARC", -"MARE", -"MARK", -"MARS", -"MART", -"MARY", -"MASH", -"MASK", -"MASS", -"MAST", -"MATE", -"MATH", -"MAUL", -"MAYO", -"MEAD", -"MEAL", -"MEAN", -"MEAT", -"MEEK", -"MEET", -"MELD", -"MELT", -"MEMO", -"MEND", -"MENU", -"MERT", -"MESH", -"MESS", -"MICE", -"MIKE", -"MILD", -"MILE", -"MILK", -"MILL", -"MILT", -"MIMI", -"MIND", -"MINE", -"MINI", -"MINK", -"MINT", -"MIRE", -"MISS", -"MIST", -"MITE", -"MITT", -"MOAN", -"MOAT", -"MOCK", -"MODE", -"MOLD", -"MOLE", -"MOLL", -"MOLT", -"MONA", -"MONK", -"MONT", -"MOOD", -"MOON", -"MOOR", -"MOOT", -"MORE", -"MORN", -"MORT", -"MOSS", -"MOST", -"MOTH", -"MOVE", -"MUCH", -"MUCK", -"MUDD", -"MUFF", -"MULE", -"MULL", -"MURK", -"MUSH", -"MUST", -"MUTE", -"MUTT", -"MYRA", -"MYTH", -"NAGY", -"NAIL", -"NAIR", -"NAME", -"NARY", -"NASH", -"NAVE", -"NAVY", -"NEAL", -"NEAR", -"NEAT", -"NECK", -"NEED", -"NEIL", -"NELL", -"NEON", -"NERO", -"NESS", -"NEST", -"NEWS", -"NEWT", -"NIBS", -"NICE", -"NICK", -"NILE", -"NINA", -"NINE", -"NOAH", -"NODE", -"NOEL", -"NOLL", -"NONE", -"NOOK", -"NOON", -"NORM", -"NOSE", -"NOTE", -"NOUN", -"NOVA", -"NUDE", -"NULL", -"NUMB", -"OATH", -"OBEY", -"OBOE", -"ODIN", -"OHIO", -"OILY", -"OINT", -"OKAY", -"OLAF", -"OLDY", -"OLGA", -"OLIN", -"OMAN", -"OMEN", -"OMIT", -"ONCE", -"ONES", -"ONLY", -"ONTO", -"ONUS", -"ORAL", -"ORGY", -"OSLO", -"OTIS", -"OTTO", -"OUCH", -"OUST", -"OUTS", -"OVAL", -"OVEN", -"OVER", -"OWLY", -"OWNS", -"QUAD", -"QUIT", -"QUOD", -"RACE", -"RACK", -"RACY", -"RAFT", -"RAGE", -"RAID", -"RAIL", -"RAIN", -"RAKE", -"RANK", -"RANT", -"RARE", -"RASH", -"RATE", -"RAVE", -"RAYS", -"READ", -"REAL", -"REAM", -"REAR", -"RECK", -"REED", -"REEF", -"REEK", -"REEL", -"REID", -"REIN", -"RENA", -"REND", -"RENT", -"REST", -"RICE", -"RICH", -"RICK", -"RIDE", -"RIFT", -"RILL", -"RIME", -"RING", -"RINK", -"RISE", -"RISK", -"RITE", -"ROAD", -"ROAM", -"ROAR", -"ROBE", -"ROCK", -"RODE", -"ROIL", -"ROLL", -"ROME", -"ROOD", -"ROOF", -"ROOK", -"ROOM", -"ROOT", -"ROSA", -"ROSE", -"ROSS", -"ROSY", -"ROTH", -"ROUT", -"ROVE", -"ROWE", -"ROWS", -"RUBE", -"RUBY", -"RUDE", -"RUDY", -"RUIN", -"RULE", -"RUNG", -"RUNS", -"RUNT", -"RUSE", -"RUSH", -"RUSK", -"RUSS", -"RUST", -"RUTH", -"SACK", -"SAFE", -"SAGE", -"SAID", -"SAIL", -"SALE", -"SALK", -"SALT", -"SAME", -"SAND", -"SANE", -"SANG", -"SANK", -"SARA", -"SAUL", -"SAVE", -"SAYS", -"SCAN", -"SCAR", -"SCAT", -"SCOT", -"SEAL", -"SEAM", -"SEAR", -"SEAT", -"SEED", -"SEEK", -"SEEM", -"SEEN", -"SEES", -"SELF", -"SELL", -"SEND", -"SENT", -"SETS", -"SEWN", -"SHAG", -"SHAM", -"SHAW", -"SHAY", -"SHED", -"SHIM", -"SHIN", -"SHOD", -"SHOE", -"SHOT", -"SHOW", -"SHUN", -"SHUT", -"SICK", -"SIDE", -"SIFT", -"SIGH", -"SIGN", -"SILK", -"SILL", -"SILO", -"SILT", -"SINE", -"SING", -"SINK", -"SIRE", -"SITE", -"SITS", -"SITU", -"SKAT", -"SKEW", -"SKID", -"SKIM", -"SKIN", -"SKIT", -"SLAB", -"SLAM", -"SLAT", -"SLAY", -"SLED", -"SLEW", -"SLID", -"SLIM", -"SLIT", -"SLOB", -"SLOG", -"SLOT", -"SLOW", -"SLUG", -"SLUM", -"SLUR", -"SMOG", -"SMUG", -"SNAG", -"SNOB", -"SNOW", -"SNUB", -"SNUG", -"SOAK", -"SOAR", -"SOCK", -"SODA", -"SOFA", -"SOFT", -"SOIL", -"SOLD", -"SOME", -"SONG", -"SOON", -"SOOT", -"SORE", -"SORT", -"SOUL", -"SOUR", -"SOWN", -"STAB", -"STAG", -"STAN", -"STAR", -"STAY", -"STEM", -"STEW", -"STIR", -"STOW", -"STUB", -"STUN", -"SUCH", -"SUDS", -"SUIT", -"SULK", -"SUMS", -"SUNG", -"SUNK", -"SURE", -"SURF", -"SWAB", -"SWAG", -"SWAM", -"SWAN", -"SWAT", -"SWAY", -"SWIM", -"SWUM", -"TACK", -"TACT", -"TAIL", -"TAKE", -"TALE", -"TALK", -"TALL", -"TANK", -"TASK", -"TATE", -"TAUT", -"TEAL", -"TEAM", -"TEAR", -"TECH", -"TEEM", -"TEEN", -"TEET", -"TELL", -"TEND", -"TENT", -"TERM", -"TERN", -"TESS", -"TEST", -"THAN", -"THAT", -"THEE", -"THEM", -"THEN", -"THEY", -"THIN", -"THIS", -"THUD", -"THUG", -"TICK", -"TIDE", -"TIDY", -"TIED", -"TIER", -"TILE", -"TILL", -"TILT", -"TIME", -"TINA", -"TINE", -"TINT", -"TINY", -"TIRE", -"TOAD", -"TOGO", -"TOIL", -"TOLD", -"TOLL", -"TONE", -"TONG", -"TONY", -"TOOK", -"TOOL", -"TOOT", -"TORE", -"TORN", -"TOTE", -"TOUR", -"TOUT", -"TOWN", -"TRAG", -"TRAM", -"TRAY", -"TREE", -"TREK", -"TRIG", -"TRIM", -"TRIO", -"TROD", -"TROT", -"TROY", -"TRUE", -"TUBA", -"TUBE", -"TUCK", -"TUFT", -"TUNA", -"TUNE", -"TUNG", -"TURF", -"TURN", -"TUSK", -"TWIG", -"TWIN", -"TWIT", -"ULAN", -"UNIT", -"URGE", -"USED", -"USER", -"USES", -"UTAH", -"VAIL", -"VAIN", -"VALE", -"VARY", -"VASE", -"VAST", -"VEAL", -"VEDA", -"VEIL", -"VEIN", -"VEND", -"VENT", -"VERB", -"VERY", -"VETO", -"VICE", -"VIEW", -"VINE", -"VISE", -"VOID", -"VOLT", -"VOTE", -"WACK", -"WADE", -"WAGE", -"WAIL", -"WAIT", -"WAKE", -"WALE", -"WALK", -"WALL", -"WALT", -"WAND", -"WANE", -"WANG", -"WANT", -"WARD", -"WARM", -"WARN", -"WART", -"WASH", -"WAST", -"WATS", -"WATT", -"WAVE", -"WAVY", -"WAYS", -"WEAK", -"WEAL", -"WEAN", -"WEAR", -"WEED", -"WEEK", -"WEIR", -"WELD", -"WELL", -"WELT", -"WENT", -"WERE", -"WERT", -"WEST", -"WHAM", -"WHAT", -"WHEE", -"WHEN", -"WHET", -"WHOA", -"WHOM", -"WICK", -"WIFE", -"WILD", -"WILL", -"WIND", -"WINE", -"WING", -"WINK", -"WINO", -"WIRE", -"WISE", -"WISH", -"WITH", -"WOLF", -"WONT", -"WOOD", -"WOOL", -"WORD", -"WORE", -"WORK", -"WORM", -"WORN", -"WOVE", -"WRIT", -"WYNN", -"YALE", -"YANG", -"YANK", -"YARD", -"YARN", -"YAWL", -"YAWN", -"YEAH", -"YEAR", -"YELL", -"YOGA", -"YOKE" -}; - -/* Encode 8 bytes in 'c' as a string of English words. - * Returns a pointer to a static buffer - */ -char * -btoe(engout,c) -char *c, *engout; -{ - char cp[9]; /* add in room for the parity 2 bits*/ - int p,i ; - - engout[0] = '\0'; - memcpy(cp, c,8); - /* compute parity */ - for(p = 0,i = 0; i < 64;i += 2) - p += extract(cp,i,2); - - cp[8] = (char)p << 6; - strncat(engout,&Wp[extract(cp, 0,11)][0],4); - strcat(engout," "); - strncat(engout,&Wp[extract(cp,11,11)][0],4); - strcat(engout," "); - strncat(engout,&Wp[extract(cp,22,11)][0],4); - strcat(engout," "); - strncat(engout,&Wp[extract(cp,33,11)][0],4); - strcat(engout," "); - strncat(engout,&Wp[extract(cp,44,11)][0],4); - strcat(engout," "); - strncat(engout,&Wp[extract(cp,55,11)][0],4); -#ifdef notdef - printf("engout is %s\n\r",engout); -#endif - return(engout); -} - -/* convert English to binary - * returns 1 OK - all good words and parity is OK - * 0 word not in data base - * -1 badly formed in put ie > 4 char word - * -2 words OK but parity is wrong - */ -int -etob(out, e) -char *out; -char *e; -{ - char *word, *cp; - int i, v,l, low,high; - unsigned int p; - char b[9]; - char input[36]; - - if(e == NULL) - return -1; - - strncpy(input,e,sizeof(input)); - cp = input; - memset(b, 0, sizeof(b)); - memset(out, 