1) Added s/key support .

2  Added optional excessive login logging.
3) Added login acces control on a per host/tty base.
4) See skey(1) for skey descriptions and src/usr.bin/login/README
  for the logging and access control features.

-Guido

3 files changed, 280 insertions, 0 deletions

diff --git a/usr.bin/keyinit/Makefile b/usr.bin/keyinit/Makefile
new file mode 100644
index 0000000..4c44d30
--- /dev/null
+++ b/usr.bin/keyinit/Makefile
@@ -0,0 +1,21 @@
+
+#	@(#)Makefile	5.6 (Berkeley) 3/5/91
+#
+
+PROG=	keyinit
+MAN1=   keyinit.1
+CFLAGS+=-I${.CURDIR}/../../lib
+DPADD=	/usr/bin/libskey.a
+LDADD=	-lskey
+
+.if exists(/usr/lib/libcrypt.a)
+DPADD+= ${LIBCRYPT}
+LDADD+= -lcrypt
+.endif
+
+SRCS=	skeyinit.c
+
+BINOWN=	root
+BINMODE=4555
+
+.include <bsd.prog.mk>
diff --git a/usr.bin/keyinit/keyinit.1 b/usr.bin/keyinit/keyinit.1
new file mode 100644
index 0000000..2fe2d03
--- /dev/null
+++ b/usr.bin/keyinit/keyinit.1
@@ -0,0 +1,64 @@
+.ll 6i
+.pl 10.5i
+.\"	@(#)keyinit.1	1.0 (Bellcore) 7/20/93
+.\"
+.lt 6.0i
+.TH KEYINIT 1 "20 July 1993"
+.AT 3
+.SH NAME
+keyinit \-  Change password or add user to S/Key authentication system.
+.SH SYNOPSIS
+.B keyinit [\-s]   [<user ID >] 
+.SH DESCRIPTION
+.I keyinit
+initializes the system so you can use S/Key one-time passwords to
+login.  The program will ask you to enter a secret pass phrase; enter a
+phrase of several words in response. After the S/Key database has been
+updated you can login using either your regular UNIX password or using
+S/Key one-time passwords. 
+.PP
+When logging in from another machine you can avoid typing a real
+password over the network, by typing your S/Key pass phrase to the
+\fIkey\fR command on the local machine:  the program will respond with
+the one-time password that you should use to log into the remote
+machine.  This is most conveniently done with cut-and-paste operations
+using a mouse.  Alternatively, you can pre-compute one-time passwords
+using the \fIkey\fR command and carry them with you on a piece of paper.
+.PP
+\fIkeyinit\fR requires you to type your secret password, so it should
+be used only on a secure terminal. For example, on the console of a
+workstation. If you are using \fIkeyinit\fR while logged in over an
+untrusted network, follow the instructions given below with the \-s
+option.
+.SH OPTIONS
+.IP \-s
+Set secure mode where the user is expected to have used a secure
+machine to generate the first one time password.  Without the \-s the
+system will assume you are direct connected over secure communications
+and prompt you for your secret password.
+The \-s option also allows one to set the seed and count for complete
+control of the parameters.  You can use keyinit -s in compination with
+the 
+.I key
+command to set the seed and count if you do not like the defaults.
+To do this run keyinit in one window and put in your count and seed
+then run key in another window to generate the correct 6 english words
+for that count and seed. You can then
+"cut" and "paste" them or copy them into the keyinit window.
+.sp
+.LP
+.B <user ID>
+the ID for the user to be changed/added
+.SH DIAGNOSTICS
+.SH FILES
+.TP
+/etc/skeykeys data base of information for S/Key system.
+.SH BUGS
+.LP
+.SH SEE ALSO
+.BR skey(1),
+.BR key(1),
+.BR keysu(1),
+.BR keyinfo(1)
+.SH AUTHOR
+Command by Phil Karn, Neil M. Haller, John S. Walden
diff --git a/usr.bin/keyinit/skeyinit.c b/usr.bin/keyinit/skeyinit.c
new file mode 100644
index 0000000..d13bd6b
--- /dev/null
+++ b/usr.bin/keyinit/skeyinit.c
@@ -0,0 +1,195 @@
+/*   change password or add user to S/KEY authentication system.
+ *   S/KEY is a tradmark of Bellcore  */
+
+#include <stdio.h>
+#include <string.h>
+#include <pwd.h>
+#include "libskey/skey.h"
+#include <stdio.h>
+#include <time.h>
+
+extern int optind;
+extern char *optarg;
+
+char * readpass();
+
+int skeylookup __ARGS((struct skey *mp,char *name));
+
+#define NAMELEN 2
+int
+main(argc,argv)
+int argc;
+char *argv[];
+{
+	struct skey skey;
+	int rval,n,nn,i,defaultsetup;
+	char seed[18],tmp[80],key[8];
+	struct passwd *ppuser,*pp;
+	char defaultseed[17], passwd[256],passwd2[256] ;
+
+
+	time_t now;
+	struct tm *tm;
