1) Added s/key support .

2  Added optional excessive login logging.
3) Added login acces control on a per host/tty base.
4) See skey(1) for skey descriptions and src/usr.bin/login/README
  for the logging and access control features.

-Guido

5 files changed, 357 insertions, 0 deletions

diff --git a/usr.bin/key/Makefile b/usr.bin/key/Makefile
new file mode 100644
index 0000000..b8553ab
--- /dev/null
+++ b/usr.bin/key/Makefile
@@ -0,0 +1,21 @@
+
+#	@(#)Makefile	5.6 (Berkeley) 3/5/91
+#
+
+PROG=	key
+MAN1=   key.1 skey.1
+CFLAGS+=-I${.CURDIR}/../../lib
+
+
+DPADD=	/usr/bin/libskey.a
+LDADD=	-lskey
+
+.if exists(/usr/lib/libcrypt.a)
+DPADD+= ${LIBCRYPT}
+LDADD+= -lcrypt
+.endif
+
+SRCS=	skey.c
+
+.include <bsd.prog.mk>
+
diff --git a/usr.bin/key/README.WZV b/usr.bin/key/README.WZV
new file mode 100644
index 0000000..a13f3b5
--- /dev/null
+++ b/usr.bin/key/README.WZV
@@ -0,0 +1,100 @@
+One of the nice things of S/Key is that it still leaves you the option
+to use regular UNIX passwords. In fact, the presence of S/Key support
+is completely invisible for a user until she has set up a password with
+the keyinit command. You can permit regular UNIX passwords for local
+logins, while at the same time insisting on S/Key passwords for logins
+from outside.
+
+ORIGIN
+
+These files are modified versions of the s/key files found on
+thumper.bellcore.com at 21 oct 1993. They have been fixed to
+run on top of SunOS 4.1.3 and Solaris 2.3.
+
+Installation is described at the end of this file.
+
+USAGE
+
+Use the keyinit command to set up a new series of s/key passwords.
+
+    wzv_6% keyinit
+    Updating wietse:
+    Old key: wz173500
+    Reminder - Only use this method if you are direct connected.
+    If you are using telnet or dial-in exit with no password and use keyinit -s.
+    Enter secret password: 
+    Again secret password: 
+
+    ID wietse s/key is 99 wz173501
+    BLAH BLA BLAH BLAH BLAH BLA
+
+Be sure to make your secret password sufficiently long. Try using a
+full sentence instead of just one single word.
+
+You will have to do a "keyinit" on every system that you want to login
+on using one-time passwords.
+
+Whenever you log into an s/key protected system you will see
+something like:
+
+    login: wietse
+    s/key 98 wz173501
+    Password:
+
+In this case you can either enter your regular UNIX password or
+your one-time s/key password. For example, I open a local window 
+to compute the password:
+
+    local% key 98 wz173501
+    Reminder - Do not use key while logged in via telnet or rlogin.
+    Enter secret password: 
+    BLAH BLA BLAH BLAH BLAH BLA
+
+The "BLAH BLA BLAH BLAH BLAH BLA" is the one-time s/key password.
+
+If you have to type the one-time password in by hand, it is convenient
+to have echo turned on so that you can correct typing errors. Just type
+a newline at the "Password:" prompt:
+
+    login: wietse
+    s/key 98 wz173501
+    Password: (turning echo on)
+    Password:BLAH BLA BLAH BLAH BLAH BLA
+
+The 98 in the challenge will be 97 the next time, and so on. You'll get
+a warning when you are about to run out of s/key passwords, so that you
+will have to run the keyinit command again.
+
+Sometimes it is more practical to carry a piece of paper with a small
+series of one-time passwords. You can generate the list with:
+
+    % key -n 10 98 wz173501
+    98: BLAH BLA BLAH BLAH BLAH BLA
+    97: ... 
+    96: ...
+
+Be careful when printing material like this!
+
+INSTALLATION
+
+To install, do: make sunos4 (or whatever), then: make install.  