0, 8); - for(i=0,p=0;i<6;i++,p+=11){ - while ((word = strsep(&cp, " ")) != NULL && *word == '\0') - ; - if (word == NULL) - return -1; - l = strlen(word); - if(l > 4 || l < 1){ - return -1; - } else if(l < 4){ - low = 0; - high = 570; - } else { - low = 571; - high = 2047; - } - standard(word); - if( (v = wsrch(word,low,high)) < 0 ) - return 0; - insert(b,v,(int)p,11); - } - - /* now check the parity of what we got */ - for(p = 0, i = 0; i < 64; i +=2) - p += extract(b, i, 2); - - if( (p & 3) != extract(b, 64,2) ) - return -2; - - memcpy(out,b,8); - - return 1; -} -/* Display 8 bytes as a series of 16-bit hex digits */ -char * -put8(out,s) -char *out; -char *s; -{ - sprintf(out,"%02X%02X %02X%02X %02X%02X %02X%02X", - s[0] & 0xff,s[1] & 0xff,s[2] & 0xff, - s[3] & 0xff,s[4] & 0xff,s[5] & 0xff, - s[6] & 0xff,s[7] & 0xff); - return out; -} -#ifdef notdef -/* Encode 8 bytes in 'cp' as stream of ascii letters. - * Provided as a possible alternative to btoe() - */ -char * -btoc(cp) -char *cp; -{ - int i; - static char out[31]; - - /* code out put by characters 6 bits each added to 0x21 (!)*/ - for(i=0;i <= 10;i++){ - /* last one is only 4 bits not 6*/ - out[i] = '!'+ extract(cp,6*i,i >= 10 ? 4:6); - } - out[i] = '\0'; - return(out); -} -#endif - -/* Internal subroutines for word encoding/decoding */ - -/* Dictionary binary search */ -static int -wsrch(w,low,high) -char *w; -int low, high; -{ - int i,j; - - for(;;){ - i = (low + high)/2; - if((j = strncmp(w,Wp[i],4)) == 0) - return i; /* Found it */ - if(high == low+1){ - /* Avoid effects of integer truncation in /2 */ - if(strncmp(w,Wp[high],4) == 0) - return high; - else - return -1; - } - if(low >= high) - return -1; /* I don't *think* this can happen...*/ - if(j < 0) - high = i; /* Search lower half */ - else - low = i; /* Search upper half */ - } -} -static void -insert(s, x, start, length) -char *s; -int x; -int start, length; -{ - unsigned char cl; - unsigned char cc; - unsigned char cr; - unsigned long y; - int shift; - - assert(length <= 11); - assert(start >= 0); - assert(length >= 0); - assert(start +length <= 66); - - shift = ((8 -(( start + length) % 8))%8); - y = (long) x << shift; - cl = (y >> 16) & 0xff; - cc = (y >> 8) & 0xff; - cr = y & 0xff; - if(shift + length > 16){ - s[start /8] |= cl; - s[start/8 +1] |= cc; - s[start/8 +2] |= cr; - } else if(shift +length > 8){ - s[start/8] |= cc; - s[start/8 + 1] |= cr; - } else { - s[start/8] |= cr; - } -} - -static void -standard(word) -register char *word; -{ - while(*word){ - if(!isascii(*word)) - break; - if(islower(*word)) - *word = toupper(*word); - if(*word == '1') - *word = 'L'; - if(*word == '0') - *word = 'O'; - if(*word == '5') - *word = 'S'; - word++; - } -} - -/* Extract 'length' bits from the char array 's' starting with bit 'start' */ -static unsigned long -extract(s, start, length) -char *s; -int start, length; -{ - unsigned char cl; - unsigned char cc; - unsigned char cr; - unsigned long x; - - assert(length <= 11); - assert(start >= 0); - assert(length >= 0); - assert(start +length <= 66); - - cl = s[start/8]; - cc = s[start/8 +1]; - cr = s[start/8 +2]; - x = ((long)(cl<<8 | cc) <<8 | cr) ; - x = x >> (24 - (length + (start %8))); - x =( x & (0xffff >> (16-length) ) ); - return(x); -} - diff --git a/lib/libskey/skey.1 b/lib/libskey/skey.1 deleted file mode 100644 index bc8bbd5..0000000 --- a/lib/libskey/skey.1 +++ /dev/null @@ -1,91 +0,0 @@ -.\" @(#)skey.1 1.1 10/28/93 -.\" $FreeBSD$ -.\" -.Dd October 28, 1993 -.Dt KEY 1 -.Os -.Sh NAME -.Nm S/key -.Nd "a procedure to use one time passwords for accessing computer systems" -.Sh DESCRIPTION -.Nm -is a procedure for using one time password to authenticate access to -computer systems. -It uses 64 bits of information transformed by the -MD4 algorithm. -The user supplies the 64 bits in the form of 6 English -words that are generated by a secure computer. -Example use of the -.Nm -program -.Nm key : -.Bd -literal -offset indent ->key 99 th91334 -Enter password: <your secret password is entered here> -OMEN US HORN OMIT BACK AHOY -> -.Ed -.Pp -The programs that are part of the -.Nm -system are -.Nm keyinit , key , -and -.Nm keyinfo . -.Nm Keyinit -is used to get your ID set up, -.Nm key -is -used to get the one time password each time, -.Nm keyinfo -is used to extract information from the -.Nm -database. -.Pp -When you run -.Nm keyinit -you inform the system of your -secret password. -Running -.Nm key -then generates the -one-time passwords, and also requires your secret -password. -If however, you misspell your password -while running -.Nm key , -you will get a list of passwords -that will not work, and no indication about the problem. -.Pp -Password sequence numbers count backward from 99. -If you don't know this, the syntax for -.Nm key -will be confusing. -.Pp -You can enter the passwords using small letters, even -though the -.Nm key -program gives them in caps. -.Pp -.Tn Macintosh -and a general purpose -.Tn PC -use are available. -.Pp -Under -.Fx , -you can control, with -.Pa /etc/skey.access , -from which hosts and/or networks the use of -.Nm -passwords is obligated. -.Sh SEE ALSO -.Xr key 1 , -.Xr keyinfo 1 , -.Xr keyinit 1 , -.Xr skey.access 5 -.Sh AUTHORS -.An Phil Karn -.An Neil M. Haller -.An John S. Walden -.An Scott Chasin diff --git a/lib/libskey/skey.3 b/lib/libskey/skey.3 deleted file mode 100644 index b52da5b..0000000 --- a/lib/libskey/skey.3 +++ /dev/null @@ -1,163 +0,0 @@ -.\" Copyright (c) 1996 -.\" David L. Nugent. All Rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in the -.\" documentation and/or other materials provided with the distribution. -.\" -.\" THIS SOFTWARE IS PROVIDED BY DAVID L. NUGENT AND CONTRIBUTORS ``AS IS'' AND -.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -.\" ARE DISCLAIMED. IN NO EVENT SHALL DAVID L. NUGENT OR CONTRIBUTORS BE LIABLE -.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -.\" SUCH DAMAGE. -.\" -.\" $FreeBSD$ -.