+	char tbuf[27],buf[60];
+	char lastc, me[80];
+	int l;
+
+	time(&now);
+#if 0	/* Choose a more random seed */
+	tm = localtime(&now);
+	strftime(tbuf, sizeof(tbuf), "%M%j", tm);
+#else
+	sprintf(tbuf, "%05ld", (long) (now % 100000));
+#endif
+	gethostname(defaultseed,NAMELEN);
+	strcpy(&defaultseed[NAMELEN],tbuf);
+
+	pp = ppuser = getpwuid(getuid());
+	strcpy(me,pp->pw_name);
+	defaultsetup = 1;
+	if( argc > 1){
+		if(strcmp("-s", argv[1]) == 0)
+			defaultsetup = 0;
+		else
+			pp = getpwnam(argv[1]);
+		if(argc > 2)
+			pp = getpwnam(argv[2]);
+
+	}
+	if(pp == NULL){
+		printf("User unknown\n");
+		return 1;
+	}
+	if(strcmp( pp->pw_name,me) != 0){
+		if(getuid() != 0){
+			/* Only root can change other's passwds */
+			printf("Permission denied.\n");
+			return(1);
+		}
+	}
+
+
+
+	rval = skeylookup(&skey,pp->pw_name);
+	switch(rval){
+	case -1:
+		perror("error in opening database");
+		return 1;
+	case 0:
+		printf("Updating %s:\n",pp->pw_name);
+		printf("Old key: %s\n",skey.seed);
+		/* lets be nice if they have a skey.seed that ends in 0-8 just add one*/
+		l = strlen(skey.seed);
+		if( l > 0){
+			lastc = skey.seed[l-1];
+			if( isdigit(lastc) && lastc != '9' ){
+				strcpy(defaultseed, skey.seed);
+				defaultseed[l-1] = lastc + 1;
+			}
+			if( isdigit(lastc) && lastc == '9' && l < 16){
+				strcpy(defaultseed, skey.seed);
+				defaultseed[l-1] = '0';
+				defaultseed[l] = '0';
+				defaultseed[l+1] = '\0';
+			}
+		}
+		break;
+	case 1:
+		skey.val = 0;	/* XXX */
+		printf("Adding %s:\n",pp->pw_name);
+		break;
+	}
+    n = 99;
+    if( ! defaultsetup){
+	printf("Reminder you need the 6 english words from the skey command.\n");
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		printf("Enter sequence count from 1 to 10000: ");
+		fgets(tmp,sizeof(tmp),stdin);
+		n = atoi(tmp);
+		if(n > 0 && n < 10000)
+			break;	/* Valid range */
+		printf("Count must be > 0 and < 10000\n");
+	}
+    }
+    if( !defaultsetup){
+	printf("Enter new key [default %s]: ", defaultseed);
+	fflush(stdout);
+	fgets(seed,sizeof(seed),stdin);
+	rip(seed);
+	if(strlen(seed) > 16){
+		printf("Seed truncated to 16 chars\n");
+		seed[16] = '\0';
+	}
+	if( seed[0] == '\0') strcpy(seed,defaultseed);
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		printf("s/key %d %s\ns/key access password: ",n,seed);
+		fgets(tmp,sizeof(tmp),stdin);
+		rip(tmp);
+		backspace(tmp);
+		if(tmp[0] == '?'){
+			printf("Enter 6 English words from secure S/Key calculation.\n");
+			continue;
+		}
+		if(tmp[0] == '\0'){
+			exit(1);
+		}
+		if(etob(key,tmp) == 1 || atob8(key,tmp) == 0)
+			break;	/* Valid format */
+		printf("Invalid format, try again with 6 English words.\n");
+	}
+    } else {
+	/* Get user's secret password */
+	fprintf(stderr,"Reminder - Only use this method if you are directly connected.\n");
+	fprintf(stderr,"If you are using telnet or rlogin exit with no password and use keyinit -s.\n");
+	for(i=0;;i++){
+		if(i >= 2) exit(1);
+		fprintf(stderr,"Enter secret password: ");
+		readpass(passwd,sizeof(passwd));
+		if(passwd[0] == '\0'){
+			exit(1);
+		}
+		fprintf(stderr,"Again secret password: ");
+		readpass(passwd2,sizeof(passwd));
+		if(passwd2[0] == '\0'){
+			exit(1);
+		}
+		if(strlen(passwd) < 4 && strlen(passwd2) < 4) {
+			fprintf(stderr, "Sorry your password must be longer\n\r");
+			exit(1);
+		}
+		if(strcmp(passwd,passwd2) == 0) break;
+		fprintf(stderr, "Sorry no match\n");
+		
+	
+	}
+	strcpy(seed,defaultseed);
+
+	/* Crunch seed and password into starting key */
+	if(keycrunch(key,seed,passwd) != 0){
+		fprintf(stderr,"%s: key crunch failed\n",argv[0]);
+		return 1;
+	}
+	nn = n;
+	while(nn-- != 0)
+		f(key);
+    }
+	time(&now);
+	tm = localtime(&now);
+	strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
+        if (skey.val == NULL)
+                  skey.val = (char *) malloc(16+1);
+
+
+	btoa8(skey.val,key);
+	fprintf(skey.keyfile,"%s %04d %-16s %s %-21s\n",pp->pw_name,n,
+		seed,skey.val, tbuf);
+	fclose(skey.keyfile);
+	printf("\nID %s s/key is %d %s\n",pp->pw_name,n,seed);
+	printf("%s\n",btoe(buf,key));
+#ifdef HEXIN
+	printf("%s\n",put8(buf,key));
+#endif
+	return 0;
+}