+
+The UNIX password is always permitted with non-network logins.  By
+default, UNIX passwords are always permitted (the Bellcore code by
+default disallows UNIX passwords but I think that is too painful).  In
+order to permit UNIX passwords only with logins from specific networks,
+create a file /etc/skey.access. For example,
+
+    # First word says if UNIX passwords are to be permitted or denied.
+    # remainder of the rule is a networknumber and mask. A rule matches a
+    # host if any of its addresses satisfies:
+    # 
+    #	network = (address & mask)
+    # 
+    #what	network		mask
+    permit	131.155.210.0	255.255.255.0
+    deny	0.0.0.0		0.0.0.0
+
+This particular example will permit UNIX passwords with logins from any
+host on network 131.155.210, but will insist on one-time passwords in
+all other cases.
diff --git a/usr.bin/key/key.1 b/usr.bin/key/key.1
new file mode 100644
index 0000000..d9da463
--- /dev/null
+++ b/usr.bin/key/key.1
@@ -0,0 +1,49 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)key.1	1.0 (Bellcore) 12/2/91
+.\"
+.lt 6.0i
+.TH KEY 1 "2 December 1991"
+.AT 3
+.SH NAME
+key \-  Stand\-alone program for computing responses to S/Key challenges.
+.SH SYNOPSIS
+.B key [\-n <count>] <Sequence> <key> 
+.SH DESCRIPTION
+.I key
+Takes the optional count  of the number of one time access 
+passwords to print
+along with a (maximum) sequence number and key as command line args, 
+it prompts for the user's secret password, and produces both word 
+and hex format responses.
+.SH EXAMPLE
+.sh
+  Usage example:
+.sp 0
+ 	>key \-n 5 99 th91334
+.sp 0
+ 	Enter password: <your secret password is entered here>
+.sp 0
+ 	OMEN US HORN OMIT BACK AHOY
+.sp 0
+	.... 4 more passwords.
+.sp 0
+ 	>
+.LP
+.SH OPTIONS
+.LP
+.B \-n <count>
+the number of one time access passwords to print.
+The default is one.
+.SH DIAGNOSTICS
+.SH BUGS
+.LP
+.SH SEE ALSO
+.BR skey(1),
+.BR keyinit(1),
+.BR keysu(1),
+.BR keyinfo(1)
+.SH AUTHOR
+Command by Phil Karn, Neil M. Haller, John S. Walden
+.SH CONTACT
+staff@thumper.bellcore.com
diff --git a/usr.bin/key/skey.1 b/usr.bin/key/skey.1
new file mode 100644
index 0000000..0a8b1b6
--- /dev/null
+++ b/usr.bin/key/skey.1
@@ -0,0 +1,59 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)skey.1	1.1 	10/28/93
+.\"
+.lt 6.0i
+.TH KEY 1 "28 October 1993"
+.AT 3
+.SH NAME
+S/key \-  A proceedure to use one time passwords for accessing computer systems.
+.SH DESCRIPTION
+.I S/key
+is a proceedure for using one time password to authenticate access to
+compter systems. It uses 64 bits of information transformed by the
+MD4 algorithm. The user supplies the 64 bits in the form of 6 English
+words that are generated by a secure computer.
+Example use of the S/key program 
+.I key
+.sp
+  Usage example:
+.sp 0
+ 	>key  99 th91334
+.sp 0
+ 	Enter password: <your secret password is intered here>
+.sp 0
+ 	OMEN US HORN OMIT BACK AHOY
+.sp 0
+ 	>
+.sp
+The programs that are part of the S/Key system are keyinit, key, and
+keyinfo. Keyinit is used to get your ID set up, key is
+used to get the one time password each time,
+keyinfo is used to extract information from the S/Key database.
+.sp
+When you run "keyinit" you inform the system of your
+secret password.  Running "key" then generates the
+one-time passwords, and also requires your secret
+password.  If however, you misspell your password
+while running "key", you will get a list of passwords
+that will not work, and no indication about the problem.
+.sp
+Password sequence numbers count backward from 99.  If you
+don't know this, the syntax for "key" will be confusing.
+.sp
+You can enter the passwords using small letters, even
+though the "key" program gives them in caps.
+.sp
+Macintosh and a general purpose PC use
+are available. 