\" -.Dd December 22, 1996 -.Dt SKEY 3 -.Os -.Sh NAME -.Nm skeylookup , -.Nm skeyverify , -.Nm skeychallenge , -.Nm skeyinfo , -.Nm skeyaccess , -.Nm skey_getpass , -.Nm skey_crypt -.Nd library routines for S/Key password control table access -.Sh LIBRARY -.Lb libskey -.Sh SYNOPSIS -.Fd #include <stdio.h> -.Fd #include <skey.h> -.Ft int -.Fn skeylookup "struct skey *mp" "const char *name" -.Ft int -.Fn skeyverify "struct skey *mp" "char *response" -.Ft int -.Fn skeychallenge "struct skey *mp" "const char *name" "char *challenge" -.Ft int -.Fn skeyinfo "struct skey *mp" "const char *name" "char *ss" -.Ft int -.Fn skeyaccess "char *user" "const char *port" "const char *host" "const char *addr" -.Ft char * -.Fn skey_getpass "const char *prompt" "struct passwd *pwd" "int pwok" -.Ft const char * -.Fn skey_crypt "char *pp" "char *salt" "struct passwd *pwd" "int pwok" -.Sh DESCRIPTION -These routes support the S/Key one time password system used for -accessing computer systems. -See -.Xr skey 1 -for more information about the S/Key system itself. -.Pp -.Pp -.Fn skeylookup -finds an entry in the one-time password database. -On success (an entry is found corresponding to the given name), -they skey structure passed by the caller is filled and 0 is -returned, with the file read/write pointer positioned at the -beginning of the record found. -If no entry is found corresponding to the given name, the file -read/write pointer is positioned at end of file and the routine -returns 1. -If the database cannot be opened or an access error occurs, -.Fn skeylookup -returns -1. -.Pp -The -.Fn skeyinfo -function looks up skey info for user 'name'. -If successful, the caller's skey structure is filled and -.Fn skeyinfo -returns 0. -If an optional challenge string buffer is given, it is updated. -If unsuccessful (e.g. if the name is unknown, or the database -cannot be accessed) -1 is returned. -.Pp -.Fn skeychallenge -returns an skey challenge string for 'name'. -If successful, the caller's skey structure is filled, and -the function returns 0, with the file read/write pointer -left at the start of the record. -If unsuccessful (ie. the name was not found), the function -returns -1 and the database is closed. -.Pp -.Fn skeyverify -verifies a response to an s/key challenge. -If this function returns 0, the verify was successful and -the database was updated. -If 1 is returned, the verify failed and the database remains -unchanged. -If -1 is returned, some sort of error occurred with the database, -and the database is left unchanged. -The s/key database is always closed by this call. -.Pp -The -.Fn skey_getpass -function may be used to read regular or s/key passwords. -The prompt to use is passed to the function, along with the -full (secure) struct passwd for the user to be verified. -.Fn skey_getpass -uses the standard library getpass on the first attempt at -retrieving the user's password, and if that is blank, turns -echo back on and retrieves the S/Key password. -In either case, the entered string is returned back to the -caller. -.Pp -The -.Fn skey_crypt -is a wrapper function for the standard library -.Xr crypt 3 , -which returns the encrypted UNIX password if either the given -s/key or regular passwords are ok. -.Fn skey_crypt -first attempts verification of the given password via the skey -method, and will return the encrypted password from the -passwd structure if it can be verified, as though the user had -actually entered the correct UNIX password. -If s/key password verification does not work, then the password -is encrypted in the usual way and the result passed back to the -caller. -If the passwd structure pointer is NULL, -.Fn skey_crypt -returns a non-NULL string which could not possibly be a valid -UNIX password (namely, a string containing ":"). -.Pp -The -.Fn skeyaccess -function determines whether traditional UNIX (non-S/Key) passwords -are permitted for any combination of user name, group member, -terminal port, host name, and network. If UNIX passwords are allowed, -.Fn skeyaccess -returns a non-zero value. If UNIX passwords are not allowed, it -returns 0. See -.Xr skey.access 5 -for more information on the layout and structure of the -skey.access configuration file which this function uses. -.Sh RETURN VALUES -See above. -.Sh SEE ALSO -.Xr skey 1 , -.Xr skey.access 5 -.Sh BUGS -No advisory locking is done on the s/key database to guard against -simultaneous access from multiple processes. -This is not normally a problem when keys are added to or updated -in the file, but may be problematic when keys are removed. -.Sh AUTHORS -.An Phil Karn , -.An Neil M. Haller , -.An John S. Walden , -.An Scott Chasin diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5 deleted file mode 100644 index e9586b5..0000000 --- a/lib/libskey/skey.access.5 +++ /dev/null @@ -1,224 +0,0 @@ -.\" $FreeBSD$ -.\" -.Dd January 12, 2001 -.Dt SKEY.ACCESS 5 -.Os -.Sh NAME -.Nm skey.access -.Nd "S/Key password control table" -.Sh DESCRIPTION -The S/Key password control table -.Pq Pa /etc/skey.access -is used by -.Nm login Ns \-like -programs to determine when -.Ux -passwords may be used -to access the system. -.Bl -bullet -.It -When the table does not exist, there are no password restrictions. -The user may enter the -.Ux -password or the S/Key one. -.It -When the table does exist, -.Ux -passwords are permitted only when -explicitly specified. -.It -For the sake of sanity, -.Ux -passwords are always permitted on the -systems console. -.El -.Sh TABLE FORMAT -The format of the table is one rule per line. -Rules are matched in order. -The search terminates when the first matching rule is found, or -when the end of the table is reached. -.Pp -Rules have the form: -.Pp -.Bl -item -offset indent -compact -.It -.Ic permit -.Ar condition condition ... -.It -.Ic deny -.Ar condition condition ... -.El -.Pp -where -.Ic permit -and -.Ic deny -may be followed by zero or more -.Ar conditions . -Comments begin with a -.Ql # -character, and extend through the end of the line. -Empty lines or -lines with only comments are ignored. -.Pp -A rule is matched when all conditions are satisfied. -A rule without -conditions is always satisfied. -For example, the last entry could -be a line with just the word -.Ic deny -on it. -.Sh CONDITIONS -.Bl -tag -width indent -.It Ic hostname Ar wzv.win.tue.nl -True when the login comes from host -.Ar wzv.win.tue.nl . -See the -.Sx WARNINGS -section below. -.It Ic internet Ar 131.155.210.0 255.255.255.0 -True when the remote host has an internet address in network -.Ar 131.155.210 . -The general form of a net/mask rule is: -.Pp -.D1 Ic internet Ar net mask -.Pp -The expression is true when the host has an internet address for which -the bitwise and of -.Ar address -and -.Ar mask -equals -.Ar net . -See the -.Sx WARNINGS -section below. -.It Ic port Ar ttya -True when the login terminal is equal to -.Pa /dev/ttya . -Remember that -.Ux -passwords are always permitted with logins on the -system console. -.It Ic user Ar uucp -True when the user attempts to log in as -.Ar uucp . -.It Ic group Ar wheel -True when the user attempts to log in as a member of the -.Ar wheel -group. -.El -.Sh COMPATIBILITY -For the sake of backwards compatibility, the -.Ic internet -keyword may be omitted from net/mask patterns. -.Sh WARNINGS -When the S/Key control table -.Pq Pa /etc/skey.access -exists, users without S/Key passwords will be able to login only -where its rules allow the use of -.Ux -passwords. -In particular, this -means that an invocation of -.Xr login 1 -in a pseudo-tty (e.g. from -within -.Xr xterm 1 -or -.Xr screen 1 -will be treated as a login -that is neither from the console nor from the network, mandating the use -of an S/Key password. -Such an invocation of -.Xr login 1 -will necessarily -fail for those users who do not have an S/Key password. -.Pp -Several rule types depend on host name or address information obtained -through the network. -What follows is a list of conceivable attacks to force the system to permit -.Ux -passwords. -.Ss "Host address spoofing (source routing)" -An intruder configures a local interface to an address in a trusted -network and connects to the victim using that source address. -Given -the wrong client address, the victim draws the wrong conclusion from -rules based on host addresses or from rules based on host names derived -from addresses. -.Pp -Remedies: -.Bl -enum -.It -do not permit -.Ux -passwords with network logins; -.It -use network software that discards source routing information (e.g.\& -a tcp wrapper). -.El -.Pp -Almost every network server must look up the client host name using the -client network address. -The next obvious attack therefore is: -.Ss "Host name spoofing (bad PTR record)" -An intruder manipulates the name server system so that the client -network address resolves to the name of a trusted host. -Given the -wrong host name, the victim draws the wrong conclusion from rules based -on host names, or from rules based on addresses derived from host -names. -.Pp -Remedies: -.Bl -enum -.It -do not permit -.Ux -passwords with network logins; -.It -use -network software that verifies that the hostname resolves to the client -network address (e.g. a tcp wrapper). -.El -.Pp -Some applications, such as the -.Ux -.Xr login 1 -program, must look up the -client network address using the client host name. -In addition to the -previous two attacks, this opens up yet another possibility: -.Ss "Host address spoofing (extra A record)" -An intruder manipulates the name server system so that the client host -name (also) resolves to a trusted address. -.Pp -Remedies: -.Bl -enum -.It -do not permit -.Ux -passwords with network logins; -.It -the -.Fn skeyaccess -routines ignore network addresses that appear to -belong to someone else. -.El -.Sh DIAGNOSTICS -Syntax errors are reported to the -.Xr syslogd 8 . -When an error is found -the rule is skipped. -.Sh FILES -.Bl -tag -width /etc/skey.access -.It Pa /etc/skey.access -password control table -.El -.Sh SEE ALSO -.Xr login 1 , -.Xr syslogd 8 -.Sh AUTHORS -.An Wietse Venema , -Eindhoven University of Technology, -The Netherlands. diff --git a/lib/libskey/skey.h b/lib/libskey/skey.h deleted file mode 100644 index e62d507..0000000 --- a/lib/libskey/skey.h +++ /dev/null @@ -1,60 +0,0 @@ -#ifndef _SKEY_H_ -#define _SKEY_H_ - -#include <sys/cdefs.h> - -/* Server-side data structure for reading keys file during login */ -struct skey { - FILE *keyfile; - char buf[256]; - char *logname; - int n; - char *seed; - char *val; - long recstart; /*needed so reread of buffer is efficient*/ -}; - -#ifdef _SKEY_INTERNAL -/* Client-side structure for scanning data stream for challenge */ -struct mc { - char buf[256]; - int skip; - int cnt; -}; - -#define atob8 _sk_atob8 -#define btoa8 _sk_btoa8 -#define btoe _sk_btoe -#define etob _sk_etob -#define f _sk_f -#define htoi _sk_htoi -#define keycrunch _sk_keycrunch -#define put8 _sk_put8 -#define readpass _sk_readpass -#define rip _sk_rip -#define sevenbit _sk_sevenbit - -void f __P((char *x)); -int keycrunch __P((char *result,const char *seed,const char *passwd)); -char *btoe __P((char *engout,char *c)); -char *put8 __P((char *out,char *s)); -int atob8 __P((char *out, char *in)); -int btoa8 __P((char *out, char *in)); -int htoi __P((char c)); -int etob __P((char *out,char *e)); -void sevenbit __P((char *s)); -char *readpass __P((char *buf, int n)); -void rip __P((char *buf)); -#endif /* _SKEY_INTERNAL */ - -/* Simplified application programming interface. */ -#include <pwd.h> -int skeylookup __P((struct skey *mp, const char *name)); -int skeyverify __P((struct skey *mp, char *response)); -int skeychallenge __P((struct skey *mp, const char *name, char *challenge)); -int skeyinfo __P((struct skey *mp, const char* name, char *ss)); -int skeyaccess __P((char *user, const char *port, const char *host, const char *addr)); -char *skey_getpass __P((const char *prompt, struct passwd * pwd, int pwok)); -const char *skey_crypt __P((char *pp, char *salt, struct passwd *pwd, int pwok)); - -#endif /* _SKEY_H_ */ diff --git a/lib/libskey/skey_crypt.c b/lib/libskey/skey_crypt.c deleted file mode 100644 index 4e3a141..0000000 --- a/lib/libskey/skey_crypt.c +++ /dev/null @@ -1,38 +0,0 @@ -/* Author: Wietse Venema, Eindhoven University of Technology. */ - -#include <string.h> -#include <stdio.h> -#include <pwd.h> -#include <unistd.h> - -#include "skey.h" - -/* skey_crypt - return encrypted UNIX passwd if s/key or regular password ok */ - -const char *skey_crypt(pp, salt, pwd, pwok) -char *pp; -char *salt; -struct passwd *pwd; -int pwok; -{ - struct skey skey; - char *p; - - /* Try s/key authentication even when the UNIX password is permitted. */ - - if (pwd != 0 && skeyinfo(&skey, pwd->pw_name, (char *) 0) == 0 - && skeyverify(&skey, pp) == 0) { - /* s/key authentication succeeded */ - return (pwd->pw_passwd); - } - - /* When s/key authentication does not work, always invoke crypt(). */ - - p = crypt(pp, salt); - if (pwok && pwd != 0 && strcmp(p, pwd->pw_passwd) == 0) - return (pwd->pw_passwd); - - /* The user does not exist or entered bad input. */ - - return (":"); -} diff --git a/lib/libskey/skey_getpass.c b/lib/libskey/skey_getpass.c deleted file mode 100644 index c3f5432..0000000 --- a/lib/libskey/skey_getpass.c +++ /dev/null @@ -1,37 +0,0 @@ -#include <unistd.h> -#include <stdio.h> -#include <skey.h> - -/* skey_getpass - read regular or s/key password */ - -char *skey_getpass(prompt, pwd, pwok) -const char *prompt; -struct passwd *pwd; -int pwok; -{ - static char