+.sp
+Under FreeBSD, you can control, with /etc/skey.access, from which
+hosts and/or networks the use of S/Key passwords is obligated. 
+.LP
+.SH SEE ALSO
+.BR keyinit(1),
+.BR key(1),
+.BR keyinfo(1)
+.BR skey.access(5)
+.SH AUTHOR
+Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
diff --git a/usr.bin/key/skey.c b/usr.bin/key/skey.c
new file mode 100644
index 0000000..e025312
--- /dev/null
+++ b/usr.bin/key/skey.c
@@ -0,0 +1,128 @@
+/* Stand-alone program for computing responses to S/Key challenges.
+ * Takes the iteration count and seed as command line args, prompts
+ * for the user's key, and produces both word and hex format responses.
+ *
+ * Usage example:
+ *	>skey 88 ka9q2
+ *	Enter password:
+ *	OMEN US HORN OMIT BACK AHOY
+ *	C848 666B 6435 0A93
+ *	>
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef	__MSDOS__
+#include <dos.h>
+#else	/* Assume BSD unix */
+#include <fcntl.h>
+#endif
+#include "libskey/md4.h"
+#include "libskey/skey.h"
+
+char *readpass();
+void usage();
+int getopt();
+extern int optind;
+extern char *optarg;
+
+int
+main(argc,argv)
+int argc;
+char *argv[];
+{
+	int n,cnt,i;
+	char passwd[256],passwd2[256];
+	char key[8];
+	char *seed;
+	char buf[33];
+	char *slash;
+
+	cnt = 1;
+	while((i = getopt(argc,argv,"n:")) != EOF){
+		switch(i){
+		case 'n':
+			cnt = atoi(optarg);
+			break;
+		}
+	}
+	/* could be in the form <number>/<seed> */
+	if(argc <= optind + 1){
+		/*look for / in it */
+		if(argc <= optind){
+			usage(argv[0]);
+			return 1;
+		}
+
+		slash = strchr(argv[optind], '/');
+		if(slash == NULL){
+			usage(argv[0]);
+			return 1;
+		}
+		*slash++ = '\0';
+		seed = slash;
+
+		if((n = atoi(argv[optind])) < 0){
+			fprintf(stderr,"%s not positive\n",argv[optind]);
+			usage(argv[0]);
+			return 1;
+		}
+	}
+	else {
+
+		if((n = atoi(argv[optind])) < 0){
+			fprintf(stderr,"%s not positive\n",argv[optind]);
+			usage(argv[0]);
+			return 1;
+		}
+		seed = argv[++optind];
+	}
+	fprintf(stderr,"Reminder - Do not use this program while logged in via telnet or rlogin.\n");
+
+	/* Get user's secret password */
+	for(;;){
+		fprintf(stderr,"Enter secret password: ");
+		readpass(passwd,sizeof(passwd));
+		break;
+	/************
+		fprintf(stderr,"Again secret password: ");
+		readpass(passwd2,sizeof(passwd));
+		if(strcmp(passwd,passwd2) == 0) break;
+		fprintf(stderr, "Sorry no match\n");
+        **************/
+	
+	}
+
+	/* Crunch seed and password into starting key */
+	if(keycrunch(key,seed,passwd) != 0){
+		fprintf(stderr,"%s: key crunch failed\n",argv[0]);
+		return 1;
+	}
+	if(cnt == 1){
+		while(n-- != 0)
+			f(key);
+		printf("%s\n",btoe(buf,key));
+#ifdef	HEXIN
+		printf("%s\n",put8(buf,key));
+#endif
+	} else {
+		for(i=0;i<=n-cnt;i++)
+			f(key);
+		for(;i<=n;i++){
+#ifdef	HEXIN
+			printf("%d: %-29s  %s\n",i,btoe(buf,key),put8(buf,key));
+#else
+			printf("%d: %-29s\n",i,btoe(buf,key));
+#endif
+			f(key);		
+		}
+	}
+	return 0;
+}
+void
+usage(s)
+char *s;
+{
+	fprintf(stderr,"Usage: %s [-n count] <sequence #>[/] <key> \n",s);
+}
+