buf[128]; - struct skey skey; - char *pass; - int sflag; - - /* Attempt an s/key challenge. */ - sflag = (pwd == NULL || skeyinfo(&skey, pwd->pw_name, buf)); - if (!sflag) { - printf("%s\n", buf); - if (!pwok) - printf("(s/key required)\n"); - } - - pass = getpass(prompt); - - /* Give S/Key users a chance to do it with echo on. */ - if (!sflag && !feof(stdin) && *pass == '\0') { - fputs(" (turning echo on)\n", stdout); - fputs(prompt, stdout); - fflush(stdout); - fgets(buf, sizeof(buf), stdin); - rip(buf); - return (buf); - } else - return (pass); -} diff --git a/lib/libskey/skeyaccess.c b/lib/libskey/skeyaccess.c deleted file mode 100644 index c71dd81..0000000 --- a/lib/libskey/skeyaccess.c +++ /dev/null @@ -1,588 +0,0 @@ - /* - * Figure out if UNIX passwords are permitted for any combination of user - * name, group member, terminal port, host_name or network: - * - * Programmatic interface: skeyaccess(user, port, host, addr) - * - * All arguments are null-terminated strings. Specify a null character pointer - * where information is not available. - * - * When no address information is given this code performs the host (internet) - * address lookup itself. It rejects addresses that appear to belong to - * someone else. - * - * When compiled with -DPERMIT_CONSOLE always permits UNIX passwords with - * console logins, no matter what the configuration file says. - * - * To build a stand-alone test version, compile with -DTEST and run it off an - * skey.access file in the current directory: - * - * Command-line interface: ./skeyaccess user port [host_or_ip_addr] - * - * Errors are reported via syslogd. - * - * Author: Wietse Venema, Eindhoven University of Technology. - * - * $FreeBSD$ - */ - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <string.h> -#include <netdb.h> -#include <arpa/inet.h> -#include <stdio.h> -#include <grp.h> -#include <ctype.h> -#include <syslog.h> -#include <unistd.h> -#include <stdlib.h> -#include <sys/param.h> - -#include "pathnames.h" - - /* - * Token input with one-deep pushback. - */ -static char *prev_token = 0; /* push-back buffer */ -static char *line_pointer = NULL; -static char *first_token __P((char *, int, FILE *)); -static int line_number; -static void unget_token __P((char *)); -static char *get_token __P((void)); -static char *need_token __P((void)); -static char *need_internet_addr __P((void)); - - /* - * Various forms of token matching. - */ -#define match_host_name(l) match_token((l)->host_name) -#define match_port(l) match_token((l)->port) -#define match_user(l) match_token((l)->user) -struct login_info; -static int match_internet_addr __P((struct login_info *)); -static int match_group __P((struct login_info *)); -static int match_token __P((char *)); -static int is_internet_addr __P((char *)); -static struct addrinfo *convert_internet_addr __P((char *)); -static struct addrinfo *lookup_internet_addr __P((char *)); - -#define MAX_ADDR 32 -#define PERMIT 1 -#define DENY 0 - -#ifndef CONSOLE -#define CONSOLE "console" -#endif -#ifndef VTY_PREFIX -#define VTY_PREFIX "ttyv" -#endif - -struct login_info { - char *host_name; /* host name */ - struct addrinfo *internet_addr; /* addrinfo chain */ - char *user; /* user name */ - char *port; /* login port */ -}; - -static int _skeyaccess __P((FILE *, struct login_info *)); -int skeyaccess __P((char *, char *, char *, char *)); - -/* skeyaccess - find out if UNIX passwords are permitted */ - -int skeyaccess(user, port, host, addr) -char *user; -char *port; -char *host; -char *addr; -{ - FILE *fp; - struct login_info login_info; - int result; - - /* - * Assume no restriction on the use of UNIX passwords when the s/key - * acces table does not exist. - */ - if ((fp = fopen(_PATH_SKEYACCESS, "r")) == 0) { -#ifdef TEST - fprintf(stderr, "No file %s, thus no access control\n", _PATH_SKEYACCESS); -#endif - return (PERMIT); - } - - /* - * Bundle up the arguments in a structure so we won't have to drag around - * boring long argument lists. - * - * Look up the host address when only the name is given. We try to reject - * addresses that belong to someone else. - */ - login_info.user = user; - login_info.port = port; - - if (host != NULL && !is_internet_addr(host)) { - login_info.host_name = host; - } else { - login_info.host_name = NULL; - } - - if (addr != NULL && is_internet_addr(addr)) { - login_info.internet_addr = convert_internet_addr(addr); - } else if (host != NULL) { - if (is_internet_addr(host)) { - login_info.internet_addr = convert_internet_addr(host); - } else { - login_info.internet_addr = lookup_internet_addr(host); - } - } else { - login_info.internet_addr = NULL; - } - - /* - * Print what we think the user wants us to do. - */ -#ifdef TEST - printf("port: %s\n", login_info.port); - printf("user: %s\n", login_info.user); - printf("host: %s\n", login_info.host_name ? login_info.host_name : "none"); - printf("addr: "); - if (login_info.internet_addr == NULL) { - printf("none\n"); - } else { - struct addrinfo *res; - char haddr[NI_MAXHOST]; - - for (res = login_info.internet_addr; res; res = res->ai_next) { - getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), - NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); - printf("%s%s", haddr, res->ai_next ? " " : "\n"); - } - } -#endif - result = _skeyaccess(fp, &login_info); - fclose(fp); - if (login_info.internet_addr) - freeaddrinfo(login_info.internet_addr); - return (result); -} - -/* _skeyaccess - find out if UNIX passwords are permitted */ - -static int _skeyaccess(fp, login_info) -FILE *fp; -struct login_info *login_info; -{ - char buf[BUFSIZ]; - char *tok; - int match; - int permission=DENY; - -#ifdef PERMIT_CONSOLE - if (login_info->port != 0 && - (strcmp(login_info->port, CONSOLE) == 0 || - strncmp(login_info->port, VTY_PREFIX, sizeof(VTY_PREFIX) - 1) == 0 - ) - ) - return (1); -#endif - - /* - * Scan the s/key access table until we find an entry that matches. If no - * match is found, assume that UNIX passwords are disallowed. - */ - match = 0; - while (match == 0 && (tok = first_token(buf, sizeof(buf), fp))) { - if (strncasecmp(tok, "permit", 4) == 0) { - permission = PERMIT; - } else if (strncasecmp(tok, "deny", 4) == 0) { - permission = DENY; - } else { - syslog(LOG_ERR, "%s: line %d: bad permission: %s", - _PATH_SKEYACCESS, line_number, tok); - continue; /* error */ - } - - /* - * Process all conditions in this entry until we find one that fails. - */ - match = 1; - while (match != 0 && (tok = get_token())) { - if (strcasecmp(tok, "hostname") == 0) { - match = match_host_name(login_info); - } else if (strcasecmp(tok, "port") == 0) { - match = match_port(login_info); - } else if (strcasecmp(tok, "user") == 0) { - match = match_user(login_info); - } else if (strcasecmp(tok, "group") == 0) { - match = match_group(login_info); - } else if (strcasecmp(tok, "internet") == 0) { - match = match_internet_addr(login_info); - } else if (is_internet_addr(tok)) { - unget_token(tok); - match = match_internet_addr(login_info); - } else { - syslog(LOG_ERR, "%s: line %d: bad condition: %s", - _PATH_SKEYACCESS, line_number, tok); - match = 0; - } - } - } - return (match ? permission : DENY); -} - -/* translate IPv4 mapped IPv6 address to IPv4 address */ - -static void -ai_unmapped(struct addrinfo *ai) -{ - struct sockaddr_in6 *sin6; - struct sockaddr_in *sin4; - u_int32_t addr; - int port; - - if (ai->ai_family != AF_INET6) - return; - sin6 = (struct sockaddr_in6 *)ai->ai_addr; - if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) - return; - sin4 = (struct sockaddr_in *)ai->ai_addr; - addr = *(u_int32_t *)&sin6->sin6_addr.s6_addr[12]; - port = sin6->sin6_port; - memset(sin4, 0, sizeof(struct sockaddr_in)); - sin4->sin_addr.s_addr = addr; - sin4->sin_port = port; - sin4->sin_family = AF_INET; - sin4->sin_len = sizeof(struct sockaddr_in); - ai->ai_family = AF_INET; - ai->ai_addrlen = sizeof(struct sockaddr_in); -} - -/* match_internet_addr - match internet network address */ - -static int match_internet_addr(login_info) -struct login_info *login_info; -{ - char *tok; - struct addrinfo *res; - struct sockaddr_storage pattern, mask; - struct sockaddr_in *addr4, *pattern4, *mask4; - struct sockaddr_in6 *addr6, *pattern6, *mask6; - int i, match; - - if (login_info->internet_addr == NULL) - return (0); - if ((tok = need_internet_addr()) == 0) - return (0); - if ((res = convert_internet_addr(tok)) == NULL) - return (0); - memcpy(&pattern, res->ai_addr, res->ai_addrlen); - freeaddrinfo(res); - if ((tok = need_internet_addr()) == 0) - return (0); - if ((res = convert_internet_addr(tok)) == NULL) - return (0); - memcpy(&mask, res->ai_addr, res->ai_addrlen); - freeaddrinfo(res); - if (pattern.ss_family != mask.ss_family) - return (0); - mask4 = (struct sockaddr_in *)&mask; - pattern4 = (struct sockaddr_in *)&pattern; - mask6 = (struct sockaddr_in6 *)&mask; - pattern6 = (struct sockaddr_in6 *)&pattern; - - /* - * See if any of the addresses matches a pattern in the control file. We - * have already tried to drop addresses that belong to someone else. - */ - - for (res = login_info->internet_addr; res; res = res->ai_next) { - ai_unmapped(res); - if (res->ai_family != pattern.ss_family) - continue; - switch (res->ai_family) { - case AF_INET: - addr4 = (struct sockaddr_in *)res->ai_addr; - if (addr4->sin_addr.s_addr != INADDR_NONE && - (addr4->sin_addr.s_addr & mask4->sin_addr.s_addr) == pattern4->sin_addr.s_addr) - return (1); - break; - case AF_INET6: - addr6 = (struct sockaddr_in6 *)res->ai_addr; - if (pattern6->sin6_scope_id != 0 && - addr6->sin6_scope_id != pattern6->sin6_scope_id) - break; - match = 1; - for (i = 0; i < 16; ++i) { - if ((addr6->sin6_addr.s6_addr[i] & mask6->sin6_addr.s6_addr[i]) != pattern6->sin6_addr.s6_addr[i]) { - match = 0; - break; - } - } - if (match) - return (1); - break; - } - } - return (0); -} - -/* match_group - match username against group */ - -static int match_group(login_info) -struct login_info *login_info; -{ - struct group *group; - char *tok; - char **memp; - - if ((tok = need_token()) && (group = getgrnam(tok))) { - for (memp = group->gr_mem; *memp; memp++) - if (strcmp(login_info->user, *memp) == 0) - return (1); - } - return (0); /* XXX endgrent() */ -} - -/* match_token - get and match token */ - -static int match_token(str) -char *str; -{ - char *tok; - - return (str && (tok = need_token()) && strcasecmp(str, tok) == 0); -} - -/* first_token - read line and return first token */ - -static char *first_token(buf, len, fp) -char *buf; -int len; -FILE *fp; -{ - char *cp; - - prev_token = 0; - for (;;) { - if (fgets(buf, len, fp) == 0) - return (0); - line_number++; - buf[strcspn(buf, "\r\n#")] = 0; -#ifdef TEST - if (buf[0]) - printf("rule: %s\n", buf); -#endif - line_pointer = buf; - while ((cp = strsep(&line_pointer, " \t")) != NULL && *cp == '\0') - ; - if (cp != NULL) - return (cp); - } -} - -/* unget_token - push back last token */ - -static void unget_token(cp) -char *cp; -{ - prev_token = cp; -} - -/* get_token - retrieve next token from buffer */ - -static char *get_token() -{ - char *cp; - - if ( (cp = prev_token) ) { - prev_token = 0; - } else { - while ((cp = strsep(&line_pointer, " \t")) != NULL && *cp == '\0') - ; - } - return (cp); -} - -/* need_token - complain if next token is not available */ - -static char *need_token() -{ - char *cp; - - if ((cp = get_token()) == 0) - syslog(LOG_ERR, "%s: line %d: premature end of rule", - _PATH_SKEYACCESS, line_number); - return (cp); -} - -/* need_internet_addr - complain if next token is not an internet address */ - -static char *need_internet_addr() -{ - char *cp; - - if ((cp = get_token()) == 0) { - syslog(LOG_ERR, "%s: line %d: internet address expected", - _PATH_SKEYACCESS, line_number); - return (0); - } else if (!is_internet_addr(cp)) { - syslog(LOG_ERR, "%s: line %d: bad internet address: %s", - _PATH_SKEYACCESS, line_number, cp); - return (0); - } else { - return (cp); - } -} - -/* is_internet_addr - determine if string is a dotted quad decimal address */ - -static int is_internet_addr(str) -char *str; -{ - struct addrinfo *res; - - if ((res = convert_internet_addr(str)) != NULL) - freeaddrinfo(res); - return (res != NULL); -} - -/* - * Nuke addrinfo entry from list. - * XXX: Depending on the implementation of KAME's getaddrinfo(3). - */ -static void nuke_ai(aip) -struct addrinfo **aip; -{ - struct addrinfo *ai; - - ai = *aip; - *aip = ai->ai_next; - if (ai->ai_canonname) { - if (ai->ai_next && !ai->ai_next->ai_canonname) - ai->ai_next->ai_canonname = ai->ai_canonname; - else - free(ai->ai_canonname); - } - free(ai); -} - -/* lookup_internet_addr - look up internet addresses with extreme prejudice */ - -static struct addrinfo *lookup_internet_addr(host) -char *host; -{ - struct addrinfo hints, *res0, *res, **resp; - char hname[NI_MAXHOST], haddr[NI_MAXHOST]; - int error; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_PASSIVE | AI_CANONNAME; - if (getaddrinfo(host, NULL, &hints, &res0) != 0) - return (NULL); - if (res0->ai_canonname == NULL) { - freeaddrinfo(res0); - return (NULL); - } - - /* - * Wipe addresses that appear to belong to someone else. We will get - * false alarms when when the hostname comes from DNS, while its - * addresses are listed under different names in local databases. - */ -#define NEQ(x,y) (strcasecmp((x),(y)) != 0) -#define NEQ3(x,y,n) (strncasecmp((x),(y), (n)) != 0) - - resp = &res0; - while ((res = *resp) != NULL) { - if (res->ai_family != AF_INET && res->ai_family != AF_INET6) { - nuke_ai(resp); - continue; - } - error = getnameinfo(res->ai_addr, res->ai_addrlen, - hname, sizeof(hname), - NULL, 0, NI_NAMEREQD | NI_WITHSCOPEID); - if (error) { - getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), - NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); - syslog(LOG_ERR, "address %s not registered for host %s", - haddr, res0->ai_canonname); - nuke_ai(resp); - continue; - } - if (NEQ(res0->ai_canonname, hname) && - NEQ3(res0->ai_canonname, "localhost.", 10)) { - getnameinfo(res->ai_addr, res->ai_addrlen, haddr, sizeof(haddr), - NULL, 0, NI_NUMERICHOST | NI_WITHSCOPEID); - syslog(LOG_ERR, "address %s registered for host %s and %s", - haddr, hname, res0->ai_canonname); - nuke_ai(resp); - continue; - } - resp = &res->ai_next; - } - return (res0); -} - -/* convert_internet_addr - convert string to internet address */ - -static struct addrinfo *convert_internet_addr(string) -char *string; -{ - struct addrinfo hints, *res; - - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST; - if (getaddrinfo(string, NULL, &hints, &res) != 0) - return (NULL); - return (res); -} - -#ifdef TEST - -main(argc, argv) -int argc; -char **argv; -{ - struct addrinfo hints, *res; - char host[MAXHOSTNAMELEN + 1]; - int verdict; - char *user; - char *port; - - if (argc != 3 && argc != 4) { - fprintf(stderr, "usage: %s user port [host_or_ip_address]\n", argv[0]); - exit(0); - } - if (_PATH_SKEYACCESS[0] != '/') - printf("Warning: this program uses control file: %s\n", _PATH_SKEYACCESS); - openlog("login", LOG_PID, LOG_AUTH); - - user = argv[1]; - port = argv[2]; - if (argv[3]) { - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_PASSIVE | AI_CANONNAME; - if (getaddrinfo(argv[3], NULL, &hints, &res) == 0) { - if (res->ai_canonname == NULL) - strncpy(host, argv[3], MAXHOSTNAMELEN); - else - strncpy(host, res->ai_canonname, MAXHOSTNAMELEN); - freeaddrinfo(res); - } else - strncpy(host, argv[3], MAXHOSTNAMELEN); - host[MAXHOSTNAMELEN] = 0; - } - verdict = skeyaccess(user, port, argv[3] ? host : (char *) 0, (char *) 0); - printf("UNIX passwords %spermitted\n", verdict ? "" : "NOT "); - return (0); -} - -#endif diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c deleted file mode 100644 index ae2e279..0000000 --- a/lib/libskey/skeylogin.c +++ /dev/null @@ -1,343 +0,0 @@ -/* Login code for S/KEY Authentication. S/KEY is a trademark - * of Bellcore. - * - * Mink is the former name of the S/KEY authentication system. - * Many references for mink may still be found in this program. - * - * $FreeBSD$ - */ - -#include <sys/param.h> -#include <sys/stat.h> -#include <sys/time.h> -#include <sys/resource.h> - -#include <errno.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <time.h> -#include <utmp.h> - -#include "skey.h" -#include "pathnames.h" - -static char *skipspace __P((char *)); - -#define setpriority(x,y,z) /* nothing */ - -static const char *month[12] = { - "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" -}; - -/* Look up skey info for user 'name'. If successful, fill in the caller's - * skey structure and return 0. If unsuccessful (e.g., if name is unknown) - * return -1. If an optional challenge string buffer is given, update it. - * - * The file read/write pointer is left at the start of the - * record. - */ -int -skeyinfo(mp,name,ss) -struct skey *mp; -const char *name; -char *ss; -{ - int rval; - - rval = skeylookup(mp,name); - switch(rval){ - case -1: /* File error */ - return -1; - case 0: /* Lookup succeeded */ - if (ss != 0) { - sprintf(ss, "s/key %d %s",mp->n - 1,mp->seed); - fclose(mp->keyfile); - } - return 0; - case 1: /* User not found */ - fclose(mp->keyfile); - return -1; - } - return -1; /* Can't happen */ -} - -/* Return a skey challenge string for user 'name'. If successful, - * fill in the caller's skey structure and return 0. If unsuccessful - * (e.g., if name is unknown) return -1. - * - * The file read/write pointer is left at the start of the - * record. - */ -int -skeychallenge(mp,name, ss) -struct skey *mp; -const char *name; -char *ss; -{ - int rval; - - rval = skeylookup(mp,name); - switch(rval){ - case -1: /* File error */ - return -1; - case 0: /* Lookup succeeded, issue challenge */ - sprintf(ss, "s/key %d %s",mp->n - 1,mp->seed); - return 0; - case 1: /* User not found */ - fclose(mp->keyfile); - return -1; - } - return -1; /* Can't happen */ -} - -/* Find an entry in the One-time Password database. - * Return codes: - * -1: error in opening database - * 0: entry found, file R/W pointer positioned at beginning of record - * 1: entry not found, file R/W pointer positioned at EOF - */ -int -skeylookup(mp,name) -struct skey *mp; -const char *name; -{ - int found; - size_t len; - long recstart = 0; - char *cp, *p; - struct stat statbuf; - mode_t oldmask; - - /* See if the _PATH_SKEYFILE exists, and create it if not */ - if(stat(_PATH_SKEYFILE,&statbuf) == -1 && errno == ENOENT){ - oldmask = umask(S_IRWXG|S_IRWXO); - mp->keyfile = fopen(_PATH_SKEYFILE,"w+"); - (void)umask(oldmask); - } else { - /* Otherwise open normally for update */ - mp->keyfile = fopen(_PATH_SKEYFILE,"r+"); - } - if(mp->keyfile == NULL) - return -1; - - /* Look up user name in database */ - len = strlen(name); - if(len > UT_NAMESIZE) - len = UT_NAMESIZE; - found = 0; - while(!feof(mp->keyfile)){ - recstart = ftell(mp->keyfile); - mp->recstart = recstart; - if(fgets(mp->buf,sizeof(mp->buf),mp->keyfile) != mp->buf){ - break; - } - rip(mp->buf); - if(mp->buf[0] == '#') - continue; /* Comment */ - p = mp->buf; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - if((mp->logname = cp) == NULL) - continue; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - if(cp == NULL) - continue; - mp->n = atoi(cp); - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - if((mp->seed = cp) == NULL) - continue; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - if((mp->val = cp) == NULL) - continue; - if(strlen(mp->logname) == len - && strncmp(mp->logname,name,len) == 0){ - found = 1; - break; - } - } - if(found){ - fseek(mp->keyfile,recstart,0); - return 0; - } else - return 1; -} -/* Verify response to a s/key challenge. - * - * Return codes: - * -1: Error of some sort; database unchanged - * 0: Verify successful, database updated - * 1: Verify failed, database unchanged - * - * The database file is always closed by this call. - */ -int -skeyverify(mp,response) -struct skey *mp; -char *response; -{ - char key[8]; - char fkey[8]; - char filekey[8]; - time_t now; - struct tm *tm; - char tbuf[27], fbuf[20]; - char *cp, *p; - - time(&now); - tm = localtime(&now); -/* can't use %b here, because it can be in national form */ - strftime(fbuf, sizeof(fbuf), "%d,%Y %T", tm); - snprintf(tbuf, sizeof(tbuf), " %s %s", month[tm->tm_mon], fbuf); - - if(response == NULL){ - fclose(mp->keyfile); - return -1; - } - rip(response); - - /* Convert response to binary */ - if(etob(key,response) != 1 && atob8(key,response) != 0){ - /* Neither english words or ascii hex */ - fclose(mp->keyfile); - return -1; - } - - /* Compute fkey = f(key) */ - memcpy(fkey,key,sizeof(key)); - f(fkey); - /* in order to make the window of update as short as possible - we must do the comparison here and if OK write it back - other wise the same password can be used twice to get in - to the system - */ - - setpriority(PRIO_PROCESS, 0, -4); - - /* reread the file record NOW*/ - - fseek(mp->keyfile,mp->recstart,0); - if(fgets(mp->buf,sizeof(mp->buf),mp->keyfile) != mp->buf){ - setpriority(PRIO_PROCESS, 0, 0); - fclose(mp->keyfile); - return -1; - } - rip(mp->buf); - p = mp->buf; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - mp->logname = cp; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - mp->seed = cp; - while ((cp = strsep(&p, " \t")) != NULL && *cp == '\0') - ; - mp->val = cp; - /* And convert file value to hex for comparison */ - atob8(filekey,mp->val); - - /* Do actual comparison */ - if(memcmp(filekey,fkey,8) != 0){ - /* Wrong response */ - setpriority(PRIO_PROCESS, 0, 0); - fclose(mp->keyfile); - return 1; - } - - /* Update key in database by overwriting entire record. Note - * that we must write exactly the same number of bytes as in - * the original record (note fixed width field for N) - */ - btoa8(mp->val,key); - mp->n--; - fseek(mp->keyfile,mp->recstart,0); - fprintf(mp->keyfile,"%s %04d %-16s %s %-21s\n",mp->logname,mp->n,mp->seed, - mp->val, tbuf); - - fclose(mp->keyfile); - - setpriority(PRIO_PROCESS, 0, 0); - return 0; -} - - -/* Convert 8-byte hex-ascii string to binary array - * Returns 0 on success, -1 on error - */ -int -atob8(out,in) -register char *out,*in; -{ - register int i; - register int val; - - if(in == NULL || out == NULL) - return -1; - - for(i=0;i<8;i++){ - if((in = skipspace(in)) == NULL) - return -1; - if((val = htoi(*in++)) == -1) - return -1; - *out = val << 4; - - if((in = skipspace(in)) == NULL) - return -1; - if((val = htoi(*in++)) == -1) - return -1; - *out++ |= val; - } - return 0; -} - -static -char * -skipspace(cp) -register char *cp; -{ - while(*cp == ' ' || *cp == '\t') - cp++; - - if(*cp == '\0') - return NULL; - else - return cp; -} - -/* Convert 8-byte binary array to hex-ascii string */ -int -btoa8(out,in) -register char *out,*in; -{ - register int i; - - if(in == NULL || out == NULL) - return -1; - - for(i=0;i<8;i++){ - sprintf(out,"%02x",*in++ & 0xff); - out += 2; - } - return 0; -} - - -/* Convert hex digit to binary integer */ -int -htoi(c) -register char c; -{ - if('0' <= c && c <= '9') - return c - '0'; - if('a' <= c && c <= 'f') - return 10 + c - 'a'; - if('A' <= c && c <= 'F') - return 10 + c - 'A'; - return -1; -} diff --git a/lib/libskey/skeysubr.c b/lib/libskey/skeysubr.c deleted file mode 100644 index 3230c31..0000000 --- a/lib/libskey/skeysubr.c +++ /dev/null @@ -1,135 +0,0 @@ -/* $FreeBSD$ */ - -#include <err.h> -#include <stdio.h> -#include <stdlib.h> -#include <string.h> -#include <fcntl.h> -#include <termios.h> -#include <signal.h> - -#include "skey.h" -#include "mdx.h" - -/* Crunch a key: - * concatenate the seed and the password, run through MDX and - * collapse to 64 bits. This is defined as the user's starting key. - */ -int -keycrunch(result,seed,passwd) -char *result; /* 8-byte result */ -const char *seed; /* Seed, any length */ -const char *passwd; /* Password, any length */ -{ - char *buf; - MDX_CTX md; - u_int32_t results[4]; - unsigned int buflen; - - buflen = strlen(seed) + strlen(passwd); - if((buf = malloc(buflen+1)) == NULL) - return -1; - strcpy(buf,seed); - strcat(buf,passwd); - - /* Crunch the key through MD[45] */ - sevenbit(buf); - MDXInit(&md); - MDXUpdate(&md,(unsigned char *)buf,buflen); - MDXFinal((unsigned char *)results,&md); - free(buf); - - results[0] ^= results[2]; - results[1] ^= results[3]; - - memcpy(result,(char *)results,8); - - return 0; -} - -/* The one-way function f(). Takes 8 bytes and returns 8 bytes in place */ -void -f(x) -char *x; -{ - MDX_CTX md; - u_int32_t results[4]; - - MDXInit(&md); - MDXUpdate(&md,(unsigned char *)x,8); - MDXFinal((unsigned char *)results,&md); - /* Fold 128 to 64 bits */ - results[0] ^= results[2]; - results[1] ^= results[3]; - - memcpy(x,(char *)results,8); -} - -/* Strip trailing cr/lf from a line of text */ -void -rip(buf) -char *buf; -{ - buf[strcspn(buf, "\r\n")] = 0; -} - -static struct termios saved_ttymode; - -static void interrupt __P((int)); - -static void interrupt(sig) -int sig; -{ - tcsetattr(0, TCSANOW, &saved_ttymode); - err(1, "interrupted by signal %s", sys_siglist[sig]); -} - -char * -readpass(buf,n) -char *buf; -int n; -{ - struct termios noecho_ttymode; - void (*oldsig) __P((int)); - - /* Save normal line editing modes */ - tcgetattr(0, &saved_ttymode); - if ((oldsig = signal(SIGINT, SIG_IGN)) != SIG_IGN) - signal(SIGINT, interrupt); - - /* Turn off echoing */ - tcgetattr(0, &noecho_ttymode); - noecho_ttymode.c_lflag &= ~ECHO; - tcsetattr(0, TCSANOW, &noecho_ttymode); - fgets(buf,n,stdin); - rip(buf); - - /* Restore previous tty modes */ - tcsetattr(0, TCSANOW, &saved_ttymode); - if (oldsig != SIG_IGN) - signal(SIGINT, oldsig); - - /* - after the secret key is taken from the keyboard, the line feed is - written to standard error instead of standard output. That means that - anyone using the program from a terminal won't notice, but capturing - standard output will get the key words without a newline in front of - them. - */ - fprintf(stderr, "\n"); - fflush(stderr); - sevenbit(buf); - - return buf; -} - -void -sevenbit(s) -char *s; -{ - /* make sure there are only 7 bit code in the line*/ - while(*s){ - *s &= 0x7f; - s++; - } -} |